Merge branch 'main' into turbo/experimental-suite

Add experimental,ml-generated tags
2026-06-05 21:47:10 +02:00 · 2022-12-14 16:31:03 +01:00 · 2022-08-22 15:59:39 +02:00
144 changed files with 402 additions and 7 deletions
--- a/Bugs/RedundantNullCheckParam.ql
+++ b/Bugs/RedundantNullCheckParam.ql
@@ -9,6 +9,7 @@
 * @tags reliability
 *       security
 *       external/cwe/cwe-476
+ *       experimental
 */

 import cpp
--- a/cpp/ql/src/experimental/Security/CWE/CWE-020/LateCheckOfFunctionArgument.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-020/LateCheckOfFunctionArgument.ql
@@ -10,6 +10,7 @@
 * @tags correctness
 *       security
 *       external/cwe/cwe-20
+ *       experimental
 */

 import cpp
--- a/cpp/ql/src/experimental/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser.ql
@@ -12,6 +12,7 @@
 * @security-severity 7.5
 * @tags security
 *       external/cwe/cwe-020
+ *       experimental
 */

 import cpp
--- a/cpp/ql/src/experimental/Security/CWE/CWE-1041/FindWrapperFunctions.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-1041/FindWrapperFunctions.ql
@@ -9,6 +9,7 @@
 *       maintainability
 *       security
 *       external/cwe/cwe-1041
+ *       experimental
 */

 import cpp
--- a/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
@@ -10,6 +10,7 @@
 * @tags correctness
 *       security
 *       external/cwe/cwe-1126
+ *       experimental
 */

 import cpp
--- a/cpp/ql/src/experimental/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.ql
@@ -7,6 +7,7 @@
 * @tags reliability
 *       security
 *       external/cwe/cwe-120
+ *       experimental
 */

 import cpp
--- a/cpp/ql/src/experimental/Security/CWE/CWE-125/DangerousWorksWithMultibyteOrWideCharacters.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-125/DangerousWorksWithMultibyteOrWideCharacters.ql
@@ -8,6 +8,7 @@
 * @tags correctness
 *       security
 *       external/cwe/cwe-125
+ *       experimental
 */

 import cpp
--- a/cpp/ql/src/experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql
@@ -8,6 +8,7 @@
 *       correctness
 *       external/cwe/cwe-190
 *       external/cwe/cwe-128
+ *       experimental
 * @id cpp/multiplication-overflow-in-alloc
 */

--- a/cpp/ql/src/experimental/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation.ql
@@ -8,6 +8,7 @@
 * @tags correctness
 *       security
 *       external/cwe/cwe-190
+ *       experimental
 */

 import cpp
--- a/cpp/ql/src/experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql
@@ -10,6 +10,7 @@
 *       security
 *       external/cwe/cwe-200
 *       external/cwe/cwe-264
+ *       experimental
 */

 import cpp
--- a/cpp/ql/src/experimental/Security/CWE/CWE-243/IncorrectChangingWorkingDirectory.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-243/IncorrectChangingWorkingDirectory.ql
@@ -9,6 +9,7 @@
 *       security
 *       external/cwe/cwe-243
 *       external/cwe/cwe-252
+ *       experimental
 */

 import cpp
--- a/cpp/ql/src/experimental/Security/CWE/CWE-266/IncorrectPrivilegeAssignment.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-266/IncorrectPrivilegeAssignment.ql
@@ -13,6 +13,7 @@
 *       external/cwe/cwe-200
 *       external/cwe/cwe-560
 *       external/cwe/cwe-687
+ *       experimental
 */

 import cpp
--- a/cpp/ql/src/experimental/Security/CWE/CWE-273/PrivilegeDroppingOutoforder.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-273/PrivilegeDroppingOutoforder.ql
@@ -9,6 +9,7 @@
 * @id cpp/drop-linux-privileges-outoforder
 * @tags security
 *       external/cwe/cwe-273
+ *       experimental
 * @precision medium
 */

