fp case if encrypt set in initializer

2026-04-30 03:05:15 +02:00 · 2024-05-16 13:30:26 -07:00
parent a8201a19ae
commit 5ee7004a62
3 changed files with 26 additions and 15 deletions
--- a/Features/CWE-327/InsecureSQLConnection.ql
+++ b/Features/CWE-327/InsecureSQLConnection.ql
@@ -32,6 +32,11 @@ module InsecureSqlConnectionConfig implements DataFlow::ConfigSig {
        oc.getType().getName() = "SqlConnectionStringBuilder"
        or
        oc.getType().getName() = "SqlConnection"
+      ) and 
+      not exists(MemberInitializer mi | 
+        mi = oc.getInitializer().(ObjectInitializer).getAMemberInitializer() and
+        mi.getLValue().(PropertyAccess).getTarget().getName() = "Encrypt" and
+        mi.getRValue().(BoolLiteral).getValue() = "true"
      )
    )
  }