Python: Ignore weak key-sizes from test-code in weak-crypto-key

RasmusWL · RasmusWL · commit d084261a7933 · 2021-02-19T15:04:41.000+01:00
From looking at old results on LGTM.com, this was quite common (and those alerts
doesn't really provide value).
diff --git a/python/ql/src/Security/CWE-326/WeakCryptoKey.ql b/python/ql/src/Security/CWE-326/WeakCryptoKey.ql
@@ -12,11 +12,13 @@
 import python
 import semmle.python.Concepts
 import semmle.python.dataflow.new.DataFlow
+import semmle.python.filters.Tests
 
 from Cryptography::PublicKey::KeyGeneration keyGen, int keySize, DataFlow::Node origin
 where
   keySize = keyGen.getKeySizeWithOrigin(origin) and
-  keySize < keyGen.minimumSecureKeySize()
+  keySize < keyGen.minimumSecureKeySize() and
+  not origin.getScope().getScope*() instanceof TestScope
 select keyGen,
   "Creation of an " + keyGen.getName() + " key uses $@ bits, which is below " +
     keyGen.minimumSecureKeySize() + " and considered breakable.", origin, keySize.toString()
diff --git a/python/ql/test/query-tests/Security/CWE-326/WeakCryptoKey.expected b/python/ql/test/query-tests/Security/CWE-326/WeakCryptoKey.expected
@@ -1,4 +1,3 @@
-| test_example.py:7:5:7:22 | ControlFlowNode for Attribute() | Creation of an RSA key uses $@ bits, which is below 2048 and considered breakable. | test_example.py:7:18:7:21 | ControlFlowNode for IntegerLiteral | 1024 |
 | weak_crypto.py:68:1:68:21 | ControlFlowNode for dsa_gen_key() | Creation of an DSA key uses $@ bits, which is below 2048 and considered breakable. | weak_crypto.py:16:12:16:15 | ControlFlowNode for IntegerLiteral | 1024 |
 | weak_crypto.py:69:1:69:19 | ControlFlowNode for ec_gen_key() | Creation of an ECC key uses $@ bits, which is below 224 and considered breakable. | weak_crypto.py:22:11:22:24 | ControlFlowNode for Attribute() | 163 |
 | weak_crypto.py:70:1:70:28 | ControlFlowNode for rsa_gen_key() | Creation of an RSA key uses $@ bits, which is below 2048 and considered breakable. | weak_crypto.py:12:12:12:15 | ControlFlowNode for IntegerLiteral | 1024 |
@@ -8,4 +7,3 @@
 | weak_crypto.py:76:1:76:22 | ControlFlowNode for Attribute() | Creation of an DSA key uses $@ bits, which is below 2048 and considered breakable. | weak_crypto.py:16:12:16:15 | ControlFlowNode for IntegerLiteral | 1024 |
 | weak_crypto.py:77:1:77:22 | ControlFlowNode for Attribute() | Creation of an RSA key uses $@ bits, which is below 2048 and considered breakable. | weak_crypto.py:12:12:12:15 | ControlFlowNode for IntegerLiteral | 1024 |
 | weak_crypto.py:84:12:84:29 | ControlFlowNode for Attribute() | Creation of an RSA key uses $@ bits, which is below 2048 and considered breakable. | weak_crypto.py:12:12:12:15 | ControlFlowNode for IntegerLiteral | 1024 |
-| weak_crypto.py:95:12:95:29 | ControlFlowNode for Attribute() | Creation of an RSA key uses $@ bits, which is below 2048 and considered breakable. | test_example.py:9:23:9:26 | ControlFlowNode for IntegerLiteral | 1024 |
