move new secret key sinks to existing CredentialsNode class,

add new additional global taint and dataflow steps
update tests of CWE-798
add a new sanitizer for `semmle.javascript.security.dataflow.HardcodedCredentialsQuery`

javascript/ql/lib/semmle/javascript/frameworks/JWT.qll

@@ -40,11 +40,163 @@ private module JsonWebToken {
   }
 
   /**
-   * The private key for a JWT as a `CredentialsNode`.
+   * The secret Or PublicKey for a JWT as a `CredentialsNode`.
    */
   private class JwtKey extends CredentialsNode {
-    JwtKey() { this = DataFlow::moduleMember("jsonwebtoken", "sign").getACall().getArgument(1) }
+    JwtKey() {
+      this =
+        API::moduleImport("jsonwebtoken").getMember(["sign", "verify"]).getParameter(1).asSink()
+    }
 
     override string getCredentialsKind() { result = "key" }
   }
 }
+
+/**
+ * Provides classes and predicates modeling the `jose` library.
+ */
+private module Jose {
+  /**
+   * A taint-step for `succ = await jose.importSPKI(pred, 'RS256')`.
+   */
+  private class ImportSpkiStep extends TaintTracking::SharedTaintStep, DataFlow::SharedFlowStep {
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      exists(API::Node n | n = API::moduleImport("jose").getMember("importSPKI") |
+        pred = n.getACall().getArgument(0) and
+        succ = n.getReturn().getPromised().asSource()
+      )
+    }
+  }
+
+  /**
+   * A taint-step for `succ = jose.base64url.encode(pred)` or `succ = jose.base64url.decode(pred)`.
+   */
+  private class Base64urlStep extends TaintTracking::SharedTaintStep, DataFlow::SharedFlowStep {
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      exists(API::Node n |
+        n = API::moduleImport("jose").getMember("base64url").getMember(["decode", "encode"])
+      |
+        pred = n.getACall().getArgument(0) and
+        succ = n.getACall()
+      )
+    }
+  }
+
+  /**
+   * The asymmetric key or symmetric secret for a JWT as a `CredentialsNode`.
+   */
+  private class JwtKey extends CredentialsNode {
+    JwtKey() { this = API::moduleImport("jose").getMember("jwtVerify").getParameter(1).asSink() }
+
+    override string getCredentialsKind() { result = "key" }
+  }
+}
+
+/**
+ * Provides classes and predicates modeling the `jwt-simple` library.
+ */
+private module JwtSimple {
+  /**
+   * The asymmetric key or symmetric secret for a JWT as a `CredentialsNode`.
+   */
+  private class JwtKey extends CredentialsNode {
+    JwtKey() { this = API::moduleImport("jwt-simple").getMember("decode").getParameter(1).asSink() }
+
+    override string getCredentialsKind() { result = "key" }
+  }
+}
+
+/**
+ * Provides classes and predicates modeling the `koa-jwt` library.
+ */
+private module KoaJwt {
+  /**
+   * The shared secret for a JWT as a `CredentialsNode`.
+   */
+  private class SharedSecret extends CredentialsNode {
+    SharedSecret() {
+      this = API::moduleImport("koa-jwt").getParameter(0).getMember("secret").asSink()
+    }
+
+    override string getCredentialsKind() { result = "key" }
+  }
+}
+
+/**
+ * Provides classes and predicates modeling the `express-jwt` library.
+ */
+private module ExpressJwt {
+  /**
+   * The shared secret for a JWT as a `CredentialsNode`.
+   */
+  private class SharedSecret extends CredentialsNode {
+    SharedSecret() {
+      this =
+        API::moduleImport("express-jwt")
+            .getMember("expressjwt")
+            .getParameter(0)
+            .getMember("secret")
+            .asSink()
+    }
+
+    override string getCredentialsKind() { result = "key" }
+  }
+}
+
+/**
+ * Provides classes and predicates modeling the `passport-jwt` library.
+ */
+private module PassportJwt {
+  /**
+   * The secret (symmetric) or PEM-encoded public key (asymmetric) for a JWT as a `CredentialsNode`.
+   */
+  private class JwtKey extends CredentialsNode {
+    JwtKey() {
+      this =
+        API::moduleImport("passport-jwt")
+            .getMember("Strategy")
+            .getParameter(0)
+            .getMember("secretOrKey")
+            .asSink()
+      or
+      this =
+        API::moduleImport("passport-jwt")
+            .getMember("Strategy")
+            .getParameter(0)
+            .getMember("secretOrKeyProvider")
+            .getParameter(2)
+            .getParameter(1)
+            .asSink()
+    }
+
+    override string getCredentialsKind() { result = "key" }
+  }
+}
+
+/**
+ * A taint-step for `succ = new TextEncoder().encode(pred)`.
+ */
+private class TextEncoderStep extends TaintTracking::SharedTaintStep, DataFlow::SharedFlowStep {
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(DataFlow::CallNode n, DataFlow::NewNode nn |
+      n.getCalleeName() = "encode" and
+      nn.flowsTo(n.getReceiver()) and
+      nn.getCalleeName() = "TextEncoder"
+    |
+      pred = n.getArgument(0) and
+      succ = n
+    )
+  }
+}
+
+/**
+ * A taint-step for `succ = Buffer.from(pred, "base64")`.
+ */
+private class BufferFromStep extends TaintTracking::SharedTaintStep, DataFlow::SharedFlowStep {
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(DataFlow::CallNode n | n = DataFlow::globalVarRef("Buffer").getAMemberCall("from") |
+      pred = n.getArgument(0) and
+      succ = [n, n.getAChainedMethodCall(["toString", "toJSON"])]
+    )
+  }
+}

javascript/ql/lib/semmle/javascript/frameworks/Next.qll

@@ -255,4 +255,20 @@ module NextJS {
           .getMember("router")
           .asSource()
   }
+
+  /**
+   * Provides classes and predicates modeling the `next-auth` library.
+   */
+  private module NextAuth {
+    /**
+     * A random string used to hash tokens, sign cookies and generate cryptographic keys as a `CredentialsNode`.
+     */
+    private class SecretKey extends CredentialsNode {
+      SecretKey() {
+        this = API::moduleImport("next-auth").getParameter(0).getMember("secret").asSink()
+      }
+
+      override string getCredentialsKind() { result = "key" }
+    }
+  }
 }

javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsCustomizations.qll

@@ -32,6 +32,16 @@ module HardcodedCredentials {
     ConstantStringSource() { not astNode.getStringValue() = "" }
   }
 
+  class NonProductionFiles extends Sanitizer {
+    NonProductionFiles() {
+      this.getFile()
+          .getLocation()
+          .hasLocationInfo(any(string s |
+              s.regexpMatch(["/.*test[.].*", "/.*demo[.].*", "/.*example[.].*", "/.*sample[.].*"])
+            ), _, _, _, _)
+    }
+  }
+
   /**
    * A subclass of `Sink` that includes every `CredentialsNode`
    * as a credentials sink.

javascript/ql/test/query-tests/Security/CWE-347-HardCodedKey/jwtConstantKey.expected

