clean-up and update configurations to have specs as sink

2025-12-21 19:26:31 +01:00 · 2022-10-10 16:18:49 -04:00
parent 0c2cff253f
commit bd76b1fcc0
4 changed files with 99 additions and 141 deletions
--- a/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll
@@ -1,24 +1,14 @@
 import semmle.code.java.security.Encryption
 import semmle.code.java.dataflow.TaintTracking2
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.DataFlow2
 // ******* DATAFLOW BELOW *************************************************************************
 /**
 * Asymmetric (RSA, DSA, DH) key length data flow tracking configuration.
 */
-class AsymmetricKeyTrackingConfiguration extends DataFlow2::Configuration {
+class AsymmetricNonECKeyTrackingConfiguration extends DataFlow2::Configuration {
-  AsymmetricKeyTrackingConfiguration() { this = "AsymmetricKeyTrackingConfiguration" }
+  AsymmetricNonECKeyTrackingConfiguration() { this = "AsymmetricNonECKeyTrackingConfiguration" }
  override predicate isSource(DataFlow::Node source) {
    // ! may need to change below to still use `keysize` variable as the source, not the spec
    // ! also need to look into specs for DSA and DH more
    exists(ClassInstanceExpr rsaGenParamSpec |
      rsaGenParamSpec.getConstructedType() instanceof RSAGenParameterSpec and
      rsaGenParamSpec.getArgument(0).(CompileTimeConstantExpr).getIntValue() < 2048 and
      source.asExpr() = rsaGenParamSpec
    )
    or
    source.asExpr().(IntegerLiteral).getIntValue() < 2048
  }
@@ -34,7 +24,23 @@ class AsymmetricKeyTrackingConfiguration extends DataFlow2::Configuration {
        dest.getNode().asExpr() = ma.getQualifier() and
        kpgConfig.hasFlowPath(source, dest)
      ) and
-      sink.asExpr() = ma.getArgument(0) // ! todo: add spec as a sink
+      sink.asExpr() = ma.getArgument(0)
    )
    or
    // TODO: combine below three for less duplicated code
    exists(ClassInstanceExpr rsaKeyGenParamSpec |
      rsaKeyGenParamSpec.getConstructedType() instanceof RSAKeyGenParameterSpec and
      sink.asExpr() = rsaKeyGenParamSpec.getArgument(0)
    )
    or
    exists(ClassInstanceExpr dsaGenParamSpec |
      dsaGenParamSpec.getConstructedType() instanceof DSAGenParameterSpec and
      sink.asExpr() = dsaGenParamSpec.getArgument(0)
    )
    or
    exists(ClassInstanceExpr dhGenParamSpec |
      dhGenParamSpec.getConstructedType() instanceof DHGenParameterSpec and
      sink.asExpr() = dhGenParamSpec.getArgument(0)
    )
  }
 }
@@ -42,17 +48,12 @@ class AsymmetricKeyTrackingConfiguration extends DataFlow2::Configuration {
 /**
 * Asymmetric (EC) key length data flow tracking configuration.
 */
-class AsymmetricECCKeyTrackingConfiguration extends DataFlow2::Configuration {
+class AsymmetricECKeyTrackingConfiguration extends DataFlow2::Configuration {
-  AsymmetricECCKeyTrackingConfiguration() { this = "AsymmetricECCKeyTrackingConfiguration" }
+  AsymmetricECKeyTrackingConfiguration() { this = "AsymmetricECKeyTrackingConfiguration" }
  override predicate isSource(DataFlow::Node source) {
-    // ! may need to change below to still use `keysize` variable as the source, not the spec
+    source.asExpr().(IntegerLiteral).getIntValue() < 256 or
-    exists(ClassInstanceExpr ecGenParamSpec |
+    getECKeySize(source.asExpr().(StringLiteral).getValue()) < 256 // need this for the cases when the key size is embedded in the curve name.
