Add SecretInterface as source for cleartext logging query

2026-01-29 06:12:58 +01:00 · 2020-12-01 13:12:14 +00:00
parent 8fd055bc60
commit 6ca2e0e38e
2 changed files with 6 additions and 0 deletions
--- a/change-notes/2020-12-09-clear-text-logging-source.md
+++ b/change-notes/2020-12-09-clear-text-logging-source.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The query "Clear-text logging of sensitive information" has been improved to recognize `SecretInterface` from `k8s.io/client-go/kubernetes/typed/core/v1` as a source of sensitive data, which may lead to more alerts.
--- a/ql/src/semmle/go/security/CleartextLoggingCustomizations.qll
+++ b/ql/src/semmle/go/security/CleartextLoggingCustomizations.qll
@@ -184,6 +184,10 @@ module CleartextLogging {
    override string describe() { result = "HTTP request headers" }
  }

+  private class KubernetesSecretInterfaceSource extends Source, K8sIoClientGo::SecretInterfaceSource {
+    override string describe() { result = "Kubernetes Secret" }
+  }
+
  /**
   * The first element of a split by ' '  or ':', often sanitizing a username/password pair
   * or the "Method value" syntax used in the HTTP Authorization header.