Merge branch 'main' into redsun82/bzlmod

Author: redsun82

java/kotlin-extractor/kotlin_plugin_versions.py

@@ -46,7 +46,7 @@ def version_string_to_version(version):
 # Version number used by CI.
 ci_version = '1.9.0'
 
-many_versions = [ '1.5.0', '1.5.10', '1.5.20', '1.5.30', '1.6.0', '1.6.20', '1.7.0', '1.7.20', '1.8.0', '1.9.0-Beta', '1.9.20-Beta', '2.0.0-Beta3', '2.0.255-SNAPSHOT' ]
+many_versions = [ '1.5.0', '1.5.10', '1.5.20', '1.5.30', '1.6.0', '1.6.20', '1.7.0', '1.7.20', '1.8.0', '1.9.0-Beta', '1.9.20-Beta', '2.0.0-Beta4', '2.0.255-SNAPSHOT' ]
 
 many_versions_versions = [version_string_to_version(v) for v in many_versions]
 many_versions_versions_asc  = sorted(many_versions_versions, key = lambda v: v.toTupleWithTag())

…sions/v_2_0_0-Beta3/IrSymbolInternals.kt …sions/v_2_0_0-Beta4/IrSymbolInternals.ktjava/kotlin-extractor/src/main/kotlin/utils/versions/v_2_0_0-Beta3/IrSymbolInternals.kt renamed to java/kotlin-extractor/src/main/kotlin/utils/versions/v_2_0_0-Beta4/IrSymbolInternals.kt java/kotlin-extractor/src/main/kotlin/utils/versions/v_2_0_0-Beta3/IrSymbolInternals.kt renamed to java/kotlin-extractor/src/main/kotlin/utils/versions/v_2_0_0-Beta4/IrSymbolInternals.kt

@@ -1,6 +1,7 @@
 /** Definitions for the insecure local authentication query. */
 
 import java
+private import semmle.code.java.dataflow.DataFlow
 
 /** A base class that is used as a callback for biometric authentication. */
 private class AuthenticationCallbackClass extends Class {
@@ -40,3 +41,24 @@ class AuthenticationSuccessCallback extends Method {
     not result = this.getASuperResultUse()
   }
 }
+
+/** A call that sets a parameter for key generation that is insecure for use with biometric authentication. */
+class InsecureBiometricKeyParamCall extends MethodCall {
+  InsecureBiometricKeyParamCall() {
+    exists(string name, CompileTimeConstantExpr val |
+      this.getMethod()
+          .hasQualifiedName("android.security.keystore", "KeyGenParameterSpec$Builder", name) and
+      DataFlow::localExprFlow(val, this.getArgument(0)) and
+      (
+        name = ["setUserAuthenticationRequired", "setInvalidatedByBiometricEnrollment"] and
+        val.getBooleanValue() = false
+        or
+        name = "setUserAuthenticationValidityDurationSeconds" and
+        val.getIntValue() != -1
+      )
+    )
+  }
+}
+
+/** Holds if the application contains an instance of a key being used for local biometric authentication. */
+predicate usesLocalAuth() { exists(AuthenticationSuccessCallback cb | exists(cb.getAResultUse())) }

…v_2_0_0-Beta3/JavaBinarySourceElement.kt …v_2_0_0-Beta4/JavaBinarySourceElement.ktjava/kotlin-extractor/src/main/kotlin/utils/versions/v_2_0_0-Beta3/JavaBinarySourceElement.kt renamed to java/kotlin-extractor/src/main/kotlin/utils/versions/v_2_0_0-Beta4/JavaBinarySourceElement.kt java/kotlin-extractor/src/main/kotlin/utils/versions/v_2_0_0-Beta3/JavaBinarySourceElement.kt renamed to java/kotlin-extractor/src/main/kotlin/utils/versions/v_2_0_0-Beta4/JavaBinarySourceElement.kt

