Java: move EncryptedSensitiveMethodCall into Sanitizers.qll

MarkLee131 · MarkLee131 · commit 51e2a5418b75 · 2026-04-29T20:56:36.000+08:00
Address review feedback by moving the shared method-name-based encryption/hash/digest
check into Sanitizers.qll, and reference it from both CleartextStorageQuery.qll and
SensitiveLoggingQuery.qll instead of duplicating the definition.
diff --git a/java/ql/lib/semmle/code/java/security/CleartextStorageQuery.qll b/java/ql/lib/semmle/code/java/security/CleartextStorageQuery.qll
@@ -2,6 +2,7 @@
 
 import java
 private import semmle.code.java.dataflow.TaintTracking
+private import semmle.code.java.security.Sanitizers
 private import semmle.code.java.security.SensitiveActions
 
 /** A sink representing persistent storage that saves data in clear text. */
@@ -76,17 +77,6 @@ private class DefaultCleartextStorageSanitizer extends CleartextStorageSanitizer
   }
 }
 
-/**
- * Method call for encrypting sensitive information. As there are various implementations of
- * encryption (reversible and non-reversible) from both JDK and third parties, this class simply
- * checks method name to take a best guess to reduce false positives.
- */
-private class EncryptedSensitiveMethodCall extends MethodCall {
-  EncryptedSensitiveMethodCall() {
-    this.getMethod().getName().toLowerCase().matches(["%encrypt%", "%hash%", "%digest%"])
-  }
-}
-
 /** Flow configuration for encryption methods flowing to inputs of persistent storage. */
 private module EncryptedValueFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { src.asExpr() instanceof EncryptedSensitiveMethodCall }
diff --git a/java/ql/lib/semmle/code/java/security/Sanitizers.qll b/java/ql/lib/semmle/code/java/security/Sanitizers.qll
@@ -63,3 +63,14 @@ class RegexpCheckBarrier extends DataFlow::Node {
     exists(RegexMatch rm | rm instanceof Annotation | this.asExpr() = rm.getString())
   }
 }
+
+/**
+ * A method call for encrypting, hashing, or digesting sensitive information. As there are various
+ * implementations of encryption (reversible and non-reversible) from both JDK and third parties,
+ * this class simply checks the method name to take a best guess to reduce false positives.
+ */
+class EncryptedSensitiveMethodCall extends MethodCall {
+  EncryptedSensitiveMethodCall() {
+    this.getMethod().getName().toLowerCase().matches(["%encrypt%", "%hash%", "%digest%"])
+  }
+}
diff --git a/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll b/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll
@@ -125,12 +125,7 @@ private class DefaultSensitiveLoggerBarrier extends SensitiveLoggerBarrier {
  * This is consistent with the treatment of encryption in `CleartextStorageQuery.qll` (CWE-312).
  */
 private class EncryptionBarrier extends SensitiveLoggerBarrier {
-  EncryptionBarrier() {
-    exists(MethodCall mc |
-      this.asExpr() = mc and
-      mc.getMethod().getName().toLowerCase().matches(["%encrypt%", "%hash%", "%digest%"])
-    )
-  }
+  EncryptionBarrier() { this.asExpr() instanceof EncryptedSensitiveMethodCall }
 }
 
 /** A data-flow configuration for identifying potentially-sensitive data flowing to a log output. */
