[krishnprakash/codeql] a9449c: Add EC to secure algorithm whitelist for Java CWE-...

Phileco

Mar 30, 2026, 3:00:45 AM
to philecodi...@googlegroups.com
Branch: refs/heads/main
Home: https://github.com/krishnprakash/codeql
Commit: a9449cc99183003883f6ec6375974d4382aecbff
https://github.com/krishnprakash/codeql/commit/a9449cc99183003883f6ec6375974d4382aecbff
Author: MarkLee131 <kaixu...@ntu.edu.sg>
Date: 2026-03-28 (Sat, 28 Mar 2026)

Changed paths:
A java/ql/lib/change-notes/2026-03-27-add-ec-to-secure-algorithms.md
M java/ql/lib/semmle/code/java/security/Encryption.qll
M java/ql/test/query-tests/security/CWE-327/semmle/tests/Test.java

Log Message:
-----------
Add EC to secure algorithm whitelist for Java CWE-327 query


Commit: da4a2238bc706382a41d402e5a907d9d95d6424a
https://github.com/krishnprakash/codeql/commit/da4a2238bc706382a41d402e5a907d9d95d6424a
Author: MarkLee131 <kaixu...@ntu.edu.sg>
Date: 2026-03-28 (Sat, 28 Mar 2026)

Changed paths:
M java/ql/lib/change-notes/2026-03-27-add-ec-to-secure-algorithms.md
M java/ql/lib/semmle/code/java/security/Encryption.qll
M java/ql/test/query-tests/security/CWE-327/semmle/tests/Test.java

Log Message:
-----------
Address PR review: add Signature.getInstance sink, HMAC/PBKDF2 whitelist, fix test APIs

- Model Signature.getInstance() as CryptoAlgoSpec sink (previously only
Signature constructor was modeled)
- Add HMAC-based algorithms (HMACSHA1/256/384/512, HmacSHA1/256/384/512)
and PBKDF2 to the secure algorithm whitelist
- Fix XDH/X25519/X448 tests to use KeyAgreement.getInstance() instead of
KeyPairGenerator.getInstance() to match their key agreement semantics
- Add test cases for SHA384withECDSA, HMACSHA*, and PBKDF2WithHmacSHA1
from user-reported false positives
- Update change note to document all additions


Commit: 0c5e89a68eff355ca81aa710827194f501046496
https://github.com/krishnprakash/codeql/commit/0c5e89a68eff355ca81aa710827194f501046496
Author: MarkLee131 <kaixu...@ntu.edu.sg>
Date: 2026-03-28 (Sat, 28 Mar 2026)

Changed paths:
A java/ql/lib/change-notes/2026-03-28-tainted-arithmetic-bounds-check.md
M java/ql/lib/semmle/code/java/security/ArithmeticCommon.qll
M java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTainted.java

Log Message:
-----------
Exclude bounds-check arithmetic from tainted-arithmetic sinks

The java/tainted-arithmetic query now recognizes when an arithmetic
expression appears directly as an operand of a comparison (e.g.,
`if (off + len > array.length)`). Such expressions are bounds checks,
not vulnerable computations, and are excluded via the existing
overflowIrrelevant predicate.

Add test cases for bounds-checking patterns that should not be flagged.


Commit: ea9b99f67c575574a484d1de0a2cd54b866d771c
https://github.com/krishnprakash/codeql/commit/ea9b99f67c575574a484d1de0a2cd54b866d771c
Author: Owen Mansel-Chan <62447351...@users.noreply.github.com>
Date: 2026-03-28 (Sat, 28 Mar 2026)

Changed paths:
M java/ql/lib/change-notes/2026-03-27-add-ec-to-secure-algorithms.md

Log Message:
-----------
Rephrase change note


Commit: 2b8558706f07b170a83426e4bdb0b934182a7012
https://github.com/krishnprakash/codeql/commit/2b8558706f07b170a83426e4bdb0b934182a7012
Author: Owen Mansel-Chan <62447351...@users.noreply.github.com>
Date: 2026-03-28 (Sat, 28 Mar 2026)

Changed paths:
M java/ql/lib/change-notes/2026-03-27-add-ec-to-secure-algorithms.md

Log Message:
-----------
Add sentence to change note.


Commit: 58218ee630ee6d7abc2c62e08de4bc0746e7e803
https://github.com/krishnprakash/codeql/commit/58218ee630ee6d7abc2c62e08de4bc0746e7e803
Author: Owen Mansel-Chan <62447351...@users.noreply.github.com>
Date: 2026-03-28 (Sat, 28 Mar 2026)

Changed paths:
A java/ql/lib/change-notes/2026-03-27-add-ec-to-secure-algorithms.md
M java/ql/lib/semmle/code/java/security/Encryption.qll
M java/ql/test/query-tests/security/CWE-327/semmle/tests/Test.java

Log Message:
-----------
Merge pull request #21594 from MarkLee131/fix/add-ec-to-secure-algorithm-whitelist

Add EC to secure algorithm whitelist for Java CWE-327 query


Commit: f5cfc5e282d73e4f89eb2377aa9e7966ed54d8e1
https://github.com/krishnprakash/codeql/commit/f5cfc5e282d73e4f89eb2377aa9e7966ed54d8e1
Author: Kaixuan Li <kaixu...@ntu.edu.sg>
Date: 2026-03-29 (Sun, 29 Mar 2026)

Changed paths:
M java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTainted.java

Log Message:
-----------
Update java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTainted.java

Co-authored-by: Owen Mansel-Chan <62447351...@users.noreply.github.com>


Commit: 938039d82c9540b809902d94a0e8a44639c1f160
https://github.com/krishnprakash/codeql/commit/938039d82c9540b809902d94a0e8a44639c1f160
Author: Kaixuan Li <kaixu...@ntu.edu.sg>
Date: 2026-03-29 (Sun, 29 Mar 2026)

Changed paths:
A java/ql/lib/change-notes/2026-03-27-add-ec-to-secure-algorithms.md
M java/ql/lib/semmle/code/java/security/Encryption.qll
M java/ql/test/query-tests/security/CWE-327/semmle/tests/Test.java

Log Message:
-----------
Merge branch 'main' into fix/tainted-arithmetic-bounds-check-barrier


Commit: b595a70384d4e118dd5fdb94afbb73e27474fb40
https://github.com/krishnprakash/codeql/commit/b595a70384d4e118dd5fdb94afbb73e27474fb40
Author: Kaixuan Li <kaixu...@ntu.edu.sg>
Date: 2026-03-29 (Sun, 29 Mar 2026)

Changed paths:
M java/ql/lib/change-notes/2026-03-28-tainted-arithmetic-bounds-check.md

Log Message:
-----------
Update java/ql/lib/change-notes/2026-03-28-tainted-arithmetic-bounds-check.md

Co-authored-by: Copilot <17572847...@users.noreply.github.com>


Commit: e6adfbca77eeb010bd0a8fbb4df5857d8829f177
https://github.com/krishnprakash/codeql/commit/e6adfbca77eeb010bd0a8fbb4df5857d8829f177
Author: MarkLee131 <kaixu...@ntu.edu.sg>
Date: 2026-03-29 (Sun, 29 Mar 2026)

Changed paths:
M java/ql/lib/semmle/code/java/security/ArithmeticCommon.qll
M java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTainted.expected

Log Message:
-----------
Address review: update QLDoc comment and fix expected test output

- Clarify that arithmeticUsedInBoundsCheck applies to if-condition
comparisons, not all comparisons
- Update expected test line numbers to reflect added test calls


Commit: 898d12b0beeac520af20d58159be58028293154c
https://github.com/krishnprakash/codeql/commit/898d12b0beeac520af20d58159be58028293154c
Author: Owen Mansel-Chan <62447351...@users.noreply.github.com>
Date: 2026-03-29 (Sun, 29 Mar 2026)

Changed paths:
A java/ql/lib/change-notes/2026-03-28-tainted-arithmetic-bounds-check.md
M java/ql/lib/semmle/code/java/security/ArithmeticCommon.qll
M java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTainted.expected
M java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTainted.java

Log Message:
-----------
Merge pull request #21608 from MarkLee131/fix/tainted-arithmetic-bounds-check-barrier

Exclude bounds-check arithmetic from tainted-arithmetic sinks


Commit: 9940370fa2e255ee732902cdcb1c019d4ce501c7
https://github.com/krishnprakash/codeql/commit/9940370fa2e255ee732902cdcb1c019d4ce501c7
Author: Phileco <132178579+k...@users.noreply.github.com>
Date: 2026-03-30 (Mon, 30 Mar 2026)

Changed paths:
A java/ql/lib/change-notes/2026-03-27-add-ec-to-secure-algorithms.md
A java/ql/lib/change-notes/2026-03-28-tainted-arithmetic-bounds-check.md
M java/ql/lib/semmle/code/java/security/ArithmeticCommon.qll
M java/ql/lib/semmle/code/java/security/Encryption.qll
M java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTainted.expected
M java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTainted.java
M java/ql/test/query-tests/security/CWE-327/semmle/tests/Test.java

Log Message:
-----------
Merge branch 'github:main' into main


Compare: https://github.com/krishnprakash/codeql/compare/6f98d86055ea...9940370fa2e2

To unsubscribe from these emails, change your notification settings at https://github.com/krishnprakash/codeql/settings/notifications
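The first two commits in this notification add EC, SHA384withECDSA, the HMAC family, PBKDF2 and the XDH key-agreement algorithms to the secure-algorithm whitelist of the Java CWE-327 query, and model `Signature.getInstance()` as a sink. The Java program below is an added example, not code from the notification or from the CodeQL repository: it exercises each of those algorithm strings through the standard JCA/JCE API (JDK 11 or later for X25519) so a reader can see what non-alerting use of them looks like. The class name and the sample message, key and salt are constructed for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;
import java.util.Arrays;
import javax.crypto.KeyAgreement;
import javax.crypto.Mac;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical demo class (not part of the CodeQL test suite).
public class WhitelistedAlgorithmsDemo {

    // EC key pair on P-384, SHA384withECDSA signature, then verification.
    // Both KeyPairGenerator.getInstance("EC") and Signature.getInstance(...)
    // are algorithm-spec sinks in the query.
    static boolean signAndVerify(byte[] message) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp384r1"));
        KeyPair kp = kpg.generateKeyPair();

        Signature signer = Signature.getInstance("SHA384withECDSA");
        signer.initSign(kp.getPrivate());
        signer.update(message);
        byte[] sig = signer.sign();

        Signature verifier = Signature.getInstance("SHA384withECDSA");
        verifier.initVerify(kp.getPublic());
        verifier.update(message);
        return verifier.verify(sig);
    }

    // HMAC-SHA256 authentication tag over a message.
    static byte[] hmacSha256(byte[] key, byte[] message) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(message);
    }

    // PBKDF2WithHmacSHA1 key derivation from a password and salt.
    static byte[] pbkdf2(char[] password, byte[] salt, int iterations, int keyBits) throws Exception {
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, keyBits);
        try {
            return factory.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // scrub the password copy held by the spec
        }
    }

    // X25519 key agreement through KeyAgreement.getInstance(), the API the
    // commit switched the XDH tests to; both sides derive the same secret.
    static boolean x25519Agrees() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("X25519");
        KeyPair alice = kpg.generateKeyPair();
        KeyPair bob = kpg.generateKeyPair();

        KeyAgreement ka = KeyAgreement.getInstance("X25519");
        ka.init(alice.getPrivate());
        ka.doPhase(bob.getPublic(), true);
        byte[] secretA = ka.generateSecret();

        KeyAgreement kb = KeyAgreement.getInstance("X25519");
        kb.init(bob.getPrivate());
        kb.doPhase(alice.getPublic(), true);
        byte[] secretB = kb.generateSecret();

        return Arrays.equals(secretA, secretB);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs.
        byte[] message = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        SecureRandom rng = new SecureRandom();
        byte[] macKey = new byte[32];
        rng.nextBytes(macKey);
        byte[] salt = new byte[16];
        rng.nextBytes(salt);

        System.out.println("SHA384withECDSA verifies: " + signAndVerify(message));
        System.out.println("HmacSHA256 tag bytes: " + hmacSha256(macKey, message).length);
        System.out.println("PBKDF2 key bytes: "
                + pbkdf2("constructed-password".toCharArray(), salt, 100_000, 256).length);
        System.out.println("X25519 shared secrets match: " + x25519Agrees());
    }
}
```

Compile and run with `javac WhitelistedAlgorithmsDemo.java && java WhitelistedAlgorithmsDemo`; the only dependency is the JDK's default providers.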
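The third commit excludes arithmetic that sits directly in an if-condition comparison, such as `if (off + len > array.length)`, from the java/tainted-arithmetic sinks on the grounds that it is a bounds check rather than the computation at risk. The Java below is an added example, not code from the notification or the CodeQL repository, that shows the excluded shape beside the check a reviewer usually asks for in its place: Java `int` addition wraps silently, so when `len` is large the sum goes negative and the comparison accepts the request, whereas comparing `len` against the remaining capacity (or using `Math.addExact`) cannot wrap. The class name and the buffer size, offset and length values are constructed for this example.

```java
import java.util.Arrays;

// Hypothetical demo class (not part of the CodeQL test suite).
public class BoundsCheckDemo {

    // The shape the commit describes: `off + len` is an operand of the
    // if-condition, so the query no longer reports it as a sink.
    // For len near Integer.MAX_VALUE the sum wraps to a negative number,
    // which is never greater than bufLen, so this check accepts.
    static boolean sumCheckAccepts(int bufLen, int off, int len) {
        if (off < 0 || len < 0 || off + len > bufLen) {
            return false;
        }
        return true;
    }

    // Overflow-safe form: compare len with the remaining capacity instead of
    // computing off + len, so no intermediate value can wrap. When off exceeds
    // bufLen the right-hand side is negative and every non-negative len is rejected.
    static boolean remainingCheckAccepts(int bufLen, int off, int len) {
        if (off < 0 || len < 0 || len > bufLen - off) {
            return false;
        }
        return true;
    }

    // Alternative: make the overflow explicit. Math.addExact throws
    // ArithmeticException instead of wrapping, which is treated as a rejection.
    static boolean exactCheckAccepts(int bufLen, int off, int len) {
        try {
            return off >= 0 && len >= 0 && Math.addExact(off, len) <= bufLen;
        } catch (ArithmeticException overflow) {
            return false;
        }
    }

    // A copy helper guarded by the overflow-safe check.
    static byte[] slice(byte[] buf, int off, int len) {
        if (!remainingCheckAccepts(buf.length, off, len)) {
            throw new IllegalArgumentException(
                    "range [" + off + ", " + off + "+" + len + ") exceeds buffer of " + buf.length);
        }
        return Arrays.copyOfRange(buf, off, off + len);
    }

    public static void main(String[] args) {
        int bufLen = 16;                 // constructed sample buffer size
        int off = 8;                     // constructed offset
        int hugeLen = Integer.MAX_VALUE; // constructed length chosen so off + len wraps

        // 8 + Integer.MAX_VALUE wraps to -2147483641 in int arithmetic,
        // so the sum-based check does not see it as larger than 16.
        System.out.println("sum check accepts huge len:       " + sumCheckAccepts(bufLen, off, hugeLen));
        System.out.println("remaining check accepts huge len: " + remainingCheckAccepts(bufLen, off, hugeLen));
        System.out.println("exact check accepts huge len:     " + exactCheckAccepts(bufLen, off, hugeLen));
        System.out.println("remaining check accepts 8 bytes:  " + remainingCheckAccepts(bufLen, off, 8));

        byte[] buf = new byte[bufLen];
        System.out.println("slice of 8 bytes at offset 8 has length " + slice(buf, off, 8).length);
        try {
            slice(buf, off, hugeLen);
        } catch (IllegalArgumentException rejected) {
            System.out.println("slice rejected huge len: " + rejected.getMessage());
        }
    }
}
```

The practical consequence for triage is that the query's new exclusion describes where a comparison is, not whether the comparison is written in a wrap-safe form; when reviewing a result that disappeared after this change, check that the guarded sum cannot overflow for attacker-influenced operands, or rewrite it in the remaining-capacity form shown in `remainingCheckAccepts`.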