Rust: Update legacy MaD models 2 #19942
Conversation
Accepted test regressions. There are almost no results left for We also lose some results in a test case involving a loop, similar to the one discussed in #19934 (comment).
rust/ql/lib/codeql/rust/frameworks/rustcrypto/rustcrypto.model.yml
Co-authored-by: Arthur Baars <[email protected]>
rust/ql/lib/codeql/rust/frameworks/rustcrypto/rustcrypto.model.yml
@@ -11,8 +11,8 @@ fn test_hash_algorithms( | |||
|
|||
// MD5 | |||
_ = md5::Md5::digest(harmless); | |||
_ = md5::Md5::digest(credit_card_no); // $ Alert[rust/weak-sensitive-data-hashing] | |||
_ = md5::Md5::digest(password); // $ Alert[rust/weak-sensitive-data-hashing] | |||
_ = md5::Md5::digest(credit_card_no); // $ MISSING: Alert[rust/weak-sensitive-data-hashing] |
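Review bot: the `credit_card_no` line at the end of the hunk changes its expectation from `$ Alert[rust/weak-sensitive-data-hashing]` to `$ MISSING: Alert[rust/weak-sensitive-data-hashing]`, which records an accepted regression rather than a fix; please put a short comment next to that marker naming the tracking issue from the thread (the unresolved `impl<T> Foo for T` call resolution), so the `MISSING` is revisited when type inference improves instead of silently becoming the baseline.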
Currently `getStaticTarget()` fails on `md5::Md5::digest`. These are the relevant lines:

```rust
// Type alias: the name a caller writes is not a struct of its own.
pub type Md5 = CoreWrapper<Md5Core>;

// Blanket impl: `Digest` is provided for every `D` meeting the bounds,
// so no impl mentions `Md5` or `CoreWrapper` by name.
impl<D: FixedOutput + Default + Update + HashMarker> Digest for D {
    fn digest(data: impl AsRef<[u8]>) -> Output<Self> { ... }
}
```
@hvitved I guess the type variable in `for D` is the cause of the trouble, isn't it?
Yes, we don't currently handle `impl<T> Foo for T`; I have added this instance to our internal issue tracking this.
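The following stand-alone Rust program is an added illustration of the call shape the thread is about; it is not code from this PR, from CodeQL, or from the RustCrypto crates. The names `ToyCore`, `CoreWrapper`, `ToyHash`, `Update`, `FixedOutput`, `HashMarker` and `Digest` are assumptions modelled loosely on the `digest`/`md5` crates, and the hash itself is 64-bit FNV-1a standing in for MD5. The point it makes concrete: `ToyHash::digest(..)` resolves to a function that lives only in a blanket impl, so finding the static target means expanding the alias and checking the concrete type against every bound on `D`, which is the step a model keyed on `md5::Md5::digest` depends on.

```rust
// Added example, not from the PR or the RustCrypto crates: a minimal
// reconstruction of a type alias over a generic wrapper plus a blanket
// `impl<D: Bounds> Digest for D`. All names are assumed; the hash is
// 64-bit FNV-1a, a stand-in for MD5.

pub trait Update {
    fn update(&mut self, data: &[u8]);
}

pub trait FixedOutput {
    fn finalize_fixed(self) -> [u8; 8];
}

/// Marker trait, like `digest::HashMarker`; carries no methods.
pub trait HashMarker {}

/// Toy hash core: a 64-bit FNV-1a state.
pub struct ToyCore {
    state: u64,
}

impl Default for ToyCore {
    fn default() -> Self {
        // FNV-1a 64-bit offset basis.
        ToyCore { state: 0xcbf2_9ce4_8422_2325 }
    }
}

impl Update for ToyCore {
    fn update(&mut self, data: &[u8]) {
        for &b in data {
            self.state ^= u64::from(b);
            self.state = self.state.wrapping_mul(0x0000_0100_0000_01b3);
        }
    }
}

impl FixedOutput for ToyCore {
    fn finalize_fixed(self) -> [u8; 8] {
        self.state.to_be_bytes()
    }
}

/// Generic wrapper, mirroring the role of `CoreWrapper` in the thread.
pub struct CoreWrapper<C> {
    core: C,
}

impl<C: Default> Default for CoreWrapper<C> {
    fn default() -> Self {
        CoreWrapper { core: C::default() }
    }
}

impl<C: Update> Update for CoreWrapper<C> {
    fn update(&mut self, data: &[u8]) {
        self.core.update(data)
    }
}

impl<C: FixedOutput> FixedOutput for CoreWrapper<C> {
    fn finalize_fixed(self) -> [u8; 8] {
        self.core.finalize_fixed()
    }
}

impl<C> HashMarker for CoreWrapper<C> {}

/// The alias a caller names, like `pub type Md5 = CoreWrapper<Md5Core>;`.
pub type ToyHash = CoreWrapper<ToyCore>;

pub trait Digest {
    fn digest(data: impl AsRef<[u8]>) -> [u8; 8];
}

/// The only `impl ... Digest` in the program. Nothing here names
/// `ToyHash` or `CoreWrapper`: resolving `ToyHash::digest` means
/// expanding the alias, then checking each bound on `D` against it.
impl<D: FixedOutput + Default + Update + HashMarker> Digest for D {
    fn digest(data: impl AsRef<[u8]>) -> [u8; 8] {
        let mut hasher = D::default();
        hasher.update(data.as_ref());
        hasher.finalize_fixed()
    }
}

/// Hashes through the alias path a user would write and returns hex.
pub fn toy_digest_hex(data: &[u8]) -> String {
    ToyHash::digest(data).iter().map(|b| format!("{b:02x}")).collect()
}

/// Same target reached through fully qualified syntax; both spellings
/// end up in the blanket impl's `digest`.
pub fn toy_digest_hex_ufcs(data: &[u8]) -> String {
    <ToyHash as Digest>::digest(data).iter().map(|b| format!("{b:02x}")).collect()
}

fn main() {
    println!("{}", toy_digest_hex(b"a"));
}
```

Both `toy_digest_hex` and `toy_digest_hex_ufcs` return the same bytes because there is exactly one `digest` function to reach; a resolver that stops at the alias or does not discharge the `D: FixedOutput + Default + Update + HashMarker` bounds finds nothing, which is the failure mode `getStaticTarget()` shows on `md5::Md5::digest` above.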
Thanks. I've just created an issue to track test results we are losing but expect to get back with type inference improvements - the idea being we can merge this before we get it back if we want to.
….yml Co-authored-by: Arthur Baars <[email protected]>
Co-authored-by: Arthur Baars <[email protected]>
I think the only remaining issue is the CWE-328 test regressions, which we now have
DCA LGTM, apart from lost query sinks and cryptographic operations. Likely all are the CWE-328 issue we picked up in tests. (There's some discussion going on elsewhere about whether to temporarily accept these regressions, or put in a temporary fix; other than that I think we're good to merge now.)
Merge conflict fixed.
Update some more legacy MaD models to the new model format (continues from #19934, but should be independent of that).