Make HardcodedCredentials query less noisy.

Considering "cert" and "account" to be sensitive leads to a massive number of false positives, especially on cockroach and kubernetes.

Author: Max Schaefer

ql/src/semmle/go/security/SensitiveActions.qll

@@ -28,7 +28,6 @@ module HeuristicNames {
    * user names or other account information.
    */
   string maybeAccountInfo() {
-    result = "(?is).*acc(ou)?nt.*" or
     result = "(?is).*(puid|username|userid).*"
   }
 
@@ -41,12 +40,6 @@ module HeuristicNames {
     result = "(?is).*(auth(entication|ori[sz]ation)?)key.*"
   }
 
-  /**
-   * Gets a regular expression that identifies strings that may indicate the presence of
-   * a certificate.
-   */
-  string maybeCertificate() { result = "(?is).*(cert)(?!.*(format|name)).*" }
-
   /**
    * Gets a regular expression that identifies strings that may indicate the presence
    * of sensitive data, with `classification` describing the kind of sensitive data involved.
@@ -57,8 +50,6 @@ module HeuristicNames {
     result = maybeAccountInfo() and classification = SensitiveExpr::id()
     or
     result = maybePassword() and classification = SensitiveExpr::password()
-    or
-    result = maybeCertificate() and classification = SensitiveExpr::certificate()
   }
 
   /**

ql/test/query-tests/Security/CWE-798/main.go

@@ -54,4 +54,8 @@ func main() {
 	i.password = testPassword       // OK
 	secretKey = "secret"            // OK
 	i.password = "--- redacted ---" // OK
+	certsDir := "/certs"            // OK
+	fmt.Println(certsDir)
+	accountParameter := "ACCOUNT"	// OK
+	fmt.Println(accountParameter)
 }