Initialization vector models

egregius313 · egregius313 · commit 31b069041f05 · 2023-10-25T14:31:54.000-04:00
diff --git a/java/ql/lib/ext/javax.crypto.spec.model.yml b/java/ql/lib/ext/javax.crypto.spec.model.yml
@@ -23,5 +23,5 @@ extensions:
       - ["javax.crypto.spec", "DESedeKeySpec", False, "isParityAdjusted", "(byte[],int)", "", "Argument[0]", "crypto-parameter", "manual"]
       - ["javax.crypto.spec", "SecretKeySpec", False, "SecretKeySpec", "(byte[],String)", "", "Argument[0]", "crypto-parameter", "manual"]
       - ["javax.crypto.spec", "SecretKeySpec", False, "SecretKeySpec", "(byte[],int,int,String)", "", "Argument[0]", "crypto-parameter", "manual"]
-      - ["javax.crypto.spec", "IvParameterSpec", False, "IvParameterSpec", "(byte[])", "", "Argument[0]", "crypto-parameter", "manual"]
-      - ["javax.crypto.spec", "IvParameterSpec", False, "IvParameterSpec", "(byte[],int,int)", "", "Argument[0]", "crypto-parameter", "manual"]
+      - ["javax.crypto.spec", "IvParameterSpec", False, "IvParameterSpec", "(byte[])", "", "Argument[0]", "encryption-iv", "manual"]
+      - ["javax.crypto.spec", "IvParameterSpec", False, "IvParameterSpec", "(byte[],int,int)", "", "Argument[0]", "encryption-iv", "manual"]
diff --git a/java/ql/lib/semmle/code/java/security/SensitiveApi.qll b/java/ql/lib/semmle/code/java/security/SensitiveApi.qll
@@ -32,6 +32,13 @@ class CryptoKeySink extends CredentialsSinkNode {
   CryptoKeySink() { sinkNode(this, "crypto-parameter") }
 }
 
+/**
+ * A node representing a cryptographic initialization vector being passed to a method.
+ */
+class InitializationVectorSink extends CredentialsSinkNode {
+  InitializationVectorSink() { sinkNode(this, "encryption-iv") }
+}
+
 /**
  * DEPRECATED: Use the `PasswordSink` class instead.
  * Holds if callable `c` from a standard Java API expects a password parameter at index `i`.
