Skip to content

Remove security-severity tag to java/random-used-once #7613

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jan 19, 2022
Merged

Remove security-severity tag to java/random-used-once #7613

merged 3 commits into from
Jan 19, 2022

Conversation

smowton
Copy link
Contributor

@smowton smowton commented Jan 17, 2022

Raised in #7601, this is one of the only .ql files that has a security-severity score but not the tag "security", including many other queries that live outside the Security/ subdirectory.

Besides this the only other files with this security-severity-but-no-security-tag combination are:

java/ql/src/Frameworks/JavaEE/EJB/EjbContainerInterference.ql
java/ql/src/Frameworks/JavaEE/EJB/EjbFileIO.ql
java/ql/src/Frameworks/JavaEE/EJB/EjbNative.ql
java/ql/src/Frameworks/JavaEE/EJB/EjbReflection.ql
java/ql/src/Frameworks/JavaEE/EJB/EjbSecurityConfiguration.ql
java/ql/src/Frameworks/JavaEE/EJB/EjbSerialization.ql
java/ql/src/Frameworks/JavaEE/EJB/EjbSetSocketOrUrlFactory.ql

Given their location I'm assuming these queries are disabled by default and likely shouldn't changed?

@smowton
Add security tag to java/random-used-once
16aa53a 
Raised in #7601, this is one of the only .ql files that has a security-severity score but not the tag "security", including many other queries that live outside the `Security/` subdirectory.

Besides this the only other files with this security-severity-but-no-security-tag combination are:

```
java/ql/src/Frameworks/JavaEE/EJB/EjbContainerInterference.ql
java/ql/src/Frameworks/JavaEE/EJB/EjbFileIO.ql
java/ql/src/Frameworks/JavaEE/EJB/EjbNative.ql
java/ql/src/Frameworks/JavaEE/EJB/EjbReflection.ql
java/ql/src/Frameworks/JavaEE/EJB/EjbSecurityConfiguration.ql
java/ql/src/Frameworks/JavaEE/EJB/EjbSerialization.ql
java/ql/src/Frameworks/JavaEE/EJB/EjbSetSocketOrUrlFactory.ql
```

Given their location I'm assuming these queries are disabled by default and likely shouldn't changed?
@smowton smowton requested a review from a team as a code owner January 17, 2022 10:35
@github-actions github-actions bot added the Java label Jan 17, 2022
@smowton smowton mentioned this pull request Jan 17, 2022
Open
@atorralba
Copy link
Contributor

I think that the actual problem was that the query had been (incorrectly IMHO) assigned a CWE, and because of that a security-severity score was automatically assigned to it. I don't think this query actually models CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) (or a security problem at all), so in my opinion we should instead remove the CWE and security-severity tags.

@smowton
Copy link
Contributor Author

smowton commented Jan 17, 2022

If the complaint in the query description (a less-than-even distribution) is true, then that would make random numbers easier to predict than they should be. That seems like a (perhaps mild) security issue to me.

atorralba
atorralba previously approved these changes Jan 17, 2022
View reviewed changes
Copy link
Contributor

@atorralba atorralba left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, I saw the readability and maintainability tags and assumed that this was a code quality matter, but after reading more about it I agree it may be a low-severity security issue (because I think this would be very difficult to exploit practically). I also think it shouldn't have a severity of 9.8, but I'm hesitant to change that because it'll probably be changed back the next time the automation runs.

@smowton
Copy link
Contributor Author

smowton commented Jan 17, 2022

Yeah that does seem dubious. @aschackmull do you have an opinion?

@aschackmull
Copy link
Contributor

I think the query likely does a decent job as a code quality query, but a poor job as a security query, so for that reason I think the simplest solution is to just consider it to be the former and not the latter.

@smowton
Remove security-severity tag instead
f0645a3 
This leaves the Java query in the same state as its C# cousin.
@smowton smowton changed the title Add security tag to java/random-used-once Remove security-severity tag to java/random-used-once Jan 19, 2022
@smowton
Copy link
Contributor Author

smowton commented Jan 19, 2022

Changed this to remove the security-severity score, leaving the tagging in the same state as the C# query of the same name.

@smowton smowton merged commit 162b382 into main Jan 19, 2022
@smowton smowton deleted the smowton/admin/tag-random-used-once branch January 19, 2022 14:43
@atorralba atorralba mentioned this pull request Aug 26, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aschackmull aschackmull aschackmull approved these changes

@atorralba atorralba atorralba left review comments

Assignees
No one assigned
Labels
documentation Java
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@smowton @atorralba @aschackmull