      getECKeySize(ecGenParamSpec.getArgument(0).(StringLiteral).getValue()) < 256 and
      source.asExpr() = ecGenParamSpec
    )
    or
    source.asExpr().(IntegerLiteral).getIntValue() < 256
  }
  override predicate isSink(DataFlow::Node sink) {
@@ -69,6 +70,12 @@ class AsymmetricECCKeyTrackingConfiguration extends DataFlow2::Configuration {
      ) and
      sink.asExpr() = ma.getArgument(0)
    )
    or
    exists(ClassInstanceExpr ecGenParamSpec |
      ecGenParamSpec.getConstructedType() instanceof ECGenParameterSpec and
      //getECKeySize(ecGenParamSpec.getArgument(0).(StringLiteral).getValue()) < 256 and
      sink.asExpr() = ecGenParamSpec.getArgument(0)
    )
  }
 }
@@ -76,7 +83,7 @@ class AsymmetricECCKeyTrackingConfiguration extends DataFlow2::Configuration {
 * Symmetric (AES) key length data flow tracking configuration.
 */
 class SymmetricKeyTrackingConfiguration extends DataFlow2::Configuration {
-  SymmetricKeyTrackingConfiguration() { this = "SymmetricKeyTrackingConfiguration2" }
+  SymmetricKeyTrackingConfiguration() { this = "SymmetricKeyTrackingConfiguration" }
  override predicate isSource(DataFlow::Node source) {
    source.asExpr().(IntegerLiteral).getIntValue() < 128
@@ -99,14 +106,9 @@ class SymmetricKeyTrackingConfiguration extends DataFlow2::Configuration {
  }
 }
-// ! below predicate doesn't work
+// ********************** Need the below models for the above configs **********************
-// predicate hasInsufficientKeySize2(DataFlow::PathNode source, DataFlow::PathNode sink) {
+// todo: move some/all of below to Encryption.qll or elsewhere?
-//   exists(AsymmetricKeyTrackingConfiguration config1 | config1.hasFlowPath(source, sink))
+/** Data flow configuration tracking flow from a key generator to an `init` method call. */
 //   or
 //   exists(SymmetricKeyTrackingConfiguration config2 | config2.hasFlowPath(source, sink))
 // }
 // ******** Need the below models for the above configs ********
 /** Taint configuration tracking flow from a key generator to a `init` method call. */
 private class KeyGeneratorInitConfiguration extends DataFlow::Configuration {
  KeyGeneratorInitConfiguration() { this = "KeyGeneratorInitConfiguration" }
@@ -122,10 +124,7 @@ private class KeyGeneratorInitConfiguration extends DataFlow::Configuration {
  }
 }
-/**
+/** Data flow configuration tracking flow from a keypair generator to an `initialize` method call. */
 * Taint configuration tracking flow from a keypair generator to
 * an `initialize` method call.
 */
 private class KeyPairGeneratorInitConfiguration extends DataFlow::Configuration {
  KeyPairGeneratorInitConfiguration() { this = "KeyPairGeneratorInitConfiguration" }
@@ -141,28 +140,24 @@ private class KeyPairGeneratorInitConfiguration extends DataFlow::Configuration
  }
 }
 // ! move some/all of below to Encryption.qll or elsewhere?
 /** The Java class `java.security.spec.ECGenParameterSpec`. */
 private class ECGenParameterSpec extends RefType {
  ECGenParameterSpec() { this.hasQualifiedName("java.security.spec", "ECGenParameterSpec") }
 }
-/** The Java class `java.security.spec.ECGenParameterSpec`. */
+/** The Java class `java.security.spec.RSAKeyGenParameterSpec`. */
-private class RSAGenParameterSpec extends RefType {
+private class RSAKeyGenParameterSpec extends RefType {
-  RSAGenParameterSpec() { this.hasQualifiedName("java.security.spec", "RSAKeyGenParameterSpec") }
+  RSAKeyGenParameterSpec() { this.hasQualifiedName("java.security.spec", "RSAKeyGenParameterSpec") }
 }
-/** Returns the key size in the EC algorithm string */
+/** The Java class `java.security.spec.DSAGenParameterSpec`. */
-bindingset[algorithm]
+private class DSAGenParameterSpec extends RefType {
-private int getECKeySize(string algorithm) {
+  DSAGenParameterSpec() { this.hasQualifiedName("java.security.spec", "DSAGenParameterSpec") }
