Python: Make py/hardcoded-credentials a path-problem

RasmusWL · RasmusWL · commit c5091f1ce79d · 2020-01-22T13:45:14.000+01:00
and stop using deprecated hasFlow
diff --git a/python/ql/src/Security/CWE-798/HardcodedCredentials.ql b/python/ql/src/Security/CWE-798/HardcodedCredentials.ql
@@ -1,7 +1,7 @@
 /**
  * @name Hard-coded credentials
  * @description Credentials are hard coded in the source code of the application.
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @precision medium
  * @id py/hardcoded-credentials
@@ -12,6 +12,7 @@
  */
 
 import python
+import semmle.python.security.Paths
 import semmle.python.security.TaintTracking
 import semmle.python.filters.Tests
 
@@ -155,9 +156,9 @@ class HardcodedCredentialsConfiguration extends TaintTracking::Configuration {
 
 
 
-from HardcodedCredentialsConfiguration config, TaintSource src, TaintSink sink
+from HardcodedCredentialsConfiguration config, TaintedPathSource src, TaintedPathSink sink
 
-where config.hasFlow(src, sink) and
-not any(TestScope test).contains(src.(ControlFlowNode).getNode())
+where config.hasFlowPath(src, sink) and
+not any(TestScope test).contains(src.getAstNode())
 
-select sink, "Use of hardcoded credentials from $@.", src, src.toString()
+select sink.getSink(), src, sink, "Use of $@.", src.getSource(), "hardcoded credentials"
diff --git a/python/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected b/python/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected
@@ -1,2 +1,8 @@
-| test.py:14:18:14:25 | Taint sink | Use of hardcoded credentials from $@. | test.py:5:12:5:24 | Taint source | Taint source |
-| test.py:15:18:15:25 | Taint sink | Use of hardcoded credentials from $@. | test.py:6:12:6:25 | Taint source | Taint source |
+edges
+| test.py:5:12:5:24 | hard coded value | test.py:14:18:14:25 | hard coded value |
+| test.py:5:12:5:24 | hard coded value | test.py:14:18:14:25 | hard coded value |
+| test.py:6:12:6:25 | hard coded value | test.py:15:18:15:25 | hard coded value |
+| test.py:6:12:6:25 | hard coded value | test.py:15:18:15:25 | hard coded value |
+#select
+| test.py:14:18:14:25 | USERNAME | test.py:5:12:5:24 | hard coded value | test.py:14:18:14:25 | hard coded value | Use of $@. | test.py:5:12:5:24 | Str | hardcoded credentials |
+| test.py:15:18:15:25 | PASSWORD | test.py:6:12:6:25 | hard coded value | test.py:15:18:15:25 | hard coded value | Use of $@. | test.py:6:12:6:25 | Str | hardcoded credentials |
