This repository was archived by the owner on Jan 5, 2023. It is now read-only.

Commit 2751552

committed
Insecure-TLS: Reintroduce tests for InsecureCipherSuites()
These stopped producing an alert because they used a variable name that acknowledges an insecure setup
1 parent db97600 commit 2751552


2 files changed

+22
-19
lines changed


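--- a/ql/test/experimental/CWE-327/UnsafeTLS.expected
+++ b/ql/test/experimental/CWE-327/UnsafeTLS.expected
@@ -14,18 +14,18 @@ edges
 | UnsafeTLS.go:305:5:305:47 | selection of TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 : uint16 | UnsafeTLS.go:304:18:306:4 | slice literal |
 | UnsafeTLS.go:313:5:313:45 | selection of TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 : uint16 | UnsafeTLS.go:312:18:314:4 | slice literal |
 | UnsafeTLS.go:329:53:329:93 | selection of TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 : uint16 | UnsafeTLS.go:329:25:329:94 | call to append |
-| UnsafeTLS.go:334:21:334:46 | call to InsecureCipherSuites : slice type | UnsafeTLS.go:336:26:336:58 | call to append |
-| UnsafeTLS.go:334:21:334:46 | call to InsecureCipherSuites : slice type | UnsafeTLS.go:336:54:336:54 | implicit dereference : CipherSuite |
+| UnsafeTLS.go:334:13:334:38 | call to InsecureCipherSuites : slice type | UnsafeTLS.go:336:26:336:58 | call to append |
+| UnsafeTLS.go:334:13:334:38 | call to InsecureCipherSuites : slice type | UnsafeTLS.go:336:54:336:54 | implicit dereference : CipherSuite |
 | UnsafeTLS.go:336:54:336:54 | implicit dereference : CipherSuite | UnsafeTLS.go:336:26:336:58 | call to append |
 | UnsafeTLS.go:336:54:336:54 | implicit dereference : CipherSuite | UnsafeTLS.go:336:54:336:54 | implicit dereference : CipherSuite |
-| UnsafeTLS.go:342:21:342:46 | call to InsecureCipherSuites : slice type | UnsafeTLS.go:344:40:344:40 | implicit dereference : CipherSuite |
-| UnsafeTLS.go:342:21:342:46 | call to InsecureCipherSuites : slice type | UnsafeTLS.go:346:25:346:36 | cipherSuites |
+| UnsafeTLS.go:342:13:342:38 | call to InsecureCipherSuites : slice type | UnsafeTLS.go:344:40:344:40 | implicit dereference : CipherSuite |
+| UnsafeTLS.go:342:13:342:38 | call to InsecureCipherSuites : slice type | UnsafeTLS.go:346:25:346:36 | cipherSuites |
 | UnsafeTLS.go:344:40:344:40 | implicit dereference : CipherSuite | UnsafeTLS.go:344:40:344:40 | implicit dereference : CipherSuite |
 | UnsafeTLS.go:344:40:344:40 | implicit dereference : CipherSuite | UnsafeTLS.go:346:25:346:36 | cipherSuites |
-| UnsafeTLS.go:351:21:351:46 | call to InsecureCipherSuites : slice type | UnsafeTLS.go:353:40:353:56 | implicit dereference : CipherSuite |
-| UnsafeTLS.go:351:21:351:46 | call to InsecureCipherSuites : slice type | UnsafeTLS.go:355:25:355:36 | cipherSuites |
-| UnsafeTLS.go:353:40:353:56 | implicit dereference : CipherSuite | UnsafeTLS.go:353:40:353:56 | implicit dereference : CipherSuite |
-| UnsafeTLS.go:353:40:353:56 | implicit dereference : CipherSuite | UnsafeTLS.go:355:25:355:36 | cipherSuites |
+| UnsafeTLS.go:351:13:351:38 | call to InsecureCipherSuites : slice type | UnsafeTLS.go:353:40:353:48 | implicit dereference : CipherSuite |
+| UnsafeTLS.go:351:13:351:38 | call to InsecureCipherSuites : slice type | UnsafeTLS.go:355:25:355:36 | cipherSuites |
+| UnsafeTLS.go:353:40:353:48 | implicit dereference : CipherSuite | UnsafeTLS.go:353:40:353:48 | implicit dereference : CipherSuite |
+| UnsafeTLS.go:353:40:353:48 | implicit dereference : CipherSuite | UnsafeTLS.go:355:25:355:36 | cipherSuites |
 | UnsafeTLS.go:363:5:363:47 | selection of TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 : uint16 | UnsafeTLS.go:362:18:364:4 | slice literal |
 | UnsafeTLS.go:371:5:371:47 | selection of TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 : uint16 | UnsafeTLS.go:370:18:372:4 | slice literal |
 | UnsafeTLS.go:379:5:379:47 | selection of TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 : uint16 | UnsafeTLS.go:378:18:380:4 | slice literal |
@@ -101,14 +101,14 @@ nodes
 | UnsafeTLS.go:313:5:313:45 | selection of TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 : uint16 | semmle.label | selection of TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 : uint16 |
 | UnsafeTLS.go:329:25:329:94 | call to append | semmle.label | call to append |
 | UnsafeTLS.go:329:53:329:93 | selection of TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 : uint16 | semmle.label | selection of TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 : uint16 |
-| UnsafeTLS.go:334:21:334:46 | call to InsecureCipherSuites : slice type | semmle.label | call to InsecureCipherSuites : slice type |
+| UnsafeTLS.go:334:13:334:38 | call to InsecureCipherSuites : slice type | semmle.label | call to InsecureCipherSuites : slice type |
 | UnsafeTLS.go:336:26:336:58 | call to append | semmle.label | call to append |
 | UnsafeTLS.go:336:54:336:54 | implicit dereference : CipherSuite | semmle.label | implicit dereference : CipherSuite |
-| UnsafeTLS.go:342:21:342:46 | call to InsecureCipherSuites : slice type | semmle.label | call to InsecureCipherSuites : slice type |
+| UnsafeTLS.go:342:13:342:38 | call to InsecureCipherSuites : slice type | semmle.label | call to InsecureCipherSuites : slice type |
 | UnsafeTLS.go:344:40:344:40 | implicit dereference : CipherSuite | semmle.label | implicit dereference : CipherSuite |
 | UnsafeTLS.go:346:25:346:36 | cipherSuites | semmle.label | cipherSuites |
-| UnsafeTLS.go:351:21:351:46 | call to InsecureCipherSuites : slice type | semmle.label | call to InsecureCipherSuites : slice type |
-| UnsafeTLS.go:353:40:353:56 | implicit dereference : CipherSuite | semmle.label | implicit dereference : CipherSuite |
+| UnsafeTLS.go:351:13:351:38 | call to InsecureCipherSuites : slice type | semmle.label | call to InsecureCipherSuites : slice type |
+| UnsafeTLS.go:353:40:353:48 | implicit dereference : CipherSuite | semmle.label | implicit dereference : CipherSuite |
 | UnsafeTLS.go:355:25:355:36 | cipherSuites | semmle.label | cipherSuites |
 | UnsafeTLS.go:362:18:364:4 | slice literal | semmle.label | slice literal |
 | UnsafeTLS.go:363:5:363:47 | selection of TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 : uint16 | semmle.label | selection of TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 : uint16 |
@@ -165,6 +165,9 @@ nodes
 | UnsafeTLS.go:304:18:306:4 | slice literal | UnsafeTLS.go:305:5:305:47 | selection of TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 : uint16 | UnsafeTLS.go:304:18:306:4 | slice literal | Use of an insecure cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256. |
 | UnsafeTLS.go:312:18:314:4 | slice literal | UnsafeTLS.go:313:5:313:45 | selection of TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 : uint16 | UnsafeTLS.go:312:18:314:4 | slice literal | Use of an insecure cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256. |
 | UnsafeTLS.go:329:25:329:94 | call to append | UnsafeTLS.go:329:53:329:93 | selection of TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 : uint16 | UnsafeTLS.go:329:25:329:94 | call to append | Use of an insecure cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256. |
+| UnsafeTLS.go:336:26:336:58 | call to append | UnsafeTLS.go:334:13:334:38 | call to InsecureCipherSuites : slice type | UnsafeTLS.go:336:26:336:58 | call to append | Use of an insecure cipher suite. |
+| UnsafeTLS.go:346:25:346:36 | cipherSuites | UnsafeTLS.go:342:13:342:38 | call to InsecureCipherSuites : slice type | UnsafeTLS.go:346:25:346:36 | cipherSuites | Use of an insecure cipher suite. |
+| UnsafeTLS.go:355:25:355:36 | cipherSuites | UnsafeTLS.go:351:13:351:38 | call to InsecureCipherSuites : slice type | UnsafeTLS.go:355:25:355:36 | cipherSuites | Use of an insecure cipher suite. |
 | UnsafeTLS.go:362:18:364:4 | slice literal | UnsafeTLS.go:363:5:363:47 | selection of TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 : uint16 | UnsafeTLS.go:362:18:364:4 | slice literal | Use of an insecure cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256. |
 | UnsafeTLS.go:432:19:434:5 | slice literal | UnsafeTLS.go:433:6:433:48 | selection of TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 : uint16 | UnsafeTLS.go:432:19:434:5 | slice literal | Use of an insecure cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256. |
 | UnsafeTLS.go:456:19:458:5 | slice literal | UnsafeTLS.go:457:6:457:48 | selection of TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 : uint16 | UnsafeTLS.go:456:19:458:5 | slice literal | Use of an insecure cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256. |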

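--- a/ql/test/experimental/CWE-327/UnsafeTLS.go
+++ b/ql/test/experimental/CWE-327/UnsafeTLS.go
@@ -331,26 +331,26 @@ func cipherSuites() {
 {
 config := &tls.Config{}
 config.CipherSuites = make([]uint16, 0)
-insecureSuites := tls.InsecureCipherSuites()
-for _, v := range insecureSuites {
+suites := tls.InsecureCipherSuites()
+for _, v := range suites {
 config.CipherSuites = append(config.CipherSuites, v.ID) // BAD
 }
 }
 {
 config := &tls.Config{}
 cipherSuites := make([]uint16, 0)
-insecureSuites := tls.InsecureCipherSuites()
-for _, v := range insecureSuites {
+suites := tls.InsecureCipherSuites()
+for _, v := range suites {
 cipherSuites = append(cipherSuites, v.ID)
 }
 config.CipherSuites = cipherSuites // BAD
 }
 {
 config := &tls.Config{}
 cipherSuites := make([]uint16, 0)
-insecureSuites := tls.InsecureCipherSuites()
-for i := range insecureSuites {
+suites := tls.InsecureCipherSuites()
+for i := range suites {
 cipherSuites = append(cipherSuites, suites[i].ID)
 }
 config.CipherSuites = cipherSuites // BAD
 }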
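Review bot: Nothing in the three blocks records that the local is named `suites` on purpose, so a later cleanup could rename it back to `insecureSuites` and silently drop the `// BAD` results again. A comment above the first `suites := tls.InsecureCipherSuites()` would pin this, for example `// Neutral name on purpose: a name that acknowledges the insecure setup suppresses the alert.` The commit message implies the query treats such names as intentional; if no other case in this file covers that, one block that keeps the old name and is marked `// OK` would exercise the suppression as well as the detection. `cipherSuites()` starts before this hunk and may continue past it, so such a case may already exist outside the visible lines.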
