Swift: Effect of fixing string interpolation bug.

2023-09-21 16:50:36 +01:00 · 2023-09-21 16:50:36 +01:00 · 839b9635b9
--- a/swift/ql/test/query-tests/Security/CWE-311/CleartextStorageDatabase.expected
+++ b/swift/ql/test/query-tests/Security/CWE-311/CleartextStorageDatabase.expected
@ -8,8 +8,6 @@ edges
 | file://:0:0:0:0 | value | file://:0:0:0:0 | [post] self [value] |
 | sqlite3_c_api.swift:42:69:42:69 | medicalNotes | sqlite3_c_api.swift:46:27:46:27 | insertQuery |
 | sqlite3_c_api.swift:43:49:43:49 | medicalNotes | sqlite3_c_api.swift:47:27:47:27 | updateQuery |
-| sqlite3_c_api.swift:43:49:43:49 | medicalNotes | sqlite3_c_api.swift:48:27:48:27 | deleteQuery |
-| sqlite3_c_api.swift:43:49:43:49 | medicalNotes | sqlite3_c_api.swift:57:34:57:34 | id |
 | testCoreData2.swift:23:13:23:13 | value | file://:0:0:0:0 | value |
 | testCoreData2.swift:37:2:37:2 | [post] obj [myValue] | testCoreData2.swift:37:2:37:2 | [post] obj |
 | testCoreData2.swift:37:16:37:16 | bankAccountNo | testCoreData2.swift:37:2:37:2 | [post] obj [myValue] |
@ -205,8 +203,6 @@ nodes
 | sqlite3_c_api.swift:43:49:43:49 | medicalNotes | semmle.label | medicalNotes |
 | sqlite3_c_api.swift:46:27:46:27 | insertQuery | semmle.label | insertQuery |
 | sqlite3_c_api.swift:47:27:47:27 | updateQuery | semmle.label | updateQuery |
-| sqlite3_c_api.swift:48:27:48:27 | deleteQuery | semmle.label | deleteQuery |
-| sqlite3_c_api.swift:57:34:57:34 | id | semmle.label | id |
 | sqlite3_c_api.swift:58:36:58:36 | medicalNotes | semmle.label | medicalNotes |
 | testCoreData2.swift:23:13:23:13 | value | semmle.label | value |
 | testCoreData2.swift:37:2:37:2 | [post] obj | semmle.label | [post] obj |
@ -478,8 +474,6 @@ subpaths
 #select
 | sqlite3_c_api.swift:46:27:46:27 | insertQuery | sqlite3_c_api.swift:42:69:42:69 | medicalNotes | sqlite3_c_api.swift:46:27:46:27 | insertQuery | This operation stores 'insertQuery' in a database. It may contain unencrypted sensitive data from $@. | sqlite3_c_api.swift:42:69:42:69 | medicalNotes | medicalNotes |
 | sqlite3_c_api.swift:47:27:47:27 | updateQuery | sqlite3_c_api.swift:43:49:43:49 | medicalNotes | sqlite3_c_api.swift:47:27:47:27 | updateQuery | This operation stores 'updateQuery' in a database. It may contain unencrypted sensitive data from $@. | sqlite3_c_api.swift:43:49:43:49 | medicalNotes | medicalNotes |
-| sqlite3_c_api.swift:48:27:48:27 | deleteQuery | sqlite3_c_api.swift:43:49:43:49 | medicalNotes | sqlite3_c_api.swift:48:27:48:27 | deleteQuery | This operation stores 'deleteQuery' in a database. It may contain unencrypted sensitive data from $@. | sqlite3_c_api.swift:43:49:43:49 | medicalNotes | medicalNotes |
-| sqlite3_c_api.swift:57:34:57:34 | id | sqlite3_c_api.swift:43:49:43:49 | medicalNotes | sqlite3_c_api.swift:57:34:57:34 | id | This operation stores 'id' in a database. It may contain unencrypted sensitive data from $@. | sqlite3_c_api.swift:43:49:43:49 | medicalNotes | medicalNotes |
 | sqlite3_c_api.swift:58:36:58:36 | medicalNotes | sqlite3_c_api.swift:58:36:58:36 | medicalNotes | sqlite3_c_api.swift:58:36:58:36 | medicalNotes | This operation stores 'medicalNotes' in a database. It may contain unencrypted sensitive data from $@. | sqlite3_c_api.swift:58:36:58:36 | medicalNotes | medicalNotes |
 | testCoreData2.swift:37:2:37:2 | obj | testCoreData2.swift:37:16:37:16 | bankAccountNo | testCoreData2.swift:37:2:37:2 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:37:16:37:16 | bankAccountNo | bankAccountNo |
 | testCoreData2.swift:39:2:39:2 | obj | testCoreData2.swift:39:28:39:28 | bankAccountNo | testCoreData2.swift:39:2:39:2 | [post] obj | This operation stores 'obj' in a database. It may contain unencrypted sensitive data from $@. | testCoreData2.swift:39:28:39:28 | bankAccountNo | bankAccountNo |
--- a/swift/ql/test/query-tests/Security/CWE-311/sqlite3_c_api.swift
+++ b/swift/ql/test/query-tests/Security/CWE-311/sqlite3_c_api.swift
@ -45,7 +45,7 @@ func test_sqlite3_c_api(db: OpaquePointer?, id: Int32, medicalNotes: String) {

 	let _ = sqlite3_exec(db, insertQuery, nil, nil, nil) // BAD (sensitive data)
 	let _ = sqlite3_exec(db, updateQuery, nil, nil, nil) // BAD (sensitive data)
-	let _ = sqlite3_exec(db, deleteQuery, nil, nil, nil) // GOOD [FALSE POSITIVE]
+	let _ = sqlite3_exec(db, deleteQuery, nil, nil, nil) // GOOD

 	// --- sensitive data in bindings ---

@ -54,7 +54,7 @@ func test_sqlite3_c_api(db: OpaquePointer?, id: Int32, medicalNotes: String) {
 	var stmt1: OpaquePointer?

 	if (sqlite3_prepare(db, varQuery, -1, &stmt1, nil) == SQLITE_OK) { // GOOD
-		if (sqlite3_bind_int(stmt1, 1, id) == SQLITE_OK) { // GOOD [FALSE POSITIVE]
+		if (sqlite3_bind_int(stmt1, 1, id) == SQLITE_OK) { // GOOD
 			if (sqlite3_bind_text(stmt1, 2, medicalNotes, -1, SQLITE_TRANSIENT) == SQLITE_OK) { // BAD (sensitive data)
 				// ...
 			}