Add SPURIOUS and MISSING to some comments

Author: owen-mc

swift/ql/test/query-tests/Security/CWE-020/SemiAnchoredRegex.swift

@@ -104,7 +104,7 @@ func realWorld(input: String) throws {
 	_ = try Regex(#"^mouse|touch|click|contextmenu|drop|dragover|dragend"#).firstMatch(in: input) // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
 	_ = try Regex(#"^xxx:|yyy:"#).ignoresCase().firstMatch(in: input) // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
 	_ = try Regex(#"_xxx|_yyy|_zzz$"#).firstMatch(in: input) // $ Alert[swift/missing-regexp-anchor] // BAD (missing anchor)
-	_ = try Regex(#"em|%$"#).firstMatch(in: input) // BAD (missing anchor) [NOT DETECTED] - not flagged at the moment due to the anchor not being for letters
+	_ = try Regex(#"em|%$"#).firstMatch(in: input) // $ MISSING: Alert[swift/missing-regexp-anchor] // BAD (missing anchor) [NOT DETECTED] - not flagged at the moment due to the anchor not being for letters
 
 	// the following are MAYBE OK due to apparent complexity; not flagged
 	_ = try Regex(#"(?:^[#?]?|&)([^=&]+)(?:=([^&]*))?"#).firstMatch(in: input)

swift/ql/test/query-tests/Security/CWE-020/UnanchoredUrlRegex.swift

@@ -104,25 +104,25 @@ func tests(url: String, secure: Bool) throws {
 	_ = try NSRegularExpression(pattern: "verygood.com/?id=" + #"https?:\/\/good.com\/([0-9]+)"#).matches(in: url, range: urlRange)[0] // OK
 
 	_ = try NSRegularExpression(pattern: #"\.com|\.org"#).matches(in: input, range: inputRange) // OK, has no domain name
-	_ = try NSRegularExpression(pattern: #"example\.com|whatever"#).matches(in: input, range: inputRange) // $ Alert[swift/missing-regexp-anchor] // OK, the other disjunction doesn't match a hostname [FALSE POSITIVE]
+	_ = try NSRegularExpression(pattern: #"example\.com|whatever"#).matches(in: input, range: inputRange) // $ SPURIOUS: Alert[swift/missing-regexp-anchor] // OK, the other disjunction doesn't match a hostname [FALSE POSITIVE]
 
 	// tests for the `isLineAnchoredHostnameRegExp` case
 
 	let attackUrl1 =  "evil.com/blabla?\ngood.com"
 	let attackUrl1Range = NSMakeRange(0, attackUrl1.utf16.count)
 	_ = try NSRegularExpression(pattern: "^good\\.com$").matches(in: attackUrl1, range: attackUrl1Range) // OK
-	_ = try NSRegularExpression(pattern: "^good\\.com$", options: .anchorsMatchLines).matches(in: attackUrl1, range: attackUrl1Range) // BAD [NOT DETECTED]: with the .anchorsMatchLines option this matches the attack URL
+	_ = try NSRegularExpression(pattern: "^good\\.com$", options: .anchorsMatchLines).matches(in: attackUrl1, range: attackUrl1Range) // $ MISSING: Alert[swift/missing-regexp-anchor] // BAD [NOT DETECTED]: with the .anchorsMatchLines option this matches the attack URL
 	_ = try NSRegularExpression(pattern: "(?i)^good\\.com$").matches(in: attackUrl1, range: attackUrl1Range) // OK
-	_ = try NSRegularExpression(pattern: "(?i)^good\\.com$", options: .anchorsMatchLines).matches(in: attackUrl1, range: attackUrl1Range) // BAD [NOT DETECTED]: with the .anchorsMatchLines option this matches the attack URL
+	_ = try NSRegularExpression(pattern: "(?i)^good\\.com$", options: .anchorsMatchLines).matches(in: attackUrl1, range: attackUrl1Range) // $ MISSING: Alert[swift/missing-regexp-anchor] // BAD [NOT DETECTED]: with the .anchorsMatchLines option this matches the attack URL
 	_ = try NSRegularExpression(pattern: "^good\\.com$|^another\\.com$").matches(in: attackUrl1, range: attackUrl1Range) // OK
-	_ = try NSRegularExpression(pattern: "^good\\.com$|^another\\.com$", options: .anchorsMatchLines).matches(in: attackUrl1, range: attackUrl1Range) // BAD [NOT DETECTED]: with the .anchorsMatchLines option this matches the attack URL
+	_ = try NSRegularExpression(pattern: "^good\\.com$|^another\\.com$", options: .anchorsMatchLines).matches(in: attackUrl1, range: attackUrl1Range) // $ MISSING: Alert[swift/missing-regexp-anchor] // BAD [NOT DETECTED]: with the .anchorsMatchLines option this matches the attack URL
 