@@ -1,109 +1,3 @@
 nodes
-| Config.js:2:12:2:19 | "secret" |
-| Config.js:2:12:2:19 | "secret" |
-| ExpressJWT.js:5:36:5:46 | getSecret() |
-| ExpressJWT.js:5:36:5:46 | getSecret() |
-| ExpressJWT.js:12:13:12:46 | Buffer. ... ase64") |
-| ExpressJWT.js:12:13:12:46 | Buffer. ... ase64") |
-| ExpressJWT.js:12:25:12:35 | getSecret() |
-| jwtConstantKey.js:5:46:5:56 | getSecret() |
-| jwtConstantKey.js:5:46:5:56 | getSecret() |
-| jwtConstantKey.js:6:43:6:53 | getSecret() |
-| jwtConstantKey.js:6:43:6:53 | getSecret() |
-| jwtConstantKey.js:12:68:12:104 | new Tex ... cret()) |
-| jwtConstantKey.js:12:68:12:104 | new Tex ... cret()) |
-| jwtConstantKey.js:12:93:12:103 | getSecret() |
-| jwtConstantKey.js:21:7:29:25 | spki |
-| jwtConstantKey.js:21:14:29:25 | `-----B ... Y-----` |
-| jwtConstantKey.js:21:14:29:25 | `-----B ... Y-----` |
-| jwtConstantKey.js:34:9:34:52 | publicKey |
-| jwtConstantKey.js:34:21:34:52 | await j ... i, alg) |
-| jwtConstantKey.js:34:43:34:46 | spki |
-| jwtConstantKey.js:35:65:35:73 | publicKey |
-| jwtConstantKey.js:35:65:35:73 | publicKey |
-| jwtConstantKey.js:51:42:51:52 | getSecret() |
-| jwtConstantKey.js:51:42:51:59 | getSecret() + "fj" |
-| jwtConstantKey.js:51:42:51:59 | getSecret() + "fj" |
-| jwtConstantKey.js:51:42:51:59 | getSecret() + "fj" |
-| jwtConstantKey.js:51:56:51:59 | "fj" |
-| jwtConstantKey.js:51:56:51:59 | "fj" |
-| jwtNoVerification.js:5:46:5:56 | getSecret() |
-| jwtNoVerification.js:5:46:5:56 | getSecret() |
-| jwtNoVerification.js:19:26:19:36 | getSecret() |
-| jwtNoVerification.js:19:26:19:36 | getSecret() |
-| koaJWT.js:29:22:29:32 | getSecret() |
-| koaJWT.js:29:22:29:32 | getSecret() |
-| netxAuth.js:10:13:10:23 | getSecret() |
-| netxAuth.js:10:13:10:23 | getSecret() |
-| passportJWT.js:6:20:6:30 | getSecret() |
-| passportJWT.js:6:20:6:30 | getSecret() |
 edges
-| Config.js:2:12:2:19 | "secret" | ExpressJWT.js:5:36:5:46 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | ExpressJWT.js:5:36:5:46 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | ExpressJWT.js:5:36:5:46 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | ExpressJWT.js:5:36:5:46 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | ExpressJWT.js:12:25:12:35 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | ExpressJWT.js:12:25:12:35 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | jwtConstantKey.js:5:46:5:56 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | jwtConstantKey.js:5:46:5:56 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | jwtConstantKey.js:5:46:5:56 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | jwtConstantKey.js:5:46:5:56 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | jwtConstantKey.js:6:43:6:53 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | jwtConstantKey.js:6:43:6:53 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | jwtConstantKey.js:6:43:6:53 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | jwtConstantKey.js:6:43:6:53 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | jwtConstantKey.js:12:93:12:103 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | jwtConstantKey.js:12:93:12:103 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | jwtConstantKey.js:51:42:51:52 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | jwtConstantKey.js:51:42:51:52 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | jwtNoVerification.js:5:46:5:56 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | jwtNoVerification.js:5:46:5:56 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | jwtNoVerification.js:5:46:5:56 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | jwtNoVerification.js:5:46:5:56 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | jwtNoVerification.js:19:26:19:36 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | jwtNoVerification.js:19:26:19:36 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | jwtNoVerification.js:19:26:19:36 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | jwtNoVerification.js:19:26:19:36 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | koaJWT.js:29:22:29:32 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | koaJWT.js:29:22:29:32 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | koaJWT.js:29:22:29:32 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | koaJWT.js:29:22:29:32 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | netxAuth.js:10:13:10:23 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | netxAuth.js:10:13:10:23 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | netxAuth.js:10:13:10:23 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | netxAuth.js:10:13:10:23 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | passportJWT.js:6:20:6:30 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | passportJWT.js:6:20:6:30 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | passportJWT.js:6:20:6:30 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | passportJWT.js:6:20:6:30 | getSecret() |
-| ExpressJWT.js:12:25:12:35 | getSecret() | ExpressJWT.js:12:13:12:46 | Buffer. ... ase64") |
-| ExpressJWT.js:12:25:12:35 | getSecret() | ExpressJWT.js:12:13:12:46 | Buffer. ... ase64") |
-| jwtConstantKey.js:12:93:12:103 | getSecret() | jwtConstantKey.js:12:68:12:104 | new Tex ... cret()) |
-| jwtConstantKey.js:12:93:12:103 | getSecret() | jwtConstantKey.js:12:68:12:104 | new Tex ... cret()) |
-| jwtConstantKey.js:21:7:29:25 | spki | jwtConstantKey.js:34:43:34:46 | spki |
-| jwtConstantKey.js:21:14:29:25 | `-----B ... Y-----` | jwtConstantKey.js:21:7:29:25 | spki |
-| jwtConstantKey.js:21:14:29:25 | `-----B ... Y-----` | jwtConstantKey.js:21:7:29:25 | spki |
-| jwtConstantKey.js:34:9:34:52 | publicKey | jwtConstantKey.js:35:65:35:73 | publicKey |
-| jwtConstantKey.js:34:9:34:52 | publicKey | jwtConstantKey.js:35:65:35:73 | publicKey |
-| jwtConstantKey.js:34:21:34:52 | await j ... i, alg) | jwtConstantKey.js:34:9:34:52 | publicKey |
-| jwtConstantKey.js:34:43:34:46 | spki | jwtConstantKey.js:34:21:34:52 | await j ... i, alg) |
-| jwtConstantKey.js:51:42:51:52 | getSecret() | jwtConstantKey.js:51:42:51:59 | getSecret() + "fj" |
-| jwtConstantKey.js:51:42:51:52 | getSecret() | jwtConstantKey.js:51:42:51:59 | getSecret() + "fj" |
-| jwtConstantKey.js:51:56:51:59 | "fj" | jwtConstantKey.js:51:42:51:59 | getSecret() + "fj" |
-| jwtConstantKey.js:51:56:51:59 | "fj" | jwtConstantKey.js:51:42:51:59 | getSecret() + "fj" |
-| jwtConstantKey.js:51:56:51:59 | "fj" | jwtConstantKey.js:51:42:51:59 | getSecret() + "fj" |
-| jwtConstantKey.js:51:56:51:59 | "fj" | jwtConstantKey.js:51:42:51:59 | getSecret() + "fj" |
 #select
-| ExpressJWT.js:5:36:5:46 | getSecret() | Config.js:2:12:2:19 | "secret" | ExpressJWT.js:5:36:5:46 | getSecret() | this $@. is used as a secret key | Config.js:2:12:2:19 | "secret" | Constant |
-| ExpressJWT.js:12:13:12:46 | Buffer. ... ase64") | Config.js:2:12:2:19 | "secret" | ExpressJWT.js:12:13:12:46 | Buffer. ... ase64") | this $@. is used as a secret key | Config.js:2:12:2:19 | "secret" | Constant |
-| jwtConstantKey.js:5:46:5:56 | getSecret() | Config.js:2:12:2:19 | "secret" | jwtConstantKey.js:5:46:5:56 | getSecret() | this $@. is used as a secret key | Config.js:2:12:2:19 | "secret" | Constant |
-| jwtConstantKey.js:6:43:6:53 | getSecret() | Config.js:2:12:2:19 | "secret" | jwtConstantKey.js:6:43:6:53 | getSecret() | this $@. is used as a secret key | Config.js:2:12:2:19 | "secret" | Constant |
-| jwtConstantKey.js:12:68:12:104 | new Tex ... cret()) | Config.js:2:12:2:19 | "secret" | jwtConstantKey.js:12:68:12:104 | new Tex ... cret()) | this $@. is used as a secret key | Config.js:2:12:2:19 | "secret" | Constant |
-| jwtConstantKey.js:35:65:35:73 | publicKey | jwtConstantKey.js:21:14:29:25 | `-----B ... Y-----` | jwtConstantKey.js:35:65:35:73 | publicKey | this $@. is used as a secret key | jwtConstantKey.js:21:14:29:25 | `-----B ... Y-----` | Constant |
-| jwtConstantKey.js:51:42:51:59 | getSecret() + "fj" | Config.js:2:12:2:19 | "secret" | jwtConstantKey.js:51:42:51:59 | getSecret() + "fj" | this $@. is used as a secret key | Config.js:2:12:2:19 | "secret" | Constant |
-| jwtConstantKey.js:51:42:51:59 | getSecret() + "fj" | jwtConstantKey.js:51:56:51:59 | "fj" | jwtConstantKey.js:51:42:51:59 | getSecret() + "fj" | this $@. is used as a secret key | jwtConstantKey.js:51:56:51:59 | "fj" | Constant |
-| jwtNoVerification.js:5:46:5:56 | getSecret() | Config.js:2:12:2:19 | "secret" | jwtNoVerification.js:5:46:5:56 | getSecret() | this $@. is used as a secret key | Config.js:2:12:2:19 | "secret" | Constant |
-| jwtNoVerification.js:19:26:19:36 | getSecret() | Config.js:2:12:2:19 | "secret" | jwtNoVerification.js:19:26:19:36 | getSecret() | this $@. is used as a secret key | Config.js:2:12:2:19 | "secret" | Constant |
-| koaJWT.js:29:22:29:32 | getSecret() | Config.js:2:12:2:19 | "secret" | koaJWT.js:29:22:29:32 | getSecret() | this $@. is used as a secret key | Config.js:2:12:2:19 | "secret" | Constant |
-| netxAuth.js:10:13:10:23 | getSecret() | Config.js:2:12:2:19 | "secret" | netxAuth.js:10:13:10:23 | getSecret() | this $@. is used as a secret key | Config.js:2:12:2:19 | "secret" | Constant |
-| passportJWT.js:6:20:6:30 | getSecret() | Config.js:2:12:2:19 | "secret" | passportJWT.js:6:20:6:30 | getSecret() | this $@. is used as a secret key | Config.js:2:12:2:19 | "secret" | Constant |

javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected

@@ -5,22 +5,22 @@ nodes
 | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' |
 | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' |
 | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' |
-| HardcodedCredentials.js:15:36:15:50 | "user:hgfedcba" |
-| HardcodedCredentials.js:15:36:15:50 | "user:hgfedcba" |
-| HardcodedCredentials.js:15:36:15:50 | "user:hgfedcba" |
-| HardcodedCredentials.js:16:37:16:51 | "user:hgfedcba" |
-| HardcodedCredentials.js:16:37:16:51 | "user:hgfedcba" |
-| HardcodedCredentials.js:16:37:16:51 | "user:hgfedcba" |
+| HardcodedCredentials.js:15:37:15:51 | "user:hgfedcba" |
+| HardcodedCredentials.js:15:37:15:51 | "user:hgfedcba" |
+| HardcodedCredentials.js:15:37:15:51 | "user:hgfedcba" |
+| HardcodedCredentials.js:16:38:16:52 | "user:hgfedcba" |
+| HardcodedCredentials.js:16:38:16:52 | "user:hgfedcba" |
+| HardcodedCredentials.js:16:38:16:52 | "user:hgfedcba" |
 | HardcodedCredentials.js:18:16:18:30 | "user:hgfedcba" |
 | HardcodedCredentials.js:18:16:18:30 | "user:hgfedcba" |
-| HardcodedCredentials.js:20:36:20:51 | getCredentials() |
-| HardcodedCredentials.js:20:36:20:51 | getCredentials() |
-| HardcodedCredentials.js:27:25:27:31 | 'admin' |
-| HardcodedCredentials.js:27:25:27:31 | 'admin' |
-| HardcodedCredentials.js:27:25:27:31 | 'admin' |
-| HardcodedCredentials.js:27:34:27:43 | 'hgfedcba' |
-| HardcodedCredentials.js:27:34:27:43 | 'hgfedcba' |
-| HardcodedCredentials.js:27:34:27:43 | 'hgfedcba' |
+| HardcodedCredentials.js:20:37:20:52 | getCredentials() |
+| HardcodedCredentials.js:20:37:20:52 | getCredentials() |
+| HardcodedCredentials.js:27:26:27:32 | 'admin' |
+| HardcodedCredentials.js:27:26:27:32 | 'admin' |
+| HardcodedCredentials.js:27:26:27:32 | 'admin' |
+| HardcodedCredentials.js:27:35:27:44 | 'hgfedcba' |
+| HardcodedCredentials.js:27:35:27:44 | 'hgfedcba' |
+| HardcodedCredentials.js:27:35:27:44 | 'hgfedcba' |
 | HardcodedCredentials.js:29:11:29:30 | 'unknown-admin-name' |
 | HardcodedCredentials.js:29:11:29:30 | 'unknown-admin-name' |
 | HardcodedCredentials.js:29:11:29:30 | 'unknown-admin-name' |
@@ -150,18 +150,18 @@ nodes
 | HardcodedCredentials.js:131:52:131:61 | 'hgfedcba' |
 | HardcodedCredentials.js:131:52:131:61 | 'hgfedcba' |
 | HardcodedCredentials.js:131:52:131:61 | 'hgfedcba' |
-| HardcodedCredentials.js:135:41:135:50 | "hgfedcba" |
-| HardcodedCredentials.js:135:41:135:50 | "hgfedcba" |
-| HardcodedCredentials.js:135:41:135:50 | "hgfedcba" |
-| HardcodedCredentials.js:160:38:160:48 | "change_me" |
-| HardcodedCredentials.js:160:38:160:48 | "change_me" |
-| HardcodedCredentials.js:160:38:160:48 | "change_me" |
-| HardcodedCredentials.js:161:41:161:51 | 'change_me' |
-| HardcodedCredentials.js:161:41:161:51 | 'change_me' |
-| HardcodedCredentials.js:161:41:161:51 | 'change_me' |
-| HardcodedCredentials.js:164:35:164:45 | 'change_me' |
-| HardcodedCredentials.js:164:35:164:45 | 'change_me' |
-| HardcodedCredentials.js:164:35:164:45 | 'change_me' |
+| HardcodedCredentials.js:135:45:135:54 | "hgfedcba" |
+| HardcodedCredentials.js:135:45:135:54 | "hgfedcba" |
+| HardcodedCredentials.js:135:45:135:54 | "hgfedcba" |
+| HardcodedCredentials.js:160:41:160:51 | "change_me" |
+| HardcodedCredentials.js:160:41:160:51 | "change_me" |
+| HardcodedCredentials.js:160:41:160:51 | "change_me" |
+| HardcodedCredentials.js:161:44:161:54 | 'change_me' |
+| HardcodedCredentials.js:161:44:161:54 | 'change_me' |
+| HardcodedCredentials.js:161:44:161:54 | 'change_me' |
+| HardcodedCredentials.js:164:39:164:49 | 'change_me' |
+| HardcodedCredentials.js:164:39:164:49 | 'change_me' |
+| HardcodedCredentials.js:164:39:164:49 | 'change_me' |
 | HardcodedCredentials.js:171:11:171:25 | USER |
 | HardcodedCredentials.js:171:18:171:25 | 'sdsdag' |
 | HardcodedCredentials.js:171:18:171:25 | 'sdsdag' |
@@ -202,17 +202,22 @@ nodes
 | HardcodedCredentials.js:231:11:231:29 | username |
 | HardcodedCredentials.js:231:22:231:29 | 'sdsdag' |
 | HardcodedCredentials.js:231:22:231:29 | 'sdsdag' |
-| HardcodedCredentials.js:237:24:237:91 | 'Basic  ... ase64') |
-| HardcodedCredentials.js:237:24:237:91 | 'Basic  ... ase64') |
-| HardcodedCredentials.js:237:35:237:72 | Buffer. ... ssword) |
-| HardcodedCredentials.js:237:35:237:91 | Buffer. ... ase64') |
-| HardcodedCredentials.js:237:47:237:54 | username |
-| HardcodedCredentials.js:237:47:237:71 | usernam ... assword |
+| HardcodedCredentials.js:237:28:237:95 | 'Basic  ... ase64') |
+| HardcodedCredentials.js:237:28:237:95 | 'Basic  ... ase64') |
+| HardcodedCredentials.js:237:39:237:76 | Buffer. ... ssword) |
+| HardcodedCredentials.js:237:39:237:95 | Buffer. ... ase64') |
+| HardcodedCredentials.js:237:51:237:58 | username |
+| HardcodedCredentials.js:237:51:237:75 | usernam ... assword |
 | HardcodedCredentials.js:245:9:245:44 | privateKey |
 | HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" |
 | HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" |
 | HardcodedCredentials.js:246:42:246:51 | privateKey |
 | HardcodedCredentials.js:246:42:246:51 | privateKey |
+| HardcodedCredentials.js:248:9:248:42 | publicKey |
+| HardcodedCredentials.js:248:21:248:42 | "myHard ... licKey" |
+| HardcodedCredentials.js:248:21:248:42 | "myHard ... licKey" |
+| HardcodedCredentials.js:249:23:249:31 | publicKey |
+| HardcodedCredentials.js:249:23:249:31 | publicKey |
 | HardcodedCredentials.js:260:30:260:40 | `Basic foo` |
 | HardcodedCredentials.js:260:30:260:40 | `Basic foo` |
 | HardcodedCredentials.js:260:30:260:40 | `Basic foo` |
@@ -223,42 +228,42 @@ nodes
 | HardcodedCredentials.js:268:39:268:46 | 'Bearer' |
 | HardcodedCredentials.js:268:50:268:56 | 'OAuth' |
 | HardcodedCredentials.js:268:50:268:56 | 'OAuth' |
-| HardcodedCredentials.js:275:36:275:59 | "user:{ ... ERE }}" |
-| HardcodedCredentials.js:275:36:275:59 | "user:{ ... ERE }}" |
-| HardcodedCredentials.js:275:36:275:59 | "user:{ ... ERE }}" |
-| HardcodedCredentials.js:276:36:276:65 | "user:t ... ERE }}" |
-| HardcodedCredentials.js:276:36:276:65 | "user:t ... ERE }}" |
-| HardcodedCredentials.js:276:36:276:65 | "user:t ... ERE }}" |
-| HardcodedCredentials.js:277:36:277:57 | "user:( ... HERE )" |
-| HardcodedCredentials.js:277:36:277:57 | "user:( ... HERE )" |
-| HardcodedCredentials.js:277:36:277:57 | "user:( ... HERE )" |
-| HardcodedCredentials.js:278:36:278:64 | "user:{ ... ken }}" |
-| HardcodedCredentials.js:278:36:278:64 | "user:{ ... ken }}" |
-| HardcodedCredentials.js:278:36:278:64 | "user:{ ... ken }}" |
-| HardcodedCredentials.js:279:36:279:50 | "user:abcdefgh" |
-| HardcodedCredentials.js:279:36:279:50 | "user:abcdefgh" |
-| HardcodedCredentials.js:279:36:279:50 | "user:abcdefgh" |
-| HardcodedCredentials.js:280:36:280:50 | "user:12345678" |
-| HardcodedCredentials.js:280:36:280:50 | "user:12345678" |
-| HardcodedCredentials.js:280:36:280:50 | "user:12345678" |
-| HardcodedCredentials.js:281:36:281:45 | "user:foo" |
-| HardcodedCredentials.js:281:36:281:45 | "user:foo" |
-| HardcodedCredentials.js:281:36:281:45 | "user:foo" |
-| HardcodedCredentials.js:282:36:282:52 | "user:mypassword" |
-| HardcodedCredentials.js:282:36:282:52 | "user:mypassword" |
-| HardcodedCredentials.js:282:36:282:52 | "user:mypassword" |
-| HardcodedCredentials.js:283:36:283:49 | "user:mytoken" |
-| HardcodedCredentials.js:283:36:283:49 | "user:mytoken" |
-| HardcodedCredentials.js:283:36:283:49 | "user:mytoken" |
-| HardcodedCredentials.js:284:36:284:52 | "user:fake token" |
-| HardcodedCredentials.js:284:36:284:52 | "user:fake token" |
-| HardcodedCredentials.js:284:36:284:52 | "user:fake token" |
-| HardcodedCredentials.js:285:36:285:46 | "user:dcba" |
-| HardcodedCredentials.js:285:36:285:46 | "user:dcba" |
-| HardcodedCredentials.js:285:36:285:46 | "user:dcba" |
-| HardcodedCredentials.js:286:36:286:55 | "user:custom string" |
-| HardcodedCredentials.js:286:36:286:55 | "user:custom string" |
-| HardcodedCredentials.js:286:36:286:55 | "user:custom string" |
+| HardcodedCredentials.js:275:37:275:60 | "user:{ ... ERE }}" |
+| HardcodedCredentials.js:275:37:275:60 | "user:{ ... ERE }}" |
+| HardcodedCredentials.js:275:37:275:60 | "user:{ ... ERE }}" |
+| HardcodedCredentials.js:276:37:276:66 | "user:t ... ERE }}" |
+| HardcodedCredentials.js:276:37:276:66 | "user:t ... ERE }}" |
+| HardcodedCredentials.js:276:37:276:66 | "user:t ... ERE }}" |
+| HardcodedCredentials.js:277:37:277:58 | "user:( ... HERE )" |
+| HardcodedCredentials.js:277:37:277:58 | "user:( ... HERE )" |
+| HardcodedCredentials.js:277:37:277:58 | "user:( ... HERE )" |
+| HardcodedCredentials.js:278:37:278:65 | "user:{ ... ken }}" |
+| HardcodedCredentials.js:278:37:278:65 | "user:{ ... ken }}" |
+| HardcodedCredentials.js:278:37:278:65 | "user:{ ... ken }}" |
+| HardcodedCredentials.js:279:37:279:51 | "user:abcdefgh" |
+| HardcodedCredentials.js:279:37:279:51 | "user:abcdefgh" |
+| HardcodedCredentials.js:279:37:279:51 | "user:abcdefgh" |
+| HardcodedCredentials.js:280:37:280:51 | "user:12345678" |
+| HardcodedCredentials.js:280:37:280:51 | "user:12345678" |
+| HardcodedCredentials.js:280:37:280:51 | "user:12345678" |
+| HardcodedCredentials.js:281:37:281:46 | "user:foo" |
+| HardcodedCredentials.js:281:37:281:46 | "user:foo" |
+| HardcodedCredentials.js:281:37:281:46 | "user:foo" |
+| HardcodedCredentials.js:282:37:282:53 | "user:mypassword" |
+| HardcodedCredentials.js:282:37:282:53 | "user:mypassword" |
+| HardcodedCredentials.js:282:37:282:53 | "user:mypassword" |
+| HardcodedCredentials.js:283:37:283:50 | "user:mytoken" |
