Rust: Add sensitive data to summary queries.

2026-04-26 01:05:15 +02:00 · 2025-01-03 18:57:42 +00:00
parent 821eb4f3e6
commit e1e980c2e8
3 changed files with 19 additions and 0 deletions
--- a/rust/ql/src/queries/summary/SensitiveData.ql
+++ b/rust/ql/src/queries/summary/SensitiveData.ql
@@ -0,0 +1,15 @@
+/**
+ * @name Sensitive Data
+ * @description List all sensitive data found in the database. Sensitive data is anything that
+ *              should not be sent in unencrypted form.
+ * @kind problem
+ * @problem.severity info
+ * @id rust/summary/sensitive-data
+ * @tags summary
+ */
+
+import rust
+import codeql.rust.security.SensitiveData
+
+from SensitiveData d
+select d, "Sensitive data (" + d.getClassification() + "): " + d.toString()
--- a/rust/ql/src/queries/summary/SummaryStats.ql
+++ b/rust/ql/src/queries/summary/SummaryStats.ql
@@ -8,6 +8,7 @@

 import rust
 import codeql.rust.Concepts
+import codeql.rust.security.SensitiveData
 import codeql.rust.Diagnostics
 import Stats

@@ -56,4 +57,6 @@ where
  key = "Taint sources - total" and value = count(ThreatModelSource s)
  or
  key = "Taint sources - active" and value = count(ActiveThreatModelSource s)
+  or
+  key = "Sensitive data" and value = count(SensitiveData d)
 select key, value order by key
--- a/rust/ql/test/query-tests/diagnostics/SummaryStats.expected
+++ b/rust/ql/test/query-tests/diagnostics/SummaryStats.expected
@@ -14,5 +14,6 @@
 | Macro calls - resolved | 8 |
 | Macro calls - total | 9 |
 | Macro calls - unresolved | 1 |
+| Sensitive data | 0 |
 | Taint sources - active | 0 |
 | Taint sources - total | 0 |