Merge pull request #184 from max/cleartext-logging-constant

Teach `CleartextLogging` not to flag constant sources.
2026-01-29 22:32:58 +01:00 · 2019-11-14 01:21:04 -05:00
parent 50cde34878 616d78e2a5
commit eda858eafb
2 changed files with 11 additions and 0 deletions
--- a/ql/src/semmle/go/security/CleartextLoggingCustomizations.qll
+++ b/ql/src/semmle/go/security/CleartextLoggingCustomizations.qll
@@ -12,6 +12,11 @@ module CleartextLogging {
   * A data-flow source for clear-text logging of sensitive information.
   */
  abstract class Source extends DataFlow::Node {
+    Source() {
+      // hard-coded strings are uninteresting
+      not exists(getStringValue())
+    }
+
    /** Gets a string that describes the type of this data-flow source. */
    abstract string describe();
  }
--- a/ql/test/query-tests/Security/CWE-312/passwords.go
+++ b/ql/test/query-tests/Security/CWE-312/passwords.go
@@ -126,3 +126,9 @@ func test() {
 	log.Println(config.x)        // NOT OK
 	log.Println(config.y)        // NOT OK
 }
+
+const password = "horsebatterystaplecorrect"
+
+func test2() {
+	log.Println(password) // OK
+}