From 03ecd244694ada295d127e64b60e25af61c644af Mon Sep 17 00:00:00 2001
From: Michael Nebel
Date: Fri, 16 May 2025 11:58:15 +0200
Subject: [PATCH 1/3] Lower the precision of a range of harcoded password queries to remove them from query suites.
---
 csharp/ql/src/Configuration/PasswordInConfigurationFile.ql | 2 +-
 .../src/Security Features/CWE-798/HardcodedConnectionString.ql | 2 +-
 csharp/ql/src/Security Features/CWE-798/HardcodedCredentials.ql | 2 +-
 go/ql/src/Security/CWE-798/HardcodedCredentials.ql | 2 +-
 java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql | 2 +-
 .../ql/src/Security/CWE-313/PasswordInConfigurationFile.ql | 2 +-
 javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql | 2 +-
 python/ql/src/Security/CWE-798/HardcodedCredentials.ql | 2 +-
 ruby/ql/src/queries/security/cwe-798/HardcodedCredentials.ql | 2 +-
 swift/ql/src/queries/Security/CWE-259/ConstantPassword.ql | 2 +-
 swift/ql/src/queries/Security/CWE-321/HardcodedEncryptionKey.ql | 2 +-
 11 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/csharp/ql/src/Configuration/PasswordInConfigurationFile.ql b/csharp/ql/src/Configuration/PasswordInConfigurationFile.ql
index a2fe7cf2290e..0cc3f9cfca26 100644
--- a/csharp/ql/src/Configuration/PasswordInConfigurationFile.ql
+++ b/csharp/ql/src/Configuration/PasswordInConfigurationFile.ql
@@ -4,7 +4,7 @@
 * @kind problem
 * @problem.severity warning
 * @security-severity 7.5
- * @precision medium
+ * @precision low
 * @id cs/password-in-configuration
 * @tags security
 * external/cwe/cwe-013
diff --git a/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql b/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql
index 09f4bdca26bf..32508fa9d3fb 100644
--- a/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql
+++ b/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql
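Review bot: Setting `@precision low` on `cs/password-in-configuration` only drops the query from suites whose selectors exclude low precision; the query stays under `src/`, remains runnable by path, and would still be picked up by any suite that admits `precision: low` (I have not checked whether the `security-experimental` suite does), so the "removed from all query suites" wording in the change notes should be verified against the suite selectors, since the expectations updated in the second patch cover only the code-scanning, security-extended, security-and-quality and not_included_in_qls lists. The same applies to the other ten metadata hunks in this patch (`cs/hardcoded-connection-string-credentials`, `cs/hardcoded-credentials`, `go/hardcoded-credentials`, `java/hardcoded-credential-api-call`, `js/password-in-configuration-file`, `js/hardcoded-credentials`, `py/hardcoded-credentials`, `rb/hardcoded-credentials`, `swift/constant-password`, `swift/hardcoded-key`). Nothing in the hunk records why the precision was lowered, and a free-text line after the `@tags` block would most likely be parsed as another tag value, so the rationale belongs in the change note rather than the query header, e.g. `* The query ... has been removed from all query suites (<reason the precision was lowered>).` with the placeholder filled in. The `@problem.severity` and `@security-severity` values are left as they were, which is fine, but a reader comparing `error`/`9.8` with `low` precision will want that one-sentence reason.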
@@ -4,7 +4,7 @@
 * @kind path-problem
 * @problem.severity error
 * @security-severity 9.8
- * @precision medium
+ * @precision low
 * @id cs/hardcoded-connection-string-credentials
 * @tags security
 * external/cwe/cwe-259
diff --git a/csharp/ql/src/Security Features/CWE-798/HardcodedCredentials.ql b/csharp/ql/src/Security Features/CWE-798/HardcodedCredentials.ql
index d4291c90fb23..d0aed008261b 100644
--- a/csharp/ql/src/Security Features/CWE-798/HardcodedCredentials.ql
+++ b/csharp/ql/src/Security Features/CWE-798/HardcodedCredentials.ql
@@ -4,7 +4,7 @@
 * @kind path-problem
 * @problem.severity error
 * @security-severity 9.8
- * @precision medium
+ * @precision low
 * @id cs/hardcoded-credentials
 * @tags security
 * external/cwe/cwe-259
diff --git a/go/ql/src/Security/CWE-798/HardcodedCredentials.ql b/go/ql/src/Security/CWE-798/HardcodedCredentials.ql
index 37ebbad8f68b..d14f24966bef 100644
--- a/go/ql/src/Security/CWE-798/HardcodedCredentials.ql
+++ b/go/ql/src/Security/CWE-798/HardcodedCredentials.ql
@@ -5,7 +5,7 @@
 * @kind problem
 * @problem.severity warning
 * @security-severity 9.8
- * @precision medium
+ * @precision low
 * @id go/hardcoded-credentials
 * @tags security
 * external/cwe/cwe-259
diff --git a/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql b/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql
index 410cea0ed03a..7153ba726da9 100644
--- a/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql
+++ b/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql
@@ -4,7 +4,7 @@
 * @kind path-problem
 * @problem.severity error
 * @security-severity 9.8
- * @precision medium
+ * @precision low
 * @id java/hardcoded-credential-api-call
 * @tags security
 * external/cwe/cwe-798
diff --git a/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql b/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql
index d00ea7343df5..f00a5092a821 100644
--- a/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql
+++ b/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql
@@ -4,7 +4,7 @@
 * @kind problem
 * @problem.severity warning
 * @security-severity 7.5
- * @precision medium
+ * @precision low
 * @id js/password-in-configuration-file
 * @tags security
 * external/cwe/cwe-256
diff --git a/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql b/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql
index a94153e02263..6bb5218ad6ac 100644
--- a/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql
+++ b/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql
@@ -5,7 +5,7 @@
 * @kind path-problem
 * @problem.severity warning
 * @security-severity 9.8
- * @precision high
+ * @precision low
 * @id js/hardcoded-credentials
 * @tags security
 * external/cwe/cwe-259
diff --git a/python/ql/src/Security/CWE-798/HardcodedCredentials.ql b/python/ql/src/Security/CWE-798/HardcodedCredentials.ql
index c8aecd7204ba..d08223a553bd 100644
--- a/python/ql/src/Security/CWE-798/HardcodedCredentials.ql
+++ b/python/ql/src/Security/CWE-798/HardcodedCredentials.ql
@@ -4,7 +4,7 @@
 * @kind path-problem
 * @problem.severity error
 * @security-severity 9.8
- * @precision medium
+ * @precision low
 * @id py/hardcoded-credentials
 * @tags security
 * external/cwe/cwe-259
diff --git a/ruby/ql/src/queries/security/cwe-798/HardcodedCredentials.ql b/ruby/ql/src/queries/security/cwe-798/HardcodedCredentials.ql
index c568e8d2aafc..bba71760818d 100644
--- a/ruby/ql/src/queries/security/cwe-798/HardcodedCredentials.ql
+++ b/ruby/ql/src/queries/security/cwe-798/HardcodedCredentials.ql
@@ -4,7 +4,7 @@
 * @kind path-problem
 * @problem.severity error
 * @security-severity 9.8
- * @precision medium
+ * @precision low
 * @id rb/hardcoded-credentials
 * @tags security
 * external/cwe/cwe-259
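Review bot: `js/hardcoded-credentials` goes from `high` straight to `low`, which also removes it from the default code-scanning suite (the second patch drops it from javascript-code-scanning.qls.expected), while most queries in this patch only move from `medium`; the two Swift queries in the next hunks, `swift/constant-password` and `swift/hardcoded-key`, make the same high-to-low jump. For users of the default suite that is a visible loss of CWE-798/CWE-259/CWE-321 coverage rather than a tweak of an extended suite, so the change notes for javascript and swift should say explicitly that these queries were previously in the default suite. If the repository's change-note categories distinguish metadata changes (`queryMetadata`), that category would describe this commit more accurately than `minorAnalysis`, but I have not checked which categories the note validator accepts.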
diff --git a/swift/ql/src/queries/Security/CWE-259/ConstantPassword.ql b/swift/ql/src/queries/Security/CWE-259/ConstantPassword.ql
index 4eb9e4548ec9..1eb42b301a9f 100644
--- a/swift/ql/src/queries/Security/CWE-259/ConstantPassword.ql
+++ b/swift/ql/src/queries/Security/CWE-259/ConstantPassword.ql
@@ -4,7 +4,7 @@
 * @kind path-problem
 * @problem.severity error
 * @security-severity 6.8
- * @precision high
+ * @precision low
 * @id swift/constant-password
 * @tags security
 * external/cwe/cwe-259
diff --git a/swift/ql/src/queries/Security/CWE-321/HardcodedEncryptionKey.ql b/swift/ql/src/queries/Security/CWE-321/HardcodedEncryptionKey.ql
index f157478fc8ea..f6758f94bb27 100644
--- a/swift/ql/src/queries/Security/CWE-321/HardcodedEncryptionKey.ql
+++ b/swift/ql/src/queries/Security/CWE-321/HardcodedEncryptionKey.ql
@@ -4,7 +4,7 @@
 * @kind path-problem
 * @problem.severity error
 * @security-severity 8.1
- * @precision high
+ * @precision low
 * @id swift/hardcoded-key
 * @tags security
 * external/cwe/cwe-321
From 530025b7aed25bc07486e1ab657ec470b4508613 Mon Sep 17 00:00:00 2001
From: Michael Nebel
Date: Fri, 16 May 2025 12:02:48 +0200
Subject: [PATCH 2/3] Update integration tests expected output.
---
 .../posix/query-suite/csharp-security-and-quality.qls.expected | 3 ---
 .../posix/query-suite/csharp-security-extended.qls.expected | 3 ---
 .../posix/query-suite/not_included_in_qls.expected | 3 +++
 .../query-suite/go-security-and-quality.qls.expected | 1 -
 .../query-suite/go-security-extended.qls.expected | 1 -
 .../integration-tests/query-suite/not_included_in_qls.expected | 1 +
 .../java/query-suite/java-security-and-quality.qls.expected | 1 -
 .../java/query-suite/java-security-extended.qls.expected | 1 -
 .../java/query-suite/not_included_in_qls.expected | 1 +
 .../query-suite/javascript-code-scanning.qls.expected | 1 -
 .../query-suite/javascript-security-and-quality.qls.expected | 2 --
 .../query-suite/javascript-security-extended.qls.expected | 2 --
 .../integration-tests/query-suite/not_included_in_qls.expected | 2 ++
 .../integration-tests/query-suite/not_included_in_qls.expected | 1 +
 .../query-suite/python-security-and-quality.qls.expected | 1 -
 .../query-suite/python-security-extended.qls.expected | 1 -
 .../integration-tests/query-suite/not_included_in_qls.expected | 1 +
 .../query-suite/ruby-security-and-quality.qls.expected | 1 -
 .../query-suite/ruby-security-extended.qls.expected | 1 -
 .../posix/query-suite/not_included_in_qls.expected | 2 ++
 .../posix/query-suite/swift-code-scanning.qls.expected | 2 --
 .../posix/query-suite/swift-security-and-quality.qls.expected | 2 --
 .../posix/query-suite/swift-security-extended.qls.expected | 2 --
 23 files changed, 11 insertions(+), 25 deletions(-)
diff --git a/csharp/ql/integration-tests/posix/query-suite/csharp-security-and-quality.qls.expected b/csharp/ql/integration-tests/posix/query-suite/csharp-security-and-quality.qls.expected
index fc0fa2403f96..d4d145986c1b 100644
--- a/csharp/ql/integration-tests/posix/query-suite/csharp-security-and-quality.qls.expected
+++ b/csharp/ql/integration-tests/posix/query-suite/csharp-security-and-quality.qls.expected
@@ -38,7 +38,6 @@ ql/csharp/ql/src/Concurrency/SynchSetUnsynchGet.ql
 ql/csharp/ql/src/Concurrency/UnsafeLazyInitialization.ql
 ql/csharp/ql/src/Concurrency/UnsynchronizedStaticAccess.ql
 ql/csharp/ql/src/Configuration/EmptyPasswordInConfigurationFile.ql
-ql/csharp/ql/src/Configuration/PasswordInConfigurationFile.ql
 ql/csharp/ql/src/Dead Code/DeadStoreOfLocal.ql
 ql/csharp/ql/src/Diagnostics/CompilerError.ql
 ql/csharp/ql/src/Diagnostics/CompilerMessage.ql
@@ -146,8 +145,6 @@ ql/csharp/ql/src/Security Features/CWE-639/InsecureDirectObjectReference.ql
 ql/csharp/ql/src/Security Features/CWE-643/XPathInjection.ql
 ql/csharp/ql/src/Security Features/CWE-730/ReDoS.ql
 ql/csharp/ql/src/Security Features/CWE-730/RegexInjection.ql
-ql/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql
-ql/csharp/ql/src/Security Features/CWE-798/HardcodedCredentials.ql
 ql/csharp/ql/src/Security Features/CWE-807/ConditionalBypass.ql
 ql/csharp/ql/src/Security Features/CookieWithOverlyBroadDomain.ql
 ql/csharp/ql/src/Security Features/CookieWithOverlyBroadPath.ql
diff --git a/csharp/ql/integration-tests/posix/query-suite/csharp-security-extended.qls.expected b/csharp/ql/integration-tests/posix/query-suite/csharp-security-extended.qls.expected
index 69f47536e683..48f7ad304a01 100644
--- a/csharp/ql/integration-tests/posix/query-suite/csharp-security-extended.qls.expected
+++ b/csharp/ql/integration-tests/posix/query-suite/csharp-security-extended.qls.expected
@@ -1,5 +1,4 @@
 ql/csharp/ql/src/Configuration/EmptyPasswordInConfigurationFile.ql
-ql/csharp/ql/src/Configuration/PasswordInConfigurationFile.ql
 ql/csharp/ql/src/Diagnostics/CompilerError.ql
 ql/csharp/ql/src/Diagnostics/CompilerMessage.ql
 ql/csharp/ql/src/Diagnostics/DiagnosticExtractionErrors.ql
@@ -49,8 +48,6 @@ ql/csharp/ql/src/Security Features/CWE-639/InsecureDirectObjectReference.ql
 ql/csharp/ql/src/Security Features/CWE-643/XPathInjection.ql
 ql/csharp/ql/src/Security Features/CWE-730/ReDoS.ql
 ql/csharp/ql/src/Security Features/CWE-730/RegexInjection.ql
-ql/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql
-ql/csharp/ql/src/Security Features/CWE-798/HardcodedCredentials.ql
 ql/csharp/ql/src/Security Features/CWE-807/ConditionalBypass.ql
 ql/csharp/ql/src/Security Features/CookieWithOverlyBroadDomain.ql
 ql/csharp/ql/src/Security Features/CookieWithOverlyBroadPath.ql
diff --git a/csharp/ql/integration-tests/posix/query-suite/not_included_in_qls.expected b/csharp/ql/integration-tests/posix/query-suite/not_included_in_qls.expected
index 9604a4aed64e..dff6574dddd0 100644
--- a/csharp/ql/integration-tests/posix/query-suite/not_included_in_qls.expected
+++ b/csharp/ql/integration-tests/posix/query-suite/not_included_in_qls.expected
@@ -26,6 +26,7 @@ ql/csharp/ql/src/Bad Practices/Naming Conventions/DefaultControlNames.ql
 ql/csharp/ql/src/Bad Practices/Naming Conventions/VariableNameTooShort.ql
 ql/csharp/ql/src/Bad Practices/UseOfHtmlInputHidden.ql
 ql/csharp/ql/src/Bad Practices/UseOfSystemOutputStream.ql
+ql/csharp/ql/src/Configuration/PasswordInConfigurationFile.ql
 ql/csharp/ql/src/Dead Code/DeadRefTypes.ql
 ql/csharp/ql/src/Dead Code/NonAssignedFields.ql
 ql/csharp/ql/src/Dead Code/UnusedField.ql
@@ -89,6 +90,8 @@ ql/csharp/ql/src/Security Features/CWE-321/HardcodedSymmetricEncryptionKey.ql
 ql/csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql
 ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.ql
 ql/csharp/ql/src/Security Features/CWE-611/UseXmlSecureResolver.ql
+ql/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql
+ql/csharp/ql/src/Security Features/CWE-798/HardcodedCredentials.ql
 ql/csharp/ql/src/Security Features/CWE-838/InappropriateEncoding.ql
 ql/csharp/ql/src/Useless code/PointlessForwardingMethod.ql
 ql/csharp/ql/src/definitions.ql
diff --git a/go/ql/integration-tests/query-suite/go-security-and-quality.qls.expected b/go/ql/integration-tests/query-suite/go-security-and-quality.qls.expected
index 46f21d921ef7..634335cd05e3 100644
--- a/go/ql/integration-tests/query-suite/go-security-and-quality.qls.expected
+++ b/go/ql/integration-tests/query-suite/go-security-and-quality.qls.expected
@@ -50,6 +50,5 @@ ql/go/ql/src/Security/CWE-640/EmailInjection.ql
 ql/go/ql/src/Security/CWE-643/XPathInjection.ql
 ql/go/ql/src/Security/CWE-681/IncorrectIntegerConversionQuery.ql
 ql/go/ql/src/Security/CWE-770/UncontrolledAllocationSize.ql
-ql/go/ql/src/Security/CWE-798/HardcodedCredentials.ql
 ql/go/ql/src/Security/CWE-918/RequestForgery.ql
 ql/go/ql/src/Summary/LinesOfCode.ql
diff --git a/go/ql/integration-tests/query-suite/go-security-extended.qls.expected b/go/ql/integration-tests/query-suite/go-security-extended.qls.expected
index a206ef2364ab..12db20e22f5c 100644
--- a/go/ql/integration-tests/query-suite/go-security-extended.qls.expected
+++ b/go/ql/integration-tests/query-suite/go-security-extended.qls.expected
@@ -28,6 +28,5 @@ ql/go/ql/src/Security/CWE-640/EmailInjection.ql
 ql/go/ql/src/Security/CWE-643/XPathInjection.ql
 ql/go/ql/src/Security/CWE-681/IncorrectIntegerConversionQuery.ql
 ql/go/ql/src/Security/CWE-770/UncontrolledAllocationSize.ql
-ql/go/ql/src/Security/CWE-798/HardcodedCredentials.ql
 ql/go/ql/src/Security/CWE-918/RequestForgery.ql
 ql/go/ql/src/Summary/LinesOfCode.ql
diff --git a/go/ql/integration-tests/query-suite/not_included_in_qls.expected b/go/ql/integration-tests/query-suite/not_included_in_qls.expected
index 751c76041a29..bca9992e6005 100644
--- a/go/ql/integration-tests/query-suite/not_included_in_qls.expected
+++ b/go/ql/integration-tests/query-suite/not_included_in_qls.expected
@@ -6,6 +6,7 @@ ql/go/ql/src/Security/CWE-020/UntrustedDataToExternalAPI.ql
 ql/go/ql/src/Security/CWE-020/UntrustedDataToUnknownExternalAPI.ql
 ql/go/ql/src/Security/CWE-078/StoredCommand.ql
 ql/go/ql/src/Security/CWE-079/StoredXss.ql
+ql/go/ql/src/Security/CWE-798/HardcodedCredentials.ql
 ql/go/ql/src/definitions.ql
 ql/go/ql/src/experimental/CWE-090/LDAPInjection.ql
 ql/go/ql/src/experimental/CWE-1004/CookieWithoutHttpOnly.ql
diff --git a/java/ql/integration-tests/java/query-suite/java-security-and-quality.qls.expected b/java/ql/integration-tests/java/query-suite/java-security-and-quality.qls.expected
index 85d7e7d0960d..f4317f8e2a5c 100644
--- a/java/ql/integration-tests/java/query-suite/java-security-and-quality.qls.expected
+++ b/java/ql/integration-tests/java/query-suite/java-security-and-quality.qls.expected
@@ -196,7 +196,6 @@ ql/java/ql/src/Security/CWE/CWE-730/RegexInjection.ql
 ql/java/ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql
 ql/java/ql/src/Security/CWE/CWE-749/UnsafeAndroidAccess.ql
 ql/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.ql
-ql/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql
 ql/java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql
 ql/java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql
 ql/java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql
diff --git a/java/ql/integration-tests/java/query-suite/java-security-extended.qls.expected b/java/ql/integration-tests/java/query-suite/java-security-extended.qls.expected
index d5f4cbf1ccc4..209777cf4d98 100644
--- a/java/ql/integration-tests/java/query-suite/java-security-extended.qls.expected
+++ b/java/ql/integration-tests/java/query-suite/java-security-extended.qls.expected
@@ -99,7 +99,6 @@ ql/java/ql/src/Security/CWE/CWE-730/RegexInjection.ql
 ql/java/ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql
 ql/java/ql/src/Security/CWE/CWE-749/UnsafeAndroidAccess.ql
 ql/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.ql
-ql/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql
 ql/java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql
 ql/java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql
 ql/java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql
diff --git a/java/ql/integration-tests/java/query-suite/not_included_in_qls.expected b/java/ql/integration-tests/java/query-suite/not_included_in_qls.expected
index 0fbc365c1343..d0378fa2ea4c 100644
--- a/java/ql/integration-tests/java/query-suite/not_included_in_qls.expected
+++ b/java/ql/integration-tests/java/query-suite/not_included_in_qls.expected
@@ -158,6 +158,7 @@ ql/java/ql/src/Security/CWE/CWE-312/CleartextStorageClass.ql
 ql/java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql
 ql/java/ql/src/Security/CWE/CWE-319/UseSSL.ql
 ql/java/ql/src/Security/CWE/CWE-319/UseSSLSocketFactories.ql
+ql/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql
 ql/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsComparison.ql
 ql/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsSourceCall.ql
 ql/java/ql/src/Security/CWE/CWE-798/HardcodedPasswordField.ql
diff --git a/javascript/ql/integration-tests/query-suite/javascript-code-scanning.qls.expected b/javascript/ql/integration-tests/query-suite/javascript-code-scanning.qls.expected
index 7f7ab7aa326d..1cf124ce3cf6 100644
--- a/javascript/ql/integration-tests/query-suite/javascript-code-scanning.qls.expected
+++ b/javascript/ql/integration-tests/query-suite/javascript-code-scanning.qls.expected
@@ -75,7 +75,6 @@ ql/javascript/ql/src/Security/CWE-754/UnvalidatedDynamicMethodCall.ql
 ql/javascript/ql/src/Security/CWE-770/MissingRateLimiting.ql
 ql/javascript/ql/src/Security/CWE-770/ResourceExhaustion.ql
 ql/javascript/ql/src/Security/CWE-776/XmlBomb.ql
-ql/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql
 ql/javascript/ql/src/Security/CWE-829/InsecureDownload.ql
 ql/javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedDomain.ql
 ql/javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedSource.ql
diff --git a/javascript/ql/integration-tests/query-suite/javascript-security-and-quality.qls.expected b/javascript/ql/integration-tests/query-suite/javascript-security-and-quality.qls.expected
index 63f6629f7bfd..eb4acd38e39b 100644
--- a/javascript/ql/integration-tests/query-suite/javascript-security-and-quality.qls.expected
+++ b/javascript/ql/integration-tests/query-suite/javascript-security-and-quality.qls.expected
@@ -144,7 +144,6 @@ ql/javascript/ql/src/Security/CWE-312/ActionsArtifactLeak.ql
 ql/javascript/ql/src/Security/CWE-312/BuildArtifactLeak.ql
 ql/javascript/ql/src/Security/CWE-312/CleartextLogging.ql
 ql/javascript/ql/src/Security/CWE-312/CleartextStorage.ql
-ql/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql
 ql/javascript/ql/src/Security/CWE-326/InsufficientKeySize.ql
 ql/javascript/ql/src/Security/CWE-327/BadRandomness.ql
 ql/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql
@@ -173,7 +172,6 @@ ql/javascript/ql/src/Security/CWE-754/UnvalidatedDynamicMethodCall.ql
 ql/javascript/ql/src/Security/CWE-770/MissingRateLimiting.ql
 ql/javascript/ql/src/Security/CWE-770/ResourceExhaustion.ql
 ql/javascript/ql/src/Security/CWE-776/XmlBomb.ql
-ql/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql
 ql/javascript/ql/src/Security/CWE-807/ConditionalBypass.ql
 ql/javascript/ql/src/Security/CWE-829/InsecureDownload.ql
 ql/javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedDomain.ql
diff --git a/javascript/ql/integration-tests/query-suite/javascript-security-extended.qls.expected b/javascript/ql/integration-tests/query-suite/javascript-security-extended.qls.expected
index 29ae7fd6939e..a5b5cfefdbc2 100644
--- a/javascript/ql/integration-tests/query-suite/javascript-security-extended.qls.expected
+++ b/javascript/ql/integration-tests/query-suite/javascript-security-extended.qls.expected
@@ -59,7 +59,6 @@ ql/javascript/ql/src/Security/CWE-312/ActionsArtifactLeak.ql
 ql/javascript/ql/src/Security/CWE-312/BuildArtifactLeak.ql
 ql/javascript/ql/src/Security/CWE-312/CleartextLogging.ql
 ql/javascript/ql/src/Security/CWE-312/CleartextStorage.ql
-ql/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql
 ql/javascript/ql/src/Security/CWE-326/InsufficientKeySize.ql
 ql/javascript/ql/src/Security/CWE-327/BadRandomness.ql
 ql/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql
@@ -88,7 +87,6 @@ ql/javascript/ql/src/Security/CWE-754/UnvalidatedDynamicMethodCall.ql
 ql/javascript/ql/src/Security/CWE-770/MissingRateLimiting.ql
 ql/javascript/ql/src/Security/CWE-770/ResourceExhaustion.ql
 ql/javascript/ql/src/Security/CWE-776/XmlBomb.ql
-ql/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql
 ql/javascript/ql/src/Security/CWE-807/ConditionalBypass.ql
 ql/javascript/ql/src/Security/CWE-829/InsecureDownload.ql
 ql/javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedDomain.ql
diff --git a/javascript/ql/integration-tests/query-suite/not_included_in_qls.expected b/javascript/ql/integration-tests/query-suite/not_included_in_qls.expected
index a6c808c6cbfb..34c4df3d6fae 100644
--- a/javascript/ql/integration-tests/query-suite/not_included_in_qls.expected
+++ b/javascript/ql/integration-tests/query-suite/not_included_in_qls.expected
@@ -53,7 +53,9 @@ ql/javascript/ql/src/RegExp/BackspaceEscape.ql
 ql/javascript/ql/src/RegExp/MalformedRegExp.ql
 ql/javascript/ql/src/Security/CWE-020/ExternalAPIsUsedWithUntrustedData.ql
 ql/javascript/ql/src/Security/CWE-020/UntrustedDataToExternalAPI.ql
+ql/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql
 ql/javascript/ql/src/Security/CWE-451/MissingXFrameOptions.ql
+ql/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql
 ql/javascript/ql/src/Security/CWE-807/DifferentKindsComparisonBypass.ql
 ql/javascript/ql/src/Security/trest/test.ql
 ql/javascript/ql/src/Statements/EphemeralLoop.ql
diff --git a/python/ql/integration-tests/query-suite/not_included_in_qls.expected b/python/ql/integration-tests/query-suite/not_included_in_qls.expected
index 9921f13aa558..05108abc2060 100644
--- a/python/ql/integration-tests/query-suite/not_included_in_qls.expected
+++ b/python/ql/integration-tests/query-suite/not_included_in_qls.expected
@@ -58,6 +58,7 @@ ql/python/ql/src/Metrics/NumberOfStatements.ql
 ql/python/ql/src/Metrics/TransitiveImports.ql
 ql/python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIsUsedWithUntrustedData.ql
 ql/python/ql/src/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.ql
+ql/python/ql/src/Security/CWE-798/HardcodedCredentials.ql
 ql/python/ql/src/Statements/AssertLiteralConstant.ql
 ql/python/ql/src/Statements/C_StyleParentheses.ql
 ql/python/ql/src/Statements/DocStrings.ql
diff --git a/python/ql/integration-tests/query-suite/python-security-and-quality.qls.expected b/python/ql/integration-tests/query-suite/python-security-and-quality.qls.expected
index 4560c92f36d6..e391dea95cd7 100644
--- a/python/ql/integration-tests/query-suite/python-security-and-quality.qls.expected
+++ b/python/ql/integration-tests/query-suite/python-security-and-quality.qls.expected
@@ -133,7 +133,6 @@ ql/python/ql/src/Security/CWE-730/ReDoS.ql
 ql/python/ql/src/Security/CWE-730/RegexInjection.ql
 ql/python/ql/src/Security/CWE-732/WeakFilePermissions.ql
 ql/python/ql/src/Security/CWE-776/XmlBomb.ql
-ql/python/ql/src/Security/CWE-798/HardcodedCredentials.ql
 ql/python/ql/src/Security/CWE-918/FullServerSideRequestForgery.ql
 ql/python/ql/src/Security/CWE-918/PartialServerSideRequestForgery.ql
 ql/python/ql/src/Security/CWE-943/NoSqlInjection.ql
diff --git a/python/ql/integration-tests/query-suite/python-security-extended.qls.expected b/python/ql/integration-tests/query-suite/python-security-extended.qls.expected
index 398da79f01e4..1b255c6a0d05 100644
--- a/python/ql/integration-tests/query-suite/python-security-extended.qls.expected
+++ b/python/ql/integration-tests/query-suite/python-security-extended.qls.expected
@@ -43,7 +43,6 @@ ql/python/ql/src/Security/CWE-730/ReDoS.ql
 ql/python/ql/src/Security/CWE-730/RegexInjection.ql
 ql/python/ql/src/Security/CWE-732/WeakFilePermissions.ql
 ql/python/ql/src/Security/CWE-776/XmlBomb.ql
-ql/python/ql/src/Security/CWE-798/HardcodedCredentials.ql
 ql/python/ql/src/Security/CWE-918/FullServerSideRequestForgery.ql
 ql/python/ql/src/Security/CWE-918/PartialServerSideRequestForgery.ql
 ql/python/ql/src/Security/CWE-943/NoSqlInjection.ql
diff --git a/ruby/ql/integration-tests/query-suite/not_included_in_qls.expected b/ruby/ql/integration-tests/query-suite/not_included_in_qls.expected
index ea96d413106e..59aef4e12c1d 100644
--- a/ruby/ql/integration-tests/query-suite/not_included_in_qls.expected
+++ b/ruby/ql/integration-tests/query-suite/not_included_in_qls.expected
@@ -30,6 +30,7 @@ ql/ruby/ql/src/queries/metrics/FLinesOfCode.ql
 ql/ruby/ql/src/queries/metrics/FLinesOfComments.ql
 ql/ruby/ql/src/queries/modeling/GenerateModel.ql
 ql/ruby/ql/src/queries/security/cwe-732/WeakFilePermissions.ql
+ql/ruby/ql/src/queries/security/cwe-798/HardcodedCredentials.ql
 ql/ruby/ql/src/queries/variables/UnusedParameter.ql
 ql/ruby/ql/src/utils/modeleditor/ApplicationModeEndpoints.ql
 ql/ruby/ql/src/utils/modeleditor/FrameworkModeAccessPaths.ql
diff --git a/ruby/ql/integration-tests/query-suite/ruby-security-and-quality.qls.expected b/ruby/ql/integration-tests/query-suite/ruby-security-and-quality.qls.expected
index 604a4c223fbd..0d1af0f29d93 100644
--- a/ruby/ql/integration-tests/query-suite/ruby-security-and-quality.qls.expected
+++ b/ruby/ql/integration-tests/query-suite/ruby-security-and-quality.qls.expected
@@ -41,7 +41,6 @@ ql/ruby/ql/src/queries/security/cwe-598/SensitiveGetQuery.ql
 ql/ruby/ql/src/queries/security/cwe-601/UrlRedirect.ql
 ql/ruby/ql/src/queries/security/cwe-611/Xxe.ql
 ql/ruby/ql/src/queries/security/cwe-732/WeakCookieConfiguration.ql
-ql/ruby/ql/src/queries/security/cwe-798/HardcodedCredentials.ql
 ql/ruby/ql/src/queries/security/cwe-829/InsecureDownload.ql
 ql/ruby/ql/src/queries/security/cwe-912/HttpToFileAccess.ql
 ql/ruby/ql/src/queries/security/cwe-915/MassAssignment.ql
diff --git a/ruby/ql/integration-tests/query-suite/ruby-security-extended.qls.expected b/ruby/ql/integration-tests/query-suite/ruby-security-extended.qls.expected
index 706b9a9a363a..b2b0a0d7b27e 100644
--- a/ruby/ql/integration-tests/query-suite/ruby-security-extended.qls.expected
+++ b/ruby/ql/integration-tests/query-suite/ruby-security-extended.qls.expected
@@ -40,7 +40,6 @@ ql/ruby/ql/src/queries/security/cwe-598/SensitiveGetQuery.ql
 ql/ruby/ql/src/queries/security/cwe-601/UrlRedirect.ql
 ql/ruby/ql/src/queries/security/cwe-611/Xxe.ql
 ql/ruby/ql/src/queries/security/cwe-732/WeakCookieConfiguration.ql
-ql/ruby/ql/src/queries/security/cwe-798/HardcodedCredentials.ql
 ql/ruby/ql/src/queries/security/cwe-829/InsecureDownload.ql
 ql/ruby/ql/src/queries/security/cwe-912/HttpToFileAccess.ql
 ql/ruby/ql/src/queries/security/cwe-915/MassAssignment.ql
diff --git a/swift/ql/integration-tests/posix/query-suite/not_included_in_qls.expected b/swift/ql/integration-tests/posix/query-suite/not_included_in_qls.expected
index 64c776d96d1d..ced293a493b9 100644
--- a/swift/ql/integration-tests/posix/query-suite/not_included_in_qls.expected
+++ b/swift/ql/integration-tests/posix/query-suite/not_included_in_qls.expected
@@ -1,5 +1,7 @@
 ql/swift/ql/src/AlertSuppression.ql
 ql/swift/ql/src/experimental/Security/CWE-022/UnsafeUnpack.ql
+ql/swift/ql/src/queries/Security/CWE-259/ConstantPassword.ql
+ql/swift/ql/src/queries/Security/CWE-321/HardcodedEncryptionKey.ql
 ql/swift/ql/src/queries/Summary/FlowSources.ql
 ql/swift/ql/src/queries/Summary/QuerySinks.ql
 ql/swift/ql/src/queries/Summary/RegexEvals.ql
diff --git a/swift/ql/integration-tests/posix/query-suite/swift-code-scanning.qls.expected b/swift/ql/integration-tests/posix/query-suite/swift-code-scanning.qls.expected
index bee12dbfb8fa..7b2583382006 100644
--- a/swift/ql/integration-tests/posix/query-suite/swift-code-scanning.qls.expected
+++ b/swift/ql/integration-tests/posix/query-suite/swift-code-scanning.qls.expected
@@ -14,12 +14,10 @@ ql/swift/ql/src/queries/Security/CWE-1204/StaticInitializationVector.ql
 ql/swift/ql/src/queries/Security/CWE-1333/ReDoS.ql
 ql/swift/ql/src/queries/Security/CWE-134/UncontrolledFormatString.ql
 ql/swift/ql/src/queries/Security/CWE-135/StringLengthConflation.ql
-ql/swift/ql/src/queries/Security/CWE-259/ConstantPassword.ql
 ql/swift/ql/src/queries/Security/CWE-311/CleartextStorageDatabase.ql
 ql/swift/ql/src/queries/Security/CWE-311/CleartextTransmission.ql
 ql/swift/ql/src/queries/Security/CWE-312/CleartextLogging.ql
 ql/swift/ql/src/queries/Security/CWE-312/CleartextStoragePreferences.ql
-ql/swift/ql/src/queries/Security/CWE-321/HardcodedEncryptionKey.ql
 ql/swift/ql/src/queries/Security/CWE-327/ECBEncryption.ql
 ql/swift/ql/src/queries/Security/CWE-328/WeakPasswordHashing.ql
 ql/swift/ql/src/queries/Security/CWE-328/WeakSensitiveDataHashing.ql
diff --git a/swift/ql/integration-tests/posix/query-suite/swift-security-and-quality.qls.expected b/swift/ql/integration-tests/posix/query-suite/swift-security-and-quality.qls.expected
index 412d0816affc..f1d01d4d0658 100644
--- a/swift/ql/integration-tests/posix/query-suite/swift-security-and-quality.qls.expected
+++ b/swift/ql/integration-tests/posix/query-suite/swift-security-and-quality.qls.expected
@@ -15,12 +15,10 @@ ql/swift/ql/src/queries/Security/CWE-1204/StaticInitializationVector.ql
 ql/swift/ql/src/queries/Security/CWE-1333/ReDoS.ql
 ql/swift/ql/src/queries/Security/CWE-134/UncontrolledFormatString.ql
 ql/swift/ql/src/queries/Security/CWE-135/StringLengthConflation.ql
-ql/swift/ql/src/queries/Security/CWE-259/ConstantPassword.ql
 ql/swift/ql/src/queries/Security/CWE-311/CleartextStorageDatabase.ql
 ql/swift/ql/src/queries/Security/CWE-311/CleartextTransmission.ql
 ql/swift/ql/src/queries/Security/CWE-312/CleartextLogging.ql
 ql/swift/ql/src/queries/Security/CWE-312/CleartextStoragePreferences.ql
-ql/swift/ql/src/queries/Security/CWE-321/HardcodedEncryptionKey.ql
 ql/swift/ql/src/queries/Security/CWE-327/ECBEncryption.ql
 ql/swift/ql/src/queries/Security/CWE-328/WeakPasswordHashing.ql
 ql/swift/ql/src/queries/Security/CWE-328/WeakSensitiveDataHashing.ql
diff --git a/swift/ql/integration-tests/posix/query-suite/swift-security-extended.qls.expected b/swift/ql/integration-tests/posix/query-suite/swift-security-extended.qls.expected
index 412d0816affc..f1d01d4d0658 100644
--- a/swift/ql/integration-tests/posix/query-suite/swift-security-extended.qls.expected
+++ b/swift/ql/integration-tests/posix/query-suite/swift-security-extended.qls.expected
@@ -15,12 +15,10 @@ ql/swift/ql/src/queries/Security/CWE-1204/StaticInitializationVector.ql
 ql/swift/ql/src/queries/Security/CWE-1333/ReDoS.ql
 ql/swift/ql/src/queries/Security/CWE-134/UncontrolledFormatString.ql
 ql/swift/ql/src/queries/Security/CWE-135/StringLengthConflation.ql
-ql/swift/ql/src/queries/Security/CWE-259/ConstantPassword.ql
 ql/swift/ql/src/queries/Security/CWE-311/CleartextStorageDatabase.ql
 ql/swift/ql/src/queries/Security/CWE-311/CleartextTransmission.ql
 ql/swift/ql/src/queries/Security/CWE-312/CleartextLogging.ql
 ql/swift/ql/src/queries/Security/CWE-312/CleartextStoragePreferences.ql
-ql/swift/ql/src/queries/Security/CWE-321/HardcodedEncryptionKey.ql
 ql/swift/ql/src/queries/Security/CWE-327/ECBEncryption.ql
 ql/swift/ql/src/queries/Security/CWE-328/WeakPasswordHashing.ql
 ql/swift/ql/src/queries/Security/CWE-328/WeakSensitiveDataHashing.ql
From dabeddb62dc485ba5f73f55f3747b344ef366b9e Mon Sep 17 00:00:00 2001
From: Michael Nebel
Date: Fri, 16 May 2025 12:48:38 +0200
Subject: [PATCH 3/3] Add change-notes.
---
 .../ql/src/change-notes/2025-05-16-hardcoded-credentials.md | 4 ++++
 go/ql/src/change-notes/2025-05-16-hardcoded-credentials.md | 4 ++++
 java/ql/src/change-notes/2025-05-16-hardcoded-credentials.md | 4 ++++
 .../ql/src/change-notes/2025-05-16-hardcoded-credentials.md | 4 ++++
 .../ql/src/change-notes/2025-05-16-hardcoded-credentials.md | 4 ++++
 ruby/ql/src/change-notes/2025-05-16-hardcoded-credentials.md | 4 ++++
 swift/ql/src/change-notes/2025-05-16-hardcoded-credentials.md | 4 ++++
 7 files changed, 28 insertions(+)
 create mode 100644 csharp/ql/src/change-notes/2025-05-16-hardcoded-credentials.md
 create mode 100644 go/ql/src/change-notes/2025-05-16-hardcoded-credentials.md
 create mode 100644 java/ql/src/change-notes/2025-05-16-hardcoded-credentials.md
 create mode 100644 javascript/ql/src/change-notes/2025-05-16-hardcoded-credentials.md
 create mode 100644 python/ql/src/change-notes/2025-05-16-hardcoded-credentials.md
 create mode 100644 ruby/ql/src/change-notes/2025-05-16-hardcoded-credentials.md
 create mode 100644 swift/ql/src/change-notes/2025-05-16-hardcoded-credentials.md
diff --git a/csharp/ql/src/change-notes/2025-05-16-hardcoded-credentials.md b/csharp/ql/src/change-notes/2025-05-16-hardcoded-credentials.md
new file mode 100644
index 000000000000..6255db9c199f
--- /dev/null
+++ b/csharp/ql/src/change-notes/2025-05-16-hardcoded-credentials.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The queries `cs/password-in-configuration`, `cs/hardcoded-credentials` and `cs/hardcoded-connection-string-credentials` have been removed from all query suites.
diff --git a/go/ql/src/change-notes/2025-05-16-hardcoded-credentials.md b/go/ql/src/change-notes/2025-05-16-hardcoded-credentials.md
new file mode 100644
index 000000000000..b25a9b3d056b
--- /dev/null
+++ b/go/ql/src/change-notes/2025-05-16-hardcoded-credentials.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The query `go/hardcoded-credentials` has been removed from all query suites.
diff --git a/java/ql/src/change-notes/2025-05-16-hardcoded-credentials.md b/java/ql/src/change-notes/2025-05-16-hardcoded-credentials.md
new file mode 100644
index 000000000000..18340ca87745
--- /dev/null
+++ b/java/ql/src/change-notes/2025-05-16-hardcoded-credentials.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The query `java/hardcoded-credential-api-call` has been removed from all query suites.
diff --git a/javascript/ql/src/change-notes/2025-05-16-hardcoded-credentials.md b/javascript/ql/src/change-notes/2025-05-16-hardcoded-credentials.md
new file mode 100644
index 000000000000..99af2e2c448d
--- /dev/null
+++ b/javascript/ql/src/change-notes/2025-05-16-hardcoded-credentials.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The queries `js/hardcoded-credentials` and `js/password-in-configuration-file` have been removed from all query suites.
diff --git a/python/ql/src/change-notes/2025-05-16-hardcoded-credentials.md b/python/ql/src/change-notes/2025-05-16-hardcoded-credentials.md
new file mode 100644
index 000000000000..ee550ce449b0
--- /dev/null
+++ b/python/ql/src/change-notes/2025-05-16-hardcoded-credentials.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The query `py/hardcoded-credentials` has been removed from all query suites.
diff --git a/ruby/ql/src/change-notes/2025-05-16-hardcoded-credentials.md b/ruby/ql/src/change-notes/2025-05-16-hardcoded-credentials.md
new file mode 100644
index 000000000000..684b1b3ea78f
--- /dev/null
+++ b/ruby/ql/src/change-notes/2025-05-16-hardcoded-credentials.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The query `rb/hardcoded-credentials` has been removed from all query suites.
diff --git a/swift/ql/src/change-notes/2025-05-16-hardcoded-credentials.md b/swift/ql/src/change-notes/2025-05-16-hardcoded-credentials.md
new file mode 100644
index 000000000000..cc524d8c34da
--- /dev/null
+++ b/swift/ql/src/change-notes/2025-05-16-hardcoded-credentials.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The queries `swift/hardcoded-key` and `swift/constant-password` have been removed from all query suites.