-  algorithm.matches("sec%") and // specification such as "secp256r1"
+}
-  result = algorithm.regexpCapture("sec[p|t](\\d+)[a-zA-Z].*", 1).toInt()
+
-  or
+/** The Java class `javax.crypto.spec.DHGenParameterSpec`. */
-  algorithm.matches("X9.62%") and //specification such as "X9.62 prime192v2"
+private class DHGenParameterSpec extends RefType {
-  result = algorithm.regexpCapture("X9\\.62 .*[a-zA-Z](\\d+)[a-zA-Z].*", 1).toInt()
+  DHGenParameterSpec() { this.hasQualifiedName("javax.crypto.spec", "DHGenParameterSpec") }
  or
  (algorithm.matches("prime%") or algorithm.matches("c2tnb%")) and //specification such as "prime192v2"
  result = algorithm.regexpCapture(".*[a-zA-Z](\\d+)[a-zA-Z].*", 1).toInt()
 }
 /** The `init` method declared in `javax.crypto.KeyGenerator`. */
@@ -181,21 +176,21 @@ private class KeyPairGeneratorInitMethod extends Method {
  }
 }
 /** Returns the key size in the EC algorithm string */
 bindingset[algorithm]
 private int getECKeySize(string algorithm) {
  algorithm.matches("sec%") and // specification such as "secp256r1"
  result = algorithm.regexpCapture("sec[p|t](\\d+)[a-zA-Z].*", 1).toInt()
  or
  algorithm.matches("X9.62%") and //specification such as "X9.62 prime192v2"
  result = algorithm.regexpCapture("X9\\.62 .*[a-zA-Z](\\d+)[a-zA-Z].*", 1).toInt()
  or
  (algorithm.matches("prime%") or algorithm.matches("c2tnb%")) and //specification such as "prime192v2"
  result = algorithm.regexpCapture(".*[a-zA-Z](\\d+)[a-zA-Z].*", 1).toInt()
 }
 // ******* DATAFLOW ABOVE *************************************************************************
 // ************************************************************************************************
 // ************************************************************************************************
 // ******* OLD/UNUSED OR EXPERIMENTAL CODE BELOW **************************************************
 class UnsafeSymmetricKeySize extends IntegerLiteral {
  UnsafeSymmetricKeySize() { this.getIntValue() < 128 }
 }
 class UnsafeAsymmetricKeySize extends IntegerLiteral {
  UnsafeAsymmetricKeySize() { this.getIntValue() < 2048 }
 }
 // TODO:
 // ! todo #0a: find a better way to combine the two needed taint-tracking configs so can go back to having a path-graph...
 // ! todo #0b: possible to combine the 3 dataflow configs?
 // todo #1: make representation of source that can be shared across the configs
 // todo #2: make representation of sink that can be shared across the configs
 // todo #3: make list of algo names more easily reusable (either as constant-type variable at top of file, or model as own class to share, etc.)
-// todo #4: refactor to be more like the Python version? (or not possible because of lack of DataFlow::Node for void method in Java?)
+// todo #4: refactor to be more like the Python (or C#) version? (or not possible because of lack of DataFlow::Node for void method in Java?)
--- a/java/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
+++ b/java/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
@@ -14,31 +14,9 @@
 import java
 import semmle.code.java.security.InsufficientKeySizeQuery
 // * Original:
 //import DataFlow::PathGraph
 // from Expr e, string msg
 // where hasInsufficientKeySize(e, msg)
 // * Test data-flow config with just Asymmetric:
 // select e, msg
 // from
 //   AsymmetricKeyTrackingConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink,
 //   KeyTrackingConfiguration cfg2 //, DataFlow::PathNode source2, DataFlow::PathNode sink2
 // where
 //   //cfg.hasFlowPath(source, sink) //or
 //   cfg2.hasFlowPath(source, sink)
 // select sink.getNode(), source, sink, "The $@ of an asymmetric key should be at least 2048 bits.",
 //   sink.getNode(), "size"
 // * Data-Flow path-graph with All configs: (but doesn't track algo name properly...)
