From 05b6700607e437b363633ed2cb1bdd02a0557351 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Mon, 25 Nov 2024 09:22:37 -0500 Subject: [PATCH] Java: add SHA384 to list of secure algorithms --- java/ql/lib/semmle/code/java/security/Encryption.qll | 2 +- java/ql/src/change-notes/2024-11-24-sha2.md | 4 ++++ .../security/CWE-327/semmle/tests/WeakHashing.java | 5 ++++- 3 files changed, 9 insertions(+), 2 deletions(-) create mode 100644 java/ql/src/change-notes/2024-11-24-sha2.md diff --git a/java/ql/lib/semmle/code/java/security/Encryption.qll b/java/ql/lib/semmle/code/java/security/Encryption.qll index dae80b19be19..7c9c5ec60dbf 100644 --- a/java/ql/lib/semmle/code/java/security/Encryption.qll +++ b/java/ql/lib/semmle/code/java/security/Encryption.qll @@ -246,7 +246,7 @@ string getInsecureAlgorithmRegex() { string getASecureAlgorithmName() { result = [ - "RSA", "SHA-?256", "SHA-?512", "CCM", "GCM", "AES(?![^a-zA-Z](ECB|CBC/PKCS[57]Padding))", + "RSA", "SHA-?(256|384|512)", "CCM", "GCM", "AES(?![^a-zA-Z](ECB|CBC/PKCS[57]Padding))", "Blowfish", "ECIES", "SHA3-(256|384|512)" ] } diff --git a/java/ql/src/change-notes/2024-11-24-sha2.md b/java/ql/src/change-notes/2024-11-24-sha2.md new file mode 100644 index 000000000000..395ea04b782e --- /dev/null +++ b/java/ql/src/change-notes/2024-11-24-sha2.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* Added SHA-384 to the list of secure hashing algorithms. As a result the `java/potentially-weak-cryptographic-algorithm` query should no longer flag up uses of SHA-384. diff --git a/java/ql/test/query-tests/security/CWE-327/semmle/tests/WeakHashing.java b/java/ql/test/query-tests/security/CWE-327/semmle/tests/WeakHashing.java index 8858576cb904..c79c025a41c8 100644 --- a/java/ql/test/query-tests/security/CWE-327/semmle/tests/WeakHashing.java +++ b/java/ql/test/query-tests/security/CWE-327/semmle/tests/WeakHashing.java @@ -19,7 +19,7 @@ void hashing() throws NoSuchAlgorithmException, IOException { // BAD: Using a strong hashing algorithm but with a weak default MessageDigest bad3 = MessageDigest.getInstance(props.getProperty("hashAlg2", "MD5")); - + // GOOD: Using a strong hashing algorithm MessageDigest ok = MessageDigest.getInstance(props.getProperty("hashAlg2")); @@ -28,5 +28,8 @@ void hashing() throws NoSuchAlgorithmException, IOException { // GOOD: Using a strong hashing algorithm MessageDigest ok3 = MessageDigest.getInstance("SHA3-512"); + + // GOOD: Using a strong hashing algorithm + MessageDigest ok4 = MessageDigest.getInstance("SHA384"); } }