From df37b500516e7f633f0b640a12924bd35e34b2bf Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Thu, 7 May 2026 10:35:04 +0100
Subject: [PATCH] Shared: Small adjustment to the encrypt not-sensitive regex.
---
 .../Security/CWE-312/CleartextLogging.expected | 12 ------------
 .../test/query-tests/Security/CWE-312/passwords.js | 8 ++++----
 .../concepts/internal/SensitiveDataHeuristics.qll | 3 ++-
 3 files changed, 6 insertions(+), 17 deletions(-)
diff --git a/javascript/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected b/javascript/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected
index 77eefa87c2b..af9e0f485c2 100644
--- a/javascript/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected
@@ -9,9 +9,6 @@
 | passwords.js:16:17:16:38 | `${name ... sword}` | passwords.js:16:29:16:36 | password | passwords.js:16:17:16:38 | `${name ... sword}` | This logs sensitive data returned by $@ as clear text. | passwords.js:16:29:16:36 | password | an access to password |
 | passwords.js:21:17:21:20 | obj1 | passwords.js:19:19:19:19 | x | passwords.js:21:17:21:20 | obj1 | This logs sensitive data returned by $@ as clear text. | passwords.js:19:19:19:19 | x | an access to password |
 | passwords.js:26:17:26:20 | obj2 | passwords.js:24:12:24:19 | password | passwords.js:26:17:26:20 | obj2 | This logs sensitive data returned by $@ as clear text. | passwords.js:24:12:24:19 | password | an access to password |
-| passwords.js:41:17:41:37 | {passwo ... pt(pw)} | passwords.js:41:28:41:36 | crypt(pw) | passwords.js:41:17:41:37 | {passwo ... pt(pw)} | This logs sensitive data returned by $@ as clear text. | passwords.js:41:28:41:36 | crypt(pw) | an access to password |
-| passwords.js:43:17:43:40 | actuall ... assword | passwords.js:43:17:43:40 | actuall ... assword | passwords.js:43:17:43:40 | actuall ... assword | This logs sensitive data returned by $@ as clear text. | passwords.js:43:17:43:40 | actuall ... assword | an access to actually_secure_password |
-| passwords.js:47:17:47:21 | user1 | passwords.js:46:30:46:32 | x() | passwords.js:47:17:47:21 | user1 | This logs sensitive data returned by $@ as clear text. | passwords.js:46:30:46:32 | x() | an access to crypted_password |
 | passwords.js:78:17:78:38 | temp.en ... assword | passwords.js:77:37:77:53 | req.body.password | passwords.js:78:17:78:38 | temp.en ... assword | This logs sensitive data returned by $@ as clear text. | passwords.js:77:37:77:53 | req.body.password | an access to password |
 | passwords.js:81:17:81:31 | `pw: ${secret}` | passwords.js:80:18:80:25 | password | passwords.js:81:17:81:31 | `pw: ${secret}` | This logs sensitive data returned by $@ as clear text. | passwords.js:80:18:80:25 | password | an access to password |
 | passwords.js:93:21:93:46 | "Passwo ... assword | passwords.js:93:39:93:46 | password | passwords.js:93:21:93:46 | "Passwo ... assword | This logs sensitive data returned by $@ as clear text. | passwords.js:93:39:93:46 | password | an access to password |
@@ -55,9 +52,6 @@ edges
 | passwords.js:23:9:23:12 | obj2 [x] | passwords.js:26:17:26:20 | obj2 | provenance | |
 | passwords.js:23:16:25:5 | {\\n ... ]\\n } [x] | passwords.js:23:9:23:12 | obj2 [x] | provenance | |
 | passwords.js:24:12:24:19 | password | passwords.js:23:16:25:5 | {\\n ... ]\\n } [x] | provenance | |
-| passwords.js:41:28:41:36 | crypt(pw) | passwords.js:41:17:41:37 | {passwo ... pt(pw)} | provenance | |
-| passwords.js:46:5:46:9 | [post update] user1 [crypted_password] | passwords.js:47:17:47:21 | user1 | provenance | |
-| passwords.js:46:30:46:32 | x() | passwords.js:46:5:46:9 | [post update] user1 [crypted_password] | provenance | |
 | passwords.js:77:9:77:12 | temp [encryptedPassword] | passwords.js:78:17:78:20 | temp [encryptedPassword] | provenance | |
 | passwords.js:77:16:77:55 | { encry ... sword } [encryptedPassword] | passwords.js:77:9:77:12 | temp [encryptedPassword] | provenance | |
 | passwords.js:77:37:77:53 | req.body.password | passwords.js:77:16:77:55 | { encry ... sword } [encryptedPassword] | provenance | |
@@ -145,12 +139,6 @@ nodes
 | passwords.js:23:16:25:5 | {\\n ... ]\\n } [x] | semmle.label | {\\n ... ]\\n } [x] |
 | passwords.js:24:12:24:19 | password | semmle.label | password |
 | passwords.js:26:17:26:20 | obj2 | semmle.label | obj2 |
-| passwords.js:41:17:41:37 | {passwo ... pt(pw)} | semmle.label | {passwo ... pt(pw)} |
-| passwords.js:41:28:41:36 | crypt(pw) | semmle.label | crypt(pw) |
-| passwords.js:43:17:43:40 | actuall ... assword | semmle.label | actuall ... assword |
-| passwords.js:46:5:46:9 | [post update] user1 [crypted_password] | semmle.label | [post update] user1 [crypted_password] |
-| passwords.js:46:30:46:32 | x() | semmle.label | x() |
-| passwords.js:47:17:47:21 | user1 | semmle.label | user1 |
 | passwords.js:77:9:77:12 | temp [encryptedPassword] | semmle.label | temp [encryptedPassword] |
 | passwords.js:77:16:77:55 | { encry ... sword } [encryptedPassword] | semmle.label | { encry ... sword } [encryptedPassword] |
 | passwords.js:77:37:77:53 | req.body.password | semmle.label | req.body.password |
diff --git a/javascript/ql/test/query-tests/Security/CWE-312/passwords.js b/javascript/ql/test/query-tests/Security/CWE-312/passwords.js
index ed1c9785f23..47304946e39 100644
--- a/javascript/ql/test/query-tests/Security/CWE-312/passwords.js
+++ b/javascript/ql/test/query-tests/Security/CWE-312/passwords.js
@@ -38,13 +38,13 @@
  console.log(login.wrappedJSObject.encryptedPassword);
  console.log(HTML5QQ.encodedPassword);
- console.log({password: crypt(pw)}); // $ SPURIOUS: Alert[js/clear-text-logging]
+ console.log({password: crypt(pw)});
  var actually_secure_password = crypt(password);
- console.log(actually_secure_password); // $ SPURIOUS: Alert[js/clear-text-logging]
+ console.log(actually_secure_password);
  var user1 = {};
- user1.crypted_password = x(); // $ SPURIOUS: Source[js/clear-text-logging]
- console.log(user1); // $ SPURIOUS: Alert[js/clear-text-logging]
+ user1.crypted_password = x();
+ console.log(user1);
  var user2 = {};
  user2.password = hash();
diff --git a/shared/concepts/codeql/concepts/internal/SensitiveDataHeuristics.qll b/shared/concepts/codeql/concepts/internal/SensitiveDataHeuristics.qll
index 94619488f1a..13861dfdd25 100644
--- a/shared/concepts/codeql/concepts/internal/SensitiveDataHeuristics.qll
+++ b/shared/concepts/codeql/concepts/internal/SensitiveDataHeuristics.qll
@@ -151,7 +151,8 @@ module HeuristicNames {
  */
  string notSensitiveRegexp() {
    result =
-      "(?is).*([^\\w$.-]|redact|censor|obfuscate|hash|md5|sha|random|(?
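Review bot: Dropping the `$ SPURIOUS` annotations on the `crypt(pw)`, `actually_secure_password` and `user1.crypted_password` lines leaves those cases with no annotation at all, so the test no longer records that they are intentionally alert-free rather than silently lost; a comment on the first of them such as `// not flagged: name matches the not-sensitive crypt heuristic` would keep that intent visible. The regex change itself is truncated at the end of the qll hunk, so I cannot see which substring was added; if it is a bare `crypt`, it would presumably also match names like `decryptedPassword`, which carry a value that should stay sensitive. A positive case in this file, e.g. `console.log(decryptedPassword); // $ Alert[js/clear-text-logging]`, would pin that the broader exclusion does not swallow decrypted values. Whatever scope encloses these statements begins before the hunk.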