Java: add SHA3 family to list of secure crypto algorithms

aibaars · aibaars · commit c6eaed343d25 · 2024-11-22T19:03:00.000+01:00
diff --git a/java/ql/lib/semmle/code/java/security/Encryption.qll b/java/ql/lib/semmle/code/java/security/Encryption.qll
@@ -250,7 +250,7 @@ string getASecureAlgorithmName() {
   result =
     [
       "RSA", "SHA-?256", "SHA-?512", "CCM", "GCM", "AES(?![^a-zA-Z](ECB|CBC/PKCS[57]Padding))",
-      "Blowfish", "ECIES"
+      "Blowfish", "ECIES", "SHA3-(224|256|384|512)"
     ]
 }
 
diff --git a/java/ql/src/change-notes/2024-11-22-sha3.md b/java/ql/src/change-notes/2024-11-22-sha3.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added SHA3 to the list of secure hashing algorithms. As a result the `java/potentially-weak-cryptographic-algorithm` query should no longer flag up uses of SHA3.
diff --git a/java/ql/test/query-tests/security/CWE-327/semmle/tests/MaybeBrokenCryptoAlgorithm.expected b/java/ql/test/query-tests/security/CWE-327/semmle/tests/MaybeBrokenCryptoAlgorithm.expected
@@ -4,11 +4,9 @@ nodes
 | WeakHashing.java:15:55:15:83 | getProperty(...) | semmle.label | getProperty(...) |
 | WeakHashing.java:18:56:18:95 | getProperty(...) | semmle.label | getProperty(...) |
 | WeakHashing.java:21:56:21:91 | getProperty(...) | semmle.label | getProperty(...) |
-| WeakHashing.java:30:55:30:64 | "SHA3-512" | semmle.label | "SHA3-512" |
 subpaths
 #select
 | Test.java:34:21:34:53 | new SecretKeySpec(...) | Test.java:34:48:34:52 | "foo" | Test.java:34:48:34:52 | "foo" | Cryptographic algorithm $@ may not be secure, consider using a different algorithm. | Test.java:34:48:34:52 | "foo" | foo |
 | WeakHashing.java:15:29:15:84 | getInstance(...) | WeakHashing.java:15:55:15:83 | getProperty(...) | WeakHashing.java:15:55:15:83 | getProperty(...) | Cryptographic algorithm $@ may not be secure, consider using a different algorithm. | WeakHashing.java:15:55:15:83 | getProperty(...) | MD5 |
 | WeakHashing.java:18:30:18:96 | getInstance(...) | WeakHashing.java:18:56:18:95 | getProperty(...) | WeakHashing.java:18:56:18:95 | getProperty(...) | Cryptographic algorithm $@ may not be secure, consider using a different algorithm. | WeakHashing.java:18:56:18:95 | getProperty(...) | MD5 |
 | WeakHashing.java:21:30:21:92 | getInstance(...) | WeakHashing.java:21:56:21:91 | getProperty(...) | WeakHashing.java:21:56:21:91 | getProperty(...) | Cryptographic algorithm $@ may not be secure, consider using a different algorithm. | WeakHashing.java:21:56:21:91 | getProperty(...) | MD5 |
-| WeakHashing.java:30:29:30:65 | getInstance(...) | WeakHashing.java:30:55:30:64 | "SHA3-512" | WeakHashing.java:30:55:30:64 | "SHA3-512" | Cryptographic algorithm $@ may not be secure, consider using a different algorithm. | WeakHashing.java:30:55:30:64 | "SHA3-512" | SHA3-512 |

Original file line number	Diff line number	Diff line change
`@@ -250,7 +250,7 @@ string getASecureAlgorithmName() {`
`250`	`250`	`result =`
`251`	`251`	`[`
`252`	`252`	`"RSA", "SHA-?256", "SHA-?512", "CCM", "GCM", "AES(?![^a-zA-Z](ECB\|CBC/PKCS[57]Padding))",`
`253`		`- "Blowfish", "ECIES"`
	`253`	`+ "Blowfish", "ECIES", "SHA3-(224\|256\|384\|512)"`
`254`	`254`	`]`
`255`	`255`	`}`
`256`	`256`
-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Added SHA3 to the list of secure hashing algorithms. As a result the `java/potentially-weak-cryptographic-algorithm` query should no longer flag up uses of SHA3.