This repository was archived by the owner on Feb 10, 2025. It is now read-only.
[DO NOT MERGE] Rules for generating a cryptographic footprint#1
Draft
- WIP rules for checking presence of cryptographic ciphers and functions
- Note that testing is iffy; the next commit will refactor testing, I just didn't want to clog up this commit with that.
- Tests apparently require the corresponding queries to be in a parallel query directory structure
- Run with "codeql test run tests/ --search-path=queries/" at the CryptographicFootprint directory
- Removed unnecessary imports on previous test and misc cleanup
- Continuation of a03c976 applied to the rest of the queries
- Also added check for single invocation without comment
- Also update disallowed password tests to correct for indentation error
- Goodbye jank test runs, hello codeql native tests
- No longer limited to existing CWE-327 data flow tracking, this now works on functions as they're being broadly called
- This introduces regex checks for the first time, adapted from the CWE-327 implementation
- Reusing that requires overwriting their type TCryptographicAlgorithm, but this may be a source of refactor later to combine, since CryptographicOperation is not necessary
- Minor cleanup and tweaks for hashing rules
- This would keep default query suites from seeing these rules as part of the codeql/go-queries
- Tests are now run at the go-queries level with the following command: codeql test run CryptographicFootprint/tests/ --search-path=.
- Tests are now run with the following from python-queries: codeql test run CryptographicFootprint/tests/ --search-path=.
- Introduces regex matching type to CryptoLibraries
- Also updated tests for the new Detected X from Y language
urnfdog
commented
Dec 6, 2023
WIP
These rules (attempts to) generate a listing of all cryptographic algorithms and ciphers used in a program. This can be used as a general summary or tweaked to become compliance rules for specific sets of issues.
Tests can be run with the following:

In go-queries/CryptographicFootprint/tests:
    go mod vendor
In go-queries:
    codeql test run CryptographicFootprint/tests/ --search-path=.

Currently, this provides a set of rules for Go as CWE-327 is still experimental.
Python already has a check for CWE-327 (BrokenCryptoAlgorithm.ql) that is likely to get tweaked and then pulled in, and one that is inclusive of ALL cryptographic operations detected, not just weak ones. Update: This is now in progress, and from those rules we now have .* regex matching. However, I'm not likely to extend that too far due to false positives.

TODOs
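The kind of footprint the description sketches, as an added stand-alone Python example; this is not the PR's CodeQL rules and not code from this repository. It walks a module's AST, resolves import aliases, matches each callee path against an assumed table of crypto libraries and a small set of assumed algorithm regexes, and reports every hit in the "Detected X from Y" form the commits mention, flagging the ones the page's CWE-327 lineage would call weak. The library table, the regexes and the constructed sample module are all assumptions for illustration.

```python
"""Toy cryptographic-footprint scanner for Python source (added example).

Not the PR's CodeQL rules: a plain-AST approximation of the same idea, used
to show what a "Detected <algorithm> from <library>" inventory looks like.
"""
import ast
import re

# Assumed library table: dotted-path prefix -> library label reported.
CRYPTO_LIBRARIES = {
    "hashlib": "hashlib",
    "hmac": "hmac",
    "Crypto.Cipher": "pycryptodome",
    "Crypto.Hash": "pycryptodome",
    "cryptography.hazmat.primitives": "cryptography",
}

# Assumed algorithm regexes over the resolved callee path; first match wins.
# Third field marks algorithms the CWE-327 family treats as broken/weak.
ALGORITHM_PATTERNS = [
    (re.compile(r"\bmd5\b", re.I), "MD5", True),
    (re.compile(r"\bsha1\b", re.I), "SHA-1", True),
    (re.compile(r"\bsha(224|256|384|512)\b", re.I), "SHA-2", False),
    (re.compile(r"\b(des3|tripledes)\b", re.I), "3DES", True),
    (re.compile(r"\bdes\b", re.I), "DES", True),
    (re.compile(r"\b(rc4|arc4)\b", re.I), "RC4", True),
    (re.compile(r"\baes\b", re.I), "AES", False),
    (re.compile(r"\bhmac\b", re.I), "HMAC", False),
]


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None  # e.g. a call on the result of another call
    parts.append(node.id)
    return ".".join(reversed(parts))


def _import_aliases(tree):
    """Map local names bound by import statements to their full module paths."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.asname:
                    aliases[a.asname] = a.name
                else:
                    head = a.name.split(".")[0]  # 'import a.b' binds 'a'
                    aliases[head] = head
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases


def _resolve(path, aliases):
    """Expand the first segment of a callee path through the import aliases."""
    head, _, rest = path.partition(".")
    full = aliases.get(head, head)
    return f"{full}.{rest}" if rest else full


def cryptographic_footprint(source, filename="<string>"):
    """Return one finding per call into a known crypto library, sorted by line.

    Only Call nodes are inspected, so constants such as AES.MODE_GCM and
    hash constructors passed as arguments are deliberately not counted.
    """
    tree = ast.parse(source, filename)
    aliases = _import_aliases(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        path = _dotted_name(node.func)
        if path is None:
            continue
        full = _resolve(path, aliases)
        library = next((label for prefix, label in CRYPTO_LIBRARIES.items()
                        if full == prefix or full.startswith(prefix + ".")), None)
        if library is None:
            continue
        algorithm, weak = "unclassified", False
        for pattern, name, is_weak in ALGORITHM_PATTERNS:
            if pattern.search(full):
                algorithm, weak = name, is_weak
                break
        findings.append({"line": node.lineno, "callee": full, "library": library,
                         "algorithm": algorithm, "weak": weak})
    findings.sort(key=lambda f: (f["line"], f["callee"]))
    return findings


def format_findings(findings):
    """Render findings in the 'Detected X from Y' style used by the rules."""
    return [f"{f['line']}: Detected {f['algorithm']} from {f['library']} ({f['callee']})"
            + (" [weak]" if f["weak"] else "") for f in findings]


# Constructed sample module (an assumption, not code from the repository).
SAMPLE_SOURCE = '''
import hashlib
from Crypto.Cipher import AES, DES
import hmac

def digest(data):
    return hashlib.md5(data).hexdigest()

def seal(key, data):
    cipher = AES.new(key, AES.MODE_GCM)
    return cipher.encrypt(data)

def legacy(key, data):
    return DES.new(key, DES.MODE_ECB).encrypt(data)

def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()
'''

if __name__ == "__main__":
    for line in format_findings(cryptographic_footprint(SAMPLE_SOURCE)):
        print(line)
```

Matching on the resolved callee path rather than on raw identifiers is what keeps the regexes narrow: a name only reaches the algorithm table after its import prefix has been confirmed as a crypto library, which is the same reason the description stops short of a broad `.*` match.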