github
diff --git a/‎java/ql/src/Security/CWE/CWE-295/ImproperWebViewCertificateValidation.java‎
Lines changed: 5 additions & 5 deletions b/‎java/ql/src/Security/CWE/CWE-295/ImproperWebViewCertificateValidation.java‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacUse.java‎
Lines changed: 7 additions & 7 deletions b/‎java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacUse.java‎
Lines changed: 7 additions & 7 deletions
diff --git a/‎java/ql/test/experimental/query-tests/quantum/examples/InsecureOrUnknownNonceSource/InsecureIVorNonceSource.java‎
Lines changed: 22 additions & 22 deletions b/‎java/ql/test/experimental/query-tests/quantum/examples/InsecureOrUnknownNonceSource/InsecureIVorNonceSource.java‎
Lines changed: 22 additions & 22 deletions
diff --git a/‎java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownAsymmetricKeySize/InsufficientAsymmetricKeySize.java‎
Lines changed: 4 additions & 4 deletions b/‎java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownAsymmetricKeySize/InsufficientAsymmetricKeySize.java‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownBlockMode/Test.java‎
Lines changed: 5 additions & 5 deletions b/‎java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownBlockMode/Test.java‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownHash/WeakHashing.java‎
Lines changed: 8 additions & 8 deletions b/‎java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownHash/WeakHashing.java‎
Lines changed: 8 additions & 8 deletions
@@ -1,15 +1,15 @@
 class Bad extends WebViewClient {
     // BAD: All certificates are trusted.
-    public void onReceivedSslError (WebView view, SslErrorHandler handler, SslError error) { // $hasResult
-        handler.proceed(); 
+    public void onReceivedSslError (WebView view, SslErrorHandler handler, SslError error) { // $ hasResult
+        handler.proceed();
     }
 }
 
 class Good extends WebViewClient {
     PublicKey myPubKey = ...;
 
     // GOOD: Only certificates signed by a certain public key are trusted.
-    public void onReceivedSslError (WebView view, SslErrorHandler handler, SslError error) { // $hasResult
+    public void onReceivedSslError (WebView view, SslErrorHandler handler, SslError error) { // $ hasResult
         try {
             X509Certificate cert = error.getCertificate().getX509Certificate();
             cert.verify(this.myPubKey);
@@ -18,5 +18,5 @@ public void onReceivedSslError (WebView view, SslErrorHandler handler, SslError
         catch (CertificateException|NoSuchAlgorithmException|InvalidKeyException|NoSuchProviderException|SignatureException e) {
             handler.cancel();
         }
-    }    
-}
+    }
+}
@@ -47,20 +47,20 @@ public void BadDecryptThenMacOnPlaintextVerify(byte[] encryptionKeyBytes, byte[]
         SecretKey encryptionKey = new SecretKeySpec(encryptionKeyBytes, "AES");
         Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
         cipher.init(Cipher.DECRYPT_MODE, encryptionKey, new SecureRandom());
-        byte[] plaintext = cipher.doFinal(ciphertext); // $Source
+        byte[] plaintext = cipher.doFinal(ciphertext); // $ Source
 
         // Now verify MAC (too late)
         SecretKey macKey = new SecretKeySpec(macKeyBytes, "HmacSHA256");
         Mac mac = Mac.getInstance("HmacSHA256");
         mac.init(macKey);
-        byte[] computedMac = mac.doFinal(plaintext); // $Alert[java/quantum/examples/bad-mac-order-decrypt-to-mac] 
+        byte[] computedMac = mac.doFinal(plaintext); // $ Alert[java/quantum/examples/bad-mac-order-decrypt-to-mac]
 
         if (!MessageDigest.isEqual(receivedMac, computedMac)) {
             throw new SecurityException("MAC verification failed");
         }
     }
 
