Swift: Effect on query tests.

Author: geoffw0

swift/ql/test/query-tests/Security/CWE-1204/StaticInitializationVector.expected

@@ -34,7 +34,7 @@ class Rabbit
 
 protocol BlockMode { }
 
-struct CBC: BlockMode { 
+struct CBC: BlockMode {
 	init(iv: Array<UInt8>) { }
 }
 
@@ -50,7 +50,7 @@ struct CFB: BlockMode {
 final class GCM: BlockMode {
 	enum Mode { case combined, detached }
 	init(iv: Array<UInt8>, additionalAuthenticatedData: Array<UInt8>? = nil, tagLength: Int = 16, mode: Mode = .detached) { }
-	convenience init(iv: Array<UInt8>, authenticationTag: Array<UInt8>, additionalAuthenticatedData: Array<UInt8>? = nil, mode: Mode = .detached) { 
+	convenience init(iv: Array<UInt8>, authenticationTag: Array<UInt8>, additionalAuthenticatedData: Array<UInt8>? = nil, mode: Mode = .detached) {
 		self.init(iv: iv, additionalAuthenticatedData: additionalAuthenticatedData, tagLength: authenticationTag.count, mode: mode)
 	}
 }
@@ -126,7 +126,7 @@ func test() {
 
 	// Rabbit
 	let rb1 = Rabbit(key: key, iv: iv) // BAD
-	let rb2 = Rabbit(key: key, iv: iv2) // BAD [NOT DETECTED]
+	let rb2 = Rabbit(key: key, iv: iv2) // BAD
 	let rb3 = Rabbit(key: keyString, iv: ivString) // BAD
 	let rg1 = Rabbit(key: key, iv: randomIv) // GOOD
 	let rg2 = Rabbit(key: keyString, iv: randomIvString) // GOOD