 // from DataFlow::PathNode source, DataFlow::PathNode sink
 // where exists(AsymmetricKeyTrackingConfiguration config1 | config1.hasFlowPath(source, sink)) //or
 // //exists(AsymmetricECCKeyTrackingConfiguration config2 | config2.hasFlowPath(source, sink)) //or
 // //exists(SymmetricKeyTrackingConfiguration config3 | config3.hasFlowPath(source, sink))
 // select sink.getNode(), source, sink, "This $@ is too small, and flows to $@.", source.getNode(),
 //   "key size", sink.getNode(), "here"
 // * Taint-tracking with kpg to track algo names
 from DataFlow::Node source, DataFlow::Node sink
 where
-  exists(AsymmetricKeyTrackingConfiguration config1 | config1.hasFlow(source, sink)) or
+  exists(AsymmetricNonECKeyTrackingConfiguration config1 | config1.hasFlow(source, sink)) or
-  exists(AsymmetricECCKeyTrackingConfiguration config2 | config2.hasFlow(source, sink)) or
+  exists(AsymmetricECKeyTrackingConfiguration config2 | config2.hasFlow(source, sink)) or
  exists(SymmetricKeyTrackingConfiguration config3 | config3.hasFlow(source, sink))
 select sink, "This $@ is too small and creates a key $@.", source, "key size", sink, "here"
--- a/java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.java
+++ b/java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.java
@@ -36,8 +36,8 @@ public class InsufficientKeySizeTest {
            // test with spec
            // BAD: Key size is less than 2048
            KeyPairGenerator keyPairGen3 = KeyPairGenerator.getInstance("RSA");
-            RSAKeyGenParameterSpec rsaSpec = new RSAKeyGenParameterSpec(1024, null);
+            RSAKeyGenParameterSpec rsaSpec = new RSAKeyGenParameterSpec(1024, null); // $ hasInsufficientKeySize
-            keyPairGen3.initialize(rsaSpec); // $ hasInsufficientKeySize
+            keyPairGen3.initialize(rsaSpec);
            // BAD: Key size is less than 2048
            KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance("RSA");
@@ -54,15 +54,15 @@ public class InsufficientKeySizeTest {
            KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance("DSA");
            keyPairGen4.initialize(2048); // Safe
-            // test with spec?
+            // test with spec
-            // // BAD: Key size is less than 2048
+            // BAD: Key size is less than 2048
-            // KeyPairGenerator keyPairGen5 = KeyPairGenerator.getInstance("DSA");
+            KeyPairGenerator keyPairGen5 = KeyPairGenerator.getInstance("DSA");
-            // DSAGenParameterSpec dsaSpec = new DSAGenParameterSpec(1024, null);
+            DSAGenParameterSpec dsaSpec = new DSAGenParameterSpec(1024, 0); // $ hasInsufficientKeySize
-            // keyPairGen5.initialize(dsaSpec); // $ hasInsufficientKeySize
+            keyPairGen5.initialize(dsaSpec);
-            // // BAD: Key size is less than 2048
+            // BAD: Key size is less than 2048
-            // KeyPairGenerator keyPairGen6 = KeyPairGenerator.getInstance("DSA");
+            KeyPairGenerator keyPairGen6 = KeyPairGenerator.getInstance("DSA");
-            // keyPairGen6.initialize(new DSAGenParameterSpec(1024, null)); // $ hasInsufficientKeySize
+            keyPairGen6.initialize(new DSAGenParameterSpec(1024, 0)); // $ hasInsufficientKeySize
        }
        // DH (Asymmetric)
@@ -75,15 +75,15 @@ public class InsufficientKeySizeTest {
            KeyPairGenerator keyPairGen17 = KeyPairGenerator.getInstance("DH");
            keyPairGen17.initialize(2048); // Safe
-            // test with spec?
