EXCUSED -> OK

smowton · smowton · commit 5c8534f56e03 · 2020-07-28T11:55:58.000+01:00
diff --git a/ql/test/experimental/CWE-327/UnsafeTLS.go b/ql/test/experimental/CWE-327/UnsafeTLS.go
@@ -114,13 +114,13 @@ func minMaxTlsVersion() {
 	}
 	if insecureFlag {
 		config := &tls.Config{
-			MinVersion: 0, // EXCUSED (guarded by a flag suggesting deliberate insecurity)
+			MinVersion: 0, // OK (guarded by a flag suggesting deliberate insecurity)
 		}
 		_ = config
 	}
 	if oldVersionFlag {
 		config := &tls.Config{
-			MinVersion: 0, // EXCUSED (guarded by a flag suggesting deliberate legacy support)
+			MinVersion: 0, // OK (guarded by a flag suggesting deliberate legacy support)
 		}
 		_ = config
 	}
@@ -130,7 +130,7 @@ func minMaxTlsVersion() {
 		if unknown {
 			version = tls.VersionTLS13
 		} else {
-			version = tls.VersionSSL30 // EXCUSED (flows together with a modern version, suggesting configurable security)
+			version = tls.VersionSSL30 // OK (flows together with a modern version, suggesting configurable security)
 		}
 		config := &tls.Config{
 			MinVersion: version,
@@ -143,7 +143,7 @@ func minMaxTlsVersion() {
 		if unknown {
 			config.MinVersion = tls.VersionTLS13
 		} else {
-			config.MinVersion = tls.VersionSSL30 // EXCUSED (flows together with a modern version, suggesting configurable security)
+			config.MinVersion = tls.VersionSSL30 // OK (flows together with a modern version, suggesting configurable security)
 		}
 		_ = config
 	}
@@ -153,47 +153,47 @@ func minMaxTlsVersion() {
 		if unknown {
 			config.MinVersion = tls.VersionTLS13
 		} else {
-			config.MinVersion = tls.VersionSSL30 // EXCUSED (flows together with a modern version, suggesting configurable security)
+			config.MinVersion = tls.VersionSSL30 // OK (flows together with a modern version, suggesting configurable security)
 		}
 		_ = config
 	}
 	///
 	{
 		insecureConfig := &tls.Config{
-			MinVersion: 0, // EXCUSED (var name suggests deliberate insecurity)
+			MinVersion: 0, // OK (var name suggests deliberate insecurity)
 		}
 		_ = insecureConfig
 	}
 	///
 	{
 		legacyConfig := &tls.Config{
-			MinVersion: 0, // EXCUSED (var name suggests deliberate legacy support)
+			MinVersion: 0, // OK (var name suggests deliberate legacy support)
 		}
 		_ = legacyConfig
 	}
 	///
 	{
 		var insecureConfig tls.Config
-		insecureConfig.MinVersion = 0 // EXCUSED (var name suggests deliberate insecurity)
+		insecureConfig.MinVersion = 0 // OK (var name suggests deliberate insecurity)
 		_ = insecureConfig
 	}
 	///
 	{
 		var legacyConfig tls.Config
-		legacyConfig.MinVersion = 0 // EXCUSED (var name suggests deliberate legacy support)
+		legacyConfig.MinVersion = 0 // OK (var name suggests deliberate legacy support)
 		_ = legacyConfig
 	}
 	///
 	{
 		switch unknown {
 		case oldVersionFlag:
 			config := &tls.Config{
-				MinVersion: 0, // EXCUSED (switch-case name suggests legacy support)
+				MinVersion: 0, // OK (switch-case name suggests legacy support)
 			}
 			_ = config
 		case insecureFlag:
 			config := &tls.Config{
-				MinVersion: 0, // EXCUSED (switch-case name suggests insecurity)
+				MinVersion: 0, // OK (switch-case name suggests insecurity)
 			}
 			_ = config
 		default:
@@ -206,12 +206,12 @@ func minMaxTlsVersion() {
 		switch os.Args[0] {
 		case "oldVersionFlag":
 			config := &tls.Config{
-				MinVersion: 0, // EXCUSED (switch-case name suggests legacy support)
+				MinVersion: 0, // OK (switch-case name suggests legacy support)
 			}
 			_ = config
 		case "insecureFlag":
 			config := &tls.Config{
-				MinVersion: 0, // EXCUSED (switch-case name suggests insecurity)
+				MinVersion: 0, // OK (switch-case name suggests insecurity)
