don't include mode-of-operation into the algorithm names

Author: erik-krogh

javascript/ql/lib/semmle/javascript/security/CryptoAlgorithms.qll

@@ -31,22 +31,14 @@ private module AlgorithmNames {
   }
 
   predicate isStrongEncryptionAlgorithm(string name) {
-    name = [appendMode("AES"), "AES128", "AES192", "AES256", "AES512", "RSA", "RABBIT", "BLOWFISH"]
-  }
-
-  /**
-   * Gets the name with a mode of operation added as a suffix.
-   */
-  bindingset[name]
-  private string appendMode(string name) {
-    result = name + ["", "CBC", "ECB", "CFB", "OFB", "CTR", "GCM"]
+    name = ["AES", "AES128", "AES192", "AES256", "AES512", "RSA", "RABBIT", "BLOWFISH"]
   }
 
   predicate isWeakEncryptionAlgorithm(string name) {
     name =
       [
-        appendMode("DES"), appendMode("3DES"), "TRIPLEDES", "TDEA", "TRIPLEDEA", "ARC2", "RC2",
-        "ARC4", "RC4", "ARCFOUR", "ARC5", "RC5"
+        "DES", "3DES", "TRIPLEDES", "TDEA", "TRIPLEDEA", "ARC2", "RC2", "ARC4", "RC4", "ARCFOUR",
+        "ARC5", "RC5"
       ]
   }
 
@@ -93,11 +85,12 @@ abstract class CryptographicAlgorithm extends TCryptographicAlgorithm {
 
   /**
    * Holds if the name of this algorithm matches `name` modulo case,
-   * white space, dashes, and underscores.
+   * white space, dashes, underscores, and anything after a dash in the name.
    */
   bindingset[name]
   predicate matchesName(string name) {
-    name.toUpperCase().regexpReplaceAll("[-_ ]", "") = getName()
+    name.toUpperCase().regexpCapture("^(\\w+)(?:-.*)?$", 1).regexpReplaceAll("[-_ ]", "") =
+      getName()
   }
 
   /**

javascript/ql/test/query-tests/Security/CWE-326/InsufficientKeySize.expected

@@ -4,8 +4,8 @@
 | tst.js:14:14:14:60 | CryptoJ ... e: 2 }) | Creation of an symmetric PBKDF2 key uses 64 bits, which is below 128 and considered breakable. |
 | tst.js:15:14:15:60 | CryptoJ ... e: 2 }) | Creation of an symmetric EVPKDF key uses 64 bits, which is below 128 and considered breakable. |
 | tst.js:19:12:19:57 | forge.r ... rd, 64) | Creation of an symmetric RC2 key uses 64 bits, which is below 128 and considered breakable. |
-| tst.js:26:12:26:53 | forge.c ... , key2) | Creation of an symmetric AESCBC key uses 64 bits, which is below 128 and considered breakable. |
-| tst.js:30:12:30:56 | forge.c ... , key3) | Creation of an symmetric 3DESCBC key uses 64 bits, which is below 128 and considered breakable. |
+| tst.js:26:12:26:53 | forge.c ... , key2) | Creation of an symmetric AES key uses 64 bits, which is below 128 and considered breakable. |
+| tst.js:30:12:30:56 | forge.c ... , key3) | Creation of an symmetric 3DES key uses 64 bits, which is below 128 and considered breakable. |
 | tst.js:35:13:35:43 | crypto. ... an(512) | Creation of an asymmetric key uses 512 bits, which is below 2048 and considered breakable. |
 | tst.js:39:13:39:33 | new Nod ... : 512}) | Creation of an asymmetric RSA key uses 512 bits, which is below 2048 and considered breakable. |
 | tst.js:43:1:43:31 | key.gen ...  65537) | Creation of an asymmetric RSA key uses 512 bits, which is below 2048 and considered breakable. |

python/ql/lib/semmle/python/concepts/CryptoAlgorithms.qll

@@ -31,22 +31,14 @@ private module AlgorithmNames {
   }
 
   predicate isStrongEncryptionAlgorithm(string name) {
-    name = [appendMode("AES"), "AES128", "AES192", "AES256", "AES512", "RSA", "RABBIT", "BLOWFISH"]
-  }
-
-  /**
-   * Gets the name with a mode of operation added as a suffix.
-   */
-  bindingset[name]
-  private string appendMode(string name) {
-    result = name + ["", "CBC", "ECB", "CFB", "OFB", "CTR", "GCM"]
+    name = ["AES", "AES128", "AES192", "AES256", "AES512", "RSA", "RABBIT", "BLOWFISH"]
   }
 
   predicate isWeakEncryptionAlgorithm(string name) {
     name =
       [
-        appendMode("DES"), appendMode("3DES"), "TRIPLEDES", "TDEA", "TRIPLEDEA", "ARC2", "RC2",
-        "ARC4", "RC4", "ARCFOUR", "ARC5", "RC5"
+        "DES", "3DES", "TRIPLEDES", "TDEA", "TRIPLEDEA", "ARC2", "RC2", "ARC4", "RC4", "ARCFOUR",
+        "ARC5", "RC5"
       ]
   }
 
@@ -93,11 +85,12 @@ abstract class CryptographicAlgorithm extends TCryptographicAlgorithm {
 
   /**
    * Holds if the name of this algorithm matches `name` modulo case,
-   * white space, dashes, and underscores.
+   * white space, dashes, underscores, and anything after a dash in the name.
    */
   bindingset[name]
   predicate matchesName(string name) {
-    name.toUpperCase().regexpReplaceAll("[-_ ]", "") = getName()
+    name.toUpperCase().regexpCapture("^(\\w+)(?:-.*)?$", 1).regexpReplaceAll("[-_ ]", "") =
+      getName()
   }
 
   /**