From 3193b3b171c01bb7c49dc52452389ee3fe9f2ca7 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Mon, 15 May 2023 10:51:21 +0100 Subject: [PATCH 1/3] Swift: Make the CleartextLogging.ql query ID consistent with the other swift/cleartext-* queries. --- swift/ql/src/queries/Security/CWE-312/CleartextLogging.ql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/swift/ql/src/queries/Security/CWE-312/CleartextLogging.ql b/swift/ql/src/queries/Security/CWE-312/CleartextLogging.ql index 2d76f1d3e7e..d4314ab1631 100644 --- a/swift/ql/src/queries/Security/CWE-312/CleartextLogging.ql +++ b/swift/ql/src/queries/Security/CWE-312/CleartextLogging.ql @@ -6,7 +6,7 @@ * @problem.severity error * @security-severity 7.5 * @precision high - * @id swift/clear-text-logging + * @id swift/cleartext-logging * @tags security * external/cwe/cwe-312 * external/cwe/cwe-359 From 2a4d7cb642f5bd6c7121d9b3205f6d8e84812bc0 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Mon, 15 May 2023 11:53:58 +0100 Subject: [PATCH 2/3] Swift: Make the result message consistent as well. --- .../src/queries/Security/CWE-312/CleartextLogging.ql | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/swift/ql/src/queries/Security/CWE-312/CleartextLogging.ql b/swift/ql/src/queries/Security/CWE-312/CleartextLogging.ql index d4314ab1631..764a4af3d94 100644 --- a/swift/ql/src/queries/Security/CWE-312/CleartextLogging.ql +++ b/swift/ql/src/queries/Security/CWE-312/CleartextLogging.ql @@ -18,7 +18,9 @@ import codeql.swift.dataflow.DataFlow import codeql.swift.security.CleartextLoggingQuery import CleartextLoggingFlow::PathGraph -from CleartextLoggingFlow::PathNode src, CleartextLoggingFlow::PathNode sink -where CleartextLoggingFlow::flowPath(src, sink) -select sink.getNode(), src, sink, "This $@ is written to a log file.", src.getNode(), - "potentially sensitive information" +from CleartextLoggingFlow::PathNode source, CleartextLoggingFlow::PathNode sink +where CleartextLoggingFlow::flowPath(source, sink) +select sink, source, sink, + "This operation writes '" + sink.toString() + + "' to a log file. It may contain unencrypted sensitive data from $@.", source, + source.getNode().toString() From 94b4ebe38b0628e957599e7daea8cfea919c0df2 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Tue, 16 May 2023 14:16:30 +0100 Subject: [PATCH 3/3] Update swift/ql/src/queries/Security/CWE-312/CleartextLogging.ql Co-authored-by: Mathias Vorreiter Pedersen --- swift/ql/src/queries/Security/CWE-312/CleartextLogging.ql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/swift/ql/src/queries/Security/CWE-312/CleartextLogging.ql b/swift/ql/src/queries/Security/CWE-312/CleartextLogging.ql index 764a4af3d94..69601b3d931 100644 --- a/swift/ql/src/queries/Security/CWE-312/CleartextLogging.ql +++ b/swift/ql/src/queries/Security/CWE-312/CleartextLogging.ql @@ -20,7 +20,7 @@ import CleartextLoggingFlow::PathGraph from CleartextLoggingFlow::PathNode source, CleartextLoggingFlow::PathNode sink where CleartextLoggingFlow::flowPath(source, sink) -select sink, source, sink, +select sink.getNode(), source, sink, "This operation writes '" + sink.toString() + "' to a log file. It may contain unencrypted sensitive data from $@.", source, source.getNode().toString()