Update InsecureDependencyResolution with code review comments

JLLeitschuh · JLLeitschuh · commit 229622459cbc · 2019-12-09T20:37:53.000-05:00
diff --git a/java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql b/java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql
@@ -6,6 +6,7 @@
  * @precision very-high
  * @id java/maven/non-https-url
  * @tags security
+ *       external/cwe/cwe-300
  *       external/cwe/cwe-319
  *       external/cwe/cwe-494
  *       external/cwe/cwe-829
@@ -15,24 +16,22 @@ import java
 import semmle.code.xml.MavenPom
 
 private class DeclaredRepository extends PomElement {
-    DeclaredRepository() {
-        this.getName() = "repository" or
-        this.getName() = "snapshotRepository" or
-        this.getName() = "pluginRepository"
-    }
+  DeclaredRepository() {
+    this.getName() = "repository" or
+    this.getName() = "snapshotRepository" or
+    this.getName() = "pluginRepository"
+  }
 
-    string getUrl() {
-        result = getAChild("url").(PomElement).getValue()
-    }
+  string getUrl() { result = getAChild("url").(PomElement).getValue() }
 
-    predicate isInsecureRepositoryUsage() {
-        getUrl().matches("http://%") or
-        getUrl().matches("ftp://%")
-    }
+  predicate isInsecureRepositoryUsage() {
+    getUrl().matches("http://%") or
+    getUrl().matches("ftp://%")
+  }
 }
 
 from DeclaredRepository repository
 where repository.isInsecureRepositoryUsage()
-select
-    repository,
-    "Downloading or uploading artifacts over insecure protocol (eg. http or ftp) to/from repository " + repository.getUrl()
+select repository,
+  "Downloading or uploading artifacts over insecure protocol (eg. http or ftp) to repository " +
+    repository.getUrl()
diff --git a/java/ql/test/query-tests/security/CWE-829/semmle/tests/InsecureDependencyResolution.qlref b/java/ql/test/query-tests/security/CWE-829/semmle/tests/InsecureDependencyResolution.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-829/InsecureDependencyResolution.ql
diff --git a/java/ql/test/query-tests/security/CWE-829/semmle/tests/insecure-pom.xml b/java/ql/test/query-tests/security/CWE-829/semmle/tests/insecure-pom.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+
+    <!-- Duplicated in java/ql/src/Security/CWE/CWE-829/insecure-pom.xml -->
+
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>com.semmle</groupId>
+    <artifactId>parent</artifactId>
+    <version>1.0</version>
+    <packaging>pom</packaging>
+
+    <name>Security Testing</name>
+    <description>An example of insecure download and upload of dependencies</description>
+
+    <distributionManagement>
+        <repository>
+            <id>insecure-releases</id>
+            <name>Insecure Repository Releases</name>
+            <!-- BAD! Use HTTPS -->
+            <url>http://insecure-repository.example</url>
+        </repository>
+        <snapshotRepository>
+            <id>insecure-snapshots</id>
+            <name>Insecure Repository Snapshots</name>
+            <!-- BAD! Use HTTPS -->
+            <url>http://insecure-repository.example</url>
+        </snapshotRepository>
+    </distributionManagement>
+    <repositories>
+        <repository>
+            <id>insecure</id>
+            <name>Insecure Repository</name>
+            <!-- BAD! Use HTTPS -->
+            <url>http://insecure-repository.example</url>
+        </repository>
+    </repositories>
+    <pluginRepositories>
+        <pluginRepository>
+            <id>insecure-plugins</id>
+            <name>Insecure Repository Releases</name>
+            <!-- BAD! Use HTTPS -->
+            <url>http://insecure-repository.example</url>
+        </pluginRepository>
+    </pluginRepositories>
+</project>
diff --git a/java/ql/test/query-tests/security/CWE-829/semmle/tests/secure-pom.xml b/java/ql/test/query-tests/security/CWE-829/semmle/tests/secure-pom.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+
+    <!-- Duplicated in java/ql/src/Security/CWE/CWE-829/secure-pom.xml -->
+
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>com.semmle</groupId>
+    <artifactId>parent</artifactId>
+    <version>1.0</version>
+    <packaging>pom</packaging>
+
+    <name>Security Testing</name>
+    <description>An example of secure download and upload of dependencies</description>
+
+    <distributionManagement>
+        <repository>
+            <id>insecure-releases</id>
+            <name>Secure Repository Releases</name>
+            <!-- GOOD! Use HTTPS -->
+            <url>https://insecure-repository.example</url>
+        </repository>
+        <snapshotRepository>
+            <id>insecure-snapshots</id>
+            <name>Secure Repository Snapshots</name>
+            <!-- GOOD! Use HTTPS -->
+            <url>https://insecure-repository.example</url>
+        </snapshotRepository>
+    </distributionManagement>
+    <repositories>
+        <repository>
+            <id>insecure</id>
+            <name>Secure Repository</name>
+            <!-- GOOD! Use HTTPS -->
+            <url>https://insecure-repository.example</url>
+        </repository>
+    </repositories>
+    <pluginRepositories>
+        <pluginRepository>
+            <id>insecure-plugins</id>
+            <name>Secure Repository Releases</name>
+            <!-- GOOD! Use HTTPS -->
+            <url>https://insecure-repository.example</url>
+        </pluginRepository>
+    </pluginRepositories>
+</project>

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Security/CWE/CWE-829/InsecureDependencyResolution.ql`