Java: Extract module HardcodedCredentials from CWE-798

java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql

@@ -11,7 +11,7 @@
 
 import java
 import semmle.code.java.dataflow.DataFlow
-import HardcodedCredentials
+import semmle.code.java.security.HardcodedCredentials
 import DataFlow::PathGraph
 
 class HardcodedCredentialApiCallConfiguration extends DataFlow::Configuration {

java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsComparison.ql

@@ -10,7 +10,7 @@
  */
 
 import java
-import HardcodedCredentials
+import semmle.code.java.security.HardcodedCredentials
 
 class EqualsAccess extends MethodAccess {
   EqualsAccess() { getMethod() instanceof EqualsMethod }

java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsSourceCall.ql

@@ -12,7 +12,7 @@
 import java
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.DataFlow2
-import HardcodedCredentials
+import semmle.code.java.security.HardcodedCredentials
 import DataFlow::PathGraph
 
 class HardcodedCredentialSourceCallConfiguration extends DataFlow::Configuration {

java/ql/src/Security/CWE/CWE-798/HardcodedPasswordField.ql

@@ -10,7 +10,7 @@
  */
 
 import java
-import HardcodedCredentials
+import semmle.code.java.security.HardcodedCredentials
 
 from PasswordVariable f, CompileTimeConstantExpr e
 where

java/ql/src/Security/CWE/CWE-798/SensitiveApi.qll → java/ql/src/semmle/code/java/security/CredentialReceivingApi.qll

@@ -1,8 +1,8 @@
+/** Provides predicates to reason about methods that accept a credential (e.g., username, password, or cryptographic secret). */
+
 import java
 
-/**
- * Holds if callable `c` from a standard Java API expects a password parameter at index `i`.
- */
+/** Holds if callable `c` from a standard Java API expects a password parameter at index `i`. */
 predicate javaApiCallablePasswordParam(Callable c, int i) {
   exists(c.getParameter(i)) and
   javaApiCallablePasswordParam(c.getDeclaringType().getQualifiedName() + ";" +

java/ql/src/Security/CWE/CWE-798/HardcodedCredentials.qll → java/ql/src/semmle/code/java/security/HardcodedCredentials.qll

@@ -1,5 +1,8 @@
+/** Provides classes to analyze the use of hardcoded credentials. */
+
 import java
-import SensitiveApi
+import semmle.code.java.dataflow.DataFlow
+import CredentialReceivingApi
 
 /**
  * An array creation expression of type `byte[]` with
@@ -37,10 +40,8 @@ class HardcodedExpr extends Expr {
   }
 }
 
-/**
- * An argument to a sensitive call, expected to contain credentials.
- */
-abstract class CredentialsSink extends Expr {
+/** An argument to a sensitive call, expected to contain credentials. */
+abstract class CredentialsSink extends DataFlow::Expr {
   Call getSurroundingCall() { this = result.getAnArgument() }
 }
 
@@ -63,24 +64,26 @@ class CredentialsApiSink extends CredentialsSink {
   }
 }
 
-/**
- * A variable whose name indicates that it may hold a password.
- */
-class PasswordVariable extends Variable {
-  PasswordVariable() {
+/** A variable that holds a password. */
+abstract class PasswordVariable extends Variable { }
+
+/** A variable whose name indicates that it may hold a password. */
+private class ByNamePasswordVariable extends PasswordVariable {
+  ByNamePasswordVariable() {
     getName().regexpMatch("(?i)(encrypted|old|new)?pass(wd|word|code|phrase)(chars|value)?")
   }
 }
 
-/**
- * A variable whose name indicates that it may hold a user name.
- */
-class UsernameVariable extends Variable {
-  UsernameVariable() { getName().regexpMatch("(?i)(user|username)") }
+/** A variable that holds a username. */
+abstract class UsernameVariable extends Variable { }
+
+/** A variable whose name indicates that it may hold a username. */
+private class ByNameUsernameVariable extends UsernameVariable {
+  ByNameUsernameVariable() { getName().regexpMatch("(?i)(user|username)") }
 }
 
 /**
- * An argument to a call, where the parameter name corresponding
+ * An argument to a call, where the parameter corresponding
  * to the argument indicates that it may contain credentials.
  */
 class CredentialsSourceSink extends CredentialsSink {