Merge pull request #18161 from owen-mc/java/weak-crypto-algo-more-informative

Java: Make `java/weak-cryptographic-algorithm` give a reason why the algo is insecure
2026-04-20 22:44:52 +02:00 · 2025-01-13 23:43:04 +00:00
parent 599411b440 0728b3bd60
commit 883301938b
9 changed files with 67 additions and 41 deletions
--- a/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+++ b/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
@@ -18,10 +18,11 @@ import InsecureCryptoFlow::PathGraph

 from
  InsecureCryptoFlow::PathNode source, InsecureCryptoFlow::PathNode sink, CryptoAlgoSpec spec,
-  BrokenAlgoLiteral algo
+  BrokenAlgoLiteral algo, string reason
 where
  sink.getNode().asExpr() = spec.getAlgoSpec() and
  source.getNode().asExpr() = algo and
+  reason = getInsecureAlgorithmReason(algo.getValue()) and
  InsecureCryptoFlow::flowPath(source, sink)
-select spec, source, sink, "Cryptographic algorithm $@ is weak and should not be used.", algo,
+select spec, source, sink, "Cryptographic algorithm $@ is insecure. " + reason, algo,
  algo.getValue()
--- a/java/ql/src/change-notes/2024-11-29-java-weak-crypto-algorithm-explanation.md
+++ b/java/ql/src/change-notes/2024-11-29-java-weak-crypto-algorithm-explanation.md
@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* The query "Use of a broken or risky cryptographic algorithm" (`java/weak-cryptographic-algorithm`) now gives the reason why the cryptographic algorithm is considered weak.