+            // test with spec
-            // // BAD: Key size is less than 2048
+            // BAD: Key size is less than 2048
-            // KeyPairGenerator keyPairGen3 = KeyPairGenerator.getInstance("DH");
+            KeyPairGenerator keyPairGen3 = KeyPairGenerator.getInstance("DH");
-            // DHGenParameterSpec dhSpec = new DHGenParameterSpec(1024, null);
+            DHGenParameterSpec dhSpec = new DHGenParameterSpec(1024, 0); // $ hasInsufficientKeySize
-            // keyPairGen3.initialize(dhSpec); // $ hasInsufficientKeySize
+            keyPairGen3.initialize(dhSpec);
-            // // BAD: Key size is less than 2048
+            // BAD: Key size is less than 2048
-            // KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance("DH");
+            KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance("DH");
-            // keyPairGen4.initialize(new DHGenParameterSpec(1024, null)); // $ hasInsufficientKeySize
+            keyPairGen4.initialize(new DHGenParameterSpec(1024, 0)); // $ hasInsufficientKeySize
        }
        // EC (Asymmetric)
@@ -91,8 +91,8 @@ public class InsufficientKeySizeTest {
        {
            // BAD: Key size is less than 256
            KeyPairGenerator keyPairGen5 = KeyPairGenerator.getInstance("EC");
-            ECGenParameterSpec ecSpec1 = new ECGenParameterSpec("secp112r1");
+            ECGenParameterSpec ecSpec1 = new ECGenParameterSpec("secp112r1"); // $ hasInsufficientKeySize
-            keyPairGen5.initialize(ecSpec1); // $ hasInsufficientKeySize
+            keyPairGen5.initialize(ecSpec1);
            // BAD: Key size is less than 256
            KeyPairGenerator keyPairGen6 = KeyPairGenerator.getInstance("EC");
@@ -105,18 +105,18 @@ public class InsufficientKeySizeTest {
            // BAD: Key size is less than 256
            KeyPairGenerator keyPairGen8 = KeyPairGenerator.getInstance("EC");
-            ECGenParameterSpec ecSpec3 = new ECGenParameterSpec("X9.62 prime192v2");
+            ECGenParameterSpec ecSpec3 = new ECGenParameterSpec("X9.62 prime192v2"); // $ hasInsufficientKeySize
-            keyPairGen8.initialize(ecSpec3); // $ hasInsufficientKeySize
+            keyPairGen8.initialize(ecSpec3);
            // BAD: Key size is less than 256
            KeyPairGenerator keyPairGen9 = KeyPairGenerator.getInstance("EC");
-            ECGenParameterSpec ecSpec4 = new ECGenParameterSpec("X9.62 c2tnb191v3");
+            ECGenParameterSpec ecSpec4 = new ECGenParameterSpec("X9.62 c2tnb191v3"); // $ hasInsufficientKeySize
-            keyPairGen9.initialize(ecSpec4); // $ hasInsufficientKeySize
+            keyPairGen9.initialize(ecSpec4);
            // BAD: Key size is less than 256
            KeyPairGenerator keyPairGen10 = KeyPairGenerator.getInstance("EC");
-            ECGenParameterSpec ecSpec5 = new ECGenParameterSpec("sect163k1");
+            ECGenParameterSpec ecSpec5 = new ECGenParameterSpec("sect163k1"); // $ hasInsufficientKeySize
-            keyPairGen10.initialize(ecSpec5); // $ hasInsufficientKeySize
+            keyPairGen10.initialize(ecSpec5);
            // GOOD: Key size is no less than 256
            KeyPairGenerator keyPairGen11 = KeyPairGenerator.getInstance("EC");
@@ -125,8 +125,8 @@ public class InsufficientKeySizeTest {
            // BAD: Key size is less than 256
            KeyPairGenerator keyPairGen12 = KeyPairGenerator.getInstance("EC");
-            ECGenParameterSpec ecSpec7 = new ECGenParameterSpec("prime192v2");
+            ECGenParameterSpec ecSpec7 = new ECGenParameterSpec("prime192v2"); // $ hasInsufficientKeySize
-            keyPairGen12.initialize(ecSpec7); // $ hasInsufficientKeySize
+            keyPairGen12.initialize(ecSpec7);
            // GOOD: Key size is no less than 256
            KeyPairGenerator keyPairGen13 = KeyPairGenerator.getInstance("EC");
@@ -135,8 +135,8 @@ public class InsufficientKeySizeTest {
            // BAD: Key size is less than 256
            KeyPairGenerator keyPairGen14 = KeyPairGenerator.getInstance("EC");
-            ECGenParameterSpec ecSpec9 = new ECGenParameterSpec("c2tnb191v1");
+            ECGenParameterSpec ecSpec9 = new ECGenParameterSpec("c2tnb191v1"); // $ hasInsufficientKeySize
