Add more cases

java/ql/test/experimental/query-tests/security/CWE-759/HashWithoutSalt.java

@@ -52,6 +52,23 @@ public class HashWithoutSalt {
 		return Base64.getEncoder().encodeToString(cipherBytes);
 	}
 
+	// GOOD - Hash with a given salt stored somewhere else.
+	public String getSHA256Hash(String password, String salt) throws NoSuchAlgorithmException {
+		return hash(password+salt);
+	}
+
+	// GOOD - Hash with a salt for a variable named passwordHash, whose value is a hash used as an input for a hashing function.
+	public String getSHA256Hash3(String passwordHash) throws NoSuchAlgorithmException {
+		MessageDigest md = MessageDigest.getInstance("SHA-256");
+		byte[] messageDigest = md.digest(passwordHash.getBytes());
+		return Base64.getEncoder().encodeToString(messageDigest);
+	}
+
+	private String hash(String payload) {
+		MessageDigest alg = MessageDigest.getInstance("SHA-256");
+		return Base64.getEncoder().encodeToString(alg.digest(payload.getBytes(java.nio.charset.StandardCharsets.UTF_8)));
+	}
+
 	public static byte[] getSalt() throws NoSuchAlgorithmException {
 		SecureRandom sr = SecureRandom.getInstance("SHA1PRNG");
 		byte[] salt = new byte[16];

java/ql/test/experimental/query-tests/security/CWE-759/SHA256.java

@@ -0,0 +1,20 @@
+import java.security.MessageDigest;
+
+public class SHA256 {
+  MessageDigest md;
+  public int getBlockSize() {return 32;}
+  public void init() throws Exception {
+    try { md = MessageDigest.getInstance("SHA-256"); }
+    catch (Exception e){
+      System.err.println(e);
+    }
+  }
+
+  public void update(byte[] foo, int start, int len) throws Exception {
+    md.update(foo, start, len);
+  }
+
+  public byte[] digest() throws Exception {
+    return md.digest();
+  }
+}