From 005dfdffdb87c1991d4171d274cbbebfc4355ff8 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Mon, 7 Feb 2022 14:07:02 +0000
Subject: [PATCH 1/4] C++: Speed up cpp/cleartext-transmission ('Encrypted'
 class).

---
 .../CWE/CWE-311/CleartextTransmission.ql      | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql b/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
index b45c11532fd..06f81a8cf19 100644
--- a/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
+++ b/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
@@ -168,6 +168,18 @@ class NetworkRecv extends NetworkSendRecv {
   override Recv target;
 }
 
+predicate encryptionFunction(Function f)
+{
+  f.getName()
+  .toLowerCase()
+  .regexpMatch(".*(crypt|encode|decode|hash|securezero).*")
+}
+
+predicate encryptionType(Type t)
+{
+  t.getName().toLowerCase().regexpMatch(".*(crypt|encode|decode|hash|securezero).*")
+}
+
 /**
  * An expression that is an argument or return value from an encryption /
  * decryption call. This is quite inclusive to minimize false positives, for
@@ -177,10 +189,7 @@ class NetworkRecv extends NetworkSendRecv {
 class Encrypted extends Expr {
   Encrypted() {
     exists(FunctionCall fc |
-      fc.getTarget()
-          .getName()
-          .toLowerCase()
-          .regexpMatch(".*(crypt|encode|decode|hash|securezero).*") and
+      encryptionFunction(fc.getTarget()) and
       (
         this = fc or
         this = fc.getAnArgument()
@@ -189,7 +198,7 @@ class Encrypted extends Expr {
     or
     exists(Type t |
       this.getType().refersTo(t) and
-      t.getName().toLowerCase().regexpMatch(".*(crypt|encode|decode|hash|securezero).*")
+      encryptionType(t)
     )
   }
 }

From d1b68713147b8699df4f1e2246642166091a2b67 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Mon, 7 Feb 2022 17:32:52 +0000
Subject: [PATCH 2/4] C++: Restrict type.

---
 cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql b/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
index 06f81a8cf19..565a2216a72 100644
--- a/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
+++ b/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
@@ -175,7 +175,7 @@ predicate encryptionFunction(Function f)
   .regexpMatch(".*(crypt|encode|decode|hash|securezero).*")
 }
 
-predicate encryptionType(Type t)
+predicate encryptionType(UserType t)
 {
   t.getName().toLowerCase().regexpMatch(".*(crypt|encode|decode|hash|securezero).*")
 }

From 6727069893a499f21be0a6a48d5ebb54f5b9fdeb Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Mon, 7 Feb 2022 17:33:11 +0000
Subject: [PATCH 3/4] C++: Autoformat.

---
 .../src/Security/CWE/CWE-311/CleartextTransmission.ql  | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql b/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
index 565a2216a72..1b3b1660423 100644
--- a/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
+++ b/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
@@ -168,15 +168,11 @@ class NetworkRecv extends NetworkSendRecv {
   override Recv target;
 }
 
-predicate encryptionFunction(Function f)
-{
-  f.getName()
-  .toLowerCase()
-  .regexpMatch(".*(crypt|encode|decode|hash|securezero).*")
+predicate encryptionFunction(Function f) {
+  f.getName().toLowerCase().regexpMatch(".*(crypt|encode|decode|hash|securezero).*")
 }
 
-predicate encryptionType(UserType t)
-{
+predicate encryptionType(UserType t) {
   t.getName().toLowerCase().regexpMatch(".*(crypt|encode|decode|hash|securezero).*")
 }
 

From 6005f3d2d495eba8e48a307e7818a7838e4b9789 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Tue, 8 Feb 2022 09:13:44 +0000
Subject: [PATCH 4/4] C++: Add pragma[noinline].

---
 cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql b/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
index 1b3b1660423..8a9d4f9b991 100644
--- a/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
+++ b/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
@@ -168,10 +168,12 @@ class NetworkRecv extends NetworkSendRecv {
   override Recv target;
 }
 
+pragma[noinline]
 predicate encryptionFunction(Function f) {
   f.getName().toLowerCase().regexpMatch(".*(crypt|encode|decode|hash|securezero).*")
 }
 
+pragma[noinline]
 predicate encryptionType(UserType t) {
   t.getName().toLowerCase().regexpMatch(".*(crypt|encode|decode|hash|securezero).*")
 }