 	let attackUrl2 =  "evil.com/blabla?\ngood.com/"
 	let attackUrl2Range = NSMakeRange(0, attackUrl2.utf16.count)
 	_ = try NSRegularExpression(pattern: "^good\\.com/").matches(in: attackUrl2, range: attackUrl2Range) // OK
-	_ = try NSRegularExpression(pattern: "^good\\.com/", options: .anchorsMatchLines).matches(in: attackUrl2, range: attackUrl2Range) // BAD [NOT DETECTED]: with the .anchorsMatchLines option this matches the attack URL
+	_ = try NSRegularExpression(pattern: "^good\\.com/", options: .anchorsMatchLines).matches(in: attackUrl2, range: attackUrl2Range) // $ MISSING: Alert[swift/missing-regexp-anchor] // BAD [NOT DETECTED]: with the .anchorsMatchLines option this matches the attack URL
 	_ = try NSRegularExpression(pattern: "(?i)^good\\.com/").matches(in: attackUrl2, range: attackUrl2Range) // OK
-	_ = try NSRegularExpression(pattern: "(?i)^good\\.com/", options: .anchorsMatchLines).matches(in: attackUrl2, range: attackUrl2Range) // BAD [NOT DETECTED]: with the .anchorsMatchLines option this matches the attack URL
+	_ = try NSRegularExpression(pattern: "(?i)^good\\.com/", options: .anchorsMatchLines).matches(in: attackUrl2, range: attackUrl2Range) // $ MISSING: Alert[swift/missing-regexp-anchor] // BAD [NOT DETECTED]: with the .anchorsMatchLines option this matches the attack URL
 	_ = try NSRegularExpression(pattern: "^good\\.com/|^another\\.com/").matches(in: attackUrl2, range: attackUrl2Range) // OK
-	_ = try NSRegularExpression(pattern: "^good\\.com/|^another\\.com/", options: .anchorsMatchLines).matches(in: attackUrl2, range: attackUrl2Range) // BAD [NOT DETECTED]: with the .anchorsMatchLines option this matches the attack URL
+	_ = try NSRegularExpression(pattern: "^good\\.com/|^another\\.com/", options: .anchorsMatchLines).matches(in: attackUrl2, range: attackUrl2Range) // $ MISSING: Alert[swift/missing-regexp-anchor] // BAD [NOT DETECTED]: with the .anchorsMatchLines option this matches the attack URL
 }

swift/ql/test/query-tests/Security/CWE-020/test.swift

@@ -73,8 +73,8 @@ func testHostnames(myUrl: URL) throws {
 	_ = try Regex(#"^https?://api.example.com/"#).firstMatch(in: tainted) // $ Alert[swift/incomplete-hostname-regexp] // BAD (incomplete hostname)
 	_ = try Regex(#"^http[s]?://?sub1\.sub2\.example\.com/f/(.+)"#).firstMatch(in: tainted) // GOOD (it has a capture group after the TLD, so should be ignored)
 	_ = try Regex(#"^https://[a-z]*.example.com$"#).firstMatch(in: tainted) // $ Alert[swift/incomplete-hostname-regexp] // BAD (incomplete hostname)
-	_ = try Regex(#"^(example.dev|example.com)"#).firstMatch(in: tainted) // $ Alert[swift/missing-regexp-anchor] // GOOD (any extended hostname wouldn't be included in the capture group) [FALSE POSITIVE]
-	_ = try Regex(#"^protos?://(localhost|.+.example.net|.+.example-a.com|.+.example-b.com|.+.example.internal)"#).firstMatch(in: tainted) // $ Alert[swift/incomplete-hostname-regexp] Alert[swift/incomplete-hostname-regexp] Alert[swift/incomplete-hostname-regexp] Alert[swift/missing-regexp-anchor] // BAD (incomplete hostname x3, missing anchor x 1)
+	_ = try Regex(#"^(example.dev|example.com)"#).firstMatch(in: tainted) // $ SPURIOUS: Alert[swift/missing-regexp-anchor] // GOOD (any extended hostname wouldn't be included in the capture group) [FALSE POSITIVE]
+	_ = try Regex(#"^protos?://(localhost|.+.example.net|.+.example-a.com|.+.example-b.com|.+.example.internal)"#).firstMatch(in: tainted) // $ Alert[swift/incomplete-hostname-regexp] Alert[swift/missing-regexp-anchor] // BAD (incomplete hostname x3, missing anchor x 1)
 
