Merge branch 'main' into post-release-prep/codeql-cli-2.25.5

This commit is contained in:
Óscar San José
2026-05-22 16:32:30 +02:00
committed by GitHub
147 changed files with 28757 additions and 5886 deletions


@@ -17,13 +17,13 @@
]
},
"location": {
"file": "<test-root-directory>/repo_dir/syntaxerror3.py",
"file": "syntaxerror3.py",
"startColumn": 0,
"endColumn": 0,
"startLine": 1,
"endLine": 1
},
"markdownMessage": "A parse error occurred while processing `<test-root-directory>/repo_dir/syntaxerror3.py`, and as a result this file could not be analyzed. Check the syntax of the file using the `python -m py_compile` command and correct any invalid syntax.",
"markdownMessage": "A parse error occurred while processing `syntaxerror3.py`, and as a result this file could not be analyzed. Check the syntax of the file using the `python -m py_compile` command and correct any invalid syntax.",
"severity": "warning",
"source": {
"extractorName": "python",
@@ -56,13 +56,13 @@
]
},
"location": {
"file": "<test-root-directory>/repo_dir/syntaxerror1.py",
"file": "syntaxerror1.py",
"startColumn": 0,
"endColumn": 0,
"startLine": 3,
"endLine": 3
},
"markdownMessage": "A parse error occurred while processing `<test-root-directory>/repo_dir/syntaxerror1.py`, and as a result this file could not be analyzed. Check the syntax of the file using the `python -m py_compile` command and correct any invalid syntax.",
"markdownMessage": "A parse error occurred while processing `syntaxerror1.py`, and as a result this file could not be analyzed. Check the syntax of the file using the `python -m py_compile` command and correct any invalid syntax.",
"severity": "warning",
"source": {
"extractorName": "python",
@@ -95,13 +95,13 @@
]
},
"location": {
"file": "<test-root-directory>/repo_dir/syntaxerror2.py",
"file": "syntaxerror2.py",
"startColumn": 0,
"endColumn": 0,
"startLine": 5,
"endLine": 5
},
"markdownMessage": "A parse error occurred while processing `<test-root-directory>/repo_dir/syntaxerror2.py`, and as a result this file could not be analyzed. Check the syntax of the file using the `python -m py_compile` command and correct any invalid syntax.",
"markdownMessage": "A parse error occurred while processing `syntaxerror2.py`, and as a result this file could not be analyzed. Check the syntax of the file using the `python -m py_compile` command and correct any invalid syntax.",
"severity": "warning",
"source": {
"extractorName": "python",
@@ -145,7 +145,7 @@
]
},
"location": {
"file": "<test-root-directory>/repo_dir/recursion_error.py"
"file": "recursion_error.py"
},
"plaintextMessage": "maximum recursion depth exceeded while calling a Python object",
"severity": "error",


@@ -359,11 +359,30 @@ def get_stack_trace_lines():
return lines[:i]
return lines
def _get_source_root():
"""Get the source root directory for relativizing diagnostic paths."""
return os.environ.get("LGTM_SRC", os.getcwd())
def _relative_path(path):
"""Make a path relative to the source root for use in diagnostic locations.
If the path is not under the source root, return it unchanged."""
source_root = os.path.abspath(_get_source_root())
abs_path = os.path.abspath(path)
try:
relpath = os.path.relpath(abs_path, source_root)
except ValueError:
# On Windows, relpath raises ValueError for paths on different drives
return path
if relpath.startswith(os.pardir):
return path
return relpath.replace(os.sep, "/")
def syntax_error_message(exception, unit):
l = Location(file=unit.path, startLine=exception.lineno, startColumn=exception.offset)
diag_path = _relative_path(unit.path)
l = Location(file=diag_path, startLine=exception.lineno, startColumn=exception.offset)
error = (DiagnosticMessage(Source("py/diagnostics/syntax-error", "Could not process some files due to syntax errors"), Severity.WARNING)
.with_location(l)
.markdown("A parse error occurred while processing `{}`, and as a result this file could not be analyzed. Check the syntax of the file using the `python -m py_compile` command and correct any invalid syntax.".format(unit.path))
.markdown("A parse error occurred while processing `{}`, and as a result this file could not be analyzed. Check the syntax of the file using the `python -m py_compile` command and correct any invalid syntax.".format(diag_path))
.attribute("traceback", get_stack_trace_lines())
.attribute("args", exception.args)
.status_page()
@@ -374,7 +393,7 @@ def syntax_error_message(exception, unit):
def recursion_error_message(exception, unit):
# if unit is a BuiltinModuleExtractable, there will be no path attribute
l = Location(file=unit.path) if hasattr(unit, "path") else None
l = Location(file=_relative_path(unit.path)) if hasattr(unit, "path") else None
return (DiagnosticMessage(Source("py/diagnostics/recursion-error", "Recursion error in Python extractor"), Severity.ERROR)
.with_location(l)
.text(exception.args[0])
@@ -385,7 +404,7 @@ def recursion_error_message(exception, unit):
def internal_error_message(exception, unit):
# if unit is a BuiltinModuleExtractable, there will be no path attribute
l = Location(file=unit.path) if hasattr(unit, "path") else None
l = Location(file=_relative_path(unit.path)) if hasattr(unit, "path") else None
return (DiagnosticMessage(Source("py/diagnostics/internal-error", "Internal error in Python extractor"), Severity.ERROR)
.with_location(l)
.text("Internal error")
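Review bot: The `relpath.startswith(os.pardir)` guard in `_relative_path` (first hunk of this file) also fires for a file inside the source root whose own name begins with `..`, e.g. `<root>/..hidden.py` relativizes to `..hidden.py`, so that file keeps its absolute path in the diagnostic — the machine-specific detail this change is meant to strip from the output. A tighter test is `if relpath == os.pardir or relpath.startswith(os.pardir + os.sep): return path`. Because `os.path.abspath` normalizes without resolving symlinks, a source root taken from `LGTM_SRC` and a `unit.path` that reach the same file through different links would presumably also fall through to the absolute path; worth confirming whether the extractor can see both forms. The helper is shared by the `recursion_error_message` and `internal_error_message` hunks below, so one fix covers all three call sites.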


@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The sensitive data heuristics used to identify code that handles passwords and private data have been improved. Most of the changes permit more variations of established patterns, thereby finding more sensitive data. Queries that use the sensitive data library (for example `py/clear-text-logging-sensitive-data`) may find more correct results and less fewer positive results after these changes.


@@ -10,6 +10,8 @@ edges
| test.py:48:14:48:35 | ControlFlowNode for social_security_number | test.py:49:15:49:36 | ControlFlowNode for social_security_number | provenance | |
| test.py:48:38:48:40 | ControlFlowNode for ssn | test.py:50:15:50:17 | ControlFlowNode for ssn | provenance | |
| test.py:48:54:48:63 | ControlFlowNode for passportNo | test.py:52:15:52:24 | ControlFlowNode for passportNo | provenance | |
| test.py:54:14:54:22 | ControlFlowNode for post_code | test.py:55:15:55:23 | ControlFlowNode for post_code | provenance | |
| test.py:54:25:54:31 | ControlFlowNode for zipCode | test.py:56:15:56:21 | ControlFlowNode for zipCode | provenance | |
| test.py:54:34:54:45 | ControlFlowNode for home_address | test.py:57:15:57:26 | ControlFlowNode for home_address | provenance | |
| test.py:59:14:59:26 | ControlFlowNode for user_latitude | test.py:60:15:60:27 | ControlFlowNode for user_latitude | provenance | |
| test.py:59:29:59:42 | ControlFlowNode for user_longitude | test.py:61:15:61:28 | ControlFlowNode for user_longitude | provenance | |
@@ -42,7 +44,11 @@ nodes
| test.py:49:15:49:36 | ControlFlowNode for social_security_number | semmle.label | ControlFlowNode for social_security_number |
| test.py:50:15:50:17 | ControlFlowNode for ssn | semmle.label | ControlFlowNode for ssn |
| test.py:52:15:52:24 | ControlFlowNode for passportNo | semmle.label | ControlFlowNode for passportNo |
| test.py:54:14:54:22 | ControlFlowNode for post_code | semmle.label | ControlFlowNode for post_code |
| test.py:54:25:54:31 | ControlFlowNode for zipCode | semmle.label | ControlFlowNode for zipCode |
| test.py:54:34:54:45 | ControlFlowNode for home_address | semmle.label | ControlFlowNode for home_address |
| test.py:55:15:55:23 | ControlFlowNode for post_code | semmle.label | ControlFlowNode for post_code |
| test.py:56:15:56:21 | ControlFlowNode for zipCode | semmle.label | ControlFlowNode for zipCode |
| test.py:57:15:57:26 | ControlFlowNode for home_address | semmle.label | ControlFlowNode for home_address |
| test.py:59:14:59:26 | ControlFlowNode for user_latitude | semmle.label | ControlFlowNode for user_latitude |
| test.py:59:29:59:42 | ControlFlowNode for user_longitude | semmle.label | ControlFlowNode for user_longitude |
@@ -79,6 +85,8 @@ subpaths
| test.py:49:15:49:36 | ControlFlowNode for social_security_number | test.py:48:14:48:35 | ControlFlowNode for social_security_number | test.py:49:15:49:36 | ControlFlowNode for social_security_number | This expression logs $@ as clear text. | test.py:48:14:48:35 | ControlFlowNode for social_security_number | sensitive data (private) |
| test.py:50:15:50:17 | ControlFlowNode for ssn | test.py:48:38:48:40 | ControlFlowNode for ssn | test.py:50:15:50:17 | ControlFlowNode for ssn | This expression logs $@ as clear text. | test.py:48:38:48:40 | ControlFlowNode for ssn | sensitive data (private) |
| test.py:52:15:52:24 | ControlFlowNode for passportNo | test.py:48:54:48:63 | ControlFlowNode for passportNo | test.py:52:15:52:24 | ControlFlowNode for passportNo | This expression logs $@ as clear text. | test.py:48:54:48:63 | ControlFlowNode for passportNo | sensitive data (private) |
| test.py:55:15:55:23 | ControlFlowNode for post_code | test.py:54:14:54:22 | ControlFlowNode for post_code | test.py:55:15:55:23 | ControlFlowNode for post_code | This expression logs $@ as clear text. | test.py:54:14:54:22 | ControlFlowNode for post_code | sensitive data (private) |
| test.py:56:15:56:21 | ControlFlowNode for zipCode | test.py:54:25:54:31 | ControlFlowNode for zipCode | test.py:56:15:56:21 | ControlFlowNode for zipCode | This expression logs $@ as clear text. | test.py:54:25:54:31 | ControlFlowNode for zipCode | sensitive data (private) |
| test.py:57:15:57:26 | ControlFlowNode for home_address | test.py:54:34:54:45 | ControlFlowNode for home_address | test.py:57:15:57:26 | ControlFlowNode for home_address | This expression logs $@ as clear text. | test.py:54:34:54:45 | ControlFlowNode for home_address | sensitive data (private) |
| test.py:60:15:60:27 | ControlFlowNode for user_latitude | test.py:59:14:59:26 | ControlFlowNode for user_latitude | test.py:60:15:60:27 | ControlFlowNode for user_latitude | This expression logs $@ as clear text. | test.py:59:14:59:26 | ControlFlowNode for user_latitude | sensitive data (private) |
| test.py:61:15:61:28 | ControlFlowNode for user_longitude | test.py:59:29:59:42 | ControlFlowNode for user_longitude | test.py:61:15:61:28 | ControlFlowNode for user_longitude | This expression logs $@ as clear text. | test.py:59:29:59:42 | ControlFlowNode for user_longitude | sensitive data (private) |


@@ -52,8 +52,8 @@ def log_private():
print(passportNo) # NOT OK
def log2(post_code, zipCode, home_address):
print(post_code) # NOT OK, but NOT FOUND - "code" is treated as encrypted and thus not sensitive
print(zipCode) # NOT OK, but NOT FOUND - "code" is treated as encrypted and thus not sensitive
print(post_code) # NOT OK
print(zipCode) # NOT OK
print(home_address) # NOT OK
def log3(user_latitude, user_longitude):