--- a/cpp/ql/src/experimental/Security/CWE/CWE-285/PamAuthorization.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-285/PamAuthorization.ql
@@ -6,6 +6,7 @@
 * @id cpp/pam-auth-bypass
 * @tags security
 *       external/cwe/cwe-285
+ *       experimental
 */

 import cpp
--- a/cpp/ql/src/experimental/Security/CWE/CWE-359/PrivateCleartextWrite.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-359/PrivateCleartextWrite.ql
@@ -7,6 +7,7 @@
 * @id cpp/private-cleartext-write
 * @tags security
 *       external/cwe/cwe-359
+ *       experimental
 */

 import cpp
--- a/cpp/ql/src/experimental/Security/CWE/CWE-362/double-fetch.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-362/double-fetch.ql
@@ -12,6 +12,7 @@
 * @security-severity 7.5
 * @tags security
 *       external/cwe/cwe-362
+ *       experimental
 */

 import cpp
--- a/cpp/ql/src/experimental/Security/CWE/CWE-377/InsecureTemporaryFile.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-377/InsecureTemporaryFile.ql
@@ -8,6 +8,7 @@
 * @tags correctness
 *       security
 *       external/cwe/cwe-377
+ *       experimental
 */

 import cpp
--- a/cpp/ql/src/experimental/Security/CWE/CWE-401/MemoryLeakOnFailedCallToRealloc.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-401/MemoryLeakOnFailedCallToRealloc.ql
@@ -9,6 +9,7 @@
 * @tags correctness
 *       security
 *       external/cwe/cwe-401
+ *       experimental
 */

 import cpp
--- a/cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.ql
@@ -7,6 +7,7 @@
 * @precision medium
 * @tags security
 *       external/cwe/cwe-415
+ *       experimental
 */

 import cpp
--- a/cpp/ql/src/experimental/Security/CWE/CWE-476/DangerousUseOfExceptionBlocks.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-476/DangerousUseOfExceptionBlocks.ql
@@ -9,6 +9,7 @@
 *       security
 *       external/cwe/cwe-476
 *       external/cwe/cwe-415
+ *       experimental
 */

 import cpp
--- a/cpp/ql/src/experimental/Security/CWE/CWE-561/FindIncorrectlyUsedSwitch.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-561/FindIncorrectlyUsedSwitch.ql
@@ -11,6 +11,7 @@
 *       external/cwe/cwe-561
 *       external/cwe/cwe-691
 *       external/cwe/cwe-478
+ *       experimental
 */

 import cpp
--- a/cpp/ql/src/experimental/Security/CWE/CWE-670/DangerousUseSSL_shutdown.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-670/DangerousUseSSL_shutdown.ql
@@ -8,6 +8,7 @@
 * @tags correctness
 *       security
 *       external/cwe/cwe-670
+ *       experimental
 */

 import cpp
--- a/cpp/ql/src/experimental/Security/CWE/CWE-675/DoubleRelease.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-675/DoubleRelease.ql
@@ -8,6 +8,7 @@
 * @tags security
 *       external/cwe/cwe-675
 *       external/cwe/cwe-666
+ *       experimental
 */

 import cpp
--- a/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.ql
@@ -11,6 +11,7 @@
 * @tags correctness
 *       security
 *       external/cwe/cwe-691
+ *       experimental
 */

 import cpp
--- a/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql
@@ -9,6 +9,7 @@
 * @tags correctness
 *       security
 *       external/cwe/cwe-691
+ *       experimental
 */

 import cpp
--- a/cpp/ql/src/experimental/Security/CWE/CWE-703/FindIncorrectlyUsedExceptions.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-703/FindIncorrectlyUsedExceptions.ql
@@ -10,6 +10,7 @@
 *       external/cwe/cwe-703
 *       external/cwe/cwe-248
 *       external/cwe/cwe-390
+ *       experimental
 */

 import cpp
--- a/cpp/ql/src/experimental/Security/CWE/CWE-754/ImproperCheckReturnValueScanf.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-754/ImproperCheckReturnValueScanf.ql
@@ -9,6 +9,7 @@
 *       security
 *       external/cwe/cwe-754
 *       external/cwe/cwe-908
+ *       experimental
 */

 import cpp
--- a/cpp/ql/src/experimental/Security/CWE/CWE-758/UndefinedOrImplementationDefinedBehavior.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-758/UndefinedOrImplementationDefinedBehavior.ql
@@ -9,6 +9,7 @@
 * @precision medium
 * @tags security
 *       external/cwe/cwe-758
+ *       experimental
 */

