hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-27 17:55:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Address review comment.

Browse Source
This commit is contained in:
Max Schaefer
2023-10-27 10:09:47 +01:00
parent 08cc8b8e80
commit 104700f6d3
6 changed files with 35 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql
View File

@@ -24,6 +24,6 @@ where
sourceNode = source.getNode() and
sinkNode = sink.getNode() and
not sourceNode instanceof CleartextPasswordExpr // flagged by js/insufficient-password-hash
select sinkNode, source, sink,
"A broken or weak cryptographic algorithm (configured $@) depends on $@.",
sinkNode.getInitialization(), "here", sourceNode, "sensitive data from " + sourceNode.describe()
select sinkNode, source, sink, "$@ depends on $@.", sinkNode.getInitialization(),
"A broken or weak cryptographic algorithm", sourceNode,
"sensitive data from " + sourceNode.describe()

10
javascript/ql/test/query-tests/Security/CWE-327/BrokenCryptoAlgorithm.expected
View File

@@ -26,8 +26,8 @@ edges
| tst.js:19:17:19:24 | password | tst.js:19:17:19:24 | password |
| tst.js:22:21:22:30 | secretText | tst.js:22:21:22:30 | secretText |
#select
| tst.js:11:17:11:26 | secretText | tst.js:3:18:3:24 | trusted | tst.js:11:17:11:26 | secretText | A broken or weak cryptographic algorithm (configured $@) depends on $@. | tst.js:5:19:5:49 | crypto. ... ', key) | here | tst.js:3:18:3:24 | trusted | sensitive data from an access to trusted |
| tst.js:11:17:11:26 | secretText | tst.js:11:17:11:26 | secretText | tst.js:11:17:11:26 | secretText | A broken or weak cryptographic algorithm (configured $@) depends on $@. | tst.js:5:19:5:49 | crypto. ... ', key) | here | tst.js:11:17:11:26 | secretText | sensitive data from an access to secretText |
| tst.js:17:17:17:25 | o.trusted | tst.js:17:17:17:25 | o.trusted | tst.js:17:17:17:25 | o.trusted | A broken or weak cryptographic algorithm (configured $@) depends on $@. | tst.js:5:19:5:49 | crypto. ... ', key) | here | tst.js:17:17:17:25 | o.trusted | sensitive data from an access to trusted |
| tst.js:22:21:22:30 | secretText | tst.js:3:18:3:24 | trusted | tst.js:22:21:22:30 | secretText | A broken or weak cryptographic algorithm (configured $@) depends on $@. | tst.js:21:22:21:60 | crypto. ... ', key) | here | tst.js:3:18:3:24 | trusted | sensitive data from an access to trusted |
| tst.js:22:21:22:30 | secretText | tst.js:22:21:22:30 | secretText | tst.js:22:21:22:30 | secretText | A broken or weak cryptographic algorithm (configured $@) depends on $@. | tst.js:21:22:21:60 | crypto. ... ', key) | here | tst.js:22:21:22:30 | secretText | sensitive data from an access to secretText |
| tst.js:11:17:11:26 | secretText | tst.js:3:18:3:24 | trusted | tst.js:11:17:11:26 | secretText | $@ depends on $@. | tst.js:5:19:5:49 | crypto. ... ', key) | A broken or weak cryptographic algorithm | tst.js:3:18:3:24 | trusted | sensitive data from an access to trusted |
| tst.js:11:17:11:26 | secretText | tst.js:11:17:11:26 | secretText | tst.js:11:17:11:26 | secretText | $@ depends on $@. | tst.js:5:19:5:49 | crypto. ... ', key) | A broken or weak cryptographic algorithm | tst.js:11:17:11:26 | secretText | sensitive data from an access to secretText |
| tst.js:17:17:17:25 | o.trusted | tst.js:17:17:17:25 | o.trusted | tst.js:17:17:17:25 | o.trusted | $@ depends on $@. | tst.js:5:19:5:49 | crypto. ... ', key) | A broken or weak cryptographic algorithm | tst.js:17:17:17:25 | o.trusted | sensitive data from an access to trusted |
| tst.js:22:21:22:30 | secretText | tst.js:3:18:3:24 | trusted | tst.js:22:21:22:30 | secretText | $@ depends on $@. | tst.js:21:22:21:60 | crypto. ... ', key) | A broken or weak cryptographic algorithm | tst.js:3:18:3:24 | trusted | sensitive data from an access to trusted |
| tst.js:22:21:22:30 | secretText | tst.js:22:21:22:30 | secretText | tst.js:22:21:22:30 | secretText | $@ depends on $@. | tst.js:21:22:21:60 | crypto. ... ', key) | A broken or weak cryptographic algorithm | tst.js:22:21:22:30 | secretText | sensitive data from an access to secretText |

