C++: Experimental query for implementation of a cryptographic primitive #14972
base: main
Conversation
cpp/ql/src/experimental/Security/CWE/CWE-1240/CustomCryptographicPrimitive.ql
…expansion (I've seen this more than once).
30e91e0 to 521d98e
I've just replaced (via a rebase) the examples copied from Wikipedia with code I wrote myself. This is because I had a chat with some legal + open source people and there was a bit of uncertainty - nobody was 100% sure what I was doing was definitely OK. In any case the new tests are entirely written by me. It's slightly sad they're a bit less authentic but they work fine as tests. Also the latest commit is new - I've added
LGTM!
(I'm not sure what's wrong with the failing check, but it doesn't appear to be this PR at fault) Are you happy to have an experimental query that's missing
Yeah, that's not your fault. It was presumably caused by #15003 (which has now been reverted).
That's probably fine, yeah 👍
Adds an experimental query for detecting custom implementations of a cryptographic primitive (i.e. covering https://mas.owasp.org/MASTG/General/0x04g-Testing-Cryptography/#custom-implementations-of-cryptography
and parts of https://cwe.mitre.org/data/definitions/1240.html).
Currently @precision medium, because it flags established library encryption implementations just as happily as custom implementations and entirely custom algorithms. Though probably none of these should be in a database unless it's a database for a cryptography library.

Developed during a hackathon. Needs more work to be production quality - in particular it currently lacks:
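To make concrete what kind of code a CWE-1240 query like the one in this PR is meant to surface, here is an added example that is not part of the PR, its test files, or the CodeQL repository. It is a constructed, deliberately weak "homebrew" stream cipher (keystream from a 32-bit linear congruential generator seeded with the key, XORed into the data, no nonce, no authentication), followed by the known-plaintext attack that breaks it. The class name, key value and message strings are all hypothetical; the point is that the code round-trips correctly and so passes functional tests, yet one known plaintext under the key lets an attacker read every other message of that length without ever learning the key. That is why the MASTG guidance linked above says to use a vetted library rather than a custom primitive.

```cpp
// Added example (not the PR's code): a custom cryptographic primitive of the
// kind CWE-1240 warns about, plus the attack that shows why it is flagged.
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical custom primitive: a 32-bit LCG (classic Numerical Recipes
// constants) seeded with the key; the top byte of each state is XORed into
// the data. No nonce, so every message under a key uses the same keystream.
class HomebrewStreamCipher {
public:
    explicit HomebrewStreamCipher(uint32_t key) : state_(key) {}

    std::vector<uint8_t> apply(const std::vector<uint8_t>& in) {
        std::vector<uint8_t> out(in.size());
        for (size_t i = 0; i < in.size(); ++i) {
            out[i] = in[i] ^ nextByte();
        }
        return out;
    }

private:
    uint8_t nextByte() {
        state_ = state_ * 1664525u + 1013904223u;
        return static_cast<uint8_t>(state_ >> 24);
    }
    uint32_t state_;
};

std::vector<uint8_t> toBytes(const std::string& s) { return {s.begin(), s.end()}; }
std::string toString(const std::vector<uint8_t>& v) { return {v.begin(), v.end()}; }

// A fresh cipher per message, so each message restarts the same keystream.
std::vector<uint8_t> encrypt(uint32_t key, const std::string& plaintext) {
    HomebrewStreamCipher c(key);
    return c.apply(toBytes(plaintext));
}

std::string decrypt(uint32_t key, const std::vector<uint8_t>& ct) {
    HomebrewStreamCipher c(key);
    return toString(c.apply(ct));
}

// Attacker: knows one plaintext/ciphertext pair under the victim's key (for
// example a fixed protocol header), never learns the key, and recovers any
// other message of equal or shorter length encrypted under that key.
std::string knownPlaintextAttack(const std::string& knownPt,
                                 const std::vector<uint8_t>& knownCt,
                                 const std::vector<uint8_t>& targetCt) {
    std::vector<uint8_t> keystream(knownCt.size());
    for (size_t i = 0; i < knownCt.size(); ++i) {
        keystream[i] = knownCt[i] ^ static_cast<uint8_t>(knownPt[i]);
    }
    std::string recovered;
    for (size_t i = 0; i < targetCt.size() && i < keystream.size(); ++i) {
        recovered.push_back(static_cast<char>(targetCt[i] ^ keystream[i]));
    }
    return recovered;
}

// Demonstration on constructed inputs: the cipher round-trips (so a unit test
// would pass), and the attack still reads the secret message.
bool demo() {
    const uint32_t key = 0xC0FFEE42u;                    // secret, hypothetical
    const std::string known = "HEADER-V1:hello world";  // attacker knows this
    const std::string secret = "HEADER-V1:PIN=4411";    // attacker wants this
    std::vector<uint8_t> knownCt = encrypt(key, known);
    std::vector<uint8_t> secretCt = encrypt(key, secret);
    bool roundtrip = decrypt(key, secretCt) == secret;
    bool broken = knownPlaintextAttack(known, knownCt, secretCt) == secret;
    return roundtrip && broken;
}

int main() { return demo() ? 0 : 1; }
```

Note that nothing in the class is "wrong" in the sense a functional test would catch; a query of this kind has to work from structural signals (hand-written arithmetic mixing loops, XOR of data with a locally generated stream) rather than from behaviour, which is also why, as the description says, it cannot tell a vetted library's implementation apart from a homebrew one.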