addiitonal minor fixes

chanel-y · chanel-y · commit 2081c6fc887c · 2026-01-29T16:33:18.000-08:00
diff --git a/powershell/ql/src/queries/security/cwe-327/ObsoleteKDFAlgorithm.qhelp b/powershell/ql/src/queries/security/cwe-327/ObsoleteKDFAlgorithm.qhelp
@@ -17,25 +17,8 @@
       a SHA-2 hash function (such as SHA-256 or SHA-512). Additionally, use a high iteration
       count (at least 100,000) to increase resistance against brute-force attacks.
     </p>
+    
   </recommendation>
-  <example>
-    <p>
-      The following example shows the use of an obsolete KDF algorithm:
-    </p>
-    <sample language="powershell">
-# BAD: Using PasswordDeriveBytes which implements PBKDF1
-$kdf = New-Object System.Security.Cryptography.PasswordDeriveBytes($password, $salt)
-$key = $kdf.CryptDeriveKey("AES", "SHA256", 256, $iv)
-    </sample>
-    <p>
-      The following example shows the recommended approach using PBKDF2:
-    </p>
-    <sample language="powershell">
-# GOOD: Using Rfc2898DeriveBytes with SHA-256 and high iteration count
-$kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($password, $salt, 100000, [System.Security.Cryptography.HashAlgorithmName]::SHA256)
-$key = $kdf.GetBytes(32)
-    </sample>
-  </example>
   <references>
     <li>NIST, SP 800-132: <a href="https://csrc.nist.gov/publications/detail/sp/800-132/final">Recommendation for Password-Based Key Derivation</a>.</li>
     <li>OWASP: <a href="https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html">Password Storage Cheat Sheet</a>.</li>
diff --git a/powershell/ql/src/queries/security/cwe-327/WeakSymmetricAlgorithm.ql b/powershell/ql/src/queries/security/cwe-327/WeakSymmetricAlgorithm.ql
@@ -15,45 +15,6 @@ import semmle.code.powershell.ApiGraphs
 import semmle.code.powershell.dataflow.DataFlow
 import semmle.code.powershell.security.cryptography.Concepts
 
-// class WeaksSymmetricAlgorithmCreateCall extends DataFlow::CallNode {
-//     WeaksSymmetricAlgorithmCreateCall() {
-//         this = API::getTopLevelMember("system").getMember("security").getMember("cryptography").getMember("rc2").getMember("create").asCall() or
-//         this = API::getTopLevelMember("system").getMember("security").getMember("cryptography").getMember("des").getMember("create").asCall() or
-//         this = API::getTopLevelMember("system").getMember("security").getMember("cryptography").getMember("tripledes").getMember("create").asCall() or
-//         (
-//             this = API::getTopLevelMember("system").getMember("security").getMember("cryptography").getMember("symmetricalgorithm").getMember("create").asCall() and
-//             this.getAnArgument().asExpr().getValue().asString() = ["RC2", "DES", "TripleDES", "Rijndael"] or
-//             this.getAnArgument().asExpr().getValue().asString() = ["System.Security.Cryptography.RC2", "System.Security.Cryptography.DES", "System.Security.Cryptography.TripleDES", "System.Security.Cryptography.Rijndael"]
-//         )
-//   }
-// }
-// class WeakSymmetricAlgorithmObjectCreation extends DataFlow::ObjectCreationNode {
-//   WeakSymmetricAlgorithmObjectCreation() {
-//     this.getExprNode().getExpr().(CallExpr).getAnArgument().getValue().asString() = "System.Security.Cryptography.DES" or
-//     this.getExprNode().getExpr().(CallExpr).getAnArgument().getValue().asString() = "System.Security.Cryptography.DESCryptoServiceProvider" or
-//     this.getExprNode().getExpr().(CallExpr).getAnArgument().getValue().asString() = "System.Security.Cryptography.TripleDES" or
-//     this.getExprNode().getExpr().(CallExpr).getAnArgument().getValue().asString() = "System.Security.Cryptography.TripleDESCryptoServiceProvider" or
-//     this.getExprNode().getExpr().(CallExpr).getAnArgument().getValue().asString() = "System.Security.Cryptography.RC2" or
-//     this.getExprNode().getExpr().(CallExpr).getAnArgument().getValue().asString() = "System.Security.Cryptography.RC2CryptoServiceProvider" or
-//     this.getExprNode().getExpr().(CallExpr).getAnArgument().getValue().asString() = "System.Security.Cryptography.Rijndael" or
-//     this.getExprNode().getExpr().(CallExpr).getAnArgument().getValue().asString() = "System.Security.Cryptography.Rijndael"
-//   }
-// }
-// class CreateFromNameSink extends DataFlow::CallNode {
-//   CreateFromNameSink(){
-//       this = API::getTopLevelMember("system").getMember("security").getMember("cryptography").getMember("cryptoconfig").getMember("createfromname").asCall() and
-//       (
-//         this.getAnArgument().asExpr().getValue().asString() = ["System.Security.Cryptography.DES", "System.Security.Cryptography.TripleDES", "System.Security.Cryptography.RC2", "System.Security.Cryptography.Rijndael"] or
-//         this.getAnArgument().asExpr().getValue().asString() = ["DES", "TripleDES", "RC2", "Rijndael"]
-//       )
-//   }
-// }
-// from DataFlow::Node weakSymmetricAlg
-// where weakSymmetricAlg instanceof WeaksSymmetricAlgorithmCreateCall or
-//       weakSymmetricAlg instanceof WeakSymmetricAlgorithmObjectCreation or
-//         weakSymmetricAlg instanceof CreateFromNameSink
-// select weakSymmetricAlg,
-//     "Use of weak symmetric cryptographic algorithm. Consider using AES instead."
 from SymmetricAlgorithm symmetricAlg
 where not symmetricAlg.getSymmetricAlgorithmName() = ["aes", "aes128", "aes192", "aes256"]
 select symmetricAlg,