+| HardcodedCredentials.js:283:37:283:50 | "user:mytoken" |
+| HardcodedCredentials.js:283:37:283:50 | "user:mytoken" |
+| HardcodedCredentials.js:284:37:284:53 | "user:fake token" |
+| HardcodedCredentials.js:284:37:284:53 | "user:fake token" |
+| HardcodedCredentials.js:284:37:284:53 | "user:fake token" |
+| HardcodedCredentials.js:285:37:285:47 | "user:dcba" |
+| HardcodedCredentials.js:285:37:285:47 | "user:dcba" |
+| HardcodedCredentials.js:285:37:285:47 | "user:dcba" |
+| HardcodedCredentials.js:286:37:286:56 | "user:custom string" |
+| HardcodedCredentials.js:286:37:286:56 | "user:custom string" |
+| HardcodedCredentials.js:286:37:286:56 | "user:custom string" |
 | HardcodedCredentials.js:292:37:292:57 | `Basic  ... sdsdag` |
 | HardcodedCredentials.js:292:37:292:57 | `Basic  ... sdsdag` |
 | HardcodedCredentials.js:292:37:292:57 | `Basic  ... sdsdag` |
@@ -271,17 +276,61 @@ nodes
 | HardcodedCredentials.js:295:37:295:66 | `Basic  ... 000001` |
 | HardcodedCredentials.js:295:37:295:66 | `Basic  ... 000001` |
 | HardcodedCredentials.js:295:37:295:66 | `Basic  ... 000001` |
+| HardcodedCredentials.js:302:9:302:44 | privateKey |
+| HardcodedCredentials.js:302:22:302:44 | "myHard ... ateKey" |
+| HardcodedCredentials.js:302:22:302:44 | "myHard ... ateKey" |
+| HardcodedCredentials.js:303:34:303:43 | privateKey |
+| HardcodedCredentials.js:303:34:303:43 | privateKey |
+| HardcodedCredentials.js:310:9:310:44 | privateKey |
+| HardcodedCredentials.js:310:22:310:44 | "myHard ... ateKey" |
+| HardcodedCredentials.js:310:22:310:44 | "myHard ... ateKey" |
+| HardcodedCredentials.js:311:27:311:62 | new Tex ... ateKey) |
+| HardcodedCredentials.js:311:27:311:62 | new Tex ... ateKey) |
+| HardcodedCredentials.js:311:52:311:61 | privateKey |
+| HardcodedCredentials.js:314:11:317:29 | spki |
+| HardcodedCredentials.js:314:18:317:29 | `-----B ... Y-----` |
+| HardcodedCredentials.js:314:18:317:29 | `-----B ... Y-----` |
+| HardcodedCredentials.js:318:11:318:58 | publicKey |
+| HardcodedCredentials.js:318:23:318:58 | await j ... RS256') |
+| HardcodedCredentials.js:318:45:318:48 | spki |
+| HardcodedCredentials.js:319:27:319:35 | publicKey |
+| HardcodedCredentials.js:319:27:319:35 | publicKey |
+| HardcodedCredentials.js:325:9:325:43 | secretKey |
+| HardcodedCredentials.js:325:21:325:43 | "myHard ... ateKey" |
+| HardcodedCredentials.js:325:21:325:43 | "myHard ... ateKey" |
+| HardcodedCredentials.js:330:21:330:29 | secretKey |
+| HardcodedCredentials.js:330:21:330:29 | secretKey |
+| HardcodedCredentials.js:341:21:341:52 | Buffer. ... ase64") |
+| HardcodedCredentials.js:341:21:341:52 | Buffer. ... ase64") |
+| HardcodedCredentials.js:341:33:341:41 | secretKey |
+| HardcodedCredentials.js:356:9:356:43 | secretKey |
+| HardcodedCredentials.js:356:21:356:43 | "myHard ... ateKey" |
+| HardcodedCredentials.js:356:21:356:43 | "myHard ... ateKey" |
+| HardcodedCredentials.js:359:24:359:32 | secretKey |
+| HardcodedCredentials.js:359:24:359:32 | secretKey |
+| HardcodedCredentials.js:366:31:366:39 | secretKey |
+| HardcodedCredentials.js:366:31:366:39 | secretKey |
+| HardcodedCredentials.js:377:9:377:43 | secretKey |
+| HardcodedCredentials.js:377:21:377:43 | "myHard ... ateKey" |
+| HardcodedCredentials.js:377:21:377:43 | "myHard ... ateKey" |
+| HardcodedCredentials.js:380:17:380:25 | secretKey |
+| HardcodedCredentials.js:380:17:380:25 | secretKey |
+| HardcodedCredentials.js:395:9:395:43 | secretKey |
+| HardcodedCredentials.js:395:21:395:43 | "myHard ... ateKey" |
+| HardcodedCredentials.js:395:21:395:43 | "myHard ... ateKey" |
+| HardcodedCredentials.js:397:27:397:35 | secretKey |
+| HardcodedCredentials.js:397:27:397:35 | secretKey |
 edges
 | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' |
 | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' |
-| HardcodedCredentials.js:15:36:15:50 | "user:hgfedcba" | HardcodedCredentials.js:15:36:15:50 | "user:hgfedcba" |
-| HardcodedCredentials.js:16:37:16:51 | "user:hgfedcba" | HardcodedCredentials.js:16:37:16:51 | "user:hgfedcba" |
-| HardcodedCredentials.js:18:16:18:30 | "user:hgfedcba" | HardcodedCredentials.js:20:36:20:51 | getCredentials() |
-| HardcodedCredentials.js:18:16:18:30 | "user:hgfedcba" | HardcodedCredentials.js:20:36:20:51 | getCredentials() |
-| HardcodedCredentials.js:18:16:18:30 | "user:hgfedcba" | HardcodedCredentials.js:20:36:20:51 | getCredentials() |
-| HardcodedCredentials.js:18:16:18:30 | "user:hgfedcba" | HardcodedCredentials.js:20:36:20:51 | getCredentials() |
-| HardcodedCredentials.js:27:25:27:31 | 'admin' | HardcodedCredentials.js:27:25:27:31 | 'admin' |
-| HardcodedCredentials.js:27:34:27:43 | 'hgfedcba' | HardcodedCredentials.js:27:34:27:43 | 'hgfedcba' |
+| HardcodedCredentials.js:15:37:15:51 | "user:hgfedcba" | HardcodedCredentials.js:15:37:15:51 | "user:hgfedcba" |
+| HardcodedCredentials.js:16:38:16:52 | "user:hgfedcba" | HardcodedCredentials.js:16:38:16:52 | "user:hgfedcba" |
+| HardcodedCredentials.js:18:16:18:30 | "user:hgfedcba" | HardcodedCredentials.js:20:37:20:52 | getCredentials() |
+| HardcodedCredentials.js:18:16:18:30 | "user:hgfedcba" | HardcodedCredentials.js:20:37:20:52 | getCredentials() |
+| HardcodedCredentials.js:18:16:18:30 | "user:hgfedcba" | HardcodedCredentials.js:20:37:20:52 | getCredentials() |
+| HardcodedCredentials.js:18:16:18:30 | "user:hgfedcba" | HardcodedCredentials.js:20:37:20:52 | getCredentials() |
+| HardcodedCredentials.js:27:26:27:32 | 'admin' | HardcodedCredentials.js:27:26:27:32 | 'admin' |
+| HardcodedCredentials.js:27:35:27:44 | 'hgfedcba' | HardcodedCredentials.js:27:35:27:44 | 'hgfedcba' |
 | HardcodedCredentials.js:29:11:29:30 | 'unknown-admin-name' | HardcodedCredentials.js:29:11:29:30 | 'unknown-admin-name' |
 | HardcodedCredentials.js:29:35:29:44 | 'hgfedcba' | HardcodedCredentials.js:29:35:29:44 | 'hgfedcba' |
 | HardcodedCredentials.js:35:15:35:24 | 'username' | HardcodedCredentials.js:35:15:35:24 | 'username' |
@@ -325,10 +374,10 @@ edges
 | HardcodedCredentials.js:113:19:113:28 | 'hgfedcba' | HardcodedCredentials.js:113:19:113:28 | 'hgfedcba' |
 | HardcodedCredentials.js:130:44:130:53 | 'hgfedcba' | HardcodedCredentials.js:130:44:130:53 | 'hgfedcba' |
 | HardcodedCredentials.js:131:52:131:61 | 'hgfedcba' | HardcodedCredentials.js:131:52:131:61 | 'hgfedcba' |
-| HardcodedCredentials.js:135:41:135:50 | "hgfedcba" | HardcodedCredentials.js:135:41:135:50 | "hgfedcba" |
-| HardcodedCredentials.js:160:38:160:48 | "change_me" | HardcodedCredentials.js:160:38:160:48 | "change_me" |
-| HardcodedCredentials.js:161:41:161:51 | 'change_me' | HardcodedCredentials.js:161:41:161:51 | 'change_me' |
-| HardcodedCredentials.js:164:35:164:45 | 'change_me' | HardcodedCredentials.js:164:35:164:45 | 'change_me' |
+| HardcodedCredentials.js:135:45:135:54 | "hgfedcba" | HardcodedCredentials.js:135:45:135:54 | "hgfedcba" |
+| HardcodedCredentials.js:160:41:160:51 | "change_me" | HardcodedCredentials.js:160:41:160:51 | "change_me" |
+| HardcodedCredentials.js:161:44:161:54 | 'change_me' | HardcodedCredentials.js:161:44:161:54 | 'change_me' |
+| HardcodedCredentials.js:164:39:164:49 | 'change_me' | HardcodedCredentials.js:164:39:164:49 | 'change_me' |
 | HardcodedCredentials.js:171:11:171:25 | USER | HardcodedCredentials.js:173:35:173:38 | USER |
 | HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:171:11:171:25 | USER |
 | HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:171:11:171:25 | USER |
@@ -364,18 +413,23 @@ edges
 | HardcodedCredentials.js:216:43:216:46 | PASS | HardcodedCredentials.js:216:32:216:48 | `${USER}:${PASS}` |
 | HardcodedCredentials.js:221:46:221:49 | AUTH | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` |
 | HardcodedCredentials.js:221:46:221:49 | AUTH | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` |
-| HardcodedCredentials.js:231:11:231:29 | username | HardcodedCredentials.js:237:47:237:54 | username |
+| HardcodedCredentials.js:231:11:231:29 | username | HardcodedCredentials.js:237:51:237:58 | username |
 | HardcodedCredentials.js:231:22:231:29 | 'sdsdag' | HardcodedCredentials.js:231:11:231:29 | username |
 | HardcodedCredentials.js:231:22:231:29 | 'sdsdag' | HardcodedCredentials.js:231:11:231:29 | username |
-| HardcodedCredentials.js:237:35:237:72 | Buffer. ... ssword) | HardcodedCredentials.js:237:35:237:91 | Buffer. ... ase64') |
-| HardcodedCredentials.js:237:35:237:91 | Buffer. ... ase64') | HardcodedCredentials.js:237:24:237:91 | 'Basic  ... ase64') |
-| HardcodedCredentials.js:237:35:237:91 | Buffer. ... ase64') | HardcodedCredentials.js:237:24:237:91 | 'Basic  ... ase64') |
-| HardcodedCredentials.js:237:47:237:54 | username | HardcodedCredentials.js:237:47:237:71 | usernam ... assword |
-| HardcodedCredentials.js:237:47:237:71 | usernam ... assword | HardcodedCredentials.js:237:35:237:72 | Buffer. ... ssword) |
+| HardcodedCredentials.js:237:39:237:76 | Buffer. ... ssword) | HardcodedCredentials.js:237:39:237:95 | Buffer. ... ase64') |
+| HardcodedCredentials.js:237:39:237:95 | Buffer. ... ase64') | HardcodedCredentials.js:237:28:237:95 | 'Basic  ... ase64') |
+| HardcodedCredentials.js:237:39:237:95 | Buffer. ... ase64') | HardcodedCredentials.js:237:28:237:95 | 'Basic  ... ase64') |
+| HardcodedCredentials.js:237:51:237:58 | username | HardcodedCredentials.js:237:51:237:75 | usernam ... assword |
+| HardcodedCredentials.js:237:51:237:75 | usernam ... assword | HardcodedCredentials.js:237:39:237:76 | Buffer. ... ssword) |
+| HardcodedCredentials.js:237:51:237:75 | usernam ... assword | HardcodedCredentials.js:237:39:237:95 | Buffer. ... ase64') |
