Move language-agnostic model to shared library

nicolaswill · nicolaswill · commit 3dc28c2d17d9 · 2025-02-06T21:54:18.000+01:00
diff --git a/cpp/ql/lib/experimental/Quantum/Language.qll b/cpp/ql/lib/experimental/Quantum/Language.qll
@@ -1,4 +1,4 @@
-private import Base
+private import codeql.cryptography.Model
 private import cpp as Lang
 
 module CryptoInput implements InputSig<Lang::Location> {
diff --git a/cpp/ql/lib/experimental/Quantum/OpenSSL.qll b/cpp/ql/lib/experimental/Quantum/OpenSSL.qll
@@ -77,6 +77,8 @@ module OpenSSLModel {
 
     HKDF() { algorithmStringToKDFFetchArgFlow("HKDF", origin, this) }
 
+    override string getRawAlgorithmName() { result = origin.getValue() }
+
     override Crypto::HashAlgorithm getHashAlgorithm() { none() }
 
     override Crypto::LocatableElement getOrigin(string name) {
@@ -89,6 +91,8 @@ module OpenSSLModel {
 
     PKCS12KDF() { algorithmStringToKDFFetchArgFlow("PKCS12KDF", origin, this) }
 
+    override string getRawAlgorithmName() { result = origin.getValue() }
+
     override Crypto::HashAlgorithm getHashAlgorithm() { none() }
 
     override Crypto::NodeBase getOrigin(string name) {
diff --git a/cpp/ql/lib/qlpack.yml b/cpp/ql/lib/qlpack.yml
@@ -6,6 +6,7 @@ extractor: cpp
 library: true
 upgrades: upgrades
 dependencies:
+  codeql/cryptography: ${workspace}
   codeql/dataflow: ${workspace}
   codeql/mad: ${workspace}
   codeql/rangeanalysis: ${workspace}
diff --git a/misc/scripts/cryptography/cbom.sh b/misc/scripts/cryptography/cbom.sh
@@ -2,7 +2,7 @@
 
 CODEQL_PATH="/Users/nicolaswill/Library/Application Support/Code/User/globalStorage/github.vscode-codeql/distribution5/codeql/codeql"
 DATABASE_PATH="/Users/nicolaswill/openssl_codeql/openssl/openssl_db"
-QUERY_FILE="CBOMGraph.ql"
+QUERY_FILE="/Users/nicolaswill/pqc/codeql/cpp/ql/src/experimental/Quantum/CBOMGraph.ql"
 OUTPUT_DIR="graph_output"
 
 python3 generate_cbom.py -c "$CODEQL_PATH" -d "$DATABASE_PATH" -q "$QUERY_FILE" -o "$OUTPUT_DIR"
diff --git a/misc/scripts/cryptography/generate_cbom.py b/misc/scripts/cryptography/generate_cbom.py
diff --git a/shared/cryptography/codeql/cryptography/Model.qll b/shared/cryptography/codeql/cryptography/Model.qll
@@ -94,7 +94,7 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
      */
     abstract string getAlgorithmName();
 
-     /**
+    /**
      * Gets the raw name of this algorithm from source (no parsing or formatting)
      */
     abstract string getRawAlgorithmName();
@@ -151,7 +151,6 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
     abstract THashType getHashType();
 
     override string getAlgorithmName() { this.hashTypeToNameMapping(this.getHashType(), result) }
-
   }
 
   /**
@@ -199,26 +198,23 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
   }
 
   newtype TEllipticCurveFamilyType =
-  // We're saying by this that all of these have an identical interface / properties / edges
-  NIST() or
-  SEC() or
-  NUMS() or
-  PRIME() or
-  BRAINPOOL() or
-  CURVE25519() or
-  CURVE448() or
-  C2() or
-  SM2() or
-  ES() or
-  OtherEllipticCurveFamilyType()
-
+    // We're saying by this that all of these have an identical interface / properties / edges
+    NIST() or
+    SEC() or
+    NUMS() or
+    PRIME() or
+    BRAINPOOL() or
+    CURVE25519() or
+    CURVE448() or
+    C2() or
+    SM2() or
+    ES() or
+    OtherEllipticCurveFamilyType()
 
   /**
    * Elliptic curve algorithm
    */
   abstract class EllipticCurve extends Algorithm {
-
-
     abstract string getKeySize(Location location);
 
     abstract TEllipticCurveFamilyType getCurveFamilyType();
@@ -235,18 +231,18 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
       // other properties, like field type are possible, but not modeled until considered necessary
     }
 
-    override string getAlgorithmName() { result = this.getRawAlgorithmName().toUpperCase()}
+    override string getAlgorithmName() { result = this.getRawAlgorithmName().toUpperCase() }
 
     /**
      * Mandating that for Elliptic Curves specifically, users are responsible
-     * for providing as the 'raw' name, the official name of the algorithm. 
-     * Casing doesn't matter, we will enforce further naming restrictions on 
-     * `getAlgorithmName` by default. 
+     * for providing as the 'raw' name, the official name of the algorithm.
+     * Casing doesn't matter, we will enforce further naming restrictions on
+     * `getAlgorithmName` by default.
      * Rationale: elliptic curve names can have a lot of variation in their components
      * (e.g., "secp256r1" vs "P-256"), trying to produce generalized set of properties
-     * is possible to capture all cases, but such modeling is likely not necessary. 
-     * if all properties need to be captured, we can reassess how names are generated. 
+     * is possible to capture all cases, but such modeling is likely not necessary.
+     * if all properties need to be captured, we can reassess how names are generated.
      */
-    override abstract string getRawAlgorithmName();
+    abstract override string getRawAlgorithmName();
   }
 }
diff --git a/shared/cryptography/qlpack.yml b/shared/cryptography/qlpack.yml
@@ -0,0 +1,7 @@
+name: codeql/cryptography
+version: 0.0.0-dev
+groups: shared
+library: true
+dependencies:
+  codeql/util: ${workspace}
+warnOnImplicitThis: true

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-private import Base`
	`1`	`+private import codeql.cryptography.Model`
`2`	`2`	`private import cpp as Lang`
`3`	`3`
`4`	`4`	`module CryptoInput implements InputSig<Lang::Location> {`