
Commit f45ea8c

committed
Make non-path query for encryption only
1 parent 6e6c476 commit f45ea8c

4 files changed

+216
-344
lines changed

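--- a/PATH_NOT_SHOWN_ON_PAGE.ql
+++ b/PATH_NOT_SHOWN_ON_PAGE.ql
@@ -1,21 +1,34 @@
 /**
 * @name Use of a broken or weak cryptographic algorithm
 * @description Using broken or weak cryptographic algorithms can compromise security.
-* @kind path-problem
+* @kind problem
 * @problem.severity warning
 * @security-severity 7.5
 * @precision high
-* @id go/weak-crypto-algorithm
+* @id go/weak-cryptographic-algorithm
 * @tags security
 * external/cwe/cwe-327
 * external/cwe/cwe-328
 */
 
 import go
 import semmle.go.security.BrokenCryptoAlgorithmQuery
-import BrokenCryptoAlgorithmFlow::PathGraph
 
-from BrokenCryptoAlgorithmFlow::PathNode source, BrokenCryptoAlgorithmFlow::PathNode sink
-where BrokenCryptoAlgorithmFlow::flowPath(source, sink)
-select sink.getNode(), source, sink, "$@ is used in a weak cryptographic algorithm.",
-source.getNode(), "Sensitive data"
+from Cryptography::CryptographicOperation operation, string msgPrefix, DataFlow::Node init
+where
+init = operation.getInitialization() and
+// `init` may be a `BlockModeInit`, a `EncryptionAlgorithmInit`, or `operation` itself.
+(
+not init instanceof BlockModeInit and
+exists(Cryptography::CryptographicAlgorithm algorithm |
+algorithm = operation.getAlgorithm() and
+algorithm.isWeak() and
+msgPrefix = "The cryptographic algorithm " + algorithm.getName() and
+not algorithm instanceof Cryptography::HashingAlgorithm
+)
+or
+not init instanceof EncryptionAlgorithmInit and
+operation.getBlockMode().isWeak() and
+msgPrefix = "The block mode " + operation.getBlockMode()
+)
+select operation, "$@ is broken or weak, and should not be used.", init, msgPrefix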
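Review bot: The block-mode branch builds its message by string-concatenating `operation.getBlockMode()` itself (`msgPrefix = "The block mode " + operation.getBlockMode()`), so the alert text depends on that class's `toString()`, whereas the algorithm branch deliberately goes through `algorithm.getName()`; if the block-mode class exposes an equivalent name accessor, using it here would keep the two messages consistent and stable across library changes. Changing `@kind` from `path-problem` to `problem` and renaming `@id` from `go/weak-crypto-algorithm` to `go/weak-cryptographic-algorithm` in the same commit means existing alerts under the old id will be closed and reopened as new ones, so a note in the change documentation (and a deprecation of the old id, if the project has that convention) is worth adding. The new query no longer requires sensitive data to reach the operation, so the `@description` and the accompanying help text should say that every use of a weak algorithm or block mode is reported, not only ones handling sensitive data. The expected-results file in this commit shows only DES, TRIPLEDES and RC4 algorithm findings, so the `operation.getBlockMode().isWeak()` branch does not appear to be exercised by the visible test output; presumably that is covered elsewhere among the other changed files, but it is worth confirming. The comment's "a `EncryptionAlgorithmInit`" should read "an `EncryptionAlgorithmInit`".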
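--- a/PATH_NOT_SHOWN_ON_PAGE.expected
+++ b/PATH_NOT_SHOWN_ON_PAGE.expected
@@ -1,83 +1,29 @@
-#select
-| Crypto.go:36:21:36:28 | password | Crypto.go:36:21:36:28 | password | Crypto.go:36:21:36:28 | password | $@ is used in a weak cryptographic algorithm. | Crypto.go:36:21:36:28 | password | Sensitive data |
-| Crypto.go:41:22:41:29 | password | Crypto.go:41:22:41:29 | password | Crypto.go:41:22:41:29 | password | $@ is used in a weak cryptographic algorithm. | Crypto.go:41:22:41:29 | password | Sensitive data |
-| Crypto.go:46:22:46:29 | password | Crypto.go:46:22:46:29 | password | Crypto.go:46:22:46:29 | password | $@ is used in a weak cryptographic algorithm. | Crypto.go:46:22:46:29 | password | Sensitive data |
-| Crypto.go:51:22:51:29 | password | Crypto.go:51:22:51:29 | password | Crypto.go:51:22:51:29 | password | $@ is used in a weak cryptographic algorithm. | Crypto.go:51:22:51:29 | password | Sensitive data |
-| Crypto.go:56:22:56:29 | password | Crypto.go:56:22:56:29 | password | Crypto.go:56:22:56:29 | password | $@ is used in a weak cryptographic algorithm. | Crypto.go:56:22:56:29 | password | Sensitive data |
-| Crypto.go:61:32:61:39 | password | Crypto.go:61:32:61:39 | password | Crypto.go:61:32:61:39 | password | $@ is used in a weak cryptographic algorithm. | Crypto.go:61:32:61:39 | password | Sensitive data |
-| Crypto.go:66:30:66:37 | password | Crypto.go:66:30:66:37 | password | Crypto.go:66:30:66:37 | password | $@ is used in a weak cryptographic algorithm. | Crypto.go:66:30:66:37 | password | Sensitive data |
-| Crypto.go:68:59:68:83 | call to NewReader | Crypto.go:68:75:68:82 | password | Crypto.go:68:59:68:83 | call to NewReader | $@ is used in a weak cryptographic algorithm. | Crypto.go:68:75:68:82 | password | Sensitive data |
-| Crypto.go:72:10:72:24 | ctrStreamWriter [postupdate] | Crypto.go:72:43:72:50 | password | Crypto.go:72:10:72:24 | ctrStreamWriter [postupdate] | $@ is used in a weak cryptographic algorithm. | Crypto.go:72:43:72:50 | password | Sensitive data |
-| Crypto.go:78:30:78:37 | password | Crypto.go:78:30:78:37 | password | Crypto.go:78:30:78:37 | password | $@ is used in a weak cryptographic algorithm. | Crypto.go:78:30:78:37 | password | Sensitive data |
-| Crypto.go:83:30:83:37 | password | Crypto.go:83:30:83:37 | password | Crypto.go:83:30:83:37 | password | $@ is used in a weak cryptographic algorithm. | Crypto.go:83:30:83:37 | password | Sensitive data |
-| Crypto.go:91:21:91:33 | call to getPassword | Crypto.go:91:21:91:33 | call to getPassword | Crypto.go:91:21:91:33 | call to getPassword | $@ is used in a weak cryptographic algorithm. | Crypto.go:91:21:91:33 | call to getPassword | Sensitive data |
-| Crypto.go:96:22:96:34 | call to getPassword | Crypto.go:96:22:96:34 | call to getPassword | Crypto.go:96:22:96:34 | call to getPassword | $@ is used in a weak cryptographic algorithm. | Crypto.go:96:22:96:34 | call to getPassword | Sensitive data |
-| Crypto.go:101:22:101:34 | call to getPassword | Crypto.go:101:22:101:34 | call to getPassword | Crypto.go:101:22:101:34 | call to getPassword | $@ is used in a weak cryptographic algorithm. | Crypto.go:101:22:101:34 | call to getPassword | Sensitive data |
-| Crypto.go:106:22:106:29 | password | Crypto.go:106:22:106:29 | password | Crypto.go:106:22:106:29 | password | $@ is used in a weak cryptographic algorithm. | Crypto.go:106:22:106:29 | password | Sensitive data |
-| Crypto.go:111:22:111:29 | password | Crypto.go:111:22:111:29 | password | Crypto.go:111:22:111:29 | password | $@ is used in a weak cryptographic algorithm. | Crypto.go:111:22:111:29 | password | Sensitive data |
-| Crypto.go:116:32:116:44 | call to getPassword | Crypto.go:116:32:116:44 | call to getPassword | Crypto.go:116:32:116:44 | call to getPassword | $@ is used in a weak cryptographic algorithm. | Crypto.go:116:32:116:44 | call to getPassword | Sensitive data |
-| Crypto.go:121:30:121:42 | call to getPassword | Crypto.go:121:30:121:42 | call to getPassword | Crypto.go:121:30:121:42 | call to getPassword | $@ is used in a weak cryptographic algorithm. | Crypto.go:121:30:121:42 | call to getPassword | Sensitive data |
-| Crypto.go:123:59:123:88 | call to NewReader | Crypto.go:123:75:123:87 | call to getPassword | Crypto.go:123:59:123:88 | call to NewReader | $@ is used in a weak cryptographic algorithm. | Crypto.go:123:75:123:87 | call to getPassword | Sensitive data |
-| Crypto.go:127:10:127:24 | ctrStreamWriter [postupdate] | Crypto.go:127:43:127:55 | call to getPassword | Crypto.go:127:10:127:24 | ctrStreamWriter [postupdate] | $@ is used in a weak cryptographic algorithm. | Crypto.go:127:43:127:55 | call to getPassword | Sensitive data |
-| Crypto.go:133:30:133:37 | password | Crypto.go:133:30:133:37 | password | Crypto.go:133:30:133:37 | password | $@ is used in a weak cryptographic algorithm. | Crypto.go:133:30:133:37 | password | Sensitive data |
-| Crypto.go:138:30:138:37 | password | Crypto.go:138:30:138:37 | password | Crypto.go:138:30:138:37 | password | $@ is used in a weak cryptographic algorithm. | Crypto.go:138:30:138:37 | password | Sensitive data |
-| Crypto.go:198:22:198:34 | call to getPassword | Crypto.go:198:22:198:34 | call to getPassword | Crypto.go:198:22:198:34 | call to getPassword | $@ is used in a weak cryptographic algorithm. | Crypto.go:198:22:198:34 | call to getPassword | Sensitive data |
-| Crypto.go:205:8:205:10 | buf | Crypto.go:202:9:202:16 | password | Crypto.go:205:8:205:10 | buf | $@ is used in a weak cryptographic algorithm. | Crypto.go:202:9:202:16 | password | Sensitive data |
-| Crypto.go:206:10:206:12 | buf | Crypto.go:202:9:202:16 | password | Crypto.go:206:10:206:12 | buf | $@ is used in a weak cryptographic algorithm. | Crypto.go:202:9:202:16 | password | Sensitive data |
-| Crypto.go:207:20:207:33 | passwordString | Crypto.go:207:20:207:33 | passwordString | Crypto.go:207:20:207:33 | passwordString | $@ is used in a weak cryptographic algorithm. | Crypto.go:207:20:207:33 | passwordString | Sensitive data |
-| Crypto.go:208:10:208:12 | buf | Crypto.go:202:9:202:16 | password | Crypto.go:208:10:208:12 | buf | $@ is used in a weak cryptographic algorithm. | Crypto.go:202:9:202:16 | password | Sensitive data |
-| Crypto.go:210:17:210:19 | buf | Crypto.go:202:9:202:16 | password | Crypto.go:210:17:210:19 | buf | $@ is used in a weak cryptographic algorithm. | Crypto.go:202:9:202:16 | password | Sensitive data |
-| Crypto.go:211:11:211:13 | buf | Crypto.go:202:9:202:16 | password | Crypto.go:211:11:211:13 | buf | $@ is used in a weak cryptographic algorithm. | Crypto.go:202:9:202:16 | password | Sensitive data |
-edges
-| Crypto.go:68:75:68:82 | password | Crypto.go:68:59:68:83 | call to NewReader | provenance | MaD:1 |
-| Crypto.go:72:27:72:51 | call to NewReader | Crypto.go:72:10:72:24 | ctrStreamWriter [postupdate] | provenance | MaD:2 |
-| Crypto.go:72:43:72:50 | password | Crypto.go:72:27:72:51 | call to NewReader | provenance | MaD:1 |
-| Crypto.go:123:75:123:87 | call to getPassword | Crypto.go:123:59:123:88 | call to NewReader | provenance | MaD:1 |
-| Crypto.go:127:27:127:56 | call to NewReader | Crypto.go:127:10:127:24 | ctrStreamWriter [postupdate] | provenance | MaD:2 |
-| Crypto.go:127:43:127:55 | call to getPassword | Crypto.go:127:27:127:56 | call to NewReader | provenance | MaD:1 |
-| Crypto.go:202:9:202:16 | password | Crypto.go:205:8:205:10 | buf | provenance | |
-| Crypto.go:202:9:202:16 | password | Crypto.go:206:10:206:12 | buf | provenance | |
-| Crypto.go:202:9:202:16 | password | Crypto.go:208:10:208:12 | buf | provenance | |
-| Crypto.go:202:9:202:16 | password | Crypto.go:210:17:210:19 | buf | provenance | |
-| Crypto.go:202:9:202:16 | password | Crypto.go:211:11:211:13 | buf | provenance | |
-models
-| 1 | Summary: bytes; ; false; NewReader; ; ; Argument[0]; ReturnValue; taint; manual |
-| 2 | Summary: io; ; false; Copy; ; ; Argument[1]; Argument[0]; taint; manual |
-nodes
-| Crypto.go:36:21:36:28 | password | semmle.label | password |
-| Crypto.go:41:22:41:29 | password | semmle.label | password |
-| Crypto.go:46:22:46:29 | password | semmle.label | password |
-| Crypto.go:51:22:51:29 | password | semmle.label | password |
-| Crypto.go:56:22:56:29 | password | semmle.label | password |
-| Crypto.go:61:32:61:39 | password | semmle.label | password |
-| Crypto.go:66:30:66:37 | password | semmle.label | password |
-| Crypto.go:68:59:68:83 | call to NewReader | semmle.label | call to NewReader |
-| Crypto.go:68:75:68:82 | password | semmle.label | password |
-| Crypto.go:72:10:72:24 | ctrStreamWriter [postupdate] | semmle.label | ctrStreamWriter [postupdate] |
-| Crypto.go:72:27:72:51 | call to NewReader | semmle.label | call to NewReader |
-| Crypto.go:72:43:72:50 | password | semmle.label | password |
-| Crypto.go:78:30:78:37 | password | semmle.label | password |
-| Crypto.go:83:30:83:37 | password | semmle.label | password |
-| Crypto.go:91:21:91:33 | call to getPassword | semmle.label | call to getPassword |
-| Crypto.go:96:22:96:34 | call to getPassword | semmle.label | call to getPassword |
-| Crypto.go:101:22:101:34 | call to getPassword | semmle.label | call to getPassword |
-| Crypto.go:106:22:106:29 | password | semmle.label | password |
-| Crypto.go:111:22:111:29 | password | semmle.label | password |
-| Crypto.go:116:32:116:44 | call to getPassword | semmle.label | call to getPassword |
-| Crypto.go:121:30:121:42 | call to getPassword | semmle.label | call to getPassword |
-| Crypto.go:123:59:123:88 | call to NewReader | semmle.label | call to NewReader |
-| Crypto.go:123:75:123:87 | call to getPassword | semmle.label | call to getPassword |
-| Crypto.go:127:10:127:24 | ctrStreamWriter [postupdate] | semmle.label | ctrStreamWriter [postupdate] |
-| Crypto.go:127:27:127:56 | call to NewReader | semmle.label | call to NewReader |
-| Crypto.go:127:43:127:55 | call to getPassword | semmle.label | call to getPassword |
-| Crypto.go:133:30:133:37 | password | semmle.label | password |
-| Crypto.go:138:30:138:37 | password | semmle.label | password |
-| Crypto.go:198:22:198:34 | call to getPassword | semmle.label | call to getPassword |
-| Crypto.go:202:9:202:16 | password | semmle.label | password |
-| Crypto.go:205:8:205:10 | buf | semmle.label | buf |
-| Crypto.go:206:10:206:12 | buf | semmle.label | buf |
-| Crypto.go:207:20:207:33 | passwordString | semmle.label | passwordString |
-| Crypto.go:208:10:208:12 | buf | semmle.label | buf |
-| Crypto.go:210:17:210:19 | buf | semmle.label | buf |
-| Crypto.go:211:11:211:13 | buf | semmle.label | buf |
-subpaths
+| encryption.go:30:2:30:36 | call to Encrypt | $@ is broken or weak, and should not be used. | encryption.go:28:2:28:31 | ... := ...[0] | The cryptographic algorithm DES |
+| encryption.go:34:2:34:42 | call to Seal | $@ is broken or weak, and should not be used. | encryption.go:28:2:28:31 | ... := ...[0] | The cryptographic algorithm DES |
+| encryption.go:38:2:38:42 | call to Seal | $@ is broken or weak, and should not be used. | encryption.go:28:2:28:31 | ... := ...[0] | The cryptographic algorithm DES |
+| encryption.go:42:2:42:42 | call to Seal | $@ is broken or weak, and should not be used. | encryption.go:28:2:28:31 | ... := ...[0] | The cryptographic algorithm DES |
+| encryption.go:46:2:46:42 | call to Seal | $@ is broken or weak, and should not be used. | encryption.go:28:2:28:31 | ... := ...[0] | The cryptographic algorithm DES |
+| encryption.go:50:2:50:47 | call to CryptBlocks | $@ is broken or weak, and should not be used. | encryption.go:28:2:28:31 | ... := ...[0] | The cryptographic algorithm DES |
+| encryption.go:54:2:54:45 | call to XORKeyStream | $@ is broken or weak, and should not be used. | encryption.go:28:2:28:31 | ... := ...[0] | The cryptographic algorithm DES |
+| encryption.go:56:22:56:91 | struct literal | $@ is broken or weak, and should not be used. | encryption.go:28:2:28:31 | ... := ...[0] | The cryptographic algorithm DES |
+| encryption.go:59:21:59:68 | &... [postupdate] | $@ is broken or weak, and should not be used. | encryption.go:28:2:28:31 | ... := ...[0] | The cryptographic algorithm DES |
+| encryption.go:59:22:59:68 | struct literal | $@ is broken or weak, and should not be used. | encryption.go:28:2:28:31 | ... := ...[0] | The cryptographic algorithm DES |
+| encryption.go:59:22:59:68 | struct literal [postupdate] | $@ is broken or weak, and should not be used. | encryption.go:28:2:28:31 | ... := ...[0] | The cryptographic algorithm DES |
+| encryption.go:60:10:60:24 | ctrStreamWriter [postupdate] | $@ is broken or weak, and should not be used. | encryption.go:28:2:28:31 | ... := ...[0] | The cryptographic algorithm DES |
+| encryption.go:65:2:65:45 | call to XORKeyStream | $@ is broken or weak, and should not be used. | encryption.go:28:2:28:31 | ... := ...[0] | The cryptographic algorithm DES |
+| encryption.go:69:2:69:45 | call to XORKeyStream | $@ is broken or weak, and should not be used. | encryption.go:28:2:28:31 | ... := ...[0] | The cryptographic algorithm DES |
+| encryption.go:76:2:76:32 | call to Encrypt | $@ is broken or weak, and should not be used. | encryption.go:74:2:74:40 | ... := ...[0] | The cryptographic algorithm TRIPLEDES |
+| encryption.go:80:2:80:38 | call to Seal | $@ is broken or weak, and should not be used. | encryption.go:74:2:74:40 | ... := ...[0] | The cryptographic algorithm TRIPLEDES |
+| encryption.go:84:2:84:38 | call to Seal | $@ is broken or weak, and should not be used. | encryption.go:74:2:74:40 | ... := ...[0] | The cryptographic algorithm TRIPLEDES |
+| encryption.go:88:2:88:42 | call to Seal | $@ is broken or weak, and should not be used. | encryption.go:74:2:74:40 | ... := ...[0] | The cryptographic algorithm TRIPLEDES |
+| encryption.go:92:2:92:42 | call to Seal | $@ is broken or weak, and should not be used. | encryption.go:74:2:74:40 | ... := ...[0] | The cryptographic algorithm TRIPLEDES |
+| encryption.go:96:2:96:43 | call to CryptBlocks | $@ is broken or weak, and should not be used. | encryption.go:74:2:74:40 | ... := ...[0] | The cryptographic algorithm TRIPLEDES |
+| encryption.go:100:2:100:41 | call to XORKeyStream | $@ is broken or weak, and should not be used. | encryption.go:74:2:74:40 | ... := ...[0] | The cryptographic algorithm TRIPLEDES |
+| encryption.go:102:22:102:87 | struct literal | $@ is broken or weak, and should not be used. | encryption.go:74:2:74:40 | ... := ...[0] | The cryptographic algorithm TRIPLEDES |
+| encryption.go:105:21:105:68 | &... [postupdate] | $@ is broken or weak, and should not be used. | encryption.go:74:2:74:40 | ... := ...[0] | The cryptographic algorithm TRIPLEDES |
+| encryption.go:105:22:105:68 | struct literal | $@ is broken or weak, and should not be used. | encryption.go:74:2:74:40 | ... := ...[0] | The cryptographic algorithm TRIPLEDES |
+| encryption.go:105:22:105:68 | struct literal [postupdate] | $@ is broken or weak, and should not be used. | encryption.go:74:2:74:40 | ... := ...[0] | The cryptographic algorithm TRIPLEDES |
+| encryption.go:106:10:106:24 | ctrStreamWriter [postupdate] | $@ is broken or weak, and should not be used. | encryption.go:74:2:74:40 | ... := ...[0] | The cryptographic algorithm TRIPLEDES |
+| encryption.go:111:2:111:45 | call to XORKeyStream | $@ is broken or weak, and should not be used. | encryption.go:74:2:74:40 | ... := ...[0] | The cryptographic algorithm TRIPLEDES |
+| encryption.go:115:2:115:45 | call to XORKeyStream | $@ is broken or weak, and should not be used. | encryption.go:74:2:74:40 | ... := ...[0] | The cryptographic algorithm TRIPLEDES |
+| encryption.go:166:2:166:33 | call to XORKeyStream | $@ is broken or weak, and should not be used. | encryption.go:166:2:166:33 | call to XORKeyStream | The cryptographic algorithm RC4 |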
