How can I add additional sources and sinks to a predefined rule(QL)? #18830
Replies: 2 comments
You can extend the abstract class:

```ql
/**
 * @name Insertion of sensitive information into log files
 * @description Writing sensitive information to log files can allow that
 *              information to be leaked to an attacker more easily.
 * @kind path-problem
 * @problem.severity warning
 * @security-severity 7.5
 * @precision medium
 * @id java/sensitive-log-customised
 * @tags security
 *       external/cwe/cwe-532
 */

import java
import semmle.code.java.security.SensitiveLoggingQuery
import SensitiveLoggerFlow::PathGraph

class MySource extends SensitiveLoggerSource {
  MySource() {
    // Characterise your source dataflow node, e.g.
    // this.asExpr().(MethodCall).getMethod().hasQualifiedName(...)
    // `none()` is only a placeholder so the query compiles; replace it with your condition.
    none()
  }
}

from SensitiveLoggerFlow::PathNode source, SensitiveLoggerFlow::PathNode sink
where SensitiveLoggerFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "This $@ is written to a log file.", source.getNode(),
  "potentially sensitive information"
```

Alternatively you can insert an extension of

If you want to use such a Customizations.qll in the context of a codeql-action run then you'll need to create a custom bundle: see https://github.com/advanced-security/codeql-bundle-action?tab=readme-ov-file#customizations
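The reply above shows the mechanism but leaves the source characterisation to the reader. The following query is an added example (not code from the reply or from the CodeQL repository) that fills that in for the case the question actually raises, adding more sensitive variables. It defines two extra `SensitiveLoggerSource` subclasses: one that matches reads of variables by name, and one that matches calls to getters on a hypothetical `com.example.Secrets` class. The variable-name list, the package, class and method names, and the query `@id` are all assumptions made for this example; everything else (`SensitiveLoggerSource`, `SensitiveLoggerFlow`, the `select` shape) is what the reply already uses.

```ql
/**
 * @name Insertion of sensitive information into log files (extra sources)
 * @description Writing sensitive information to log files can allow that
 *              information to be leaked to an attacker more easily.
 * @kind path-problem
 * @problem.severity warning
 * @security-severity 7.5
 * @precision medium
 * @id java/sensitive-log-customised-extra-sources
 * @tags security
 *       external/cwe/cwe-532
 */

import java
import semmle.code.java.security.SensitiveLoggingQuery
import SensitiveLoggerFlow::PathGraph

/**
 * Reads of variables whose names suggest data the built-in sources do not
 * cover. The name pattern is an assumption for this example; tune it to
 * your codebase (too broad a pattern costs precision, not recall).
 */
class ExtraSensitiveVariableSource extends SensitiveLoggerSource {
  ExtraSensitiveVariableSource() {
    exists(Variable v |
      this.asExpr() = v.getAnAccess() and
      // regexpMatch must match the whole name, hence the leading/trailing .*
      v.getName().regexpMatch("(?i).*(ssn|socialsecurity|creditcard|cardnumber|cvv|iban).*")
    )
  }
}

/**
 * Return values of getters on a hypothetical secrets holder,
 * com.example.Secrets.getApiKey() and com.example.Secrets.getDbPassword().
 * Package, class and method names are placeholders for this example.
 */
class SecretsGetterSource extends SensitiveLoggerSource {
  SecretsGetterSource() {
    exists(MethodCall call |
      this.asExpr() = call and
      call.getMethod().hasQualifiedName("com.example", "Secrets", ["getApiKey", "getDbPassword"])
    )
  }
}

// No change to the taint configuration is needed: SensitiveLoggerFlow picks up
// every SensitiveLoggerSource subclass as a source, so the built-in sources
// and the two classes above are tracked together to the existing logging sinks.
from SensitiveLoggerFlow::PathNode source, SensitiveLoggerFlow::PathNode sink
where SensitiveLoggerFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "This $@ is written to a log file.", source.getNode(),
  "potentially sensitive information"
```

Put the file in your own query pack (with a `qlpack.yml` that depends on `codeql/java-all`) and run it with `codeql database analyze`, or reference the pack from the `queries:` input of the codeql-action workflow; if you instead want the extra source classes to apply to the stock `java/sensitive-log` query, move the two classes into `Customizations.qll` and build the custom bundle the reply links to.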
Thank you for the answer! It works!
For example, the SensitiveLoggingQuery only tracks very few sensitive variables:
codeql/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll, line 55 in fe34aa3
If I want to add more sensitive variables, how can I do it?
I can definitely create a new data flow analysis rule, but I want to know if there is a simpler way to achieve the same.