add path-graph back to query alerts

Jami Cogswell · Jami Cogswell · commit 3e8748e63901 · 2022-10-11T16:56:11.000-04:00
diff --git a/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll b/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll
@@ -2,12 +2,11 @@
 
 import semmle.code.java.security.Encryption
 import semmle.code.java.dataflow.DataFlow
-import semmle.code.java.dataflow.DataFlow2
 
 /**
  * An Asymmetric (RSA, DSA, DH) key length data flow tracking configuration.
  */
-class AsymmetricNonECKeyTrackingConfiguration extends DataFlow2::Configuration {
+class AsymmetricNonECKeyTrackingConfiguration extends DataFlow::Configuration {
   AsymmetricNonECKeyTrackingConfiguration() { this = "AsymmetricNonECKeyTrackingConfiguration" }
 
   override predicate isSource(DataFlow::Node source) {
@@ -52,7 +51,7 @@ class AsymmetricNonECKeyTrackingConfiguration extends DataFlow2::Configuration {
 /**
  * An Asymmetric (EC) key length data flow tracking configuration.
  */
-class AsymmetricECKeyTrackingConfiguration extends DataFlow2::Configuration {
+class AsymmetricECKeyTrackingConfiguration extends DataFlow::Configuration {
   AsymmetricECKeyTrackingConfiguration() { this = "AsymmetricECKeyTrackingConfiguration" }
 
   override predicate isSource(DataFlow::Node source) {
@@ -88,7 +87,7 @@ class AsymmetricECKeyTrackingConfiguration extends DataFlow2::Configuration {
 /**
  * A Symmetric (AES) key length data flow tracking configuration.
  */
-class SymmetricKeyTrackingConfiguration extends DataFlow2::Configuration {
+class SymmetricKeyTrackingConfiguration extends DataFlow::Configuration {
   SymmetricKeyTrackingConfiguration() { this = "SymmetricKeyTrackingConfiguration" }
 
   override predicate isSource(DataFlow::Node source) {
diff --git a/java/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql b/java/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
@@ -2,7 +2,7 @@
  * @name Insufficient key size used with a cryptographic algorithm
  * @description Using cryptographic algorithms with too small of a key size can
  *              allow an attacker to compromise security.
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @security-severity 7.5
  * @precision high
@@ -13,10 +13,11 @@
 
 import java
 import semmle.code.java.security.InsufficientKeySizeQuery
+import DataFlow::PathGraph
 
-from DataFlow::Node source, DataFlow::Node sink
+from DataFlow::PathNode source, DataFlow::PathNode sink
 where
-  exists(AsymmetricNonECKeyTrackingConfiguration config1 | config1.hasFlow(source, sink)) or
-  exists(AsymmetricECKeyTrackingConfiguration config2 | config2.hasFlow(source, sink)) or
-  exists(SymmetricKeyTrackingConfiguration config3 | config3.hasFlow(source, sink))
-select sink, "This $@ is too small.", source, "key size"
+  exists(AsymmetricNonECKeyTrackingConfiguration config1 | config1.hasFlowPath(source, sink)) or
+  exists(AsymmetricECKeyTrackingConfiguration config2 | config2.hasFlowPath(source, sink)) or
+  exists(SymmetricKeyTrackingConfiguration config3 | config3.hasFlowPath(source, sink))
+select sink.getNode(), source, sink, "This $@ is too small.", source.getNode(), "key size"
