@@ -28,7 +28,7 @@ Function getAnInsecureEncryptionFunction() {
2828/**
2929 * A function with additional evidence it is related to encryption.
3030 */
31- Function getAdditionalEvidenceFunction ( ) {
31+ Function getAnAdditionalEvidenceFunction ( ) {
3232 (
3333 isEncryptionAdditionalEvidence ( result .getName ( ) ) or
3434 isEncryptionAdditionalEvidence ( result .getAParameter ( ) .getName ( ) )
@@ -47,7 +47,7 @@ Macro getAnInsecureEncryptionMacro() {
4747/**
4848 * A macro with additional evidence it is related to encryption.
4949 */
50- Macro getAdditionalEvidenceMacro ( ) {
50+ Macro getAnAdditionalEvidenceMacro ( ) {
5151 isEncryptionAdditionalEvidence ( result .getName ( ) ) and
5252 exists ( result .getAnInvocation ( ) )
5353}
@@ -63,61 +63,78 @@ EnumConstant getAnInsecureEncryptionEnumConst() { isInsecureEncryption(result.ge
6363EnumConstant getAdditionalEvidenceEnumConst ( ) { isEncryptionAdditionalEvidence ( result .getName ( ) ) }
6464
6565/**
66- * A function call we have a high confidence is related to use of an insecure
67- * encryption algorithm .
66+ * A function call we have a high confidence is related to use of an insecure encryption algorithm, along
67+ * with an associated `Element` which might be the best point to blame, and a description of that element .
6868 */
69- class InsecureFunctionCall extends FunctionCall {
70- Element blame ;
71- string explain ;
69+ predicate getInsecureEncryptionEvidence ( FunctionCall fc , Element blame , string description ) {
70+ // find use of an insecure algorithm name
71+ (
72+ fc .getTarget ( ) = getAnInsecureEncryptionFunction ( ) and
73+ blame = fc and
74+ description = "call to " + fc .getTarget ( ) .getName ( )
75+ or
76+ exists ( MacroInvocation mi |
77+ (
78+ mi .getAnExpandedElement ( ) = fc or
79+ mi .getAnExpandedElement ( ) = fc .getAnArgument ( )
80+ ) and
81+ mi .getMacro ( ) = getAnInsecureEncryptionMacro ( ) and
82+ blame = mi and
83+ description = "invocation of macro " + mi .getMacro ( ) .getName ( )
84+ )
85+ or
86+ exists ( EnumConstantAccess ec |
87+ ec = fc .getAnArgument ( ) and
88+ ec .getTarget ( ) = getAnInsecureEncryptionEnumConst ( ) and
89+ blame = ec and
90+ description = "access of enum constant " + ec .getTarget ( ) .getName ( )
91+ )
92+ ) and
93+ // find additional evidence that this function is related to encryption.
94+ (
95+ fc .getTarget ( ) = getAnAdditionalEvidenceFunction ( )
96+ or
97+ exists ( MacroInvocation mi |
98+ (
99+ mi .getAnExpandedElement ( ) = fc or
100+ mi .getAnExpandedElement ( ) = fc .getAnArgument ( )
101+ ) and
102+ mi .getMacro ( ) = getAnAdditionalEvidenceMacro ( )
103+ )
104+ or
105+ exists ( EnumConstantAccess ec |
106+ ec = fc .getAnArgument ( ) and
107+ ec .getTarget ( ) = getAdditionalEvidenceEnumConst ( )
108+ )
109+ )
110+ }
111+
112+ /**
113+ * An element that is the `blame` of an `InsecureFunctionCall`.
114+ */
115+ class BlamedElement extends Element {
116+ string description ;
117+
118+ BlamedElement ( ) { getInsecureEncryptionEvidence ( _, this , description ) }
72119
73- InsecureFunctionCall ( ) {
74- // find use of an insecure algorithm name
75- (
76- getTarget ( ) = getAnInsecureEncryptionFunction ( ) and
77- blame = this and
78- explain = "function call"
79- or
80- exists ( MacroInvocation mi |
81- (
82- mi .getAnExpandedElement ( ) = this or
83- mi .getAnExpandedElement ( ) = this .getAnArgument ( )
84- ) and
85- mi .getMacro ( ) = getAnInsecureEncryptionMacro ( ) and
86- blame = mi and
87- explain = "macro invocation"
88- )
89- or
90- exists ( EnumConstantAccess ec |
91- ec = this .getAnArgument ( ) and
92- ec .getTarget ( ) = getAnInsecureEncryptionEnumConst ( ) and
93- blame = ec and
94- explain = "enum constant access"
95- )
96- ) and
97- // find additional evidence that this function is related to encryption.
98- (
99- getTarget ( ) = getAdditionalEvidenceFunction ( )
100- or
101- exists ( MacroInvocation mi |
102- (
103- mi .getAnExpandedElement ( ) = this or
104- mi .getAnExpandedElement ( ) = this .getAnArgument ( )
105- ) and
106- mi .getMacro ( ) = getAdditionalEvidenceMacro ( )
107- )
108- or
109- exists ( EnumConstantAccess ec |
110- ec = this .getAnArgument ( ) and
111- ec .getTarget ( ) = getAdditionalEvidenceEnumConst ( )
112- )
120+ /**
121+ * Holds if this is the `num`-th `BlamedElement` in `f`.
122+ */
123+ predicate hasFileRank ( File f , int num ) {
124+ exists ( int loc |
125+ getLocation ( ) .charLoc ( f , loc , _) and
126+ loc =
127+ rank [ num ] ( BlamedElement other , int loc2 | other .getLocation ( ) .charLoc ( f , loc2 , _) | loc2 )
113128 )
114129 }
115130
116- Element getBlame ( ) { result = blame }
117-
118- string getDescription ( ) { result = explain }
131+ string getDescription ( ) { result = description }
119132}
120133
121- from InsecureFunctionCall c
122- select c .getBlame ( ) ,
123- "This " + c .getDescription ( ) + " specifies a broken or weak cryptographic algorithm."
134+ from File f , BlamedElement firstResult , BlamedElement thisResult
135+ where
136+ firstResult .hasFileRank ( f , 1 ) and
137+ thisResult .hasFileRank ( f , _)
138+ select firstResult ,
139+ "This file makes use of a broken or weak cryptographic algorithm (specified by $@)." , thisResult ,
140+ thisResult .getDescription ( )
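Review bot: The QLDoc on `BlamedElement` (new line 113) still says it is "the `blame` of an `InsecureFunctionCall`", but this same hunk deletes the `InsecureFunctionCall` class, so the comment now describes a class that no longer exists in the file; I would replace it with `/** An element that is the blame of some getInsecureEncryptionEvidence tuple, together with the description of that evidence. */`. Separately, `rank[num](...)` in `hasFileRank` (new line 127) ranks the distinct start offsets `loc2`, not the elements, so if two `BlamedElement`s in one file share a start offset, both satisfy `hasFileRank(f, 1)` and the query emits more than one primary result for that file instead of one; this looks plausible here because a `MacroInvocation` and the `FunctionCall` it expands to can both be blamed for the same `fc`, though I cannot confirm their locations coincide from this hunk alone. A tie-break on the end offset that `charLoc` also exposes, or an explicit check that no other `BlamedElement` ties at rank 1, would keep the one-alert-per-file intent stated in the message string. The `hasFileRank` doc could also state that `num` is 1-based and ordered by character offset within `f`, which is what the `rank` expression implements.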