Crypto: Removing JCA model of random, need to reassess this as this impacts the insecure IV/Nonce query. Updated name of the Insecure nonce query to be InsecureIVorNonce

java/ql/lib/experimental/quantum/JCA.qll

@@ -1095,21 +1095,6 @@ module JCAModel {
     }
   }
 
-  /**
-   * An instance of `java.security.SecureRandom.nextBytes(byte[])` call.
-   * This is already generally modeled for Java in CodeQL, but
-   * we model it again as part of the crypto API model to have a cohesive model.
-   */
-  class JavaSecuritySecureRandom extends Crypto::RandomNumberGenerationInstance instanceof Call {
-    JavaSecuritySecureRandom() {
-      this.getCallee().hasQualifiedName("java.security", "SecureRandom", "nextBytes")
-    }
-
-    override Crypto::DataFlowNode getOutputNode() { result.asExpr() = this.(Call).getArgument(0) }
-
-    override string getGeneratorName() { result = this.(Call).getCallee().getName() }
-  }
-
   class KeyGeneratorGenerateCall extends Crypto::KeyGenerationOperationInstance instanceof MethodCall
   {
     Crypto::KeyArtifactType type;

java/ql/src/experimental/quantum/Analysis/InsecureIVorNonceSource.ql

@@ -0,0 +1,19 @@
+/**
+ * @name Insecure nonce (static value or weak random source)
+ * @id java/quantum/insecure-iv-or-nonce
+ * @description A nonce is generated from a source that is not secure. This can lead to
+ *              vulnerabilities such as replay attacks or key recovery.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags quantum
+ *       experimental
+ */
+
+import experimental.quantum.Language
+
+from Crypto::NonceArtifactNode nonce, Crypto::NodeBase src
+where
+  nonce.getSourceNode() = src and
+  not src.asElement() instanceof SecureRandomnessInstance
+select nonce, "Nonce or IV uses insecure nonce source $@", src, src.toString()

java/ql/src/experimental/quantum/Analysis/InsecureNonceSource.ql

@@ -1,22 +0,0 @@
-/**
- * @name Insecure nonce at a cipher operation
- * @id java/quantum/insecure-nonce
- * @description A nonce is generated from a source that is not secure. This can lead to
- *              vulnerabilities such as replay attacks or key recovery.
- * @kind problem
- * @problem.severity error
- * @precision high
- * @tags quantum
- *       experimental
- */
-
-import experimental.quantum.Language
-
-predicate isInsecureNonceSource(Crypto::NonceArtifactNode n, Crypto::NodeBase src) {
-  src = n.getSourceNode() and
-  not src.asElement() instanceof SecureRandomnessInstance
-}
-
-from Crypto::KeyOperationNode op, Crypto::NodeBase src
-where isInsecureNonceSource(op.getANonce(), src)
-select op, "Operation uses insecure nonce source $@", src, src.toString()