 | HardcodedCredentials.js:245:9:245:44 | privateKey | HardcodedCredentials.js:246:42:246:51 | privateKey |
 | HardcodedCredentials.js:245:9:245:44 | privateKey | HardcodedCredentials.js:246:42:246:51 | privateKey |
 | HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:245:9:245:44 | privateKey |
 | HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:245:9:245:44 | privateKey |
+| HardcodedCredentials.js:248:9:248:42 | publicKey | HardcodedCredentials.js:249:23:249:31 | publicKey |
+| HardcodedCredentials.js:248:9:248:42 | publicKey | HardcodedCredentials.js:249:23:249:31 | publicKey |
+| HardcodedCredentials.js:248:21:248:42 | "myHard ... licKey" | HardcodedCredentials.js:248:9:248:42 | publicKey |
+| HardcodedCredentials.js:248:21:248:42 | "myHard ... licKey" | HardcodedCredentials.js:248:9:248:42 | publicKey |
 | HardcodedCredentials.js:260:30:260:40 | `Basic foo` | HardcodedCredentials.js:260:30:260:40 | `Basic foo` |
 | HardcodedCredentials.js:268:33:268:56 | foo ? ' ... 'OAuth' | HardcodedCredentials.js:268:30:268:73 | `${foo  ... Token}` |
 | HardcodedCredentials.js:268:33:268:56 | foo ? ' ... 'OAuth' | HardcodedCredentials.js:268:30:268:73 | `${foo  ... Token}` |
@@ -383,27 +437,64 @@ edges
 | HardcodedCredentials.js:268:39:268:46 | 'Bearer' | HardcodedCredentials.js:268:33:268:56 | foo ? ' ... 'OAuth' |
 | HardcodedCredentials.js:268:50:268:56 | 'OAuth' | HardcodedCredentials.js:268:33:268:56 | foo ? ' ... 'OAuth' |
 | HardcodedCredentials.js:268:50:268:56 | 'OAuth' | HardcodedCredentials.js:268:33:268:56 | foo ? ' ... 'OAuth' |
-| HardcodedCredentials.js:275:36:275:59 | "user:{ ... ERE }}" | HardcodedCredentials.js:275:36:275:59 | "user:{ ... ERE }}" |
-| HardcodedCredentials.js:276:36:276:65 | "user:t ... ERE }}" | HardcodedCredentials.js:276:36:276:65 | "user:t ... ERE }}" |
-| HardcodedCredentials.js:277:36:277:57 | "user:( ... HERE )" | HardcodedCredentials.js:277:36:277:57 | "user:( ... HERE )" |
-| HardcodedCredentials.js:278:36:278:64 | "user:{ ... ken }}" | HardcodedCredentials.js:278:36:278:64 | "user:{ ... ken }}" |
-| HardcodedCredentials.js:279:36:279:50 | "user:abcdefgh" | HardcodedCredentials.js:279:36:279:50 | "user:abcdefgh" |
-| HardcodedCredentials.js:280:36:280:50 | "user:12345678" | HardcodedCredentials.js:280:36:280:50 | "user:12345678" |
-| HardcodedCredentials.js:281:36:281:45 | "user:foo" | HardcodedCredentials.js:281:36:281:45 | "user:foo" |
-| HardcodedCredentials.js:282:36:282:52 | "user:mypassword" | HardcodedCredentials.js:282:36:282:52 | "user:mypassword" |
-| HardcodedCredentials.js:283:36:283:49 | "user:mytoken" | HardcodedCredentials.js:283:36:283:49 | "user:mytoken" |
-| HardcodedCredentials.js:284:36:284:52 | "user:fake token" | HardcodedCredentials.js:284:36:284:52 | "user:fake token" |
-| HardcodedCredentials.js:285:36:285:46 | "user:dcba" | HardcodedCredentials.js:285:36:285:46 | "user:dcba" |
-| HardcodedCredentials.js:286:36:286:55 | "user:custom string" | HardcodedCredentials.js:286:36:286:55 | "user:custom string" |
+| HardcodedCredentials.js:275:37:275:60 | "user:{ ... ERE }}" | HardcodedCredentials.js:275:37:275:60 | "user:{ ... ERE }}" |
+| HardcodedCredentials.js:276:37:276:66 | "user:t ... ERE }}" | HardcodedCredentials.js:276:37:276:66 | "user:t ... ERE }}" |
+| HardcodedCredentials.js:277:37:277:58 | "user:( ... HERE )" | HardcodedCredentials.js:277:37:277:58 | "user:( ... HERE )" |
+| HardcodedCredentials.js:278:37:278:65 | "user:{ ... ken }}" | HardcodedCredentials.js:278:37:278:65 | "user:{ ... ken }}" |
+| HardcodedCredentials.js:279:37:279:51 | "user:abcdefgh" | HardcodedCredentials.js:279:37:279:51 | "user:abcdefgh" |
+| HardcodedCredentials.js:280:37:280:51 | "user:12345678" | HardcodedCredentials.js:280:37:280:51 | "user:12345678" |
+| HardcodedCredentials.js:281:37:281:46 | "user:foo" | HardcodedCredentials.js:281:37:281:46 | "user:foo" |
+| HardcodedCredentials.js:282:37:282:53 | "user:mypassword" | HardcodedCredentials.js:282:37:282:53 | "user:mypassword" |
+| HardcodedCredentials.js:283:37:283:50 | "user:mytoken" | HardcodedCredentials.js:283:37:283:50 | "user:mytoken" |
+| HardcodedCredentials.js:284:37:284:53 | "user:fake token" | HardcodedCredentials.js:284:37:284:53 | "user:fake token" |
+| HardcodedCredentials.js:285:37:285:47 | "user:dcba" | HardcodedCredentials.js:285:37:285:47 | "user:dcba" |
+| HardcodedCredentials.js:286:37:286:56 | "user:custom string" | HardcodedCredentials.js:286:37:286:56 | "user:custom string" |
 | HardcodedCredentials.js:292:37:292:57 | `Basic  ... sdsdag` | HardcodedCredentials.js:292:37:292:57 | `Basic  ... sdsdag` |
 | HardcodedCredentials.js:293:37:293:65 | `Basic  ... xxxxxx` | HardcodedCredentials.js:293:37:293:65 | `Basic  ... xxxxxx` |
 | HardcodedCredentials.js:294:37:294:70 | `Basic  ... gbbbbb` | HardcodedCredentials.js:294:37:294:70 | `Basic  ... gbbbbb` |
 | HardcodedCredentials.js:295:37:295:66 | `Basic  ... 000001` | HardcodedCredentials.js:295:37:295:66 | `Basic  ... 000001` |
+| HardcodedCredentials.js:302:9:302:44 | privateKey | HardcodedCredentials.js:303:34:303:43 | privateKey |
+| HardcodedCredentials.js:302:9:302:44 | privateKey | HardcodedCredentials.js:303:34:303:43 | privateKey |
+| HardcodedCredentials.js:302:22:302:44 | "myHard ... ateKey" | HardcodedCredentials.js:302:9:302:44 | privateKey |
+| HardcodedCredentials.js:302:22:302:44 | "myHard ... ateKey" | HardcodedCredentials.js:302:9:302:44 | privateKey |
+| HardcodedCredentials.js:310:9:310:44 | privateKey | HardcodedCredentials.js:311:52:311:61 | privateKey |
+| HardcodedCredentials.js:310:22:310:44 | "myHard ... ateKey" | HardcodedCredentials.js:310:9:310:44 | privateKey |
+| HardcodedCredentials.js:310:22:310:44 | "myHard ... ateKey" | HardcodedCredentials.js:310:9:310:44 | privateKey |
+| HardcodedCredentials.js:311:52:311:61 | privateKey | HardcodedCredentials.js:311:27:311:62 | new Tex ... ateKey) |
+| HardcodedCredentials.js:311:52:311:61 | privateKey | HardcodedCredentials.js:311:27:311:62 | new Tex ... ateKey) |
+| HardcodedCredentials.js:314:11:317:29 | spki | HardcodedCredentials.js:318:45:318:48 | spki |
+| HardcodedCredentials.js:314:18:317:29 | `-----B ... Y-----` | HardcodedCredentials.js:314:11:317:29 | spki |
+| HardcodedCredentials.js:314:18:317:29 | `-----B ... Y-----` | HardcodedCredentials.js:314:11:317:29 | spki |
+| HardcodedCredentials.js:318:11:318:58 | publicKey | HardcodedCredentials.js:319:27:319:35 | publicKey |
+| HardcodedCredentials.js:318:11:318:58 | publicKey | HardcodedCredentials.js:319:27:319:35 | publicKey |
+| HardcodedCredentials.js:318:23:318:58 | await j ... RS256') | HardcodedCredentials.js:318:11:318:58 | publicKey |
+| HardcodedCredentials.js:318:45:318:48 | spki | HardcodedCredentials.js:318:23:318:58 | await j ... RS256') |
+| HardcodedCredentials.js:325:9:325:43 | secretKey | HardcodedCredentials.js:330:21:330:29 | secretKey |
+| HardcodedCredentials.js:325:9:325:43 | secretKey | HardcodedCredentials.js:330:21:330:29 | secretKey |
+| HardcodedCredentials.js:325:9:325:43 | secretKey | HardcodedCredentials.js:341:33:341:41 | secretKey |
+| HardcodedCredentials.js:325:21:325:43 | "myHard ... ateKey" | HardcodedCredentials.js:325:9:325:43 | secretKey |
+| HardcodedCredentials.js:325:21:325:43 | "myHard ... ateKey" | HardcodedCredentials.js:325:9:325:43 | secretKey |
+| HardcodedCredentials.js:341:33:341:41 | secretKey | HardcodedCredentials.js:341:21:341:52 | Buffer. ... ase64") |
+| HardcodedCredentials.js:341:33:341:41 | secretKey | HardcodedCredentials.js:341:21:341:52 | Buffer. ... ase64") |
+| HardcodedCredentials.js:356:9:356:43 | secretKey | HardcodedCredentials.js:359:24:359:32 | secretKey |
+| HardcodedCredentials.js:356:9:356:43 | secretKey | HardcodedCredentials.js:359:24:359:32 | secretKey |
+| HardcodedCredentials.js:356:9:356:43 | secretKey | HardcodedCredentials.js:366:31:366:39 | secretKey |
+| HardcodedCredentials.js:356:9:356:43 | secretKey | HardcodedCredentials.js:366:31:366:39 | secretKey |
+| HardcodedCredentials.js:356:21:356:43 | "myHard ... ateKey" | HardcodedCredentials.js:356:9:356:43 | secretKey |
+| HardcodedCredentials.js:356:21:356:43 | "myHard ... ateKey" | HardcodedCredentials.js:356:9:356:43 | secretKey |
+| HardcodedCredentials.js:377:9:377:43 | secretKey | HardcodedCredentials.js:380:17:380:25 | secretKey |
+| HardcodedCredentials.js:377:9:377:43 | secretKey | HardcodedCredentials.js:380:17:380:25 | secretKey |
+| HardcodedCredentials.js:377:21:377:43 | "myHard ... ateKey" | HardcodedCredentials.js:377:9:377:43 | secretKey |
+| HardcodedCredentials.js:377:21:377:43 | "myHard ... ateKey" | HardcodedCredentials.js:377:9:377:43 | secretKey |
+| HardcodedCredentials.js:395:9:395:43 | secretKey | HardcodedCredentials.js:397:27:397:35 | secretKey |
+| HardcodedCredentials.js:395:9:395:43 | secretKey | HardcodedCredentials.js:397:27:397:35 | secretKey |
+| HardcodedCredentials.js:395:21:395:43 | "myHard ... ateKey" | HardcodedCredentials.js:395:9:395:43 | secretKey |
+| HardcodedCredentials.js:395:21:395:43 | "myHard ... ateKey" | HardcodedCredentials.js:395:9:395:43 | secretKey |
 #select
 | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | The hard-coded value "dbuser" is used as $@. | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | user name |
 | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | password |
-| HardcodedCredentials.js:27:25:27:31 | 'admin' | HardcodedCredentials.js:27:25:27:31 | 'admin' | HardcodedCredentials.js:27:25:27:31 | 'admin' | The hard-coded value "admin" is used as $@. | HardcodedCredentials.js:27:25:27:31 | 'admin' | user name |
