C++: Fix 'triple DES' false positives.

Author: geoffw0

cpp/ql/src/semmle/code/cpp/security/Encryption.qll

@@ -30,6 +30,9 @@ string getAnInsecureHashAlgorithmName() { result = ["SHA1", "MD5"] }
 /**
  * Gets the regular expression used for matching strings that look like they
  * contain an algorithm that is known to be insecure.
+ *
+ * Consider using `isInsecureEncryption` rather than accessing this regular
+ * expression directly.
  */
 string getInsecureAlgorithmRegex() {
   result =
@@ -49,8 +52,12 @@ string getInsecureAlgorithmRegex() {
  * Holds if `name` looks like it might be related to operations with an
  * insecure encyption algorithm.
  */
-bindingset[name] predicate isInsecureEncryption(string name) {
-  name.regexpMatch(getInsecureAlgorithmRegex())
+bindingset[name]
+predicate isInsecureEncryption(string name) {
+  name.regexpMatch(getInsecureAlgorithmRegex()) and
+  // Check for evidence that an otherwise matching name may in fact not be
+  // related to insecure encrpytion, e.g. "Triple-DES" is not "DES".
+  not name.toUpperCase().regexpMatch(".*TRIPLE.*")
 }
 
 /**

cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected

@@ -5,7 +5,6 @@
 | test2.cpp:182:38:182:45 | ALGO_DES | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:39:2:39:31 | ENCRYPT_WITH_RC2(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
-| test.cpp:42:2:42:38 | ENCRYPT_WITH_TRIPLE_DES(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:51:2:51:32 | DES_DO_ENCRYPTION(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:52:2:52:31 | RUN_DES_ENCODING(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:53:2:53:25 | DES_ENCODE(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
@@ -14,6 +13,5 @@
 | test.cpp:59:12:59:25 | SORT_ORDER_DES | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:88:2:88:11 | call to encryptDES | This function call specifies a broken or weak cryptographic algorithm. |
 | test.cpp:89:2:89:11 | call to encryptRC2 | This function call specifies a broken or weak cryptographic algorithm. |
-| test.cpp:92:2:92:17 | call to encryptTripleDES | This function call specifies a broken or weak cryptographic algorithm. |
 | test.cpp:101:2:101:15 | call to do_des_encrypt | This function call specifies a broken or weak cryptographic algorithm. |
 | test.cpp:102:2:102:12 | call to DES_Set_Key | This function call specifies a broken or weak cryptographic algorithm. |

cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp

@@ -39,7 +39,7 @@ void test_macros(void *data, size_t amount, const char *str)
 	ENCRYPT_WITH_RC2(data, amount); // BAD
 	ENCRYPT_WITH_AES(data, amount); // GOOD (good algorithm)
 	ENCRYPT_WITH_3DES(data, amount); // GOOD (good enough algorithm)
-	ENCRYPT_WITH_TRIPLE_DES(data, amount); // GOOD (good enough algorithm) [FALSE POSITIVE]
+	ENCRYPT_WITH_TRIPLE_DES(data, amount); // GOOD (good enough algorithm)
 	ENCRYPT_WITH_RC20(data, amount); // GOOD (if there ever is an RC20 algorithm, we have no reason to believe it's weak)
 	ENCRYPT_WITH_DES_REMOVED(data, amount); // GOOD (implementation has been deleted)
 
@@ -89,7 +89,7 @@ void test_functions(void *data, size_t amount, const char *str)
 	encryptRC2(data, amount); // BAD
 	encryptAES(data, amount); // GOOD (good algorithm)
 	encrypt3DES(data, amount); // GOOD (good enough algorithm)
-	encryptTripleDES(data, amount); // GOOD (good enough algorithm) [FALSE POSITIVE]
+	encryptTripleDES(data, amount); // GOOD (good enough algorithm)
 
 	DESEncrypt(data, amount); // BAD
 	RC2Encrypt(data, amount); // BAD