Java: weak crypto: do not report weak hash algorithms

2026-04-17 04:54:02 +02:00 · 2024-10-29 21:26:59 -04:00
parent 662a824312
commit 459d16824e
4 changed files with 10 additions and 11 deletions
--- a/java/ql/lib/semmle/code/java/security/Encryption.qll
+++ b/java/ql/lib/semmle/code/java/security/Encryption.qll
@@ -223,10 +223,7 @@ string getAnInsecureHashAlgorithmName() {
 }

 private string rankedInsecureAlgorithm(int i) {
-  // In this case we know these are being used for encryption, so we want to match
-  // weak hash algorithms too.
-  result =
-    rank[i](string s | s = getAnInsecureAlgorithmName() or s = getAnInsecureHashAlgorithmName())
+  result = rank[i](string s | s = getAnInsecureAlgorithmName())
 }

 private string insecureAlgorithmString(int i) {
--- a/java/ql/lib/semmle/code/java/security/MaybeBrokenCryptoAlgorithmQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/MaybeBrokenCryptoAlgorithmQuery.qll
@@ -30,7 +30,11 @@ class InsecureAlgoLiteral extends InsecureAlgorithm, ShortStringLiteral {
      s.length() > 1 and
      not s.regexpMatch(getSecureAlgorithmRegex()) and
      // Exclude results covered by another query.
-      not s.regexpMatch(getInsecureAlgorithmRegex())
+      not s.regexpMatch(getInsecureAlgorithmRegex()) and
+      // Exclude results covered by `InsecureAlgoProperty`.
+      // This removes duplicates when a string literal is a default value for the property,
+      // such as "MD5" in the following: `props.getProperty("hashAlg2", "MD5")`.
+      not exists(InsecureAlgoProperty insecAlgoProp | this = insecAlgoProp.getAnArgument())
    )
  }