swift/ql/test/query-tests/Security/CWE-1204/test.swift

@@ -17,10 +17,18 @@ edges
 | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:105:32:105:32 | myConstPassword |
 | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:107:61:107:61 | myConstPassword |
 | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:108:97:108:97 | myConstPassword |
+| test.swift:29:3:29:3 | this string is constant | test.swift:33:10:33:28 | call to getConstantString() |
+| test.swift:33:2:33:34 | call to Array<Element>.init(_:) [Collection element] | test.swift:44:31:44:48 | call to getConstantArray() [Collection element] |
+| test.swift:33:10:33:28 | call to getConstantString() | test.swift:33:10:33:30 | .utf8 |
+| test.swift:33:10:33:30 | .utf8 | test.swift:33:2:33:34 | call to Array<Element>.init(_:) [Collection element] |
 | test.swift:43:39:43:134 | [...] | test.swift:51:30:51:30 | constantPassword |
 | test.swift:43:39:43:134 | [...] | test.swift:56:40:56:40 | constantPassword |
 | test.swift:43:39:43:134 | [...] | test.swift:62:40:62:40 | constantPassword |
 | test.swift:43:39:43:134 | [...] | test.swift:67:34:67:34 | constantPassword |
+| test.swift:44:31:44:48 | call to getConstantArray() [Collection element] | test.swift:52:30:52:30 | constantStringPassword |
+| test.swift:44:31:44:48 | call to getConstantArray() [Collection element] | test.swift:57:40:57:40 | constantStringPassword |
+| test.swift:44:31:44:48 | call to getConstantArray() [Collection element] | test.swift:63:40:63:40 | constantStringPassword |
+| test.swift:44:31:44:48 | call to getConstantArray() [Collection element] | test.swift:68:34:68:34 | constantStringPassword |
 nodes
 | rncryptor.swift:69:24:69:24 | abc123 | semmle.label | abc123 |
 | rncryptor.swift:77:89:77:89 | myConstPassword | semmle.label | myConstPassword |
@@ -41,11 +49,20 @@ nodes
 | rncryptor.swift:105:32:105:32 | myConstPassword | semmle.label | myConstPassword |
 | rncryptor.swift:107:61:107:61 | myConstPassword | semmle.label | myConstPassword |
 | rncryptor.swift:108:97:108:97 | myConstPassword | semmle.label | myConstPassword |
+| test.swift:29:3:29:3 | this string is constant | semmle.label | this string is constant |
+| test.swift:33:2:33:34 | call to Array<Element>.init(_:) [Collection element] | semmle.label | call to Array<Element>.init(_:) [Collection element] |
+| test.swift:33:10:33:28 | call to getConstantString() | semmle.label | call to getConstantString() |
+| test.swift:33:10:33:30 | .utf8 | semmle.label | .utf8 |
 | test.swift:43:39:43:134 | [...] | semmle.label | [...] |
+| test.swift:44:31:44:48 | call to getConstantArray() [Collection element] | semmle.label | call to getConstantArray() [Collection element] |
 | test.swift:51:30:51:30 | constantPassword | semmle.label | constantPassword |
+| test.swift:52:30:52:30 | constantStringPassword | semmle.label | constantStringPassword |
 | test.swift:56:40:56:40 | constantPassword | semmle.label | constantPassword |
+| test.swift:57:40:57:40 | constantStringPassword | semmle.label | constantStringPassword |
 | test.swift:62:40:62:40 | constantPassword | semmle.label | constantPassword |
+| test.swift:63:40:63:40 | constantStringPassword | semmle.label | constantStringPassword |
 | test.swift:67:34:67:34 | constantPassword | semmle.label | constantPassword |
+| test.swift:68:34:68:34 | constantStringPassword | semmle.label | constantStringPassword |
 subpaths
 #select
 | rncryptor.swift:77:89:77:89 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:77:89:77:89 | myConstPassword | The value 'abc123' is used as a constant password. |
@@ -67,6 +84,10 @@ subpaths
 | rncryptor.swift:107:61:107:61 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:107:61:107:61 | myConstPassword | The value 'abc123' is used as a constant password. |
 | rncryptor.swift:108:97:108:97 | myConstPassword | rncryptor.swift:69:24:69:24 | abc123 | rncryptor.swift:108:97:108:97 | myConstPassword | The value 'abc123' is used as a constant password. |
 | test.swift:51:30:51:30 | constantPassword | test.swift:43:39:43:134 | [...] | test.swift:51:30:51:30 | constantPassword | The value '[...]' is used as a constant password. |
+| test.swift:52:30:52:30 | constantStringPassword | test.swift:29:3:29:3 | this string is constant | test.swift:52:30:52:30 | constantStringPassword | The value 'this string is constant' is used as a constant password. |
 | test.swift:56:40:56:40 | constantPassword | test.swift:43:39:43:134 | [...] | test.swift:56:40:56:40 | constantPassword | The value '[...]' is used as a constant password. |
+| test.swift:57:40:57:40 | constantStringPassword | test.swift:29:3:29:3 | this string is constant | test.swift:57:40:57:40 | constantStringPassword | The value 'this string is constant' is used as a constant password. |
 | test.swift:62:40:62:40 | constantPassword | test.swift:43:39:43:134 | [...] | test.swift:62:40:62:40 | constantPassword | The value '[...]' is used as a constant password. |
+| test.swift:63:40:63:40 | constantStringPassword | test.swift:29:3:29:3 | this string is constant | test.swift:63:40:63:40 | constantStringPassword | The value 'this string is constant' is used as a constant password. |
 | test.swift:67:34:67:34 | constantPassword | test.swift:43:39:43:134 | [...] | test.swift:67:34:67:34 | constantPassword | The value '[...]' is used as a constant password. |
+| test.swift:68:34:68:34 | constantStringPassword | test.swift:29:3:29:3 | this string is constant | test.swift:68:34:68:34 | constantStringPassword | The value 'this string is constant' is used as a constant password. |

