Python: Make py/weak-cryptographic-algorithm a path-problem

RasmusWL · RasmusWL · commit 12bb05522ac0 · 2020-01-22T13:45:14.000+01:00
and stop using deprecated hasFlow
diff --git a/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql b/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql
@@ -1,14 +1,15 @@
 /**
  * @name Use of a broken or weak cryptographic algorithm
  * @description Using broken or weak cryptographic algorithms can compromise security.
- * @kind problem
+ * @kind path-problem
  * @problem.severity warning
  * @precision high
  * @id py/weak-cryptographic-algorithm
  * @tags security
  *       external/cwe/cwe-327
  */
 import python
+import semmle.python.security.Paths
 import semmle.python.security.SensitiveData
 import semmle.python.security.Crypto
 
@@ -25,7 +26,6 @@ class BrokenCryptoConfiguration extends TaintTracking::Configuration {
 }
 
 
-from BrokenCryptoConfiguration config, SensitiveDataSource src, WeakCryptoSink sink
-where config.hasFlow(src, sink)
-
-select sink, "Sensitive data from $@ is used in a broken or weak cryptographic algorithm.", src , src.toString()
+from BrokenCryptoConfiguration config, TaintedPathSource src, TaintedPathSink sink
+where config.hasFlowPath(src, sink)
+select sink.getSink(), src, sink, "$@ is used in a broken or weak cryptographic algorithm.", src.getSource(), "Sensitive data"
diff --git a/python/ql/test/query-tests/Security/CWE-327/BrokenCryptoAlgorithm.expected b/python/ql/test/query-tests/Security/CWE-327/BrokenCryptoAlgorithm.expected
@@ -1,2 +1,8 @@
-| test_cryptography.py:8:29:8:37 | Use of weak crypto algorithm | Sensitive data from $@ is used in a broken or weak cryptographic algorithm. | test_cryptography.py:5:17:5:30 | Taint source | Taint source |
-| test_pycrypto.py:7:27:7:35 | Use of weak crypto algorithm ARC4 | Sensitive data from $@ is used in a broken or weak cryptographic algorithm. | test_pycrypto.py:5:17:5:30 | Taint source | Taint source |
+edges
+| test_cryptography.py:5:17:5:30 | a password | test_cryptography.py:8:29:8:37 | a password |
+| test_cryptography.py:5:17:5:30 | a password | test_cryptography.py:8:29:8:37 | a password |
+| test_pycrypto.py:5:17:5:30 | a password | test_pycrypto.py:7:27:7:35 | a password |
+| test_pycrypto.py:5:17:5:30 | a password | test_pycrypto.py:7:27:7:35 | a password |
+#select
+| test_cryptography.py:8:29:8:37 | dangerous | test_cryptography.py:5:17:5:30 | a password | test_cryptography.py:8:29:8:37 | a password | $@ is used in a broken or weak cryptographic algorithm. | test_cryptography.py:5:17:5:30 | get_password() | Sensitive data |
+| test_pycrypto.py:7:27:7:35 | dangerous | test_pycrypto.py:5:17:5:30 | a password | test_pycrypto.py:7:27:7:35 | a password | $@ is used in a broken or weak cryptographic algorithm. | test_pycrypto.py:5:17:5:30 | get_password() | Sensitive data |
