From 616d78e2a5b9e0d78a71b42fa7205520ca0b6484 Mon Sep 17 00:00:00 2001
From: Max Schaefer
Date: Wed, 13 Nov 2019 14:25:32 +0000
Subject: [PATCH] Teach `CleartextLogging` not to flag constant sources.
---
 .../semmle/go/security/CleartextLoggingCustomizations.qll | 5 +++++
 ql/test/query-tests/Security/CWE-312/passwords.go | 6 ++++++
 2 files changed, 11 insertions(+)
diff --git a/ql/src/semmle/go/security/CleartextLoggingCustomizations.qll b/ql/src/semmle/go/security/CleartextLoggingCustomizations.qll
index 39106dca4f2..c7f08faac64 100644
--- a/ql/src/semmle/go/security/CleartextLoggingCustomizations.qll
+++ b/ql/src/semmle/go/security/CleartextLoggingCustomizations.qll
@@ -12,6 +12,11 @@ module CleartextLogging {
 * A data-flow source for clear-text logging of sensitive information.
 */
 abstract class Source extends DataFlow::Node {
+ Source() {
+ // hard-coded strings are uninteresting
+ not exists(getStringValue())
+ }
+
 /** Gets a string that describes the type of this data-flow source. */
 abstract string describe();
 }
diff --git a/ql/test/query-tests/Security/CWE-312/passwords.go b/ql/test/query-tests/Security/CWE-312/passwords.go
index b0dfb034494..777fceb9374 100644
--- a/ql/test/query-tests/Security/CWE-312/passwords.go
+++ b/ql/test/query-tests/Security/CWE-312/passwords.go
@@ -126,3 +126,9 @@ func test() {
 log.Println(config.x) // NOT OK
 log.Println(config.y) // NOT OK
 }
+
+const password = "horsebatterystaplecorrect"
+
+func test2() {
+ log.Println(password) // OK
+}
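Review bot: The new characteristic predicate `Source()` narrows every subclass of `Source` silently, but the class doc comment on the context lines above it still says only "A data-flow source for clear-text logging of sensitive information", so an author adding a new `Source` subclass will not learn from the docs that nodes with a statically known string value are dropped. The exclusion is also broader than the inline comment `// hard-coded strings are uninteresting` suggests: `not exists(getStringValue())` removes any node whose string value the library can compute, not just literal tokens, so constants and (presumably, depending on how `getStringValue()` folds) constant expressions are excluded too. I would extend the class doc comment with a sentence along the lines of `Nodes whose string value is statically known (see `getStringValue()`) are never sources, since a constant cannot carry runtime sensitive data; hard-coded credentials are out of scope for this query.` The enclosing `module CleartextLogging` starts and ends outside the hunk.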
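Review bot: The new `test2` covers only a named `const` being logged, while the exclusion added to `Source` keys on `getStringValue()` and so should also apply to a string literal passed directly and, if the library folds them, to constant concatenations; neither shape is exercised here, so a regression in one of those cases would go unnoticed. Adding `log.Println("horsebatterystaplecorrect") // OK` next to the existing line would pin the literal case at least. Since the change removes findings rather than adding any, it is plausible the `.expected` file needs no update, but the diff does not show it, so that is worth confirming. `test` starts outside the hunk.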