Merge pull request github#16482 from grakshith/rakshith/tune-java-crypto

atorralba · web-flow · commit 7336dd1ae55b · 2024-06-10T17:27:35.000+02:00
Java: Add RSA/ECB/OEAP ciphers to the list of secure algorithms
diff --git a/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll b/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll
@@ -15,6 +15,8 @@ private class ShortStringLiteral extends StringLiteral {
 class BrokenAlgoLiteral extends ShortStringLiteral {
   BrokenAlgoLiteral() {
     this.getValue().regexpMatch(getInsecureAlgorithmRegex()) and
+    // Exclude RSA/ECB/.* ciphers.
+    not this.getValue().regexpMatch("RSA/ECB.*") and
     // Exclude German and French sentences.
     not this.getValue().regexpMatch(".*\\p{IsLowercase} des \\p{IsLetter}.*")
   }
diff --git a/java/ql/src/change-notes/2024-05-13-rsa-ecb-secure.md b/java/ql/src/change-notes/2024-05-13-rsa-ecb-secure.md
@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* The query `java/weak-cryptographic-algorithm` no longer alerts about `RSA/ECB` algorithm strings.

Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,8 @@ private class ShortStringLiteral extends StringLiteral {`
`15`	`15`	`class BrokenAlgoLiteral extends ShortStringLiteral {`
`16`	`16`	`BrokenAlgoLiteral() {`
`17`	`17`	`this.getValue().regexpMatch(getInsecureAlgorithmRegex()) and`
	`18`	`+ // Exclude RSA/ECB/.* ciphers.`
	`19`	`+ not this.getValue().regexpMatch("RSA/ECB.*") and`
`18`	`20`	`// Exclude German and French sentences.`
`19`	`21`	`not this.getValue().regexpMatch(".\\p{IsLowercase} des \\p{IsLetter}.")`
`20`	`22`	`}`
-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: majorAnalysis
 +---
 +* The query `java/weak-cryptographic-algorithm` no longer alerts about `RSA/ECB` algorithm strings.