Merge pull request #20603 from owen-mc/update-broken-algo-qhelp

Many languages: Update broken algo qhelp
2025-12-16 16:53:25 +01:00 · 2025-10-17 12:30:43 +01:00
parent e120e5c3ba 2f22acdd06
commit 66f95bcbcd
6 changed files with 108 additions and 39 deletions
--- a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.qhelp
+++ b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.qhelp
@@ -3,11 +3,15 @@
  "qhelp.dtd">
 <qhelp>
 <overview>
-<p>Using broken or weak cryptographic algorithms can leave data vulnerable to being decrypted.</p>
+<p>Using broken or weak cryptographic algorithms may compromise security guarantees such as confidentiality, integrity, and authenticity.</p>

-<p>Many cryptographic algorithms provided by cryptography libraries are known to be weak, or 
-flawed. Using such an algorithm means that an attacker may be able to easily decrypt the encrypted
-data.</p>
+<p>Many cryptographic algorithms are known to be weak or flawed. The security guarantees of a system often rely on the underlying cryptography, so using a weak algorithm can have severe consequences. For example:
+</p>
+<ul>
+  <li>If a weak encryption algorithm is used, an attacker may be able to decrypt sensitive data.</li>
+  <li>If a weak hashing algorithm is used to protect data integrity, an attacker may be able to craft a malicious input that has the same hash as a benign one.</li>
+  <li>If a weak algorithm is used for digital signatures, an attacker may be able to forge signatures and impersonate legitimate users.</li>
+</ul>

 </overview>
 <recommendation>
--- a/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.qhelp
+++ b/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.qhelp
@@ -3,11 +3,15 @@
  "qhelp.dtd">
 <qhelp>
 <overview>
-<p>Using broken or weak cryptographic algorithms can leave data vulnerable to being decrypted.</p>
+<p>Using broken or weak cryptographic algorithms may compromise security guarantees such as confidentiality, integrity, and authenticity.</p>

-<p>Many cryptographic algorithms provided by cryptography libraries are known to be weak, or 
-flawed. Using such an algorithm means that an attacker may be able to easily decrypt the encrypted
-data.</p>
+<p>Many cryptographic algorithms are known to be weak or flawed. The security guarantees of a system often rely on the underlying cryptography, so using a weak algorithm can have severe consequences. For example:
+</p>
+<ul>
+  <li>If a weak encryption algorithm is used, an attacker may be able to decrypt sensitive data.</li>
+  <li>If a weak hashing algorithm is used to protect data integrity, an attacker may be able to craft a malicious input that has the same hash as a benign one.</li>
+  <li>If a weak algorithm is used for digital signatures, an attacker may be able to forge signatures and impersonate legitimate users.</li>
+</ul>

 </overview>
 <recommendation>
--- a/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp
+++ b/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp
@@ -4,17 +4,34 @@
 <qhelp>
 	<overview>
 		<p>
-			Using broken or weak cryptographic algorithms can leave data
-			vulnerable to being decrypted or forged by an attacker.
+			Using broken or weak cryptographic algorithms may compromise
+			security guarantees such as confidentiality, integrity, and
+			authenticity.
 		</p>

 		<p>
-			Many cryptographic algorithms provided by cryptography
-			libraries are known to be weak, or flawed. Using such an
-			algorithm means that encrypted or hashed data is less
-			secure than it appears to be.
+			Many cryptographic algorithms are known to be weak or flawed. The
+			security guarantees of a system often rely on the underlying
+			cryptography, so using a weak algorithm can have severe consequences.
+			For example:
 		</p>

+		<ul>
+			<li>
+			If a weak encryption algorithm is used, an attacker may be able to
+			decrypt sensitive data.
+			</li>
+			<li>
+			If a weak hashing algorithm is used to protect data integrity, an
+			attacker may be able to craft a malicious input that has the same
+			hash as a benign one.
+			</li>
+			<li>
+			If a weak algorithm is used for digital signatures, an attacker may
+			be able to forge signatures and impersonate legitimate users.
+			</li>
+		</ul>
+
 	</overview>
 	<recommendation>

