Swift: Extend swift/weak-sensitive-data-hashing, swift/weak-password-hashing sinks

[geoffw0]

Extend sinks for swift/weak-sensitive-data-hashing and swift/weak-password-hashing, specifically the sinks that model CryptoKit. It turns out many calls to these functions are (implicitly) made with a metatype as the qualifier (e.g. Insecure.MD5.Type rather than Insecure.MD5), which the models-as-data sinks don't match (reliably?). The new sinks added here accept calls that have the metatype as qualifier.

This was seen in the wild but I had to make the tests more realistic before it affected tests - see commit-by-commit, where you can see many results lost when I made the tests closer to reality, then gained back with the new models. On the real world database we simply gain a result that was previously missed.

MRVA also shows a handful of new results (for swift/weak-sensitive-data-hashing); I'll start a DCA run shortly as well.

---

It seems likely we miss other sources / sinks besides these ones due to similar patterns involving metatypes. There's an opportunity to improve modelling here - but a better solution would be to resolve metatypes for models-as-data, so that these new models are not required. This is left as future work.

[Copilot]

Pull request overview

This PR extends the Swift security models for weak hashing to correctly treat CryptoKit hashing calls as sinks even when the call is qualified by a metatype (for example Insecure.MD5.Type / Insecure.MD5.self), and updates the Swift query tests and expected results accordingly.

Changes:

• Added additional CryptoKit sink rows for hash(bufferPointer:) across relevant weak-hashing queries.
• Introduced metatype-qualified sink matching for weak sensitive-data hashing and weak password hashing.
• Updated CWE-328 Swift tests and .expected outputs; added a change note documenting the analysis-impacting change.

Show a summary per file

File	Description
swift/ql/lib/codeql/swift/security/WeakSensitiveDataHashingExtensions.qll	Adds CryptoKit hash(bufferPointer:) sinks and a metatype-qualified sink class for MD5/SHA1.
swift/ql/lib/codeql/swift/security/WeakPasswordHashingExtensions.qll	Adds CryptoKit hash(bufferPointer:) sinks and a metatype-qualified sink class for SHA256/SHA384/SHA512.
swift/ql/test/query-tests/Security/CWE-328/testCryptoKit.swift	Makes stubs more CryptoKit-like, adds new test cases for metatype-qualified calls, and fixes a test function name typo.
swift/ql/test/query-tests/Security/CWE-328/WeakSensitiveDataHashing.expected	Updates expected results to reflect new sink coverage and added test cases.
swift/ql/test/query-tests/Security/CWE-328/WeakPasswordHashing.expected	Updates expected results to reflect new sink coverage and added test cases.
swift/ql/src/change-notes/2026-05-26-hashing-sinks.md	Documents that the queries may produce additional results after improved sink recognition.

Copilot's findings

• Files reviewed: 6/6 changed files
• Comments generated: 3

[geoffw0]

I see what you mean, but consistency is not a goal for tests like these. We actually want as much variation as we can to maximize test coverage (though it is unlikely the semicolons will make any difference).

[jketema]

Is there actually a bug in MaD here, and should we be using the predicate I added here: #21831?

[jketema]

LGTM if DCA is happy. You might want to address at least the two typos Copilot spotted, and fix the formatting of course.

[geoffw0]

Is there actually a bug in MaD here

Yes, this can probably be described as either a bug or a missing feature, possibly in ExternalFlow.qlls interpretElement0.

should we be using the predicate I added here: #21831?

What do you think getDeclaredInterfaceType() can do for us here?

You might want to address at least the two typos Copilot spotted, and fix the formatting of course.

Concerned addressed, or in one case, answered.