Merge pull request #16482 from grakshith/rakshith/tune-java-crypto

Java: Add RSA/ECB/OEAP ciphers to the list of secure algorithms
github · Jun 10, 2024 · 7336dd1 · 7336dd1
2 parents 7ecf1f9 + 798a736
commit 7336dd1
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 0 deletions.
diff --git a/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll b/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll
@@ -15,6 +15,8 @@ private class ShortStringLiteral extends StringLiteral {
 class BrokenAlgoLiteral extends ShortStringLiteral {
   BrokenAlgoLiteral() {
     this.getValue().regexpMatch(getInsecureAlgorithmRegex()) and
+    // Exclude RSA/ECB/.* ciphers.
+    not this.getValue().regexpMatch("RSA/ECB.*") and
     // Exclude German and French sentences.
     not this.getValue().regexpMatch(".*\\p{IsLowercase} des \\p{IsLetter}.*")
   }

diff --git a/java/ql/src/change-notes/2024-05-13-rsa-ecb-secure.md b/java/ql/src/change-notes/2024-05-13-rsa-ecb-secure.md
@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* The query `java/weak-cryptographic-algorithm` no longer alerts about `RSA/ECB` algorithm strings.