Skip to content

Add CodeQL Quantum models and queries (Java, C++) to experimental #19469

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 133 commits into
base: main
Choose a base branch
from
Open

Add CodeQL Quantum models and queries (Java, C++) to experimental #19469

wants to merge 133 commits into from
+9,400 −0

Conversation

nicolaswill
Copy link
Contributor

@nicolaswill nicolaswill commented May 8, 2025
edited
Loading

This pull request introduces libraries and queries for inventorying and analyzing cryptography through a shared language-independent model library, language-specific implementations, and library-specific models.

There is currently modelling for the Java Cryptography Architecture (JCA) and OpenSSL (C++), with DGML-based inventory graph output for both currently supported languages. Our Java implementation further provides a set of analysis queries and inventory subset ("slice") output queries.

nicolaswill and others added 30 commits January 23, 2025 12:46
@nicolaswill
Create Base.qll
395d54b
@nicolaswill
WIP
1a7d8cb
@nicolaswill
WIP: hash types example and documentation
7836234
@nicolaswill
WIP: add properties
e027b0e
@bdrodes
Concepts for elliptic cureve and misc. updates.
0cd3df9
@nicolaswill
WIP: add dgml/dot output/remove test code
9af18bc
@nicolaswill
Update CBOMGraph.ql
69a6385
@knewbury01
Add first sample JCA encryption model
5f355c7
@knewbury01
Improve JCA aes alg model, add test
86e51da
@knewbury01
Add broken crypto query
efcf7ea
@nicolaswill
Merge pull request #1 from nicolaswill/brodes/experiments
cd70acd 
Concepts for elliptic curves and misc. updates.
@knewbury01
Merge branch 'nic/crypto-test' into knewbury01/JCA-sample
2e12bb5
@nicolaswill
Move language-agnostic model to shared library
3dc28c2
@nicolaswill
Merge pull request #3 from nicolaswill/nicolaswill/shared-crypto-library
7a96f56 
Move language-agnostic model to shared library
@knewbury01
Update progress on JCA
60d931a
@knewbury01
Update JCA model with flow to call as AESuse and format JCA model
6005437
@knewbury01
Merge branch 'nic/crypto-test' into knewbury01/JCA-sample
9c8ade7
@knewbury01
Update JCA model to use shared lib
59208bd
@knewbury01
Update JCA model, refactor modes
1a12fb3
@nicolaswill
Refactor Model and CBOM print queries
4d44755
@nicolaswill
Modify model to use newtypes, expand modeling
874e3b5
@nicolaswill
Expand model and specialize newtype relations
b777a22
@nicolaswill
Expand model and JCA modeling
df01fa7
@nicolaswill
Continue Artifact data-flow WIP
8707e4d
@bdrodes
Adding support for encryption operation detection.
3871c6a
@bdrodes
Adding a sketch for a CipherOperation concept to model encryption/dec…
9ee4a7a 
…ryption operations.
@bdrodes
Fixing type bug
83dc5b9
@bdrodes
Simplifying additional flow step logic.
011ed3f
@bdrodes
Adding a todo
9ac9252
@bdrodes
Misc. updates to support all JCA cipher operations, including wrap, u…
86cab46 
…nwrap and doFinal calls. Corrected pathing for init tracing to detect what mode is being set along a path. Added support for tracing the init operation mode argument to source. Since this involved creating an Operation Mode, changes were also made to make cipher block modes (CBC) more explicit (previously just called mode, but now that term is used for various purposes).
@Copilot Copilot AI review requested due to automatic review settings May 8, 2025 00:48
@nicolaswill nicolaswill requested review from a team as code owners May 8, 2025 00:48
Copilot

This comment was marked as off-topic.

Sign in to view

github-advanced-security[bot]
github-advanced-security bot found potential problems May 8, 2025
View reviewed changes
Copy link

@github-advanced-security github-advanced-security bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CodeQL found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

@nicolaswill
Copy link
Contributor Author

Note for review: the changes not targeting experimental/quantum directories are added dependencies to codeql/cpp-all and codeql/java-all to the new shared (language-independent) experimental pack, which currently only contains an experimental/quantum directory for Model.qll within it.

@nicolaswill nicolaswill requested a review from Copilot May 8, 2025 01:01
Copilot

This comment was marked as off-topic.

Sign in to view

@nicolaswill nicolaswill added the no-change-note-required This PR does not need a change note label May 8, 2025
michaelnebel
michaelnebel reviewed May 8, 2025
View reviewed changes
shared/experimental/qlpack.yml
@@ -0,0 +1,7 @@
name: codeql/experimental
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If a new qlpack is added, I think it needs to be added to the list here. Do you have access to the internal repo?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Opened a PR: https://github.com/github/semmle-code/pull/53077.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@michaelnebel michaelnebel michaelnebel left review comments

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
C++ Java no-change-note-required This PR does not need a change note
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@nicolaswill @michaelnebel @bdrodes @knewbury01