Skip to content

Remove security-severity tag to java/random-used-once#7613

Merged
smowton merged 3 commits intomainfrom
smowton/admin/tag-random-used-once
Jan 19, 2022
Merged

Remove security-severity tag to java/random-used-once#7613
smowton merged 3 commits intomainfrom
smowton/admin/tag-random-used-once

Conversation

@smowton
Copy link
Contributor

@smowton smowton commented Jan 17, 2022

Raised in #7601, this is one of the only .ql files that has a security-severity score but not the tag "security", including many other queries that live outside the Security/ subdirectory.

Besides this the only other files with this security-severity-but-no-security-tag combination are:

java/ql/src/Frameworks/JavaEE/EJB/EjbContainerInterference.ql
java/ql/src/Frameworks/JavaEE/EJB/EjbFileIO.ql
java/ql/src/Frameworks/JavaEE/EJB/EjbNative.ql
java/ql/src/Frameworks/JavaEE/EJB/EjbReflection.ql
java/ql/src/Frameworks/JavaEE/EJB/EjbSecurityConfiguration.ql
java/ql/src/Frameworks/JavaEE/EJB/EjbSerialization.ql
java/ql/src/Frameworks/JavaEE/EJB/EjbSetSocketOrUrlFactory.ql

Given their location I'm assuming these queries are disabled by default and likely shouldn't changed?

@smowton
Add security tag to java/random-used-once
16aa53a 
Raised in #7601, this is one of the only .ql files that has a security-severity score but not the tag "security", including many other queries that live outside the `Security/` subdirectory.

Besides this the only other files with this security-severity-but-no-security-tag combination are:

```
java/ql/src/Frameworks/JavaEE/EJB/EjbContainerInterference.ql
java/ql/src/Frameworks/JavaEE/EJB/EjbFileIO.ql
java/ql/src/Frameworks/JavaEE/EJB/EjbNative.ql
java/ql/src/Frameworks/JavaEE/EJB/EjbReflection.ql
java/ql/src/Frameworks/JavaEE/EJB/EjbSecurityConfiguration.ql
java/ql/src/Frameworks/JavaEE/EJB/EjbSerialization.ql
java/ql/src/Frameworks/JavaEE/EJB/EjbSetSocketOrUrlFactory.ql
```

Given their location I'm assuming these queries are disabled by default and likely shouldn't changed?
@smowton smowton requested a review from a team as a code owner January 17, 2022 10:35
@github-actions github-actions bot added the Java label Jan 17, 2022
@smowton smowton mentioned this pull request Jan 17, 2022
Open
@atorralba
Copy link
Contributor

atorralba commented Jan 17, 2022

I think that the actual problem was that the query had been (incorrectly IMHO) assigned a CWE, and because of that a security-severity score was automatically assigned to it. I don't think this query actually models CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) (or a security problem at all), so in my opinion we should instead remove the CWE and security-severity tags.

@smowton
Copy link
Contributor Author

smowton commented Jan 17, 2022

If the complaint in the query description (a less-than-even distribution) is true, then that would make random numbers easier to predict than they should be. That seems like a (perhaps mild) security issue to me.

atorralba
atorralba previously approved these changes Jan 17, 2022
View reviewed changes
Copy link
Contributor

@atorralba atorralba left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, I saw the readability and maintainability tags and assumed that this was a code quality matter, but after reading more about it I agree it may be a low-severity security issue (because I think this would be very difficult to exploit practically). I also think it shouldn't have a severity of 9.8, but I'm hesitant to change that because it'll probably be changed back the next time the automation runs.

@smowton
Copy link
Contributor Author

smowton commented Jan 17, 2022

Yeah that does seem dubious. @aschackmull do you have an opinion?

@aschackmull
Copy link
Contributor

aschackmull commented Jan 19, 2022

I think the query likely does a decent job as a code quality query, but a poor job as a security query, so for that reason I think the simplest solution is to just consider it to be the former and not the latter.

@smowton
Remove security-severity tag instead
f0645a3 
This leaves the Java query in the same state as its C# cousin.
@smowton smowton changed the title Add security tag to java/random-used-once Remove security-severity tag to java/random-used-once Jan 19, 2022
@smowton
Copy link
Contributor Author

smowton commented Jan 19, 2022

Changed this to remove the security-severity score, leaving the tagging in the same state as the C# query of the same name.

@smowton smowton merged commit 162b382 into main Jan 19, 2022
@smowton smowton deleted the smowton/admin/tag-random-used-once branch January 19, 2022 14:43
@atorralba atorralba mentioned this pull request Aug 26, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aschackmull aschackmull aschackmull approved these changes

+1 more reviewer

@atorralba atorralba atorralba left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

documentation Java

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@smowton @atorralba @aschackmull