From 561321f69d28a76d71dbda47e9f4ac155a939e62 Mon Sep 17 00:00:00 2001
From: Jami Cogswell
Date: Sun, 24 Nov 2024 16:32:31 -0500
Subject: [PATCH] Java: add SHA224 and SHA384 to list of secure algorithms
---
 java/ql/lib/semmle/code/java/security/Encryption.qll | 4 ++--
 java/ql/src/change-notes/2024-11-24-sha2.md | 4 ++++
 .../security/CWE-327/semmle/tests/WeakHashing.java | 5 ++++-
 3 files changed, 10 insertions(+), 3 deletions(-)
 create mode 100644 java/ql/src/change-notes/2024-11-24-sha2.md
diff --git a/java/ql/lib/semmle/code/java/security/Encryption.qll b/java/ql/lib/semmle/code/java/security/Encryption.qll
index 80b41233bde3..ce06d927a3dd 100644
--- a/java/ql/lib/semmle/code/java/security/Encryption.qll
+++ b/java/ql/lib/semmle/code/java/security/Encryption.qll
@@ -249,8 +249,8 @@ string getInsecureAlgorithmRegex() {
 string getASecureAlgorithmName() {
 result =
 [
- "RSA", "SHA-?256", "SHA-?512", "CCM", "GCM", "AES(?![^a-zA-Z](ECB|CBC/PKCS[57]Padding))",
- "Blowfish", "ECIES", "SHA3-(224|256|384|512)"
+ "RSA", "SHA-?(224|256|384|512)", "SHA3-(224|256|384|512)", "CCM", "GCM",
+ "AES(?![^a-zA-Z](ECB|CBC/PKCS[57]Padding))", "Blowfish", "ECIES"
 ]
 }
diff --git a/java/ql/src/change-notes/2024-11-24-sha2.md b/java/ql/src/change-notes/2024-11-24-sha2.md
new file mode 100644
index 000000000000..19461c179d53
--- /dev/null
+++ b/java/ql/src/change-notes/2024-11-24-sha2.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added SHA-224 and SHA-384 to the list of secure hashing algorithms. As a result the `java/potentially-weak-cryptographic-algorithm` query should no longer flag up uses of these algorithms.
diff --git a/java/ql/test/query-tests/security/CWE-327/semmle/tests/WeakHashing.java b/java/ql/test/query-tests/security/CWE-327/semmle/tests/WeakHashing.java
index 8858576cb904..c79c025a41c8 100644
--- a/java/ql/test/query-tests/security/CWE-327/semmle/tests/WeakHashing.java
+++ b/java/ql/test/query-tests/security/CWE-327/semmle/tests/WeakHashing.java
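Review bot: In `getASecureAlgorithmName` (Encryption.qll), the merged fragment `"SHA-?(224|256|384|512)"` leaves it unstated how the truncated SHA-2 names `SHA-512/224` and `SHA-512/256` are classified; whether they are accepted through the `512` alternative depends on how the caller anchors these fragments, which is outside the hunk. I would add a comment above the list, `// Regex fragments: "-?" accepts both "SHA-384" and "SHA384"; truncated forms such as "SHA-512/256" are not listed separately.`, and pin the intended result with a test case. The list mixes digests, ciphers and modes, so the same comment could state that an entry here only means the weak-algorithm query stays silent for that name.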
@@ -19,7 +19,7 @@ void hashing() throws NoSuchAlgorithmException, IOException {
 // BAD: Using a strong hashing algorithm but with a weak default
 MessageDigest bad3 = MessageDigest.getInstance(props.getProperty("hashAlg2", "MD5"));
-
+
 // GOOD: Using a strong hashing algorithm
 MessageDigest ok = MessageDigest.getInstance(props.getProperty("hashAlg2"));
@@ -28,5 +28,8 @@ void hashing() throws NoSuchAlgorithmException, IOException {
 // GOOD: Using a strong hashing algorithm
 MessageDigest ok3 = MessageDigest.getInstance("SHA3-512");
+
+ // GOOD: Using a strong hashing algorithm
+ MessageDigest ok4 = MessageDigest.getInstance("SHA384");
 }
 }
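Review bot: The added `ok4` case in the second hunk exercises only the un-hyphenated `SHA384` spelling, while the library change in this commit also starts accepting `SHA-384`, `SHA224` and `SHA-224`. Since `SHA-224` and `SHA-384` are the standard JCA names, I would add at least `MessageDigest ok5 = MessageDigest.getInstance("SHA-224");` under the same `// GOOD` comment so the hyphenated form and the 224 alternative are both covered. The body of `hashing()` starts outside the hunk.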