swift/ql/test/query-tests/Security/CWE-259/ConstantPassword.expected

@@ -46,25 +46,25 @@ func test() {
 	let randomArray = getRandomArray()
 	let variant = Variant.sha2
 	let iterations = 120120
-	
+
 	// HKDF test cases
 	let hkdfb1 = HKDF(password: constantPassword, salt: randomArray, info: randomArray, keyLength: 0, variant: variant) // BAD
-	let hkdfb2 = HKDF(password: constantStringPassword, salt: randomArray, info: randomArray, keyLength: 0, variant: variant) // BAD [NOT DETECTED]
+	let hkdfb2 = HKDF(password: constantStringPassword, salt: randomArray, info: randomArray, keyLength: 0, variant: variant) // BAD
 	let hkdfg1 = HKDF(password: randomPassword, salt: randomArray, info: randomArray, keyLength: 0, variant: variant) // GOOD
 
 	// PBKDF1 test cases
 	let pbkdf1b1 = PKCS5.PBKDF1(password: constantPassword, salt: randomArray, iterations: iterations, keyLength: 0) // BAD
-	let pbkdf1b2 = PKCS5.PBKDF1(password: constantStringPassword, salt: randomArray, iterations: iterations, keyLength: 0) // BAD [NOT DETECTED]
+	let pbkdf1b2 = PKCS5.PBKDF1(password: constantStringPassword, salt: randomArray, iterations: iterations, keyLength: 0) // BAD
 	let pbkdf1g1 = PKCS5.PBKDF1(password: randomPassword, salt: randomArray, iterations: iterations, keyLength: 0) // GOOD
 
 
 	// PBKDF2 test cases
 	let pbkdf2b1 = PKCS5.PBKDF2(password: constantPassword, salt: randomArray, iterations: iterations, keyLength: 0) // BAD
-	let pbkdf2b2 = PKCS5.PBKDF2(password: constantStringPassword, salt: randomArray, iterations: iterations, keyLength: 0) // BAD [NOT DETECTED]
+	let pbkdf2b2 = PKCS5.PBKDF2(password: constantStringPassword, salt: randomArray, iterations: iterations, keyLength: 0) // BAD
 	let pbkdf2g1 = PKCS5.PBKDF2(password: randomPassword, salt: randomArray, iterations: iterations, keyLength: 0) // GOOD
 
 	// Scrypt test cases
 	let scryptb1 = Scrypt(password: constantPassword, salt: randomArray, dkLen: 64, N: 16384, r: 8, p: 1) // BAD
-	let scryptb2 = Scrypt(password: constantStringPassword, salt: randomArray, dkLen: 64, N: 16384, r: 8, p: 1) // BAD [NOT DETECTED]
+	let scryptb2 = Scrypt(password: constantStringPassword, salt: randomArray, dkLen: 64, N: 16384, r: 8, p: 1) // BAD
 	let scryptg1 = Scrypt(password: randomPassword, salt: randomArray, dkLen: 64, N: 16384, r: 8, p: 1) // GOOD
-}
+}

swift/ql/test/query-tests/Security/CWE-259/test.swift

@@ -61,7 +61,7 @@ enum Variant {
 
 protocol BlockMode { }
 
-struct CBC: BlockMode { 
+struct CBC: BlockMode {
 	init() { }
 }
 
@@ -98,13 +98,13 @@ func test() {
 	let blockMode = CBC()
 	let padding = Padding.noPadding
 	let variant = Variant.sha2
-	
+
 	let iv = getRandomArray()
 	let ivString = String(cString: iv)
 
 	// AES test cases
-	let ab1 = AES(key: key2, blockMode: blockMode, padding: padding) // BAD [NOT DETECTED]
-	let ab2 = AES(key: key2, blockMode: blockMode) // BAD [NOT DETECTED]
+	let ab1 = AES(key: key2, blockMode: blockMode, padding: padding) // BAD
+	let ab2 = AES(key: key2, blockMode: blockMode) // BAD
 	let ab3 = AES(key: keyString, iv: ivString) // BAD
 	let ab4 = AES(key: keyString, iv: ivString, padding: padding) // BAD