Crypto: Adjust output of bad mac order queries, update associated bad mac order expected results, fix erroneous change to ID for a slicing query, update model to specify elliptic curve type as a property, update associated graph test expected files, update the not_included_in_qls.expected to reflect all queries now under quantum.

Author: bdrodes

java/ql/integration-tests/java/query-suite/not_included_in_qls.expected

@@ -228,14 +228,24 @@ ql/java/ql/src/experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfig
 ql/java/ql/src/experimental/Security/CWE/CWE-755/NFEAndroidDoS.ql
 ql/java/ql/src/experimental/Security/CWE/CWE-759/HashWithoutSalt.ql
 ql/java/ql/src/experimental/Security/CWE/CWE-939/IncorrectURLVerification.ql
-ql/java/ql/src/experimental/quantum/Analysis/InsecureNonceSource.ql
-ql/java/ql/src/experimental/quantum/Analysis/KnownWeakKDFIterationCount.ql
-ql/java/ql/src/experimental/quantum/Analysis/ReusedNonce.ql
-ql/java/ql/src/experimental/quantum/Analysis/UnknownKDFIterationCount.ql
+ql/java/ql/src/experimental/quantum/Examples/BadMacOrderDecryptToMac.ql
+ql/java/ql/src/experimental/quantum/Examples/BadMacOrderMacOnEncryptPlaintext.ql
 ql/java/ql/src/experimental/quantum/Examples/BrokenCrypto.ql
+ql/java/ql/src/experimental/quantum/Examples/InsecInseInsecureIVorNonceSource.ql
+ql/java/ql/src/experimental/quantum/Examples/NonAESGCMCipher.ql
 ql/java/ql/src/experimental/quantum/Examples/TestAESGCMNonce.ql
 ql/java/ql/src/experimental/quantum/Examples/TestCipher.ql
 ql/java/ql/src/experimental/quantum/Examples/TestHash.ql
+ql/java/ql/src/experimental/quantum/Examples/ReusedNonce.ql
+ql/java/ql/src/experimental/quantum/Examples/UnknownHash.ql
+ql/java/ql/src/experimental/quantum/Examples/UnknownIVorNonceSource.ql
+ql/java/ql/src/experimental/quantum/Examples/UnknownKDFIterationCount.ql
+ql/java/ql/src/experimental/quantum/Examples/WeakAsymmetricKeyGenSize.ql
+ql/java/ql/src/experimental/quantum/Examples/WeakBlockModes.ql
+ql/java/ql/src/experimental/quantum/Examples/WeakHash.ql
+ql/java/ql/src/experimental/quantum/Examples/WeakKDFIterationCount.ql
+ql/java/ql/src/experimental/quantum/Examples/WeakKDFKeySize.ql
+ql/java/ql/src/experimental/quantum/Examples/WeakSymmetricCipher.ql
 ql/java/ql/src/experimental/quantum/InventorySlices/KnownAsymmetricAlgorithm.ql
 ql/java/ql/src/experimental/quantum/InventorySlices/KnownAsymmetricCipherAlgorithm.ql
 ql/java/ql/src/experimental/quantum/InventorySlices/KnownAsymmetricOperationAlgorithm.ql

java/ql/src/experimental/quantum/Examples/BadMacOrderDecryptToMac.ql

@@ -15,4 +15,4 @@ import BadMacOrder
 from ArtifactFlow::PathNode src, ArtifactFlow::PathNode sink
 where isDecryptToMacFlow(src, sink)
 select sink, src, sink,
-  "MAC order potentially wrong: observed a potential decrypt operation output to MAC implying the MAC is on plaintext, and not a cipher."
+  "Incorrect decryption and MAC order: decryption output plaintext flows to MAC message input."

java/ql/src/experimental/quantum/Examples/BadMacOrderMacOnEncryptPlaintext.ql

@@ -17,5 +17,5 @@ from
   PlaintextUseAsMacAndCipherInputFlow::PathNode sink, InterimArg arg
 where isPlaintextInEncryptionAndMac(src, sink, arg)
 select sink, src, sink,
-  "Source is used as plaintext to MAC and encryption operation. Indicates possible misuse of MAC. Path shows plaintext to final use through intermediate mac or encryption operation here $@",
+  "Incorrect MAC usage: Encryption plaintext also used for MAC. Flow shows plaintext to final use through intermediate mac or encryption operation here $@",
   arg.asExpr(), arg.asExpr().toString()

java/ql/src/experimental/quantum/InventorySlices/UnknownOperationAlgorithm.ql

@@ -1,7 +1,7 @@
 /**
  * @name Operations with unknown algorithm
  * @description Outputs operations where the algorithm applied is unknown
- * @id java/quantum/examples/slices/operation-with-unknown-algorithm
+ * @id java/quantum/slices/operation-with-unknown-algorithm
  * @kind problem
  * @severity info
  * @tags quantum