--- a/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp
+++ b/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp
@@ -3,20 +3,33 @@
 "qhelp.dtd">
 <qhelp>
     <overview>
+
          <p>
-               Using broken or weak cryptographic algorithms can leave data
-               vulnerable to being decrypted or forged by an attacker.
+               Using broken or weak cryptographic algorithms may compromise
+               security guarantees such as confidentiality, integrity, and
+               authenticity.
          </p>

          <p>
-               Many cryptographic algorithms provided by cryptography
-               libraries are known to be weak, or flawed. Using such an
-               algorithm means that encrypted or hashed data is less
-               secure than it appears to be.
+               Many cryptographic algorithms are known to be weak or flawed. The
+               security guarantees of a system often rely on the underlying
+               cryptography, so using a weak algorithm can have severe consequences.
+               For example:
          </p>

+          <ul>
+               <li>
+               If a weak encryption algorithm is used, an attacker may be able to
+               decrypt sensitive data.
+               </li>
+               <li>
+               If a weak algorithm is used for digital signatures, an attacker may
+               be able to forge signatures and impersonate legitimate users.
+               </li>
+          </ul>
+
          <p>
-               This query alerts on any use of a weak cryptographic algorithm, that is
+               This query alerts on any use of a weak cryptographic algorithm that is
               not a hashing algorithm. Use of broken or weak cryptographic hash
               functions are handled by the
               <code>py/weak-sensitive-data-hashing</code> query.
--- a/ruby/ql/src/queries/security/cwe-327/BrokenCryptoAlgorithm.qhelp
+++ b/ruby/ql/src/queries/security/cwe-327/BrokenCryptoAlgorithm.qhelp
@@ -4,14 +4,33 @@
 <qhelp>
  <overview>
    <p>
-      Using broken or weak cryptographic algorithms can leave data
-      vulnerable to being decrypted or forged by an attacker.
+      Using broken or weak cryptographic algorithms may compromise
+      security guarantees such as confidentiality, integrity, and
+      authenticity.
    </p>
+
    <p>
-      Many cryptographic algorithms provided by cryptography
-      libraries are known to be weak, or flawed. Using such an
-      algorithm means that encrypted or hashed data is less
-      secure than it appears to be.
+      Many cryptographic algorithms are known to be weak or flawed. The
+      security guarantees of a system often rely on the underlying
+      cryptography, so using a weak algorithm can have severe consequences.
+      For example:
+    </p>
+
+    <ul>
+      <li>
+      If a weak encryption algorithm is used, an attacker may be able to
+      decrypt sensitive data.
+      </li>
+      <li>
+      If a weak algorithm is used for digital signatures, an attacker may
+      be able to forge signatures and impersonate legitimate users.
+      </li>
+    </ul>
+    <p>
+      This query alerts on any use of a weak cryptographic algorithm that is
+      not a hashing algorithm. Use of broken or weak cryptographic hash
+      functions are handled by the
+      <code>rb/weak-sensitive-data-hashing</code> query.
    </p>
  </overview>
  <recommendation>
--- a/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.qhelp
+++ b/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.qhelp
@@ -4,19 +4,31 @@
 <qhelp>
     <overview>
 		<p>
-               Using broken or weak cryptographic algorithms can leave data
-               vulnerable to being decrypted or forged by an attacker.
+			Using broken or weak cryptographic algorithms may compromise
+			security guarantees such as confidentiality, integrity, and
+			authenticity.
 		</p>

 		<p>
-               Many cryptographic algorithms provided by cryptography
-               libraries are known to be weak, or flawed. Using such an
-               algorithm means that encrypted or hashed data is less
-               secure than it appears to be.
+			Many cryptographic algorithms are known to be weak or flawed. The
+			security guarantees of a system often rely on the underlying
+			cryptography, so using a weak algorithm can have severe consequences.
+			For example:
 		</p>

+		<ul>
+			<li>
+			If a weak encryption algorithm is used, an attacker may be able to
+			decrypt sensitive data.
+			</li>
+			<li>
+			If a weak algorithm is used for digital signatures, an attacker may
+			be able to forge signatures and impersonate legitimate users.
+			</li>
+		</ul>
+
          <p>
-               This query alerts on any use of a weak cryptographic algorithm, that is
+               This query alerts on any use of a weak cryptographic algorithm that is
               not a hashing algorithm. Use of broken or weak cryptographic hash
               functions are handled by the
               <code>rust/weak-sensitive-data-hashing</code> query.