 	_ = try Regex(#"^http://(..|...)\.example\.com/index\.html"#).firstMatch(in: tainted) // GOOD (wildcards are intentional)
 	_ = try Regex(#"^http://.\.example\.com/index\.html"#).firstMatch(in: tainted) // GOOD (the wildcard is intentional)
@@ -85,7 +85,7 @@ func testHostnames(myUrl: URL) throws {
 
 	_ = try Regex(id(id(id(#"test.example.com$"#)))).firstMatch(in: tainted) // $ Alert[swift/incomplete-hostname-regexp] // BAD (incomplete hostname)
 
-	let hostname = #"test.example.com$"# // BAD (incomplete hostname) [NOT DETECTED]
+	let hostname = #"test.example.com$"# // $ MISSING: Alert[swift/incomplete-hostname-regexp] // BAD (incomplete hostname) [NOT DETECTED]
 	_ = try Regex("\(hostname)").firstMatch(in: tainted)
 
 	var domain = MyDomain("")
@@ -97,17 +97,17 @@ func testHostnames(myUrl: URL) throws {
 	}
 	_ = try convert1(MyDomain(#"test.example.com$"#)).firstMatch(in: tainted) // $ Alert[swift/incomplete-hostname-regexp] // BAD (incomplete hostname)
 
-	let domains = [ MyDomain(#"test.example.com$"#) ]  // BAD (incomplete hostname) [NOT DETECTED]
+	let domains = [ MyDomain(#"test.example.com$"#) ]  // $ MISSING: Alert[swift/incomplete-hostname-regexp] // BAD (incomplete hostname) [NOT DETECTED]
 	func convert2(_ domain: MyDomain) throws -> Regex<AnyRegexOutput> {
 		return try Regex(domain.hostname)
 	}
 	_ = try domains.map({ try convert2($0).firstMatch(in: tainted) })
 
 	let primary = "example.com$"
-	_ = try Regex("test." + primary).firstMatch(in: tainted) // BAD (incomplete hostname) [NOT DETECTED]
-	_ = try Regex("test." + "example.com$").firstMatch(in: tainted) // BAD (incomplete hostname) [NOT DETECTED]
-	_ = try Regex(#"^http://localhost:8000|" + "^https?://.+\.example\.com/"#).firstMatch(in: tainted) // BAD (incomplete hostname) [NOT DETECTED]
-	_ = try Regex(#"^http://localhost:8000|" + "^https?://.+.example\.com/"#).firstMatch(in: tainted) // BAD (incomplete hostname) [NOT DETECTED]
+	_ = try Regex("test." + primary).firstMatch(in: tainted) // $ MISSING: Alert[swift/incomplete-hostname-regexp] // BAD (incomplete hostname) [NOT DETECTED]
+	_ = try Regex("test." + "example.com$").firstMatch(in: tainted) // $ MISSING: Alert[swift/incomplete-hostname-regexp] // BAD (incomplete hostname) [NOT DETECTED]
+	_ = try Regex(#"^http://localhost:8000|" + "^https?://.+\.example\.com/"#).firstMatch(in: tainted) // $ MISSING: Alert[swift/incomplete-hostname-regexp] // BAD (incomplete hostname) [NOT DETECTED]
+	_ = try Regex(#"^http://localhost:8000|" + "^https?://.+.example\.com/"#).firstMatch(in: tainted) // $ MISSING: Alert[swift/incomplete-hostname-regexp] // BAD (incomplete hostname) [NOT DETECTED]
 
 	let harmless = #"^http://test.example.com"# // GOOD (never used as a regex)
 }

swift/ql/test/query-tests/Security/CWE-089/other.swift

@@ -55,9 +55,9 @@ func test_heuristic(db: MyDatabase) throws {
 	db.execute4(remoteString as! Sql) // $ Alert
 
