hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 10:15:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Swift: CWE-757: update docs and user facing text

Browse Source
This commit is contained in:
Alex Denisov
2022-09-08 10:31:23 +02:00
parent d18ad665b6
commit d455a557be
3 changed files with 19 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
swift/ql/src/queries/Security/CWE-757/InsecureTLS.qhelp
View File

@@ -12,7 +12,7 @@
</recommendation>
<example>
<p>Consider specifying newer <code>tls_protocol_version_t</code> explicitly, or omitting it completely as the OS will use secure defaults.</p>
<p>Specify newer <code>tls_protocol_version_t</code> explicitly, or omit it completely as the OS will use secure defaults.</p>
<sample src="SecureTLS.swift" />
@@ -22,7 +22,6 @@
<li>
<a href="https://support.apple.com/en-gb/guide/security/sec100a75d12/web">Apple Platform Security - TLS security</a>
<a href="https://developer.apple.com/documentation/security/preventing_insecure_network_connections">Preventing Insecure Network Connections</a>
<a href="https://cwe.mitre.org/data/definitions/757.html">CWE-757: Selection of Less-Secure Algorithm During Negotiation</a>
</li>
</references>

4
swift/ql/src/queries/Security/CWE-757/InsecureTLS.ql
View File

@@ -1,6 +1,6 @@
/**
* @name Insecure TLS configuration
* @description TLS v1.0 and v1.1 versions are known to be vulnerable.. TLS v1.2 or v1.3 should be used instead.
* @description TLS v1.0 and v1.1 versions are known to be vulnerable. TLS v1.2 or v1.3 should be used instead.
* @kind path-problem
* @problem.severity error
* @security-severity TODO
@@ -52,4 +52,4 @@ class InsecureTlsConfig extends TaintTracking::Configuration {
from InsecureTlsConfig config, DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode
where config.hasFlowPath(sourceNode, sinkNode)
select sinkNode.getNode(), sourceNode, sinkNode, "Insecure TLS configuration"
select sinkNode.getNode(), sourceNode, sinkNode, "This TLS configuration is insecure."

