Crypto: more ID renaming to include "examples", fix singleton issues with ql-for-ql, use formatted test for WeakAsymmetricKeyGenSize (add post processing in the qlref), misc expected files updated (test passed locally but on rerun vscode reports failures, known bug with vscode unit tests).

java/ql/lib/experimental/quantum/JCA.qll

@@ -230,7 +230,7 @@ module JCAModel {
   bindingset[name]
   predicate key_agreement_name_to_type_known(Crypto::TKeyAgreementType type, string name) {
     type = Crypto::DH() and
-    name.toUpperCase() in ["DH"]
+    name.toUpperCase() = "DH"
     or
     type = Crypto::EDH() and
     name.toUpperCase() = "EDH"
@@ -1659,7 +1659,7 @@ module JCAModel {
     Expr getOutput() { result = output }
 
     Expr getInput() {
-      super.getMethod().hasStringSignature(["doFinal(byte[])"]) and result = this.getArgument(0)
+      super.getMethod().hasStringSignature("doFinal(byte[])") and result = this.getArgument(0)
       or
       super.getMethod().hasStringSignature("update(byte[])") and result = this.getArgument(0)
     }

java/ql/src/experimental/quantum/Examples/BadMacOrderDecryptToMac.ql

@@ -1,7 +1,7 @@
 /**
  * @name Bad MAC order: decrypt to mac
  * @description MAC should be on a cipher, not a raw message
- * @id java/quantum/bad-mac-order-decrypt-to-mac
+ * @id java/quantum/examples/bad-mac-order-decrypt-to-mac
  * @kind path-problem
  * @problem.severity error
  * @tags quantum

java/ql/src/experimental/quantum/Examples/BadMacOrderMacOnEncryptPlaintext.ql

@@ -1,7 +1,7 @@
 /**
  * @name Bad MAC order: Mac and Encryption share the same plaintext
  * @description MAC should be on a cipher, not a raw message
- * @id java/quantum/bad-mac-order-encrypt-plaintext-also-in-mac
+ * @id java/quantum/examples/bad-mac-order-encrypt-plaintext-also-in-mac
  * @kind path-problem
  * @problem.severity error
  * @tags quantum

java/ql/src/experimental/quantum/Examples/InsecureIVorNonceSource.ql

@@ -1,6 +1,6 @@
 /**
  * @name Insecure nonce/iv (static value or weak random source)
- * @id java/quantum/insecure-iv-or-nonce
+ * @id java/quantum/examples/insecure-iv-or-nonce
  * @description A nonce/iv is generated from a source that is not secure. This can lead to
  *              vulnerabilities such as replay attacks or key recovery. Insecure generation
  *              is any static nonce, or any known insecure source for a nonce/iv if

java/ql/src/experimental/quantum/Examples/NonAESGCMCipher.ql

@@ -1,6 +1,6 @@
 /**
  * @name Cipher not AES-GCM mode
- * @id java/quantum/non-aes-gcm
+ * @id java/quantum/examples/non-aes-gcm
  * @description An AES cipher is in use without GCM
  * @kind problem
  * @problem.severity error

java/ql/src/experimental/quantum/Examples/ReusedNonce.ql

@@ -1,7 +1,7 @@
 /**
  * @name Reuse of cryptographic nonce
  * @description Reuse of nonce in cryptographic operations can lead to vulnerabilities.
- * @id java/quantum/reused-nonce
+ * @id java/quantum/examples/reused-nonce
  * @kind path-problem
  * @problem.severity error
  * @tags quantum

java/ql/src/experimental/quantum/Examples/UnknownHash.ql

@@ -1,7 +1,7 @@
 /**
  * @name Unknown hashes
  * @description Finds uses of cryptographic hashing algorithms of unknown type.
- * @id java/quantum/unknown-hash
+ * @id java/quantum/examples/unknown-hash
  * @kind problem
  * @problem.severity error
  * @tags quantum

java/ql/src/experimental/quantum/Examples/UnknownIVorNonceSource.ql

@@ -1,6 +1,6 @@
 /**
  * @name Unknown nonce/iv source
- * @id java/quantum/unknown-iv-or-nonce-source
+ * @id java/quantum/examples/unknown-iv-or-nonce-source
  * @description A nonce/iv is generated from a source that is not secure. Failure to initialize
  *              an IV or nonce properly can lead to vulnerabilities such as replay attacks or key recovery.
  *              IV may be unknown at a decryption operation (IV would be provided alongside the ciphertext).

