From 4117cd73a7795b47052dd5c2208b11248ff3a435 Mon Sep 17 00:00:00 2001
From: luchua-bc
Date: Fri, 15 May 2020 16:14:41 +0000
Subject: [PATCH 1/2] Add JBoss logging

---
 java/ql/src/experimental/CWE-532/SensitiveInfoLog.ql | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/java/ql/src/experimental/CWE-532/SensitiveInfoLog.ql b/java/ql/src/experimental/CWE-532/SensitiveInfoLog.ql
index 36a518cdf46c..69221bfbfaab 100644
--- a/java/ql/src/experimental/CWE-532/SensitiveInfoLog.ql
+++ b/java/ql/src/experimental/CWE-532/SensitiveInfoLog.ql
@@ -16,7 +16,7 @@ import PathGraph
  * Gets a regular expression for matching names of variables that indicate the value being held is a credential
  */
 private string getACredentialRegex() {
-  result = "(?i).*pass(wd|word|code|phrase)(?!.*question).*" or
+  result = "(?i).*challenge|pass(wd|word|code|phrase)(?!.*question).*" or
   result = "(?i)(.*username|url).*"
 }
 
@@ -31,14 +31,19 @@ class CredentialExpr extends Expr {
 class LoggerType extends RefType {
   LoggerType() {
     this.hasQualifiedName("org.apache.log4j", "Category") or //Log4J
-    this.hasQualifiedName("org.slf4j", "Logger") //SLF4j and Gradle Logging
+    this.hasQualifiedName("org.slf4j", "Logger") or //SLF4j and Gradle Logging
+    this.hasQualifiedName("org.jboss.logging", "BasicLogger") //JBoss Logging
   }
 }
 
 predicate isSensitiveLoggingSink(DataFlow::Node sink) {
   exists(MethodAccess ma |
     ma.getMethod().getDeclaringType() instanceof LoggerType and
-    (ma.getMethod().hasName("debug") or ma.getMethod().hasName("trace")) and //Check low priority log levels which are more likely to be real issues to reduce false positives
+    (
+      ma.getMethod().hasName("debug") or
+      ma.getMethod().hasName("trace") or
+      ma.getMethod().hasName("debugf")
+    ) and //Check low priority log levels which are more likely to be real issues to reduce false positives
     sink.asExpr() = ma.getAnArgument()
   )
 }
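Review bot: The new regex `"(?i).*challenge|pass(wd|word|code|phrase)(?!.*question).*"` is mis-grouped: `|` binds loosest, so it reads as "`.*challenge`" OR "`pass(...)...`", and the leading `.*` no longer applies to the password branch. Assuming CredentialExpr (outside this hunk) applies it with `regexpMatch`, which matches the whole string, names such as `userPassword` or `dbPasswd` stop matching and `challenge` only matches when it is the suffix of the name, which silently shrinks the set of sources this query finds. Group the alternation so both branches keep the surrounding `.*` and the `question` exclusion: `result = "(?i).*(challenge|pass(wd|word|code|phrase))(?!.*question).*" or`. A test variable named e.g. `loginPassword` in the query's test suite would catch this regression.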
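Review bot: The sink test `ma.getMethod().getDeclaringType() instanceof LoggerType` requires the called method to be declared exactly on `org.jboss.logging.BasicLogger`, but JBoss code normally calls through `org.jboss.logging.Logger`, which implements `BasicLogger` and, as far as I recall, carries its own `debug`/`debugf` implementations; if CodeQL resolves the call to the `Logger` override, the declaring type is `Logger` and the new JBoss sink never fires. Loosening the check to `ma.getMethod().getDeclaringType().getASupertype*() instanceof LoggerType` covers both the interface and the concrete class, and is worth confirming with a test case that logs through a `Logger` field. Separately, only `debugf` is added to the level filter while the JBoss API also exposes `tracef`, `debugv` and `tracev` at the same low priority; `ma.getMethod().getName().regexpMatch("(debug|trace)[fv]?")` would cover them all in one line without touching the Log4J/SLF4J behaviour.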
@@ -59,3 +64,4 @@ from LoggerConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "Outputting $@ to log.", source.getNode(),
   "sensitive information"
+
From 69f2525e62b6ab14e64e1955d1d582e451d1c930 Mon Sep 17 00:00:00 2001
From: Bt2018
Date: Mon, 18 May 2020 10:02:37 -0400
Subject: [PATCH 2/2] Remove the ending blank lines for auto-format check

---
 java/ql/src/experimental/CWE-532/SensitiveInfoLog.ql | 1 -
 1 file changed, 1 deletion(-)

diff --git a/java/ql/src/experimental/CWE-532/SensitiveInfoLog.ql b/java/ql/src/experimental/CWE-532/SensitiveInfoLog.ql
index 69221bfbfaab..d42ce25a46f9 100644
--- a/java/ql/src/experimental/CWE-532/SensitiveInfoLog.ql
+++ b/java/ql/src/experimental/CWE-532/SensitiveInfoLog.ql
@@ -64,4 +64,3 @@ from LoggerConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "Outputting $@ to log.", source.getNode(),
   "sensitive information"
-