From 6ca2e0e38e8a0343fde685854bc538a96d7cbd6a Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Tue, 1 Dec 2020 13:12:14 +0000
Subject: [PATCH] Add SecretInterface as source for cleartext logging query

---
 change-notes/2020-12-09-clear-text-logging-source.md | 2 ++
 ql/src/semmle/go/security/CleartextLoggingCustomizations.qll | 4 ++++
 2 files changed, 6 insertions(+)
 create mode 100644 change-notes/2020-12-09-clear-text-logging-source.md

diff --git a/change-notes/2020-12-09-clear-text-logging-source.md b/change-notes/2020-12-09-clear-text-logging-source.md
new file mode 100644
index 00000000000..7ba2113ba79
--- /dev/null
+++ b/change-notes/2020-12-09-clear-text-logging-source.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The query "Clear-text logging of sensitive information" has been improved to recognize `SecretInterface` from `k8s.io/client-go/kubernetes/typed/core/v1` as a source of sensitive data, which may lead to more alerts.
diff --git a/ql/src/semmle/go/security/CleartextLoggingCustomizations.qll b/ql/src/semmle/go/security/CleartextLoggingCustomizations.qll
index 9f21fa67eb4..1a6af789aaf 100644
--- a/ql/src/semmle/go/security/CleartextLoggingCustomizations.qll
+++ b/ql/src/semmle/go/security/CleartextLoggingCustomizations.qll
@@ -184,6 +184,10 @@ module CleartextLogging {
     override string describe() { result = "HTTP request headers" }
   }
 
+  private class KubernetesSecretInterfaceSource extends Source, K8sIoClientGo::SecretInterfaceSource {
+    override string describe() { result = "Kubernetes Secret" }
+  }
+
   /**
    * The first element of a split by ' ' or ':', often sanitizing a username/password pair
    * or the "Method value" syntax used in the HTTP Authorization header.
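Review bot: The new `KubernetesSecretInterfaceSource` class in the CleartextLoggingCustomizations.qll hunk has no QLDoc comment, while the neighbouring class in the same module (the one starting at the `/**` context line right after it) documents what it models; a reader of this taint configuration cannot tell from the class alone which values become sources. I would add, directly above the `private class` line, `/** Data obtained from a Kubernetes `SecretInterface` (`k8s.io/client-go/kubernetes/typed/core/v1`), treated as sensitive so that logging it in clear text is reported. */`. Since the class inherits its node set entirely from `K8sIoClientGo::SecretInterfaceSource`, which is defined outside this hunk, the comment should also say that the exact set of modelled calls lives in that library class, so that anyone tuning precision looks there rather than here. The enclosing `module CleartextLogging` starts before the hunk and continues past it.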