Python: Handle _ in sensitive-data-sources

Author: RasmusWL

python/ql/lib/semmle/python/security/internal/SensitiveDataHeuristics.qll

@@ -50,7 +50,7 @@ module HeuristicNames {
    * Gets a regular expression that identifies strings that may indicate the presence of secret
    * or trusted data.
    */
-  string maybeSecret() { result = "(?is).*((?<!is)secret|(?<!un|is)trusted).*" }
+  string maybeSecret() { result = "(?is).*((?<!is|is_)secret|(?<!un|un_|is|is_)trusted).*" }
 
   /**
    * Gets a regular expression that identifies strings that may indicate the presence of

python/ql/test/experimental/dataflow/sensitive-data/test.py

@@ -39,7 +39,7 @@ def encrypt_password(pwd):
 
 # some prefixes makes us ignore it as a source
 not_found.isSecret
-not_found.is_secret # $ SPURIOUS: SensitiveDataSource=secret
+not_found.is_secret
 
 def my_func(non_sensitive_name):
     x = non_sensitive_name()