Shared: Fix and simplify the exclusion for 'encrypted' values.

geoffw0 · geoffw0 · commit 5ed78d1a4a34 · 2026-05-06T14:43:52.000+01:00
diff --git a/rust/ql/test/library-tests/sensitivedata/test.rs b/rust/ql/test/library-tests/sensitivedata/test.rs
@@ -42,8 +42,8 @@ fn test_passwords(
 	sink(password_str); // $ sensitive=password
 	sink(password_confirmation); // $ sensitive=password
 	sink(profile_password); // $ sensitive=password
-	sink(unencrypted_password); // $ MISSING: sensitive=password
-	sink(unencoded_password); // $ MISSING: sensitive=password
+	sink(unencrypted_password); // $ sensitive=password
+	sink(unencoded_password); // $ sensitive=password
 	sink(pass_phrase); // $ sensitive=password
 	sink(passphrase); // $ sensitive=password
 	sink(passPhrase); // $ sensitive=password
diff --git a/shared/concepts/codeql/concepts/internal/SensitiveDataHeuristics.qll b/shared/concepts/codeql/concepts/internal/SensitiveDataHeuristics.qll
@@ -150,7 +150,7 @@ module HeuristicNames {
    */
   string notSensitiveRegexp() {
     result =
-      "(?is).*([^\\w$.-]|redact|censor|obfuscate|hash|md5|sha|random|((?<!un)(en))?(crypt|(?<!pass)code)|"
+      "(?is).*([^\\w$.-]|redact|censor|obfuscate|hash|md5|sha|random|(?<!un)en(crypt|code)|"
         + "certain|concert|secretar|wildcard|coauthor|account(ant|ab|ing|ed)|(?<!pro)file|path|([_-]|\\b)url).*"
   }
 

Original file line number	Diff line number	Diff line change
`@@ -150,7 +150,7 @@ module HeuristicNames {`
`150`	`150`	`*/`
`151`	`151`	`string notSensitiveRegexp() {`
`152`	`152`	`result =`
`153`		`- "(?is).*([^\\w$.-]\|redact\|censor\|obfuscate\|hash\|md5\|sha\|random\|((?<!un)(en))?(crypt\|(?<!pass)code)\|"`
	`153`	`+ "(?is).*([^\\w$.-]\|redact\|censor\|obfuscate\|hash\|md5\|sha\|random\|(?<!un)en(crypt\|code)\|"`
`154`	`154`	`+ "certain\|concert\|secretar\|wildcard\|coauthor\|account(ant\|ab\|ing\|ed)\|(?<!pro)file\|path\|([_-]\|\\b)url).*"`
`155`	`155`	`}`
`156`	`156`