 import cpp
--- a/cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBitwiseOrLogicalOperations.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBitwiseOrLogicalOperations.ql
@@ -10,6 +10,7 @@
 *       readability
 *       external/cwe/cwe-783
 *       external/cwe/cwe-480
+ *       experimental
 */

 import cpp
--- a/cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.ql
@@ -10,6 +10,7 @@
 *       security
 *       external/cwe/cwe-783
 *       external/cwe/cwe-480
+ *       experimental
 */

 import cpp
--- a/cpp/ql/src/experimental/Security/CWE/CWE-787/UnsignedToSignedPointerArith.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-787/UnsignedToSignedPointerArith.ql
@@ -7,6 +7,7 @@
 * @tags reliability
 *       security
 *       external/cwe/cwe-787
+ *       experimental
 */

 import cpp
--- a/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql
@@ -9,6 +9,7 @@
 * @tags correctness
 *       security
 *       external/cwe/cwe-788
+ *       experimental
 */

 import cpp
--- a/csharp/ql/src/experimental/CWE-099/TaintedWebClient.ql
+++ b/csharp/ql/src/experimental/CWE-099/TaintedWebClient.ql
@@ -11,6 +11,7 @@
 *       external/cwe/cwe-023
 *       external/cwe/cwe-036
 *       external/cwe/cwe-073
+ *       experimental
 */

 import csharp
--- a/csharp/ql/src/experimental/CWE-918/RequestForgery.ql
+++ b/csharp/ql/src/experimental/CWE-918/RequestForgery.ql
@@ -7,6 +7,7 @@
 * @id cs/request-forgery
 * @tags security
 *       external/cwe/cwe-918
+ *       experimental
 */

 import csharp
--- a/Features/CWE-1004/CookieWithoutHttpOnly.ql
+++ b/Features/CWE-1004/CookieWithoutHttpOnly.ql
@@ -10,6 +10,7 @@
 * @id cs/web/cookie-httponly-not-set
 * @tags security
 *       external/cwe/cwe-1004
+ *       experimental
 */

 import csharp
--- a/Features/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql
+++ b/Features/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql
@@ -5,6 +5,7 @@
 * @tags security
 *       cryptography
 *       external/cwe/cwe-327
+ *       experimental
 * @id cs/azure-storage/unsafe-usage-of-client-side-encryption-version
 * @problem.severity error
 * @precision high
--- a/Features/CWE-614/CookieWithoutSecure.ql
+++ b/Features/CWE-614/CookieWithoutSecure.ql
@@ -10,6 +10,7 @@
 * @tags security
 *       external/cwe/cwe-319
 *       external/cwe/cwe-614
+ *       experimental
 */

 import csharp
--- a/Features/CWE-759/HashWithoutSalt.ql
+++ b/Features/CWE-759/HashWithoutSalt.ql
@@ -6,6 +6,7 @@
 * @id cs/hash-without-salt
 * @tags security
 *       external/cwe-759
+ *       experimental
 */

 import csharp
--- a/Features/Serialization/DefiningDatasetRelatedType.ql
+++ b/Features/Serialization/DefiningDatasetRelatedType.ql
@@ -5,6 +5,7 @@
 * @problem.severity warning
 * @id cs/dataset-serialization/defining-dataset-related-type
 * @tags security
+ *       experimental
 */

 import csharp
--- a/Features/Serialization/DefiningPotentiallyUnsafeXmlSerializer.ql
+++ b/Features/Serialization/DefiningPotentiallyUnsafeXmlSerializer.ql
@@ -6,6 +6,7 @@
 * @precision medium
 * @id cs/dataset-serialization/defining-potentially-unsafe-xml-serializer
 * @tags security
+ *       experimental
 */

 import csharp
--- a/Features/Serialization/UnsafeTypeUsedDataContractSerializer.ql
+++ b/Features/Serialization/UnsafeTypeUsedDataContractSerializer.ql
@@ -6,6 +6,7 @@
 * @precision medium
 * @id cs/dataset-serialization/unsafe-type-used-data-contract-serializer
 * @tags security
+ *       experimental
 */

 import csharp
--- a/Features/Serialization/XmlDeserializationWithDataSet.ql
+++ b/Features/Serialization/XmlDeserializationWithDataSet.ql
@@ -6,6 +6,7 @@
 * @precision medium
 * @id cs/dataset-serialization/xml-deserialization-with-dataset
 * @tags security
+ *       experimental
 */

