Swift: Rewrite CleartextLogging to use DataFlow::ConfigSig

swift/ql/lib/codeql/swift/security/CleartextLoggingQuery.qll

@@ -12,7 +12,7 @@ private import codeql.swift.security.SensitiveExprs
 /**
  * A taint-tracking configuration for cleartext logging of sensitive data vulnerabilities.
  */
-class CleartextLoggingConfiguration extends TaintTracking::Configuration {
+deprecated class CleartextLoggingConfiguration extends TaintTracking::Configuration {
   CleartextLoggingConfiguration() { this = "CleartextLoggingConfiguration" }
 
   override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof SensitiveExpr }
@@ -30,3 +30,26 @@ class CleartextLoggingConfiguration extends TaintTracking::Configuration {
     any(CleartextLoggingAdditionalTaintStep s).step(n1, n2)
   }
 }
+
+/**
+ * A taint-tracking configuration for cleartext logging of sensitive data vulnerabilities.
+ */
+module CleartextLoggingConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source.asExpr() instanceof SensitiveExpr }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof CleartextLoggingSink }
+
+  predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof CleartextLoggingSanitizer }
+
+  // Disregard paths that contain other paths. This helps with performance.
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
+
+  predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
+    any(CleartextLoggingAdditionalTaintStep s).step(n1, n2)
+  }
+}
+
+/**
+ * Detect taint flow of cleartext logging of sensitive data vulnerabilities.
+ */
+module CleartextLoggingFlow = TaintTracking::Global<CleartextLoggingConfig>;

swift/ql/src/queries/Security/CWE-312/CleartextLogging.ql

@@ -16,9 +16,9 @@
 import swift
 import codeql.swift.dataflow.DataFlow
 import codeql.swift.security.CleartextLoggingQuery
-import DataFlow::PathGraph
+import CleartextLoggingFlow::PathGraph
 
-from DataFlow::PathNode src, DataFlow::PathNode sink
-where any(CleartextLoggingConfiguration c).hasFlowPath(src, sink)
+from CleartextLoggingFlow::PathNode src, CleartextLoggingFlow::PathNode sink
+where CleartextLoggingFlow::flowPath(src, sink)
 select sink.getNode(), src, sink, "This $@ is written to a log file.", src.getNode(),
   "potentially sensitive information"

swift/ql/test/query-tests/Security/CWE-312/CleartextLoggingTest.ql

@@ -9,11 +9,8 @@ class CleartextLogging extends InlineExpectationsTest {
   override string getARelevantTag() { result = "hasCleartextLogging" }
 
   override predicate hasActualResult(Location location, string element, string tag, string value) {
-    exists(
-      CleartextLoggingConfiguration config, DataFlow::Node source, DataFlow::Node sink,
-      Expr sinkExpr
-    |
-      config.hasFlow(source, sink) and
+    exists(DataFlow::Node source, DataFlow::Node sink, Expr sinkExpr |
+      CleartextLoggingFlow::flow(source, sink) and
       sinkExpr = sink.asExpr() and
       location = sinkExpr.getLocation() and
       element = sinkExpr.toString() and