Predicate HeuristicNames::nameIndicatesSensitiveData

Holds if name may indicate the presence of sensitive data, and name does not indicate that the data is in fact non-sensitive (for example since it is hashed or encrypted). classification describes the kind of sensitive data involved.

That is, one of the regexps from maybeSensitiveRegexp matches name (with the given classification), and none of the regexps from notSensitiveRegexp matches name.

When the set of names is large, it's worth using nameIndicatesSensitiveData/1 as a first pass, since that combines all the regexps into one, and should be faster. Then call this predicate to get the classification(s).

Import path
import semmle.python.security.internal.SensitiveDataHeuristics
predicate nameIndicatesSensitiveData(string name, SensitiveDataClassification classification)
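
The two-pass pattern described above, written as a query. This is an added example, not code from the CodeQL library; it assumes the names to test are the identifiers of Python Name expressions, taken with Name and getId() from the standard python library.

```ql
import python
import semmle.python.security.internal.SensitiveDataHeuristics

from Name n, string id, SensitiveDataClassification classification
where
  id = n.getId() and
  // First pass: nameIndicatesSensitiveData/1 applies the single combined regexp,
  // which cheaply discards the bulk of identifiers.
  HeuristicNames::nameIndicatesSensitiveData(id) and
  // Second pass: for the names that survive, recover the classification(s).
  // A name can match more than one classification, giving one row per match.
  HeuristicNames::nameIndicatesSensitiveData(id, classification)
select n, id, classification
```

Names that match a notSensitiveRegexp pattern, such as ones indicating hashed or encrypted data, are excluded by the predicate and produce no rows.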