
Commit 0fc6b5e

committed
Java: diff-informed StaticInitializationVector
This query was made diff-informed by shifting the secondary configuration to run after the primary. The test had to change because the query now does more than just present the results of data flow.
1 parent 8c8f3ed commit 0fc6b5e


7 files changed

+117
-35
lines changed


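--- a/java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll
@@ -81,7 +81,7 @@ private class ArrayUpdate extends Expr {
 }
 
 private predicate arrayUpdateSrc(DataFlow::Node source) {
-source.asExpr() instanceof StaticByteArrayCreation
+StaticInitializationVectorFlow::flow(source, _)
 }
 
 private predicate arrayUpdateSink(DataFlow::Node sink) {
@@ -92,7 +92,7 @@ private module ArrayUpdateFlowFwd = DataFlow::SimpleGlobal<arrayUpdateSrc/1>;
 
 private module ArrayUpdateFlow = ArrayUpdateFlowFwd::Graph<arrayUpdateSink/1>;
 
-private predicate arrayReachesUpdate(StaticByteArrayCreation array) {
+predicate arrayReachesUpdate(StaticByteArrayCreation array) {
 exists(ArrayUpdateFlow::PathNode src | src.isSource() and src.getNode().asExpr() = array)
 }
 
@@ -102,7 +102,6 @@ private predicate arrayReachesUpdate(StaticByteArrayCreation array) {
 private class StaticInitializationVectorSource extends DataFlow::Node {
 StaticInitializationVectorSource() {
 exists(StaticByteArrayCreation array | array = this.asExpr() |
-not arrayReachesUpdate(array) and
 // Reduce FPs from utility methods that return an empty array in an exceptional case
 not exists(ReturnStmt ret |
 array.getADimension().(CompileTimeConstantExpr).getIntValue() = 0 and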
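Review bot: `arrayReachesUpdate` loses its `private` modifier and becomes part of the library's exported surface without any QLDoc, and the same commit drops the `not arrayReachesUpdate(array)` conjunct from `StaticInitializationVectorSource`. From these lines, `StaticInitializationVectorFlow` used on its own now also yields flows from byte arrays that reach an array update (presumably arrays that are overwritten before use), so any other importer of the module has to apply the filter itself or accept extra false positives. I would add a QLDoc comment above the predicate, for example `/** Holds if array reaches an array update; users of StaticInitializationVectorFlow must exclude such arrays themselves. */`. The body of `StaticInitializationVectorSource` continues outside the hunk, so whether anything else there relied on the removed conjunct cannot be checked from here.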

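--- a/java/ql/src/Security/CWE/CWE-1204/StaticInitializationVector.ql
+++ b/java/ql/src/Security/CWE/CWE-1204/StaticInitializationVector.ql
@@ -16,6 +16,8 @@ import semmle.code.java.security.StaticInitializationVectorQuery
 import StaticInitializationVectorFlow::PathGraph
 
 from StaticInitializationVectorFlow::PathNode source, StaticInitializationVectorFlow::PathNode sink
-where StaticInitializationVectorFlow::flowPath(source, sink)
+where
+StaticInitializationVectorFlow::flowPath(source, sink) and
+not arrayReachesUpdate(source.getNode().asExpr())
 select sink.getNode(), source, sink, "A $@ should not be used for encryption.", source.getNode(),
 "static initialization vector"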
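Review bot: The new conjunct `not arrayReachesUpdate(source.getNode().asExpr())` now carries this query's updated-array suppression, yet nothing at the `where` explains why it sits here instead of in the source definition. A later cleanup could move it back into the library and undo the ordering the commit message describes, so a short comment above it would help, for example `// Filter here, not in the source: the array-update flow is seeded from this flow's sources (diff-informed).` The path graph itself is no longer filtered, so the new expected output lists edges for sources (e.g. line 103) that have no `#select` row. That looks intended, but it means the negative cases are only checked by their absence from `#select`.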
Lines changed: 97 additions & 0 deletions
@@ -0,0 +1,97 @@
1+
#select
2+
| StaticInitializationVector.java:19:51:19:56 | ivSpec | StaticInitializationVector.java:13:21:13:81 | new byte[] : byte[] | StaticInitializationVector.java:19:51:19:56 | ivSpec | A $@ should not be used for encryption. | StaticInitializationVector.java:13:21:13:81 | new byte[] | static initialization vector |
3+
| StaticInitializationVector.java:32:51:32:56 | ivSpec | StaticInitializationVector.java:26:21:26:32 | new byte[] : byte[] | StaticInitializationVector.java:32:51:32:56 | ivSpec | A $@ should not be used for encryption. | StaticInitializationVector.java:26:21:26:32 | new byte[] | static initialization vector |
4+
| StaticInitializationVector.java:48:51:48:56 | ivSpec | StaticInitializationVector.java:39:21:39:32 | new byte[] : byte[] | StaticInitializationVector.java:48:51:48:56 | ivSpec | A $@ should not be used for encryption. | StaticInitializationVector.java:39:21:39:32 | new byte[] | static initialization vector |
5+
| StaticInitializationVector.java:64:51:64:56 | ivSpec | StaticInitializationVector.java:55:30:58:9 | new byte[][] : byte[][] | StaticInitializationVector.java:64:51:64:56 | ivSpec | A $@ should not be used for encryption. | StaticInitializationVector.java:55:30:58:9 | new byte[][] | static initialization vector |
6+
| StaticInitializationVector.java:80:51:80:56 | ivSpec | StaticInitializationVector.java:71:30:74:9 | new byte[][] : byte[][] | StaticInitializationVector.java:80:51:80:56 | ivSpec | A $@ should not be used for encryption. | StaticInitializationVector.java:71:30:74:9 | new byte[][] | static initialization vector |
7+
| StaticInitializationVector.java:96:51:96:56 | ivSpec | StaticInitializationVector.java:88:13:88:23 | new byte[] : byte[] | StaticInitializationVector.java:96:51:96:56 | ivSpec | A $@ should not be used for encryption. | StaticInitializationVector.java:88:13:88:23 | new byte[] | static initialization vector |
8+
| StaticInitializationVector.java:96:51:96:56 | ivSpec | StaticInitializationVector.java:89:13:89:24 | new byte[] : byte[] | StaticInitializationVector.java:96:51:96:56 | ivSpec | A $@ should not be used for encryption. | StaticInitializationVector.java:89:13:89:24 | new byte[] | static initialization vector |
9+
edges
10+
| StaticInitializationVector.java:13:21:13:81 | new byte[] : byte[] | StaticInitializationVector.java:15:61:15:62 | iv : byte[] | provenance | |
11+
| StaticInitializationVector.java:15:35:15:63 | new GCMParameterSpec(...) : GCMParameterSpec | StaticInitializationVector.java:19:51:19:56 | ivSpec | provenance | Sink:MaD:45855 |
12+
| StaticInitializationVector.java:15:61:15:62 | iv : byte[] | StaticInitializationVector.java:15:35:15:63 | new GCMParameterSpec(...) : GCMParameterSpec | provenance | MaD:45875 |
13+
| StaticInitializationVector.java:26:21:26:32 | new byte[] : byte[] | StaticInitializationVector.java:28:61:28:62 | iv : byte[] | provenance | |
14+
| StaticInitializationVector.java:28:35:28:63 | new GCMParameterSpec(...) : GCMParameterSpec | StaticInitializationVector.java:32:51:32:56 | ivSpec | provenance | Sink:MaD:45855 |
15+
| StaticInitializationVector.java:28:61:28:62 | iv : byte[] | StaticInitializationVector.java:28:35:28:63 | new GCMParameterSpec(...) : GCMParameterSpec | provenance | MaD:45875 |
16+
| StaticInitializationVector.java:39:21:39:32 | new byte[] : byte[] | StaticInitializationVector.java:44:54:44:55 | iv : byte[] | provenance | |
17+
| StaticInitializationVector.java:44:34:44:56 | new IvParameterSpec(...) : IvParameterSpec | StaticInitializationVector.java:48:51:48:56 | ivSpec | provenance | Sink:MaD:45855 |
18+
| StaticInitializationVector.java:44:54:44:55 | iv : byte[] | StaticInitializationVector.java:44:34:44:56 | new IvParameterSpec(...) : IvParameterSpec | provenance | MaD:45874 |
19+
| StaticInitializationVector.java:55:30:58:9 | new byte[][] : byte[][] | StaticInitializationVector.java:60:61:60:72 | ...[...] : byte[] | provenance | |
20+
| StaticInitializationVector.java:60:35:60:73 | new GCMParameterSpec(...) : GCMParameterSpec | StaticInitializationVector.java:64:51:64:56 | ivSpec | provenance | Sink:MaD:45855 |
21+
| StaticInitializationVector.java:60:61:60:72 | ...[...] : byte[] | StaticInitializationVector.java:60:35:60:73 | new GCMParameterSpec(...) : GCMParameterSpec | provenance | MaD:45875 |
22+
| StaticInitializationVector.java:71:30:74:9 | new byte[][] : byte[][] | StaticInitializationVector.java:76:61:76:72 | ...[...] : byte[] | provenance | |
23+
| StaticInitializationVector.java:76:35:76:73 | new GCMParameterSpec(...) : GCMParameterSpec | StaticInitializationVector.java:80:51:80:56 | ivSpec | provenance | Sink:MaD:45855 |
24+
| StaticInitializationVector.java:76:61:76:72 | ...[...] : byte[] | StaticInitializationVector.java:76:35:76:73 | new GCMParameterSpec(...) : GCMParameterSpec | provenance | MaD:45875 |
25+
| StaticInitializationVector.java:87:24:90:9 | {...} : byte[][] [[]] : byte[] | StaticInitializationVector.java:92:61:92:63 | ivs : byte[][] [[]] : byte[] | provenance | |
26+
| StaticInitializationVector.java:88:13:88:23 | new byte[] : byte[] | StaticInitializationVector.java:87:24:90:9 | {...} : byte[][] [[]] : byte[] | provenance | |
27+
| StaticInitializationVector.java:89:13:89:24 | new byte[] : byte[] | StaticInitializationVector.java:87:24:90:9 | {...} : byte[][] [[]] : byte[] | provenance | |
28+
| StaticInitializationVector.java:92:35:92:67 | new GCMParameterSpec(...) : GCMParameterSpec | StaticInitializationVector.java:96:51:96:56 | ivSpec | provenance | Sink:MaD:45855 |
29+
| StaticInitializationVector.java:92:61:92:63 | ivs : byte[][] [[]] : byte[] | StaticInitializationVector.java:92:61:92:66 | ...[...] : byte[] | provenance | |
30+
| StaticInitializationVector.java:92:61:92:66 | ...[...] : byte[] | StaticInitializationVector.java:92:35:92:67 | new GCMParameterSpec(...) : GCMParameterSpec | provenance | MaD:45875 |
31+
| StaticInitializationVector.java:103:21:103:32 | new byte[] : byte[] | StaticInitializationVector.java:108:61:108:62 | iv : byte[] | provenance | |
32+
| StaticInitializationVector.java:108:35:108:63 | new GCMParameterSpec(...) : GCMParameterSpec | StaticInitializationVector.java:112:51:112:56 | ivSpec | provenance | Sink:MaD:45855 |
33+
| StaticInitializationVector.java:108:61:108:62 | iv : byte[] | StaticInitializationVector.java:108:35:108:63 | new GCMParameterSpec(...) : GCMParameterSpec | provenance | MaD:45875 |
34+
| StaticInitializationVector.java:120:21:120:32 | new byte[] : byte[] | StaticInitializationVector.java:125:61:125:62 | iv : byte[] | provenance | |
35+
| StaticInitializationVector.java:125:35:125:63 | new GCMParameterSpec(...) : GCMParameterSpec | StaticInitializationVector.java:129:51:129:56 | ivSpec | provenance | Sink:MaD:45855 |
36+
| StaticInitializationVector.java:125:61:125:62 | iv : byte[] | StaticInitializationVector.java:125:35:125:63 | new GCMParameterSpec(...) : GCMParameterSpec | provenance | MaD:45875 |
37+
| StaticInitializationVector.java:136:30:136:41 | new byte[] : byte[] | StaticInitializationVector.java:140:26:140:36 | randomBytes : byte[] | provenance | |
38+
| StaticInitializationVector.java:139:21:139:32 | new byte[] : byte[] | StaticInitializationVector.java:142:61:142:62 | iv : byte[] | provenance | |
39+
| StaticInitializationVector.java:140:26:140:36 | randomBytes : byte[] | StaticInitializationVector.java:140:42:140:43 | iv [post update] : byte[] | provenance | MaD:44199 |
40+
| StaticInitializationVector.java:140:42:140:43 | iv [post update] : byte[] | StaticInitializationVector.java:142:61:142:62 | iv : byte[] | provenance | |
41+
| StaticInitializationVector.java:142:35:142:63 | new GCMParameterSpec(...) : GCMParameterSpec | StaticInitializationVector.java:146:51:146:56 | ivSpec | provenance | Sink:MaD:45855 |
42+
| StaticInitializationVector.java:142:61:142:62 | iv : byte[] | StaticInitializationVector.java:142:35:142:63 | new GCMParameterSpec(...) : GCMParameterSpec | provenance | MaD:45875 |
43+
| StaticInitializationVector.java:172:30:172:43 | new byte[] : byte[] | StaticInitializationVector.java:174:16:174:26 | randomBytes : byte[] | provenance | |
44+
| StaticInitializationVector.java:174:16:174:26 | randomBytes : byte[] | StaticInitializationVector.java:179:21:179:32 | generate(...) : byte[] | provenance | |
45+
| StaticInitializationVector.java:179:21:179:32 | generate(...) : byte[] | StaticInitializationVector.java:181:54:181:55 | iv : byte[] | provenance | |
46+
| StaticInitializationVector.java:181:34:181:56 | new IvParameterSpec(...) : IvParameterSpec | StaticInitializationVector.java:185:51:185:56 | ivSpec | provenance | Sink:MaD:45855 |
47+
| StaticInitializationVector.java:181:54:181:55 | iv : byte[] | StaticInitializationVector.java:181:34:181:56 | new IvParameterSpec(...) : IvParameterSpec | provenance | MaD:45874 |
48+
nodes
49+
| StaticInitializationVector.java:13:21:13:81 | new byte[] : byte[] | semmle.label | new byte[] : byte[] |
50+
| StaticInitializationVector.java:15:35:15:63 | new GCMParameterSpec(...) : GCMParameterSpec | semmle.label | new GCMParameterSpec(...) : GCMParameterSpec |
51+
| StaticInitializationVector.java:15:61:15:62 | iv : byte[] | semmle.label | iv : byte[] |
52+
| StaticInitializationVector.java:19:51:19:56 | ivSpec | semmle.label | ivSpec |
53+
| StaticInitializationVector.java:26:21:26:32 | new byte[] : byte[] | semmle.label | new byte[] : byte[] |
54+
| StaticInitializationVector.java:28:35:28:63 | new GCMParameterSpec(...) : GCMParameterSpec | semmle.label | new GCMParameterSpec(...) : GCMParameterSpec |
55+
| StaticInitializationVector.java:28:61:28:62 | iv : byte[] | semmle.label | iv : byte[] |
56+
| StaticInitializationVector.java:32:51:32:56 | ivSpec | semmle.label | ivSpec |
57+
| StaticInitializationVector.java:39:21:39:32 | new byte[] : byte[] | semmle.label | new byte[] : byte[] |
58+
| StaticInitializationVector.java:44:34:44:56 | new IvParameterSpec(...) : IvParameterSpec | semmle.label | new IvParameterSpec(...) : IvParameterSpec |
59+
| StaticInitializationVector.java:44:54:44:55 | iv : byte[] | semmle.label | iv : byte[] |
60+
| StaticInitializationVector.java:48:51:48:56 | ivSpec | semmle.label | ivSpec |
61+
| StaticInitializationVector.java:55:30:58:9 | new byte[][] : byte[][] | semmle.label | new byte[][] : byte[][] |
62+
| StaticInitializationVector.java:60:35:60:73 | new GCMParameterSpec(...) : GCMParameterSpec | semmle.label | new GCMParameterSpec(...) : GCMParameterSpec |
63+
| StaticInitializationVector.java:60:61:60:72 | ...[...] : byte[] | semmle.label | ...[...] : byte[] |
64+
| StaticInitializationVector.java:64:51:64:56 | ivSpec | semmle.label | ivSpec |
65+
| StaticInitializationVector.java:71:30:74:9 | new byte[][] : byte[][] | semmle.label | new byte[][] : byte[][] |
66+
| StaticInitializationVector.java:76:35:76:73 | new GCMParameterSpec(...) : GCMParameterSpec | semmle.label | new GCMParameterSpec(...) : GCMParameterSpec |
67+
| StaticInitializationVector.java:76:61:76:72 | ...[...] : byte[] | semmle.label | ...[...] : byte[] |
68+
| StaticInitializationVector.java:80:51:80:56 | ivSpec | semmle.label | ivSpec |
69+
| StaticInitializationVector.java:87:24:90:9 | {...} : byte[][] [[]] : byte[] | semmle.label | {...} : byte[][] [[]] : byte[] |
70+
| StaticInitializationVector.java:88:13:88:23 | new byte[] : byte[] | semmle.label | new byte[] : byte[] |
71+
| StaticInitializationVector.java:89:13:89:24 | new byte[] : byte[] | semmle.label | new byte[] : byte[] |
72+
| StaticInitializationVector.java:92:35:92:67 | new GCMParameterSpec(...) : GCMParameterSpec | semmle.label | new GCMParameterSpec(...) : GCMParameterSpec |
73+
| StaticInitializationVector.java:92:61:92:63 | ivs : byte[][] [[]] : byte[] | semmle.label | ivs : byte[][] [[]] : byte[] |
74+
| StaticInitializationVector.java:92:61:92:66 | ...[...] : byte[] | semmle.label | ...[...] : byte[] |
75+
| StaticInitializationVector.java:96:51:96:56 | ivSpec | semmle.label | ivSpec |
76+
| StaticInitializationVector.java:103:21:103:32 | new byte[] : byte[] | semmle.label | new byte[] : byte[] |
77+
| StaticInitializationVector.java:108:35:108:63 | new GCMParameterSpec(...) : GCMParameterSpec | semmle.label | new GCMParameterSpec(...) : GCMParameterSpec |
78+
| StaticInitializationVector.java:108:61:108:62 | iv : byte[] | semmle.label | iv : byte[] |
79+
| StaticInitializationVector.java:112:51:112:56 | ivSpec | semmle.label | ivSpec |
80+
| StaticInitializationVector.java:120:21:120:32 | new byte[] : byte[] | semmle.label | new byte[] : byte[] |
81+
| StaticInitializationVector.java:125:35:125:63 | new GCMParameterSpec(...) : GCMParameterSpec | semmle.label | new GCMParameterSpec(...) : GCMParameterSpec |
82+
| StaticInitializationVector.java:125:61:125:62 | iv : byte[] | semmle.label | iv : byte[] |
83+
| StaticInitializationVector.java:129:51:129:56 | ivSpec | semmle.label | ivSpec |
84+
| StaticInitializationVector.java:136:30:136:41 | new byte[] : byte[] | semmle.label | new byte[] : byte[] |
85+
| StaticInitializationVector.java:139:21:139:32 | new byte[] : byte[] | semmle.label | new byte[] : byte[] |
86+
| StaticInitializationVector.java:140:26:140:36 | randomBytes : byte[] | semmle.label | randomBytes : byte[] |
87+
| StaticInitializationVector.java:140:42:140:43 | iv [post update] : byte[] | semmle.label | iv [post update] : byte[] |
88+
| StaticInitializationVector.java:142:35:142:63 | new GCMParameterSpec(...) : GCMParameterSpec | semmle.label | new GCMParameterSpec(...) : GCMParameterSpec |
89+
| StaticInitializationVector.java:142:61:142:62 | iv : byte[] | semmle.label | iv : byte[] |
90+
| StaticInitializationVector.java:146:51:146:56 | ivSpec | semmle.label | ivSpec |
91+
| StaticInitializationVector.java:172:30:172:43 | new byte[] : byte[] | semmle.label | new byte[] : byte[] |
92+
| StaticInitializationVector.java:174:16:174:26 | randomBytes : byte[] | semmle.label | randomBytes : byte[] |
93+
| StaticInitializationVector.java:179:21:179:32 | generate(...) : byte[] | semmle.label | generate(...) : byte[] |
94+
| StaticInitializationVector.java:181:34:181:56 | new IvParameterSpec(...) : IvParameterSpec | semmle.label | new IvParameterSpec(...) : IvParameterSpec |
95+
| StaticInitializationVector.java:181:54:181:55 | iv : byte[] | semmle.label | iv : byte[] |
96+
| StaticInitializationVector.java:185:51:185:56 | ivSpec | semmle.label | ivSpec |
97+
subpaths