 			}
 			_ = config
 		default:
@@ -224,7 +224,7 @@ func minMaxTlsVersion() {
 	///
 	if insecureFunc() {
 		config := &tls.Config{
-			MinVersion: 0, // EXCUSED (guarded by function call suggesting deliberate insecurity)
+			MinVersion: 0, // OK (guarded by function call suggesting deliberate insecurity)
 		}
 		_ = config
 	}
@@ -233,21 +233,21 @@ func minMaxTlsVersion() {
 	isInsecurePtr := &isInsecure
 	if *isInsecurePtr {
 		config := &tls.Config{
-			MinVersion: 0, // EXCUSED (guarded by pointer deref suggesting deliberate insecurity)
+			MinVersion: 0, // OK (guarded by pointer deref suggesting deliberate insecurity)
 		}
 		_ = config
 	}
 	///
 	if os.Getenv("DISABLE_TLS_VERIFICATION") == "true" {
 		config := &tls.Config{
-			MinVersion: 0, // EXCUSED (guarded by environment variable)
+			MinVersion: 0, // OK (guarded by environment variable)
 		}
 		_ = config
 	}
 	///
 	if isInsecure == true {
 		config := &tls.Config{
-			MinVersion: 0, // EXCUSED (guarded by comparison)
+			MinVersion: 0, // OK (guarded by comparison)
 		}
 		_ = config
 	}
@@ -368,46 +368,46 @@ func cipherSuites() {
 	if insecureFlag {
 		config := &tls.Config{
 			CipherSuites: []uint16{
-				tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // EXCUSED (guarded by a flag suggesting deliberate insecurity)
+				tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // OK (guarded by a flag suggesting deliberate insecurity)
 			},
 		}
 		_ = config
 	}
 	if oldVersionFlag {
 		config := &tls.Config{
 			CipherSuites: []uint16{
-				tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // EXCUSED (guarded by a flag suggesting deliberate legacy support)
+				tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // OK (guarded by a flag suggesting deliberate legacy support)
 			},
 		}
 		_ = config
 	}
 	{
 		insecureConfig := &tls.Config{
 			CipherSuites: []uint16{
-				tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // EXCUSED (var name suggests deliberate insecurity)
+				tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // OK (var name suggests deliberate insecurity)
 			},
 		}
 		_ = insecureConfig
 	}
 	{
 		legacyConfig := &tls.Config{
 			CipherSuites: []uint16{
-				tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // EXCUSED (var name suggests deliberate legacy support)
+				tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // OK (var name suggests deliberate legacy support)
 			},
 		}
 		_ = legacyConfig
 	}
 	{
 		var insecureConfig tls.Config
 		insecureConfig.CipherSuites = []uint16{
-			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // EXCUSED (var name suggests deliberate insecurity)
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // OK (var name suggests deliberate insecurity)
 		}
 		_ = insecureConfig
 	}
 	{
 		var legacyConfig tls.Config
 		legacyConfig.CipherSuites = []uint16{
-			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // EXCUSED (var name suggests deliberate legacy support)
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // OK (var name suggests deliberate legacy support)
 		}
 		_ = legacyConfig
 	}
@@ -416,14 +416,14 @@ func cipherSuites() {
 		case oldVersionFlag:
 			config := &tls.Config{
 				CipherSuites: []uint16{
-					tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // EXCUSED (switch-case name suggests legacy support)
+					tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // OK (switch-case name suggests legacy support)
 				},
 			}
 			_ = config
 		case insecureFlag:
 			config := &tls.Config{
 				CipherSuites: []uint16{
-					tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // EXCUSED (switch-case name suggests insecurity)