 import csharp
--- a/Features/backdoor/DangerousNativeFunctionCall.ql
+++ b/Features/backdoor/DangerousNativeFunctionCall.ql
@@ -7,6 +7,7 @@
 * @id cs/backdoor/dangerous-native-functions
 * @tags security
 *       solorigate
+ *       experimental
 */

 import csharp
--- a/Features/backdoor/PotentialTimeBomb.ql
+++ b/Features/backdoor/PotentialTimeBomb.ql
@@ -7,6 +7,7 @@
 * @id cs/backdoor/potential-time-bomb
 * @tags security
 *       solorigate
+ *       experimental
 */

 import csharp
--- a/Features/backdoor/ProcessNameToHashTaintFlow.ql
+++ b/Features/backdoor/ProcessNameToHashTaintFlow.ql
@@ -4,6 +4,7 @@
 * @kind path-problem
 * @tags security
 *       solorigate
+ *       experimental
 * @problem.severity warning
 * @precision medium
 * @id cs/backdoor/process-name-to-hash-function
--- a/go/ql/src/experimental/CWE-090/LDAPInjection.ql
+++ b/go/ql/src/experimental/CWE-090/LDAPInjection.ql
@@ -7,6 +7,7 @@
 * @id go/ldap-injection
 * @tags security
 *       external/cwe/cwe-90
+ *       experimental
 */

 import go
--- a/go/ql/src/experimental/CWE-1004/CookieWithoutHttpOnly.ql
+++ b/go/ql/src/experimental/CWE-1004/CookieWithoutHttpOnly.ql
@@ -10,6 +10,7 @@
 * @id go/cookie-httponly-not-set
 * @tags security
 *       external/cwe/cwe-1004
+ *       experimental
 */

 import go
--- a/go/ql/src/experimental/CWE-285/PamAuthBypass.ql
+++ b/go/ql/src/experimental/CWE-285/PamAuthBypass.ql
@@ -8,6 +8,7 @@
 *       correctness
 *       external/cwe/cwe-561
 *       external/cwe/cwe-285
+ *       experimental
 * @precision very-high
 */

--- a/go/ql/src/experimental/CWE-321/HardcodedKeys.ql
+++ b/go/ql/src/experimental/CWE-321/HardcodedKeys.ql
@@ -6,6 +6,7 @@
 * @id go/hardcoded-key
 * @tags security
 *       external/cwe/cwe-321
+ *       experimental
 */

 import go
--- a/go/ql/src/experimental/CWE-327/WeakCryptoAlgorithm.ql
+++ b/go/ql/src/experimental/CWE-327/WeakCryptoAlgorithm.ql
@@ -5,8 +5,9 @@
 * @problem.severity error
 * @id go/weak-crypto-algorithm
 * @tags security
- *         external/cwe/cwe-327
- *         external/cwe/cwe-328
+ *       external/cwe/cwe-327
+ *       external/cwe/cwe-328
+ *       experimental
 */

 import go
--- a/go/ql/src/experimental/CWE-369/DivideByZero.ql
+++ b/go/ql/src/experimental/CWE-369/DivideByZero.ql
@@ -6,6 +6,7 @@
 * @id go/divide-by-zero
 * @tags security
 *       external/cwe/cwe-369
+ *       experimental
 */

 import go
--- a/go/ql/src/experimental/CWE-400/DatabaseCallInLoop.ql
+++ b/go/ql/src/experimental/CWE-400/DatabaseCallInLoop.ql
@@ -6,6 +6,9 @@
 * @problem.severity warning
 * @precision high
 * @id go/examples/database-call-in-loop
+ * @tags security
+ *       external/cwe/cwe-400
+ *       experimental
 */

 import go
--- a/go/ql/src/experimental/CWE-79/HTMLTemplateEscapingPassthrough.ql
+++ b/go/ql/src/experimental/CWE-79/HTMLTemplateEscapingPassthrough.ql
@@ -7,6 +7,7 @@
 * @id go/html-template-escaping-passthrough
 * @tags security
 *       external/cwe/cwe-79
+ *       experimental
 */

