From 81cac67cc5bf3a2f2beaac49062f6eca6bd35480 Mon Sep 17 00:00:00 2001
From: Graham Sutherland
Date: Wed, 16 Jul 2025 19:45:00 +0100
Subject: [PATCH 1/2] Improve C++ legacy crypto algorithm query
Adds the name of the detected algorithm to help identify the substring that triggered the detection, and reduces false positives when detecting DES by using a regex to exclude common words like "description" and "nodes".
---
cpp/src/crypto/UseOfLegacyAlgorithm.ql | 45 +++++++++++++++++---------
1 file changed, 30 insertions(+), 15 deletions(-)
diff --git a/cpp/src/crypto/UseOfLegacyAlgorithm.ql b/cpp/src/crypto/UseOfLegacyAlgorithm.ql
index c28220c..057d67a 100644
--- a/cpp/src/crypto/UseOfLegacyAlgorithm.ql
+++ b/cpp/src/crypto/UseOfLegacyAlgorithm.ql
@@ -11,20 +11,35 @@ import cpp
-from FunctionCall call
+from FunctionCall call, string functionName, string cipherName
 where
- call.getTarget()
- .getQualifiedName()
- .toLowerCase()
- .matches([
- // Hash functions
- "%md2%", "%md4%", "%md5%", "%ripemd%", "%sha1%", "%whirlpool%", "%streebog%",
- // KDFs
- "%pbkdf1%",
- // Symmetric ciphers
- "%arcfour%", "%blowfish%", "%cast%", "%des%", "%idea%", "%kasumi%",
- "%magma%", "%rc2%", "%rc4%", "%tdea%"
- ])
+ functionName = call.getTarget()
+ .getQualifiedName()
+ .toLowerCase()
+ and
+ (
+ exists(string cn |
+ cn in [
+ "MD2", "MD4", "MD5", "RIPEMD", "SHA1", "Whirlpool", "Streebog",
+ "PBKDF1",
+ "ArcFour", "Blowfish", "CAST", "DES", "IDEA", "Kasumi",
+ "Magma", "RC2", "RC4", "TDEA"
+ ]
+ and cipherName = cn
+ and functionName.matches("%" + cn.toLowerCase() + "%")
+ )
+ /* match DES, but avoid false positives by not matching common terms containing it: nodes modes codes describe description descriptor design descend destroy */
+ or cipherName = "DES" and functionName.regexpMatch(".*(?
Date: Wed, 16 Jul 2025 19:50:49 +0100
Subject: [PATCH 2/2] Fix editing error in legacy cryptography algorithm query
The "DES" string is covered by the regex and should not be in the first list. This was a typo made during testing.
---
cpp/src/crypto/UseOfLegacyAlgorithm.ql | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cpp/src/crypto/UseOfLegacyAlgorithm.ql b/cpp/src/crypto/UseOfLegacyAlgorithm.ql
index 057d67a..e3e2bc3 100644
--- a/cpp/src/crypto/UseOfLegacyAlgorithm.ql
+++ b/cpp/src/crypto/UseOfLegacyAlgorithm.ql
@@ -22,7 +22,7 @@ where
 cn in [
 "MD2", "MD4", "MD5", "RIPEMD", "SHA1", "Whirlpool", "Streebog",
 "PBKDF1",
- "ArcFour", "Blowfish", "CAST", "DES", "IDEA", "Kasumi",
+ "ArcFour", "Blowfish", "CAST", "IDEA", "Kasumi",
 "Magma", "RC2", "RC4", "TDEA"
 ]
 and cipherName = cn
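Review bot: `"CAST"` in the retained list on the `+` line of the second patch is still subject to the plain substring test `functionName.matches("%" + cn.toLowerCase() + "%")` introduced in the first patch, so any lowercased qualified name containing `cast` — which in ordinary C++ code bases likely includes helpers such as `broadcast`, `downcast` or `safe_cast` — is reported as a CAST cipher use, the same class of false positive this commit removes for DES. `"RC2"` and `"RC4"` are likewise contained in identifiers such as `src2`/`src4`, and `"IDEA"` in anything containing `idea`. Consider giving CAST (and perhaps RC2/RC4) a dedicated `or cipherName = "CAST" and functionName.regexpMatch(...)` branch in the style of the DES one, written so that `cast` must stand alone as a token rather than a fragment, and add a short comment above the list noting that its entries are unanchored substring matches and must not be common English or C++ identifier fragments. The `exists(string cn | ...)` block this hunk edits starts and ends outside the hunk.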