Merge pull request #20024 from geoffw0/moresensitive2

Shared: Improve sensitive data heuristics

Author: geoffw0

javascript/ql/lib/change-notes/2025-07-11-sensitive-data-heuristics.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The regular expressions in `SensitiveDataHeuristics.qll` have been extended to find more instances of sensitive data such as secrets used in authentication, finance and health information, and device data. The heuristics have also been refined to find fewer false positive matches. This will improve results for queries related to sensitive information.

python/ql/lib/change-notes/2025-07-11-sensitive-data-heuristics.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The regular expressions in `SensitiveDataHeuristics.qll` have been extended to find more instances of sensitive data such as secrets used in authentication, finance and health information, and device data. The heuristics have also been refined to find fewer false positive matches. This will improve results for queries related to sensitive information.

ruby/ql/lib/change-notes/2025-07-11-sensitive-data-heuristics.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The regular expressions in `SensitiveDataHeuristics.qll` have been extended to find more instances of sensitive data such as secrets used in authentication, finance and health information, and device data. The heuristics have also been refined to find fewer false positive matches. This will improve results for queries related to sensitive information.

rust/ql/lib/change-notes/2025-07-11-sensitive-data-heuristics.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The regular expressions in `SensitiveDataHeuristics.qll` have been extended to find more instances of sensitive data such as secrets used in authentication, finance and health information, and device data. The heuristics have also been refined to find fewer false positive matches. This will improve results for queries related to sensitive information.

rust/ql/test/library-tests/sensitivedata/CONSISTENCY/PathResolutionConsistency.expected

@@ -1,29 +1,29 @@
 multipleCallTargets
-| test.rs:55:7:55:26 | ... .as_str() |
-| test.rs:56:7:56:21 | ... .as_str() |
-| test.rs:72:7:72:26 | ... .as_str() |
-| test.rs:73:7:73:36 | ... .as_str() |
-| test.rs:74:7:74:34 | ... .as_str() |
-| test.rs:75:7:75:27 | ... .as_str() |
-| test.rs:258:7:258:36 | ... .as_str() |
-| test.rs:260:7:260:33 | ... .as_str() |
-| test.rs:261:7:261:36 | ... .as_str() |
-| test.rs:262:7:262:26 | ... .as_str() |
-| test.rs:266:7:266:28 | ... .as_str() |
-| test.rs:267:7:267:37 | ... .as_str() |
-| test.rs:268:7:268:36 | ... .as_str() |
-| test.rs:271:7:271:32 | ... .as_str() |
-| test.rs:281:7:281:34 | ... .as_str() |
-| test.rs:284:7:284:36 | ... .as_str() |
-| test.rs:288:7:288:39 | ... .as_str() |
-| test.rs:295:7:295:53 | ... .as_str() |
-| test.rs:296:7:296:45 | ... .as_str() |
-| test.rs:298:7:298:39 | ... .as_str() |
-| test.rs:299:7:299:34 | ... .as_str() |
-| test.rs:300:7:300:42 | ... .as_str() |
-| test.rs:302:7:302:48 | ... .as_str() |
-| test.rs:303:7:303:35 | ... .as_str() |
-| test.rs:304:7:304:35 | ... .as_str() |
-| test.rs:313:8:313:19 | num.as_str() |
-| test.rs:324:8:324:19 | num.as_str() |
-| test.rs:343:7:343:39 | ... .as_str() |
+| test.rs:56:7:56:26 | ... .as_str() |
+| test.rs:57:7:57:21 | ... .as_str() |
+| test.rs:73:7:73:26 | ... .as_str() |
+| test.rs:74:7:74:36 | ... .as_str() |
+| test.rs:75:7:75:34 | ... .as_str() |
+| test.rs:76:7:76:27 | ... .as_str() |
+| test.rs:262:7:262:36 | ... .as_str() |
+| test.rs:264:7:264:33 | ... .as_str() |
+| test.rs:265:7:265:36 | ... .as_str() |
+| test.rs:266:7:266:26 | ... .as_str() |
+| test.rs:270:7:270:28 | ... .as_str() |
+| test.rs:271:7:271:37 | ... .as_str() |
+| test.rs:272:7:272:36 | ... .as_str() |
+| test.rs:275:7:275:32 | ... .as_str() |
+| test.rs:285:7:285:34 | ... .as_str() |
+| test.rs:288:7:288:36 | ... .as_str() |
+| test.rs:292:7:292:39 | ... .as_str() |
+| test.rs:299:7:299:53 | ... .as_str() |
+| test.rs:300:7:300:45 | ... .as_str() |
+| test.rs:302:7:302:39 | ... .as_str() |
+| test.rs:303:7:303:34 | ... .as_str() |
+| test.rs:304:7:304:42 | ... .as_str() |
+| test.rs:306:7:306:48 | ... .as_str() |
+| test.rs:307:7:307:35 | ... .as_str() |
+| test.rs:308:7:308:35 | ... .as_str() |
+| test.rs:317:8:317:19 | num.as_str() |
+| test.rs:328:8:328:19 | num.as_str() |
+| test.rs:347:7:347:39 | ... .as_str() |

