hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-12 02:24:00 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into wild-crest-ql

Browse Source
This commit is contained in:
Paolo Tranquilli
2026-03-30 12:04:16 +02:00
parent 6fad5b823c 8349bd50ba
commit 1d028382da
246 changed files with 11552 additions and 3487 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
java/ql/lib/change-notes/2026-03-27-add-ec-to-secure-algorithms.md Normal file
View File

@@ -0,0 +1,5 @@
---
category: minorAnalysis
---
* The `java/potentially-weak-cryptographic-algorithm` query no longer flags Elliptic Curve algorithms (`EC`, `ECDSA`, `ECDH`, `EdDSA`, `Ed25519`, `Ed448`, `XDH`, `X25519`, `X448`), HMAC-based algorithms (`HMACSHA1`, `HMACSHA256`, `HMACSHA384`, `HMACSHA512`), or PBKDF2 key derivation as potentially insecure. These are modern, secure algorithms recommended by NIST and other standards bodies. This will reduce the number of false positives for this query.
* The first argument of the method `getInstance` of `java.security.Signature` is now modeled as a sink for `java/potentially-weak-cryptographic-algorithm`, `java/weak-cryptographic-algorithm` and `java/rsa-without-oaep`. This will increase the number of alerts for these queries.

4
java/ql/lib/change-notes/2026-03-28-tainted-arithmetic-bounds-check.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The `java/tainted-arithmetic` query no longer flags arithmetic expressions that are used directly as an operand of a comparison in `if`-condition bounds-checking patterns. For example, `if (off + len > array.length)` is now recognized as a bounds check rather than a potentially vulnerable computation, reducing false positives.

16
java/ql/lib/semmle/code/java/security/ArithmeticCommon.qll
View File

@@ -132,7 +132,21 @@ private predicate inBitwiseAnd(Expr exp) {
/** Holds if overflow/underflow is irrelevant for this expression. */
predicate overflowIrrelevant(Expr exp) {
inBitwiseAnd(exp) or
exp.getEnclosingCallable() instanceof HashCodeMethod
exp.getEnclosingCallable() instanceof HashCodeMethod or
arithmeticUsedInBoundsCheck(exp)
}
/**
* Holds if `exp` is an arithmetic expression used directly as an operand of a
* comparison in an `if`-condition, indicating it is part of a bounds check
* rather than a vulnerable computation. For example, in
* `if (off + len > array.length)`, the addition is the bounds check itself.
*/
private predicate arithmeticUsedInBoundsCheck(ArithExpr exp) {
exists(ComparisonExpr comp |
comp.getAnOperand() = exp and
comp.getEnclosingStmt() instanceof IfStmt
)
}
/**

14
java/ql/lib/semmle/code/java/security/Encryption.qll
View File

@@ -259,7 +259,13 @@ string getASecureAlgorithmName() {
result =
[
"RSA", "SHA-?(256|384|512)", "CCM", "GCM", "AES(?![^a-zA-Z](ECB|CBC/PKCS[57]Padding))",
"Blowfish", "ECIES", "SHA3-(256|384|512)"
"Blowfish", "ECIES", "SHA3-(256|384|512)",
// Elliptic Curve algorithms: EC (key generation), ECDSA (signatures), ECDH (key agreement),
// EdDSA/Ed25519/Ed448 (Edwards-curve signatures), XDH/X25519/X448 (key agreement).
// These are modern, secure algorithms recommended by NIST and other standards bodies.
"EC", "ECDSA", "ECDH", "EdDSA", "Ed25519", "Ed448", "XDH", "X25519", "X448",
// HMAC-based algorithms and key derivation functions.
"HMACSHA(1|256|384|512)", "HmacSHA(1|256|384|512)", "PBKDF2"
]
}
@@ -366,9 +372,13 @@ class JavaSecuritySignature extends JavaSecurityAlgoSpec {
exists(Constructor c | c.getAReference() = this |
c.getDeclaringType().hasQualifiedName("java.security", "Signature")
)
or
exists(Method m | m.getAReference() = this |
m.hasQualifiedName("java.security", "Signature", "getInstance")
)
}
override Expr getAlgoSpec() { result = this.(ConstructorCall).getArgument(0) }
override Expr getAlgoSpec() { result = this.(Call).getArgument(0) }
}
/** A call to the `getInstance` method declared in `java.security.KeyPairGenerator`. */