java/ql/test/experimental/library-tests/quantum/node_properties.expected

@@ -1,6 +1,6 @@
 #select
-| BadMacUse.java:56:42:56:50 | plaintext | BadMacUse.java:50:28:50:53 | doFinal(...) : byte[] | BadMacUse.java:56:42:56:50 | plaintext | MAC order potentially wrong: observed a potential decrypt operation output to MAC implying the MAC is on plaintext, and not a cipher. |
-| BadMacUse.java:124:42:124:51 | ciphertext | BadMacUse.java:92:16:92:36 | doFinal(...) : byte[] | BadMacUse.java:124:42:124:51 | ciphertext | MAC order potentially wrong: observed a potential decrypt operation output to MAC implying the MAC is on plaintext, and not a cipher. |
+| BadMacUse.java:56:42:56:50 | plaintext | BadMacUse.java:50:28:50:53 | doFinal(...) : byte[] | BadMacUse.java:56:42:56:50 | plaintext | Incorrect decryption and MAC order: decryption output plaintext flows to MAC message input. |
+| BadMacUse.java:124:42:124:51 | ciphertext | BadMacUse.java:92:16:92:36 | doFinal(...) : byte[] | BadMacUse.java:124:42:124:51 | ciphertext | Incorrect decryption and MAC order: decryption output plaintext flows to MAC message input. |
 edges
 | BadMacUse.java:27:29:27:53 | doFinal(...) : byte[] | BadMacUse.java:32:42:32:51 | ciphertext | provenance |  |
 | BadMacUse.java:50:28:50:53 | doFinal(...) : byte[] | BadMacUse.java:56:42:56:50 | plaintext | provenance |  |

java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacOrderDecryptToMac.expected

@@ -1,14 +1,14 @@
 #select
-| BadMacUse.java:80:44:80:52 | plaintext | BadMacUse.java:67:82:67:97 | plaintext : byte[] | BadMacUse.java:80:44:80:52 | plaintext | Source is used as plaintext to MAC and encryption operation. Indicates possible misuse of MAC. Path shows plaintext to final use through intermediate mac or encryption operation here $@ | BadMacUse.java:75:42:75:50 | plaintext | plaintext |
+| BadMacUse.java:76:44:76:52 | plaintext | BadMacUse.java:63:82:63:97 | plaintext : byte[] | BadMacUse.java:76:44:76:52 | plaintext | Incorrect MAC usage: Encryption plaintext also used for MAC. Flow shows plaintext to final use through intermediate mac or encryption operation here $@ | BadMacUse.java:71:42:71:50 | plaintext | plaintext |
 edges
-| BadMacUse.java:67:82:67:97 | plaintext : byte[] | BadMacUse.java:75:42:75:50 | plaintext : byte[] | provenance |  |
-| BadMacUse.java:75:42:75:50 | plaintext : byte[] | BadMacUse.java:75:42:75:50 | plaintext : byte[] | provenance | Config |
-| BadMacUse.java:75:42:75:50 | plaintext : byte[] | BadMacUse.java:80:44:80:52 | plaintext | provenance |  |
+| BadMacUse.java:63:82:63:97 | plaintext : byte[] | BadMacUse.java:71:42:71:50 | plaintext : byte[] | provenance |  |
+| BadMacUse.java:71:42:71:50 | plaintext : byte[] | BadMacUse.java:71:42:71:50 | plaintext : byte[] | provenance | Config |
+| BadMacUse.java:71:42:71:50 | plaintext : byte[] | BadMacUse.java:76:44:76:52 | plaintext | provenance |  |
 nodes
-| BadMacUse.java:67:82:67:97 | plaintext : byte[] | semmle.label | plaintext : byte[] |
-| BadMacUse.java:75:42:75:50 | plaintext : byte[] | semmle.label | plaintext : byte[] |
-| BadMacUse.java:75:42:75:50 | plaintext : byte[] | semmle.label | plaintext : byte[] |
-| BadMacUse.java:80:44:80:52 | plaintext | semmle.label | plaintext |
+| BadMacUse.java:63:82:63:97 | plaintext : byte[] | semmle.label | plaintext : byte[] |
+| BadMacUse.java:71:42:71:50 | plaintext : byte[] | semmle.label | plaintext : byte[] |
+| BadMacUse.java:71:42:71:50 | plaintext : byte[] | semmle.label | plaintext : byte[] |
+| BadMacUse.java:76:44:76:52 | plaintext | semmle.label | plaintext |
 subpaths
 testFailures
-| BadMacUse.java:54:56:54:66 | // $Source | Missing result: Source |
+| BadMacUse.java:50:56:50:66 | // $Source | Missing result: Source |

java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacOrderMacOnEncryptPlaintext.expected

@@ -2393,6 +2393,10 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
       key = "ParsedName" and
       value = instance.asAlg().getParsedEllipticCurveName() and
       location = this.getLocation()
+      or
+      key = "CurveType" and
+      value = this.getEllipticCurveType().toString() and
+      location = this.getLocation()
     }
   }
 }