C++: respond to PR comments on InsufficientKeySize

rdmarsh2 · rdmarsh2 · commit 103796dfa875 · 2022-02-16T14:58:29.000-05:00
diff --git a/cpp/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql b/cpp/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
@@ -2,7 +2,7 @@
  * @name Use of a cryptographic algorithm with insufficient key size
  * @description Using cryptographic algorithms with too small a key size can
  *              allow an attacker to compromise security.
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @precision high
  * @id cpp/insufficient-key-size
@@ -43,13 +43,13 @@ class KeyStrengthFlow extends DataFlow::Configuration {
 }
 
 from
-  DataFlow::PathNode source, DataFlow::PathNode sink, KeyStrengthFlow conf, FunctionCall fc,
+  DataFlow::PathNode source, DataFlow::PathNode sink, KeyStrengthFlow conf, FunctionCall fc, int param,
   string name, int bits
 where
   conf.hasFlowPath(source, sink) and
-  sink.getNode().asExpr() = fc.getArgument(1) and
+  sink.getNode().asExpr() = fc.getArgument(param) and
   fc.getTarget().hasGlobalName(name) and
-  bits = getMinimumKeyStrength(name, _) and
+  bits = getMinimumKeyStrength(name, param) and
   source.getNode().asInstruction().(ConstantValueInstruction).getValue().toInt() < bits
 select fc, source, sink,
   "The key size $@ is less than the recommended key size of " + bits.toString() + " bits.", source,
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-326/InsufficientKeySize.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-326/InsufficientKeySize.expected
@@ -1,3 +1,3 @@
-| test.cpp:32:5:32:38 | call to EVP_PKEY_CTX_set_dsa_paramgen_bits | test.cpp:32:45:32:48 | 1024 | test.cpp:32:45:32:48 | 1024 | The key size $@ is insufficient for security | test.cpp:32:45:32:48 | 1024 | 1024 |
-| test.cpp:33:5:33:42 | call to EVP_PKEY_CTX_set_dh_paramgen_prime_len | test.cpp:33:49:33:52 | 1024 | test.cpp:33:49:33:52 | 1024 | The key size $@ is insufficient for security | test.cpp:33:49:33:52 | 1024 | 1024 |
-| test.cpp:35:5:35:36 | call to EVP_PKEY_CTX_set_rsa_keygen_bits | test.cpp:35:43:35:46 | 1024 | test.cpp:35:43:35:46 | 1024 | The key size $@ is insufficient for security | test.cpp:35:43:35:46 | 1024 | 1024 |
+| test.cpp:34:5:34:38 | call to EVP_PKEY_CTX_set_dsa_paramgen_bits | test.cpp:34:45:34:48 | 1024 | test.cpp:34:45:34:48 | 1024 | The key size $@ is less than the recommended key size of 2048 bits. | test.cpp:34:45:34:48 | 1024 | 1024 |
+| test.cpp:35:5:35:42 | call to EVP_PKEY_CTX_set_dh_paramgen_prime_len | test.cpp:35:49:35:52 | 1024 | test.cpp:35:49:35:52 | 1024 | The key size $@ is less than the recommended key size of 2048 bits. | test.cpp:35:49:35:52 | 1024 | 1024 |
+| test.cpp:37:5:37:36 | call to EVP_PKEY_CTX_set_rsa_keygen_bits | test.cpp:37:43:37:46 | 1024 | test.cpp:37:43:37:46 | 1024 | The key size $@ is less than the recommended key size of 2048 bits. | test.cpp:37:43:37:46 | 1024 | 1024 |
