Skip to content

Commit 5f6e3dc

Browse files
RasmusWLRasmusWL
committed
Python: Revert changes to sensitive data query alert messages
This partly reverts the changes from #10252 Although consistency is nice, the new messages didn't sound as natural. New alert message would read > Insecure hashing algorithm (md5) depends on sensitive data (password). (...) I'm not sure what it means that a hashing algorithm depends on data. So for me, the original text below is much easier to understand. > Sensitive data (password) is used in a hashing algorithm (md5) that is insecure (...) Same goes for the other sensitive data queries.
1 parent 6674e07 commit 5f6e3dc

File tree

7 files changed

+37
-37
lines changed

7 files changed

+37
-37
lines changed

python/ql/src/Security/CWE-312/CleartextLogging.ql

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -22,5 +22,5 @@ from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink, s
2222
where
2323
config.hasFlowPath(source, sink) and
2424
classification = source.getNode().(Source).getClassification()
25-
select sink.getNode(), source, sink, "This log entry depends on $@.", source.getNode(),
26-
"sensitive data (" + classification + ")"
25+
select sink.getNode(), source, sink, "$@ is logged here.", source.getNode(),
26+
"Sensitive data (" + classification + ")"

python/ql/src/Security/CWE-312/CleartextStorage.ql

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -22,5 +22,5 @@ from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink, s
2222
where
2323
config.hasFlowPath(source, sink) and
2424
classification = source.getNode().(Source).getClassification()
25-
select sink.getNode(), source, sink, "This data storage depends on $@.", source.getNode(),
26-
"sensitive data (" + classification + ")"
25+
select sink.getNode(), source, sink, "$@ is stored here.", source.getNode(),
26+
"Sensitive data (" + classification + ")"

python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.ql

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -36,14 +36,14 @@ where
3636
source.getNode().(ComputationallyExpensiveHashFunction::Source).getClassification() and
3737
(
3838
sink.getNode().(ComputationallyExpensiveHashFunction::Sink).isComputationallyExpensive() and
39-
ending = ""
39+
ending = "."
4040
or
4141
not sink.getNode().(ComputationallyExpensiveHashFunction::Sink).isComputationallyExpensive() and
4242
ending =
43-
" The algorithm is insufficient for " + classification +
43+
" for " + classification +
4444
" hashing, since it is not a computationally expensive hash function."
4545
)
4646
)
4747
select sink.getNode(), source, sink,
48-
"Insecure hashing algorithm (" + algorithmName + ") depends on $@." + ending, source.getNode(),
49-
"sensitive data (" + classification + ")"
48+
"$@ is used in a hashing algorithm (" + algorithmName + ") that is insecure" + ending,
49+
source.getNode(), "Sensitive data (" + classification + ")"

python/ql/test/query-tests/Security/CWE-312-CleartextLogging/CleartextLogging.expected