4
python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql
View File

@@ -23,5 +23,5 @@ where
)
or
operation.getBlockMode().isWeak() and msgPrefix = "The block mode " + operation.getBlockMode()
select operation, msgPrefix + " (configured $@) is broken or weak, and should not be used.",
operation.getInitialization(), "here"
select operation, "$@ is broken or weak, and should not be used.", operation.getInitialization(),
msgPrefix

8
python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/BrokenCryptoAlgorithm.expected
View File

@@ -1,4 +1,4 @@
| test_cryptodome.py:11:13:11:42 | ControlFlowNode for Attribute() | The cryptographic algorithm ARC4 (configured $@) is broken or weak, and should not be used. | test_cryptodome.py:10:10:10:22 | ControlFlowNode for Attribute() | here |
| test_cryptodome.py:16:13:16:42 | ControlFlowNode for Attribute() | The block mode ECB (configured $@) is broken or weak, and should not be used. | test_cryptodome.py:15:10:15:35 | ControlFlowNode for Attribute() | here |
| test_cryptography.py:13:13:13:44 | ControlFlowNode for Attribute() | The cryptographic algorithm ARC4 (configured $@) is broken or weak, and should not be used. | test_cryptography.py:12:13:12:30 | ControlFlowNode for Attribute() | here |
| test_cryptography.py:22:13:22:58 | ControlFlowNode for Attribute() | The block mode ECB (configured $@) is broken or weak, and should not be used. | test_cryptography.py:21:13:21:30 | ControlFlowNode for Attribute() | here |
| test_cryptodome.py:11:13:11:42 | ControlFlowNode for Attribute() | $@ is broken or weak, and should not be used. | test_cryptodome.py:10:10:10:22 | ControlFlowNode for Attribute() | The cryptographic algorithm ARC4 |
| test_cryptodome.py:16:13:16:42 | ControlFlowNode for Attribute() | $@ is broken or weak, and should not be used. | test_cryptodome.py:15:10:15:35 | ControlFlowNode for Attribute() | The block mode ECB |
| test_cryptography.py:13:13:13:44 | ControlFlowNode for Attribute() | $@ is broken or weak, and should not be used. | test_cryptography.py:12:13:12:30 | ControlFlowNode for Attribute() | The cryptographic algorithm ARC4 |
| test_cryptography.py:22:13:22:58 | ControlFlowNode for Attribute() | $@ is broken or weak, and should not be used. | test_cryptography.py:21:13:21:30 | ControlFlowNode for Attribute() | The block mode ECB |

4
ruby/ql/src/queries/security/cwe-327/BrokenCryptoAlgorithm.ql
View File

@@ -23,5 +23,5 @@ where
)
or
operation.getBlockMode().isWeak() and msgPrefix = "The block mode " + operation.getBlockMode()
select operation, msgPrefix + " (configured $@) is broken or weak, and should not be used.",
operation.getInitialization(), "here"
select operation, "$@ is broken or weak, and should not be used.", operation.getInitialization(),
msgPrefix

38
ruby/ql/test/query-tests/security/cwe-327/BrokenCryptoAlgorithm.expected
View File

