diff --git a/python/ql/lib/semmle/python/security/dataflow/CleartextStorageQuery.qll b/python/ql/lib/semmle/python/security/dataflow/CleartextStorageQuery.qll
index e5320c76d34..ef9c8c13b56 100644
--- a/python/ql/lib/semmle/python/security/dataflow/CleartextStorageQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/CleartextStorageQuery.qll
@@ -16,9 +16,11 @@ private import semmle.python.dataflow.new.SensitiveDataSources
 import CleartextStorageCustomizations::CleartextStorage
 /**
+ * DEPRECATED: Use `CleartextStorageFlow` module instead.
+ *
 * A taint-tracking configuration for detecting "Clear-text storage of sensitive information".
 */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
 Configuration() { this = "CleartextStorage" }
 override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -31,3 +33,14 @@ class Configuration extends TaintTracking::Configuration {
 node instanceof Sanitizer
 }
 }
+
+private module CleartextStorageConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+ predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/** Global taint-tracking for detecting "Clear-text storage of sensitive information" vulnerabilities. */
+module CleartextStorageFlow = TaintTracking::Global;
diff --git a/python/ql/src/Security/CWE-312/CleartextStorage.ql b/python/ql/src/Security/CWE-312/CleartextStorage.ql
index 9a8d5de3331..f83097d6e0b 100644
--- a/python/ql/src/Security/CWE-312/CleartextStorage.ql
+++ b/python/ql/src/Security/CWE-312/CleartextStorage.ql
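Review bot: As rendered here, `module CleartextStorageFlow = TaintTracking::Global;` at the end of the second hunk carries no configuration argument; if the page rendering merely dropped the angle brackets this is a display artefact, but the line the file needs is `module CleartextStorageFlow = TaintTracking::Global<CleartextStorageConfig>;`, otherwise the alias names no parameterised module and `CleartextStorageFlow::PathGraph` in the query file cannot resolve. The source, sink and sanitizer definitions are now stated twice — once in the deprecated `Configuration` and once in `CleartextStorageConfig` — and can silently drift while both exist; a comment on the deprecated class such as `// Compatibility shim only; keep in sync with CleartextStorageConfig below until it is removed.` makes that obligation visible. The deprecation notice would also help callers more if it named the replacement entry point, e.g. `DEPRECATED: Use CleartextStorageFlow::flowPath instead of Configuration::hasFlowPath.`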
@@ -15,12 +15,13 @@ import python
 private import semmle.python.dataflow.new.DataFlow
-import DataFlow::PathGraph
+import CleartextStorageFlow::PathGraph
 import semmle.python.security.dataflow.CleartextStorageQuery
-from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink, string classification
+from
+ CleartextStorageFlow::PathNode source, CleartextStorageFlow::PathNode sink, string classification
 where
- config.hasFlowPath(source, sink) and
+ CleartextStorageFlow::flowPath(source, sink) and
 classification = source.getNode().(Source).getClassification()
 select sink.getNode(), source, sink, "This expression stores $@ as clear text.", source.getNode(), "sensitive data (" + classification + ")"
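Review bot: `import CleartextStorageFlow::PathGraph` is placed before `import semmle.python.security.dataflow.CleartextStorageQuery`, the import that provides `CleartextStorageFlow`; QL resolves imports independently of order so this compiles, but the module is used before the reader sees where it comes from, and swapping those two import lines keeps the defining import first. With `DataFlow::PathNode` removed from the `from` clause, `private import semmle.python.dataflow.new.DataFlow` may no longer be referenced anywhere in this query — the rest of the file lies outside the hunk, so confirm before dropping it.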