+					tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // OK (switch-case name suggests insecurity)
 				},
 			}
 			_ = config
@@ -440,14 +440,14 @@ func cipherSuites() {
 		case "oldVersionFlag":
 			config := &tls.Config{
 				CipherSuites: []uint16{
-					tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // EXCUSED (switch-case name suggests legacy support)
+					tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // OK (switch-case name suggests legacy support)
 				},
 			}
 			_ = config
 		case "insecureFlag":
 			config := &tls.Config{
 				CipherSuites: []uint16{
-					tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // EXCUSED (switch-case name suggests insecurity)
+					tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // OK (switch-case name suggests insecurity)
 				},
 			}
 			_ = config

Original file line number	Diff line number	Diff line change
`@@ -114,13 +114,13 @@ func minMaxTlsVersion() {`
`114`	`114`	`}`
`115`	`115`	`if insecureFlag {`
`116`	`116`	`config := &tls.Config{`
`117`		`- MinVersion: 0, // EXCUSED (guarded by a flag suggesting deliberate insecurity)`
	`117`	`+ MinVersion: 0, // OK (guarded by a flag suggesting deliberate insecurity)`
`118`	`118`	`}`
`119`	`119`	`_ = config`
`120`	`120`	`}`
`121`	`121`	`if oldVersionFlag {`
`122`	`122`	`config := &tls.Config{`
`123`		`- MinVersion: 0, // EXCUSED (guarded by a flag suggesting deliberate legacy support)`
	`123`	`+ MinVersion: 0, // OK (guarded by a flag suggesting deliberate legacy support)`
`124`	`124`	`}`
`125`	`125`	`_ = config`
`126`	`126`	`}`
`@@ -130,7 +130,7 @@ func minMaxTlsVersion() {`
`130`	`130`	`if unknown {`
`131`	`131`	`version = tls.VersionTLS13`
`132`	`132`	`} else {`
`133`		`- version = tls.VersionSSL30 // EXCUSED (flows together with a modern version, suggesting configurable security)`
	`133`	`+ version = tls.VersionSSL30 // OK (flows together with a modern version, suggesting configurable security)`
`134`	`134`	`}`
`135`	`135`	`config := &tls.Config{`
`136`	`136`	`MinVersion: version,`
`@@ -143,7 +143,7 @@ func minMaxTlsVersion() {`
`143`	`143`	`if unknown {`
`144`	`144`	`config.MinVersion = tls.VersionTLS13`
`145`	`145`	`} else {`
`146`		`- config.MinVersion = tls.VersionSSL30 // EXCUSED (flows together with a modern version, suggesting configurable security)`
	`146`	`+ config.MinVersion = tls.VersionSSL30 // OK (flows together with a modern version, suggesting configurable security)`
`147`	`147`	`}`
`148`	`148`	`_ = config`
`149`	`149`	`}`
`@@ -153,47 +153,47 @@ func minMaxTlsVersion() {`
`153`	`153`	`if unknown {`
`154`	`154`	`config.MinVersion = tls.VersionTLS13`
`155`	`155`	`} else {`
`156`		`- config.MinVersion = tls.VersionSSL30 // EXCUSED (flows together with a modern version, suggesting configurable security)`
	`156`	`+ config.MinVersion = tls.VersionSSL30 // OK (flows together with a modern version, suggesting configurable security)`
`157`	`157`	`}`
`158`	`158`	`_ = config`
`159`	`159`	`}`
`160`	`160`	`///`
`161`	`161`	`{`
`162`	`162`	`insecureConfig := &tls.Config{`
`163`		`- MinVersion: 0, // EXCUSED (var name suggests deliberate insecurity)`
	`163`	`+ MinVersion: 0, // OK (var name suggests deliberate insecurity)`
`164`	`164`	`}`
`165`	`165`	`_ = insecureConfig`
`166`	`166`	`}`
`167`	`167`	`///`
`168`	`168`	`{`
`169`	`169`	`legacyConfig := &tls.Config{`
`170`		`- MinVersion: 0, // EXCUSED (var name suggests deliberate legacy support)`
	`170`	`+ MinVersion: 0, // OK (var name suggests deliberate legacy support)`
`171`	`171`	`}`
`172`	`172`	`_ = legacyConfig`
`173`	`173`	`}`
`174`	`174`	`///`
`175`	`175`	`{`
`176`	`176`	`var insecureConfig tls.Config`
