How can I add additional sources and sinks to a predefined rule(QL)? #18830
Replies: 2 comments
-
You can extend the abstract class:

```ql
/**
 * @name Insertion of sensitive information into log files
 * @description Writing sensitive information to log files can allow that
 *              information to be leaked to an attacker more easily.
 * @kind path-problem
 * @problem.severity warning
 * @security-severity 7.5
 * @precision medium
 * @id java/sensitive-log-customised
 * @tags security
 *       external/cwe/cwe-532
 */

import java
import semmle.code.java.security.SensitiveLoggingQuery
import SensitiveLoggerFlow::PathGraph

/** An additional source for the sensitive-logging query. */
class MySource extends SensitiveLoggerSource {
  MySource() {
    // Characterise your source dataflow node, e.g.
    // this.asExpr().(MethodCall).getMethod().hasQualifiedName(...)
  }
}

from SensitiveLoggerFlow::PathNode source, SensitiveLoggerFlow::PathNode sink
where SensitiveLoggerFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "This $@ is written to a log file.", source.getNode(),
  "potentially sensitive information"
```

Alternatively you can insert an extension of

If you want to use such a Customizations.qll in the context of a codeql-action run then you'll need to create a custom bundle: see https://github.com/advanced-security/codeql-bundle-action?tab=readme-ov-file#customizations
-
Thank you for the answer! It works!
-
For example, the SensitiveLoggingQuery only tracks very few sensitive variables:
codeql/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll, line 55 at fe34aa3
If I want to add more sensitive variables, how can I do it?
I can definitely create a new data flow analysis rule. But I want to know if there is a simpler way to achieve the same.