BrokenCryptoAlgorithm.ql
/**
* @name Use of a broken or weak cryptographic algorithm
* @description Using broken or weak cryptographic algorithms can compromise security.
* @kind problem
* @problem.severity warning
* @security-severity 7.5
* @precision high
* @id py/weak-cryptographic-algorithm
* @tags security
* external/cwe/cwe-327
*/
import python
import semmle.python.Concepts
// Reports every cryptographic operation that relies on an encryption algorithm or a
// block mode for which the library's `isWeak()` predicate holds. Which algorithms and
// modes count as weak is decided by those predicates, not by this file.
from Cryptography::CryptographicOperation operation, string msgPrefix
where
  // Weak encryption algorithm. Hashing is deliberately out of scope here:
  // `Cryptography::HashingAlgorithm` and `Cryptography::PasswordHashingAlgorithm` are
  // handled by `py/weak-sensitive-data-hashing`.
  exists(Cryptography::EncryptionAlgorithm cipher |
    cipher = operation.getAlgorithm() and
    cipher.isWeak() and
    msgPrefix = "The cryptographic algorithm " + cipher.getName()
  )
  or
  // Weak block mode. This disjunct binds a different `msgPrefix`, so an operation with
  // both a weak algorithm and a weak mode is reported once for each.
  (
    msgPrefix = "The block mode " + operation.getBlockMode() and
    operation.getBlockMode().isWeak()
  )
// The alert is placed on the operation itself; the `$@` placeholder becomes a link to
// the operation's initialization, with `msgPrefix` as the link text.
select operation, "$@ is broken or weak, and should not be used.",
  operation.getInitialization(), msgPrefix