32
swift/ql/test/query-tests/Security/CWE-757/InsecureTLS.expected
View File

@@ -68,19 +68,19 @@ subpaths
| InsecureTLS.swift:165:47:165:47 | def [TLSVersion] : | InsecureTLS.swift:158:7:158:7 | self [TLSVersion] : | file://:0:0:0:0 | .TLSVersion : | InsecureTLS.swift:165:47:165:51 | .TLSVersion |
| InsecureTLS.swift:165:47:165:47 | def [TLSVersion] : | InsecureTLS.swift:158:7:158:7 | self [TLSVersion] : | file://:0:0:0:0 | .TLSVersion : | InsecureTLS.swift:165:47:165:51 | .TLSVersion : |
#select
| InsecureTLS.swift:40:47:40:70 | .TLSv10 | InsecureTLS.swift:40:47:40:70 | .TLSv10 | InsecureTLS.swift:40:47:40:70 | .TLSv10 | Insecure TLS configuration |
| InsecureTLS.swift:45:47:45:70 | .TLSv11 | InsecureTLS.swift:45:47:45:70 | .TLSv11 | InsecureTLS.swift:45:47:45:70 | .TLSv11 | Insecure TLS configuration |
| InsecureTLS.swift:57:47:57:70 | .TLSv10 | InsecureTLS.swift:57:47:57:70 | .TLSv10 | InsecureTLS.swift:57:47:57:70 | .TLSv10 | Insecure TLS configuration |
| InsecureTLS.swift:64:40:64:52 | .tlsProtocol10 | InsecureTLS.swift:64:40:64:52 | .tlsProtocol10 | InsecureTLS.swift:64:40:64:52 | .tlsProtocol10 | Insecure TLS configuration |
| InsecureTLS.swift:76:40:76:52 | .tlsProtocol10 | InsecureTLS.swift:76:40:76:52 | .tlsProtocol10 | InsecureTLS.swift:76:40:76:52 | .tlsProtocol10 | Insecure TLS configuration |
| InsecureTLS.swift:111:47:111:64 | call to getBadTLSVersion() | InsecureTLS.swift:102:10:102:33 | .TLSv10 : | InsecureTLS.swift:111:47:111:64 | call to getBadTLSVersion() | Insecure TLS configuration |
| InsecureTLS.swift:122:47:122:47 | version | InsecureTLS.swift:127:25:127:48 | .TLSv11 : | InsecureTLS.swift:122:47:122:47 | version | Insecure TLS configuration |
| InsecureTLS.swift:165:47:165:51 | .TLSVersion | InsecureTLS.swift:163:20:163:43 | .TLSv10 : | InsecureTLS.swift:165:47:165:51 | .TLSVersion | Insecure TLS configuration |
| file://:0:0:0:0 | value | InsecureTLS.swift:40:47:40:70 | .TLSv10 : | file://:0:0:0:0 | value | Insecure TLS configuration |
| file://:0:0:0:0 | value | InsecureTLS.swift:45:47:45:70 | .TLSv11 : | file://:0:0:0:0 | value | Insecure TLS configuration |
| file://:0:0:0:0 | value | InsecureTLS.swift:57:47:57:70 | .TLSv10 : | file://:0:0:0:0 | value | Insecure TLS configuration |
| file://:0:0:0:0 | value | InsecureTLS.swift:64:40:64:52 | .tlsProtocol10 : | file://:0:0:0:0 | value | Insecure TLS configuration |
| file://:0:0:0:0 | value | InsecureTLS.swift:76:40:76:52 | .tlsProtocol10 : | file://:0:0:0:0 | value | Insecure TLS configuration |
| file://:0:0:0:0 | value | InsecureTLS.swift:102:10:102:33 | .TLSv10 : | file://:0:0:0:0 | value | Insecure TLS configuration |
| file://:0:0:0:0 | value | InsecureTLS.swift:127:25:127:48 | .TLSv11 : | file://:0:0:0:0 | value | Insecure TLS configuration |
| file://:0:0:0:0 | value | InsecureTLS.swift:163:20:163:43 | .TLSv10 : | file://:0:0:0:0 | value | Insecure TLS configuration |
| InsecureTLS.swift:40:47:40:70 | .TLSv10 | InsecureTLS.swift:40:47:40:70 | .TLSv10 | InsecureTLS.swift:40:47:40:70 | .TLSv10 | This TLS configuration is insecure. |
| InsecureTLS.swift:45:47:45:70 | .TLSv11 | InsecureTLS.swift:45:47:45:70 | .TLSv11 | InsecureTLS.swift:45:47:45:70 | .TLSv11 | This TLS configuration is insecure. |
| InsecureTLS.swift:57:47:57:70 | .TLSv10 | InsecureTLS.swift:57:47:57:70 | .TLSv10 | InsecureTLS.swift:57:47:57:70 | .TLSv10 | This TLS configuration is insecure. |
| InsecureTLS.swift:64:40:64:52 | .tlsProtocol10 | InsecureTLS.swift:64:40:64:52 | .tlsProtocol10 | InsecureTLS.swift:64:40:64:52 | .tlsProtocol10 | This TLS configuration is insecure. |
| InsecureTLS.swift:76:40:76:52 | .tlsProtocol10 | InsecureTLS.swift:76:40:76:52 | .tlsProtocol10 | InsecureTLS.swift:76:40:76:52 | .tlsProtocol10 | This TLS configuration is insecure. |
| InsecureTLS.swift:111:47:111:64 | call to getBadTLSVersion() | InsecureTLS.swift:102:10:102:33 | .TLSv10 : | InsecureTLS.swift:111:47:111:64 | call to getBadTLSVersion() | This TLS configuration is insecure. |
| InsecureTLS.swift:122:47:122:47 | version | InsecureTLS.swift:127:25:127:48 | .TLSv11 : | InsecureTLS.swift:122:47:122:47 | version | This TLS configuration is insecure. |
| InsecureTLS.swift:165:47:165:51 | .TLSVersion | InsecureTLS.swift:163:20:163:43 | .TLSv10 : | InsecureTLS.swift:165:47:165:51 | .TLSVersion | This TLS configuration is insecure. |
| file://:0:0:0:0 | value | InsecureTLS.swift:40:47:40:70 | .TLSv10 : | file://:0:0:0:0 | value | This TLS configuration is insecure. |
| file://:0:0:0:0 | value | InsecureTLS.swift:45:47:45:70 | .TLSv11 : | file://:0:0:0:0 | value | This TLS configuration is insecure. |
| file://:0:0:0:0 | value | InsecureTLS.swift:57:47:57:70 | .TLSv10 : | file://:0:0:0:0 | value | This TLS configuration is insecure. |
| file://:0:0:0:0 | value | InsecureTLS.swift:64:40:64:52 | .tlsProtocol10 : | file://:0:0:0:0 | value | This TLS configuration is insecure. |
| file://:0:0:0:0 | value | InsecureTLS.swift:76:40:76:52 | .tlsProtocol10 : | file://:0:0:0:0 | value | This TLS configuration is insecure. |
| file://:0:0:0:0 | value | InsecureTLS.swift:102:10:102:33 | .TLSv10 : | file://:0:0:0:0 | value | This TLS configuration is insecure. |
| file://:0:0:0:0 | value | InsecureTLS.swift:127:25:127:48 | .TLSv11 : | file://:0:0:0:0 | value | This TLS configuration is insecure. |
| file://:0:0:0:0 | value | InsecureTLS.swift:163:20:163:43 | .TLSv10 : | file://:0:0:0:0 | value | This TLS configuration is insecure. |