 import go
--- a/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.ql
+++ b/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.ql
@@ -8,6 +8,8 @@
 * @tags external/cwe/cwe-807
 *       external/cwe/cwe-247
 *       external/cwe/cwe-350
+ *       security
+ *       experimental
 */

 import go
--- a/go/ql/src/experimental/CWE-840/ConditionalBypass.ql
+++ b/go/ql/src/experimental/CWE-840/ConditionalBypass.ql
@@ -6,6 +6,8 @@
 * @kind problem
 * @problem.severity warning
 * @tags external/cwe/cwe-840
+ *       experimental
+ *       security
 */

 import go
--- a/go/ql/src/experimental/CWE-918/SSRF.ql
+++ b/go/ql/src/experimental/CWE-918/SSRF.ql
@@ -6,6 +6,7 @@
 * @problem.severity error
 * @precision high
 * @tags security
+ *       experimental
 *       external/cwe/cwe-918
 */

--- a/go/ql/src/experimental/CWE-942/CorsMisconfiguration.ql
+++ b/go/ql/src/experimental/CWE-942/CorsMisconfiguration.ql
@@ -9,6 +9,7 @@
 * @tags security
 *       external/cwe/cwe-942
 *       external/cwe/cwe-346
+ *       experimental
 */

 import go
--- a/go/ql/src/experimental/Unsafe/WrongUsageOfUnsafe.ql
+++ b/go/ql/src/experimental/Unsafe/WrongUsageOfUnsafe.ql
@@ -8,6 +8,7 @@
 * @tags security
 *       external/cwe/cwe-119
 *       external/cwe/cwe-126
+ *       experimental
 */

 import go
--- a/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql
@@ -8,6 +8,7 @@
 * @id java/insecure-spring-actuator-config
 * @tags security
 *       external/cwe/cwe-016
+ *       experimental
 */

 /*
--- a/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.ql
@@ -8,6 +8,7 @@
 * @id java/spring-boot-exposed-actuators
 * @tags security
 *       external/cwe/cwe-16
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql
@@ -12,6 +12,7 @@
 *       external/cwe/cwe-074
 *       external/cwe/cwe-400
 *       external/cwe/cwe-502
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql
@@ -8,6 +8,7 @@
 * @id java/openstream-called-on-tainted-url
 * @tags security
 *       external/cwe/cwe-036
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql
@@ -9,6 +9,7 @@
 * @id java/file-path-injection
 * @tags security
 *       external/cwe-073
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql
@@ -9,6 +9,7 @@
 * @tags security
 *       external/cwe/cwe-078
 *       external/cwe/cwe-088
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql
@@ -9,6 +9,7 @@
 * @id java/mybatis-annotation-sql-injection
 * @tags security
 *       external/cwe/cwe-089
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql
@@ -9,6 +9,7 @@
 * @id java/mybatis-xml-sql-injection
 * @tags security
 *       external/cwe/cwe-089
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-094/BeanShellInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/BeanShellInjection.ql
@@ -8,6 +8,7 @@
 * @id java/beanshell-injection
 * @tags security
 *       external/cwe/cwe-094
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.ql
@@ -8,6 +8,7 @@
 * @id java/android-insecure-dex-loading
 * @tags security
 *       external/cwe/cwe-094
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-094/JShellInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JShellInjection.ql
@@ -8,6 +8,7 @@
 * @id java/jshell-injection
 * @tags security
 *       external/cwe/cwe-094
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjection.ql
@@ -8,6 +8,7 @@
 * @id java/javaee-expression-injection
 * @tags security
 *       external/cwe/cwe-094
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql
@@ -9,6 +9,7 @@
 * @tags security
 *       external/cwe/cwe-094
 *       external/cwe/cwe-095
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
@@ -8,6 +8,7 @@
 * @id java/unsafe-eval
 * @tags security
 *       external/cwe/cwe-094
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-094/SpringImplicitViewManipulation.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/SpringImplicitViewManipulation.ql
@@ -7,6 +7,7 @@
 * @id java/spring-view-manipulation-implicit
 * @tags security
 *       external/cwe/cwe-094
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulation.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulation.ql
@@ -7,6 +7,7 @@
 * @id java/spring-view-manipulation
 * @tags security
 *       external/cwe/cwe-094
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-094/TemplateInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/TemplateInjection.ql
@@ -0,0 +1 @@
+
--- a/java/ql/src/experimental/Security/CWE/CWE-1004/InsecureTomcatConfig.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-1004/InsecureTomcatConfig.ql
@@ -7,6 +7,7 @@
 * @id java/tomcat-disabled-httponly
 * @tags security
 *       external/cwe/cwe-1004
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
@@ -8,6 +8,7 @@
 * @id java/sensitive-cookie-not-httponly
 * @tags security
 *       external/cwe/cwe-1004
+ *       experimental
 */

