Remove use of crypto-parameter sink kind

egregius313 · egregius313 · commit b8b2de2f3c18 · 2023-12-11T11:18:39.000-05:00
diff --git a/java/ql/lib/ext/java.security.spec.model.yml b/java/ql/lib/ext/java.security.spec.model.yml
@@ -3,17 +3,14 @@ extensions:
       pack: codeql/java-all
       extensible: sinkModel
     data:
+      - ["java.security.spec", "DSAParameterSpec", False, "DSAParameterSpec", "", "", "Argument[0..2]", "credentials-key", "manual"]
+      - ["java.security.spec", "DSAPrivateKeySpec", False, "DSAPrivateKeySpec", "", "", "Argument[0..3]", "credentials-key", "manual"]
+      - ["java.security.spec", "DSAPublicKeySpec", False, "DSAPublicKeySpec", "", "", "Argument[0..3]", "credentials-key", "manual"]
+      - ["java.security.spec", "ECPrivateKeySpec", False, "ECPrivateKeySpec", "", "", "Argument[0]", "credentials-key", "manual"]
       - ["java.security.spec", "EncodedKeySpec", False, "EncodedKeySpec", "(byte[])", "", "Argument[0]", "credentials-key", "hq-generated"]
       - ["java.security.spec", "PKCS8EncodedKeySpec", False, "PKCS8EncodedKeySpec", "(byte[])", "", "Argument[0]", "credentials-key", "hq-generated"]
+      - ["java.security.spec", "RSAMultiPrimePrivateCrtKeySpec", False, "RSAMultiPrimePrivateCrtKeySpec", "", "", "Argument[0..8]", "credentials-key", "manual"]
+      - ["java.security.spec", "RSAPrivateCrtKeySpec", False, "RSAPrivateCrtKeySpec", "", "", "Argument[0..7]", "credentials-key", "manual"]
+      - ["java.security.spec", "RSAPrivateKeySpec", False, "RSAPrivateKeySpec", "", "", "Argument[0..1]", "credentials-key", "manual"]
+      - ["java.security.spec", "RSAPublicKeySpec", False, "RSAPublicKeySpec", "", "", "Argument[0..1]", "credentials-key", "manual"]
       - ["java.security.spec", "X509EncodedKeySpec", False, "X509EncodedKeySpec", "(byte[])", "", "Argument[0]", "credentials-key", "hq-generated"]
-      - ["java.security.spec", "DSAParameterSpec", False, "DSAParameterSpec", "", "", "Argument[0..2]", "crypto-parameter", "manual"]
-      - ["java.security.spec", "DSAPrivateKeySpec", False, "DSAPrivateKeySpec", "", "", "Argument[0..3]", "crypto-parameter", "manual"]
-      - ["java.security.spec", "DSAPublicKeySpec", False, "DSAPublicKeySpec", "", "", "Argument[0..3]", "crypto-parameter", "manual"]
-      - ["java.security.spec", "ECPrivateKeySpec", False, "ECPrivateKeySpec", "", "", "Argument[0]", "crypto-parameter", "manual"]
-      - ["java.security.spec", "EncodedKeySpec", False, "EncodedKeySpec", "", "", "Argument[0]", "crypto-parameter", "manual"]
-      - ["java.security.spec", "PKCS8EncodedKeySpec", False, "PKCS8EncodedKeySpec", "", "", "Argument[0]", "crypto-parameter", "manual"]
-      - ["java.security.spec", "RSAMultiPrimePrivateCrtKeySpec", False, "RSAMultiPrimePrivateCrtKeySpec", "", "", "Argument[0..8]", "crypto-parameter", "manual"]
-      - ["java.security.spec", "RSAPrivateCrtKeySpec", False, "RSAPrivateCrtKeySpec", "", "", "Argument[0..7]", "crypto-parameter", "manual"]
-      - ["java.security.spec", "RSAPrivateKeySpec", False, "RSAPrivateKeySpec", "", "", "Argument[0..1]", "crypto-parameter", "manual"]
-      - ["java.security.spec", "RSAPublicKeySpec", False, "RSAPublicKeySpec", "", "", "Argument[0..1]", "crypto-parameter", "manual"]
-      - ["java.security.spec", "X509EncodedKeySpec", False, "X509EncodedKeySpec", "", "", "Argument[0]", "crypto-parameter", "manual"]
diff --git a/java/ql/lib/ext/javax.crypto.spec.model.yml b/java/ql/lib/ext/javax.crypto.spec.model.yml
@@ -11,31 +11,25 @@ extensions:
       pack: codeql/java-all
       extensible: sinkModel
     data:
-      - ["javax.crypto.spec", "PBEKeySpec", False, "PBEKeySpec", "(char[])", "", "Argument[0]", "credentials-password", "hq-generated"]
-      - ["javax.crypto.spec", "PBEKeySpec", False, "PBEKeySpec", "(char[],byte[],int)", "", "Argument[0]", "credentials-password", "hq-generated"]
