Python: Exclude certificate classification fo sensitive data queries #17314
Conversation
…t-storage and cleartext-logging queries
joefarebrother
force-pushed
the
python-x509-cert
branch
from
c4194a5
to
a8591c7
Compare
| def get_password(): | ||
| return "password" |
There was a problem hiding this comment.
@joefarebrother Could you elaborate on the rationale behind this change? The non-Python3 version tests certificate and password writes. Whereas the Python3 test now seems to have switched from testing certificate writes to testing password writes.
There was a problem hiding this comment.
No significant reason. Would it be best to include tests for both?
There was a problem hiding this comment.
My interpretation is that this -py3 test is here to ensure we properly support writing through pathlib.Path methods for this query, so LGTM 👍
Co-authored-by: Sid Shankar <sidshank@github.com>
python/ql/lib/semmle/python/security/dataflow/CleartextLoggingCustomizations.qll
Outdated
Show resolved
Hide resolved
python/ql/lib/semmle/python/security/dataflow/CleartextStorageCustomizations.qll
Outdated
Show resolved
Hide resolved
| def get_password(): | ||
| return "password" |
There was a problem hiding this comment.
My interpretation is that this -py3 test is here to ensure we properly support writing through pathlib.Path methods for this query, so LGTM 👍
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
A certificate, such as an SSL certificate or x509 certificate, often does not contain sensitive data, so the cleartext storage and cleartext logging queries result in false positive alerts when considering them. This PR excludes certificates as sources for these queries.