 /*
--- a/java/ql/src/experimental/Security/CWE/CWE-200/InsecureWebResourceResponse.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-200/InsecureWebResourceResponse.ql
@@ -7,6 +7,7 @@
 * @problem.severity error
 * @tags security
 *       external/cwe/cwe-200
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-200/SensitiveAndroidFileLeak.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-200/SensitiveAndroidFileLeak.ql
@@ -7,6 +7,7 @@
 * @problem.severity warning
 * @tags security
 *       external/cwe/cwe-200
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-208/PossibleTimingAttackAgainstSignature.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/PossibleTimingAttackAgainstSignature.ql
@@ -10,6 +10,7 @@
 * @id java/possible-timing-attack-against-signature
 * @tags security
 *       external/cwe/cwe-208
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstHeader.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstHeader.ql
@@ -8,6 +8,7 @@
 * @id java/timing-attack-against-headers-value
 * @tags security
 *       external/cwe/cwe-208
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSignature.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSignature.ql
@@ -11,6 +11,7 @@
 * @id java/timing-attack-against-signature
 * @tags security
 *       external/cwe/cwe-208
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql
@@ -9,6 +9,7 @@
 * @id java/jxbrowser/disabled-certificate-validation
 * @tags security
 *       external/cwe/cwe-295
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-297/IgnoredHostnameVerification.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-297/IgnoredHostnameVerification.ql
@@ -8,6 +8,7 @@
 * @id java/ignored-hostname-verification
 * @tags security
 *       external/cwe/cwe-297
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-297/InsecureLdapEndpoint.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-297/InsecureLdapEndpoint.ql
@@ -9,6 +9,7 @@
 * @id java/insecure-ldaps-endpoint
 * @tags security
 *       external/cwe/cwe-297
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-299/DisabledRevocationChecking.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-299/DisabledRevocationChecking.ql
@@ -8,6 +8,7 @@
 * @id java/disabled-certificate-revocation-checking
 * @tags security
 *       external/cwe/cwe-299
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-321/HardcodedJwtKey.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-321/HardcodedJwtKey.ql
@@ -6,6 +6,7 @@
 * @id java/hardcoded-jwt-key
 * @tags security
 *       external/cwe/cwe-321
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.ql
@@ -0,0 +1,154 @@
+/**
+ * @name Weak encryption: Insufficient key size
+ * @description Finds uses of encryption algorithms with too small a key size
+ * @kind problem
+ * @problem.severity warning
+ * @precision medium
+ * @id java/insufficient-key-size
+ * @tags security
+ *       external/cwe/cwe-326
+ *       experimental
+ */
+
+import java
+import semmle.code.java.security.Encryption
+import semmle.code.java.dataflow.TaintTracking
+
+/** The Java class `java.security.spec.ECGenParameterSpec`. */
+class ECGenParameterSpec extends RefType {
+  ECGenParameterSpec() { this.hasQualifiedName("java.security.spec", "ECGenParameterSpec") }
+}
+
+/** The `init` method declared in `javax.crypto.KeyGenerator`. */
+class KeyGeneratorInitMethod extends Method {
+  KeyGeneratorInitMethod() {
+    this.getDeclaringType() instanceof KeyGenerator and
+    this.hasName("init")
+  }
+}
+
+/** The `initialize` method declared in `java.security.KeyPairGenerator`. */
+class KeyPairGeneratorInitMethod extends Method {
+  KeyPairGeneratorInitMethod() {
+    this.getDeclaringType() instanceof KeyPairGenerator and
+    this.hasName("initialize")
+  }
+}
+
+/** Returns the key size in the EC algorithm string */
+bindingset[algorithm]
+int getECKeySize(string algorithm) {
+  algorithm.matches("sec%") and // specification such as "secp256r1"