rust/ql/test/library-tests/sensitivedata/test.rs

@@ -23,7 +23,7 @@ impl MyStruct {
 fn get_password() -> String { get_string() }
 
 fn test_passwords(
-	password: &str, pass_word: &str, passwd: &str, my_password: &str, password_str: &str,
+	password: &str, pass_word: &str, passwd: &str, my_password: &str, password_str: &str, password_confirmation: &str,
 	pass_phrase: &str, passphrase: &str, passPhrase: &str, backup_code: &str,
 	auth_key: &str, authkey: &str, authKey: &str, authentication_key: &str, authenticationkey: &str, authenticationKey: &str, oauth: &str,
 	one_time_code: &str,
@@ -37,6 +37,7 @@ fn test_passwords(
 	sink(passwd); // $ sensitive=password
 	sink(my_password); // $ sensitive=password
 	sink(password_str); // $ sensitive=password
+	sink(password_confirmation); // $ sensitive=password
 	sink(pass_phrase); // $ sensitive=password
 	sink(passphrase); // $ sensitive=password
 	sink(passPhrase); // $ sensitive=password
@@ -48,12 +49,12 @@ fn test_passwords(
 	sink(authentication_key); // $ sensitive=password
 	sink(authenticationkey); // $ sensitive=password
 	sink(authenticationKey); // $ sensitive=password
-	sink(oauth); // $ MISSING: sensitive=password
+	sink(oauth); // $ sensitive=password
 	sink(one_time_code); // $ MISSING: sensitive=password
 
 	sink(ms); // $ MISSING: sensitive=password
 	sink(ms.password.as_str()); // $ sensitive=password
-	sink(ms.mfa.as_str()); // $ MISSING: sensitive=password
+	sink(ms.mfa.as_str()); // $ sensitive=password
 
 	sink(get_password()); // $ sensitive=password
 	let password2 = get_string();
@@ -67,10 +68,10 @@ fn test_passwords(
 	sink(harmless);
 	sink(encrypted_password);
 	sink(password_hash);
-	sink(passwordFile); // $ SPURIOUS: sensitive=password
+	sink(passwordFile);
 
 	sink(ms.harmless.as_str());
-	sink(ms.password_file_path.as_str()); // $ SPURIOUS: sensitive=password
+	sink(ms.password_file_path.as_str());
 	sink(ms.password_enabled.as_str()); // $ SPURIOUS: sensitive=password
 	sink(ms.numfailed.as_str());
 
