diff --git a/cpp/ql/lib/experimental/Quantum/Language.qll b/cpp/ql/lib/experimental/Quantum/Language.qll
index 2d076a1323c..c3e2e3ad55f 100644
--- a/cpp/ql/lib/experimental/Quantum/Language.qll
+++ b/cpp/ql/lib/experimental/Quantum/Language.qll
@@ -1,6 +1,4 @@
-private import codeql.cryptography.Model
-import semmle.code.cpp.ir.IR
-import semmle.code.cpp.security.FlowSources as FlowSources
+import codeql.quantum.Model
 import semmle.code.cpp.dataflow.new.DataFlow
 private import cpp as Lang
diff --git a/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmInstances/AlgToAVCFlow.qll b/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmInstances/AlgToAVCFlow.qll
index 25cdea6accf..72c3ffcfad4 100644
--- a/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmInstances/AlgToAVCFlow.qll
+++ b/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmInstances/AlgToAVCFlow.qll
@@ -1,7 +1,7 @@
 import cpp
 import semmle.code.cpp.dataflow.new.DataFlow
-import experimental.Quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-import experimental.Quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers // import all known alg value consummers
+import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
 /**
 * Traces 'known algorithms' to AVCs, specifically
diff --git a/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmInstances/BlockAlgorithmInstance.qll b/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmInstances/BlockAlgorithmInstance.qll
index 1e17c64f34c..2566c1188a6 100644
--- a/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmInstances/BlockAlgorithmInstance.qll
+++ b/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmInstances/BlockAlgorithmInstance.qll
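Review bot: The replacement import on the new side of the C++ `Language.qll` hunk, `import codeql.quantum.Model`, drops the `private` qualifier that the removed `private import codeql.cryptography.Model` carried, so every file importing this `Language.qll` now also sees the shared model's names directly. The Java `Language.qll` hunk later in this diff keeps `private import codeql.quantum.Model`; unless the re-export is intended, the C++ line should read `private import codeql.quantum.Model`. The hunk also removes the public imports of `semmle.code.cpp.ir.IR` and `FlowSources`, so any importer that relied on them transitively (not visible here) would need its own import.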
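Review bot: The new import paths in `AlgToAVCFlow.qll` use `experimental.quantum` in lower case, while the `---`/`+++` headers of this file and of every other file in the diff still place it under `experimental/Quantum/`. QL imports normally resolve by directory name, so these imports would presumably fail on a case-sensitive file system unless the directory is renamed in a part of the change not shown here. The same applies to every `experimental.quantum.*` import in the later hunks. It is worth confirming that the directory rename lands in the same commit, or keeping the old casing until it does.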
@@ -1,8 +1,8 @@
 import cpp
-import experimental.Quantum.Language
+import experimental.quantum.Language
 import OpenSSLAlgorithmInstanceBase
-import experimental.Quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-import experimental.Quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
+import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
 import AlgToAVCFlow
 /**
diff --git a/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll b/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll
index 0dd948c9fae..7483572848e 100644
--- a/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll
+++ b/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll
@@ -1,10 +1,10 @@
 import cpp
-import experimental.Quantum.Language
+import experimental.quantum.Language
 import KnownAlgorithmConstants
 import Crypto::KeyOpAlg as KeyOpAlg
 import OpenSSLAlgorithmInstanceBase
 import PaddingAlgorithmInstance
-import experimental.Quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
 import AlgToAVCFlow
 import BlockAlgorithmInstance
diff --git a/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmInstances/HashAlgorithmInstance.qll b/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmInstances/HashAlgorithmInstance.qll
index 4b412da9b55..985e36dbdd7 100644
--- a/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmInstances/HashAlgorithmInstance.qll
+++ b/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmInstances/HashAlgorithmInstance.qll
@@ -1,7 +1,7 @@
 import cpp
-import experimental.Quantum.Language
+import experimental.quantum.Language
 import KnownAlgorithmConstants
-import experimental.Quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
 import AlgToAVCFlow
 predicate knownOpenSSLConstantToHashFamilyType(
diff --git a/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmInstances/KnownAlgorithmConstants.qll b/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmInstances/KnownAlgorithmConstants.qll
index a0f0107d0ac..77caf0bb378 100644
--- a/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmInstances/KnownAlgorithmConstants.qll
+++ b/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmInstances/KnownAlgorithmConstants.qll
@@ -1,5 +1,5 @@
 import cpp
-import experimental.Quantum.OpenSSL.LibraryDetector
+import experimental.quantum.OpenSSL.LibraryDetector
 predicate resolveAlgorithmFromExpr(Expr e, string normalizedName, string algType) {
 resolveAlgorithmFromCall(e, normalizedName, algType)
diff --git a/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmInstances/OpenSSLAlgorithmInstanceBase.qll b/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmInstances/OpenSSLAlgorithmInstanceBase.qll
index 6a206773bfb..dc49c139cf0 100644
--- a/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmInstances/OpenSSLAlgorithmInstanceBase.qll
+++ b/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmInstances/OpenSSLAlgorithmInstanceBase.qll
@@ -1,5 +1,5 @@
-import experimental.Quantum.Language
-import experimental.Quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+import experimental.quantum.Language
+import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
 abstract class OpenSSLAlgorithmInstance extends Crypto::AlgorithmInstance {
 abstract OpenSSLAlgorithmValueConsumer getAVC();
diff --git a/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmInstances/PaddingAlgorithmInstance.qll b/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmInstances/PaddingAlgorithmInstance.qll
index 219289c7da0..4fb4d081869 100644
--- a/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmInstances/PaddingAlgorithmInstance.qll
+++ b/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmInstances/PaddingAlgorithmInstance.qll
@@ -1,9 +1,9 @@
 import cpp
-import experimental.Quantum.Language
+import experimental.quantum.Language
 import OpenSSLAlgorithmInstanceBase
-import experimental.Quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
 import AlgToAVCFlow
-import experimental.Quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
+import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
 /**
 * Given a `KnownOpenSSLPaddingAlgorithmConstant`, converts this to a padding family type.
diff --git a/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmValueConsumers/CipherAlgorithmValueConsumer.qll b/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmValueConsumers/CipherAlgorithmValueConsumer.qll
index 19777bc06d1..8fa65860b60 100644
--- a/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmValueConsumers/CipherAlgorithmValueConsumer.qll
+++ b/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmValueConsumers/CipherAlgorithmValueConsumer.qll
@@ -1,8 +1,8 @@
 import cpp
-import experimental.Quantum.Language
-import experimental.Quantum.OpenSSL.LibraryDetector
-import experimental.Quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-import experimental.Quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
+import experimental.quantum.Language
+import experimental.quantum.OpenSSL.LibraryDetector
+import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
 import OpenSSLAlgorithmValueConsumerBase
 abstract class CipherAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { }
diff --git a/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmValueConsumers/DirectAlgorithmValueConsumer.qll b/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmValueConsumers/DirectAlgorithmValueConsumer.qll
index cebe7a86a12..ffc9a7c3991 100644
--- a/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmValueConsumers/DirectAlgorithmValueConsumer.qll
+++ b/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmValueConsumers/DirectAlgorithmValueConsumer.qll
@@ -1,7 +1,7 @@
 import cpp
-import experimental.Quantum.Language
-import experimental.Quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-import experimental.Quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+import experimental.quantum.Language
+import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
 // TODO: can self referential to itself, which is also an algorithm (Known algorithm)
 /**
diff --git a/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmValueConsumers/HashAlgorithmValueConsumer.qll b/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmValueConsumers/HashAlgorithmValueConsumer.qll
index 753bb356e7a..b041b986754 100644
--- a/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmValueConsumers/HashAlgorithmValueConsumer.qll
+++ b/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmValueConsumers/HashAlgorithmValueConsumer.qll
@@ -2,11 +2,11 @@
 // import EVPHashOperation
 // import EVPHashAlgorithmSource
 import cpp
-import experimental.Quantum.Language
+import experimental.quantum.Language
 import semmle.code.cpp.dataflow.new.DataFlow
-import experimental.Quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
-import experimental.Quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
-import experimental.Quantum.OpenSSL.LibraryDetector
+import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
+import experimental.quantum.OpenSSL.LibraryDetector
 abstract class HashAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { }
diff --git a/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmValueConsumers/OpenSSLAlgorithmValueConsumerBase.qll b/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmValueConsumers/OpenSSLAlgorithmValueConsumerBase.qll
index dddcf14c713..3f6e2bd4dc8 100644
--- a/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmValueConsumers/OpenSSLAlgorithmValueConsumerBase.qll
+++ b/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmValueConsumers/OpenSSLAlgorithmValueConsumerBase.qll
@@ -1,4 +1,4 @@
-import experimental.Quantum.Language
+import experimental.quantum.Language
 import semmle.code.cpp.dataflow.new.DataFlow
 abstract class OpenSSLAlgorithmValueConsumer extends Crypto::AlgorithmValueConsumer instanceof Call {
diff --git a/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmValueConsumers/PaddingAlgorithmValueConsumer.qll b/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmValueConsumers/PaddingAlgorithmValueConsumer.qll
index 009b22cf1b8..3f7ce20d6b3 100644
--- a/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmValueConsumers/PaddingAlgorithmValueConsumer.qll
+++ b/cpp/ql/lib/experimental/Quantum/OpenSSL/AlgorithmValueConsumers/PaddingAlgorithmValueConsumer.qll
@@ -1,8 +1,8 @@
 import cpp
-import experimental.Quantum.Language
-import experimental.Quantum.OpenSSL.LibraryDetector
-import experimental.Quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-import experimental.Quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
+import experimental.quantum.Language
+import experimental.quantum.OpenSSL.LibraryDetector
+import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
 import OpenSSLAlgorithmValueConsumerBase
 abstract class PaddingAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { }
diff --git a/cpp/ql/lib/experimental/Quantum/OpenSSL/OpenSSL.qll b/cpp/ql/lib/experimental/Quantum/OpenSSL/OpenSSL.qll
index 6b28c4ee8e4..f53812093c4 100644
--- a/cpp/ql/lib/experimental/Quantum/OpenSSL/OpenSSL.qll
+++ b/cpp/ql/lib/experimental/Quantum/OpenSSL/OpenSSL.qll
@@ -2,8 +2,8 @@ import cpp
 import semmle.code.cpp.dataflow.new.DataFlow
 module OpenSSLModel {
- import experimental.Quantum.Language
- import experimental.Quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
- import experimental.Quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
- import experimental.Quantum.OpenSSL.Operations.OpenSSLOperations
+ import experimental.quantum.Language
+ import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
+ import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+ import experimental.quantum.OpenSSL.Operations.OpenSSLOperations
 }
diff --git a/cpp/ql/lib/experimental/Quantum/OpenSSL/Operations/EVPCipherInitializer.qll b/cpp/ql/lib/experimental/Quantum/OpenSSL/Operations/EVPCipherInitializer.qll
index 584fd18a64c..fdf60ef757e 100644
--- a/cpp/ql/lib/experimental/Quantum/OpenSSL/Operations/EVPCipherInitializer.qll
+++ b/cpp/ql/lib/experimental/Quantum/OpenSSL/Operations/EVPCipherInitializer.qll
@@ -3,8 +3,8 @@
 * Models cipher initialization for EVP cipher operations.
 */
-import experimental.Quantum.Language
-import experimental.Quantum.OpenSSL.CtxFlow as CTXFlow
+import experimental.quantum.Language
+import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
 module EncValToInitEncArgConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) { source.asExpr().getValue().toInt() in [0, 1] }
diff --git a/cpp/ql/lib/experimental/Quantum/OpenSSL/Operations/EVPCipherOperation.qll b/cpp/ql/lib/experimental/Quantum/OpenSSL/Operations/EVPCipherOperation.qll
index ae05798ea1f..45c7d41b029 100644
--- a/cpp/ql/lib/experimental/Quantum/OpenSSL/Operations/EVPCipherOperation.qll
+++ b/cpp/ql/lib/experimental/Quantum/OpenSSL/Operations/EVPCipherOperation.qll
@@ -1,8 +1,8 @@
-import experimental.Quantum.Language
-import experimental.Quantum.OpenSSL.CtxFlow as CTXFlow
+import experimental.quantum.Language
+import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
 import EVPCipherInitializer
 import OpenSSLOperationBase
-import experimental.Quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
 private module AlgGetterToAlgConsumerConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) {
@@ -16,7 +16,7 @@ private module AlgGetterToAlgConsumerConfig implements DataFlow::ConfigSig {
 private module AlgGetterToAlgConsumerFlow = DataFlow::Global;
-// import experimental.Quantum.OpenSSL.AlgorithmValueConsumers.AlgorithmValueConsumers
+// import experimental.quantum.OpenSSL.AlgorithmValueConsumers.AlgorithmValueConsumers
 // import OpenSSLOperation
 // class EVPCipherOutput extends CipherOutputArtifact {
 // EVPCipherOutput() { exists(EVP_Cipher_Operation op | op.getOutputArg() = this) }
diff --git a/cpp/ql/lib/experimental/Quantum/OpenSSL/Operations/EVPHashOperation.qll b/cpp/ql/lib/experimental/Quantum/OpenSSL/Operations/EVPHashOperation.qll
index b7771e240a4..45776b6668b 100644
--- a/cpp/ql/lib/experimental/Quantum/OpenSSL/Operations/EVPHashOperation.qll
+++ b/cpp/ql/lib/experimental/Quantum/OpenSSL/Operations/EVPHashOperation.qll
@@ -2,12 +2,12 @@
 * https://docs.openssl.org/3.0/man3/EVP_DigestInit/#synopsis
 */
-import experimental.Quantum.Language
-import experimental.Quantum.OpenSSL.CtxFlow as CTXFlow
-import experimental.Quantum.OpenSSL.LibraryDetector
+import experimental.quantum.Language
+import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
+import experimental.quantum.OpenSSL.LibraryDetector
 import OpenSSLOperationBase
 import EVPHashInitializer
-import experimental.Quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
 // import EVPHashConsumers
 abstract class EVP_Hash_Operation extends OpenSSLOperation, Crypto::HashOperationInstance {
diff --git a/cpp/ql/lib/experimental/Quantum/OpenSSL/Operations/OpenSSLOperationBase.qll b/cpp/ql/lib/experimental/Quantum/OpenSSL/Operations/OpenSSLOperationBase.qll
index 851d7a4b7e9..4798f5650a9 100644
--- a/cpp/ql/lib/experimental/Quantum/OpenSSL/Operations/OpenSSLOperationBase.qll
+++ b/cpp/ql/lib/experimental/Quantum/OpenSSL/Operations/OpenSSLOperationBase.qll
@@ -1,4 +1,4 @@
-import experimental.Quantum.Language
+import experimental.quantum.Language
 abstract class OpenSSLOperation extends Crypto::OperationInstance instanceof Call {
 abstract Expr getInputArg();
diff --git a/cpp/ql/lib/experimental/Quantum/OpenSSL/Random.qll b/cpp/ql/lib/experimental/Quantum/OpenSSL/Random.qll
index eceff874874..e599ed82169 100644
--- a/cpp/ql/lib/experimental/Quantum/OpenSSL/Random.qll
+++ b/cpp/ql/lib/experimental/Quantum/OpenSSL/Random.qll
@@ -1,6 +1,5 @@
 import cpp
-private import experimental.Quantum.Language
-private import codeql.cryptography.Model
+private import experimental.quantum.Language
 private import LibraryDetector
 private import semmle.code.cpp.dataflow.new.DataFlow
@@ -15,7 +14,5 @@ class OpenSSLRandomNumberGeneratorInstance extends Crypto::RandomNumberGeneratio
 result.asDefiningArgument() = this.(Call).getArgument(0)
 }
- override predicate flowsTo(Crypto::FlowAwareElement other) {
- ArtifactUniversalFlow::flow(this.getOutputNode(), other.getInputNode())
- }
+ override string getGeneratorName() { result = this.(Call).getTarget().getName() }
 }
diff --git a/cpp/ql/lib/qlpack.yml b/cpp/ql/lib/qlpack.yml
index 6bb19968c82..335360caeb2 100644
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -6,8 +6,8 @@ extractor: cpp
 library: true
 upgrades: upgrades
 dependencies:
- codeql/cryptography: ${workspace}
 codeql/dataflow: ${workspace}
+ codeql/experimental: ${workspace}
 codeql/mad: ${workspace}
 codeql/rangeanalysis: ${workspace}
 codeql/ssa: ${workspace}
diff --git a/cpp/ql/src/experimental/Quantum/PrintCBOMGraph.ql b/cpp/ql/src/experimental/Quantum/PrintCBOMGraph.ql
index d9658105aeb..f741e3c9f94 100644
--- a/cpp/ql/src/experimental/Quantum/PrintCBOMGraph.ql
+++ b/cpp/ql/src/experimental/Quantum/PrintCBOMGraph.ql
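Review bot: The added `getGeneratorName()` override at the end of `OpenSSLRandomNumberGeneratorInstance` in `Random.qll` is undocumented and depends on `this.(Call).getTarget()` having a result. For a call without a resolved target the predicate would have no result, so the generator would presumably be reported without a name. The class's characteristic predicate lies outside the hunk and may already restrict it to calls with a named target; if so, a QLDoc line such as `/** Gets the name of the called OpenSSL function, used as the generator name. */` would record that assumption. The same hunk removes the `flowsTo` override, which is only safe if the base class now supplies it; that is not visible here.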
@@ -6,7 +6,7 @@
 * @id cpp/print-cbom-graph
 */
-import experimental.Quantum.Language
+import experimental.quantum.Language
 query predicate nodes(Crypto::NodeBase node, string key, string value) {
 Crypto::nodes_graph_impl(node, key, value)
diff --git a/java/ql/lib/experimental/Quantum/Language.qll b/java/ql/lib/experimental/Quantum/Language.qll
index 6f7dc88157b..572d5716e02 100644
--- a/java/ql/lib/experimental/Quantum/Language.qll
+++ b/java/ql/lib/experimental/Quantum/Language.qll
@@ -1,4 +1,4 @@
-private import codeql.cryptography.Model
+private import codeql.quantum.Model
 private import java as Language
 private import semmle.code.java.security.InsecureRandomnessQuery
 private import semmle.code.java.security.RandomQuery
diff --git a/java/ql/lib/qlpack.yml b/java/ql/lib/qlpack.yml
index 52fa4620b46..036218757a8 100644
--- a/java/ql/lib/qlpack.yml
+++ b/java/ql/lib/qlpack.yml
@@ -6,8 +6,8 @@ extractor: java
 library: true
 upgrades: upgrades
 dependencies:
- codeql/cryptography: ${workspace}
 codeql/dataflow: ${workspace}
+ codeql/experimental: ${workspace}
 codeql/mad: ${workspace}
 codeql/rangeanalysis: ${workspace}
 codeql/regex: ${workspace}
diff --git a/java/ql/src/experimental/Quantum/Analysis/ArtifactReuse.qll b/java/ql/src/experimental/Quantum/Analysis/ArtifactReuse.qll
index de283f89775..88598e61589 100644
--- a/java/ql/src/experimental/Quantum/Analysis/ArtifactReuse.qll
+++ b/java/ql/src/experimental/Quantum/Analysis/ArtifactReuse.qll
@@ -1,6 +1,6 @@
 import java
 import semmle.code.java.dataflow.DataFlow
-import experimental.Quantum.Language
+import experimental.quantum.Language
 /**
 * Flow from any function that appears to return a value
diff --git a/java/ql/src/experimental/Quantum/Analysis/InsecureNonceSource.ql b/java/ql/src/experimental/Quantum/Analysis/InsecureNonceSource.ql
index 9c06884328b..b2c6f919d5f 100644
--- a/java/ql/src/experimental/Quantum/Analysis/InsecureNonceSource.ql
+++ b/java/ql/src/experimental/Quantum/Analysis/InsecureNonceSource.ql
@@ -8,7 +8,7 @@
 * vulnerabilities such as replay attacks or key recovery.
 */
-import experimental.Quantum.Language
+import experimental.quantum.Language
 predicate isInsecureNonceSource(Crypto::NonceArtifactNode n, Crypto::NodeBase src) {
 src = n.getSourceNode() and
diff --git a/java/ql/src/experimental/Quantum/Analysis/KnownWeakKDFIterationCount.ql b/java/ql/src/experimental/Quantum/Analysis/KnownWeakKDFIterationCount.ql
index 439295f74e3..701f3064e92 100644
--- a/java/ql/src/experimental/Quantum/Analysis/KnownWeakKDFIterationCount.ql
+++ b/java/ql/src/experimental/Quantum/Analysis/KnownWeakKDFIterationCount.ql
@@ -5,7 +5,7 @@
 */
 import java
-import experimental.Quantum.Language
+import experimental.quantum.Language
 from Crypto::KeyDerivationOperationNode op, Literal l
 where
diff --git a/java/ql/src/experimental/Quantum/Analysis/UnknownKDFIterationCount.ql b/java/ql/src/experimental/Quantum/Analysis/UnknownKDFIterationCount.ql
index 0c91e66d52b..4ce404f01b0 100644
--- a/java/ql/src/experimental/Quantum/Analysis/UnknownKDFIterationCount.ql
+++ b/java/ql/src/experimental/Quantum/Analysis/UnknownKDFIterationCount.ql
@@ -5,7 +5,7 @@
 */
 import java
-import experimental.Quantum.Language
+import experimental.quantum.Language
 from Crypto::KeyDerivationOperationNode op, Element e, string msg
 where
diff --git a/java/ql/src/experimental/Quantum/Examples/BrokenCrypto.ql b/java/ql/src/experimental/Quantum/Examples/BrokenCrypto.ql
index 020ac1b8925..b4e9de9ac94 100644
--- a/java/ql/src/experimental/Quantum/Examples/BrokenCrypto.ql
+++ b/java/ql/src/experimental/Quantum/Examples/BrokenCrypto.ql
@@ -1,58 +1,55 @@ /** -* @name Use of a broken or risky cryptographic algorithm -* @description Using broken or weak cryptographic algorithms can allow an attacker to compromise security. -* @kind problem -* @problem.severity warning -* @security-severity 7.5 -* @precision high -* @id java/weak-cryptographic-algorithm-new-model -* @tags security -* external/cwe/cwe-327 -* external/cwe/cwe-328 -*/ - - + * @name Use of a broken or risky cryptographic algorithm + * @description Using broken or weak cryptographic algorithms can allow an attacker to compromise security. + * @kind problem + * @problem.severity warning + * @security-severity 7.5 + * @precision high + * @id java/weak-cryptographic-algorithm-new-model + * @tags security + * external/cwe/cwe-327 + * external/cwe/cwe-328 + */ //THIS QUERY IS A REPLICA OF: https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql //but uses the **NEW MODELLING** -import experimental.Quantum.Language - +import experimental.quantum.Language /** * Gets the name of an algorithm that is known to be insecure. */ string getAnInsecureAlgorithmName() { - result = - [ - "DES", "RC2", "RC4", "RC5", - // ARCFOUR is a variant of RC4 - "ARCFOUR", - // Encryption mode ECB like AES/ECB/NoPadding is vulnerable to replay and other attacks - "ECB", - // CBC mode of operation with PKCS#5 or PKCS#7 padding is vulnerable to padding oracle attacks - "AES/CBC/PKCS[57]Padding" - ] - } - - private string rankedInsecureAlgorithm(int i) { - result = rank[i](string s | s = getAnInsecureAlgorithmName()) - } - - private string insecureAlgorithmString(int i) { - i = 1 and result = rankedInsecureAlgorithm(i) - or - result = rankedInsecureAlgorithm(i) + "|" + insecureAlgorithmString(i - 1) - } - - /** - * Gets the regular expression used for matching strings that look like they - * contain an algorithm that is known to be insecure. 
- */ - string getInsecureAlgorithmRegex() { - result = algorithmRegex(insecureAlgorithmString(max(int i | exists(rankedInsecureAlgorithm(i))))) - } + result = + [ + "DES", "RC2", "RC4", "RC5", + // ARCFOUR is a variant of RC4 + "ARCFOUR", + // Encryption mode ECB like AES/ECB/NoPadding is vulnerable to replay and other attacks + "ECB", + // CBC mode of operation with PKCS#5 or PKCS#7 padding is vulnerable to padding oracle attacks + "AES/CBC/PKCS[57]Padding" + ] +} - bindingset[algorithmString] +private string rankedInsecureAlgorithm(int i) { + result = rank[i](string s | s = getAnInsecureAlgorithmName()) +} + +private string insecureAlgorithmString(int i) { + i = 1 and result = rankedInsecureAlgorithm(i) + or + result = rankedInsecureAlgorithm(i) + "|" + insecureAlgorithmString(i - 1) +} + +/** + * Gets the regular expression used for matching strings that look like they + * contain an algorithm that is known to be insecure. + */ +string getInsecureAlgorithmRegex() { + result = algorithmRegex(insecureAlgorithmString(max(int i | exists(rankedInsecureAlgorithm(i))))) +} + +bindingset[algorithmString] private string algorithmRegex(string algorithmString) { // Algorithms usually appear in names surrounded by characters that are not // alphabetical characters in the same case. This handles the upper and lower 
@@ -67,11 +64,12 @@ private string algorithmRegex(string algorithmString) { "((^|.*[A-Z]{2}|.*[^a-zA-Z])(" + algorithmString.toLowerCase() + ")([^a-z].*|$))" } -from Crypto::Algorithm alg -where alg.getAlgorithmName().regexpMatch(getInsecureAlgorithmRegex()) and -// Exclude RSA/ECB/.* ciphers. -not alg.getAlgorithmName().regexpMatch("RSA/ECB.*") and -// Exclude German and French sentences. -not alg.getAlgorithmName().regexpMatch(".*\\p{IsLowercase} des \\p{IsLetter}.*") +from Crypto::Algorithm alg +where + alg.getAlgorithmName().regexpMatch(getInsecureAlgorithmRegex()) and + // Exclude RSA/ECB/.* ciphers. + not alg.getAlgorithmName().regexpMatch("RSA/ECB.*") and + // Exclude German and French sentences. + not alg.getAlgorithmName().regexpMatch(".*\\p{IsLowercase} des \\p{IsLetter}.*") select alg, "Cryptographic algorithm $@ is weak and should not be used.", alg, -alg.getAlgorithmName() + alg.getAlgorithmName() diff --git a/java/ql/src/experimental/Quantum/Examples/InsecureOrUnknownNonceAtOperation.ql b/java/ql/src/experimental/Quantum/Examples/InsecureOrUnknownNonceAtOperation.ql index a9eb70076a0..fc2387fda37 100644 --- a/java/ql/src/experimental/Quantum/Examples/InsecureOrUnknownNonceAtOperation.ql +++ b/java/ql/src/experimental/Quantum/Examples/InsecureOrUnknownNonceAtOperation.ql @@ -4,7 +4,7 @@ * @kind problem */ -import experimental.Quantum.Language +import experimental.quantum.Language from Crypto::NonceArtifactNode n, Crypto::KeyOperationNode op, Crypto::FlowAwareElement src, string msg diff --git a/java/ql/src/experimental/Quantum/Examples/TestAESGCMNonce.ql b/java/ql/src/experimental/Quantum/Examples/TestAESGCMNonce.ql index 985527318ff..096cfa82216 100644 --- a/java/ql/src/experimental/Quantum/Examples/TestAESGCMNonce.ql +++ b/java/ql/src/experimental/Quantum/Examples/TestAESGCMNonce.ql 
@@ -2,7 +2,7 @@
 * @name "PQC Test"
 */
-import experimental.Quantum.Language
+import experimental.quantum.Language
 class AESGCMAlgorithmNode extends Crypto::KeyOperationAlgorithmNode {
 AESGCMAlgorithmNode() {
diff --git a/java/ql/src/experimental/Quantum/Examples/TestCipher.ql b/java/ql/src/experimental/Quantum/Examples/TestCipher.ql
index 503d6003922..2b1d6ebcf06 100644
--- a/java/ql/src/experimental/Quantum/Examples/TestCipher.ql
+++ b/java/ql/src/experimental/Quantum/Examples/TestCipher.ql
@@ -2,7 +2,7 @@
 * @name "Key operation slice table demo query"
 */
-import experimental.Quantum.Language
+import experimental.quantum.Language
 from
 Crypto::KeyOperationNode op, Crypto::KeyOperationAlgorithmNode a,
diff --git a/java/ql/src/experimental/Quantum/Examples/TestCipherKey.ql b/java/ql/src/experimental/Quantum/Examples/TestCipherKey.ql
index c489320528d..9408aac7e3b 100644
--- a/java/ql/src/experimental/Quantum/Examples/TestCipherKey.ql
+++ b/java/ql/src/experimental/Quantum/Examples/TestCipherKey.ql
@@ -2,7 +2,7 @@
 * @name "PQC Test"
 */
-import experimental.Quantum.Language
+import experimental.quantum.Language
 from Crypto::KeyOperationNode op, Crypto::CipherAlgorithmNode a, Crypto::KeyArtifactNode k
 where
diff --git a/java/ql/src/experimental/Quantum/Examples/TestHash.ql b/java/ql/src/experimental/Quantum/Examples/TestHash.ql
index 76ef6951a7e..b319c95a62b 100644
--- a/java/ql/src/experimental/Quantum/Examples/TestHash.ql
+++ b/java/ql/src/experimental/Quantum/Examples/TestHash.ql
@@ -2,7 +2,7 @@
 * @name "Hash operation slice table demo query"
 */
-import experimental.Quantum.Language
+import experimental.quantum.Language
 from Crypto::HashOperationNode op, Crypto::HashAlgorithmNode alg
 where alg = op.getAKnownAlgorithm()
diff --git a/java/ql/src/experimental/Quantum/InventorySlices/KnownAsymmetricAlgorithm.ql b/java/ql/src/experimental/Quantum/InventorySlices/KnownAsymmetricAlgorithm.ql
index 1e5a7c5bced..7ae2a0f0888 100644
--- a/java/ql/src/experimental/Quantum/InventorySlices/KnownAsymmetricAlgorithm.ql
+++ b/java/ql/src/experimental/Quantum/InventorySlices/KnownAsymmetricAlgorithm.ql
@@ -5,7 +5,7 @@
 */
 import java
-import experimental.Quantum.Language
+import experimental.quantum.Language
 from Crypto::AlgorithmNode a
 where Crypto::isKnownAsymmetricAlgorithm(a)
diff --git a/java/ql/src/experimental/Quantum/InventorySlices/KnownAsymmetricCipherAlgorithm.ql b/java/ql/src/experimental/Quantum/InventorySlices/KnownAsymmetricCipherAlgorithm.ql
index 962a6b72015..c7242ed11c5 100644
--- a/java/ql/src/experimental/Quantum/InventorySlices/KnownAsymmetricCipherAlgorithm.ql
+++ b/java/ql/src/experimental/Quantum/InventorySlices/KnownAsymmetricCipherAlgorithm.ql
@@ -5,7 +5,7 @@
 */
 import java
-import experimental.Quantum.Language
+import experimental.quantum.Language
 from Crypto::KeyOperationAlgorithmNode a
 where a.getAlgorithmType() instanceof Crypto::KeyOpAlg::AsymmetricCipherAlgorithm
diff --git a/java/ql/src/experimental/Quantum/InventorySlices/KnownAsymmetricOperationAlgorithm.ql b/java/ql/src/experimental/Quantum/InventorySlices/KnownAsymmetricOperationAlgorithm.ql
index 0900401b80d..a14a0dfbaba 100644
--- a/java/ql/src/experimental/Quantum/InventorySlices/KnownAsymmetricOperationAlgorithm.ql
+++ b/java/ql/src/experimental/Quantum/InventorySlices/KnownAsymmetricOperationAlgorithm.ql
@@ -5,7 +5,7 @@
 */
 import java
-import experimental.Quantum.Language
+import experimental.quantum.Language
 from Crypto::OperationNode op, Crypto::AlgorithmNode a
 where a = op.getAKnownAlgorithm() and Crypto::isKnownAsymmetricAlgorithm(a)
diff --git a/java/ql/src/experimental/Quantum/InventorySlices/KnownCipherAlgorithm.ql b/java/ql/src/experimental/Quantum/InventorySlices/KnownCipherAlgorithm.ql
index 4096fe16d29..f126c3d9ae1 100644
--- a/java/ql/src/experimental/Quantum/InventorySlices/KnownCipherAlgorithm.ql
+++ b/java/ql/src/experimental/Quantum/InventorySlices/KnownCipherAlgorithm.ql
@@ -5,7 +5,7 @@
 */ import java
-import experimental.Quantum.Language
+import experimental.quantum.Language
 // TODO: should there be a cipher algorithm node? from Crypto::KeyOperationAlgorithmNode a
diff --git a/java/ql/src/experimental/Quantum/InventorySlices/KnownEllipticCurveAlgorithm.ql b/java/ql/src/experimental/Quantum/InventorySlices/KnownEllipticCurveAlgorithm.ql
index 048bcd8182c..c3f69d91cb7 100644
--- a/java/ql/src/experimental/Quantum/InventorySlices/KnownEllipticCurveAlgorithm.ql
+++ b/java/ql/src/experimental/Quantum/InventorySlices/KnownEllipticCurveAlgorithm.ql
@@ -5,7 +5,7 @@
 */ import java
-import experimental.Quantum.Language
+import experimental.quantum.Language
 from Crypto::EllipticCurveNode a select a, "Instance of elliptic curve algorithm " + a.getAlgorithmName()
diff --git a/java/ql/src/experimental/Quantum/InventorySlices/KnownHashingAlgorithm.ql b/java/ql/src/experimental/Quantum/InventorySlices/KnownHashingAlgorithm.ql
index 632872725e7..ed24b62364d 100644
--- a/java/ql/src/experimental/Quantum/InventorySlices/KnownHashingAlgorithm.ql
+++ b/java/ql/src/experimental/Quantum/InventorySlices/KnownHashingAlgorithm.ql
@@ -5,7 +5,7 @@
 */ import java
-import experimental.Quantum.Language
+import experimental.quantum.Language
 from Crypto::HashAlgorithmNode a select a, "Instance of hashing algorithm " + a.getAlgorithmName()
diff --git a/java/ql/src/experimental/Quantum/InventorySlices/KnownHashingOperation.ql b/java/ql/src/experimental/Quantum/InventorySlices/KnownHashingOperation.ql
index b3556393173..23fc6235e80 100644
--- a/java/ql/src/experimental/Quantum/InventorySlices/KnownHashingOperation.ql
+++ b/java/ql/src/experimental/Quantum/InventorySlices/KnownHashingOperation.ql
@@ -5,7 +5,7 @@
 */ import java
-import experimental.Quantum.Language
+import experimental.quantum.Language
 from Crypto::HashOperationNode op select op, "Known hashing operation"
diff --git a/java/ql/src/experimental/Quantum/InventorySlices/KnownHashingOperationAlgorithm.ql b/java/ql/src/experimental/Quantum/InventorySlices/KnownHashingOperationAlgorithm.ql
index ce0f4d37d4d..8af3c09dd10 100644
--- a/java/ql/src/experimental/Quantum/InventorySlices/KnownHashingOperationAlgorithm.ql
+++ b/java/ql/src/experimental/Quantum/InventorySlices/KnownHashingOperationAlgorithm.ql
@@ -5,7 +5,7 @@
 */ import java
-import experimental.Quantum.Language
+import experimental.quantum.Language
 from Crypto::OperationNode op, Crypto::HashAlgorithmNode a where a = op.getAKnownAlgorithm()
diff --git a/java/ql/src/experimental/Quantum/InventorySlices/KnownKeyDerivationAlgorithm.ql b/java/ql/src/experimental/Quantum/InventorySlices/KnownKeyDerivationAlgorithm.ql
index 584ffef0bbf..e0970353a98 100644
--- a/java/ql/src/experimental/Quantum/InventorySlices/KnownKeyDerivationAlgorithm.ql
+++ b/java/ql/src/experimental/Quantum/InventorySlices/KnownKeyDerivationAlgorithm.ql
@@ -5,7 +5,7 @@
 */ import java
-import experimental.Quantum.Language
+import experimental.quantum.Language
 from Crypto::KeyDerivationAlgorithmNode alg select alg, "Known key derivation algorithm " + alg.getAlgorithmName()
diff --git a/java/ql/src/experimental/Quantum/InventorySlices/KnownKeyDerivationOperation.ql b/java/ql/src/experimental/Quantum/InventorySlices/KnownKeyDerivationOperation.ql
index 8c77b2aa984..240a4ea3fc5 100644
--- a/java/ql/src/experimental/Quantum/InventorySlices/KnownKeyDerivationOperation.ql
+++ b/java/ql/src/experimental/Quantum/InventorySlices/KnownKeyDerivationOperation.ql
@@ -5,7 +5,7 @@
 */ import java
-import experimental.Quantum.Language
+import experimental.quantum.Language
 from Crypto::KeyDerivationOperationNode op select op, "Known key derivation operation"
diff --git a/java/ql/src/experimental/Quantum/InventorySlices/KnownKeyDerivationOperationAlgorithm.ql b/java/ql/src/experimental/Quantum/InventorySlices/KnownKeyDerivationOperationAlgorithm.ql
index cf9a4e96f4d..9afbd7d7f2f 100644
--- a/java/ql/src/experimental/Quantum/InventorySlices/KnownKeyDerivationOperationAlgorithm.ql
+++ b/java/ql/src/experimental/Quantum/InventorySlices/KnownKeyDerivationOperationAlgorithm.ql
@@ -1,11 +1,12 @@
 /** * @name Detects operations where the algorithm applied is a known key derivation algorithm
- * @id java/crypto_inventory_slices/operation_with_known_key_derivation_algorithm
+ * @id java/cryptography-inventory-slices/operation-known-key-derivation-algorithm
+ * @description This query identifies operations that utilize a known key derivation algorithm.
 * @kind problem */ import java
-import experimental.Quantum.Language
+import experimental.quantum.Language
 from Crypto::OperationNode op, Crypto::KeyDerivationAlgorithmNode a where a = op.getAKnownAlgorithm()
diff --git a/java/ql/src/experimental/Quantum/InventorySlices/KnownSymmetricCipherAlgorithm.ql b/java/ql/src/experimental/Quantum/InventorySlices/KnownSymmetricCipherAlgorithm.ql
index 21949f1c8c6..d8467305df9 100644
--- a/java/ql/src/experimental/Quantum/InventorySlices/KnownSymmetricCipherAlgorithm.ql
+++ b/java/ql/src/experimental/Quantum/InventorySlices/KnownSymmetricCipherAlgorithm.ql
@@ -5,7 +5,7 @@
 */ import java
-import experimental.Quantum.Language
+import experimental.quantum.Language
 from Crypto::KeyOperationAlgorithmNode a where a.getAlgorithmType() instanceof Crypto::KeyOpAlg::SymmetricCipherAlgorithm
diff --git a/java/ql/src/experimental/Quantum/InventorySlices/LikelyCryptoAPIFunction.ql b/java/ql/src/experimental/Quantum/InventorySlices/LikelyCryptoAPIFunction.ql
index 0076c478dec..d02524a7df3 100644
--- a/java/ql/src/experimental/Quantum/InventorySlices/LikelyCryptoAPIFunction.ql
+++ b/java/ql/src/experimental/Quantum/InventorySlices/LikelyCryptoAPIFunction.ql
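Review bot: The `@id` rewrite in KnownKeyDerivationOperationAlgorithm.ql changes the identifier that results are reported under, and none of the sibling InventorySlices hunks shown here touch their `@id`, so the directory may be left with mixed id schemes (the other query headers lie outside those hunks, so this is inferred). Anything keyed on the old id `java/crypto_inventory_slices/operation_with_known_key_derivation_algorithm`, such as query suites, baselines or alert filters, has to be updated in the same change. The added `@description` only restates `@name`; I would say what the result is for, e.g. ` * @description Lists operations whose algorithm resolves to a known key derivation algorithm, for cryptographic inventory.` Because this is `@kind problem`, consider also adding ` * @problem.severity recommendation` so consumers can rank these inventory results below real findings.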
@@ -5,7 +5,7 @@
 */ import java
-import experimental.Quantum.Language
+import experimental.quantum.Language
 from Callable f, Parameter p, Crypto::OperationNode op where
diff --git a/java/ql/src/experimental/Quantum/InventorySlices/UnknownOperationAlgorithm.ql b/java/ql/src/experimental/Quantum/InventorySlices/UnknownOperationAlgorithm.ql
index 61a27c75dac..7559579d863 100644
--- a/java/ql/src/experimental/Quantum/InventorySlices/UnknownOperationAlgorithm.ql
+++ b/java/ql/src/experimental/Quantum/InventorySlices/UnknownOperationAlgorithm.ql
@@ -5,7 +5,7 @@
 */ import java
-import experimental.Quantum.Language
+import experimental.quantum.Language
 //TODO: can we have an unknown node concept? from Crypto::OperationNode op, Element e, string msg
diff --git a/java/ql/src/experimental/Quantum/PrintCBOMGraph.ql b/java/ql/src/experimental/Quantum/PrintCBOMGraph.ql
index 063cda564b6..bc79d5d4ce6 100644
--- a/java/ql/src/experimental/Quantum/PrintCBOMGraph.ql
+++ b/java/ql/src/experimental/Quantum/PrintCBOMGraph.ql
@@ -6,7 +6,7 @@
 * @id java/print-cbom-graph */
-import experimental.Quantum.Language
+import experimental.quantum.Language
 query predicate nodes(Crypto::NodeBase node, string key, string value) { Crypto::nodes_graph_impl(node, key, value)
diff --git a/shared/cryptography/codeql/cryptography/Model.qll b/shared/experimental/codeql/quantum/Model.qll
similarity index 100%
rename from shared/cryptography/codeql/cryptography/Model.qll
rename to shared/experimental/codeql/quantum/Model.qll
diff --git a/shared/cryptography/qlpack.yml b/shared/experimental/qlpack.yml
similarity index 64%
rename from shared/cryptography/qlpack.yml
rename to shared/experimental/qlpack.yml
index 768c64a0704..2976c56ba49 100644
--- a/shared/cryptography/qlpack.yml
+++ b/shared/experimental/qlpack.yml
@@ -1,4 +1,4 @@
-name: codeql/cryptography
+name: codeql/experimental
 version: 0.0.0-dev groups: shared library: true