-    public void BadMacOnPlaintext(byte[] encryptionKeyBytes, byte[] macKeyBytes, byte[] plaintext) throws Exception {// $Source
+    public void BadMacOnPlaintext(byte[] encryptionKeyBytes, byte[] macKeyBytes, byte[] plaintext) throws Exception {// $ Source
         // Create keys directly from provided byte arrays
         SecretKey encryptionKey = new SecretKeySpec(encryptionKeyBytes, "AES");
         SecretKey macKey = new SecretKeySpec(macKeyBytes, "HmacSHA256");
@@ -73,7 +73,7 @@ public void BadMacOnPlaintext(byte[] encryptionKeyBytes, byte[] macKeyBytes, byt
         // Encrypt the plaintext
         Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
         cipher.init(Cipher.ENCRYPT_MODE, encryptionKey, new SecureRandom());
-        byte[] ciphertext = cipher.doFinal(plaintext); // $Alert[java/quantum/examples/bad-mac-order-encrypt-plaintext-also-in-mac]
+        byte[] ciphertext = cipher.doFinal(plaintext); // $ Alert[java/quantum/examples/bad-mac-order-encrypt-plaintext-also-in-mac]
 
         // Concatenate ciphertext and MAC
         byte[] output = new byte[ciphertext.length + computedMac.length];
@@ -132,7 +132,7 @@ public byte[] falsePositiveDecryptToMac(byte[] encryptionKeyBytes, byte[] macKey
 
 
     /**
-     * Correct inputs to a decrypt and MAC operation, but the ordering is unsafe. 
+     * Correct inputs to a decrypt and MAC operation, but the ordering is unsafe.
      * The function decrypts THEN computes the MAC on the plaintext.
      * It should have the MAC computed on the ciphertext first.
      */
@@ -143,13 +143,13 @@ public void decryptThenMac(byte[] encryptionKeyBytes, byte[] macKeyBytes, byte[]
         byte[] receivedMac = Arrays.copyOfRange(input, input.length - macLength, input.length);
 
         // Decrypt first (unsafe)
-        byte[] plaintext = decryptUsingWrapper(ciphertext, encryptionKeyBytes, new byte[16]); // $Source
+        byte[] plaintext = decryptUsingWrapper(ciphertext, encryptionKeyBytes, new byte[16]); // $ Source
 
         // Now verify MAC (too late)
         SecretKey macKey = new SecretKeySpec(macKeyBytes, "HmacSHA256");
         Mac mac = Mac.getInstance("HmacSHA256");
         mac.init(macKey);
-        byte[] computedMac = mac.doFinal(ciphertext); // $Alert[java/quantum/examples/bad-mac-order-decrypt-then-mac], False positive for Plaintext reuse
+        byte[] computedMac = mac.doFinal(ciphertext); // $ Alert[java/quantum/examples/bad-mac-order-decrypt-then-mac], False positive for Plaintext reuse
 
         if (!MessageDigest.isEqual(receivedMac, computedMac)) {
             throw new SecurityException("MAC verification failed");
 
@@ -11,33 +11,33 @@ public class InsecureIVorNonceSource {
 
     // BAD: AES-GCM with static IV from a byte array
     public byte[] encryptWithStaticIvByteArrayWithInitializer(byte[] key, byte[] plaintext) throws Exception {
-        byte[] iv = new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5 }; // $Source
+        byte[] iv = new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5 }; // $ Source
 
         GCMParameterSpec ivSpec = new GCMParameterSpec(128, iv);
         SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
 
         Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING");
-        cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/examples/insecure-iv-or-nonce]
+        cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $ Alert[java/quantum/examples/insecure-iv-or-nonce]
         cipher.update(plaintext);
         return cipher.doFinal();
     }
 
     // BAD: AES-GCM with static IV from zero-initialized byte array
     public byte[] encryptWithZeroStaticIvByteArray(byte[] key, byte[] plaintext) throws Exception {
-        byte[] iv = new byte[16]; 
+        byte[] iv = new byte[16];
 
         GCMParameterSpec ivSpec = new GCMParameterSpec(128, iv);
         SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
 
         Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING");
-        cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/examples/unknown-iv-or-nonce-source]
+        cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $ Alert[java/quantum/examples/unknown-iv-or-nonce-source]
         cipher.update(plaintext);
         return cipher.doFinal();
     }
 
     // BAD: AES-CBC with static IV from 1-initialized byte array
     public byte[] encryptWithStaticIvByteArray(byte[] key, byte[] plaintext) throws Exception {
-        byte[] iv = new byte[16]; 
+        byte[] iv = new byte[16];
         for (byte i = 0; i < iv.length; i++) {
             iv[i] = 1;
         }
@@ -46,55 +46,55 @@ public byte[] encryptWithStaticIvByteArray(byte[] key, byte[] plaintext) throws
         SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
 
         Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
-        cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/examples/insecure-iv-or-nonce]
+        cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $ Alert[java/quantum/examples/insecure-iv-or-nonce]
         cipher.update(plaintext);
         return cipher.doFinal();
     }
 
     // BAD: AES-GCM with static IV from a multidimensional byte array
     public byte[] encryptWithOneOfStaticIvs01(byte[] key, byte[] plaintext) throws Exception {
         byte[][] staticIvs = new byte[][] {
-            { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5 }, // $Source
-            { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 42 } // $Source
-        }; 
+            { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5 }, // $ Source
+            { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 42 } // $ Source
+        };
 
         GCMParameterSpec ivSpec = new GCMParameterSpec(128, staticIvs[1]);
         SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
 
         Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING");
-        cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/examples/insecure-iv-or-nonce]
+        cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $ Alert[java/quantum/examples/insecure-iv-or-nonce]
         cipher.update(plaintext);
         return cipher.doFinal();
     }
 
     // BAD: AES-GCM with static IV from a multidimensional byte array
     public byte[] encryptWithOneOfStaticIvs02(byte[] key, byte[] plaintext) throws Exception {
         byte[][] staticIvs = new byte[][] {
-            new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5 }, // $Source
-            new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 42 } // $Source
-        }; 
+            new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5 }, // $ Source
+            new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 42 } // $ Source
+        };
 
         GCMParameterSpec ivSpec = new GCMParameterSpec(128, staticIvs[1]);
         SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
 
         Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING");
-        cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/examples/insecure-iv-or-nonce]
+        cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $ Alert[java/quantum/examples/insecure-iv-or-nonce]
         cipher.update(plaintext);
         return cipher.doFinal();
     }
 
     // BAD: AES-GCM with static IV from a zero-initialized multidimensional byte array
     public byte[] encryptWithOneOfStaticZeroIvs(byte[] key, byte[] plaintext) throws Exception {
         byte[][] ivs = new byte[][] {
-            new byte[8], 
-            new byte[16] 
+            new byte[8],
+            new byte[16]
         };
 
         GCMParameterSpec ivSpec = new GCMParameterSpec(128, ivs[1]);
         SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
 
         Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING");
-        cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/examples/unknown-iv-or-nonce-source]
+        cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $ Alert[java/quantum/examples/unknown-iv-or-nonce-source]
         cipher.update(plaintext);
         return cipher.doFinal();
     }
@@ -166,8 +166,8 @@ public byte[] encryptWithRandomIvWithArraysCopy(byte[] key, byte[] plaintext) th
         return cipher.doFinal();
     }
 
-    public byte[] generate(int size) throws Exception { 
-        if (size == 0) { 
+    public byte[] generate(int size) throws Exception {
+        if (size == 0) {
             return new byte[0];
         }
         byte[] randomBytes = new byte[size];
@@ -183,15 +183,15 @@ public byte[] encryptWithGeneratedIvByteArray(byte[] key, byte[] plaintext) thro
         SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
 
         Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
-        cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); 
+        cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec);
         cipher.update(plaintext);
         return cipher.doFinal();
     }
 
     public byte[] generateInsecureRandomBytes(int numBytes) {
         Random random = new Random();
         byte[] bytes = new byte[numBytes];
-        random.nextBytes(bytes); // $Source
+        random.nextBytes(bytes); // $ Source
         return bytes;
     }
 
