Merge pull request #18084 from github/aibaars/java-sha3

aibaars · web-flow · commit c2b342f1a007 · 2024-11-25T15:07:43.000+01:00
Java: add SHA3 family to list of secure crypto algorithms
diff --git a/java/ql/lib/semmle/code/java/security/Encryption.qll b/java/ql/lib/semmle/code/java/security/Encryption.qll
@@ -247,7 +247,7 @@ string getASecureAlgorithmName() {
   result =
     [
       "RSA", "SHA-?256", "SHA-?512", "CCM", "GCM", "AES(?![^a-zA-Z](ECB|CBC/PKCS[57]Padding))",
-      "Blowfish", "ECIES"
+      "Blowfish", "ECIES", "SHA3-(256|384|512)"
     ]
 }
 
diff --git a/java/ql/src/change-notes/2024-11-22-sha3.md b/java/ql/src/change-notes/2024-11-22-sha3.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added SHA3 to the list of secure hashing algorithms. As a result the `java/potentially-weak-cryptographic-algorithm` query should no longer flag up uses of SHA3.
diff --git a/java/ql/test/query-tests/security/CWE-327/semmle/tests/WeakHashing.java b/java/ql/test/query-tests/security/CWE-327/semmle/tests/WeakHashing.java
@@ -25,5 +25,8 @@ void hashing() throws NoSuchAlgorithmException, IOException {
 
         // OK: Property does not exist and default is secure
         MessageDigest ok2 = MessageDigest.getInstance(props.getProperty("hashAlg3", "SHA-256"));
+
+        // GOOD: Using a strong hashing algorithm
+        MessageDigest ok3 = MessageDigest.getInstance("SHA3-512");
     }
-}
+}

Original file line number	Diff line number	Diff line change
`@@ -247,7 +247,7 @@ string getASecureAlgorithmName() {`
`247`	`247`	`result =`
`248`	`248`	`[`
`249`	`249`	`"RSA", "SHA-?256", "SHA-?512", "CCM", "GCM", "AES(?![^a-zA-Z](ECB\|CBC/PKCS[57]Padding))",`
`250`		`- "Blowfish", "ECIES"`
	`250`	`+ "Blowfish", "ECIES", "SHA3-(256\|384\|512)"`
`251`	`251`	`]`
`252`	`252`	`}`
`253`	`253`
-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Added SHA3 to the list of secure hashing algorithms. As a result the `java/potentially-weak-cryptographic-algorithm` query should no longer flag up uses of SHA3.
Original file line number	Diff line number	Diff line change
`@@ -25,5 +25,8 @@ void hashing() throws NoSuchAlgorithmException, IOException {`
`25`	`25`
`26`	`26`	`// OK: Property does not exist and default is secure`
`27`	`27`	`MessageDigest ok2 = MessageDigest.getInstance(props.getProperty("hashAlg3", "SHA-256"));`
	`28`	`+`
	`29`	`+ // GOOD: Using a strong hashing algorithm`
	`30`	`+ MessageDigest ok3 = MessageDigest.getInstance("SHA3-512");`
`28`	`31`	`}`
`29`		`-}`
	`32`	`+}`