-      - ["javax.crypto.spec", "PBEKeySpec", False, "PBEKeySpec", "(char[],byte[],int,int)", "", "Argument[0]", "credentials-password", "hq-generated"]
       - ["javax.crypto.spec", "DESKeySpec", False, "DESKeySpec", "(byte[])", "", "Argument[0]", "credentials-key", "hq-generated"]
       - ["javax.crypto.spec", "DESKeySpec", False, "DESKeySpec", "(byte[],int)", "", "Argument[0]", "credentials-key", "hq-generated"]
       - ["javax.crypto.spec", "DESKeySpec", False, "isParityAdjusted", "(byte[],int)", "", "Argument[0]", "credentials-key", "hq-generated"]
       - ["javax.crypto.spec", "DESKeySpec", False, "isWeak", "(byte[],int)", "", "Argument[0]", "credentials-key", "hq-generated"]
       - ["javax.crypto.spec", "DESedeKeySpec", False, "DESedeKeySpec", "(byte[])", "", "Argument[0]", "credentials-key", "hq-generated"]
       - ["javax.crypto.spec", "DESedeKeySpec", False, "DESedeKeySpec", "(byte[],int)", "", "Argument[0]", "credentials-key", "hq-generated"]
       - ["javax.crypto.spec", "DESedeKeySpec", False, "isParityAdjusted", "(byte[],int)", "", "Argument[0]", "credentials-key", "hq-generated"]
-      - ["javax.crypto.spec", "SecretKeySpec", False, "SecretKeySpec", "(byte[],String)", "", "Argument[0]", "credentials-key", "hq-generated"]
-      - ["javax.crypto.spec", "SecretKeySpec", False, "SecretKeySpec", "(byte[],int,int,String)", "", "Argument[0]", "credentials-key", "hq-generated"]
+      - ["javax.crypto.spec", "DHPrivateKeySpec", False, "DHPrivateKeySpec", "", "", "Argument[1..3]", "credentials-key", "manual"]
+      - ["javax.crypto.spec", "DHPublicKeySpec", False, "DHPublicKeySpec", "", "", "Argument[1..3]", "credentials-key", "manual"]
+      - ["javax.crypto.spec", "DSAParameterSpec", False, "DSAParameterSpec", "", "", "Argument[1..3]", "credentials-key", "manual"]
+      - ["javax.crypto.spec", "GCMParameterSpec", False, "GCMParameterSpec", "", "", "Argument[1]", "encryption-iv", "manual"]
       - ["javax.crypto.spec", "IvParameterSpec", False, "IvParameterSpec", "(byte[])", "", "Argument[0]", "encryption-iv", "manual"]
       - ["javax.crypto.spec", "IvParameterSpec", False, "IvParameterSpec", "(byte[],int,int)", "", "Argument[0]", "encryption-iv", "manual"]
-      - ["javax.crypto.spec", "DESedeKeySpec", False, "DESedeKeySpec", "", "", "Argument[0]", "crypto-parameter", "manual"]
-      - ["javax.crypto.spec", "DESKeySpec", False, "DESKeySpec", "", "", "Argument[0]", "crypto-parameter", "manual"]
-      - ["javax.crypto.spec", "DHPrivateKeySpec", False, "DHPrivateKeySpec", "", "", "Argument[1..3]", "crypto-parameter", "manual"]
-      - ["javax.crypto.spec", "DHPublicKeySpec", False, "DHPublicKeySpec", "", "", "Argument[1..3]", "crypto-parameter", "manual"]
-      - ["javax.crypto.spec", "DHPublicKeySpec", False, "DHPublicKeySpec", "", "", "Argument[1..3]", "crypto-parameter", "manual"]
-      - ["javax.crypto.spec", "DSAParameterSpec", False, "DSAParameterSpec", "", "", "Argument[1..3]", "crypto-parameter", "manual"]
-      - ["javax.crypto.spec", "GCMParameterSpec", False, "GCMParameterSpec", "", "", "Argument[1]", "crypto-parameter", "manual"]
-      - ["javax.crypto.spec", "IvParameterSpec", False, "IvParameterSpec", "", "", "Argument[0]", "crypto-parameter", "manual"]
-      - ["javax.crypto.spec", "PBEKeySpec", False, "PBEKeySpec", "", "", "Argument[0..1]", "crypto-parameter", "manual"]
-      - ["javax.crypto.spec", "PBEKeySpec", False, "PBEKeySpec", "", "", "Argument[0..1]", "crypto-parameter", "manual"]
-      - ["javax.crypto.spec", "PBEParameterSpec", False, "PBEParameterSpec", "", "", "Argument[0]", "crypto-parameter", "manual"]
-      - ["javax.crypto.spec", "RC2ParameterSpec", False, "RC2ParameterSpec", "", "", "Argument[1]", "crypto-parameter", "manual"]
-      - ["javax.crypto.spec", "RC5ParameterSpec", False, "RC25arameterSpec", "", "", "Argument[3]", "crypto-parameter", "manual"]
