Merge pull request #19984 from jketema/jketema/sec-shared

Make a proper shared library out of the concept related libraries

Author: jketema

config/identical-files.json

@@ -231,35 +231,10 @@
     "java/ql/src/experimental/Security/CWE/CWE-400/LocalThreadResourceAbuse.qhelp",
     "java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.qhelp"
   ],
-  "CryptoAlgorithms Python/JS/Ruby": [
-    "javascript/ql/lib/semmle/javascript/security/CryptoAlgorithms.qll",
-    "python/ql/lib/semmle/python/concepts/CryptoAlgorithms.qll",
-    "ruby/ql/lib/codeql/ruby/security/CryptoAlgorithms.qll",
-    "rust/ql/lib/codeql/rust/security/CryptoAlgorithms.qll"
-  ],
-  "CryptoAlgorithmNames Python/JS/Ruby": [
-    "javascript/ql/lib/semmle/javascript/security/internal/CryptoAlgorithmNames.qll",
-    "python/ql/lib/semmle/python/concepts/internal/CryptoAlgorithmNames.qll",
-    "ruby/ql/lib/codeql/ruby/security/internal/CryptoAlgorithmNames.qll",
-    "rust/ql/lib/codeql/rust/security/internal/CryptoAlgorithmNames.qll"
-  ],
-  "SensitiveDataHeuristics Python/JS": [
-    "javascript/ql/lib/semmle/javascript/security/internal/SensitiveDataHeuristics.qll",
-    "python/ql/lib/semmle/python/security/internal/SensitiveDataHeuristics.qll",
-    "ruby/ql/lib/codeql/ruby/security/internal/SensitiveDataHeuristics.qll",
-    "swift/ql/lib/codeql/swift/security/internal/SensitiveDataHeuristics.qll",
-    "rust/ql/lib/codeql/rust/security/internal/SensitiveDataHeuristics.qll"
-  ],
   "IncompleteUrlSubstringSanitization": [
     "javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qll",
     "ruby/ql/src/queries/security/cwe-020/IncompleteUrlSubstringSanitization.qll"
   ],
-  "Concepts Python/Ruby/JS": [
-    "python/ql/lib/semmle/python/internal/ConceptsShared.qll",
-    "ruby/ql/lib/codeql/ruby/internal/ConceptsShared.qll",
-    "javascript/ql/lib/semmle/javascript/internal/ConceptsShared.qll",
-    "rust/ql/lib/codeql/rust/internal/ConceptsShared.qll"
-  ],
   "ApiGraphModels": [
     "javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll",
     "ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll",

javascript/ql/lib/qlpack.yml

@@ -6,6 +6,7 @@ extractor: javascript
 library: true
 upgrades: upgrades
 dependencies:
+  codeql/concepts: ${workspace}
   codeql/dataflow: ${workspace}
   codeql/mad: ${workspace}
   codeql/regex: ${workspace}

javascript/ql/lib/semmle/javascript/Concepts.qll

@@ -5,7 +5,11 @@
  */
 
 import javascript
+private import semmle.javascript.dataflow.internal.sharedlib.DataFlowArg
 private import codeql.threatmodels.ThreatModels
+private import codeql.concepts.ConceptsShared
+
+private module ConceptsShared = ConceptsMake<Location, JSDataFlow>;
 
 /**
  * A data flow source, for a specific threat-model.
@@ -206,7 +210,7 @@ abstract class PersistentWriteAccess extends DataFlow::Node {
  * Provides models for cryptographic things.
  */
 module Cryptography {
-  private import semmle.javascript.internal.ConceptsShared::Cryptography as SC
+  private import ConceptsShared::Cryptography as SC
 
   /**
    * A data-flow node that is an application of a cryptographic algorithm. For example,

javascript/ql/lib/semmle/javascript/frameworks/CryptoLibraries.qll

@@ -4,7 +4,7 @@
 
 import javascript
 import semmle.javascript.Concepts::Cryptography
-private import semmle.javascript.security.internal.CryptoAlgorithmNames
+private import codeql.concepts.internal.CryptoAlgorithmNames
 
 /**
  * A key used in a cryptographic algorithm.

javascript/ql/lib/semmle/javascript/internal/ConceptsImports.qll

@@ -1,117 +1,5 @@
 /**
  * Provides classes modeling cryptographic algorithms, separated into strong and weak variants.
- *
- * The classification into strong and weak are based on Wikipedia, OWASP and Google (2021).
  */
 