@@ -127,11 +128,11 @@ fn test_credentials(
 
 	sink(hashkey);
 	sink(hash_key);
-	sink(sessionkeypath); // $ SPURIOUS: sensitive=id
-	sink(account_key_path); // $ SPURIOUS: sensitive=id
+	sink(sessionkeypath);
+	sink(account_key_path);
 
-	sink(ms.get_certificate_url()); // $ SPURIOUS: sensitive=certificate
-	sink(ms.get_certificate_file()); // $ SPURIOUS: sensitive=certificate
+	sink(ms.get_certificate_url());
+	sink(ms.get_certificate_file());
 
 	sink(get_public_key());
 	sink(get_next_token());
@@ -160,16 +161,19 @@ impl DeviceInfo {
 	fn test_device_info(&self, other: &DeviceInfo) {
 		// private device info
 
-		sink(&self.api_key); // $ MISSING: sensitive=id
-		sink(&other.api_key); // $ MISSING: sensitive=id
-		sink(&self.deviceApiToken); // $ MISSING: sensitive=id
-		sink(&self.finger_print); // $ MISSING: sensitive=id
-		sink(&self.ip_address); // $ MISSING: sensitive=id
-		sink(self.macaddr12); // $ MISSING: sensitive=id
-		sink(&self.mac_addr); // $ MISSING: sensitive=id
-		sink(self.mac_addr.values); // $ MISSING: sensitive=id
-		sink(self.mac_addr.values[0]); // $ MISSING: sensitive=id
-		sink(&self.networkMacAddress); // $ MISSING: sensitive=id
+		sink(&self.api_key); // $ sensitive=password
+		sink(&other.api_key); // $ sensitive=password
+		sink(&self.deviceApiToken); // $ sensitive=password
+		sink(self.macaddr12); // $ sensitive=private
+		sink(&self.mac_addr); // $ sensitive=private
+		sink(self.mac_addr.values); // $ sensitive=private
+		sink(self.mac_addr.values[0]); // $ sensitive=private
+		sink(&self.networkMacAddress); // $ sensitive=private
+
+		// dubious (may or may not be private device info, depending on context)
+
+		sink(&self.finger_print);
+		sink(&self.ip_address);
 
 		// not private device info
 
@@ -267,26 +271,26 @@ fn test_private_info(
 	sink(info.emergency_contact.as_str()); // $ sensitive=private
 	sink(info.name_of_employer.as_str()); // $ sensitive=private
 
-	sink(&info.gender); // $ MISSING: sensitive=private
-	sink(info.genderString.as_str()); // $ MISSING: sensitive=private
+	sink(&info.gender); // $ sensitive=private
+	sink(info.genderString.as_str()); // $ sensitive=private
 	let sex = "Male";
 	let gender = Gender::Female;
 	let a = Gender::Female;
-	sink(sex); // $ MISSING: sensitive=private
-	sink(gender); // $ MISSING: sensitive=private
+	sink(sex); // $ sensitive=private
+	sink(gender); // $ sensitive=private
 	sink(a); // $ MISSING: sensitive=private
 
-	sink(info.patient_id); // $ MISSING: sensitive=private
-	sink(info.linkedPatientId); // $ MISSING: sensitive=private
-	sink(info.patient_record.as_str()); // $ MISSING: sensitive=private
-	sink(info.patient_record.trim()); // $ MISSING: sensitive=private
+	sink(info.patient_id); // $ sensitive=private
+	sink(info.linkedPatientId); // $ sensitive=private
+	sink(info.patient_record.as_str()); // $ sensitive=private
+	sink(info.patient_record.trim()); // $ sensitive=private
 	sink(&info.medical_notes); // $ sensitive=private
 	sink(info.medical_notes[0].as_str()); // $ sensitive=private
 	for n in info.medical_notes.iter() {
 		sink(n.as_str()); // $ MISSING: sensitive=private
 	}
-	sink(info.confidentialMessage.as_str()); // $ MISSING: sensitive=private
-	sink(info.confidentialMessage.to_lowercase()); // $ MISSING: sensitive=private
+	sink(info.confidentialMessage.as_str()); // $ sensitive=secret
+	sink(info.confidentialMessage.to_lowercase()); // $ sensitive=secret
 
