add draft code to find algo type to replace tainttracking configs

2026-03-27 09:48:16 +01:00 · 2022-10-04 23:21:15 -04:00
parent d3b1a04c13
commit 8ffd2522e7
4 changed files with 26 additions and 2 deletions
--- a/java/ql/lib/semmle/code/java/security/Encryption.qll
+++ b/java/ql/lib/semmle/code/java/security/Encryption.qll
@@ -252,6 +252,7 @@ string getASecureAlgorithmName() {
      "Blowfish", "ECIES" // ! Blowfish not actually secure based on https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-4426 ??
      // ! hmm, other sources imply that it is secure...
      // ! also no DH here, etc.?
+      // ! also is ECB matched with AES?
    ]
 }

--- a/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll
@@ -155,6 +155,26 @@ private predicate hasShortAESKey(MethodAccess ma, string msg) {
 bindingset[type]
 private predicate hasShortAsymmetricKeyPair(MethodAccess ma, string msg, string type) {
  ma.getMethod() instanceof KeyPairGeneratorInitMethod and
+  ma.getQualifier() instanceof JavaSecurityKeyPairGenerator and
+  ma.getQualifier().getBasicBlock() instanceof JavaSecurityKeyPairGenerator and
+  //ma.getQualifier().getBasicBlock().getNode(2) instanceof JavaSecurityKeyPairGenerator and
+  // ma.getQualifier()
+  //     .getBasicBlock()
+  //     .getANode()
+  //     .(JavaSecurityKeyPairGenerator)
+  //     .getAlgoSpec()
+  //     .(StringLiteral)
+  //     .getValue()
+  //     .toUpperCase() = type and
+  //ma.getQualifier().getBasicBlock().getAPredecessor() instanceof JavaSecurityKeyPairGenerator and
+  ma.getQualifier()
+      .getBasicBlock()
+      .getAPredecessor()
+      .(JavaSecurityKeyPairGenerator)
+      .getAlgoSpec()
+      .(StringLiteral)
+      .getValue()
+      .toUpperCase() = type and
  // flow needed to correctly determine algorithm type and
  // not match to ANY asymmetric algorithm
  exists(