mirror of
https://github.com/github/codeql.git
synced 2025-12-22 19:56:32 +01:00
Adding example alerts
This commit is contained in:
Benjamin Rodes
committed by
Josh Brown
Josh Brown
parent
4c9cc5a21f
commit
6d7ac8de28
@@ -0,0 +1,21 @@
|
|||||||
|
/**
|
||||||
|
* @name Unknown key generation key size
|
||||||
|
* @description
|
||||||
|
* @id cpp/unknown-asymmetric-key-gen-size
|
||||||
|
* @kind problem
|
||||||
|
* @problem.severity error
|
||||||
|
* @precision high
|
||||||
|
* @tags security
|
||||||
|
* external/cwe/cwe-326
|
||||||
|
*/
|
||||||
|
import cpp
|
||||||
|
|
||||||
|
import experimental.crypto.Concepts
|
||||||
|
|
||||||
|
from AsymmetricKeyGeneration op, AsymmetricAlgorithm alg
|
||||||
|
where
|
||||||
|
alg = op.getAlgorithm() and
|
||||||
|
not alg instanceof EllipticCurveAlgorithm and
|
||||||
|
not exists(op.getKeySizeInBits(alg))
|
||||||
|
select op, "Use of unknown asymmetric key size for algorithm $@", alg, alg.getName().toString()
|
||||||
|
|
||||||
@@ -0,0 +1,22 @@
|
|||||||
|
/**
|
||||||
|
* @name Weak asymmetric key generation key size (< 2048 bits)
|
||||||
|
* @description
|
||||||
|
* @id cpp/weak-asymmetric-key-gen-size
|
||||||
|
* @kind problem
|
||||||
|
* @problem.severity error
|
||||||
|
* @precision high
|
||||||
|
* @tags security
|
||||||
|
* external/cwe/cwe-326
|
||||||
|
*/
|
||||||
|
import cpp
|
||||||
|
|
||||||
|
import experimental.crypto.Concepts
|
||||||
|
|
||||||
|
from AsymmetricKeyGeneration op, AsymmetricAlgorithm alg, Expr configSrc, int size
|
||||||
|
where
|
||||||
|
alg = op.getAlgorithm() and
|
||||||
|
not alg instanceof EllipticCurveAlgorithm and
|
||||||
|
configSrc = op.getKeyConfigurationSource(alg) and
|
||||||
|
size = configSrc.getValue().toInt() and
|
||||||
|
size < 2048
|
||||||
|
select op, "Use of weak asymmetric key size (in bits) " + size + " configured at $@ for algorithm $@", configSrc, configSrc.toString(), alg, alg.getName().toString()
|
||||||
@@ -0,0 +1,32 @@
|
|||||||
|
/**
|
||||||
|
* @name Weak block mode
|
||||||
|
* @description Finds uses of symmetric encryption block modes that are weak, obsolete, or otherwise unaccepted.
|
||||||
|
* @id cpp/weak-block-mode
|
||||||
|
* @kind problem
|
||||||
|
* @problem.severity error
|
||||||
|
* @precision high
|
||||||
|
* @tags security
|
||||||
|
* external/cwe/cwe-327
|
||||||
|
*/
|
||||||
|
import cpp
|
||||||
|
import experimental.crypto.Concepts
|
||||||
|
|
||||||
|
from BlockModeAlgorithm alg, string name, string msg, Expr confSink
|
||||||
|
where
|
||||||
|
exists(string tmpMsg |
|
||||||
|
(
|
||||||
|
(name = alg.getBlockModeName() and name = unknownAlgorithm() and tmpMsg = "Use of unrecognized block mode algorithm.")
|
||||||
|
or
|
||||||
|
(
|
||||||
|
name != unknownAlgorithm() and
|
||||||
|
name = alg.getBlockModeName() and
|
||||||
|
not name = ["CBC","CTS","XTS"] and
|
||||||
|
tmpMsg = "Use of weak block mode algorithm " + name + "."
|
||||||
|
)
|
||||||
|
)
|
||||||
|
and
|
||||||
|
if alg.hasConfigurationSink() and alg.configurationSink() != alg
|
||||||
|
then (confSink = alg.configurationSink() and msg = tmpMsg + " Algorithm used at sink: $@.")
|
||||||
|
else (confSink = alg and msg = tmpMsg)
|
||||||
|
)
|
||||||
|
select alg, msg, confSink, confSink.toString()
|
||||||
@@ -0,0 +1,38 @@
|
|||||||
|
/**
|
||||||
|
* @name Weak elliptic curve
|
||||||
|
* @description Finds uses of weak, unknown, or otherwise unaccepted elliptic curve algorithms.
|
||||||
|
* @id cpp/weak-elliptic-curve
|
||||||
|
* @kind problem
|
||||||
|
* @problem.severity error
|
||||||
|
* @precision high
|
||||||
|
* @tags security
|
||||||
|
* external/cwe/cwe-327
|
||||||
|
*/
|
||||||
|
import cpp
|
||||||
|
import experimental.crypto.Concepts
|
||||||
|
|
||||||
|
from EllipticCurveAlgorithm alg, string name, string msg, Expr confSink
|
||||||
|
where
|
||||||
|
exists(string tmpMsg |
|
||||||
|
(
|
||||||
|
(name = alg.getCurveName() and name = unknownAlgorithm() and tmpMsg = "Use of unrecognized curve algorithm.")
