Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Shared: Improve sensitive data heuristics#20024

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Open
geoffw0 wants to merge11 commits intogithub:main
base:main
Choose a base branch
Loading
fromgeoffw0:moresensitive2

Conversation

geoffw0
Copy link
Contributor

@geoffw0geoffw0 commentedJul 11, 2025
edited
Loading

Improve sensitive data heuristics, by adding new matching heuristics and new exclusions. This is very, very loosely based on an initial version by Copilot, though I had to cut or refine the majority of those suggestions to get good results (testing with Rust).

I will start DCA runs on all affected languages. I do anticipate some further refinements may be required as common patterns vary slightly between languages.

  • check DCA (Javascript).
  • check DCA (Python).
  • check DCA (Ruby).
  • check DCA (Rust).
  • check DCA (Swift).
  • add change notes.

There are three things I'd like opinions about:

  • are you happy with the changes to heuristics in this PR?
  • would you be happy if I made a follow-up PR enabling thee(mail|_mail) heuristic? Its labelled with a comment "seems too noisy", but I don't understand what motivated that - it always worked very well in my tests (Swift + Rust).
  • would you be happy if I made a follow-up disabling or narrowing theuid heuristic (([uU]|^|_|[a-z](?=U))([uU][iI][dD]))? I believe its responsible for a lot of false positive results because UID might stand for "User ID" (likely sensitive) or just "Unique ID" (which may or may not be sensitive, often they aren't). What are your experiences? (@andersfugmann FYI as we discussed this recently)

@CopilotCopilotAI review requested due to automatic review settingsJuly 11, 2025 09:12
@geoffw0geoffw0 requested review froma team ascode ownersJuly 11, 2025 09:12
@geoffw0geoffw0 added the Ruby labelJul 11, 2025
@geoffw0geoffw0 requested review froma team ascode ownersJuly 11, 2025 09:12
@geoffw0geoffw0 added RustPull requests that update Rust code Swift javascriptPull requests that update Javascript code labelsJul 11, 2025
Copy link
Contributor

@CopilotCopilotAI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Pull Request Overview

This PR improves sensitive data heuristics across multiple programming languages by enhancing the regular expressions used to identify sensitive data patterns. The changes add new matching patterns for various types of sensitive information while also improving exclusions to reduce false positives.

  • Expands detection patterns for authentication data (oauth, api keys, mfa), financial information (cvv, iban, routing numbers), health data (gender, patient records), and device information (IP addresses, MAC addresses, fingerprints)
  • Adds "confidential" to secret detection patterns and improves the trusted pattern exclusion
  • Enhances exclusion patterns to reduce false positives for file paths, URLs, and accounting-related terms

Reviewed Changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

Show a summary per file
FileDescription
swift/ql/lib/codeql/swift/security/internal/SensitiveDataHeuristics.qllUpdates sensitive data detection patterns for Swift
rust/ql/lib/codeql/rust/security/internal/SensitiveDataHeuristics.qllUpdates sensitive data detection patterns for Rust
ruby/ql/lib/codeql/ruby/security/internal/SensitiveDataHeuristics.qllUpdates sensitive data detection patterns for Ruby
python/ql/lib/semmle/python/security/internal/SensitiveDataHeuristics.qllUpdates sensitive data detection patterns for Python
javascript/ql/lib/semmle/javascript/security/internal/SensitiveDataHeuristics.qllUpdates sensitive data detection patterns for JavaScript
rust/ql/test/library-tests/sensitivedata/test.rsUpdates test expectations to reflect improved heuristics

@geoffw0
Copy link
ContributorAuthor

geoffw0 commentedJul 11, 2025
edited
Loading

Based on DCA results across all affected languages I think I'm going to:

  • remove the new patternip.?addr (too often the matched value is an external "public" IP address, not our own or a users that might be considered identifying information). ✅
  • remove the new patternfinger.?print (sometimes this is a fingerprint identifying our machine (or credit card!), but often it's just a hash of some impersonal data). ✅
  • allow a bit of time for your feedback / change requests.
  • re-run DCA on all languages.

@aschackmull
Copy link
Contributor

I have no strong opinions on the changes to the heuristics - if the changes are tested and seem to improve things, then I'm all 👍 .
I do have a couple of high-level comments that you may take or leave:

  • Would you consider changing this from a pyrameterized file to a properly shared library?
  • Would you consider enabling the shared heuristics for the remaining languages as well? I know Java has some existing heuristics, and C# probably does as well - it would be nice to get the changes tested forall languages.

@jketema
Copy link
Contributor

jketema commentedJul 16, 2025
edited
Loading

Would you consider changing this from a pyrameterized file to a properly shared library?

#19984 does slightly more, but I'm not sure how to judge the DCA results (which is why it's in draft; happy to open it up for review).

@geoffw0
Copy link
ContributorAuthor

#19984 does slightly more, but I'm not sure how to judge the DCA results (which is why it's in draft; happy to open it up for review).

I'll take a look...

Would you consider enabling the shared heuristics for the remaining languages as well?

I would love to, I'll raise the idea in Q2 planning.

@joefarebrother
Copy link
Contributor

would you be happy if I made a follow-up PR enabling the e(mail|_mail) heuristic? Its labelled with a comment "seems too noisy", but I don't understand what motivated that - it always worked very well in my tests (Swift + Rust).

I think the main motivation there was in the context of "sensitive data stored unencrypted / in plaintext" queries
where it seemed odd to alert for that for emails (but was sensible for some other categories of "private data" considered there)

but feel free to enable it if you're happy with the results

@geoffw0
Copy link
ContributorAuthor

Ah that's helpful context - I think I will try enabling the e-mail heuristic in a separate follow-up PR, but pay very close attention to results on the sensitive data storage queries. It won't be too much effort lost if it doesn't work out.

Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment
Reviewers

Copilot code reviewCopilotCopilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
documentationjavascriptPull requests that update Javascript codeJSPythonRubyRustPull requests that update Rust codeSwift
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

4 participants
@geoffw0@aschackmull@jketema@joefarebrother
[8]ページ先頭
©2009-2025 Movatter.jp