-| HardcodedCredentials.js:27:34:27:43 | 'hgfedcba' | HardcodedCredentials.js:27:34:27:43 | 'hgfedcba' | HardcodedCredentials.js:27:34:27:43 | 'hgfedcba' | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:27:34:27:43 | 'hgfedcba' | password |
+| HardcodedCredentials.js:27:26:27:32 | 'admin' | HardcodedCredentials.js:27:26:27:32 | 'admin' | HardcodedCredentials.js:27:26:27:32 | 'admin' | The hard-coded value "admin" is used as $@. | HardcodedCredentials.js:27:26:27:32 | 'admin' | user name |
+| HardcodedCredentials.js:27:35:27:44 | 'hgfedcba' | HardcodedCredentials.js:27:35:27:44 | 'hgfedcba' | HardcodedCredentials.js:27:35:27:44 | 'hgfedcba' | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:27:35:27:44 | 'hgfedcba' | password |
 | HardcodedCredentials.js:29:11:29:30 | 'unknown-admin-name' | HardcodedCredentials.js:29:11:29:30 | 'unknown-admin-name' | HardcodedCredentials.js:29:11:29:30 | 'unknown-admin-name' | The hard-coded value "unknown-admin-name" is used as $@. | HardcodedCredentials.js:29:11:29:30 | 'unknown-admin-name' | user name |
 | HardcodedCredentials.js:29:35:29:44 | 'hgfedcba' | HardcodedCredentials.js:29:35:29:44 | 'hgfedcba' | HardcodedCredentials.js:29:35:29:44 | 'hgfedcba' | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:29:35:29:44 | 'hgfedcba' | password |
 | HardcodedCredentials.js:35:15:35:24 | 'username' | HardcodedCredentials.js:35:15:35:24 | 'username' | HardcodedCredentials.js:35:15:35:24 | 'username' | The hard-coded value "username" is used as $@. | HardcodedCredentials.js:35:15:35:24 | 'username' | user name |
@@ -447,9 +538,9 @@ edges
 | HardcodedCredentials.js:113:19:113:28 | 'hgfedcba' | HardcodedCredentials.js:113:19:113:28 | 'hgfedcba' | HardcodedCredentials.js:113:19:113:28 | 'hgfedcba' | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:113:19:113:28 | 'hgfedcba' | password |
 | HardcodedCredentials.js:130:44:130:53 | 'hgfedcba' | HardcodedCredentials.js:130:44:130:53 | 'hgfedcba' | HardcodedCredentials.js:130:44:130:53 | 'hgfedcba' | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:130:44:130:53 | 'hgfedcba' | key |
 | HardcodedCredentials.js:131:52:131:61 | 'hgfedcba' | HardcodedCredentials.js:131:52:131:61 | 'hgfedcba' | HardcodedCredentials.js:131:52:131:61 | 'hgfedcba' | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:131:52:131:61 | 'hgfedcba' | key |
-| HardcodedCredentials.js:135:41:135:50 | "hgfedcba" | HardcodedCredentials.js:135:41:135:50 | "hgfedcba" | HardcodedCredentials.js:135:41:135:50 | "hgfedcba" | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:135:41:135:50 | "hgfedcba" | key |
-| HardcodedCredentials.js:160:38:160:48 | "change_me" | HardcodedCredentials.js:160:38:160:48 | "change_me" | HardcodedCredentials.js:160:38:160:48 | "change_me" | The hard-coded value "change_me" is used as $@. | HardcodedCredentials.js:160:38:160:48 | "change_me" | key |
-| HardcodedCredentials.js:161:41:161:51 | 'change_me' | HardcodedCredentials.js:161:41:161:51 | 'change_me' | HardcodedCredentials.js:161:41:161:51 | 'change_me' | The hard-coded value "change_me" is used as $@. | HardcodedCredentials.js:161:41:161:51 | 'change_me' | key |
+| HardcodedCredentials.js:135:45:135:54 | "hgfedcba" | HardcodedCredentials.js:135:45:135:54 | "hgfedcba" | HardcodedCredentials.js:135:45:135:54 | "hgfedcba" | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:135:45:135:54 | "hgfedcba" | key |
+| HardcodedCredentials.js:160:41:160:51 | "change_me" | HardcodedCredentials.js:160:41:160:51 | "change_me" | HardcodedCredentials.js:160:41:160:51 | "change_me" | The hard-coded value "change_me" is used as $@. | HardcodedCredentials.js:160:41:160:51 | "change_me" | key |
+| HardcodedCredentials.js:161:44:161:54 | 'change_me' | HardcodedCredentials.js:161:44:161:54 | 'change_me' | HardcodedCredentials.js:161:44:161:54 | 'change_me' | The hard-coded value "change_me" is used as $@. | HardcodedCredentials.js:161:44:161:54 | 'change_me' | key |
 | HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:178:30:178:44 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:178:30:178:44 | `Basic ${AUTH}` | authorization header |
 | HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:188:30:188:44 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:188:30:188:44 | `Basic ${AUTH}` | authorization header |
 | HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:195:37:195:51 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:195:37:195:51 | `Basic ${AUTH}` | authorization header |
@@ -460,7 +551,17 @@ edges
 | HardcodedCredentials.js:172:18:172:25 | 'sdsdag' | HardcodedCredentials.js:172:18:172:25 | 'sdsdag' | HardcodedCredentials.js:204:35:204:49 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:204:35:204:49 | `Basic ${AUTH}` | authorization header |
 | HardcodedCredentials.js:214:18:214:25 | 'sdsdag' | HardcodedCredentials.js:214:18:214:25 | 'sdsdag' | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | authorization header |
 | HardcodedCredentials.js:215:18:215:25 | 'sdsdag' | HardcodedCredentials.js:215:18:215:25 | 'sdsdag' | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | authorization header |
-| HardcodedCredentials.js:231:22:231:29 | 'sdsdag' | HardcodedCredentials.js:231:22:231:29 | 'sdsdag' | HardcodedCredentials.js:237:24:237:91 | 'Basic  ... ase64') | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:237:24:237:91 | 'Basic  ... ase64') | authorization header |
+| HardcodedCredentials.js:231:22:231:29 | 'sdsdag' | HardcodedCredentials.js:231:22:231:29 | 'sdsdag' | HardcodedCredentials.js:237:28:237:95 | 'Basic  ... ase64') | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:237:28:237:95 | 'Basic  ... ase64') | authorization header |
 | HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:246:42:246:51 | privateKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:246:42:246:51 | privateKey | key |
+| HardcodedCredentials.js:248:21:248:42 | "myHard ... licKey" | HardcodedCredentials.js:248:21:248:42 | "myHard ... licKey" | HardcodedCredentials.js:249:23:249:31 | publicKey | The hard-coded value "myHardCodedPublicKey" is used as $@. | HardcodedCredentials.js:249:23:249:31 | publicKey | key |
 | HardcodedCredentials.js:292:37:292:57 | `Basic  ... sdsdag` | HardcodedCredentials.js:292:37:292:57 | `Basic  ... sdsdag` | HardcodedCredentials.js:292:37:292:57 | `Basic  ... sdsdag` | The hard-coded value "Basic sdsdag:sdsdag" is used as $@. | HardcodedCredentials.js:292:37:292:57 | `Basic  ... sdsdag` | authorization header |
 | HardcodedCredentials.js:294:37:294:70 | `Basic  ... gbbbbb` | HardcodedCredentials.js:294:37:294:70 | `Basic  ... gbbbbb` | HardcodedCredentials.js:294:37:294:70 | `Basic  ... gbbbbb` | The hard-coded value "Basic sdsdag:aaaiuogrweuibgbbbbb" is used as $@. | HardcodedCredentials.js:294:37:294:70 | `Basic  ... gbbbbb` | authorization header |
+| HardcodedCredentials.js:302:22:302:44 | "myHard ... ateKey" | HardcodedCredentials.js:302:22:302:44 | "myHard ... ateKey" | HardcodedCredentials.js:303:34:303:43 | privateKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:303:34:303:43 | privateKey | key |
+| HardcodedCredentials.js:310:22:310:44 | "myHard ... ateKey" | HardcodedCredentials.js:310:22:310:44 | "myHard ... ateKey" | HardcodedCredentials.js:311:27:311:62 | new Tex ... ateKey) | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:311:27:311:62 | new Tex ... ateKey) | key |
+| HardcodedCredentials.js:314:18:317:29 | `-----B ... Y-----` | HardcodedCredentials.js:314:18:317:29 | `-----B ... Y-----` | HardcodedCredentials.js:319:27:319:35 | publicKey | The hard-coded value "-----BEGIN PUBLIC KEY-----\n    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwhYOFK2Ocbbpb/zVypi9\n    ...\n    -----END PUBLIC KEY-----" is used as $@. | HardcodedCredentials.js:319:27:319:35 | publicKey | key |
+| HardcodedCredentials.js:325:21:325:43 | "myHard ... ateKey" | HardcodedCredentials.js:325:21:325:43 | "myHard ... ateKey" | HardcodedCredentials.js:330:21:330:29 | secretKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:330:21:330:29 | secretKey | key |
+| HardcodedCredentials.js:325:21:325:43 | "myHard ... ateKey" | HardcodedCredentials.js:325:21:325:43 | "myHard ... ateKey" | HardcodedCredentials.js:341:21:341:52 | Buffer. ... ase64") | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:341:21:341:52 | Buffer. ... ase64") | key |
+| HardcodedCredentials.js:356:21:356:43 | "myHard ... ateKey" | HardcodedCredentials.js:356:21:356:43 | "myHard ... ateKey" | HardcodedCredentials.js:359:24:359:32 | secretKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:359:24:359:32 | secretKey | key |
+| HardcodedCredentials.js:356:21:356:43 | "myHard ... ateKey" | HardcodedCredentials.js:356:21:356:43 | "myHard ... ateKey" | HardcodedCredentials.js:366:31:366:39 | secretKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:366:31:366:39 | secretKey | key |
+| HardcodedCredentials.js:377:21:377:43 | "myHard ... ateKey" | HardcodedCredentials.js:377:21:377:43 | "myHard ... ateKey" | HardcodedCredentials.js:380:17:380:25 | secretKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:380:17:380:25 | secretKey | key |
+| HardcodedCredentials.js:395:21:395:43 | "myHard ... ateKey" | HardcodedCredentials.js:395:21:395:43 | "myHard ... ateKey" | HardcodedCredentials.js:397:27:397:35 | secretKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:397:27:397:35 | secretKey | key |

javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js

@@ -1,4 +1,4 @@
-(function() {
+(function () {
     const pg = require('pg');
 
     const client = new pg.Client({
@@ -11,43 +11,43 @@
     client.connect();
 })();
 
-(function() {
-    require("http").request({auth: "user:hgfedcba"});  // NOT OK
-    require("https").request({auth: "user:hgfedcba"}); // NOT OK
+(function () {
+    require("http").request({ auth: "user:hgfedcba" });  // NOT OK
+    require("https").request({ auth: "user:hgfedcba" }); // NOT OK
     function getCredentials() {
         return "user:hgfedcba";
     }
-    require("http").request({auth: getCredentials()}); // NOT OK
-    require("http").request({auth: getUnknownCredentials()}); // OK
+    require("http").request({ auth: getCredentials() }); // NOT OK
+    require("http").request({ auth: getUnknownCredentials() }); // OK
 })();
 
-(function() {
+(function () {
     var basicAuth = require('express-basic-auth');
 
-    basicAuth({users: { 'admin': 'hgfedcba' }});  // NOT OK
+    basicAuth({ users: { 'admin': 'hgfedcba' } });  // NOT OK
     var users = {};
     users['unknown-admin-name'] = 'hgfedcba'; // NOT OK
-    basicAuth({users: users});
+    basicAuth({ users: users });
 })();
 
-(function() {
+(function () {
     var basicAuth = require('basic-auth-connect');
     basicAuth('username', 'hgfedcba'); // NOT OK
-    basicAuth(function(){}); // OK
+    basicAuth(function () { }); // OK
 })();
 
