Shared: Improve sensitive data heuristics

[geoffw0]

Improve sensitive data heuristics, by adding new matching heuristics and new exclusions. This is very, very loosely based on an initial version by Copilot, though I had to cut or refine the majority of those suggestions to get good results (testing with Rust).

I will start DCA runs on all affected languages. I do anticipate some further refinements may be required as common patterns vary slightly between languages.

• check DCA (Javascript).
• check DCA (Python).
• check DCA (Ruby).
• check DCA (Rust).
• check DCA (Swift).
• add change notes.

There are three things I'd like opinions about:

• are you happy with the changes to heuristics in this PR?
• would you be happy if I made a follow-up PR enabling the e(mail|_mail) heuristic? Its labelled with a comment "seems too noisy", but I don't understand what motivated that - it always worked very well in my tests (Swift + Rust).
• would you be happy if I made a follow-up disabling or narrowing the uid heuristic (([uU]|^|_|[a-z](?=U))([uU][iI][dD]))? I believe its responsible for a lot of false positive results because UID might stand for "User ID" (likely sensitive) or just "Unique ID" (which may or may not be sensitive, often they aren't). What are your experiences? (@andersfugmann FYI as we discussed this recently)

[Copilot]

Pull Request Overview

This PR improves sensitive data heuristics across multiple programming languages by enhancing the regular expressions used to identify sensitive data patterns. The changes add new matching patterns for various types of sensitive information while also improving exclusions to reduce false positives.

• Expands detection patterns for authentication data (oauth, api keys, mfa), financial information (cvv, iban, routing numbers), health data (gender, patient records), and device information (IP addresses, MAC addresses, fingerprints)
• Adds "confidential" to secret detection patterns and improves the trusted pattern exclusion
• Enhances exclusion patterns to reduce false positives for file paths, URLs, and accounting-related terms

Reviewed Changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
swift/ql/lib/codeql/swift/security/internal/SensitiveDataHeuristics.qll	Updates sensitive data detection patterns for Swift
rust/ql/lib/codeql/rust/security/internal/SensitiveDataHeuristics.qll	Updates sensitive data detection patterns for Rust
ruby/ql/lib/codeql/ruby/security/internal/SensitiveDataHeuristics.qll	Updates sensitive data detection patterns for Ruby
python/ql/lib/semmle/python/security/internal/SensitiveDataHeuristics.qll	Updates sensitive data detection patterns for Python
javascript/ql/lib/semmle/javascript/security/internal/SensitiveDataHeuristics.qll	Updates sensitive data detection patterns for JavaScript
rust/ql/test/library-tests/sensitivedata/test.rs	Updates test expectations to reflect improved heuristics

[geoffw0]

Based on DCA results across all affected languages I think I'm going to:

• remove the new pattern ip.?addr (too often the matched value is an external "public" IP address, not our own or a users that might be considered identifying information). ✅
• remove the new pattern finger.?print (sometimes this is a fingerprint identifying our machine (or credit card!), but often it's just a hash of some impersonal data). ✅
• allow a bit of time for your feedback / change requests.
• re-run DCA on all languages.

[aschackmull]

I have no strong opinions on the changes to the heuristics - if the changes are tested and seem to improve things, then I'm all 👍 .
I do have a couple of high-level comments that you may take or leave:

• Would you consider changing this from a pyrameterized file to a properly shared library?
• Would you consider enabling the shared heuristics for the remaining languages as well? I know Java has some existing heuristics, and C# probably does as well - it would be nice to get the changes tested for all languages.

[jketema]

Would you consider changing this from a pyrameterized file to a properly shared library?

#19984 does slightly more, but I'm not sure how to judge the DCA results (which is why it's in draft; happy to open it up for review).

[geoffw0]

#19984 does slightly more, but I'm not sure how to judge the DCA results (which is why it's in draft; happy to open it up for review).

I'll take a look...

Would you consider enabling the shared heuristics for the remaining languages as well?

I would love to, I'll raise the idea in Q2 planning.

[joefarebrother]

would you be happy if I made a follow-up PR enabling the e(mail|_mail) heuristic? Its labelled with a comment "seems too noisy", but I don't understand what motivated that - it always worked very well in my tests (Swift + Rust).

I think the main motivation there was in the context of "sensitive data stored unencrypted / in plaintext" queries
where it seemed odd to alert for that for emails (but was sensible for some other categories of "private data" considered there)

but feel free to enable it if you're happy with the results

[geoffw0]

Ah that's helpful context - I think I will try enabling the e-mail heuristic in a separate follow-up PR, but pay very close attention to results on the sensitive data storage queries. It won't be too much effort lost if it doesn't work out.

[geoffw0]

Merged in latest main (and fixed merge conflicts as SensitiveDataHeuristics.qll is now a shared file). I'm hoping to get this merged soon.

[aibaars]

Changes look good to me. A bit curious about _iter suffix though.

[aibaars]

What is the reason for adding (?!_iter) ?

[geoffw0]

In Rust there are library methods called from_trusted_iterator, where "trusted" means it's trusted not to overrun the container (or something along those lines), not anything to do with secret or confidential data. There's actually quite a lot of flow from those calls to sinks, i.e. it's causing a good number of false positive results, not to mention wobble in nightly DCA runs. So the exclusion is a bit specific, but I'm very keen to add it.

There is a test case sink(MyArray::from_trusted_iterator(iter)); that resembles (simplified) what we see in the wild.

[aibaars]

Ah makes sense, thanks for clarifying.