|
||||||
|
or
|
||||||
|
(
|
||||||
|
name != unknownAlgorithm() and
|
||||||
|
name = alg.getCurveName() and
|
||||||
|
not name = ["SECP256R1", "PRIME256V1",//P-256
|
||||||
|
"SECP384R1", //P-384
|
||||||
|
"SECP521R1", //P-521
|
||||||
|
"NUMSP256T1",
|
||||||
|
"NUMSP384T1",
|
||||||
|
"NUMSP512T1",
|
||||||
|
"ED25519", "X25519"] and
|
||||||
|
tmpMsg = "Use of weak curve algorithm " + name + "."
|
||||||
|
)
|
||||||
|
)
|
||||||
|
and
|
||||||
|
if alg.hasConfigurationSink() and alg.configurationSink() != alg
|
||||||
|
then (confSink = alg.configurationSink() and msg = tmpMsg + " Algorithm used at sink: $@.")
|
||||||
|
else (confSink = alg and msg = tmpMsg)
|
||||||
|
)
|
||||||
|
select alg, msg, confSink, confSink.toString()
|
||||||
@@ -0,0 +1,35 @@
|
|||||||
|
/**
|
||||||
|
* @name Weak cryptography
|
||||||
|
* @description Finds explicit uses of symmetric encryption algorithms that are weak, unknown, or otherwise unaccepted.
|
||||||
|
* @kind problem
|
||||||
|
* @id cpp/weak-crypto/banned-encryption-algorithms
|
||||||
|
* @problem.severity error
|
||||||
|
* @precision high
|
||||||
|
* @tags security
|
||||||
|
* external/cwe/cwe-327
|
||||||
|
*/
|
||||||
|
|
||||||
|
import cpp
|
||||||
|
import experimental.crypto.Concepts
|
||||||
|
|
||||||
|
|
||||||
|
from SymmetricEncryptionAlgorithm alg, Expr confSink, string msg
|
||||||
|
where
|
||||||
|
exists (string resMsg |
|
||||||
|
(
|
||||||
|
if alg.getEncryptionName() = unknownAlgorithm()
|
||||||
|
then (
|
||||||
|
alg instanceof Literal and resMsg = "Use of unrecognized symmetric encryption algorithm: " + alg.(Literal).getValueText().toString() + "."
|
||||||
|
or
|
||||||
|
not alg instanceof Literal and resMsg = "Use of unrecognized symmetric encryption algorithm."
|
||||||
|
)
|
||||||
|
else (not alg.getEncryptionName().matches("AES%") and resMsg = "Use of banned symmetric encryption algorithm: " + alg.getEncryptionName() + ".")
|
||||||
|
)
|
||||||
|
and
|
||||||
|
(
|
||||||
|
if alg.hasConfigurationSink() and alg.configurationSink() != alg
|
||||||
|
then (confSink = alg.configurationSink() and msg = resMsg + " Algorithm used at sink: $@.")
|
||||||
|
else (confSink = alg and msg = resMsg)
|
||||||
|
)
|
||||||
|
)
|
||||||
|
select alg, msg, confSink, confSink.toString()
|
||||||
36
cpp/ql/src/experimental/crypto/example_alerts/WeakHashes.ql
Normal file
36
cpp/ql/src/experimental/crypto/example_alerts/WeakHashes.ql
Normal file
@@ -0,0 +1,36 @@
|
|||||||
|
/**
|
||||||
|
* @name Weak cryptography
|
||||||
|
* @description Finds explicit uses of cryptographic hash algorithms that are weak and obsolete.
|
||||||
|
* @kind problem
|
||||||
|
* @id cpp/weak-crypto/banned-hash-algorithms
|
||||||
|
* @problem.severity error
|
||||||
|
* @precision high
|
||||||
|
* @tags security
|
||||||
|
* external/cwe/cwe-327
|
||||||
|
*/
|
||||||
|
|
||||||
|
import cpp
|
||||||
|
import semmle.code.cpp.dataflow.DataFlow as ASTDataFlow
|
||||||
|
import experimental.crypto.Concepts
|
||||||
|
|
||||||
|
from HashAlgorithm alg, Expr confSink, string msg
|
||||||
|
where
|
||||||
|
exists(string name, string msgTmp | name = alg.getHashName() |
|
||||||
|
not name = ["SHA256", "SHA384", "SHA512"] and
|
||||||
|
(
|
||||||
|
if name = unknownAlgorithm()
|
||||||
|
then
|
||||||
|
(
|
||||||
|
not alg instanceof Literal and msgTmp = "Use of unrecognized hash algorithm."
|
||||||
|
or
|
||||||
|
alg instanceof Literal and msgTmp = "Use of unrecognized hash algorithm: " + alg.(Literal).getValueText().toString() + "."
|
||||||
|
|
||||||
|
)
|
||||||
|
else msgTmp = "Use of banned hash algorithm " + name + "."
|
||||||
|
)
|
||||||
|
and
|
||||||
|
if alg.hasConfigurationSink() and alg.configurationSink() != alg
|
||||||
|
then (confSink = alg.configurationSink() and msg = msgTmp + " Algorithm used at sink: $@.")
|
||||||
|
else (confSink = alg and msg = msgTmp)
|
||||||
|
)
|
||||||
|
select alg, msg, confSink, confSink.toString()
|
||||||
Reference in New Issue
Block a user