 	db.query(sql: remoteString) // $ Alert
-	db.query(sqlLiteral: remoteString) // BAD [NOT DETECTED]
-	db.query(sqlStatement: remoteString) // BAD [NOT DETECTED]
-	db.query(sqliteStatement: remoteString) // BAD [NOT DETECTED]
+	db.query(sqlLiteral: remoteString) // $ MISSING: Alert // BAD [NOT DETECTED]
+	db.query(sqlStatement: remoteString) // $ MISSING: Alert // BAD [NOT DETECTED]
+	db.query(sqliteStatement: remoteString) // $ MISSING: Alert // BAD [NOT DETECTED]
 
 	db.doSomething(sqlIndex: Int(remoteString) ?? 0) // GOOD
 	db.doSomething(sqliteContext: remoteString as! Sql) // GOOD

swift/ql/test/query-tests/Security/CWE-134/UncontrolledFormatString.swift

@@ -148,7 +148,7 @@ func tests() throws {
         _ = vasprintf_l(nil, nil, "%s", getVaList([cstr])) // GOOD: format not tainted
     })
 
-    myFormatMessage(string: tainted, "abc") // BAD [NOT DETECTED]
+    myFormatMessage(string: tainted, "abc") // $ MISSING: Alert // BAD [NOT DETECTED]
     myFormatMessage(string: "%s", tainted) // GOOD: format not tainted
 
     _ = MyString(format: tainted, "abc") // $ Alert

swift/ql/test/query-tests/Security/CWE-311/testAlamofire.swift

@@ -159,25 +159,25 @@ func test1(username: String, password: String, email: String, harmless: String)
 	let params1 = ["value": email]
 	let params2 = ["value": harmless]
 
-	AF.request("http://example.com/", parameters: params1) // BAD [NOT DETECTED]
+	AF.request("http://example.com/", parameters: params1) // $ MISSING: Alert[swift/cleartext-transmission] // BAD [NOT DETECTED]
 	AF.request("http://example.com/", parameters: params2) // GOOD (not sensitive)
-	AF.request("http://example.com/", parameters: params1, encoding: URLEncoding.default) // BAD [NOT DETECTED]
+	AF.request("http://example.com/", parameters: params1, encoding: URLEncoding.default) // $ MISSING: Alert[swift/cleartext-transmission] // BAD [NOT DETECTED]
 	AF.request("http://example.com/", parameters: params2, encoding: URLEncoding.default) // GOOD (not sensitive)
-	AF.request("http://example.com/", parameters: params1, encoder: URLEncodedFormParameterEncoder.default) // BAD [NOT DETECTED]
+	AF.request("http://example.com/", parameters: params1, encoder: URLEncodedFormParameterEncoder.default) // $ MISSING: Alert[swift/cleartext-transmission] // BAD [NOT DETECTED]
 	AF.request("http://example.com/", parameters: params2, encoder: URLEncodedFormParameterEncoder.default) // GOOD (not sensitive)
-	AF.download("http://example.com/", parameters: params1) // BAD [NOT DETECTED]
+	AF.download("http://example.com/", parameters: params1) // $ MISSING: Alert[swift/cleartext-transmission] // BAD [NOT DETECTED]
 	AF.download("http://example.com/", parameters: params2) // GOOD (not sensitive)
 
 	let params3 = ["values": ["...", email, "..."]]
 	let params4 = ["values": ["...", harmless, "..."]]
 
-	AF.request("http://example.com/", method:.post, parameters: params3) // BAD [NOT DETECTED]
+	AF.request("http://example.com/", method:.post, parameters: params3) // $ MISSING: Alert[swift/cleartext-transmission] // BAD [NOT DETECTED]
 	AF.request("http://example.com/", method:.post, parameters: params4) // GOOD (not sensitive)
 
 	let params5 = MyEncodable(value: email)
 	let params6 = MyEncodable(value: harmless)
 
-	AF.request("http://example.com/", parameters: params5) // BAD [NOT DETECTED]
+	AF.request("http://example.com/", parameters: params5) // $ MISSING: Alert[swift/cleartext-transmission] // BAD [NOT DETECTED]
 	AF.request("http://example.com/", parameters: params6) // GOOD (not sensitive)
 
