Add Tests and update library

Author: GeekMasher

python/lib/github/cryptography/RandomNumberGenerator.qll

@@ -2,39 +2,39 @@ private import semmle.python.ApiGraphs
 private import semmle.python.Concepts
 private import semmle.python.dataflow.new.DataFlow
 
-abstract class RandomNumberGeneratorSinks extends DataFlow::Node { }
+module RandomNumberGenerator {
+  abstract class Sinks extends DataFlow::Node { }
 
-class OsRandom extends RandomNumberGeneratorSinks {
-  OsRandom() {
-    exists(DataFlow::Node call |
-      // https://docs.python.org/3/library/os.html#os.getrandom
-      call = API::moduleImport("os").getMember("getrandom").getACall() and
-      this = call
-    )
+  class OsRandom extends Sinks {
+    OsRandom() {
+      exists(DataFlow::Node call |
+        // https://docs.python.org/3/library/os.html#os.getrandom
+        call = API::moduleImport("os").getMember("getrandom").getACall() and
+        this = call
+      )
+    }
   }
-}
 
-class PyRandom extends RandomNumberGeneratorSinks {
-  PyRandom() {
-    exists(DataFlow::Node call |
-      (
+  class PyRandom extends Sinks {
+    PyRandom() {
+      exists(DataFlow::Node call |
+        // TODO: does `random.seed(_)` need to be static?
         // https://docs.python.org/3/library/random.html#random.random
-        call = API::moduleImport("random").getMember("random").getACall()
-        or
-        // https://docs.python.org/3/library/random.html#random.randbytes
-        call = API::moduleImport("random").getMember("randbytes").getACall()
-      ) and
-      this = call
-    )
+        call =
+          API::moduleImport("random")
+              .getMember(["random", "randrange", "randint", "randbytes"])
+              .getACall() and
+        this = call
+      )
+    }
   }
-}
 
-class PyUuid extends RandomNumberGeneratorSinks {
+  class PyUuid extends Sinks {
     PyUuid() {
-        exists(DataFlow::Node call |
-            call = API::moduleImport("uuid").getMember("uuid1").getACall() or
-            call = API::moduleImport("uuid").getMember("uuid3").getACall() and
-            this = call
-        )
+      exists(DataFlow::Node call |
+        call = API::moduleImport("uuid").getMember(["uuid1", "uuid3"]).getACall() and
+        this = call
+      )
     }
+  }
 }

python/src/security/CWE-338/WeakPRNG.ql

@@ -14,5 +14,5 @@
 import python
 import github.cryptography.RandomNumberGenerator
 
-from RandomNumberGeneratorSinks rngs
-select rngs.asExpr(), "Using weak PRNG"
+from RandomNumberGenerator::Sinks rngs
+select rngs, "Using weak PRNG"

python/test/security/CWE-338/WeakPRNG.expected

@@ -0,0 +1,7 @@
+| app.py:6:1:6:16 | ControlFlowNode for Attribute() | Using weak PRNG |
+| app.py:11:1:11:15 | ControlFlowNode for Attribute() | Using weak PRNG |
+| app.py:12:1:12:23 | ControlFlowNode for Attribute() | Using weak PRNG |
+| app.py:13:1:13:21 | ControlFlowNode for Attribute() | Using weak PRNG |
+| app.py:15:1:15:20 | ControlFlowNode for Attribute() | Using weak PRNG |
+| app.py:18:1:18:12 | ControlFlowNode for Attribute() | Using weak PRNG |
+| app.py:19:1:19:44 | ControlFlowNode for Attribute() | Using weak PRNG |

python/test/security/CWE-338/WeakPRNG.qlref

@@ -0,0 +1 @@
+security/CWE-338/WeakPRNG.ql

python/test/security/CWE-338/app.py

@@ -0,0 +1,21 @@
+import os
+import random
+import uuid
+
+# os module
+os.getrandom(10)
+
+# random module
+random.seed("8")
+
+random.random()
+random.randrange(0, 10)
+random.randint(0, 10)
+
+random.randbytes(10)
+
+# uuid module
+uuid.uuid1()
+uuid.uuid3(uuid.NAMESPACE_DNS, 'python.org')
+uuid.uuid4()
+uuid.uuid5(uuid.NAMESPACE_DNS, 'python.org')

python/test/security/CWE-338/options

@@ -0,0 +1 @@
+semmle-extractor-options: --max-import-depth=0