diff --git a/java/ql/lib/semmle/code/java/security/Encryption.qll b/java/ql/lib/semmle/code/java/security/Encryption.qll
index 9659fb92843..c19d51a2f4b 100644
--- a/java/ql/lib/semmle/code/java/security/Encryption.qll
+++ b/java/ql/lib/semmle/code/java/security/Encryption.qll
@@ -252,6 +252,7 @@ string getASecureAlgorithmName() {
 "Blowfish", "ECIES" // ! Blowfish not actually secure based on https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-4426 ??
 // ! hmm, other sources imply that it is secure...
 // ! also no DH here, etc.?
+ // ! also is ECB matched with AES?
 ]
 }
diff --git a/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll b/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll
index 39ded30d012..9aef9b44c6b 100644
--- a/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll
@@ -155,6 +155,26 @@ private predicate hasShortAESKey(MethodAccess ma, string msg) {
 bindingset[type]
 private predicate hasShortAsymmetricKeyPair(MethodAccess ma, string msg, string type) {
 ma.getMethod() instanceof KeyPairGeneratorInitMethod and
+ ma.getQualifier() instanceof JavaSecurityKeyPairGenerator and
+ ma.getQualifier().getBasicBlock() instanceof JavaSecurityKeyPairGenerator and
+ //ma.getQualifier().getBasicBlock().getNode(2) instanceof JavaSecurityKeyPairGenerator and
+ // ma.getQualifier()
+ // .getBasicBlock()
+ // .getANode()
+ // .(JavaSecurityKeyPairGenerator)
+ // .getAlgoSpec()
+ // .(StringLiteral)
+ // .getValue()
+ // .toUpperCase() = type and
+ //ma.getQualifier().getBasicBlock().getAPredecessor() instanceof JavaSecurityKeyPairGenerator and
+ ma.getQualifier()
+ .getBasicBlock()
+ .getAPredecessor()
+ .(JavaSecurityKeyPairGenerator)
+ .getAlgoSpec()
+ .(StringLiteral)
+ .getValue()
+ .toUpperCase() = type and
 // flow needed to correctly determine algorithm type and
 // not match to ANY asymmetric algorithm
 exists(
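Review bot: The added `// ! also is ECB matched with AES?` line leaves an open question inside the list returned by getASecureAlgorithmName, next to the unresolved Blowfish and DH notes in the context lines. Entries in this list are presumably treated as safe by the queries that consume it, so an unanswered question here can hide a false negative. The AES entry itself is outside the hunk, so whether it excludes ECB cannot be checked from here. I would turn the `// !` notes into a tracked item such as `// TODO(<issue-id>): confirm the AES pattern rejects ECB mode; add a test for "AES/ECB/PKCS5Padding"` before this leaves draft.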
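Review bot: The new conjuncts on `ma.getQualifier()` in hasShortAsymmetricKeyPair are all ANDed, so a call matches only when the qualifier itself, its basic block and a predecessor block are each a JavaSecurityKeyPairGenerator. When the qualifier is a variable read, as in `keyPairGen19.initialize(keySize)` in the test file, the first conjunct looks unsatisfiable and the query would silently stop reporting weak keys. Walking `getBasicBlock().getAPredecessor()` also ties the algorithm lookup to block layout rather than to the value that reaches the qualifier, which the context comment `// flow needed to correctly determine algorithm type` already asks for. Assuming JavaSecurityKeyPairGenerator is an expression class (its definition is not in the hunk), something like `exists(JavaSecurityKeyPairGenerator kpg | DataFlow::localExprFlow(kpg, ma.getQualifier()) and kpg.getAlgoSpec().(StringLiteral).getValue().toUpperCase() = type)` could replace all three, and the commented-out attempts can be dropped. The predicate body continues past the end of the hunk.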
diff --git a/java/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql b/java/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
index 149e2d40675..66bf459f5f7 100644
--- a/java/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
+++ b/java/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
@@ -4,6 +4,7 @@
 * allow an attacker to compromise security.
 * @kind path-problem
 * @problem.severity error
+ * @security-severity 7.5
 * @precision high
 * @id java/insufficient-key-size
 * @tags security
@@ -12,10 +13,12 @@
 import java
 import semmle.code.java.security.InsufficientKeySizeQuery
+import DataFlow::PathGraph
 // from Expr e, string msg
 // where hasInsufficientKeySize(e, msg)
 // select e, msg
 from AsymmetricKeyTrackingConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
-select sink, source, sink, "The size of this RSA key should be at least 2048 bits."
+select sink.getNode(), source, sink, "The $@ of an asymmetric key should be at least 2048 bits.",
+ sink.getNode(), "size"
diff --git a/java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.java b/java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.java
index 4bd29e2b3e8..c5f151128fa 100644
--- a/java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.java
+++ b/java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.java
@@ -106,7 +106,7 @@ public class InsufficientKeySizeTest {
 test(keysize);
 }
- public void test(int keySize) throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException {
+ public static void test(int keySize) throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException {
 KeyPairGenerator keyPairGen19 = KeyPairGenerator.getInstance("RSA");
 // BAD: Key size is less than 128
 keyPairGen19.initialize(keySize); // $ hasInsufficientKeySize
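Review bot: The new alert text in the `select` states a 2048-bit minimum for every asymmetric key, while the library predicate hasShortAsymmetricKeyPair takes an algorithm `type`, which suggests the threshold differs per algorithm. Elliptic-curve keys are normally sized in the hundreds of bits, so a fixed "2048" would mislead on those findings. I would either have the sink supply the minimum for its algorithm or make the text generic, for example `"This $@ is below the minimum recommended for the key's algorithm."`. The query now selects only from AsymmetricKeyTrackingConfiguration, so it is worth confirming that the symmetric results behind the commented-out `hasInsufficientKeySize(e, msg)` are still reported somewhere. The three commented-out query lines should then be deleted.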