Add unit tests

java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test1/InsecureKeys.expected

@@ -0,0 +1,2 @@
+testFailures
+failures

java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test1/InsecureKeys.ql

@@ -0,0 +1,19 @@
+import java
+import TestUtilities.InlineExpectationsTest
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.security.AndroidLocalAuthQuery
+
+module InsecureKeysTest implements TestSig {
+  string getARelevantTag() { result = "insecure-key" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "insecure-key" and
+    exists(InsecureBiometricKeyParamCall call | usesLocalAuth() |
+      call.getLocation() = location and
+      element = call.toString() and
+      value = ""
+    )
+  }
+}
+
+import MakeTest<InsecureKeysTest>

java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test1/Test.java

@@ -0,0 +1,21 @@
+import android.security.keystore.KeyGenParameterSpec;
+import android.hardware.biometrics.BiometricPrompt;
+import android.security.keystore.KeyProperties;
+
+class Test {
+    void test() {
+        KeyGenParameterSpec.Builder builder = new KeyGenParameterSpec.Builder("MySecretKey", KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT);
+        builder.setUserAuthenticationRequired(false); // $insecure-key
+        builder.setInvalidatedByBiometricEnrollment(false); // $insecure-key
+        builder.setUserAuthenticationValidityDurationSeconds(30); // $insecure-key
+    }
+}
+
+class Callback extends BiometricPrompt.AuthenticationCallback {
+    public static void useKey(BiometricPrompt.CryptoObject key) {}
+
+    @Override
+    public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {
+        useKey(result.getCryptoObject());
+    }
+}

java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test1/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/google-android-9.0.0

java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test2/InsecureKeys.expected

@@ -0,0 +1,2 @@
+testFailures
+failures

java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test2/InsecureKeys.ql

@@ -0,0 +1,19 @@
+import java
+import TestUtilities.InlineExpectationsTest
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.security.AndroidLocalAuthQuery
+
+module InsecureKeysTest implements TestSig {
+  string getARelevantTag() { result = "insecure-key" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "insecure-key" and
+    exists(InsecureBiometricKeyParamCall call | usesLocalAuth() |
+      call.getLocation() = location and
+      element = call.toString() and
+      value = ""
+    )
+  }
+}
+
+import MakeTest<InsecureKeysTest>

java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test2/Test.java

@@ -0,0 +1,13 @@
+import android.security.keystore.KeyGenParameterSpec;
+import android.hardware.biometrics.BiometricPrompt;
+import android.security.keystore.KeyProperties;
+
+class Test {
+    void test() {
+        KeyGenParameterSpec.Builder builder = new KeyGenParameterSpec.Builder("MySecretKey", KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT);
+        // No alert as there is no use of biometric authentication in this application.
+        builder.setUserAuthenticationRequired(false); 
+        builder.setInvalidatedByBiometricEnrollment(false); 
+        builder.setUserAuthenticationValidityDurationSeconds(30); 
+    }
+}

java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test2/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/google-android-9.0.0