Shared: Add 'security_code' sensitive data heuristic.

2026-05-24 08:07:07 +02:00 · 2026-05-06 14:19:08 +01:00
parent 5ed78d1a4a
commit f2f4f4cce3
2 changed files with 2 additions and 1 deletions
--- a/rust/ql/test/library-tests/sensitivedata/test.rs
+++ b/rust/ql/test/library-tests/sensitivedata/test.rs
@@ -315,7 +315,7 @@ fn test_private_info(
 	sink(info.financials.credit_card_no.as_str()); // $ sensitive=private
 	sink(info.financials.card_no.as_str()); // $ sensitive=private
 	sink(info.financials.cardNumber.as_str()); // $ sensitive=private
-	sink(info.financials.card_security_code.as_str()); // $ MISSING: sensitive=private
+	sink(info.financials.card_security_code.as_str()); // $ sensitive=private
 	sink(info.financials.credit_rating); // $ sensitive=private
 	sink(info.financials.user_ccn.as_str()); // $ sensitive=private
 	sink(info.financials.cvv.as_str()); // $ sensitive=private
--- a/shared/concepts/codeql/concepts/internal/SensitiveDataHeuristics.qll
+++ b/shared/concepts/codeql/concepts/internal/SensitiveDataHeuristics.qll
@@ -106,6 +106,7 @@ module HeuristicNames {
        // Financial data - such as credit card numbers, salary, bank accounts, and debts
        "(credit|debit|bank|visa).?(card|num|no|acc(ou)?nt)|(card|acc(ou)?nt).?(no|num|credit)|routing.?num|"
        + "salary|billing|beneficiary|credit.?(rating|score)|([_-]|\\b)(ccn|cvv|iban)([_-]|\\b)|" +
+        "security.?code|" +
        // Communications - e-mail addresses, private e-mail messages, SMS text messages, chat logs, etc.
        // "e(mail|_mail)|" + // this seems too noisy
        // Health - medical conditions, insurance status, prescription records