From a6ab92bbca778dab44507ccc531b2656c86eacd8 Mon Sep 17 00:00:00 2001
From: Chris Smowton
Date: Thu, 9 Jul 2020 15:07:28 +0100
Subject: [PATCH] Supress paths that extend beyond the first sink

For this particular query it's hardly ever interesting to complain about a bad cipher suite being configured, then read from the list and re-added elsewhere. In such a case the longer path will be detected when the shorter one is fixed in any case.
---
 ql/src/experimental/CWE-327/InsecureTLS.ql | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/ql/src/experimental/CWE-327/InsecureTLS.ql b/ql/src/experimental/CWE-327/InsecureTLS.ql
index 3f8fa167f2f..ab11ec924af 100644
--- a/ql/src/experimental/CWE-327/InsecureTLS.ql
+++ b/ql/src/experimental/CWE-327/InsecureTLS.ql
@@ -119,6 +119,15 @@ class TlsInsecureCipherSuitesFlowConfig extends TaintTracking::Configuration {
 sink = fld.getAWrite().getRhs()
 )
 }
+
+ /**
+ * Declare sinks as out-sanitizers in order to avoid producing superfluous paths where a cipher
+ * is written to CipherSuites, then the list is further extended with either safe or tainted
+ * suites.
+ */
+ override predicate isSanitizerOut(DataFlow::Node node) {
+ super.isSanitizerOut(node) or isSink(node)
+ }
 }
 
 /**
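Review bot: The doc comment on the new `isSanitizerOut` override states the intent but not the cost: once every sink is an out-barrier, a tainted suite list that is written to one `CipherSuites` field and then flows on to a second write is reported only at the first, so the second location stays hidden if the first alert is dismissed or suppressed rather than fixed. I would add a line to the comment such as `Note: sinks further along the same path are reported only after the first one is fixed, not when its alert is dismissed.` The diffstat shows only the query file changing, so no test pins this behaviour; a case where an insecure suite reaches a sink and the list is then extended and written again would confirm that exactly one result is produced. The class body begins outside the hunk, so the full `isSink` definition that this predicate reuses is not visible here.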