SAST: Detect "privacy violation" issues when applications may mishandle private information
Background
We occasionally receive support requests or queries about why we don't detect CWE-359-type violations. In some competing tools these are reported under the name "Privacy Violation" and indicate that a piece of possibly-private data is possibly being mishandled.
When analyzed, these findings often seem to be derived from a simple strategy: find variables that are named "email", "address", or some other private-seeming name, then report if anything possibly-suspicious is done with them. In some cases the "possibly suspicious" activity can be as routine (and non-malicious) as collecting a username in the frontend and sending it to the backend so the user can log in.
Ultimately, the user goal behind such a rule is to detect potential privacy violations.
Proposal
Option: New workflow
This type of problem might be better solved by a privacy-analysis-focused workflow rather than by reporting vulnerabilities.
Option: Write a rule
It would be possible to build a rule that does a basic form of analysis, and that reports results with low/info severity, as a way to address the customer request.
If we shipped such a rule, we would need to be sure it doesn't create too much noise for users. We could achieve this by making the rule opt-in. We do not currently split the ruleset but could imagine having a default ruleset plus optional add-on rules, like a "privacy-focused" ruleset or similar.
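As an added illustration (not part of this issue or of GitLab SAST), here is a minimal name-based heuristic of the kind described in the Background and in the "Write a rule" option: it flags a private-looking variable only when it is passed straight to a logging sink and reports it at info severity, so a routine flow such as handing a username to a login call does not fire. The name pattern, the sink list and the sample source are assumptions.

```python
import ast
import re

# Hypothetical name pattern for "private-seeming" variables (an assumption).
PRIVATE_NAME = re.compile(r"(email|address|ssn|phone|password|dob)", re.I)
# Hypothetical sinks where private data is commonly mishandled: logging/printing.
LOG_SINKS = {"print", "logging.info", "logging.debug", "logging.warning",
             "logging.error", "logger.info", "logger.debug", "logger.error"}


def _call_name(node: ast.Call) -> str:
    """Render the callee as a dotted name ('logger.info'), or '' if unknown."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return ""


def find_privacy_violations(source: str):
    """Return (line, variable, sink) tuples, each meant to be reported as info.

    Only a private-looking variable passed directly to a logging sink is
    flagged; other uses of the variable are deliberately ignored to keep noise low.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        sink = _call_name(node)
        if sink not in LOG_SINKS:
            continue
        for arg in node.args:
            if isinstance(arg, ast.Name) and PRIVATE_NAME.search(arg.id):
                findings.append((node.lineno, arg.id, sink))
    return findings


# Constructed sample: one routine flow and one likely mishandling.
SAMPLE = '''
def login(username, user_email):
    backend.authenticate(username)           # routine, not reported
    logger.info("login for %s", user_email)  # private value in a log line
'''

if __name__ == "__main__":
    for line, var, sink in find_privacy_violations(SAMPLE):
        print(f"line {line}: '{var}' passed to {sink} (severity: info)")
```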