-            keyPairGen14.initialize(ecSpec9); // $ hasInsufficientKeySize
+            keyPairGen14.initialize(ecSpec9);
            // GOOD: Key size is no less than 256
            KeyPairGenerator keyPairGen15 = KeyPairGenerator.getInstance("EC");
@@ -194,7 +194,7 @@ public class InsufficientKeySizeTest {
         // Test variable passed to other method(s) - Asymmetric, EC
         {
-            ECGenParameterSpec ecSpec = new ECGenParameterSpec("secp112r1"); // test ECGenParameterSpec variable
+            ECGenParameterSpec ecSpec = new ECGenParameterSpec("secp112r1"); // $ hasInsufficientKeySize // test ECGenParameterSpec variable
            KeyPairGenerator keyPairGen22 = KeyPairGenerator.getInstance("EC"); // test KeyPairGenerator variable
            testAsymmetricEC(ecSpec, keyPairGen22);
@@ -237,18 +237,17 @@ public class InsufficientKeySizeTest {
    public static void testAsymmetricEC(ECGenParameterSpec spec, KeyPairGenerator kpg) throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException {
        // BAD: Key size is less than 256
        KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("EC");
-        keyPairGen.initialize(spec); // $ hasInsufficientKeySize
+        keyPairGen.initialize(spec); // sink is now at above where `spec` variable is initialized
        // BAD: Key size is less than 256
-        ECGenParameterSpec ecSpec = new ECGenParameterSpec("secp112r1");
+        ECGenParameterSpec ecSpec = new ECGenParameterSpec("secp112r1"); // $ hasInsufficientKeySize
-        kpg.initialize(ecSpec); // $ hasInsufficientKeySize
+        kpg.initialize(ecSpec);
    }
    // ToDo testing:
-    // todo #1: add tests for keysize variable passed to specs
+    // ? todo #1: add tests for keysize variable passed to specs - not needed if spec is sink now
    // ? todo #2: add tests with DH and DSA specs? (or do those specs not make dev specify keysize?)
    // ? todo #3: add test for retrieving a key from elsewhere?
-    // todo #4: add barrier-guard tests (see FP from OpenIdentityPlatform/OpenAM)
+    // ? todo #4: add barrier-guard tests (see FP from OpenIdentityPlatform/OpenAM)
    // ? todo #5: add tests for updated keysize variable?: e.g. keysize = 1024; keysize += 1024; so when it's used it is correctly 2048.
    // ? todo #6: consider if some flow paths for keysize variables will be too hard to track how the keysize is updated (e.g. if calling some other method to get keysize, etc....)
 }
--- a/java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.ql
+++ b/java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.ql
@@ -7,25 +7,11 @@ class InsufficientKeySizeTest extends InlineExpectationsTest {
  override string getARelevantTag() { result = "hasInsufficientKeySize" }
  // * Path-problem
  // override predicate hasActualResult(Location location, string element, string tag, string value) {
  //   tag = "hasInsufficientKeySize" and
  //   exists(DataFlow::PathNode source, DataFlow::PathNode sink |
  //     exists(AsymmetricKeyTrackingConfiguration config1 | config1.hasFlowPath(source, sink)) or
  //     exists(AsymmetricECCKeyTrackingConfiguration config2 | config2.hasFlowPath(source, sink)) or
  //     exists(SymmetricKeyTrackingConfiguration config2 | config2.hasFlowPath(source, sink))
  //   |
  //     sink.getNode().getLocation() = location and
  //     element = sink.getNode().toString() and
  //     value = ""
  //   )
  // }
  // * Not path-problem
  override predicate hasActualResult(Location location, string element, string tag, string value) {
    tag = "hasInsufficientKeySize" and
    exists(DataFlow::Node source, DataFlow::Node sink |
-      exists(AsymmetricKeyTrackingConfiguration config1 | config1.hasFlow(source, sink)) or
+      exists(AsymmetricNonECKeyTrackingConfiguration config1 | config1.hasFlow(source, sink)) or
-      exists(AsymmetricECCKeyTrackingConfiguration config2 | config2.hasFlow(source, sink)) or
+      exists(AsymmetricECKeyTrackingConfiguration config2 | config2.hasFlow(source, sink)) or
      exists(SymmetricKeyTrackingConfiguration config3 | config3.hasFlow(source, sink))
    |
      sink.getLocation() = location and