Better qldoc for timing attacks

artem-smotrakov · artem-smotrakov · commit bd7e7b1371cb · 2021-08-01T10:18:37.000+02:00
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCheckOnSignatureQuery.qll b/java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCheckOnSignatureQuery.qll
@@ -12,10 +12,10 @@ import semmle.code.java.dataflow.FlowSources
 abstract private class ProduceCryptoCall extends MethodAccess {
   Expr output;
 
-  /** Return the result of cryptographic operation. */
+  /** Gets the result of cryptographic operation. */
   Expr output() { result = output }
 
-  /** Return a type of the result of cryptographic operation such as MAC, signature or ciphertext. */
+  /** Gets a type of cryptographic operation such as MAC, signature or ciphertext. */
   abstract string getResultType();
 }
 
@@ -186,6 +186,7 @@ class CryptoOperationSource extends DataFlow::Node {
     )
   }
 
+  /** Gets a method call that produces cryptographic result. */
   ProduceCryptoCall getCall() { result = call }
 }
 
@@ -198,7 +199,7 @@ private class NonConstantTimeEqualsCall extends MethodAccess {
   }
 }
 
-/** Static methods that use a non-constant-time algorithm for comparing inputs. */
+/** A static method that uses a non-constant-time algorithm for comparing inputs. */
 private class NonConstantTimeComparisonCall extends StaticMethodAccess {
   NonConstantTimeComparisonCall() {
     getMethod().hasQualifiedName("java.util", "Arrays", ["equals", "deepEquals"]) or

Original file line number	Diff line number	Diff line change
`@@ -12,10 +12,10 @@ import semmle.code.java.dataflow.FlowSources`
`12`	`12`	`abstract private class ProduceCryptoCall extends MethodAccess {`
`13`	`13`	`Expr output;`
`14`	`14`
`15`		`- /** Return the result of cryptographic operation. */`
	`15`	`+ /** Gets the result of cryptographic operation. */`
`16`	`16`	`Expr output() { result = output }`
`17`	`17`
`18`		`- /** Return a type of the result of cryptographic operation such as MAC, signature or ciphertext. */`
	`18`	`+ /** Gets a type of cryptographic operation such as MAC, signature or ciphertext. */`
`19`	`19`	`abstract string getResultType();`
`20`	`20`	`}`
`21`	`21`
`@@ -186,6 +186,7 @@ class CryptoOperationSource extends DataFlow::Node {`
`186`	`186`	`)`
`187`	`187`	`}`
`188`	`188`
	`189`	`+ /** Gets a method call that produces cryptographic result. */`
`189`	`190`	`ProduceCryptoCall getCall() { result = call }`
`190`	`191`	`}`
`191`	`192`
`@@ -198,7 +199,7 @@ private class NonConstantTimeEqualsCall extends MethodAccess {`
`198`	`199`	`}`
`199`	`200`	`}`
`200`	`201`
`201`		`-/** Static methods that use a non-constant-time algorithm for comparing inputs. */`
	`202`	`+/** A static method that uses a non-constant-time algorithm for comparing inputs. */`
`202`	`203`	`private class NonConstantTimeComparisonCall extends StaticMethodAccess {`
`203`	`204`	`NonConstantTimeComparisonCall() {`
`204`	`205`	`getMethod().hasQualifiedName("java.util", "Arrays", ["equals", "deepEquals"]) or`