@@ -1,19 +1,19 @@
| broken_crypto.rb:4:8:4:34 | call to new | The cryptographic algorithm DES (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:4:8:4:34 | call to new | here |
| broken_crypto.rb:8:1:8:18 | call to update | The cryptographic algorithm DES (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:8:1:8:4 | weak | here |
| broken_crypto.rb:12:8:12:43 | call to new | The block mode ECB (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:12:8:12:43 | call to new | here |
| broken_crypto.rb:16:1:16:18 | call to update | The block mode ECB (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:16:1:16:4 | weak | here |
| broken_crypto.rb:28:1:28:35 | call to new | The block mode ECB (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:28:1:28:35 | call to new | here |
| broken_crypto.rb:37:1:37:33 | call to new | The block mode ECB (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:37:1:37:33 | call to new | here |
| broken_crypto.rb:42:1:42:33 | call to new | The block mode ECB (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:42:1:42:33 | call to new | here |
| broken_crypto.rb:47:1:47:33 | call to new | The block mode ECB (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:47:1:47:33 | call to new | here |
| broken_crypto.rb:52:1:52:29 | call to new | The block mode ECB (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:52:1:52:29 | call to new | here |
| broken_crypto.rb:57:1:57:32 | call to new | The block mode ECB (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:57:1:57:32 | call to new | here |
| broken_crypto.rb:60:1:60:24 | call to new | The cryptographic algorithm DES (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:60:1:60:24 | call to new | here |
| broken_crypto.rb:62:1:62:30 | call to new | The cryptographic algorithm DES (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:62:1:62:30 | call to new | here |
| broken_crypto.rb:67:1:67:31 | call to new | The block mode ECB (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:67:1:67:31 | call to new | here |
| broken_crypto.rb:70:1:70:24 | call to new | The cryptographic algorithm RC2 (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:70:1:70:24 | call to new | here |
| broken_crypto.rb:72:1:72:30 | call to new | The block mode ECB (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:72:1:72:30 | call to new | here |
| broken_crypto.rb:72:1:72:30 | call to new | The cryptographic algorithm RC2 (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:72:1:72:30 | call to new | here |
| broken_crypto.rb:75:1:75:24 | call to new | The cryptographic algorithm RC4 (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:75:1:75:24 | call to new | here |
| broken_crypto.rb:77:1:77:29 | call to new | The cryptographic algorithm RC4 (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:77:1:77:29 | call to new | here |
| broken_crypto.rb:79:1:79:35 | call to new | The cryptographic algorithm RC4 (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:79:1:79:35 | call to new | here |
| broken_crypto.rb:4:8:4:34 | call to new | $@ is broken or weak, and should not be used. | broken_crypto.rb:4:8:4:34 | call to new | The cryptographic algorithm DES |
| broken_crypto.rb:8:1:8:18 | call to update | $@ is broken or weak, and should not be used. | broken_crypto.rb:8:1:8:4 | weak | The cryptographic algorithm DES |
| broken_crypto.rb:12:8:12:43 | call to new | $@ is broken or weak, and should not be used. | broken_crypto.rb:12:8:12:43 | call to new | The block mode ECB |
| broken_crypto.rb:16:1:16:18 | call to update | $@ is broken or weak, and should not be used. | broken_crypto.rb:16:1:16:4 | weak | The block mode ECB |
| broken_crypto.rb:28:1:28:35 | call to new | $@ is broken or weak, and should not be used. | broken_crypto.rb:28:1:28:35 | call to new | The block mode ECB |
| broken_crypto.rb:37:1:37:33 | call to new | $@ is broken or weak, and should not be used. | broken_crypto.rb:37:1:37:33 | call to new | The block mode ECB |
| broken_crypto.rb:42:1:42:33 | call to new | $@ is broken or weak, and should not be used. | broken_crypto.rb:42:1:42:33 | call to new | The block mode ECB |
| broken_crypto.rb:47:1:47:33 | call to new | $@ is broken or weak, and should not be used. | broken_crypto.rb:47:1:47:33 | call to new | The block mode ECB |
| broken_crypto.rb:52:1:52:29 | call to new | $@ is broken or weak, and should not be used. | broken_crypto.rb:52:1:52:29 | call to new | The block mode ECB |
| broken_crypto.rb:57:1:57:32 | call to new | $@ is broken or weak, and should not be used. | broken_crypto.rb:57:1:57:32 | call to new | The block mode ECB |
| broken_crypto.rb:60:1:60:24 | call to new | $@ is broken or weak, and should not be used. | broken_crypto.rb:60:1:60:24 | call to new | The cryptographic algorithm DES |
| broken_crypto.rb:62:1:62:30 | call to new | $@ is broken or weak, and should not be used. | broken_crypto.rb:62:1:62:30 | call to new | The cryptographic algorithm DES |
| broken_crypto.rb:67:1:67:31 | call to new | $@ is broken or weak, and should not be used. | broken_crypto.rb:67:1:67:31 | call to new | The block mode ECB |
| broken_crypto.rb:70:1:70:24 | call to new | $@ is broken or weak, and should not be used. | broken_crypto.rb:70:1:70:24 | call to new | The cryptographic algorithm RC2 |
| broken_crypto.rb:72:1:72:30 | call to new | $@ is broken or weak, and should not be used. | broken_crypto.rb:72:1:72:30 | call to new | The block mode ECB |
| broken_crypto.rb:72:1:72:30 | call to new | $@ is broken or weak, and should not be used. | broken_crypto.rb:72:1:72:30 | call to new | The cryptographic algorithm RC2 |
| broken_crypto.rb:75:1:75:24 | call to new | $@ is broken or weak, and should not be used. | broken_crypto.rb:75:1:75:24 | call to new | The cryptographic algorithm RC4 |
| broken_crypto.rb:77:1:77:29 | call to new | $@ is broken or weak, and should not be used. | broken_crypto.rb:77:1:77:29 | call to new | The cryptographic algorithm RC4 |
| broken_crypto.rb:79:1:79:35 | call to new | $@ is broken or weak, and should not be used. | broken_crypto.rb:79:1:79:35 | call to new | The cryptographic algorithm RC4 |