+  result = algorithm.regexpCapture("sec[p|t](\\d+)[a-zA-Z].*", 1).toInt()
+  or
+  algorithm.matches("X9.62%") and //specification such as "X9.62 prime192v2"
+  result = algorithm.regexpCapture("X9\\.62 .*[a-zA-Z](\\d+)[a-zA-Z].*", 1).toInt()
+  or
+  (algorithm.matches("prime%") or algorithm.matches("c2tnb%")) and //specification such as "prime192v2"
+  result = algorithm.regexpCapture(".*[a-zA-Z](\\d+)[a-zA-Z].*", 1).toInt()
+}
+
+/** Taint configuration tracking flow from a key generator to a `init` method call. */
+class KeyGeneratorInitConfiguration extends TaintTracking::Configuration {
+  KeyGeneratorInitConfiguration() { this = "KeyGeneratorInitConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source.asExpr() instanceof JavaxCryptoKeyGenerator
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof KeyGeneratorInitMethod and
+      sink.asExpr() = ma.getQualifier()
+    )
+  }
+}
+
+/** Taint configuration tracking flow from a keypair generator to a `initialize` method call. */
+class KeyPairGeneratorInitConfiguration extends TaintTracking::Configuration {
+  KeyPairGeneratorInitConfiguration() { this = "KeyPairGeneratorInitConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source.asExpr() instanceof JavaSecurityKeyPairGenerator
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof KeyPairGeneratorInitMethod and
+      sink.asExpr() = ma.getQualifier()
+    )
+  }
+}
+
+/** Holds if a symmetric `KeyGenerator` implementing encryption algorithm `type` and initialized by `ma` uses an insufficient key size. `msg` provides a human-readable description of the problem. */
+bindingset[type]
+predicate hasShortSymmetricKey(MethodAccess ma, string msg, string type) {
+  ma.getMethod() instanceof KeyGeneratorInitMethod and
+  exists(
+    JavaxCryptoKeyGenerator jcg, KeyGeneratorInitConfiguration cc, DataFlow::PathNode source,
+    DataFlow::PathNode dest
+  |
+    jcg.getAlgoSpec().(StringLiteral).getValue() = type and
+    source.getNode().asExpr() = jcg and
+    dest.getNode().asExpr() = ma.getQualifier() and
+    cc.hasFlowPath(source, dest)
+  ) and
+  ma.getArgument(0).(IntegerLiteral).getIntValue() < 128 and
+  msg = "Key size should be at least 128 bits for " + type + " encryption."
+}
+
+/** Holds if an AES `KeyGenerator` initialized by `ma` uses an insufficient key size. `msg` provides a human-readable description of the problem. */
+predicate hasShortAESKey(MethodAccess ma, string msg) { hasShortSymmetricKey(ma, msg, "AES") }
+
+/** Holds if an asymmetric `KeyPairGenerator` implementing encryption algorithm `type` and initialized by `ma` uses an insufficient key size. `msg` provides a human-readable description of the problem. */
+bindingset[type]
+predicate hasShortAsymmetricKeyPair(MethodAccess ma, string msg, string type) {
+  ma.getMethod() instanceof KeyPairGeneratorInitMethod and
+  exists(
+    JavaSecurityKeyPairGenerator jpg, KeyPairGeneratorInitConfiguration kc,
+    DataFlow::PathNode source, DataFlow::PathNode dest
+  |
+    jpg.getAlgoSpec().(StringLiteral).getValue().toUpperCase() = type and
+    source.getNode().asExpr() = jpg and
+    dest.getNode().asExpr() = ma.getQualifier() and
+    kc.hasFlowPath(source, dest)
+  ) and
+  ma.getArgument(0).(IntegerLiteral).getIntValue() < 2048 and
+  msg = "Key size should be at least 2048 bits for " + type + " encryption."
+}
+
+/** Holds if a DSA `KeyPairGenerator` initialized by `ma` uses an insufficient key size. `msg` provides a human-readable description of the problem. */
+predicate hasShortDSAKeyPair(MethodAccess ma, string msg) {
+  hasShortAsymmetricKeyPair(ma, msg, "DSA") or hasShortAsymmetricKeyPair(ma, msg, "DH")
+}
+
+/** Holds if a RSA `KeyPairGenerator` initialized by `ma` uses an insufficient key size. `msg` provides a human-readable description of the problem. */
+predicate hasShortRSAKeyPair(MethodAccess ma, string msg) {
+  hasShortAsymmetricKeyPair(ma, msg, "RSA")
+}
+