 	sink(info.latitude); // $ sensitive=private
 	let x = info.longitude.unwrap();
@@ -296,12 +300,12 @@ fn test_private_info(
 	sink(info.financials.credit_card_no.as_str()); // $ sensitive=private
 	sink(info.financials.credit_rating); // $ sensitive=private
 	sink(info.financials.user_ccn.as_str()); // $ sensitive=private
-	sink(info.financials.cvv.as_str()); // $ MISSING: sensitive=private
-	sink(info.financials.beneficiary.as_str()); // $ MISSING: sensitive=private
-	sink(info.financials.routing_number); // $ MISSING: sensitive=private
-	sink(info.financials.routingNumberText.as_str()); // $ MISSING: sensitive=private
-	sink(info.financials.iban.as_str()); // $ MISSING: sensitive=private
-	sink(info.financials.iBAN.as_str()); // $ MISSING: sensitive=private
+	sink(info.financials.cvv.as_str()); // $ sensitive=private
+	sink(info.financials.beneficiary.as_str()); // $ sensitive=private
+	sink(info.financials.routing_number); // $ sensitive=private
+	sink(info.financials.routingNumberText.as_str()); // $ sensitive=private
+	sink(info.financials.iban.as_str()); // $ sensitive=private
+	sink(info.financials.iBAN.as_str()); // $ sensitive=private
 
 	sink(ContactDetails::HomePhoneNumber("123".to_string())); // $ sensitive=private
 	sink(ContactDetails::MobileNumber("123".to_string())); // $ sensitive=private
@@ -343,8 +347,8 @@ fn test_private_info(
 	sink(info.financials.harmless.as_str());
 	sink(info.financials.num_accounts); // $ SPURIOUS: sensitive=id
 	sink(info.financials.total_accounts); // $ SPURIOUS: sensitive=id
-	sink(info.financials.accounting); // $ SPURIOUS: sensitive=id
-	sink(info.financials.unaccounted); // $ SPURIOUS: sensitive=id
+	sink(info.financials.accounting);
+	sink(info.financials.unaccounted);
 	sink(info.financials.multiband);
 
 	sink(ContactDetails::FavouriteColor("blue".to_string()));
@@ -362,5 +366,5 @@ impl MyArray {
 
 fn test_iterator() {
 	let iter = std::iter::repeat(1).take(10);
-	sink(MyArray::from_trusted_iterator(iter)); // $ SPURIOUS: sensitive=secret
+	sink(MyArray::from_trusted_iterator(iter));
 }

shared/concepts/codeql/concepts/internal/SensitiveDataHeuristics.qll

@@ -56,15 +56,16 @@ module HeuristicNames {
    * Gets a regular expression that identifies strings that may indicate the presence of secret
    * or trusted data.
    */
-  string maybeSecret() { result = "(?is).*((?<!is|is_)secret|(?<!un|un_|is|is_)trusted).*" }
+  string maybeSecret() {
+    result = "(?is).*((?<!is|is_)secret|(?<!un|un_|is|is_)trusted(?!_iter)|confidential).*"
+  }
 
   /**
    * Gets a regular expression that identifies strings that may indicate the presence of
    * user names or other account information.
    */
   string maybeAccountInfo() {
-    result = "(?is).*acc(ou)?nt.*" or
-    result = "(?is).*(puid|user.?name|user.?id|session.?(id|key)).*" or
+    result = "(?is).*(acc(ou)?nt|puid|user.?(name|id)|session.?(id|key)).*" or
     result = "(?s).*([uU]|^|_|[a-z](?=U))([uU][iI][dD]).*"
   }
 
