github
diff --git a/‎rust/ql/lib/codeql/rust/security/SensitiveData.qll‎
Lines changed: 28 additions & 36 deletions b/‎rust/ql/lib/codeql/rust/security/SensitiveData.qll‎
Lines changed: 28 additions & 36 deletions
@@ -22,64 +22,56 @@ abstract class SensitiveData extends DataFlow::Node {
 }
 
 /**
- * A function that might produce sensitive data.
- */
-private class SensitiveDataFunction extends Function {
-  SensitiveDataClassification classification;
-
-  SensitiveDataFunction() {
-    HeuristicNames::nameIndicatesSensitiveData(this.getName().getText(), classification)
-  }
-
-  SensitiveDataClassification getClassification() { result = classification }
-}
-
-/**
- * A function call data flow node that might produce sensitive data.
+ * A function call or enum variant data flow node that might produce sensitive data.
  */
 private class SensitiveDataCall extends SensitiveData {
   SensitiveDataClassification classification;
 
   SensitiveDataCall() {
-    classification =
-      this.asExpr()
-          .getAstNode()
-          .(CallExprBase)
-          .getStaticTarget()
-          .(SensitiveDataFunction)
-          .getClassification()
+    exists(CallExprBase call, string name |
+      call = this.asExpr().getExpr() and
+      name =
+        [
+          call.getStaticTarget().(Function).getName().getText(),
+          call.(CallExpr).getVariant().getName().getText(),
+        ] and
+      HeuristicNames::nameIndicatesSensitiveData(name, classification)
+    )
   }
 
   override SensitiveDataClassification getClassification() { result = classification }
 }
 
 /**
- * A variable that might contain sensitive data.
+ * A variable access data flow node that might be sensitive data.
  */
-private class SensitiveDataVariable extends Variable {
+private class SensitiveVariableAccess extends SensitiveData {
   SensitiveDataClassification classification;
 
-  SensitiveDataVariable() {
-    HeuristicNames::nameIndicatesSensitiveData(this.getText(), classification)
+  SensitiveVariableAccess() {
+    HeuristicNames::nameIndicatesSensitiveData(this.asExpr()
+          .getExpr()
+          .(VariableAccess)
+          .getVariable()
+          .(Variable)
+          .getText(), classification)
   }
 
-  SensitiveDataClassification getClassification() { result = classification }
+  override SensitiveDataClassification getClassification() { result = classification }
 }
 
+private Expr fieldExprParentField(FieldExpr fe) { result = fe.getParentNode() }
+
 /**
- * A variable access data flow node that might produce sensitive data.
+ * A field access data flow node that might be sensitive data.
  */
-private class SensitiveVariableAccess extends SensitiveData {
+private class SensitiveFieldAccess extends SensitiveData {
   SensitiveDataClassification classification;
 
-  SensitiveVariableAccess() {
-    classification =
-      this.asExpr()
-          .getAstNode()
-          .(VariableAccess)
-          .getVariable()
-          .(SensitiveDataVariable)
-          .getClassification()
+  SensitiveFieldAccess() {
+    exists(FieldExpr fe | fieldExprParentField*(fe) = this.asExpr().getExpr() |
+      HeuristicNames::nameIndicatesSensitiveData(fe.getIdentifier().getText(), classification)
+    )
   }
 
   override SensitiveDataClassification getClassification() { result = classification }