Swift: Add CSV extension points to the encryption queries.

Author: geoffw0

swift/ql/lib/codeql/swift/security/ConstantPasswordExtensions.qll

@@ -5,6 +5,7 @@
 
 import swift
 import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.ExternalFlow
 
 /**
  * A dataflow sink for constant password vulnerabilities. That is,
@@ -65,3 +66,10 @@ private class RnCryptorPasswordSink extends ConstantPasswordSink {
     )
   }
 }
+
+/**
+ * A sink defined in a CSV model.
+ */
+private class DefaultPasswordSink extends ConstantPasswordSink {
+  DefaultPasswordSink() { sinkNode(this, "encryption-password") }
+}

swift/ql/lib/codeql/swift/security/ConstantSaltExtensions.qll

@@ -5,6 +5,7 @@
 
 import swift
 import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.ExternalFlow
 
 /**
  * A dataflow sink for constant salt vulnerabilities. That is,
@@ -57,3 +58,10 @@ private class RnCryptorSaltSink extends ConstantSaltSink {
     )
   }
 }
+
+/**
+ * A sink defined in a CSV model.
+ */
+private class DefaultSaltSink extends ConstantSaltSink {
+  DefaultSaltSink() { sinkNode(this, "encryption-salt") }
+}

swift/ql/lib/codeql/swift/security/ECBEncryptionExtensions.qll

@@ -5,6 +5,7 @@
 
 import swift
 import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.ExternalFlow
 
 /**
  * A dataflow source for ECB encryption vulnerabilities. That is,
@@ -77,3 +78,10 @@ private class Blowfish extends EcbEncryptionSink {
     )
   }
 }
+
+/**
+ * A sink defined in a CSV model.
+ */
+private class DefaultEcbEncryptionSink extends EcbEncryptionSink {
+  DefaultEcbEncryptionSink() { sinkNode(this, "encryption-block-mode") }
+}

swift/ql/lib/codeql/swift/security/HardcodedEncryptionKeyExtensions.qll

@@ -5,6 +5,7 @@
 
 import swift
 import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.ExternalFlow
 
 /**
  * A dataflow sink for hard-coded encryption key vulnerabilities. That is,
@@ -59,3 +60,10 @@ private class RnCryptorEncryptionKeySink extends HardcodedEncryptionKeySink {
     )
   }
 }
+
+/**
+ * A sink defined in a CSV model.
+ */
+private class DefaultEncryptionKeySink extends HardcodedEncryptionKeySink {
+  DefaultEncryptionKeySink() { sinkNode(this, "encryption-key") }
+}

swift/ql/lib/codeql/swift/security/InsecureTLSExtensions.qll

@@ -5,6 +5,7 @@
 
 import swift
 import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.ExternalFlow
 
 /**
  * A dataflow source for insecure TLS configuration vulnerabilities. That is,
@@ -59,3 +60,10 @@ private class NsUrlTlsExtensionsSink extends InsecureTlsExtensionsSink {
     )
   }
 }
+
+/**
+ * A sink defined in a CSV model.
+ */
+private class DefaultTlsExtensionsSink extends InsecureTlsExtensionsSink {
+  DefaultTlsExtensionsSink() { sinkNode(this, "tls-protocol-version") }
+}

swift/ql/lib/codeql/swift/security/InsufficientHashIterationsExtensions.qll

@@ -5,6 +5,7 @@
 
 import swift
 import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.ExternalFlow
 
 /**
  * A dataflow sink for insufficient hash interation vulnerabilities. That is,
@@ -43,3 +44,10 @@ private class CryptoSwiftHashIterationsSink extends InsufficientHashIterationsSi
     )
   }
 }
+
+/**
+ * A sink defined in a CSV model.
+ */
+private class DefaultHashIterationsSink extends InsufficientHashIterationsSink {
+  DefaultHashIterationsSink() { sinkNode(this, "hash-iteration-count") }
+}

swift/ql/lib/codeql/swift/security/StaticInitializationVectorExtensions.qll

@@ -5,6 +5,7 @@
 
 import swift
 import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.ExternalFlow
 
 /**
  * A dataflow sink for static initialization vector vulnerabilities. That is,
@@ -58,3 +59,10 @@ private class RnCryptorInitializationVectorSink extends StaticInitializationVect
     )
   }
 }
+
+/**
+ * A sink defined in a CSV model.
+ */
+private class DefaultInitializationVectorSink extends StaticInitializationVectorSink {
+  DefaultInitializationVectorSink() { sinkNode(this, "encryption-iv") }
+}

swift/ql/lib/codeql/swift/security/WeakSensitiveDataHashingExtensions.qll

@@ -6,9 +6,11 @@
 import swift
 import codeql.swift.security.SensitiveExprs
 import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.ExternalFlow
 
 /**
- * A dataflow sink for weak sensitive data hashing vulnerabilities.
+ * A dataflow sink for weak sensitive data hashing vulnerabilities. That is,
+ * a `DataFlow::Node` that is passed into a weak hashing function.
  */
 abstract class WeakSensitiveDataHashingSink extends DataFlow::Node {
   /**
@@ -51,3 +53,14 @@ private class CryptoSwiftWeakHashingSink extends WeakSensitiveDataHashingSink {
 
   override string getAlgorithm() { result = algorithm }
 }
+
+/**
+ * A sink defined in a CSV model.
+ */
+private class DefaultWeakHashingSink extends WeakSensitiveDataHashingSink {
+  string algorithm;
+
+  DefaultWeakHashingSink() { sinkNode(this, "weak-hash-input-" + algorithm) }
+
+  override string getAlgorithm() { result = algorithm }
+}