 	// request headers
@@ -187,32 +187,32 @@ func test1(username: String, password: String, email: String, harmless: String)
 	let headers1: HTTPHeaders = ["Authorization": username + ":" + password]
 	let headers2: HTTPHeaders = ["Value": harmless]
 
-	AF.request("http://example.com/", headers: headers1) // BAD [NOT DETECTED]
+	AF.request("http://example.com/", headers: headers1) // $ MISSING: Alert[swift/cleartext-transmission] // BAD [NOT DETECTED]
 	AF.request("http://example.com/", headers: headers2) // GOOD (not sensitive)
-	AF.streamRequest("http://example.com/", headers: headers1) // BAD [NOT DETECTED]
+	AF.streamRequest("http://example.com/", headers: headers1) // $ MISSING: Alert[swift/cleartext-transmission] // BAD [NOT DETECTED]
 	AF.streamRequest("http://example.com/", headers: headers2) // GOOD (not sensitive)
 
 	let headers3 = HTTPHeaders(["Authorization": username + ":" + password])
 	let headers4 = HTTPHeaders(["Value": harmless])
 
-	AF.request("http://example.com/", headers: headers3) // BAD [NOT DETECTED]
+	AF.request("http://example.com/", headers: headers3) // $ MISSING: Alert[swift/cleartext-transmission] // BAD [NOT DETECTED]
 	AF.request("http://example.com/", headers: headers4) // GOOD (not sensitive)
-	AF.download("http://example.com/", headers: headers1) // BAD [NOT DETECTED]
+	AF.download("http://example.com/", headers: headers1) // $ MISSING: Alert[swift/cleartext-transmission] // BAD [NOT DETECTED]
 	AF.download("http://example.com/", headers: headers2) // GOOD (not sensitive)
 
 	var headers5 = HTTPHeaders([:])
 	var headers6 = HTTPHeaders([:])
 	headers5.add(name: "Authorization", value: username + ":" + password)
 	headers6.add(name: "Data", value: harmless)
 
-	AF.request("http://example.com/", headers: headers5) // BAD [NOT DETECTED]
+	AF.request("http://example.com/", headers: headers5) // $ MISSING: Alert[swift/cleartext-transmission] // BAD [NOT DETECTED]
 	AF.request("http://example.com/", headers: headers6) // GOOD (not sensitive)
 
 	var headers7 = HTTPHeaders([:])
 	var headers8 = HTTPHeaders([:])
 	headers7.update(name: "Authorization", value: username + ":" + password)
 	headers8.update(name: "Data", value: harmless)
 
-	AF.request("http://example.com/", headers: headers7) // BAD [NOT DETECTED]
+	AF.request("http://example.com/", headers: headers7) // $ MISSING: Alert[swift/cleartext-transmission] // BAD [NOT DETECTED]
 	AF.request("http://example.com/", headers: headers8) // GOOD (not sensitive)
 }

swift/ql/test/query-tests/Security/CWE-311/testCoreData.swift

@@ -124,16 +124,16 @@ class SecureKeyStore {
 func test5(obj : NSManagedObject) {
 	// more variants...
 
-	obj.setValue(createSecureKey(), forKey: "myKey") // BAD [NOT DETECTED]
+	obj.setValue(createSecureKey(), forKey: "myKey") // $ MISSING: Alert[swift/cleartext-storage-database] // BAD [NOT DETECTED]
 	obj.setValue(generateSecretKey(), forKey: "myKey") // $ Alert[swift/cleartext-storage-database]
 	obj.setValue(getCertificate(), forKey: "myKey") // $ Alert[swift/cleartext-storage-database]
 
 	let gen = KeyGen()
 	let v = gen.generate()
 
