Python tests: Fix up tests for CWE-312 to not use external locations.

Author: markshannon

python/ql/src/semmle/python/dataflow/Files.qll

@@ -0,0 +1,24 @@
+import python
+import semmle.python.security.TaintTracking
+
+class OpenFile extends TaintKind {
+
+    OpenFile() { this = "file.open" }
+
+    override string repr() { result = "an open file" }
+
+
+}
+
+
+class OpenFileSource extends TaintSource {
+
+    OpenFileSource() {
+        theOpenFunction().(FunctionObject).getACall() = this
+    }
+
+    override predicate isSourceOf(TaintKind kind) {
+        kind instanceof OpenFile
+    }
+
+}

python/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected

@@ -1,6 +1,8 @@
 edges
+| password_in_cookie.py:7:16:7:27 | dict of externally controlled string | password_in_cookie.py:7:16:7:43 | externally controlled string |
+| password_in_cookie.py:7:16:7:43 | a password | password_in_cookie.py:9:33:9:40 | a password |
+| password_in_cookie.py:7:16:7:43 | externally controlled string | password_in_cookie.py:9:33:9:40 | externally controlled string |
 | test.py:7:16:7:29 | a password | test.py:8:35:8:42 | a password |
-parents
 #select
-| test.py:8:35:8:42 | Taint sink | test.py:7:16:7:29 | a password | test.py:8:35:8:42 | a password | Sensitive data returned by $@ is stored here. | test.py:7:16:7:29 | Taint source | Call returning a password |
-| test.py:14:30:14:39 | Taint sink | test.py:14:30:14:39 | a certificate or key | test.py:14:30:14:39 | a certificate or key | Sensitive data returned by $@ is stored here. | test.py:14:30:14:39 | Taint source | Call returning a certificate or key |
+| test.py:8:35:8:42 | Taint sink | test.py:7:16:7:29 | a password | test.py:8:35:8:42 | a password | Sensitive data returned by $@ is stored here. | test.py:7:16:7:29 | Taint source | a call returning a password |
+| test.py:14:30:14:39 | Taint sink | test.py:14:30:14:39 | a certificate or key | test.py:14:30:14:39 | a certificate or key | Sensitive data returned by $@ is stored here. | test.py:14:30:14:39 | Taint source | a call returning a certificate or key |

python/ql/test/query-tests/Security/CWE-312/CleartextStorage.expected

@@ -1,11 +1,7 @@
 edges
-| file:///usr/lib/python3.6/keyword.py:65:10:65:34 | an open file | file:///usr/lib/python3.6/keyword.py:66:18:66:19 | an open file |
-| file:///usr/lib/python3.6/keyword.py:70:10:70:22 | an open file | file:///usr/lib/python3.6/keyword.py:73:21:73:22 | an open file |
-| file:///usr/lib/python3.6/keyword.py:90:10:90:39 | an open file | file:///usr/lib/python3.6/keyword.py:91:9:91:10 | an open file |
 | password_in_cookie.py:7:16:7:27 | dict of externally controlled string | password_in_cookie.py:7:16:7:43 | externally controlled string |
 | password_in_cookie.py:7:16:7:43 | a password | password_in_cookie.py:9:33:9:40 | a password |
 | password_in_cookie.py:7:16:7:43 | externally controlled string | password_in_cookie.py:9:33:9:40 | externally controlled string |
 | test.py:7:16:7:29 | a password | test.py:8:35:8:42 | a password |
-parents
 #select
 | password_in_cookie.py:9:33:9:40 | Taint sink | password_in_cookie.py:7:16:7:43 | a password | password_in_cookie.py:9:33:9:40 | a password | Sensitive data from $@ is stored here. | password_in_cookie.py:7:16:7:43 | Taint source | a request parameter containing a password |

python/ql/test/query-tests/Security/CWE-312/test.py

@@ -1,4 +1,4 @@
-import logging
+#Don't import logging; it transitively imports a lot of stuff
 
 def get_password():
     pass