+/** Holds if an EC `KeyPairGenerator` initialized by `ma` uses an insufficient key size. `msg` provides a human-readable description of the problem. */
+predicate hasShortECKeyPair(MethodAccess ma, string msg) {
+  ma.getMethod() instanceof KeyPairGeneratorInitMethod and
+  exists(
+    JavaSecurityKeyPairGenerator jpg, KeyPairGeneratorInitConfiguration kc,
+    DataFlow::PathNode source, DataFlow::PathNode dest, ClassInstanceExpr cie
+  |
+    jpg.getAlgoSpec().(StringLiteral).getValue().matches("EC%") and // ECC variants such as ECDH and ECDSA
+    source.getNode().asExpr() = jpg and
+    dest.getNode().asExpr() = ma.getQualifier() and
+    kc.hasFlowPath(source, dest) and
+    DataFlow::localExprFlow(cie, ma.getArgument(0)) and
+    ma.getArgument(0).getType() instanceof ECGenParameterSpec and
+    getECKeySize(cie.getArgument(0).(StringLiteral).getValue()) < 256
+  ) and
+  msg = "Key size should be at least 256 bits for EC encryption."
+}
+
+from Expr e, string msg
+where
+  hasShortAESKey(e, msg) or
+  hasShortDSAKeyPair(e, msg) or
+  hasShortRSAKeyPair(e, msg) or
+  hasShortECKeyPair(e, msg)
+select e, msg
--- a/java/ql/src/experimental/Security/CWE/CWE-327/UnsafeTlsVersion.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-327/UnsafeTlsVersion.ql
@@ -8,6 +8,7 @@
 * @id java/unsafe-tls-version
 * @tags security
 *       external/cwe/cwe-327
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-346/UnvalidatedCors.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-346/UnvalidatedCors.ql
@@ -7,6 +7,7 @@
 * @id java/unvalidated-cors-origin-set
 * @tags security
 *       external/cwe/cwe-346
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql
@@ -8,6 +8,7 @@
 * @id java/ip-address-spoofing
 * @tags security
 *       external/cwe/cwe-348
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
@@ -8,6 +8,7 @@
 * @id java/jsonp-injection
 * @tags security
 *       external/cwe/cwe-352
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.ql
@@ -7,6 +7,7 @@
 * @problem.severity warning
 * @tags security
 *       external/cwe/cwe-400
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflection.ql
@@ -8,6 +8,7 @@
 * @id java/unsafe-reflection
 * @tags security
 *       external/cwe/cwe-470
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-489/EJBMain.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-489/EJBMain.ql
@@ -7,6 +7,7 @@
 * @id java/main-method-in-enterprise-bean
 * @tags security
 *       external/cwe/cwe-489
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-489/WebComponentMain.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-489/WebComponentMain.ql
@@ -7,6 +7,7 @@
 * @id java/main-method-in-web-components
 * @tags security
 *       external/cwe/cwe-489
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-489/devMode.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-489/devMode.ql
@@ -8,6 +8,7 @@
 * @id java/struts-development-mode
 * @tags security
 *       external/cwe/cwe-489
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.ql
@@ -10,6 +10,7 @@
 * @id java/unsafe-deserialization-rmi
 * @tags security
 *       external/cwe/cwe-502
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeSpringExporterInConfigurationClass.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeSpringExporterInConfigurationClass.ql
@@ -9,6 +9,7 @@
 * @id java/unsafe-deserialization-spring-exporter-in-configuration-class
 * @tags security
 *       external/cwe/cwe-502
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeSpringExporterInXMLConfiguration.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeSpringExporterInXMLConfiguration.ql
@@ -9,6 +9,7 @@
 * @id java/unsafe-deserialization-spring-exporter-in-xml-configuration
 * @tags security
 *       external/cwe/cwe-502
+ *       experimental
 */

 import java
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
turbo	118daaba5c	Merge branch 'main' into turbo/experimental-suite	2022-12-14 16:31:03 +01:00
turbo	ce2b59ae4a	Add experimental,ml-generated tags	2022-08-22 15:59:39 +02:00