Crypto: Add Java cryptographic check queries #20568
+218
−1
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| /** | ||
| * @name Insecure nonce at a cipher operation | ||
| * @id java/quantum/insecure-nonce | ||
| * @description A nonce is generated from a source that is not secure. This can lead to | ||
| * vulnerabilities such as replay attacks or key recovery. | ||
| * @kind problem | ||
| * @problem.severity error | ||
| * @precision high | ||
| * @tags quantum | ||
| * experimental | ||
| */ | ||
|
|
||
| import experimental.quantum.Language | ||
|
|
||
| predicate isInsecureNonceSource(Crypto::NonceArtifactNode n, Crypto::NodeBase src) { | ||
| src = n.getSourceNode() and | ||
| not src.asElement() instanceof SecureRandomnessInstance | ||
| } | ||
|
|
||
| from Crypto::KeyOperationNode op, Crypto::NodeBase src | ||
| where isInsecureNonceSource(op.getANonce(), src) | ||
| select op, "Operation uses insecure nonce source $@", src, src.toString() |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| /** | ||
| * @name Cipher not AES-GCM mode | ||
| * @id java/quantum/non-aes-gcm | ||
| * @description An AES cipher is in use without GCM | ||
| * @kind problem | ||
| * @problem.severity error | ||
| * @precision high | ||
| * @tags quantum | ||
| * experimental | ||
| */ | ||
|
|
||
| import experimental.quantum.Language | ||
|
|
||
| class NonAESGCMAlgorithmNode extends Crypto::KeyOperationAlgorithmNode { | ||
| NonAESGCMAlgorithmNode() { | ||
| this.getAlgorithmType() = Crypto::KeyOpAlg::TSymmetricCipher(Crypto::KeyOpAlg::AES()) and | ||
| this.getModeOfOperation().getModeType() != Crypto::KeyOpAlg::GCM() | ||
| } | ||
| } | ||
|
|
||
| from Crypto::KeyOperationNode op, Crypto::KeyOperationOutputNode codeNode | ||
| where op.getAKnownAlgorithm() instanceof NonAESGCMAlgorithmNode and | ||
| codeNode = op.getAnOutputArtifact() | ||
| select op, "Non-AES-GCM instance." | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| /** | ||
| * @name Reuse of cryptographic nonce | ||
| * @description Reuse of nonce in cryptographic operations can lead to vulnerabilities. | ||
| * @id java/quantum/reused-nonce | ||
| * @kind problem | ||
| * @problem.severity error | ||
| * @precision medium | ||
| * @tags quantum | ||
| * experimental | ||
| */ | ||
|
|
||
| import java | ||
| import ArtifactReuse | ||
|
|
||
| from Crypto::NonceArtifactNode nonce1, Crypto::NonceArtifactNode nonce2 | ||
| where isArtifactReuse(nonce1, nonce2) | ||
| select nonce1, "Reuse with nonce $@", nonce2, nonce2.toString() |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,24 @@ | ||||||
| /** | ||||||
| * @name Weak Asymetric Key Size | ||||||
|
There was a problem hiding this comment. Corrected spelling of 'Asymetric' to 'Asymmetric'.
Suggested change
Copilot uses AI. Check for mistakes. |
||||||
| * @id java/quantum/weak-asymmetric-key-size | ||||||
| * @description An asymmetric cipher with a short key size is in use | ||||||
| * @kind problem | ||||||
| * @problem.severity error | ||||||
| * @precision high | ||||||
| * @tags quantum | ||||||
| * experimental | ||||||
| */ | ||||||
|
|
||||||
| import java | ||||||
| import experimental.quantum.Language | ||||||
|
|
||||||
| from Crypto::KeyOperationAlgorithmNode op, DataFlow::Node configSrc, int keySize, string algName | ||||||
| where | ||||||
| keySize = op.getKeySizeFixed() and | ||||||
| keySize < 2048 and | ||||||
| algName = op.getAlgorithmName() and | ||||||
| // Can't be an elliptic curve | ||||||
| not Crypto::isEllipticCurveAlgorithmName(algName) | ||||||
| select op, | ||||||
| "Use of weak asymmetric key size (int bits)" + keySize.toString() + " for algorithm " + | ||||||
|
There was a problem hiding this comment. The error message formatting is unclear. '(int bits)' should be '(' + keySize.toString() + ' bits)' for proper readability.