@@ -73,8 +74,9 @@ module HeuristicNames {
    * a password or an authorization key.
    */
   string maybePassword() {
-    result = "(?is).*pass(wd|word|code|.?phrase)(?!.*question).*" or
-    result = "(?is).*(auth(entication|ori[sz]ation)?).?key.*"
+    result =
+      "(?is).*(pass(wd|word|code|.?phrase)(?!.*question)|(auth(entication|ori[sz]ation)?).?key|oauth|"
+        + "api.?(key|token)|([_-]|\\b)mfa([_-]|\\b)).*"
   }
 
   /**
@@ -90,7 +92,7 @@ module HeuristicNames {
   string maybePrivate() {
     result =
       "(?is).*(" +
-        // Inspired by the list on https://cwe.mitre.org/data/definitions/359.html
+        // Inspired by multiple sources including the list on https://cwe.mitre.org/data/definitions/359.html
         // Government identifiers, such as Social Security Numbers
         "social.?security|employer.?identification|national.?insurance|resident.?id|" +
         "passport.?(num|no)|([_-]|\\b)ssn([_-]|\\b)|" +
@@ -102,17 +104,19 @@ module HeuristicNames {
         // Geographic location - where the user is (or was)
         "latitude|longitude|nationality|" +
         // Financial data - such as credit card numbers, salary, bank accounts, and debts
-        "(credit|debit|bank|visa).?(card|num|no|acc(ou)?nt)|acc(ou)?nt.?(no|num|credit)|" +
-        "salary|billing|credit.?(rating|score)|([_-]|\\b)ccn([_-]|\\b)|" +
+        "(credit|debit|bank|visa).?(card|num|no|acc(ou)?nt)|acc(ou)?nt.?(no|num|credit)|routing.?num|"
+        + "salary|billing|beneficiary|credit.?(rating|score)|([_-]|\\b)(ccn|cvv|iban)([_-]|\\b)|" +
         // Communications - e-mail addresses, private e-mail messages, SMS text messages, chat logs, etc.
         // "e(mail|_mail)|" + // this seems too noisy
         // Health - medical conditions, insurance status, prescription records
-        "birth.?da(te|y)|da(te|y).?(of.?)?birth|" +
-        "medical|(health|care).?plan|healthkit|appointment|prescription|" +
+        "birth.?da(te|y)|da(te|y).?(of.?)?birth|gender|([_-]|\\b)sex([_-]|\\b)|" +
+        "medical|(health|care).?plan|healthkit|appointment|prescription|patient.?(id|record)|" +
         "blood.?(type|alcohol|glucose|pressure)|heart.?(rate|rhythm)|body.?(mass|fat)|" +
         "menstrua|pregnan|insulin|inhaler|" +
         // Relationships - work and family
-        "employ(er|ee)|spouse|maiden.?name" +
+        "employ(er|ee)|spouse|maiden.?name|" +
+        // Device information
+        "mac.?addr" +
         // ---
         ").*"
   }
@@ -146,7 +150,8 @@ module HeuristicNames {
    */
   string notSensitiveRegexp() {
     result =
-      "(?is).*([^\\w$.-]|redact|censor|obfuscate|hash|md5|sha|random|((?<!un)(en))?(crypt|(?<!pass)code)|certain|concert|secretar|accountant|accountab).*"
+      "(?is).*([^\\w$.-]|redact|censor|obfuscate|hash|md5|sha|random|((?<!un)(en))?(crypt|(?<!pass)code)|"
+        + "certain|concert|secretar|account(ant|ab|ing|ed)|file|path|([_-]|\\b)url).*"
   }
 
   /**

swift/ql/lib/change-notes/2025-07-11-sensitive-data-heuristics.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The regular expressions in `SensitiveDataHeuristics.qll` have been extended to find more instances of sensitive data such as secrets used in authentication, finance and health information, and device data. The heuristics have also been refined to find fewer false positive matches. This will improve results for queries related to sensitive information.