-private import internal.CryptoAlgorithmNames
-
-/**
- * A cryptographic algorithm.
- */
-private newtype TCryptographicAlgorithm =
-  MkHashingAlgorithm(string name, boolean isWeak) {
-    isStrongHashingAlgorithm(name) and isWeak = false
-    or
-    isWeakHashingAlgorithm(name) and isWeak = true
-  } or
-  MkEncryptionAlgorithm(string name, boolean isWeak) {
-    isStrongEncryptionAlgorithm(name) and isWeak = false
-    or
-    isWeakEncryptionAlgorithm(name) and isWeak = true
-  } or
-  MkPasswordHashingAlgorithm(string name, boolean isWeak) {
-    isStrongPasswordHashingAlgorithm(name) and isWeak = false
-    or
-    isWeakPasswordHashingAlgorithm(name) and isWeak = true
-  }
-
-/**
- * Gets the most specific `CryptographicAlgorithm` that matches the given `name`.
- * A matching algorithm is one where the name of the algorithm matches the start of name, with allowances made for different name formats.
- * In the case that multiple `CryptographicAlgorithm`s match the given `name`, the algorithm(s) with the longest name will be selected. This is intended to select more specific versions of algorithms when multiple versions could match - for example "SHA3_224" matches against both "SHA3" and "SHA3224", but the latter is a more precise match.
- */
-bindingset[name]
-private CryptographicAlgorithm getBestAlgorithmForName(string name) {
-  result =
-    max(CryptographicAlgorithm algorithm |
-      algorithm.getName() =
-        [
-          name.toUpperCase(), // the full name
-          name.toUpperCase().regexpCapture("^([\\w]+)(?:-.*)?$", 1), // the name prior to any dashes or spaces
-          name.toUpperCase().regexpCapture("^([A-Z0-9]+)(?:(-|_).*)?$", 1) // the name prior to any dashes, spaces, or underscores
-        ].regexpReplaceAll("[-_ ]", "") // strip dashes, underscores, and spaces
-    |
-      algorithm order by algorithm.getName().length()
-    )
-}
-
-/**
- * A cryptographic algorithm.
- */
-abstract class CryptographicAlgorithm extends TCryptographicAlgorithm {
-  /** Gets a textual representation of this element. */
-  string toString() { result = this.getName() }
-
-  /**
-   * Gets the normalized name of this algorithm (upper-case, no spaces, dashes or underscores).
-   */
-  abstract string getName();
-
-  /**
-   * Holds if the name of this algorithm is the most specific match for `name`.
-   * This predicate matches quite liberally to account for different ways of formatting algorithm names, e.g. using dashes, underscores, or spaces as separators, including or not including block modes of operation, etc.
-   */
-  bindingset[name]
-  predicate matchesName(string name) { this = getBestAlgorithmForName(name) }
-
-  /**
-   * Holds if this algorithm is weak.
-   */
-  abstract predicate isWeak();
-}
-
-/**
- * A hashing algorithm such as `MD5` or `SHA512`.
- */
-class HashingAlgorithm extends MkHashingAlgorithm, CryptographicAlgorithm {
-  string name;
-  boolean isWeak;
-
-  HashingAlgorithm() { this = MkHashingAlgorithm(name, isWeak) }
-
-  override string getName() { result = name }
-
-  override predicate isWeak() { isWeak = true }
-}
-
-/**
- * An encryption algorithm such as `DES` or `AES512`.
- */
-class EncryptionAlgorithm extends MkEncryptionAlgorithm, CryptographicAlgorithm {
-  string name;
-  boolean isWeak;
-
-  EncryptionAlgorithm() { this = MkEncryptionAlgorithm(name, isWeak) }
-
-  override string getName() { result = name }
-
-  override predicate isWeak() { isWeak = true }
-
-  /** Holds if this algorithm is a stream cipher. */
-  predicate isStreamCipher() { isStreamCipher(name) }
-}
-
-/**
- * A password hashing algorithm such as `PBKDF2` or `SCRYPT`.
- */
-class PasswordHashingAlgorithm extends MkPasswordHashingAlgorithm, CryptographicAlgorithm {
-  string name;
-  boolean isWeak;
-
-  PasswordHashingAlgorithm() { this = MkPasswordHashingAlgorithm(name, isWeak) }
-
-  override string getName() { result = name }
-
-  override predicate isWeak() { isWeak = true }
-}
+import codeql.concepts.CryptoAlgorithms

javascript/ql/lib/semmle/javascript/internal/ConceptsShared.qll

@@ -10,7 +10,7 @@
  */
 
 import javascript
-import semmle.javascript.security.internal.SensitiveDataHeuristics
+import codeql.concepts.internal.SensitiveDataHeuristics
 private import HeuristicNames
 
 /** An expression that might contain sensitive data. */