-	obj.setValue(KeyGen().generate(), forKey: "myKey") // BAD [NOT DETECTED]
-	obj.setValue(gen.generate(), forKey: "myKey") // BAD [NOT DETECTED]
-	obj.setValue(v, forKey: "myKey") // BAD [NOT DETECTED]
-	obj.setValue(KeyManager().generateKey(), forKey: "myKey") // BAD [NOT DETECTED]
-	obj.setValue(SecureKeyStore().getEncryptionKey(), forKey: "myKey") // BAD [NOT DETECTED]
+	obj.setValue(KeyGen().generate(), forKey: "myKey") // $ MISSING: Alert[swift/cleartext-storage-database] // BAD [NOT DETECTED]
+	obj.setValue(gen.generate(), forKey: "myKey") // $ MISSING: Alert[swift/cleartext-storage-database] // BAD [NOT DETECTED]
+	obj.setValue(v, forKey: "myKey") // $ MISSING: Alert[swift/cleartext-storage-database] // BAD [NOT DETECTED]
+	obj.setValue(KeyManager().generateKey(), forKey: "myKey") // $ MISSING: Alert[swift/cleartext-storage-database] // BAD [NOT DETECTED]
+	obj.setValue(SecureKeyStore().getEncryptionKey(), forKey: "myKey") // $ MISSING: Alert[swift/cleartext-storage-database] // BAD [NOT DETECTED]
 }

swift/ql/test/query-tests/Security/CWE-311/testCoreData2.swift

@@ -35,21 +35,21 @@ func testCoreData2_1(obj: MyManagedObject2, maybeObj: MyManagedObject2?, value:
 	// @NSManaged fields of an NSManagedObject...
 	obj.myValue = value // GOOD (not sensitive)
 	obj.myValue = bankAccountNo // $ Alert[swift/cleartext-storage-database]
-	obj.myBankAccountNumber = value // BAD [NOT DETECTED]
+	obj.myBankAccountNumber = value // $ MISSING: Alert[swift/cleartext-storage-database] // BAD [NOT DETECTED]
 	obj.myBankAccountNumber = bankAccountNo // $ Alert[swift/cleartext-storage-database]
-	obj.myBankAccountNumber2 = value // BAD [NOT DETECTED]
+	obj.myBankAccountNumber2 = value // $ MISSING: Alert[swift/cleartext-storage-database] // BAD [NOT DETECTED]
 	obj.myBankAccountNumber2 = bankAccountNo // $ Alert[swift/cleartext-storage-database]
 	obj.notStoredBankAccountNumber = value // GOOD (not stored in the database)
-	obj.notStoredBankAccountNumber = bankAccountNo // $ Alert[swift/cleartext-storage-database] // GOOD (not stored in the datbase) [FALSE POSITIVE]
+	obj.notStoredBankAccountNumber = bankAccountNo // $ SPURIOUS: Alert[swift/cleartext-storage-database] // GOOD (not stored in the datbase) [FALSE POSITIVE]
 
 	maybeObj?.myValue = value // GOOD (not sensitive)
 	maybeObj?.myValue = bankAccountNo // $ Alert[swift/cleartext-storage-database]
-	maybeObj?.myBankAccountNumber = value // BAD [NOT DETECTED]
+	maybeObj?.myBankAccountNumber = value // $ MISSING: Alert[swift/cleartext-storage-database] // BAD [NOT DETECTED]
 	maybeObj?.myBankAccountNumber = bankAccountNo // $ Alert[swift/cleartext-storage-database]
-	maybeObj?.myBankAccountNumber2 = value // BAD [NOT DETECTED]
+	maybeObj?.myBankAccountNumber2 = value // $ MISSING: Alert[swift/cleartext-storage-database] // BAD [NOT DETECTED]
 	maybeObj?.myBankAccountNumber2 = bankAccountNo // $ Alert[swift/cleartext-storage-database]
 	maybeObj?.notStoredBankAccountNumber = value // GOOD (not stored in the database)
-	maybeObj?.notStoredBankAccountNumber = bankAccountNo // $ Alert[swift/cleartext-storage-database] // GOOD (not stored in the datbase) [FALSE POSITIVE]
+	maybeObj?.notStoredBankAccountNumber = bankAccountNo // $ SPURIOUS: Alert[swift/cleartext-storage-database] // GOOD (not stored in the datbase) [FALSE POSITIVE]
 }
 
 class testCoreData2_2 {
@@ -102,5 +102,5 @@ func testCoreData2_3(dbObj: MyManagedObject2, maybeObj: MyManagedObject2?, conta
 	var f: MyContainer?
 	f?.value = e.value
 	dbObj.myValue = e.value // $ Alert[swift/cleartext-storage-database]
-	dbObj.myValue = e.value2 // $ Alert[swift/cleartext-storage-database] // GOOD [FALSE POSITIVE]
+	dbObj.myValue = e.value2 // $ SPURIOUS: Alert[swift/cleartext-storage-database] // GOOD [FALSE POSITIVE]
 }