Suggested change
Copilot uses AI. Check for mistakes. |
||||||
| algName.toString() + " at config source $@", configSrc, configSrc.toString() | ||||||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| /** | ||
| * @name Weak AES Block mode | ||
| * @id java/quantum/weak-block-modes | ||
| * @description An AES cipher is in use with an insecure block mode | ||
| * @kind problem | ||
| * @problem.severity error | ||
| * @precision high | ||
| * @tags quantum | ||
| * experimental | ||
| */ | ||
|
|
||
| import java | ||
| import experimental.quantum.Language | ||
|
|
||
| class WeakAESBlockModeAlgNode extends Crypto::KeyOperationAlgorithmNode { | ||
| WeakAESBlockModeAlgNode() { | ||
| this.getAlgorithmType() = Crypto::KeyOpAlg::TSymmetricCipher(Crypto::KeyOpAlg::AES()) and | ||
| (this.getModeOfOperation().getModeType() = Crypto::KeyOpAlg::ECB() or | ||
| this.getModeOfOperation().getModeType() = Crypto::KeyOpAlg::CFB() or | ||
| this.getModeOfOperation().getModeType() = Crypto::KeyOpAlg::OFB() or | ||
| this.getModeOfOperation().getModeType() = Crypto::KeyOpAlg::CTR() | ||
| ) | ||
| } | ||
| } | ||
|
|
||
| from Crypto::KeyOperationNode op, Crypto::KeyOperationOutputNode codeNode | ||
| where op.getAKnownAlgorithm() instanceof WeakAESBlockModeAlgNode and | ||
| codeNode = op.getAnOutputArtifact() | ||
| select op, "Weak AES block mode instance." |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| /** | ||
| * @name Weak hashes | ||
| * @description Finds uses of cryptographic hashing algorithms that are unapproved or otherwise weak. | ||
| * @id java/quantum/slices/weak-hashes | ||
| * @kind problem | ||
| * @problem.severity error | ||
| * @precision high | ||
| * @tags external/cwe/cwe-327 | ||
|
There was a problem hiding this comment. This needs |
||
| */ | ||
|
|
||
| import java | ||
| import experimental.quantum.Language | ||
|
|
||
| from Crypto::HashAlgorithmNode alg, string name, string msg | ||
| where | ||
| name = alg.getAlgorithmName() and | ||
| not name in ["SHA256", "SHA384", "SHA512", "SHA-256", "SHA-384", "SHA-512"] and | ||
|
There was a problem hiding this comment. Like the comment on symmetric algorithms, the hash family and hash digest size should be used rather than string comparisons. The appropriate predicates/classes to use would be Typing this out also makes me realize we need to standardize those predicate and class names... |
||
| msg = "Use of unapproved hash algorithm or API " + name + "." | ||
| select alg, msg | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| /** | ||
| * @name Weak known key derivation function iteration count | ||
| * @description Detects key derivation operations with a known weak iteration count. | ||
| * @id java/quantum/weak-kdf-iteration-count | ||
| * @kind problem | ||
| * @problem.severity error | ||
| * @precision high | ||
| * @tags quantum | ||
| * experimental | ||
| */ | ||
|
|
||
| import java | ||
| import experimental.quantum.Language | ||
|
|
||
| from Crypto::KeyDerivationOperationNode op, Literal l | ||
| where | ||
| op.getIterationCount().asElement() = l and | ||
| l.getValue().toInt() < 100000 | ||
| select op, "Key derivation operation configures iteration count below 100k: $@", l, | ||
| l.getValue().toString() |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| /** | ||
| * @name Weak known key derivation function output length | ||
| * @description Detects key derivation operations with a known weak output length | ||
| * @id java/quantum/weak-kdf-iteration-count | ||
| * @kind problem | ||
| * @problem.severity error | ||
| * @precision high | ||
| * @tags quantum | ||
| * experimental | ||
| */ | ||
|
|
||
| import java | ||
| import experimental.quantum.Language | ||
|
|
||
| from Crypto::KeyDerivationOperationNode op, Literal l | ||
| where | ||
| op.getOutputKeySize().asElement() = l and | ||
| l.getValue().toInt() < 256 | ||
| select op, "Key derivation operation configures output key length below 256: $@", l, | ||
| l.getValue().toString() | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| /** | ||
| * @name Cipher is Weak RSA Implementation | ||
| * @id java/quantum/weak-rsa | ||
| * @description RSA with a key length <2048 found | ||
| * @kind problem | ||
| * @problem.severity error | ||
| * @precision high | ||
| * @tags quantum | ||
| * experimental | ||
| */ | ||
|
|
||
| import experimental.quantum.Language | ||
|
|
||
| class WeakRSAAlgorithmNode extends Crypto::KeyOperationAlgorithmNode { | ||
Check warningCode scanning / CodeQL Acronyms should be PascalCase/camelCase. Warning |
||
| WeakRSAAlgorithmNode() { | ||
| this.getAlgorithmType() = Crypto::KeyOpAlg::TAsymmetricCipher(Crypto::KeyOpAlg::RSA()) and | ||
| this.getKeySizeFixed() < 2048 | ||
| } | ||
| } | ||
|
|
||
| from Crypto::KeyOperationNode op, string message | ||
| where op.getAKnownAlgorithm() instanceof WeakRSAAlgorithmNode and | ||
| message = "Weak RSA instance found with key length <2048" | ||
| select op, message | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| /** | ||
| * @name Weak symmetric ciphers | ||
| * @description Finds uses of cryptographic symmetric cipher algorithms that are unapproved or otherwise weak. | ||
| * @id java/quantum/slices/weak-ciphers | ||
| * @kind problem | ||
| * @problem.severity error | ||
| * @precision high | ||
| * @tags external/cwe/cwe-327 | ||
|
There was a problem hiding this comment. This needs |
||
| */ | ||
|
|
||
| import java | ||
| import experimental.quantum.Language | ||
|
|
||
| from Crypto::KeyOperationAlgorithmNode alg, string name, string msg | ||
| where | ||
| name = alg.getAlgorithmName() and | ||
| name in ["DES", "TripleDES", "DoubleDES", "RC2", "RC4", "IDEA", "Blowfish"] and | ||
|
There was a problem hiding this comment. Rather than comparing name strings, the standardized types in Crypto::KeyOpAlg should be compared against |
||
| msg = "Use of unapproved symmetric cipher algorithm or API: " + name + "." | ||
| select alg, msg | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's not actually we want we want, chatting with @nicolaswill in a side channel, so disregard.