Skip to content

Java: Add MaDs for java.crypto.KDF #20345

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Sep 10, 2025
Merged

Java: Add MaDs for java.crypto.KDF #20345

merged 7 commits into from
Sep 10, 2025

Conversation

IdrissRio
Copy link
Contributor

@IdrissRio IdrissRio commented Sep 2, 2025
edited
Loading

@IdrissRio IdrissRio changed the base branch from main to idrissrio/java-upgrade-fix September 2, 2025 11:00
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Sep 2, 2025
edited
Loading

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

java

Generated file changes for java

  • Changes to framework-coverage-java.rst:
-    Java extensions,"``javax.*``, ``jakarta.*``",87,4159,90,10,4,2,1,1,4
+    Java extensions,"``javax.*``, ``jakarta.*``",87,4185,90,10,4,2,1,1,4
-    Totals,,330,26328,2656,404,16,128,33,1,409
+    Totals,,330,26354,2656,404,16,128,33,1,409
  • Changes to framework-coverage-java.csv:
- javax.crypto,19,,114,,,12,3,,2,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,61,53
+ javax.crypto,19,,140,,,12,3,,2,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,76,64

@IdrissRio IdrissRio marked this pull request as ready for review September 2, 2025 11:40
@IdrissRio IdrissRio requested a review from a team as a code owner September 2, 2025 11:40
@Copilot Copilot AI review requested due to automatic review settings September 2, 2025 11:40
Copilot
Copilot AI reviewed Sep 2, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds Model as Data (MaD) support for the java.crypto.KDF API, enabling taint tracking through Key Derivation Function operations. The changes include comprehensive taint flow models for KDF operations and HKDF parameter specifications.

  • Adds taint flow models for javax.crypto.KDF class methods
  • Adds taint flow models for javax.crypto.spec.HKDFParameterSpec and its builder pattern
  • Includes comprehensive test coverage for various KDF usage patterns

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
java/ql/lib/ext/javax.crypto.model.yml Adds summary models for KDF class methods including deriveKey and deriveData
java/ql/lib/ext/javax.crypto.spec.model.yml Adds taint flow models for HKDF parameter specification builder methods and constructors
java/ql/test/library-tests/dataflow/kdf/test.ql Test query for verifying taint flow through KDF operations
java/ql/test/library-tests/dataflow/kdf/KDFDataflowTest.java Comprehensive test cases covering various KDF usage patterns
java/ql/test/library-tests/dataflow/kdf/options Compilation options enabling Java 25 preview features
java/ql/lib/change-notes/2025-09-02-kdf-api.md Release notes documenting the new KDF taint flow support

@IdrissRio IdrissRio force-pushed the idrissrio/java-upgrade-fix branch from a34b362 to 5d2268f Compare September 2, 2025 18:19
@IdrissRio IdrissRio requested a review from a team as a code owner September 2, 2025 18:19
aschackmull
aschackmull reviewed Sep 4, 2025
View reviewed changes
java/ql/lib/ext/javax.crypto.model.yml Outdated
- ["javax.crypto", "KDF", False, "getInstance", "(String,KDFParameters,Provider)", "", "Argument[0]", "ReturnValue.SyntheticField[javax.crypto.KDF.algorithm]", "value", "manual"]
- ["javax.crypto", "KDF", False, "getInstance", "(String,KDFParameters,String)", "", "Argument[0]", "ReturnValue.SyntheticField[javax.crypto.KDF.algorithm]", "value", "manual"]
- ["javax.crypto", "KDF", True, "getAlgorithm", "()", "", "Argument[this].SyntheticField[javax.crypto.KDF.algorithm]", "ReturnValue", "value", "manual"]
- ["javax.crypto", "KDF", True, "getProvider", "()", "", "Argument[this]", "ReturnValue", "value", "manual"]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This line looks suspicious. It suggests that getProvider() is implemented as return this. Should this have been a taint model rather than a value-preserving step?

aschackmull
aschackmull reviewed Sep 4, 2025
View reviewed changes
aschackmull
aschackmull reviewed Sep 4, 2025
View reviewed changes
Base automatically changed from idrissrio/java-upgrade-fix to main September 4, 2025 14:46
@github-actions github-actions bot added the Kotlin label Sep 5, 2025
aschackmull
aschackmull reviewed Sep 8, 2025
View reviewed changes
@github-actions github-actions bot removed the Kotlin label Sep 8, 2025
@IdrissRio IdrissRio merged commit 166c77d into main Sep 10, 2025
17 checks passed
@IdrissRio IdrissRio deleted the idrissrio/java-kdf branch September 10, 2025 09:21
@owen-mc owen-mc mentioned this pull request Sep 11, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@aschackmull aschackmull aschackmull approved these changes

Assignees
No one assigned
Labels
documentation Java
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@IdrissRio @aschackmull