@@ -0,0 +1,43 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Biometric authentication, such as fingerprint recognition, can be used alongside cryptographic keys stored in the Android <code>KeyStore</code> to protect sensitive parts of the application. However, 
+when a key generated for this purpose has certain parameters set insecurely, an attacker with physical access can bypass the 
+authentication check using application hooking tools such as Frida.
+</p>
+</overview>
+
+<recommendation>
+<p>
+When generating a key for use with biometric authentication, ensure that the following parameters of <code>KeyGenParameterSpec.Builder</code> are set:
+</p>
+<ul>
+<li><code>setUserAuthenticationRequired</code> should be set to <code>true</code>; otherwise, the key can be used without user authentication.</li>
+<li><code>setInvalidatedByBiometricEnrollment</code> should be set to <code>true</code> (the default); otherwise, an attacker can use the key by enrolling additional biometrics on the device.</li>
+<li><code>setUserAuthenticationValidityDurationSeconds</code>, if used, should be set to <code>-1</code>; otherwise, non-biometric (less secure) credentials can be used to access the key. We recommend using <code>setUserAuthenticationParameters</code> instead to explicitly set both the timeout and the types of credentials that may be used.</li>
+</ul>
+
+</recommendation>
+
+<example>
+<p>The following example demonstrates a key that is configured with secure paramaters:</p>
+<sample src="AndroidInsecureKeysGood.java"/>
+
+<p>In each of the following cases, a parameter is set insecurely:</p>
+<sample src="AndroidInsecureKeysBad.java"/>
+</example>
+
+<references>
+<li>
+WithSecure: <a href="https://labs.withsecure.com/publications/how-secure-is-your-android-keystore-authentication">How Secure is your Android Keystore Authentication?</a>.
+</li>
+<li>
+Android Developers: <a href="https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec.Builder">KeyGenParameterSpec.Builder</a>.
+</li>
+
+</references>
+</qhelp>

…_0_255-SNAPSHOT/JvmDefaultModeEnabled.kt …s/v_2_0_0-Beta4/JvmDefaultModeEnabled.ktjava/kotlin-extractor/src/main/kotlin/utils/versions/v_2_0_255-SNAPSHOT/JvmDefaultModeEnabled.kt renamed to java/kotlin-extractor/src/main/kotlin/utils/versions/v_2_0_0-Beta4/JvmDefaultModeEnabled.kt java/kotlin-extractor/src/main/kotlin/utils/versions/v_2_0_255-SNAPSHOT/JvmDefaultModeEnabled.kt renamed to java/kotlin-extractor/src/main/kotlin/utils/versions/v_2_0_0-Beta4/JvmDefaultModeEnabled.kt

@@ -0,0 +1,18 @@
+/**
+ * @name Insecurely generated keys for local authentication
+ * @description Generation of keys with insecure parameters for local biometric authentication can allow attackers with physical access to bypass authentication checks.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 4.4
+ * @precision medium
+ * @id java/android/insecure-local-key-gen
+ * @tags security
+ *       external/cwe/cwe-287
+ */
+
+import java
+import semmle.code.java.security.AndroidLocalAuthQuery
+
+from InsecureBiometricKeyParamCall call
+where usesLocalAuth()
+select call, "This key is not secure for biometric authentication."

…ls/versions/v_2_0_255-SNAPSHOT/Psi2Ir.kt …n/utils/versions/v_2_0_0-Beta4/Psi2Ir.ktjava/kotlin-extractor/src/main/kotlin/utils/versions/v_2_0_255-SNAPSHOT/Psi2Ir.kt renamed to java/kotlin-extractor/src/main/kotlin/utils/versions/v_2_0_0-Beta4/Psi2Ir.kt java/kotlin-extractor/src/main/kotlin/utils/versions/v_2_0_255-SNAPSHOT/Psi2Ir.kt renamed to java/kotlin-extractor/src/main/kotlin/utils/versions/v_2_0_0-Beta4/Psi2Ir.kt

@@ -0,0 +1,47 @@
+private void generateSecretKey() {
+    KeyGenParameterSpec keyGenParameterSpec = new KeyGenParameterSpec.Builder(
+        "MySecretKey",
+        KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
+        .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
+        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
+        // BAD: User authentication is not required to use this key.
+        .setUserAuthenticationRequired(false)
+        .build();
+    KeyGenerator keyGenerator = KeyGenerator.getInstance(
+            KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
+    keyGenerator.init(keyGenParameterSpec);
+    keyGenerator.generateKey();
+}
+
+private void generateSecretKey() {
+    KeyGenParameterSpec keyGenParameterSpec = new KeyGenParameterSpec.Builder(
+        "MySecretKey",
+        KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
+        .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
+        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
+        .setUserAuthenticationRequired(true)
+        // BAD: An attacker can access this key by enrolling additional biometrics.
+        .setInvalidatedByBiometricEnrollment(false)
+        .build();
+    KeyGenerator keyGenerator = KeyGenerator.getInstance(
+            KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
+    keyGenerator.init(keyGenParameterSpec);
+    keyGenerator.generateKey();
+}
+
+private void generateSecretKey() {
+    KeyGenParameterSpec keyGenParameterSpec = new KeyGenParameterSpec.Builder(
+        "MySecretKey",
+        KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
+        .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
+        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
+        .setUserAuthenticationRequired(true)
+        .setInvalidatedByBiometricEnrollment(true)
+        // BAD: This key can be accessed using non-biometric credentials. 
+        .setUserAuthenticationValidityDurationSeconds(30)
+        .build();
+    KeyGenerator keyGenerator = KeyGenerator.getInstance(
+            KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
+    keyGenerator.init(keyGenParameterSpec);
+    keyGenerator.generateKey();
+}