From bf32b5a8fd58e1447cb9686eaff849d5ee358dee Mon Sep 17 00:00:00 2001
From: Joe Farebrother
Date: Tue, 19 Jul 2022 14:50:12 +0100
Subject: [PATCH] Reiview suggestions - add doc comment, reword description, simplify a part
---
 .../java/security/StaticInitializationVectorQuery.qll | 6 +++---
 .../Security/CWE/CWE-1204/StaticInitializationVector.ql | 9 ++-------
 2 files changed, 5 insertions(+), 10 deletions(-)
diff --git a/java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll b/java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll
index ce8db741336..bea53097e83 100644
--- a/java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll
@@ -1,3 +1,5 @@
+/** Definitions for the Static Initialization Vector query. */
+
 import java
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.TaintTracking2
@@ -73,9 +75,7 @@ private class ArrayUpdateConfig extends TaintTracking2::Configuration {
 source.asExpr() instanceof StaticByteArrayCreation
 }
 
- override predicate isSink(DataFlow::Node sink) {
- exists(ArrayUpdate update | update.getArray() = sink.asExpr())
- }
+ override predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(ArrayUpdate upd).getArray() }
 }
 
 /**
diff --git a/java/ql/src/Security/CWE/CWE-1204/StaticInitializationVector.ql b/java/ql/src/Security/CWE/CWE-1204/StaticInitializationVector.ql
index 24e24b0f41c..3a30d670e08 100644
--- a/java/ql/src/Security/CWE/CWE-1204/StaticInitializationVector.ql
+++ b/java/ql/src/Security/CWE/CWE-1204/StaticInitializationVector.ql
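Review bot: The rewritten `isSink` on the `+` line of the second hunk says what it matches but not why a write to the array is the sink of this configuration, which is the only non-obvious part of the class; a one-line comment above it would spare the next reader from reverse-engineering the intent, e.g. `// presumably: a byte array that is written to after creation is not treated as a fixed IV — confirm against the main configuration`. The enclosing `ArrayUpdateConfig` class starts before this hunk, so if its QLDoc already explains this, a short pointer to it is enough.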
@@ -1,12 +1,7 @@
 /**
 * @name Using a static initialization vector for encryption
- * @description A cipher needs an initialization vector (IV) in some cases,
- * for example, when CBC or GCM modes are used. IVs are used to randomize the encryption,
- * therefore they should be unique and ideally unpredictable.
- * Otherwise, the same plaintexts result in same ciphertexts under a given secret key.
- * If a static IV is used for encryption, this lets an attacker learn
- * if the same data pieces are transferred or stored,
- * or this can help the attacker run a dictionary attack.
+ * @description An initialization vector (IV) used for ciphers of certain modes (such as CBC or GCM) should be unique and unpredicateble.
+ * Otherwise, if the same IV is used with a the same secret key then the same plaintext results in same ciphertext, which weakens the encryption.
 * @kind path-problem
 * @problem.severity warning
 * @precision high
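Review bot: The two added `@description` lines carry typos that will be published verbatim as the query's metadata: `unpredicateble` and `with a the same secret key`, and `results in same ciphertext` reads better as `results in the same ciphertext`. Suggested replacement: ` * @description An initialization vector (IV) used for ciphers of certain modes (such as CBC or GCM) should be unique and unpredictable.` followed by ` * Otherwise, if the same IV is used with the same secret key, the same plaintext results in the same ciphertext, which weakens the encryption.` The removed text also explained the practical consequence (an observer can tell when identical data is transferred or stored), and for GCM in particular reusing an IV under one key also compromises the authentication guarantee, so `weakens the encryption` understates the impact; a few words on that would keep the description as informative as the one it replaces.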