-      - ["javax.crypto.spec", "SecretKeySpec", False, "SecretKeySpec", "", "", "Argument[0]", "crypto-parameter", "manual"]
+      - ["javax.crypto.spec", "PBEKeySpec", False, "PBEKeySpec", "", "", "Argument[1]", "encryption-salt", "manual"]
+      - ["javax.crypto.spec", "PBEKeySpec", False, "PBEKeySpec", "(char[])", "", "Argument[0]", "credentials-password", "hq-generated"]
+      - ["javax.crypto.spec", "PBEKeySpec", False, "PBEKeySpec", "(char[],byte[],int)", "", "Argument[0]", "credentials-password", "hq-generated"]
+      - ["javax.crypto.spec", "PBEKeySpec", False, "PBEKeySpec", "(char[],byte[],int,int)", "", "Argument[0]", "credentials-password", "hq-generated"]
+      - ["javax.crypto.spec", "PBEParameterSpec", False, "PBEParameterSpec", "", "", "Argument[0]", "encryption-salt", "manual"]
+      - ["javax.crypto.spec", "RC2ParameterSpec", False, "RC2ParameterSpec", "", "", "Argument[1]", "encryption-iv", "manual"]
+      - ["javax.crypto.spec", "RC5ParameterSpec", False, "RC5ParameterSpec", "", "", "Argument[3]", "encryption-iv", "manual"]
+      - ["javax.crypto.spec", "SecretKeySpec", False, "SecretKeySpec", "(byte[],String)", "", "Argument[0]", "credentials-key", "hq-generated"]
+      - ["javax.crypto.spec", "SecretKeySpec", False, "SecretKeySpec", "(byte[],int,int,String)", "", "Argument[0]", "credentials-key", "hq-generated"]
diff --git a/java/ql/lib/semmle/code/java/security/WeakRandomnessQuery.qll b/java/ql/lib/semmle/code/java/security/WeakRandomnessQuery.qll
@@ -63,10 +63,6 @@ private class SensitiveActionSink extends WeakRandomnessSink {
   SensitiveActionSink() { this.asExpr() instanceof SensitiveExpr }
 }
 
-private class CryptographicSink extends WeakRandomnessSink {
-  CryptographicSink() { sinkNode(this, "crypto-parameter") }
-}
-
 private class CredentialsSink extends WeakRandomnessSink instanceof CredentialsSinkNode { }
 
 /**
diff --git a/shared/mad/codeql/mad/ModelValidation.qll b/shared/mad/codeql/mad/ModelValidation.qll
@@ -30,11 +30,10 @@ module KindValidation<KindValidationConfigSig Config> {
           "js-injection", "ldap-injection", "log-injection", "path-injection", "request-forgery",
           "sql-injection", "url-redirection",
           // Java-only currently, but may be shared in the future
-          "bean-validation", "crypto-parameter", "fragment-injection", "groovy-injection",
-          "hostname-verification", "information-leak", "intent-redirection", "jexl-injection",
-          "jndi-injection", "mvel-injection", "ognl-injection", "pending-intents",
-          "response-splitting", "trust-boundary-violation", "template-injection", "xpath-injection",
-          "xslt-injection",
+          "bean-validation", "fragment-injection", "groovy-injection", "hostname-verification",
+          "information-leak", "intent-redirection", "jexl-injection", "jndi-injection",
+          "mvel-injection", "ognl-injection", "pending-intents", "response-splitting",
+          "trust-boundary-violation", "template-injection", "xpath-injection", "xslt-injection",
           // JavaScript-only currently, but may be shared in the future
           "mongodb.sink", "nosql-injection", "unsafe-deserialization",
           // Swift-only currently, but may be shared in the future

Original file line number	Diff line number	Diff line change
`@@ -63,10 +63,6 @@ private class SensitiveActionSink extends WeakRandomnessSink {`
`63`	`63`	`SensitiveActionSink() { this.asExpr() instanceof SensitiveExpr }`
`64`	`64`	`}`
`65`	`65`
`66`		`-private class CryptographicSink extends WeakRandomnessSink {`
`67`		`- CryptographicSink() { sinkNode(this, "crypto-parameter") }`
`68`		`-}`
`69`		`-`
`70`	`66`	`private class CredentialsSink extends WeakRandomnessSink instanceof CredentialsSinkNode { }`
`71`	`67`
`72`	`68`	`/**`