Add EC to secure algorithm whitelist for Java CWE-327 query#21594
Merged
owen-mc merged 4 commits intogithub:mainfrom Mar 28, 2026
Merged
Add EC to secure algorithm whitelist for Java CWE-327 query#21594owen-mc merged 4 commits intogithub:mainfrom
owen-mc merged 4 commits intogithub:mainfrom
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Updates the Java CWE-327 “potentially weak cryptographic algorithm” query support code to treat common Elliptic Curve (EC) algorithm names as secure, addressing reported false positives.
Changes:
- Extend the secure-algorithm whitelist in
Encryption.qllto include EC/ECDH/ECDSA and related modern curve families (EdDSA/Ed25519/Ed448, XDH/X25519/X448). - Add query-test coverage examples intended to ensure these algorithms are no longer flagged.
- Add a change note documenting the reduction in false positives.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| java/ql/lib/semmle/code/java/security/Encryption.qll | Expands the secure algorithm name whitelist to include EC-family algorithm identifiers. |
| java/ql/test/query-tests/security/CWE-327/semmle/tests/Test.java | Adds “GOOD” examples for EC-family algorithm strings to prevent regressions in CWE-327 behavior. |
| java/ql/lib/change-notes/2026-03-27-add-ec-to-secure-algorithms.md | Documents the analysis-result change (fewer false positives). |
java/ql/test/query-tests/security/CWE-327/semmle/tests/Test.java
Outdated
Show resolved
Hide resolved
java/ql/test/query-tests/security/CWE-327/semmle/tests/Test.java
Outdated
Show resolved
Hide resolved
owen-mc
requested changes
Mar 27, 2026
Contributor
owen-mc
left a comment
There was a problem hiding this comment.
Thanks for this contribution. It looks good, and should be mergeable with a few small changes. Please add signature.getInstance as a sink, as I explained in another comment.
In another forum, a user complained about FPs with this query, and gave the below examples. Is it possible you could add them at the same time?
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.crypto.spec.SecretKeySpec;
import javax.crypto.SecretKeyFactory;
import java.security.KeyPairGenerator;
public class C {
public static void main(String[] args) {
try {
MessageDigest msgDigester1 = MessageDigest.getInstance("MD5"); //OK
MessageDigest msgDigester2 = MessageDigest.getInstance("SHA-1"); //OK
MessageDigest msgDigester3 = MessageDigest.getInstance("SHA-256"); //OK
new SecretKeySpec(null, "HMACSHA1"); // FP
new SecretKeySpec(null, "HMACSHA256"); // FP
new SecretKeySpec(null, "HMACSHA384"); // FP
new SecretKeySpec(null, "SHA384withECDSA"); // FP
SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1"); // FP
KeyPairGenerator.getInstance("EC"); // FP
} catch (NoSuchAlgorithmException nsae) {
System.out.println("NoSuchAlgorithmException caught when digest token");
}
}
}
java/ql/lib/change-notes/2026-03-27-add-ec-to-secure-algorithms.md
Outdated
Show resolved
Hide resolved
Contributor
Author
|
no problem. I will handle all these issues you mentioned ASAP. Will let u know when ready. :) |
…ist, fix test APIs - Model Signature.getInstance() as CryptoAlgoSpec sink (previously only Signature constructor was modeled) - Add HMAC-based algorithms (HMACSHA1/256/384/512, HmacSHA1/256/384/512) and PBKDF2 to the secure algorithm whitelist - Fix XDH/X25519/X448 tests to use KeyAgreement.getInstance() instead of KeyPairGenerator.getInstance() to match their key agreement semantics - Add test cases for SHA384withECDSA, HMACSHA*, and PBKDF2WithHmacSHA1 from user-reported false positives - Update change note to document all additions
80880b4 to
da4a223
Compare
Contributor
Author
|
Added all examples. Also added HMAC/PBKDF2 to whitelist and updated change note. |
owen-mc
reviewed
Mar 28, 2026
java/ql/lib/change-notes/2026-03-27-add-ec-to-secure-algorithms.md
Outdated
Show resolved
Hide resolved
owen-mc
reviewed
Mar 28, 2026
java/ql/lib/change-notes/2026-03-27-add-ec-to-secure-algorithms.md
Outdated
Show resolved
Hide resolved
owen-mc
approved these changes
Mar 28, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
fix #21593