hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Crypto: Modify suggested queries per misc. side conversations on standards. Remove redundant query. Fix QL-for-QL issues.

Browse Source
This commit is contained in:
REDMOND\brodes
2025-10-08 10:21:06 -04:00
parent cf88e3f52d
commit 1b1b333e8b
9 changed files with 59 additions and 47 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
java/ql/src/experimental/quantum/Analysis/NonceReuse.ql
View File

@@ -1,17 +0,0 @@
/**
* @name Reuse of cryptographic nonce
* @description Reuse of nonce in cryptographic operations can lead to vulnerabilities.
* @id java/quantum/reused-nonce
* @kind problem
* @problem.severity error
* @precision medium
* @tags quantum
* experimental
*/
import java
import ArtifactReuse
from Crypto::NonceArtifactNode nonce1, Crypto::NonceArtifactNode nonce2
where isArtifactReuse(nonce1, nonce2)
select nonce1, "Reuse with nonce $@", nonce2, nonce2.toString()

2
java/ql/src/experimental/quantum/Analysis/ReusedNonce.ql
View File

@@ -4,7 +4,7 @@
* @id java/quantum/reused-nonce
* @kind problem
* @problem.severity error
* @precision medium
* @precision high
* @tags quantum
* experimental
*/

6
java/ql/src/experimental/quantum/Analysis/WeakAsymmetric.ql
View File

@@ -1,5 +1,5 @@
/**
* @name Weak Asymetric Key Size
* @name Weak Asymmetric Key Size
* @id java/quantum/weak-asymmetric-key-size
* @description An asymmetric cipher with a short key size is in use
* @kind problem
@@ -20,5 +20,5 @@ where
// Can't be an elliptic curve
not Crypto::isEllipticCurveAlgorithmName(algName)
select op,
"Use of weak asymmetric key size (int bits)" + keySize.toString() + " for algorithm " +
algName.toString() + " at config source $@", configSrc, configSrc.toString()
"Use of weak asymmetric key size (" + keySize.toString() + " bits) for algorithm " +
algName.toString() + " at config source $@", configSrc, configSrc.toString()

14
java/ql/src/experimental/quantum/Analysis/WeakBlockModes.ql
View File

@@ -15,15 +15,17 @@ import experimental.quantum.Language
class WeakAESBlockModeAlgNode extends Crypto::KeyOperationAlgorithmNode {
WeakAESBlockModeAlgNode() {
this.getAlgorithmType() = Crypto::KeyOpAlg::TSymmetricCipher(Crypto::KeyOpAlg::AES()) and
(this.getModeOfOperation().getModeType() = Crypto::KeyOpAlg::ECB() or
this.getModeOfOperation().getModeType() = Crypto::KeyOpAlg::CFB() or
this.getModeOfOperation().getModeType() = Crypto::KeyOpAlg::OFB() or
this.getModeOfOperation().getModeType() = Crypto::KeyOpAlg::CTR()
(
this.getModeOfOperation().getModeType() = Crypto::KeyOpAlg::ECB() or
this.getModeOfOperation().getModeType() = Crypto::KeyOpAlg::CFB() or
this.getModeOfOperation().getModeType() = Crypto::KeyOpAlg::OFB() or
this.getModeOfOperation().getModeType() = Crypto::KeyOpAlg::CTR()
)
}
}
from Crypto::KeyOperationNode op, Crypto::KeyOperationOutputNode codeNode
where op.getAKnownAlgorithm() instanceof WeakAESBlockModeAlgNode and
codeNode = op.getAnOutputArtifact()
where
op.getAKnownAlgorithm() instanceof WeakAESBlockModeAlgNode and
codeNode = op.getAnOutputArtifact()
select op, "Weak AES block mode instance."

25
java/ql/src/experimental/quantum/Analysis/WeakHashing.ql
View File

@@ -1,19 +1,34 @@
/**
* @name Weak hashes
* @description Finds uses of cryptographic hashing algorithms that are unapproved or otherwise weak.
* @id java/quantum/slices/weak-hashes
* @id java/quantum/weak-hashes
* @kind problem
* @problem.severity error
* @precision high
* @tags external/cwe/cwe-327
* quantum
* experimental
*/
import java
import experimental.quantum.Language
from Crypto::HashAlgorithmNode alg, string name, string msg
from Crypto::HashAlgorithmNode alg, Crypto::HashType htype, string msg
where
name = alg.getAlgorithmName() and
not name in ["SHA256", "SHA384", "SHA512", "SHA-256", "SHA-384", "SHA-512"] and
msg = "Use of unapproved hash algorithm or API " + name + "."
htype = alg.getHashType() and
(
htype != Crypto::SHA2() and
msg = "Use of unapproved hash algorithm or API " + htype.toString() + "."
or
htype = Crypto::SHA2() and
not exists(alg.getDigestLength()) and
msg =
"Use of approved hash algorithm or API type " + htype.toString() + " but unknown digest size."
or
htype = Crypto::SHA2() and
alg.getDigestLength() < 256 and
msg =
"Use of approved hash algorithm or API type " + htype.toString() + " but weak digest size (" +
alg.getDigestLength() + ")."
)
select alg, msg

