Java: Improve weak crypto query #17869

Merged
merged 1 commit into from
Nov 24, 2024
5 changes: 1 addition & 4 deletions java/ql/lib/semmle/code/java/security/Encryption.qll
Expand Up @@ -223,10 +223,7 @@ string getAnInsecureHashAlgorithmName() {
}

private string rankedInsecureAlgorithm(int i) {
// In this case we know these are being used for encryption, so we want to match
// weak hash algorithms too.
result =
rank[i](string s | s = getAnInsecureAlgorithmName() or s = getAnInsecureHashAlgorithmName())
result = rank[i](string s | s = getAnInsecureAlgorithmName())
}

private string insecureAlgorithmString(int i) {
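Review bot: In `rankedInsecureAlgorithm`, the new one-line body drops the only comment about how hash names are treated, and nothing at the predicate now says that leaving out `getAnInsecureHashAlgorithmName()` is deliberate. Because this sits in the shared `Encryption.qll` library, anything built on `rankedInsecureAlgorithm` (such as `insecureAlgorithmString` just below) changes behaviour as well, not only a single query. Suggest a short comment on the predicate stating that weak hash names are intentionally excluded and why, so a later edit does not quietly re-add them.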
Expand Up @@ -30,7 +30,11 @@ class InsecureAlgoLiteral extends InsecureAlgorithm, ShortStringLiteral {
s.length() > 1 and
not s.regexpMatch(getSecureAlgorithmRegex()) and
// Exclude results covered by another query.
not s.regexpMatch(getInsecureAlgorithmRegex())
not s.regexpMatch(getInsecureAlgorithmRegex()) and
// Exclude results covered by `InsecureAlgoProperty`.
// This removes duplicates when a string literal is a default value for the property,
// such as "MD5" in the following: `props.getProperty("hashAlg2", "MD5")`.
not exists(InsecureAlgoProperty insecAlgoProp | this = insecAlgoProp.getAnArgument())
)
}
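Review bot: On the new `not exists(InsecureAlgoProperty insecAlgoProp | this = insecAlgoProp.getAnArgument())` line, `getAnArgument()` matches the literal in any argument position, while the comment above it only justifies suppressing a default value such as "MD5" in `props.getProperty("hashAlg2", "MD5")`. If only the default value is meant, restrict the match to that argument; if any argument is meant, widen the comment to say so. A test case where the literal appears as the property key rather than the default would pin the intended behaviour down.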

4 changes: 4 additions & 0 deletions java/ql/src/change-notes/2024-10-29-weak-crypto-hash.md
@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The `java/weak-cryptographic-algorithm` query has been updated to no longer report uses of hash functions such as `MD5` and `SHA1` even if they are known to be weak. These hash algorithms are used very often in non-sensitive contexts, making the query too imprecise in practice. The `java/potentially-weak-cryptographic-algorithm` query has been updated to report these uses instead.
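Review bot: The change note says `MD5` and `SHA1` are no longer reported by `java/weak-cryptographic-algorithm`, but it does not spell out the consequence for users who run only that query: those findings disappear for them unless `java/potentially-weak-cryptographic-algorithm` is also enabled. Suggest adding a sentence to that effect. The phrase "even if they are known to be weak" could also be tightened, since it reads as if weak hashes are acceptable rather than being moved to a different query.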
@@ -1,14 +1,8 @@
#select
| Test.java:19:20:19:50 | getInstance(...) | Test.java:19:45:19:49 | "DES" | Test.java:19:45:19:49 | "DES" | Cryptographic algorithm $@ is weak and should not be used. | Test.java:19:45:19:49 | "DES" | DES |
| Test.java:42:14:42:38 | getInstance(...) | Test.java:42:33:42:37 | "RC2" | Test.java:42:33:42:37 | "RC2" | Cryptographic algorithm $@ is weak and should not be used. | Test.java:42:33:42:37 | "RC2" | RC2 |
| WeakHashing.java:21:30:21:92 | getInstance(...) | WeakHashing.java:21:86:21:90 | "MD5" : String | WeakHashing.java:21:56:21:91 | getProperty(...) | Cryptographic algorithm $@ is weak and should not be used. | WeakHashing.java:21:86:21:90 | "MD5" | MD5 |
edges
| WeakHashing.java:21:86:21:90 | "MD5" : String | WeakHashing.java:21:56:21:91 | getProperty(...) | provenance | MaD:1 |
models
| 1 | Summary: java.util; Properties; true; getProperty; (String,String); ; Argument[1]; ReturnValue; value; manual |
nodes
| Test.java:19:45:19:49 | "DES" | semmle.label | "DES" |
| Test.java:42:33:42:37 | "RC2" | semmle.label | "RC2" |
| WeakHashing.java:21:56:21:91 | getProperty(...) | semmle.label | getProperty(...) |
| WeakHashing.java:21:86:21:90 | "MD5" : String | semmle.label | "MD5" : String |
subpaths
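Review bot: With the `WeakHashing.java:21` rows removed, the `edges` and `models` sections become empty and only the direct "DES" and "RC2" literals remain, so this expected output no longer exercises flow through `Properties.getProperty` (the `MaD:1` model from `Argument[1]` to `ReturnValue`) for this query. Suggest adding a test case that passes a weak cipher name such as "DES" as a property default, so that path stays covered. The lines shown here also do not include an expected result for the potentially-weak query asserting that the "MD5" default on `WeakHashing.java:21` is reported exactly once.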