C++: Deprecate some old terminology.

geoffw0 · geoffw0 · commit fc69c16ba605 · 2020-06-29T18:03:16.000+01:00
diff --git a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
@@ -18,7 +18,7 @@ abstract class InsecureCryptoSpec extends Locatable {
 }
 
 Function getAnInsecureFunction() {
-  result.getName().regexpMatch(algorithmBlacklistRegex()) and
+  result.getName().regexpMatch(getInsecureAlgorithmRegex()) and
   exists(result.getACallToThisFunction())
 }
 
@@ -33,7 +33,7 @@ class InsecureFunctionCall extends InsecureCryptoSpec, FunctionCall {
 }
 
 Macro getAnInsecureMacro() {
-  result.getName().regexpMatch(algorithmBlacklistRegex()) and
+  result.getName().regexpMatch(getInsecureAlgorithmRegex()) and
   exists(result.getAnInvocation())
 }
 
diff --git a/cpp/ql/src/semmle/code/cpp/security/Encryption.qll b/cpp/ql/src/semmle/code/cpp/security/Encryption.qll
@@ -1,12 +1,13 @@
 /**
  * Provides predicates relating to encryption in C and C++.
  */
+
 import cpp
 
 /**
  * Returns an algorithm that is known to be insecure.
  */
-string algorithmBlacklist() {
+string getAnInsecureAlgorithmName() {
   result = "DES" or
   result = "RC2" or
   result = "RC4" or
@@ -18,7 +19,7 @@ string algorithmBlacklist() {
  * Returns the name of a hash algorithm that is insecure if it is being used for
  * encryption (but it is hard to know when that is happening).
  */
-string hashAlgorithmBlacklist() {
+string getAnInsecureHashAlgorithmName() {
   result = "SHA1" or
   result = "MD5"
 }
@@ -27,23 +28,23 @@ string hashAlgorithmBlacklist() {
  * Returns a regular expression for matching strings that look like they
  * contain an algorithm that is known to be insecure.
  */
-string algorithmBlacklistRegex() {
+string getInsecureAlgorithmRegex() {
   result =
     // algorithms usually appear in names surrounded by characters that are not
     // alphabetical characters in the same case. This handles the upper and lower
     // case cases
-    "(^|.*[^A-Z])(" + strictconcat(algorithmBlacklist(), "|") + ")([^A-Z].*|$)" + "|" +
+    "(^|.*[^A-Z])(" + strictconcat(getAnInsecureAlgorithmName(), "|") + ")([^A-Z].*|$)" + "|" +
       // for lowercase, we want to be careful to avoid being confused by camelCase
       // hence we require two preceding uppercase letters to be sure of a case switch,
       // or a preceding non-alphabetic character
-      "(^|.*[A-Z]{2}|.*[^a-zA-Z])(" + strictconcat(algorithmBlacklist().toLowerCase(), "|") +
+      "(^|.*[A-Z]{2}|.*[^a-zA-Z])(" + strictconcat(getAnInsecureAlgorithmName().toLowerCase(), "|") +
       ")([^a-z].*|$)"
 }
 
 /**
  * Returns an algorithms that is known to be secure.
  */
-string algorithmWhitelist() {
+string getASecureAlgorithmName() {
   result = "RSA" or
   result = "SHA256" or
   result = "CCM" or
@@ -57,16 +58,44 @@ string algorithmWhitelist() {
  * Returns a regular expression for matching strings that look like they
  * contain an algorithm that is known to be secure.
  */
-string algorithmWhitelistRegex() {
-  // The implementation of this is a duplicate of algorithmBlacklistRegex, as
+string getSecureAlgorithmRegex() {
+  // The implementation of this is a duplicate of getInsecureAlgorithmRegex, as
   // it isn't possible to have string -> string functions at the moment
   // algorithms usually appear in names surrounded by characters that are not
   // alphabetical characters in the same case. This handles the upper and lower
   // case cases
-  result = "(^|.*[^A-Z])" + algorithmWhitelist() + "([^A-Z].*|$)"
+  result = "(^|.*[^A-Z])" + getASecureAlgorithmName() + "([^A-Z].*|$)"
   or
   // for lowercase, we want to be careful to avoid being confused by camelCase
   // hence we require two preceding uppercase letters to be sure of a case
   // switch, or a preceding non-alphabetic character
-  result = "(^|.*[A-Z]{2}|.*[^a-zA-Z])" + algorithmWhitelist().toLowerCase() + "([^a-z].*|$)"
+  result = "(^|.*[A-Z]{2}|.*[^a-zA-Z])" + getASecureAlgorithmName().toLowerCase() + "([^a-z].*|$)"
 }
+
+/**
+ * DEPRECATED: Terminology has been updated. Use `getAnInsecureAlgorithmName()`
+ * instead.
+ */
+deprecated string algorithmBlacklist() { result = getAnInsecureAlgorithmName() }
+
+/**
+ * DEPRECATED: Terminology has been updated. Use
+ * `getAnInsecureHashAlgorithmName()` instead.
+ */
+deprecated string hashAlgorithmBlacklist() { result = getAnInsecureHashAlgorithmName() }
+
+/**
+ * DEPRECATED: Terminology has been updated. Use `getInsecureAlgorithmRegex()` instead.
+ */
+deprecated string algorithmBlacklistRegex() { result = getInsecureAlgorithmRegex() }
+
+/**
+ * DEPRECATED: Terminology has been updated. Use `getASecureAlgorithmName()`
+ * instead.
+ */
+deprecated string algorithmWhitelist() { result = getASecureAlgorithmName() }
+
+/**
+ * DEPRECATED: Terminology has been updated. Use `getSecureAlgorithmRegex()` instead.
+ */
+deprecated string algorithmWhitelistRegex() { result = getSecureAlgorithmRegex() }

Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,7 @@ abstract class InsecureCryptoSpec extends Locatable {`
`18`	`18`	`}`
`19`	`19`
`20`	`20`	`Function getAnInsecureFunction() {`
`21`		`- result.getName().regexpMatch(algorithmBlacklistRegex()) and`
	`21`	`+ result.getName().regexpMatch(getInsecureAlgorithmRegex()) and`
`22`	`22`	`exists(result.getACallToThisFunction())`
`23`	`23`	`}`
`24`	`24`
`@@ -33,7 +33,7 @@ class InsecureFunctionCall extends InsecureCryptoSpec, FunctionCall {`
`33`	`33`	`}`
`34`	`34`
`35`	`35`	`Macro getAnInsecureMacro() {`
`36`		`- result.getName().regexpMatch(algorithmBlacklistRegex()) and`
	`36`	`+ result.getName().regexpMatch(getInsecureAlgorithmRegex()) and`
`37`	`37`	`exists(result.getAnInvocation())`
`38`	`38`	`}`
`39`	`39`