Exclude broken algorithms from the list of secure algorithms

luchua-bc · luchua-bc · commit bed8a68d2805 · 2020-12-17T00:41:23.000Z
diff --git a/java/ql/src/semmle/code/java/security/Encryption.qll b/java/ql/src/semmle/code/java/security/Encryption.qll
@@ -99,7 +99,7 @@ string getAnInsecureAlgorithmName() {
   result = "RC5" or
   result = "ARCFOUR" or // a variant of RC4
   result = "ECB" or // encryption mode ECB like AES/ECB/NoPadding is vulnerable to replay and other attacks
-  result = "AES/CBC/PKCS5Padding" // CBC mode of operation with PKCS#5 (or PKCS#7) padding is vulnerable to padding oracle attacks
+  result = "AES/CBC/PKCS[5|7]Padding" // CBC mode of operation with PKCS#5 (or PKCS#7) padding is vulnerable to padding oracle attacks
 }
 
 /**
@@ -141,7 +141,7 @@ string getASecureAlgorithmName() {
   result = "SHA512" or
   result = "CCM" or
   result = "GCM" or
-  result = "AES" or
+  result = "AES([^a-zA-Z](?!ECB|CBC/PKCS[5|7]Padding)).*" or
   result = "Blowfish" or
   result = "ECIES"
 }
diff --git a/java/ql/test/library-tests/Encryption/Test.java b/java/ql/test/library-tests/Encryption/Test.java
@@ -14,7 +14,6 @@ class Test {
 			"AES/ECB/NoPadding",
 			"AES/CBC/PKCS5Padding");
 
-
 	List<String> goodStrings = Arrays.asList(
 			"AES",
 			"AES_function",
diff --git a/java/ql/test/library-tests/Encryption/cryptoalgospec.expected b/java/ql/test/library-tests/Encryption/cryptoalgospec.expected
@@ -1,2 +1,2 @@
-| Test.java:35:4:35:17 | super(...) | Test.java:35:10:35:15 | "some" |
-| Test.java:39:3:39:38 | getInstance(...) | Test.java:39:29:39:37 | "another" |
+| Test.java:37:4:37:17 | super(...) | Test.java:37:10:37:15 | "some" |
+| Test.java:41:3:41:38 | getInstance(...) | Test.java:41:29:41:37 | "another" |
diff --git a/java/ql/test/library-tests/Encryption/secure.expected b/java/ql/test/library-tests/Encryption/secure.expected
@@ -1,2 +1,2 @@
-| Test.java:16:4:16:8 | "AES" |
-| Test.java:17:4:17:17 | "AES_function" |
+| Test.java:18:4:18:8 | "AES" |
+| Test.java:19:4:19:17 | "AES_function" |