`177`		`- insecureConfig.MinVersion = 0 // EXCUSED (var name suggests deliberate insecurity)`
	`177`	`+ insecureConfig.MinVersion = 0 // OK (var name suggests deliberate insecurity)`
`178`	`178`	`_ = insecureConfig`
`179`	`179`	`}`
`180`	`180`	`///`
`181`	`181`	`{`
`182`	`182`	`var legacyConfig tls.Config`
`183`		`- legacyConfig.MinVersion = 0 // EXCUSED (var name suggests deliberate legacy support)`
	`183`	`+ legacyConfig.MinVersion = 0 // OK (var name suggests deliberate legacy support)`
`184`	`184`	`_ = legacyConfig`
`185`	`185`	`}`
`186`	`186`	`///`
`187`	`187`	`{`
`188`	`188`	`switch unknown {`
`189`	`189`	`case oldVersionFlag:`
`190`	`190`	`config := &tls.Config{`
`191`		`- MinVersion: 0, // EXCUSED (switch-case name suggests legacy support)`
	`191`	`+ MinVersion: 0, // OK (switch-case name suggests legacy support)`
`192`	`192`	`}`
`193`	`193`	`_ = config`
`194`	`194`	`case insecureFlag:`
`195`	`195`	`config := &tls.Config{`
`196`		`- MinVersion: 0, // EXCUSED (switch-case name suggests insecurity)`
	`196`	`+ MinVersion: 0, // OK (switch-case name suggests insecurity)`
`197`	`197`	`}`
`198`	`198`	`_ = config`
`199`	`199`	`default:`
`@@ -206,12 +206,12 @@ func minMaxTlsVersion() {`
`206`	`206`	`switch os.Args[0] {`
`207`	`207`	`case "oldVersionFlag":`
`208`	`208`	`config := &tls.Config{`
`209`		`- MinVersion: 0, // EXCUSED (switch-case name suggests legacy support)`
	`209`	`+ MinVersion: 0, // OK (switch-case name suggests legacy support)`
`210`	`210`	`}`
`211`	`211`	`_ = config`
`212`	`212`	`case "insecureFlag":`
`213`	`213`	`config := &tls.Config{`
`214`		`- MinVersion: 0, // EXCUSED (switch-case name suggests insecurity)`
	`214`	`+ MinVersion: 0, // OK (switch-case name suggests insecurity)`
`215`	`215`	`}`
`216`	`216`	`_ = config`
`217`	`217`	`default:`
`@@ -224,7 +224,7 @@ func minMaxTlsVersion() {`
`224`	`224`	`///`
`225`	`225`	`if insecureFunc() {`
`226`	`226`	`config := &tls.Config{`
`227`		`- MinVersion: 0, // EXCUSED (guarded by function call suggesting deliberate insecurity)`
	`227`	`+ MinVersion: 0, // OK (guarded by function call suggesting deliberate insecurity)`
`228`	`228`	`}`
`229`	`229`	`_ = config`
`230`	`230`	`}`
`@@ -233,21 +233,21 @@ func minMaxTlsVersion() {`
`233`	`233`	`isInsecurePtr := &isInsecure`
`234`	`234`	`if *isInsecurePtr {`
`235`	`235`	`config := &tls.Config{`
`236`		`- MinVersion: 0, // EXCUSED (guarded by pointer deref suggesting deliberate insecurity)`
	`236`	`+ MinVersion: 0, // OK (guarded by pointer deref suggesting deliberate insecurity)`
`237`	`237`	`}`
`238`	`238`	`_ = config`
`239`	`239`	`}`
`240`	`240`	`///`
`241`	`241`	`if os.Getenv("DISABLE_TLS_VERIFICATION") == "true" {`
`242`	`242`	`config := &tls.Config{`
`243`		`- MinVersion: 0, // EXCUSED (guarded by environment variable)`
	`243`	`+ MinVersion: 0, // OK (guarded by environment variable)`
`244`	`244`	`}`
`245`	`245`	`_ = config`
`246`	`246`	`}`
`247`	`247`	`///`
`248`	`248`	`if isInsecure == true {`
`249`	`249`	`config := &tls.Config{`
`250`		`- MinVersion: 0, // EXCUSED (guarded by comparison)`
	`250`	`+ MinVersion: 0, // OK (guarded by comparison)`
`251`	`251`	`}`
`252`	`252`	`_ = config`
`253`	`253`	`}`
`@@ -368,46 +368,46 @@ func cipherSuites() {`
`368`	`368`	`if insecureFlag {`
`369`	`369`	`config := &tls.Config{`
`370`	`370`	`CipherSuites: []uint16{`
`371`		`- tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // EXCUSED (guarded by a flag suggesting deliberate insecurity)`
	`371`	`+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // OK (guarded by a flag suggesting deliberate insecurity)`
`372`	`372`	`},`
`373`	`373`	`}`
`374`	`374`	`_ = config`
`375`	`375`	`}`
`376`	`376`	`if oldVersionFlag {`
`377`	`377`	`config := &tls.Config{`