4
java/ql/src/experimental/quantum/Analysis/WeakKDFKeySize.ql
View File

@@ -1,7 +1,7 @@
/**
* @name Weak known key derivation function output length
* @description Detects key derivation operations with a known weak output length
* @id java/quantum/weak-kdf-iteration-count
* @id java/quantum/weak-kdf-key-size
* @kind problem
* @problem.severity error
* @precision high
@@ -17,4 +17,4 @@ where
op.getOutputKeySize().asElement() = l and
l.getValue().toInt() < 256
select op, "Key derivation operation configures output key length below 256: $@", l,
l.getValue().toString()
l.getValue().toString()

9
java/ql/src/experimental/quantum/Analysis/WeakRSA.ql
View File

@@ -11,14 +11,15 @@
import experimental.quantum.Language
class WeakRSAAlgorithmNode extends Crypto::KeyOperationAlgorithmNode {
WeakRSAAlgorithmNode() {
class WeakRsaAlgorithmNode extends Crypto::KeyOperationAlgorithmNode {
WeakRsaAlgorithmNode() {
this.getAlgorithmType() = Crypto::KeyOpAlg::TAsymmetricCipher(Crypto::KeyOpAlg::RSA()) and
this.getKeySizeFixed() < 2048
}
}
from Crypto::KeyOperationNode op, string message
where op.getAKnownAlgorithm() instanceof WeakRSAAlgorithmNode and
message = "Weak RSA instance found with key length <2048"
where
op.getAKnownAlgorithm() instanceof WeakRsaAlgorithmNode and
message = "Weak RSA instance found with key length <2048"
select op, message

23
java/ql/src/experimental/quantum/Analysis/WeakSymmetricCiphers.ql
View File

@@ -1,19 +1,30 @@
/**
* @name Weak symmetric ciphers
* @description Finds uses of cryptographic symmetric cipher algorithms that are unapproved or otherwise weak.
* @id java/quantum/slices/weak-ciphers
* @id java/quantum/weak-ciphers
* @kind problem
* @problem.severity error
* @precision high
* @tags external/cwe/cwe-327
* quantum
* experimental
*/
import java
import experimental.quantum.Language
import Crypto::KeyOpAlg as KeyOpAlg
from Crypto::KeyOperationAlgorithmNode alg, string name, string msg
from Crypto::KeyOperationAlgorithmNode alg, KeyOpAlg::AlgorithmType algType, string msg
where
name = alg.getAlgorithmName() and
name in ["DES", "TripleDES", "DoubleDES", "RC2", "RC4", "IDEA", "Blowfish"] and
msg = "Use of unapproved symmetric cipher algorithm or API: " + name + "."
select alg, msg
algType = alg.getAlgorithmType() and
(
algType = KeyOpAlg::TSymmetricCipher(KeyOpAlg::DES()) or
algType = KeyOpAlg::TSymmetricCipher(KeyOpAlg::TRIPLE_DES()) or
algType = KeyOpAlg::TSymmetricCipher(KeyOpAlg::DOUBLE_DES()) or
algType = KeyOpAlg::TSymmetricCipher(KeyOpAlg::RC2()) or
algType = KeyOpAlg::TSymmetricCipher(KeyOpAlg::RC4()) or
algType = KeyOpAlg::TSymmetricCipher(KeyOpAlg::IDEA()) or
algType = KeyOpAlg::TSymmetricCipher(KeyOpAlg::BLOWFISH())
) and
msg = "Use of unapproved symmetric cipher algorithm or API: " + algType.toString() + "."
select alg, msg

6
shared/quantum/codeql/quantum/experimental/Standardization.qll
View File

@@ -344,7 +344,7 @@ module Types {
/**
* Elliptic curve algorithms
*/
newtype TEllipticCurveFamilyType =
newtype TEllipticCurveType =
NIST() or
SEC() or
NUMS() or
@@ -357,7 +357,7 @@ module Types {
ES() or
OtherEllipticCurveType()
class EllipticCurveFamilyType extends TEllipticCurveFamilyType {
class EllipticCurveType extends TEllipticCurveType {
string toString() {
this = NIST() and result = "NIST"
or
@@ -445,7 +445,7 @@ module Types {
*/
bindingset[rawName]
predicate ellipticCurveNameToKnownKeySizeAndFamilyMapping(
string rawName, int keySize, TEllipticCurveFamilyType curveFamily
string rawName, int keySize, TEllipticCurveType curveFamily
) {
exists(string curveName | curveName = rawName.toUpperCase() |
isSecCurve(curveName, keySize) and curveFamily = SEC()