diff --git a/java/ql/src/experimental/quantum/Examples/WeakBlockModes.ql b/java/ql/src/experimental/quantum/Examples/WeakBlockModes.ql
index 53e4d38216a..c5fb224ea1f 100644
--- a/java/ql/src/experimental/quantum/Examples/WeakBlockModes.ql
+++ b/java/ql/src/experimental/quantum/Examples/WeakBlockModes.ql
@@ -1,6 +1,6 @@
 /**
 * @name Weak AES Block mode
- * @id java/quantum/weak-block-modes
+ * @id java/quantum/examples/weak-block-modes
 * @description An AES cipher is in use with an insecure block mode
 * @kind problem
 * @problem.severity error
diff --git a/java/ql/src/experimental/quantum/Examples/WeakHash.ql b/java/ql/src/experimental/quantum/Examples/WeakHash.ql
index 573265705ba..e7b9c95a9c0 100644
--- a/java/ql/src/experimental/quantum/Examples/WeakHash.ql
+++ b/java/ql/src/experimental/quantum/Examples/WeakHash.ql
@@ -1,7 +1,7 @@
 /**
 * @name Weak hashes
 * @description Finds uses of cryptographic hashing algorithms that are unapproved or otherwise weak.
- * @id java/quantum/weak-hash
+ * @id java/quantum/examples/weak-hash
 * @kind problem
 * @problem.severity error
 * @tags external/cwe/cwe-327
diff --git a/java/ql/src/experimental/quantum/Examples/WeakKDFIterationCount.ql b/java/ql/src/experimental/quantum/Examples/WeakKDFIterationCount.ql
index 71dfb87b70c..98f97335eae 100644
--- a/java/ql/src/experimental/quantum/Examples/WeakKDFIterationCount.ql
+++ b/java/ql/src/experimental/quantum/Examples/WeakKDFIterationCount.ql
@@ -1,7 +1,7 @@
 /**
 * @name Weak known key derivation function iteration count
 * @description Detects key derivation operations with a known weak iteration count.
- * @id java/quantum/weak-kdf-iteration-count
+ * @id java/quantum/examples/weak-kdf-iteration-count
 * @kind path-problem
 * @problem.severity error
 * @tags quantum
diff --git a/java/ql/src/experimental/quantum/Examples/WeakKDFKeySize.ql b/java/ql/src/experimental/quantum/Examples/WeakKDFKeySize.ql
index 772f2e7a5a3..3d0be43392f 100644
--- a/java/ql/src/experimental/quantum/Examples/WeakKDFKeySize.ql +++ b/java/ql/src/experimental/quantum/Examples/WeakKDFKeySize.ql @@ -1,7 +1,7 @@ /** * @name Weak known key derivation function output length * @description Detects key derivation operations with a known weak output length - * @id java/quantum/weak-kdf-key-size + * @id java/quantum/examples/weak-kdf-key-size * @kind path-problem * @problem.severity error * @tags quantum diff --git a/java/ql/src/experimental/quantum/Examples/WeakSymmetricCipher.ql b/java/ql/src/experimental/quantum/Examples/WeakSymmetricCipher.ql index 2f67a4c9767..6b5ca79de0f 100644 --- a/java/ql/src/experimental/quantum/Examples/WeakSymmetricCipher.ql +++ b/java/ql/src/experimental/quantum/Examples/WeakSymmetricCipher.ql @@ -1,7 +1,7 @@ /** * @name Weak symmetric ciphers * @description Finds uses of cryptographic symmetric cipher algorithms that are unapproved or otherwise weak. - * @id java/quantum/weak-ciphers + * @id java/quantum/examples/weak-ciphers * @kind problem * @problem.severity error * @tags external/cwe/cwe-327 @@ -16,6 +16,9 @@ import Crypto::KeyOpAlg as KeyOpAlg from Crypto::KeyOperationAlgorithmNode alg, KeyOpAlg::AlgorithmType algType where algType = alg.getAlgorithmType() and + // NOTE: an org may disallow all but AES we could similarly look for + // algType != KeyOpAlg::TSymmetricCipher(KeyOpAlg::AES()) + // This is a more comprehensive check than looking for all weak ciphers ( algType = KeyOpAlg::TSymmetricCipher(KeyOpAlg::DES()) or algType = KeyOpAlg::TSymmetricCipher(KeyOpAlg::TRIPLE_DES()) or diff --git a/java/ql/src/experimental/quantum/InventorySlices/UnknownOperationAlgorithm.ql b/java/ql/src/experimental/quantum/InventorySlices/UnknownOperationAlgorithm.ql index 8469924a850..08f6cae731f 100644 --- a/java/ql/src/experimental/quantum/InventorySlices/UnknownOperationAlgorithm.ql +++ b/java/ql/src/experimental/quantum/InventorySlices/UnknownOperationAlgorithm.ql 
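Review bot: The NOTE added in the `@@ -16,6 +16,9 @@` hunk of WeakSymmetricCipher.ql is a run-on, and its last sentence does not say which check is the "more comprehensive" one. As written, `algType != KeyOpAlg::TSymmetricCipher(KeyOpAlg::AES())` would presumably also hold for algorithm types that are not symmetric ciphers at all, so the comment should say the comparison needs restricting to symmetric ciphers. Suggested wording: `// NOTE: an organization that permits only AES could instead flag every symmetric cipher other than AES,` / `// e.g. algType != KeyOpAlg::TSymmetricCipher(KeyOpAlg::AES()), restricted to symmetric cipher types.` / `// That allowlist is more comprehensive than this list of known-weak ciphers, which misses any algorithm not named here.` The `where` clause continues past the end of the hunk.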
@@ -1,7 +1,7 @@ /** * @name Operations with unknown algorithm * @description Outputs operations where the algorithm applied is unknown - * @id java/quantum/slices/operation-with-unknown-algorithm + * @id java/quantum/examples/slices/operation-with-unknown-algorithm * @kind problem * @severity info * @tags quantum diff --git a/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacUse.java b/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacUse.java index 2a65a8baa75..03fd21386cf 100644 --- a/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacUse.java +++ b/java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacUse.java @@ -57,7 +57,7 @@ class BadMacUse { SecretKey macKey = new SecretKeySpec(macKeyBytes, "HmacSHA256"); Mac mac = Mac.getInstance("HmacSHA256"); mac.init(macKey); - byte[] computedMac = mac.doFinal(plaintext); // $Alert[java/quantum/bad-mac-order-decrypt-to-mac] + byte[] computedMac = mac.doFinal(plaintext); // $Alert[java/quantum/examples/bad-mac-order-decrypt-to-mac] if (!MessageDigest.isEqual(receivedMac, computedMac)) { throw new SecurityException("MAC verification failed"); @@ -77,7 +77,7 @@ class BadMacUse { // Encrypt the plaintext Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding"); cipher.init(Cipher.ENCRYPT_MODE, encryptionKey, new SecureRandom()); - byte[] ciphertext = cipher.doFinal(plaintext); // $Alert[java/quantum/bad-mac-order-encrypt-plaintext-also-in-mac] + byte[] ciphertext = cipher.doFinal(plaintext); // $Alert[java/quantum/examples/bad-mac-order-encrypt-plaintext-also-in-mac] // Concatenate ciphertext and MAC byte[] output = new byte[ciphertext.length + computedMac.length]; diff --git a/java/ql/test/experimental/query-tests/quantum/examples/InsecureOrUnknownNonceSource/InsecureIVorNonceSource.java b/java/ql/test/experimental/query-tests/quantum/examples/InsecureOrUnknownNonceSource/InsecureIVorNonceSource.java index f1b8878d63a..549c56dbd98 100644 
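Review bot: The new id `java/quantum/examples/slices/operation-with-unknown-algorithm` places a query that lives under `InventorySlices/` in the `examples` namespace, whereas every other query renamed in this diff sits under `Examples/`. If the other inventory-slice queries keep the `java/quantum/slices/...` prefix (they are not visible here), this one becomes the odd one out for any suite, filter or alert baseline that selects by id prefix. Either keep `@id java/quantum/slices/operation-with-unknown-algorithm` or rename that directory's ids together. Separately, this header uses `@severity info` where the other `@kind problem` headers on the page use `@problem.severity`, which is worth confirming while the metadata is being touched.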
--- a/java/ql/test/experimental/query-tests/quantum/examples/InsecureOrUnknownNonceSource/InsecureIVorNonceSource.java +++ b/java/ql/test/experimental/query-tests/quantum/examples/InsecureOrUnknownNonceSource/InsecureIVorNonceSource.java @@ -17,7 +17,7 @@ public class InsecureIVorNonceSource { SecretKeySpec keySpec = new SecretKeySpec(key, "AES"); Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING"); - cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/insecure-iv-or-nonce] + cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/examples/insecure-iv-or-nonce] cipher.update(plaintext); return cipher.doFinal(); } @@ -30,7 +30,7 @@ public class InsecureIVorNonceSource { SecretKeySpec keySpec = new SecretKeySpec(key, "AES"); Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING"); - cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/unknown-iv-or-nonce-source] + cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/examples/unknown-iv-or-nonce-source] cipher.update(plaintext); return cipher.doFinal(); } @@ -46,7 +46,7 @@ public class InsecureIVorNonceSource { SecretKeySpec keySpec = new SecretKeySpec(key, "AES"); Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING"); - cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/insecure-iv-or-nonce] + cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/examples/insecure-iv-or-nonce] cipher.update(plaintext); return cipher.doFinal(); } @@ -62,7 +62,7 @@ public class InsecureIVorNonceSource { SecretKeySpec keySpec = new SecretKeySpec(key, "AES"); Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING"); - cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/insecure-iv-or-nonce] + cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/examples/insecure-iv-or-nonce] cipher.update(plaintext); return cipher.doFinal(); } 
@@ -78,7 +78,7 @@ public class InsecureIVorNonceSource { SecretKeySpec keySpec = new SecretKeySpec(key, "AES"); Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING"); - cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/insecure-iv-or-nonce] + cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/examples/insecure-iv-or-nonce] cipher.update(plaintext); return cipher.doFinal(); } @@ -94,7 +94,7 @@ public class InsecureIVorNonceSource { SecretKeySpec keySpec = new SecretKeySpec(key, "AES"); Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING"); - cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/unknown-iv-or-nonce-source] + cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/examples/unknown-iv-or-nonce-source] cipher.update(plaintext); return cipher.doFinal(); } @@ -203,7 +203,7 @@ public class InsecureIVorNonceSource { SecretKeySpec keySpec = new SecretKeySpec(key, "AES"); Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING"); - cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/insecure-iv-or-nonce]] + cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/examples/insecure-iv-or-nonce]] cipher.update(plaintext); return cipher.doFinal(); } diff --git a/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownAsymmetricKeySize/InsufficientAsymmetricKeySize.java b/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownAsymmetricKeySize/InsufficientAsymmetricKeySize.java index 35b9dd40748..c330bf82a05 100644 --- a/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownAsymmetricKeySize/InsufficientAsymmetricKeySize.java +++ b/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownAsymmetricKeySize/InsufficientAsymmetricKeySize.java 
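Review bot: In the `@@ -203,7 +203,7 @@` hunk the rewritten expectation comment still ends in a doubled bracket, `// $Alert[java/quantum/examples/insecure-iv-or-nonce]]`, carried over unchanged from the old line. Depending on how the inline-expectation parser treats the stray `]`, this CBC case may not be matched the same way as the other `insecure-iv-or-nonce` annotations in the file. Since the line is being edited anyway, it should read `cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/examples/insecure-iv-or-nonce]`. The enclosing method starts outside the hunk.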
@@ -2,15 +2,15 @@ import java.security.*; public class InsufficientAsymmetricKeySize{ public static void test() throws Exception{ KeyPairGenerator keyPairGen1 = KeyPairGenerator.getInstance("RSA"); - keyPairGen1.initialize(1024); // $Alert[java/quantum/weak-asymmetric-key-gen-size] + keyPairGen1.initialize(1024); // $Alert[java/quantum/examples/weak-asymmetric-key-gen-size] keyPairGen1.generateKeyPair(); KeyPairGenerator keyPairGen2 = KeyPairGenerator.getInstance("DSA"); - keyPairGen2.initialize(1024); // $Alert[java/quantum/weak-asymmetric-key-gen-size] + keyPairGen2.initialize(1024); // $Alert[java/quantum/examples/weak-asymmetric-key-gen-size] keyPairGen2.generateKeyPair(); KeyPairGenerator keyPairGen3 = KeyPairGenerator.getInstance("DH"); - keyPairGen3.initialize(1024); // $Alert[java/quantum/weak-asymmetric-key-gen-size] + keyPairGen3.initialize(1024); // $Alert[java/quantum/examples/weak-asymmetric-key-gen-size] keyPairGen3.generateKeyPair(); KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance("RSA"); diff --git a/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownHash/WeakHashing.java b/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownHash/WeakHashing.java index 6435004931a..cc3b9a859d1 100644 --- a/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownHash/WeakHashing.java +++ b/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownHash/WeakHashing.java 
@@ -12,19 +12,19 @@ public class WeakHashing { props.load(new FileInputStream("example.properties")); // BAD: Using a weak hashing algorithm even with a secure default - MessageDigest bad = MessageDigest.getInstance(props.getProperty("hashAlg1")); // $Alert[java/quantum/weak-hash] + MessageDigest bad = MessageDigest.getInstance(props.getProperty("hashAlg1")); // $Alert[java/quantum/examples/weak-hash] // BAD: Using a weak hashing algorithm even with a secure default - MessageDigest bad2 = MessageDigest.getInstance(props.getProperty("hashAlg1", "SHA-256")); // $Alert[java/quantum/weak-hash] + MessageDigest bad2 = MessageDigest.getInstance(props.getProperty("hashAlg1", "SHA-256")); // $Alert[java/quantum/examples/weak-hash] // BAD: Using a strong hashing algorithm but with a weak default - MessageDigest bad3 = MessageDigest.getInstance(props.getProperty("hashAlg2", "MD5")); // $Alert[java/quantum/weak-hash] + MessageDigest bad3 = MessageDigest.getInstance(props.getProperty("hashAlg2", "MD5")); // $Alert[java/quantum/examples/weak-hash] // BAD: Using a weak hash - MessageDigest bad4 = MessageDigest.getInstance("SHA-1"); // $Alert[java/quantum/weak-hash] + MessageDigest bad4 = MessageDigest.getInstance("SHA-1"); // $Alert[java/quantum/examples/weak-hash] // BAD: Property does not exist and default (used value) is unknown - MessageDigest bad5 = MessageDigest.getInstance(props.getProperty("non-existent_property", "non-existent_default")); // $Alert[java/quantum/unknown-hash] + MessageDigest bad5 = MessageDigest.getInstance(props.getProperty("non-existent_property", "non-existent_default")); // $Alert[java/quantum/examples/unknown-hash] java.util.Properties props2 = new java.util.Properties(); 
@@ -32,13 +32,13 @@ public class WeakHashing { // BAD: "hashAlg2" is not visible in the file loaded for props2, should be an unknown // FALSE NEGATIVE for unknown hash - MessageDigest bad6 = MessageDigest.getInstance(props2.getProperty("hashAlg2", "SHA-256")); // $Alert[java/quantum/unknown-hash] + MessageDigest bad6 = MessageDigest.getInstance(props2.getProperty("hashAlg2", "SHA-256")); // $Alert[java/quantum/examples/unknown-hash] // GOOD: Using a strong hashing algorithm MessageDigest ok = MessageDigest.getInstance(props.getProperty("hashAlg2")); // BAD?: Property does not exist (considered unknown) and but default is secure - MessageDigest ok2 = MessageDigest.getInstance(props.getProperty("non-existent-property", "SHA-256")); // $Alert[java/quantum/unknown-hash] + MessageDigest ok2 = MessageDigest.getInstance(props.getProperty("non-existent-property", "SHA-256")); // $Alert[java/quantum/examples/unknown-hash] // GOOD: Using a strong hashing algorithm MessageDigest ok3 = MessageDigest.getInstance("SHA3-512"); diff --git a/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownKDFIterationCount/Test.java b/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownKDFIterationCount/Test.java index c5d55a941d2..13f6d03ec72 100644 --- a/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownKDFIterationCount/Test.java +++ b/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownKDFIterationCount/Test.java 
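Review bot: The `bad6` line is described in the comment above it as a `FALSE NEGATIVE for unknown hash`, yet it carries an unconditional `// $Alert[java/quantum/examples/unknown-hash]`, so the annotation asserts a result the comment says the query does not produce. If the false negative is still real, the expectation should be marked as missing, e.g. `// $ MISSING: Alert[java/quantum/examples/unknown-hash]`. If the query now reports it, drop the `FALSE NEGATIVE` comment instead. Either way the test should state unambiguously whether a detection gap for property-driven algorithm names exists.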
@@ -29,7 +29,7 @@ public class Test {
 public void pbkdf2LowIteration(String password) throws Exception {
 byte[] salt = generateSalt(16);
 int iterationCount = 10; // $Source
- PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterationCount, 256); // $Alert[java/quantum/weak-kdf-iteration-count]
+ PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterationCount, 256); // $Alert[java/quantum/examples/weak-kdf-iteration-count]
 SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
 byte[] key = factory.generateSecret(spec).getEncoded();
 }
@@ -42,7 +42,7 @@ public class Test {
 */
 public void pbkdf2LowIteration(String password, int iterationCount) throws Exception { // $Source
 byte[] salt = generateSalt(16);
- PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterationCount, 256); // $Alert[java/quantum/unknown-kdf-iteration-count]
+ PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterationCount, 256); // $Alert[java/quantum/examples/unknown-kdf-iteration-count]
 SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
 byte[] key = factory.generateSecret(spec).getEncoded();
 }
diff --git a/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownKDFIterationCount/UnknownKDFIterationCount.expected b/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownKDFIterationCount/UnknownKDFIterationCount.expected
index 5792287fae6..c9e5a5b8a81 100644
--- a/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownKDFIterationCount/UnknownKDFIterationCount.expected
+++ b/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownKDFIterationCount/UnknownKDFIterationCount.expected
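Review bot: In the `@@ -42,7 +42,7 @@` hunk the `$Alert[...]` comment stays on the `PBEKeySpec` line (45), while the accompanying `.expected` file reports the result at `Test.java:47:22:47:49`, which is `factory.generateSecret(spec)`. The test therefore keeps recording a Missing/Unexpected pair instead of a match. Moving the comment to that line would presumably let the expectation pass: `byte[] key = factory.generateSecret(spec).getEncoded(); // $Alert[java/quantum/examples/unknown-kdf-iteration-count]`. If it stays where it is, note that the comment is now nine characters longer, yet the `.expected` row still gives its extent as `45:94:45:145`, so that file looks hand-edited and should be regenerated.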
@@ -1,5 +1,5 @@ #select | Test.java:47:22:47:49 | KeyDerivation | Key derivation operation with unknown iteration: $@ | Test.java:43:53:43:70 | iterationCount | iterationCount | testFailures -| Test.java:45:94:45:145 | // $Alert[java/quantum/unknown-kdf-iteration-count] | Missing result: Alert[java/quantum/unknown-kdf-iteration-count] | +| Test.java:45:94:45:145 | // $Alert[java/quantum/examples/unknown-kdf-iteration-count] | Missing result: Alert[java/quantum/examples/unknown-kdf-iteration-count] | | Test.java:47:22:47:49 | Key derivation operation with unknown iteration: $@ | Unexpected result: Alert | diff --git a/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownKDFKeySize/Test.java b/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownKDFKeySize/Test.java index 9e2487ff32d..21619c8c574 100644 --- a/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownKDFKeySize/Test.java +++ b/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownKDFKeySize/Test.java @@ -21,7 +21,7 @@ public class Test { byte[] salt = generateSalt(16); int iterationCount = 100_000; int keySize = 64; // $Source - PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterationCount, keySize); // $Alert[java/quantum/weak-kdf-key-size] + PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterationCount, keySize); // $Alert[java/quantum/examples/weak-kdf-key-size] SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256"); byte[] key = factory.generateSecret(spec).getEncoded(); }