Use a combined regex for performance

Joe Farebrother
2024-06-17 15:00:03 +01:00
parent 90d6f2ece3
commit eee7f5a896

@@ -40,16 +40,32 @@ module CleartextSources {
re.getConstantValue().getStringlikeValue() = [".*", ".+"]
}
/** Holds if `c` is a sensitive data classification that is relevant to consider for Cleartext Storage queries. */
private predicate isRelevantClassification(SensitiveDataClassification c) {
c =
[
SensitiveDataClassification::password(), SensitiveDataClassification::certificate(),
SensitiveDataClassification::secret(), SensitiveDataClassification::private()
]
}
pragma[noinline]
private string getCombinedRelevantSensitiveRegexp() {
// Combine all the maybe-sensitive regexps into one using non-capturing groups and |.
result =
"(?:" +
strictconcat(string r, SensitiveDataClassification c |
r = maybeSensitiveRegexp(c) and isRelevantClassification(c)
|
r, ")|(?:"
) + ")"
}
/** Holds if the given name indicates the presence of sensitive data that is relevant to consider for Cleartext Storage queries. */
bindingset[name]
private predicate nameIndicatesRelevantSensitiveData(string name) {
exists(SensitiveDataClassification classification |
nameIndicatesSensitiveData(name, classification) and
classification in [
SensitiveDataClassification::password(), SensitiveDataClassification::certificate(),
SensitiveDataClassification::secret(), SensitiveDataClassification::private(),
]
)
name.regexpMatch(getCombinedRelevantSensitiveRegexp()) and
not name.regexpMatch(notSensitiveRegexp())
}
/**
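Review bot: `getCombinedRelevantSensitiveRegexp` is the only new predicate without a QLDoc comment, and its `pragma[noinline]` is unexplained (presumably it is there so the concatenation is computed once rather than per name). A comment such as `/** Gets one regexp that matches any name matched by the maybe-sensitive regexp of a relevant classification. */` above the pragma would match its two neighbours. The rewritten `nameIndicatesRelevantSensitiveData` now performs the match and the `notSensitiveRegexp()` exclusion itself instead of calling `nameIndicatesSensitiveData`, whose definition is outside this hunk. If that helper later changes, this predicate can drift from it and silently alter which names are treated as cleartext-storage sources, so the predicate's doc comment should state that it is intended to stay equivalent to `nameIndicatesSensitiveData` restricted to the relevant classifications. The enclosing `CleartextSources` module starts and continues outside the hunk.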