CodeQL library for Python
codeql/python-all 1.0.6 (changelog, source)

Predicate HeuristicNames::nameIndicatesSensitiveData

Holds if the string name may indicate the presence of sensitive data, and does not also indicate that the data is in fact non-sensitive (for example because it has been hashed or encrypted). The classification argument describes the kind of sensitive data involved.

That is, one of the regexps from maybeSensitiveRegexp matches name (with the given classification), and none of the regexps from notSensitiveRegexp matches name.

When the set of names to check is large, it is worth using nameIndicatesSensitiveData/1 as a first pass: it combines all the regexps into one and should be faster. Then call this two-argument predicate on the names that survive to obtain their classification(s).

Import path

import semmle.python.security.internal.SensitiveDataHeuristics
predicate nameIndicatesSensitiveData(string name, SensitiveDataClassification classification)
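The query below applies the predicate to identifier names in a Python codebase, following the two-step pattern described above (filter with nameIndicatesSensitiveData/1 first, then retrieve the classification). It is an added example, not code from the CodeQL library or its documentation; it assumes the standard python library's Name AST class with its getId() member, and the toString() member of SensitiveDataClassification.

```ql
import python
import semmle.python.security.internal.SensitiveDataHeuristics

/**
 * First pass: keep only identifiers whose name matches the combined
 * sensitive-name regexp and is not excluded by the not-sensitive regexp.
 * Using the one-argument predicate here avoids evaluating the
 * per-classification regexps on every identifier in the database.
 */
predicate candidateName(string name) {
  exists(Name n | n.getId() = name) and
  HeuristicNames::nameIndicatesSensitiveData(name)
}

// Second pass: ask for the classification(s) of each surviving name.
// A name can match more than one classification, yielding several rows.
from Name n, SensitiveDataClassification c
where
  candidateName(n.getId()) and
  HeuristicNames::nameIndicatesSensitiveData(n.getId(), c)
select n, "The name '" + n.getId() + "' suggests " + c.toString() + " data."
```

Run it as a quick evaluation against a Python database to see which names the heuristics flag. Names that also match the exclusion regexp, such as a hashed or encrypted form of a value as the page notes, are dropped in the first pass and never reach the classification step, so a result set that looks too small is usually the exclusion doing its job rather than a missing regexp.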