`378`	`378`	`CipherSuites: []uint16{`
`379`		`- tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // EXCUSED (guarded by a flag suggesting deliberate legacy support)`
	`379`	`+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // OK (guarded by a flag suggesting deliberate legacy support)`
`380`	`380`	`},`
`381`	`381`	`}`
`382`	`382`	`_ = config`
`383`	`383`	`}`
`384`	`384`	`{`
`385`	`385`	`insecureConfig := &tls.Config{`
`386`	`386`	`CipherSuites: []uint16{`
`387`		`- tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // EXCUSED (var name suggests deliberate insecurity)`
	`387`	`+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // OK (var name suggests deliberate insecurity)`
`388`	`388`	`},`
`389`	`389`	`}`
`390`	`390`	`_ = insecureConfig`
`391`	`391`	`}`
`392`	`392`	`{`
`393`	`393`	`legacyConfig := &tls.Config{`
`394`	`394`	`CipherSuites: []uint16{`
`395`		`- tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // EXCUSED (var name suggests deliberate legacy support)`
	`395`	`+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // OK (var name suggests deliberate legacy support)`
`396`	`396`	`},`
`397`	`397`	`}`
`398`	`398`	`_ = legacyConfig`
`399`	`399`	`}`
`400`	`400`	`{`
`401`	`401`	`var insecureConfig tls.Config`
`402`	`402`	`insecureConfig.CipherSuites = []uint16{`
`403`		`- tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // EXCUSED (var name suggests deliberate insecurity)`
	`403`	`+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // OK (var name suggests deliberate insecurity)`
`404`	`404`	`}`
`405`	`405`	`_ = insecureConfig`
`406`	`406`	`}`
`407`	`407`	`{`
`408`	`408`	`var legacyConfig tls.Config`
`409`	`409`	`legacyConfig.CipherSuites = []uint16{`
`410`		`- tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // EXCUSED (var name suggests deliberate legacy support)`
	`410`	`+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // OK (var name suggests deliberate legacy support)`
`411`	`411`	`}`
`412`	`412`	`_ = legacyConfig`
`413`	`413`	`}`
`@@ -416,14 +416,14 @@ func cipherSuites() {`
`416`	`416`	`case oldVersionFlag:`
`417`	`417`	`config := &tls.Config{`
`418`	`418`	`CipherSuites: []uint16{`
`419`		`- tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // EXCUSED (switch-case name suggests legacy support)`
	`419`	`+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // OK (switch-case name suggests legacy support)`
`420`	`420`	`},`
`421`	`421`	`}`
`422`	`422`	`_ = config`
`423`	`423`	`case insecureFlag:`
`424`	`424`	`config := &tls.Config{`
`425`	`425`	`CipherSuites: []uint16{`
`426`		`- tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // EXCUSED (switch-case name suggests insecurity)`
	`426`	`+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // OK (switch-case name suggests insecurity)`
`427`	`427`	`},`
`428`	`428`	`}`
`429`	`429`	`_ = config`
`@@ -440,14 +440,14 @@ func cipherSuites() {`
`440`	`440`	`case "oldVersionFlag":`
`441`	`441`	`config := &tls.Config{`
`442`	`442`	`CipherSuites: []uint16{`
`443`		`- tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // EXCUSED (switch-case name suggests legacy support)`
	`443`	`+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // OK (switch-case name suggests legacy support)`
`444`	`444`	`},`
`445`	`445`	`}`
`446`	`446`	`_ = config`
`447`	`447`	`case "insecureFlag":`
`448`	`448`	`config := &tls.Config{`
`449`	`449`	`CipherSuites: []uint16{`
`450`		`- tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // EXCUSED (switch-case name suggests insecurity)`
	`450`	`+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, // OK (switch-case name suggests insecurity)`
`451`	`451`	`},`
`452`	`452`	`}`
`453`	`453`	`_ = config`