Lines changed: 10 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -22,13 +22,13 @@ nodes
2222
| test.py:69:11:69:31 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
2323
subpaths
2424
#select
25-
| test.py:20:48:20:55 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:20:48:20:55 | ControlFlowNode for password | This log entry depends on $@. | test.py:19:16:19:29 | ControlFlowNode for get_password() | sensitive data (password) |
26-
| test.py:22:58:22:65 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:22:58:22:65 | ControlFlowNode for password | This log entry depends on $@. | test.py:19:16:19:29 | ControlFlowNode for get_password() | sensitive data (password) |
27-
| test.py:23:58:23:65 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:23:58:23:65 | ControlFlowNode for password | This log entry depends on $@. | test.py:19:16:19:29 | ControlFlowNode for get_password() | sensitive data (password) |
28-
| test.py:27:40:27:47 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:27:40:27:47 | ControlFlowNode for password | This log entry depends on $@. | test.py:19:16:19:29 | ControlFlowNode for get_password() | sensitive data (password) |
29-
| test.py:30:58:30:65 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:30:58:30:65 | ControlFlowNode for password | This log entry depends on $@. | test.py:19:16:19:29 | ControlFlowNode for get_password() | sensitive data (password) |
30-
| test.py:34:30:34:39 | ControlFlowNode for get_cert() | test.py:34:30:34:39 | ControlFlowNode for get_cert() | test.py:34:30:34:39 | ControlFlowNode for get_cert() | This log entry depends on $@. | test.py:34:30:34:39 | ControlFlowNode for get_cert() | sensitive data (certificate) |
31-
| test.py:37:11:37:24 | ControlFlowNode for get_password() | test.py:37:11:37:24 | ControlFlowNode for get_password() | test.py:37:11:37:24 | ControlFlowNode for get_password() | This log entry depends on $@. | test.py:37:11:37:24 | ControlFlowNode for get_password() | sensitive data (password) |
32-
| test.py:39:22:39:35 | ControlFlowNode for get_password() | test.py:39:22:39:35 | ControlFlowNode for get_password() | test.py:39:22:39:35 | ControlFlowNode for get_password() | This log entry depends on $@. | test.py:39:22:39:35 | ControlFlowNode for get_password() | sensitive data (password) |
33-
| test.py:40:22:40:35 | ControlFlowNode for get_password() | test.py:40:22:40:35 | ControlFlowNode for get_password() | test.py:40:22:40:35 | ControlFlowNode for get_password() | This log entry depends on $@. | test.py:40:22:40:35 | ControlFlowNode for get_password() | sensitive data (password) |
34-
| test.py:69:11:69:31 | ControlFlowNode for Subscript | test.py:67:21:67:37 | ControlFlowNode for Attribute | test.py:69:11:69:31 | ControlFlowNode for Subscript | This log entry depends on $@. | test.py:67:21:67:37 | ControlFlowNode for Attribute | sensitive data (password) |
25+
| test.py:20:48:20:55 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:20:48:20:55 | ControlFlowNode for password | $@ is logged here. | test.py:19:16:19:29 | ControlFlowNode for get_password() | Sensitive data (password) |
26+
| test.py:22:58:22:65 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:22:58:22:65 | ControlFlowNode for password | $@ is logged here. | test.py:19:16:19:29 | ControlFlowNode for get_password() | Sensitive data (password) |
27+
| test.py:23:58:23:65 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:23:58:23:65 | ControlFlowNode for password | $@ is logged here. | test.py:19:16:19:29 | ControlFlowNode for get_password() | Sensitive data (password) |
28+
| test.py:27:40:27:47 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:27:40:27:47 | ControlFlowNode for password | $@ is logged here. | test.py:19:16:19:29 | ControlFlowNode for get_password() | Sensitive data (password) |
29+
| test.py:30:58:30:65 | ControlFlowNode for password | test.py:19:16:19:29 | ControlFlowNode for get_password() | test.py:30:58:30:65 | ControlFlowNode for password | $@ is logged here. | test.py:19:16:19:29 | ControlFlowNode for get_password() | Sensitive data (password) |
30+
| test.py:34:30:34:39 | ControlFlowNode for get_cert() | test.py:34:30:34:39 | ControlFlowNode for get_cert() | test.py:34:30:34:39 | ControlFlowNode for get_cert() | $@ is logged here. | test.py:34:30:34:39 | ControlFlowNode for get_cert() | Sensitive data (certificate) |
31+
| test.py:37:11:37:24 | ControlFlowNode for get_password() | test.py:37:11:37:24 | ControlFlowNode for get_password() | test.py:37:11:37:24 | ControlFlowNode for get_password() | $@ is logged here. | test.py:37:11:37:24 | ControlFlowNode for get_password() | Sensitive data (password) |
32+
| test.py:39:22:39:35 | ControlFlowNode for get_password() | test.py:39:22:39:35 | ControlFlowNode for get_password() | test.py:39:22:39:35 | ControlFlowNode for get_password() | $@ is logged here. | test.py:39:22:39:35 | ControlFlowNode for get_password() | Sensitive data (password) |
33+
| test.py:40:22:40:35 | ControlFlowNode for get_password() | test.py:40:22:40:35 | ControlFlowNode for get_password() | test.py:40:22:40:35 | ControlFlowNode for get_password() | $@ is logged here. | test.py:40:22:40:35 | ControlFlowNode for get_password() | Sensitive data (password) |
34+
| test.py:69:11:69:31 | ControlFlowNode for Subscript | test.py:67:21:67:37 | ControlFlowNode for Attribute | test.py:69:11:69:31 | ControlFlowNode for Subscript | $@ is logged here. | test.py:67:21:67:37 | ControlFlowNode for Attribute | Sensitive data (password) |

python/ql/test/query-tests/Security/CWE-312-CleartextStorage-py3/CleartextStorage.expected

