From ee6cb96d07bf34e32a810944bde06bcd6ad57b58 Mon Sep 17 00:00:00 2001
From: Ed Minnix
Date: Tue, 22 Aug 2023 11:31:14 -0400
Subject: [PATCH] Add a superclass for credential nodes

---
 .../java/security/HardcodedCredentials.qll | 7 +-----
 .../code/java/security/SensitiveApi.qll | 24 +++++++++----------
 2 files changed, 12 insertions(+), 19 deletions(-)

diff --git a/java/ql/lib/semmle/code/java/security/HardcodedCredentials.qll b/java/ql/lib/semmle/code/java/security/HardcodedCredentials.qll
index f4ae5f98f0a..d3cfc4e33ef 100644
--- a/java/ql/lib/semmle/code/java/security/HardcodedCredentials.qll
+++ b/java/ql/lib/semmle/code/java/security/HardcodedCredentials.qll
@@ -58,12 +58,7 @@ abstract class CredentialsSink extends Expr {
 * credentials.
 */
 class CredentialsApiSink extends CredentialsSink {
- CredentialsApiSink() {
- this = any(PasswordParameter p).asExpr() or
- this = any(UsernameParameter p).asExpr() or
- this = any(CryptoKeyParameter p).asExpr() or
- this = any(CredentialParameter p).asExpr()
- }
+ CredentialsApiSink() { this = any(CredentialSinkNode csn).asExpr() }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/SensitiveApi.qll b/java/ql/lib/semmle/code/java/security/SensitiveApi.qll
index 1b8555f399c..d3b407b5111 100644
--- a/java/ql/lib/semmle/code/java/security/SensitiveApi.qll
+++ b/java/ql/lib/semmle/code/java/security/SensitiveApi.qll
@@ -6,32 +6,30 @@ import java
 private import semmle.code.java.dataflow.DataFlow
 private import semmle.code.java.dataflow.ExternalFlow
 
+/**
+ * A node which represents the use of a credential.
+ */
+abstract class CredentialSinkNode extends DataFlow::Node { }
+
 /**
 * A node representing a password being passed to a method.
 */
-class PasswordParameter extends DataFlow::Node {
- PasswordParameter() { sinkNode(this, "credential-password") }
+class PasswordSink extends CredentialSinkNode {
+ PasswordSink() { sinkNode(this, "credential-password") }
 }
 
 /**
 * A node representing a username being passed to a method.
 */
-class UsernameParameter extends DataFlow::Node {
- UsernameParameter() { sinkNode(this, "credential-username") }
+class UsernameSink extends CredentialSinkNode {
+ UsernameSink() { sinkNode(this, "credential-username") }
 }
 
 /**
 * A node representing a cryptographic key being passed to a method.
 */
-class CryptoKeyParameter extends DataFlow::Node {
- CryptoKeyParameter() { sinkNode(this, "crypto-parameter") }
-}
-
-/**
- * A node representing a credential being passed to a method.
- */
-class CredentialParameter extends DataFlow::Node {
- CredentialParameter() { sinkNode(this, "credential-other") }
+class CryptoKeySink extends CredentialSinkNode {
+ CryptoKeySink() { sinkNode(this, "crypto-parameter") }
 }
 
 /**
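Review bot: The removed `CredentialParameter` was the only class here matching `sinkNode(this, "credential-other")`, and none of the three `CredentialSinkNode` subclasses in this hunk takes over that kind. Since `CredentialsApiSink` in HardcodedCredentials.qll now ranges over `any(CredentialSinkNode csn)`, sinks modelled as `credential-other` would silently drop out of the hard-coded-credentials query unless a subclass for them is defined outside this hunk. If that is not intended, keep the kind with something like `class OtherCredentialSink extends CredentialSinkNode { OtherCredentialSink() { sinkNode(this, "credential-other") } }`. The renames also remove public library classes, so aliases such as `deprecated class PasswordParameter = PasswordSink;` would keep downstream queries compiling. The QLDoc on `CredentialSinkNode` could state that extending it adds a sink to the hard-coded-credentials query.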