Swift: Upgrade SecKeyCopyExternalRepresentation source to be considered a password / key rather than a miscellaneous credential.

geoffw0 · geoffw0 · commit 22ed20dd7c29 · 2023-12-14T18:04:34.000Z
diff --git a/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Security.qll b/swift/ql/lib/codeql/swift/frameworks/StandardLibrary/Security.qll
@@ -8,6 +8,6 @@ private import codeql.swift.dataflow.ExternalFlow
 
 private class SensitiveSources extends SourceModelCsv {
   override predicate row(string row) {
-    row = ";;false;SecKeyCopyExternalRepresentation(_:_:);;;ReturnValue;sensitive-credential"
+    row = ";;false;SecKeyCopyExternalRepresentation(_:_:);;;ReturnValue;sensitive-password"
   }
 }
diff --git a/swift/ql/test/query-tests/Security/CWE-311/SensitiveExprs.expected b/swift/ql/test/query-tests/Security/CWE-311/SensitiveExprs.expected
@@ -175,4 +175,4 @@
 | testURL.swift:73:52:73:67 | call to get_secret_key() | label:get_secret_key, type:credential |
 | testURL.swift:75:53:75:69 | call to get_cert_string() | label:get_cert_string, type:credential |
 | testURL.swift:96:51:96:51 | certificate | label:certificate, type:credential |
-| testURL.swift:104:16:104:57 | call to SecKeyCopyExternalRepresentation(_:_:) | label:credential, type:credential |
+| testURL.swift:104:16:104:57 | call to SecKeyCopyExternalRepresentation(_:_:) | label:password, type:password |

Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,6 @@ private import codeql.swift.dataflow.ExternalFlow`
`8`	`8`
`9`	`9`	`private class SensitiveSources extends SourceModelCsv {`
`10`	`10`	`override predicate row(string row) {`
`11`		`- row = ";;false;SecKeyCopyExternalRepresentation(_:_:);;;ReturnValue;sensitive-credential"`
	`11`	`+ row = ";;false;SecKeyCopyExternalRepresentation(_:_:);;;ReturnValue;sensitive-password"`
`12`	`12`	`}`
`13`	`13`	`}`