hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-25 08:45:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Address PR review: add Signature.getInstance sink, HMAC/PBKDF2 whitelist, fix test APIs

Browse Source 
- Model Signature.getInstance() as CryptoAlgoSpec sink (previously only
  Signature constructor was modeled)
- Add HMAC-based algorithms (HMACSHA1/256/384/512, HmacSHA1/256/384/512)
  and PBKDF2 to the secure algorithm whitelist
- Fix XDH/X25519/X448 tests to use KeyAgreement.getInstance() instead of
  KeyPairGenerator.getInstance() to match their key agreement semantics
- Add test cases for SHA384withECDSA, HMACSHA*, and PBKDF2WithHmacSHA1
  from user-reported false positives
- Update change note to document all additions
This commit is contained in:
MarkLee131
2026-03-28 16:51:13 +08:00
parent a9449cc991
commit da4a2238bc
3 changed files with 25 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
java/ql/test/query-tests/security/CWE-327/semmle/tests/Test.java
View File

@@ -52,7 +52,7 @@ class Test {
// GOOD: EC is a secure algorithm for key pair generation
keyPairGenerator = KeyPairGenerator.getInstance("EC");
// GOOD: ECDSA is a secure algorithm for digital signatures
// GOOD: ECDSA is a secure signature algorithm
Signature ecdsaSig = Signature.getInstance("ECDSA");
// GOOD: ECDH is a secure algorithm for key agreement
@@ -61,24 +61,33 @@ class Test {
// GOOD: EdDSA is a secure algorithm (Edwards-curve Digital Signature Algorithm)
keyPairGenerator = KeyPairGenerator.getInstance("EdDSA");
// GOOD: Ed25519 is a secure algorithm
// GOOD: Ed25519 is a secure algorithm for key pair generation
keyPairGenerator = KeyPairGenerator.getInstance("Ed25519");
// GOOD: Ed448 is a secure algorithm
// GOOD: Ed448 is a secure algorithm for key pair generation
keyPairGenerator = KeyPairGenerator.getInstance("Ed448");
// GOOD: XDH is a secure algorithm for key agreement
keyPairGenerator = KeyPairGenerator.getInstance("XDH");
KeyAgreement xdhKa = KeyAgreement.getInstance("XDH");
// GOOD: X25519 is a secure algorithm for key agreement
keyPairGenerator = KeyPairGenerator.getInstance("X25519");
KeyAgreement x25519Ka = KeyAgreement.getInstance("X25519");
// GOOD: X448 is a secure algorithm for key agreement
keyPairGenerator = KeyPairGenerator.getInstance("X448");
KeyAgreement x448Ka = KeyAgreement.getInstance("X448");
// GOOD: SHA256withECDSA is a secure signature algorithm
Signature sha256Ecdsa = Signature.getInstance("SHA256withECDSA");
// GOOD: HMAC-based SecretKeySpec should not be flagged
new SecretKeySpec(null, "HMACSHA1");
new SecretKeySpec(null, "HMACSHA256");
new SecretKeySpec(null, "HMACSHA384");
new SecretKeySpec(null, "SHA384withECDSA");
// GOOD: PBKDF2 key derivation is a secure algorithm
SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
} catch (Exception e) {
// fail
}