feat: add rsa/ecb/... variants to the list of secure algorithms

2026-04-25 08:45:14 +02:00 · 2024-05-13 11:11:07 -07:00
parent ad2eacfd2f
commit dd223ed704
2 changed files with 3 additions and 1 deletions
--- a/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll
@@ -15,6 +15,7 @@ private class ShortStringLiteral extends StringLiteral {
 class BrokenAlgoLiteral extends ShortStringLiteral {
  BrokenAlgoLiteral() {
    this.getValue().regexpMatch(getInsecureAlgorithmRegex()) and
+    not this.getValue().regexpMatch(getASecureAlgorithmName()) and
    // Exclude German and French sentences.
    not this.getValue().regexpMatch(".*\\p{IsLowercase} des \\p{IsLetter}.*")
  }
--- a/java/ql/lib/semmle/code/java/security/Encryption.qll
+++ b/java/ql/lib/semmle/code/java/security/Encryption.qll
@@ -250,7 +250,8 @@ string getASecureAlgorithmName() {
  result =
    [
      "RSA", "SHA-?256", "SHA-?512", "CCM", "GCM", "AES(?![^a-zA-Z](ECB|CBC/PKCS[57]Padding))",
-      "Blowfish", "ECIES"
+      "Blowfish", "ECIES", "RSA/ECB/OAEPWithSHA-1AndMGF1Padding", "RSA/ECB/PKCS1Padding",
+      "RSA/ECB/OAEPWithSHA-256AndMGF1Padding"
    ]
 }