Shared: Add 'card.?no' sensitive data heuristic.

Author: geoffw0

rust/ql/test/library-tests/sensitivedata/test.rs

@@ -313,8 +313,8 @@ fn test_private_info(
 
 	sink(info.financials.my_bank_account_number.as_str()); // $ sensitive=private SPURIOUS: sensitive=id
 	sink(info.financials.credit_card_no.as_str()); // $ sensitive=private
-	sink(info.financials.card_no.as_str()); // $ MISSING: sensitive=private
-	sink(info.financials.cardNumber.as_str()); // $ MISSING: sensitive=private
+	sink(info.financials.card_no.as_str()); // $ sensitive=private
+	sink(info.financials.cardNumber.as_str()); // $ sensitive=private
 	sink(info.financials.card_security_code.as_str()); // $ MISSING: sensitive=private
 	sink(info.financials.credit_rating); // $ sensitive=private
 	sink(info.financials.user_ccn.as_str()); // $ sensitive=private
@@ -368,7 +368,7 @@ fn test_private_info(
 	sink(info.financials.accounting);
 	sink(info.financials.unaccounted);
 	sink(info.financials.multiband);
-	sink(info.financials.wildcard_not_matched);
+	sink(info.financials.wildcard_not_matched); // $ SPURIOUS: sensitive=private
 
 	sink(ContactDetails::FavouriteColor("blue".to_string()));
 }

shared/concepts/codeql/concepts/internal/SensitiveDataHeuristics.qll

@@ -104,7 +104,7 @@ module HeuristicNames {
         // Geographic location - where the user is (or was)
         "latitude|longitude|nationality|" +
         // Financial data - such as credit card numbers, salary, bank accounts, and debts
-        "(credit|debit|bank|visa).?(card|num|no|acc(ou)?nt)|acc(ou)?nt.?(no|num|credit)|routing.?num|"
+        "(credit|debit|bank|visa).?(card|num|no|acc(ou)?nt)|(card|acc(ou)?nt).?(no|num|credit)|routing.?num|"
         + "salary|billing|beneficiary|credit.?(rating|score)|([_-]|\\b)(ccn|cvv|iban)([_-]|\\b)|" +
         // Communications - e-mail addresses, private e-mail messages, SMS text messages, chat logs, etc.
         // "e(mail|_mail)|" + // this seems too noisy