codeql/go/ql/src/Security/CWE-312/CleartextLogging.qhelp, lines 8 to 9 in 590e93d:

> Sensitive information that is logged unencrypted is accessible to an attacker
> who gains access to the logs.
https://github.com/check-spelling-sandbox/argo-cd/security/code-scanning/7

cmd/argocd-git-ask-pass/commands/argocd_git_ask_pass.go:49

```go
case strings.HasPrefix(os.Args[1], "Username"):
	fmt.Println(creds.Username)
case strings.HasPrefix(os.Args[1], "Password"):
	fmt.Println(creds.Password) // CodeQL: flows to a logging call.
default:
	errors.CheckError(fmt.Errorf("unknown credential type '%s'", os.Args[1]))
}
```
It's true, this code is printing a password; that's its job. It's a git credential.helper program.
This isn't "logging" a password, it's intentionally "printing" the password.
How does one tell CodeQL that this is intended behavior? Is the only real option to wait for #11427?
The help should say:
<p>
Be aware that the purpose of some programs is to print output.
Do not file tickets complaining about programs doing their jobs, it will not win you any warm fuzzies.
</p>
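For context on why stdout is the right place for the secret here, an added example (not argo-cd's code, and not part of the issue above): a minimal git ask-pass helper. git invokes the program named by GIT_ASKPASS with the prompt as its single argument and reads the answer from stdout; the EXAMPLE_GIT_* variable names and the Credentials type are assumptions made for this example.

```go
// Added example, not argo-cd's code: a minimal git ask-pass helper. git runs the
// program named by GIT_ASKPASS with one argument, the prompt, and reads the
// answer from stdout, so printing the secret there is the helper's contract.
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// Credentials is a constructed stand-in for whatever the real helper loads.
type Credentials struct {
	Username string
	Password string
}

var errUnknownPrompt = errors.New("unknown credential prompt")

// answerFor maps a prompt such as "Username for 'https://host': " or
// "Password for 'https://user@host': " to the value git expects on stdout.
func answerFor(prompt string, creds Credentials) (string, error) {
	switch {
	case strings.HasPrefix(prompt, "Username"):
		return creds.Username, nil
	case strings.HasPrefix(prompt, "Password"):
		return creds.Password, nil
	default:
		return "", fmt.Errorf("%w: %q", errUnknownPrompt, prompt)
	}
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: askpass <prompt>")
		os.Exit(2)
	}
	creds := Credentials{ // EXAMPLE_GIT_* names are assumptions for this example
		Username: os.Getenv("EXAMPLE_GIT_USERNAME"),
		Password: os.Getenv("EXAMPLE_GIT_PASSWORD"),
	}
	answer, err := answerFor(os.Args[1], creds)
	if err != nil {
		fmt.Fprintln(os.Stderr, err) // diagnostics go to stderr, never the secret
		os.Exit(1)
	}
	fmt.Println(answer) // stdout is the channel git reads: a print, not a log
}
```

The separation matters for the distinction the issue draws: the secret is written only to the protocol channel, while anything that might end up in a log file (usage errors, unknown prompts) goes to stderr without the credential value.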