@@ -203,7 +203,7 @@ public byte[] encryptWithGeneratedIvByteArrayInsecure(byte[] key, byte[] plainte
         SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
 
         Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
-        cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec);  // $Alert[java/quantum/examples/insecure-iv-or-nonce]]
+        cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec);  // $ Alert[java/quantum/examples/insecure-iv-or-nonce]]
         cipher.update(plaintext);
         return cipher.doFinal();
     }
 
@@ -2,15 +2,15 @@
 public class InsufficientAsymmetricKeySize{
     public static void test() throws Exception{
         KeyPairGenerator keyPairGen1 = KeyPairGenerator.getInstance("RSA");
-        keyPairGen1.initialize(1024); // $Alert[java/quantum/examples/weak-asymmetric-key-gen-size]
+        keyPairGen1.initialize(1024); // $ Alert[java/quantum/examples/weak-asymmetric-key-gen-size]
         keyPairGen1.generateKeyPair();
 
         KeyPairGenerator keyPairGen2 = KeyPairGenerator.getInstance("DSA");
-        keyPairGen2.initialize(1024); // $Alert[java/quantum/examples/weak-asymmetric-key-gen-size]
+        keyPairGen2.initialize(1024); // $ Alert[java/quantum/examples/weak-asymmetric-key-gen-size]
         keyPairGen2.generateKeyPair();
 
         KeyPairGenerator keyPairGen3 = KeyPairGenerator.getInstance("DH");
-        keyPairGen3.initialize(1024); // $Alert[java/quantum/examples/weak-asymmetric-key-gen-size]
+        keyPairGen3.initialize(1024); // $ Alert[java/quantum/examples/weak-asymmetric-key-gen-size]
         keyPairGen3.generateKeyPair();
 
         KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance("RSA");
@@ -25,4 +25,4 @@ public static void test() throws Exception{
         keyPairGen6.initialize(2048); // GOOD
         keyPairGen6.generateKeyPair();
     }
-}
+}
@@ -10,25 +10,25 @@ public static void main(String[] args) throws Exception {
         byte[] data = "SensitiveData".getBytes();
 
         // Insecure block mode: ECB
-        Cipher cipherECB = Cipher.getInstance("AES/ECB/PKCS5Padding"); // $Alert
+        Cipher cipherECB = Cipher.getInstance("AES/ECB/PKCS5Padding"); // $ Alert
         cipherECB.init(Cipher.ENCRYPT_MODE, key);
         byte[] ecbEncrypted = cipherECB.doFinal(data);
         System.out.println("ECB encrypted: " + bytesToHex(ecbEncrypted));
 
         // Insecure block mode: CFB
-        Cipher cipherCFB = Cipher.getInstance("AES/CFB/PKCS5Padding"); // $Alert
+        Cipher cipherCFB = Cipher.getInstance("AES/CFB/PKCS5Padding"); // $ Alert
         cipherCFB.init(Cipher.ENCRYPT_MODE, key, iv);
         byte[] cfbEncrypted = cipherCFB.doFinal(data);
         System.out.println("CFB encrypted: " + bytesToHex(cfbEncrypted));
 
         // Insecure block mode: OFB
-        Cipher cipherOFB = Cipher.getInstance("AES/OFB/PKCS5Padding"); // $Alert
+        Cipher cipherOFB = Cipher.getInstance("AES/OFB/PKCS5Padding"); // $ Alert
         cipherOFB.init(Cipher.ENCRYPT_MODE, key, iv);
         byte[] ofbEncrypted = cipherOFB.doFinal(data);
         System.out.println("OFB encrypted: " + bytesToHex(ofbEncrypted));
 
