Swift: Address false positives.

geoffw0 · geoffw0 · commit 034daa9b3576 · 2023-12-15T13:29:49.000Z
diff --git a/swift/ql/lib/codeql/swift/security/WeakPasswordHashingExtensions.qll b/swift/ql/lib/codeql/swift/security/WeakPasswordHashingExtensions.qll
@@ -111,3 +111,18 @@ private class DefaultWeakPasswordHashingSink extends WeakPasswordHashingSink {
 
   override string getAlgorithm() { result = algorithm }
 }
+
+/**
+ * A barrier for weak password hashing, when it occurs inside of
+ * certain cryptographic algorithms as part of their design.
+ */
+class WeakPasswordHashingImplementationBarrier extends WeakPasswordHashingBarrier {
+  WeakPasswordHashingImplementationBarrier() {
+    this.asParameter()
+        .getDeclaringFunction()
+        .(Function)
+        .getDeclaringDecl*()
+        .(NominalTypeDecl)
+        .getName() = ["HMAC", "PBKDF1", "PBKDF2"]
+  }
+}