-(function() {
+(function () {
     var AWS = require('aws-sdk');
-    AWS.config.update({ accessKeyId: 'username', secretAccessKey: 'hgfedcba'}); // NOT OK
-    new AWS.Config({ accessKeyId: 'username', secretAccessKey: 'hgfedcba'}); // NOT OK
+    AWS.config.update({ accessKeyId: 'username', secretAccessKey: 'hgfedcba' }); // NOT OK
+    new AWS.Config({ accessKeyId: 'username', secretAccessKey: 'hgfedcba' }); // NOT OK
     var config = new AWS.Config();
-    config.update({ accessKeyId: 'username', secretAccessKey: 'hgfedcba'}); // NOT OK
+    config.update({ accessKeyId: 'username', secretAccessKey: 'hgfedcba' }); // NOT OK
     var o = {};
     o.secretAccessKey = 'hgfedcba'; // NOT OK
     config.update(o);
 })();
 
-(function() {
+(function () {
     var request = require('request');
 
     request.get(url).auth('username', 'hgfedcba'); // NOT OK
@@ -78,21 +78,21 @@
     });
 })();
 
-(function() {
+(function () {
     const MsRest = require('ms-rest-azure');
 
-    MsRest.loginWithUsernamePassword('username', 'hgfedcba', function(){}); // NOT OK
-    MsRest.loginWithUsernamePassword(process.env.AZURE_USER, process.env.AZURE_PASS, function(){}); // OK
-    MsRest.loginWithServicePrincipalSecret('username', 'hgfedcba', function(){}); // NOT OK
+    MsRest.loginWithUsernamePassword('username', 'hgfedcba', function () { }); // NOT OK
+    MsRest.loginWithUsernamePassword(process.env.AZURE_USER, process.env.AZURE_PASS, function () { }); // OK
+    MsRest.loginWithServicePrincipalSecret('username', 'hgfedcba', function () { }); // NOT OK
 })();
 
-(function() {
+(function () {
     var digitalocean = require('digitalocean');
     digitalocean.client('TOKEN'); // NOT OK
     digitalocean.client(process.env.DIGITAL_OCEAN_TOKEN); // OK
 })();
 
-(function() {
+(function () {
     var pkgcloud = require('pkgcloud');
     pkgcloud.compute.createClient({
         account: 'x1', // NOT OK
@@ -126,26 +126,26 @@
     });
 })();
 
-(function(){
+(function () {
     require('crypto').createHmac('sha256', 'hgfedcba');
     require("crypto-js/aes").encrypt('my message', 'hgfedcba');
 })()
 
-(function(){
-    require("cookie-session")({ secret: "hgfedcba" });
-})()
+    (function () {
+        require("cookie-session")({ secret: "hgfedcba" });
+    })()
 
-(function(){
-    var request = require('request');
-    request.get(url, { // OK
-        'auth': {
-            'user': '',
-            'pass': process.env.PASSWORD
-        }
-    });
-})();
+    (function () {
+        var request = require('request');
+        request.get(url, { // OK
+            'auth': {
+                'user': '',
+                'pass': process.env.PASSWORD
+            }
+        });
+    })();
 
-(function(){
+(function () {
     var request = require('request');
     let pass = getPassword() || '';
     request.get(url, { // OK
@@ -156,12 +156,12 @@
     });
 })();
 
-(function(){
-	require("cookie-session")({ secret: "change_me" }); // NOT OK
-	require('crypto').createHmac('sha256', 'change_me'); // NOT OK
+(function () {
+    require("cookie-session")({ secret: "change_me" }); // NOT OK
+    require('crypto').createHmac('sha256', 'change_me'); // NOT OK
 
-	var basicAuth = require('express-basic-auth');
-	basicAuth({users: { [adminName]: 'change_me' }});  // OK
+    var basicAuth = require('express-basic-auth');
+    basicAuth({ users: { [adminName]: 'change_me' } });  // OK
 })();
 
 (async function () {
@@ -231,22 +231,22 @@
     const username = 'sdsdag';
     const password = config.get('some_actually_secrect_password');
     const response = await fetch(ENDPOINT, {
-      method: 'get',
-      headers: {
-        'Content-Type': 'application/json',
-        Authorization: 'Basic ' + Buffer.from(username + ':' + password).toString('base64'),
-      },
+        method: 'get',
+        headers: {
+            'Content-Type': 'application/json',
+            Authorization: 'Basic ' + Buffer.from(username + ':' + password).toString('base64'),
+        },
     });
-})
+})();
 
 (function () {
     import jwt from "jsonwebtoken";
 
     var privateKey = "myHardCodedPrivateKey";
-    var token = jwt.sign({ foo: 'bar' }, privateKey, { algorithm: 'RS256'});
+    var token = jwt.sign({ foo: 'bar' }, privateKey, { algorithm: 'RS256' });  // NOT OK
 
     var publicKey = "myHardCodedPublicKey";
-    jwt.verify(token, publicKey, function(err, decoded) {
+    jwt.verify(token, publicKey, function (err, decoded) {  // NOT OK
         console.log(decoded);
     });
 })();
@@ -271,19 +271,19 @@
     });
 });
 
-(function() {
-    require("http").request({auth: "user:{{ INSERT_HERE }}"}); // OK
-    require("http").request({auth: "user:token {{ INSERT_HERE }}"}); // OK
-    require("http").request({auth: "user:( INSERT_HERE )"}); // OK
-    require("http").request({auth: "user:{{ env.access_token }}"}); // OK
-    require("http").request({auth: "user:abcdefgh"}); // OK
-    require("http").request({auth: "user:12345678"}); // OK
-    require("http").request({auth: "user:foo"}); // OK
-    require("http").request({auth: "user:mypassword"}) // OK
-    require("http").request({auth: "user:mytoken"}) // OK
-    require("http").request({auth: "user:fake token"}) // OK
-    require("http").request({auth: "user:dcba"}) // OK
-    require("http").request({auth: "user:custom string"}) // OK
+(function () {
+    require("http").request({ auth: "user:{{ INSERT_HERE }}" }); // OK
+    require("http").request({ auth: "user:token {{ INSERT_HERE }}" }); // OK
+    require("http").request({ auth: "user:( INSERT_HERE )" }); // OK
+    require("http").request({ auth: "user:{{ env.access_token }}" }); // OK
+    require("http").request({ auth: "user:abcdefgh" }); // OK
+    require("http").request({ auth: "user:12345678" }); // OK
+    require("http").request({ auth: "user:foo" }); // OK
+    require("http").request({ auth: "user:mypassword" }) // OK
+    require("http").request({ auth: "user:mytoken" }) // OK
+    require("http").request({ auth: "user:fake token" }) // OK
+    require("http").request({ auth: "user:dcba" }) // OK
+    require("http").request({ auth: "user:custom string" }) // OK
 });
 
 (function () {
@@ -294,3 +294,105 @@
     headers.append("Authorization", `Basic sdsdag:aaaiuogrweuibgbbbbb`); // NOT OK
     headers.append("Authorization", `Basic sdsdag:000000000000001`); // OK
 });
+
+
+(function () {
+    const jwt_simple = require("jwt-simple");
+
+    var privateKey = "myHardCodedPrivateKey";
+    jwt_simple.decode(UserToken, privateKey); // NOT OK
+})();
+
+
+(async function () {
+    const jose = require("jose");
+
+    var privateKey = "myHardCodedPrivateKey";
+    jose.jwtVerify(token, new TextEncoder().encode(privateKey)) // NOT OK
+
+
+    const spki = `-----BEGIN PUBLIC KEY-----
+    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwhYOFK2Ocbbpb/zVypi9
+    ...
+    -----END PUBLIC KEY-----`
+    const publicKey = await jose.importSPKI(spki, 'RS256')
+    jose.jwtVerify(token, publicKey) // NOT OK
+})();
+
+(function () {
+    const expressjwt = require("express-jwt");
+
+    var secretKey = "myHardCodedPrivateKey";
+
+    app.get(
+        "/protected",
+        expressjwt.expressjwt({
+            secret: secretKey, algorithms: ["HS256"] // NOT OK
+        }),
+        function (req, res) {
+            if (!req.auth.admin) return res.sendStatus(401);
+            res.sendStatus(200);
+        }
+    );
+
+    app.get(
+        "/protected",
+        expressjwt.expressjwt({
+            secret: Buffer.from(secretKey, "base64"), // NOT OK
+            algorithms: ["RS256"],
+        }),
+        function (req, res) {
+            if (!req.auth.admin) return res.sendStatus(401);
+            res.sendStatus(200);
+        }
+    );
+
+})();
+
+(function () {
+    const JwtStrategy = require('passport-jwt').Strategy;
+    const passport = require('passport')
+
+    var secretKey = "myHardCodedPrivateKey";
+
+    const opts = {}
+    opts.secretOrKey = secretKey; // NOT OK
+    passport.use(new JwtStrategy(opts, function (jwt_payload, done) {
+        return done(null, false);
+    }));
+
+    passport.use(new JwtStrategy({
+        secretOrKeyProvider: function (request, rawJwtToken, done) {
+            return done(null, secretKey) // NOT OK
+        }
+    }, function (jwt_payload, done) {
+        return done(null, false);
+    }));
+})();
+
+(function () {
+    import NextAuth from "next-auth"
+    import AppleProvider from "next-auth/providers/apple"
+
+    var secretKey = "myHardCodedPrivateKey";
+
+    NextAuth({
+        secret: secretKey, // NOT OK
+        providers: [
+            AppleProvider({
+                clientId: process.env.APPLE_ID,
+                clientSecret: process.env.APPLE_SECRET,
+            }),
+        ],
+    })
+})();
+
+(function () {
+    const Koa = require('koa');
+    const jwt = require('koa-jwt');
+    const app = new Koa();
+
+    var secretKey = "myHardCodedPrivateKey";
+
+    app.use(jwt({ secret: secretKey })); // NOT OK
+})();