         // Insecure block mode: CTR
-        Cipher cipherCTR = Cipher.getInstance("AES/CTR/NoPadding"); // $Alert
+        Cipher cipherCTR = Cipher.getInstance("AES/CTR/NoPadding"); // $ Alert
         cipherCTR.init(Cipher.ENCRYPT_MODE, key, iv);
         byte[] ctrEncrypted = cipherCTR.doFinal(data);
         System.out.println("CTR encrypted: " + bytesToHex(ctrEncrypted));
@@ -54,4 +54,4 @@ private static String bytesToHex(byte[] bytes) {
             sb.append(String.format("%02x", b));
         return sb.toString();
     }
-}
+}
@@ -12,33 +12,33 @@ void hashing() throws NoSuchAlgorithmException, IOException {
         props.load(new FileInputStream("example.properties"));
 
         // BAD: Using a weak hashing algorithm even with a secure default
-        MessageDigest bad = MessageDigest.getInstance(props.getProperty("hashAlg1")); // $Alert[java/quantum/examples/weak-hash]
+        MessageDigest bad = MessageDigest.getInstance(props.getProperty("hashAlg1")); // $ Alert[java/quantum/examples/weak-hash]
 
         // BAD: Using a weak hashing algorithm even with a secure default
-        MessageDigest bad2 = MessageDigest.getInstance(props.getProperty("hashAlg1", "SHA-256")); // $Alert[java/quantum/examples/weak-hash]
+        MessageDigest bad2 = MessageDigest.getInstance(props.getProperty("hashAlg1", "SHA-256")); // $ Alert[java/quantum/examples/weak-hash]
 
         // BAD: Using a strong hashing algorithm but with a weak default
-        MessageDigest bad3 = MessageDigest.getInstance(props.getProperty("hashAlg2", "MD5")); // $Alert[java/quantum/examples/weak-hash]
+        MessageDigest bad3 = MessageDigest.getInstance(props.getProperty("hashAlg2", "MD5")); // $ Alert[java/quantum/examples/weak-hash]
 
         // BAD: Using a weak hash
-        MessageDigest bad4 = MessageDigest.getInstance("SHA-1"); // $Alert[java/quantum/examples/weak-hash]
+        MessageDigest bad4 = MessageDigest.getInstance("SHA-1"); // $ Alert[java/quantum/examples/weak-hash]
 
         // BAD: Property does not exist and default (used value) is unknown
-        MessageDigest bad5 = MessageDigest.getInstance(props.getProperty("non-existent_property", "non-existent_default")); // $Alert[java/quantum/examples/unknown-hash]
+        MessageDigest bad5 = MessageDigest.getInstance(props.getProperty("non-existent_property", "non-existent_default")); // $ Alert[java/quantum/examples/unknown-hash]
 
         java.util.Properties props2 = new java.util.Properties();
 
         props2.load(new FileInputStream("unobserved-file.properties"));
 
-        // BAD: "hashAlg2" is not visible in the file loaded for props2, should be an unknown 
+        // BAD: "hashAlg2" is not visible in the file loaded for props2, should be an unknown
         // FALSE NEGATIVE for unknown hash
-        MessageDigest bad6 = MessageDigest.getInstance(props2.getProperty("hashAlg2", "SHA-256")); // $Alert[java/quantum/examples/unknown-hash]
+        MessageDigest bad6 = MessageDigest.getInstance(props2.getProperty("hashAlg2", "SHA-256")); // $ Alert[java/quantum/examples/unknown-hash]
 
         // GOOD: Using a strong hashing algorithm
         MessageDigest ok = MessageDigest.getInstance(props.getProperty("hashAlg2"));
 
         // BAD?: Property does not exist (considered unknown) and but default is secure
-        MessageDigest ok2 = MessageDigest.getInstance(props.getProperty("non-existent-property", "SHA-256")); // $Alert[java/quantum/examples/unknown-hash]
+        MessageDigest ok2 = MessageDigest.getInstance(props.getProperty("non-existent-property", "SHA-256")); // $ Alert[java/quantum/examples/unknown-hash]
 
         // GOOD: Using a strong hashing algorithm
         MessageDigest ok3 = MessageDigest.getInstance("SHA3-512");