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,6 @@ nodes
99
| test.py:15:26:15:29 | ControlFlowNode for cert | semmle.label | ControlFlowNode for cert |
1010
subpaths
1111
#select
12-
| test.py:12:21:12:24 | ControlFlowNode for cert | test.py:9:12:9:21 | ControlFlowNode for get_cert() | test.py:12:21:12:24 | ControlFlowNode for cert | This data storage depends on $@. | test.py:9:12:9:21 | ControlFlowNode for get_cert() | sensitive data (certificate) |
13-
| test.py:13:22:13:41 | ControlFlowNode for Attribute() | test.py:9:12:9:21 | ControlFlowNode for get_cert() | test.py:13:22:13:41 | ControlFlowNode for Attribute() | This data storage depends on $@. | test.py:9:12:9:21 | ControlFlowNode for get_cert() | sensitive data (certificate) |
14-
| test.py:15:26:15:29 | ControlFlowNode for cert | test.py:9:12:9:21 | ControlFlowNode for get_cert() | test.py:15:26:15:29 | ControlFlowNode for cert | This data storage depends on $@. | test.py:9:12:9:21 | ControlFlowNode for get_cert() | sensitive data (certificate) |
12+
| test.py:12:21:12:24 | ControlFlowNode for cert | test.py:9:12:9:21 | ControlFlowNode for get_cert() | test.py:12:21:12:24 | ControlFlowNode for cert | $@ is stored here. | test.py:9:12:9:21 | ControlFlowNode for get_cert() | Sensitive data (certificate) |
13+
| test.py:13:22:13:41 | ControlFlowNode for Attribute() | test.py:9:12:9:21 | ControlFlowNode for get_cert() | test.py:13:22:13:41 | ControlFlowNode for Attribute() | $@ is stored here. | test.py:9:12:9:21 | ControlFlowNode for get_cert() | Sensitive data (certificate) |
14+
| test.py:15:26:15:29 | ControlFlowNode for cert | test.py:9:12:9:21 | ControlFlowNode for get_cert() | test.py:15:26:15:29 | ControlFlowNode for cert | $@ is stored here. | test.py:9:12:9:21 | ControlFlowNode for get_cert() | Sensitive data (certificate) |

python/ql/test/query-tests/Security/CWE-312-CleartextStorage/CleartextStorage.expected

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -15,7 +15,7 @@ nodes
1515
| test.py:10:25:10:29 | ControlFlowNode for lines | semmle.label | ControlFlowNode for lines |
1616
subpaths
1717
#select
18-
| password_in_cookie.py:9:33:9:40 | ControlFlowNode for password | password_in_cookie.py:7:16:7:43 | ControlFlowNode for Attribute() | password_in_cookie.py:9:33:9:40 | ControlFlowNode for password | This data storage depends on $@. | password_in_cookie.py:7:16:7:43 | ControlFlowNode for Attribute() | sensitive data (password) |
19-
| password_in_cookie.py:16:33:16:40 | ControlFlowNode for password | password_in_cookie.py:14:16:14:43 | ControlFlowNode for Attribute() | password_in_cookie.py:16:33:16:40 | ControlFlowNode for password | This data storage depends on $@. | password_in_cookie.py:14:16:14:43 | ControlFlowNode for Attribute() | sensitive data (password) |
20-
| test.py:8:20:8:23 | ControlFlowNode for cert | test.py:6:12:6:21 | ControlFlowNode for get_cert() | test.py:8:20:8:23 | ControlFlowNode for cert | This data storage depends on $@. | test.py:6:12:6:21 | ControlFlowNode for get_cert() | sensitive data (certificate) |
21-
| test.py:10:25:10:29 | ControlFlowNode for lines | test.py:6:12:6:21 | ControlFlowNode for get_cert() | test.py:10:25:10:29 | ControlFlowNode for lines | This data storage depends on $@. | test.py:6:12:6:21 | ControlFlowNode for get_cert() | sensitive data (certificate) |
18+
| password_in_cookie.py:9:33:9:40 | ControlFlowNode for password | password_in_cookie.py:7:16:7:43 | ControlFlowNode for Attribute() | password_in_cookie.py:9:33:9:40 | ControlFlowNode for password | $@ is stored here. | password_in_cookie.py:7:16:7:43 | ControlFlowNode for Attribute() | Sensitive data (password) |
19+
| password_in_cookie.py:16:33:16:40 | ControlFlowNode for password | password_in_cookie.py:14:16:14:43 | ControlFlowNode for Attribute() | password_in_cookie.py:16:33:16:40 | ControlFlowNode for password | $@ is stored here. | password_in_cookie.py:14:16:14:43 | ControlFlowNode for Attribute() | Sensitive data (password) |
20+
| test.py:8:20:8:23 | ControlFlowNode for cert | test.py:6:12:6:21 | ControlFlowNode for get_cert() | test.py:8:20:8:23 | ControlFlowNode for cert | $@ is stored here. | test.py:6:12:6:21 | ControlFlowNode for get_cert() | Sensitive data (certificate) |
21+
| test.py:10:25:10:29 | ControlFlowNode for lines | test.py:6:12:6:21 | ControlFlowNode for get_cert() | test.py:10:25:10:29 | ControlFlowNode for lines | $@ is stored here. | test.py:6:12:6:21 | ControlFlowNode for get_cert() | Sensitive data (certificate) |

0 commit comments

Comments
 (0)