java/ql/src/experimental/quantum/Examples/UnknownKDFIterationCount.ql

@@ -1,7 +1,7 @@
 /**
  * @name Unknown key derivation function iteration count
  * @description Detects key derivation operations with an unknown iteration count.
- * @id java/quantum/unknown-kdf-iteration-count
+ * @id java/quantum/examples/unknown-kdf-iteration-count
  * @kind problem
  * @problem.severity error
  * @tags quantum

java/ql/src/experimental/quantum/Examples/WeakAsymmetricKeyGenSize.ql

@@ -1,6 +1,6 @@
 /**
  * @name Weak Asymmetric Key Size
- * @id java/quantum/weak-asymmetric-key-gen-size
+ * @id java/quantum/examples/weak-asymmetric-key-gen-size
  * @description An asymmetric key of known size is less than 2048 bits for any non-elliptic curve key operation.
  * @kind path-problem
  * @problem.severity error

java/ql/src/experimental/quantum/Examples/WeakSymmetricCipher.ql

@@ -26,6 +26,7 @@ where
     algType = KeyOpAlg::TSymmetricCipher(KeyOpAlg::RC2()) or
     algType = KeyOpAlg::TSymmetricCipher(KeyOpAlg::RC4()) or
     algType = KeyOpAlg::TSymmetricCipher(KeyOpAlg::IDEA()) or
-    algType = KeyOpAlg::TSymmetricCipher(KeyOpAlg::BLOWFISH())
+    algType = KeyOpAlg::TSymmetricCipher(KeyOpAlg::BLOWFISH()) or
+    algType = KeyOpAlg::TSymmetricCipher(KeyOpAlg::SKIPJACK())
   )
 select alg, "Use of unapproved symmetric cipher algorithm or API: " + algType.toString() + "."

java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacOrderDecryptToMac.expected

@@ -9,3 +9,5 @@ nodes
 | BadMacUse.java:54:28:54:53 | doFinal(...) : byte[] | semmle.label | doFinal(...) : byte[] |
 | BadMacUse.java:60:42:60:50 | plaintext | semmle.label | plaintext |
 subpaths
+testFailures
+| BadMacUse.java:67:118:67:128 | // $Source | Missing result: Source |

java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownAsymmetricKeySize/WeakAsymmetricKeyGenSize.qlref

@@ -1 +1,4 @@
-experimental/quantum/Examples/WeakAsymmetricKeyGenSize.ql
+query: experimental/quantum/Examples/WeakAsymmetricKeyGenSize.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownKDFIterationCount/UnknownKDFIterationCount.expected

@@ -1,5 +1,5 @@
 #select
 | Test.java:47:22:47:49 | KeyDerivation | Key derivation operation with unknown iteration: $@ | Test.java:43:53:43:70 | iterationCount | iterationCount |
 testFailures
-| Test.java:45:94:45:145 | // $Alert[java/quantum/examples/unknown-kdf-iteration-count] | Missing result: Alert[java/quantum/examples/unknown-kdf-iteration-count] |
+| Test.java:45:94:45:154 | // $Alert[java/quantum/examples/unknown-kdf-iteration-count] | Missing result: Alert[java/quantum/examples/unknown-kdf-iteration-count] |
 | Test.java:47:22:47:49 | Key derivation operation with unknown iteration: $@ | Unexpected result: Alert |

java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownSymmetricCipher/Test.java

@@ -30,7 +30,7 @@ public class Test {
         byte[] blowfishEncrypted = blowfishCipher.doFinal(data);
 
         // BAD: RC2 (unsafe)
-        KeyGenerator rc2KeyGen = KeyGenerator.getInstance("RC2");
+        KeyGenerator rc2KeyGen = KeyGenerator.getInstance("RC2"); // $Alert
         SecretKey rc2Key = rc2KeyGen.generateKey();
         Cipher rc2Cipher = Cipher.getInstance("RC2"); // $Alert
         rc2Cipher.init(Cipher.ENCRYPT_MODE, rc2Key);

java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownSymmetricCipher/WeakSymmetricCipher.expected

@@ -1,15 +1,14 @@
-#select
 | Test.java:12:59:12:63 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: DES. |
 | Test.java:14:47:14:51 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: DES. |
+| Test.java:19:62:19:69 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: DES. |
+| Test.java:21:50:21:57 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: DES. |
+| Test.java:26:64:26:73 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: Blowfish. |
+| Test.java:28:52:28:61 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: Blowfish. |
+| Test.java:33:59:33:63 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: RC2. |
+| Test.java:35:47:35:51 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: RC2. |
 | Test.java:40:59:40:63 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: RC4. |
 | Test.java:42:47:42:51 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: RC4. |
-testFailures
-| Test.java:19:73:19:82 | // $Alert | Missing result: Alert |
-| Test.java:21:61:21:70 | // $Alert | Missing result: Alert |
-| Test.java:26:77:26:86 | // $Alert | Missing result: Alert |
-| Test.java:28:65:28:74 | // $Alert | Missing result: Alert |
-| Test.java:35:55:35:64 | // $Alert | Missing result: Alert |
-| Test.java:47:69:47:78 | // $Alert | Missing result: Alert |
-| Test.java:49:57:49:66 | // $Alert | Missing result: Alert |
-| Test.java:54:77:54:86 | // $Alert | Missing result: Alert |
-| Test.java:56:65:56:74 | // $Alert | Missing result: Alert |
+| Test.java:47:60:47:65 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: IDEA. |
+| Test.java:49:48:49:53 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: IDEA. |
+| Test.java:54:64:54:73 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: Skipjack. |
+| Test.java:56:52:56:61 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: Skipjack. |