hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Crypto: Removing JCA model of random, need to reassess this as this impacts the insecure IV/Nonce query. Updated name of the Insecure nonce query to be InsecureIVorNonce

Browse Source
This commit is contained in:
REDMOND\brodes
2025-10-08 11:41:21 -04:00
parent 143be8cc35
commit bd34b6ce02
3 changed files with 19 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
java/ql/lib/experimental/quantum/JCA.qll
View File

@@ -1095,21 +1095,6 @@ module JCAModel {
} }
} }
/**
* An instance of `java.security.SecureRandom.nextBytes(byte[])` call.
* This is already generally modeled for Java in CodeQL, but
* we model it again as part of the crypto API model to have a cohesive model.
*/
class JavaSecuritySecureRandom extends Crypto::RandomNumberGenerationInstance instanceof Call {
JavaSecuritySecureRandom() {
this.getCallee().hasQualifiedName("java.security", "SecureRandom", "nextBytes")
}
override Crypto::DataFlowNode getOutputNode() { result.asExpr() = this.(Call).getArgument(0) }
override string getGeneratorName() { result = this.(Call).getCallee().getName() }
}
class KeyGeneratorGenerateCall extends Crypto::KeyGenerationOperationInstance instanceof MethodCall class KeyGeneratorGenerateCall extends Crypto::KeyGenerationOperationInstance instanceof MethodCall
{ {
Crypto::KeyArtifactType type; Crypto::KeyArtifactType type;

19
java/ql/src/experimental/quantum/Analysis/InsecureIVorNonceSource.ql Normal file
View File

@@ -0,0 +1,19 @@
/**
* @name Insecure nonce (static value or weak random source)
* @id java/quantum/insecure-iv-or-nonce
* @description A nonce is generated from a source that is not secure. This can lead to
* vulnerabilities such as replay attacks or key recovery.
* @kind problem
* @problem.severity error
* @precision high
* @tags quantum
* experimental
*/
import experimental.quantum.Language
from Crypto::NonceArtifactNode nonce, Crypto::NodeBase src
where
nonce.getSourceNode() = src and
not src.asElement() instanceof SecureRandomnessInstance
select nonce, "Nonce or IV uses insecure nonce source $@", src, src.toString()

22
java/ql/src/experimental/quantum/Analysis/InsecureNonceSource.ql
View File

@@ -1,22 +0,0 @@
/**
* @name Insecure nonce at a cipher operation
* @id java/quantum/insecure-nonce
* @description A nonce is generated from a source that is not secure. This can lead to
* vulnerabilities such as replay attacks or key recovery.
* @kind problem
* @problem.severity error
* @precision high
* @tags quantum
* experimental
*/
import experimental.quantum.Language
predicate isInsecureNonceSource(Crypto::NonceArtifactNode n, Crypto::NodeBase src) {
src = n.getSourceNode() and
not src.asElement() instanceof SecureRandomnessInstance
}
from Crypto::KeyOperationNode op, Crypto::NodeBase src
where isInsecureNonceSource(op.getANonce(), src)
select op, "Operation uses insecure nonce source $@", src, src.toString()