From 1cf97142723e06d8b0e2acd10612e71a4d73392b Mon Sep 17 00:00:00 2001
From: Mathew Payne
Date: Fri, 28 Jun 2024 14:30:36 +0100
Subject: [PATCH 1/3] feat(python): Add Hardcoded Credentials MaD support

---
 python/ql/src/Security/CWE-798/HardcodedCredentials.ql | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/python/ql/src/Security/CWE-798/HardcodedCredentials.ql b/python/ql/src/Security/CWE-798/HardcodedCredentials.ql
index 4a2ff24a2f2..50fa7e02cff 100644
--- a/python/ql/src/Security/CWE-798/HardcodedCredentials.ql
+++ b/python/ql/src/Security/CWE-798/HardcodedCredentials.ql
@@ -18,6 +18,7 @@ import semmle.python.dataflow.new.TaintTracking
 import semmle.python.filters.Tests
 private import semmle.python.dataflow.new.internal.DataFlowDispatch as DataFlowDispatch
 private import semmle.python.dataflow.new.internal.Builtins::Builtins as Builtins
+private import semmle.python.frameworks.data.ModelsAsData

 bindingset[char, fraction]
 predicate fewer_characters_than(StringLiteral str, string char, float fraction) {
@@ -80,6 +81,8 @@ class HardcodedValueSource extends DataFlow::Node {

 class CredentialSink extends DataFlow::Node {
 CredentialSink() {
+ this = ModelOutput::getASinkNode("credentials-hardcoded").asSink()
+ or
 exists(string name |
 name.regexpMatch(getACredentialRegex()) and
 not name.matches("%file")

From ed314b179930d8dfc753181ce329314406809573 Mon Sep 17 00:00:00 2001
From: Mathew Payne
Date: Fri, 28 Jun 2024 14:42:35 +0100
Subject: [PATCH 2/3] docs: Add Change Notes

---
 python/ql/src/change-notes/2024-06-28-cred-hardcoded.md | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 python/ql/src/change-notes/2024-06-28-cred-hardcoded.md

diff --git a/python/ql/src/change-notes/2024-06-28-cred-hardcoded.md b/python/ql/src/change-notes/2024-06-28-cred-hardcoded.md
new file mode 100644
index 00000000000..97efe1e30a1
--- /dev/null
+++ b/python/ql/src/change-notes/2024-06-28-cred-hardcoded.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Adding Python support for Hardcoded Credentials as Models as Data
\ No newline at end of file

From 96048f962e7a24b758db8af70d65697c4c88346e Mon Sep 17 00:00:00 2001
From: Mathew Payne <2772944+GeekMasher@users.noreply.github.com>
Date: Mon, 1 Jul 2024 14:29:00 +0100
Subject: [PATCH 3/3] Update python/ql/src/Security/CWE-798/HardcodedCredentials.ql

Co-authored-by: Rasmus Wriedt Larsen
---
 python/ql/src/Security/CWE-798/HardcodedCredentials.ql | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/python/ql/src/Security/CWE-798/HardcodedCredentials.ql b/python/ql/src/Security/CWE-798/HardcodedCredentials.ql
index 50fa7e02cff..6e48ada26a4 100644
--- a/python/ql/src/Security/CWE-798/HardcodedCredentials.ql
+++ b/python/ql/src/Security/CWE-798/HardcodedCredentials.ql
@@ -81,7 +81,10 @@ class HardcodedValueSource extends DataFlow::Node {

 class CredentialSink extends DataFlow::Node {
 CredentialSink() {
- this = ModelOutput::getASinkNode("credentials-hardcoded").asSink()
+ exists(string s | s.matches("credentials-%") |
+ // Actual sink-type will be things like `credentials-password` or `credentials-username`
+ this = ModelOutput::getASinkNode(s).asSink()
+ )
 or
 exists(string name |
 name.regexpMatch(getACredentialRegex()) and
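Review bot: The prefix match `s.matches("credentials-%")` in the new `exists` turns every Models-as-Data sink kind starting with `credentials-` into a hardcoded-credential sink, including kinds supplied by user or extension model packs, and the comment only gives two examples without saying that this breadth is intended or where `s` gets its values. `s` is bound solely by `ModelOutput::getASinkNode(s)` (presumably from the MaD sink model rows), so the `matches` call is a filter rather than a generator, which is not obvious when reading the `exists` left to right. I would replace the comment with: `// Kinds are bound by the MaD sink rows; every kind prefixed 'credentials-' (e.g. 'credentials-password', 'credentials-username') is a hardcoded-credential sink, so model authors should reserve this prefix for secrets this query is meant to flag.` The `CredentialSink` characteristic predicate and the second `exists` continue past the end of the hunk.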