IBM · n1ckl0sk0rtge · Sep 19, 2024 · Sep 16, 2024 · Sep 16, 2024 · Sep 16, 2024
@@ -825,8 +825,7 @@ private void analyseExpression(
                     // scope
                     detectionStore.onDetectedDependingParameter(
                             parameter, methodInvocationTree, DetectionStore.Scope.EXPRESSION);
-                } else if (expression instanceof NewClassTree newClassTree
-                        && assignedSymbol.isEmpty()) {
+                } else if (expression instanceof NewClassTree newClassTree) {
                     // follow expression directly, do not find matching expression in the method
                     // scope
                     detectionStore.onDetectedDependingParameter(

@@ -19,36 +19,19 @@
  */
 package com.ibm.engine.model.context;
 
+import java.util.HashMap;
+import java.util.Map;
 import javax.annotation.Nonnull;
 import org.jetbrains.annotations.NotNull;
 
-public class AlgorithmParameterContext
-        implements IDetectionContext, ISupportKind<AlgorithmParameterContext.Kind> {
-
-    public enum Kind {
-        DH,
-        AEAD,
-        CCM,
-        GMSS,
-        IES,
-        KEY,
-        SABER,
-        NONE
-    }
-
-    @Nonnull private final Kind kind;
-
-    public AlgorithmParameterContext(@Nonnull Kind kind) {
-        this.kind = kind;
-    }
+public class AlgorithmParameterContext extends DetectionContext {
 
     public AlgorithmParameterContext() {
-        this.kind = Kind.NONE;
+        super(new HashMap<>());
     }
 
-    @Nonnull
-    public Kind kind() {
-        return kind;
+    public AlgorithmParameterContext(@Nonnull Map<String, String> properties) {
+        super(properties);
     }
 
     @NotNull @Override

@@ -23,70 +23,14 @@
 import java.util.Map;
 import javax.annotation.Nonnull;
 
-public class CipherContext extends DetectionContext
-        implements IDetectionContext, ISupportKind<CipherContext.Kind> {
-
-    public enum Kind {
-        PKE,
-        RSA,
-        Fernet,
-        OAEP,
-        CHACHA20POLY1305,
-        AES_WRAP,
-        AES_WRAP_WITH_PADDING,
-        ENCRYPTION_STATUS,
-        WRAPPING_STATUS,
-        ENCODING,
-        ENCODING_SIGNATURE,
-        WRAP,
-        BLOCK_CIPHER,
-        BLOCK_CIPHER_ENGINE,
-        BLOCK_CIPHER_ENGINE_FOR_AEAD,
-        STREAM_CIPHER_ENGINE,
-        ASYMMETRIC_CIPHER_ENGINE,
-        ASYMMETRIC_CIPHER_ENGINE_SIGNATURE,
-        ASYMMETRIC_BUFFERED_BLOCK_CIPHER,
-        BUFFERED_BLOCK_CIPHER,
-        AEAD_BLOCK_CIPHER,
-        AEAD_ENGINE,
-        PADDING,
-        PBE,
-        HASH,
-        NONE
-    }
-
-    @Nonnull private final Kind kind;
-
-    /**
-     * use a property map instead
-     *
-     * @deprecated
-     */
-    @Deprecated(since = "1.3.0")
-    public CipherContext(@Nonnull Kind kind) {
-        super(new HashMap<>());
-        this.kind = kind;
-    }
+public class CipherContext extends DetectionContext {
 
     public CipherContext() {
         super(new HashMap<>());
-        this.kind = Kind.NONE;
     }
 
     public CipherContext(@Nonnull Map<String, String> properties) {
         super(properties);
-        this.kind = Kind.NONE;
-    }
-
-    /**
-     * use a property map instead
-     *
-     * @deprecated
-     */
-    @Deprecated(since = "1.3.0")
-    @Nonnull
-    public Kind kind() {
-        return kind;
     }
 
     @Nonnull

@@ -23,48 +23,14 @@
 import java.util.Map;
 import javax.annotation.Nonnull;
 
-public class DigestContext extends DetectionContext
-        implements IDetectionContext, ISupportKind<DigestContext.Kind> {
-
-    public enum Kind {
-        NONE,
-        MGF1,
-        CRAMER_SHOUP,
-        NTRU,
-    }
-
-    @Nonnull private final Kind kind;
+public class DigestContext extends DetectionContext {
 
     public DigestContext() {
         super(new HashMap<>());
-        this.kind = Kind.NONE;
-    }
-
-    /**
-     * use a property map instead
-     *
-     * @deprecated
-     */
-    @Deprecated(since = "1.3.0")
-    public DigestContext(@Nonnull Kind kind) {
-        super(new HashMap<>());
-        this.kind = kind;
     }
 
     public DigestContext(@Nonnull Map<String, String> properties) {
         super(properties);
-        this.kind = Kind.NONE;
-    }
-
-    /**
-     * use a property map instead
-     *
-     * @deprecated
-     */
-    @Deprecated(since = "1.3.0")
-    @Nonnull
-    public Kind kind() {
-        return kind;
     }
 
     @Nonnull

@@ -19,23 +19,18 @@
  */
 package com.ibm.engine.model.context;
 
+import java.util.HashMap;
 import java.util.Map;
 import org.jetbrains.annotations.NotNull;
 
-public class KeyAgreementContext extends DetectionContext implements IDetectionContext {
+public class KeyAgreementContext extends DetectionContext {
 
-    public KeyAgreementContext(@NotNull Map<String, String> properties) {
-        super(properties);
+    public KeyAgreementContext() {
+        super(new HashMap<>());
     }
 
-    /**
-     * use a property map instead
-     *
-     * @deprecated
-     */
-    @Deprecated(since = "1.3.0")
-    public KeyAgreementContext() {
-        super(Map.of());
+    public KeyAgreementContext(@NotNull Map<String, String> properties) {
+        super(properties);
     }
 
     @NotNull @Override

@@ -27,36 +27,15 @@
 public class KeyContext extends DetectionContext
         implements IDetectionContext, ISupportKind<KeyContext.Kind> {
     public enum Kind {
-        KDF,
-        KEM,
+        /* TODO: they are still used in JCA and Python, but should be removed */
+        EC,
         DES,
         DESede,
         DH,
-        DH_FULL,
         DSA,
-        EC,
         PBE,
-        RSA,
-        X25519,
-        X448,
-        Ed25519,
-        Ed448,
-        Fernet,
-        CHACHA20POLY1305,
-        AESGCM,
-        AESGCMIV,
-        AESOCB3,
-        AESSIV,
-        AESCCM,
-        PBKDF2HMAC,
-        SCRYPT,
-        ConcatKDFHash,
-        ConcatKDFHMAC,
-        HKDF,
-        HKDFExpand,
-        KBKDFHMAC,
-        KBKDFCMAC,
-        X963KDF,
+        KDF,
+        KEM,
         NONE,
         UNKNOWN;
     }

@@ -23,48 +23,14 @@
 import java.util.Map;
 import javax.annotation.Nonnull;
 
-public class MacContext extends DetectionContext
-        implements IDetectionContext, ISupportKind<MacContext.Kind> {
-
-    public enum Kind {
-        CMAC,
-        HMAC,
-        Poly1305,
-        NONE
-    }
-
-    @Nonnull private final Kind kind;
-
-    /**
-     * use a property map instead
-     *
-     * @deprecated
-     */
-    @Deprecated(since = "1.3.0")
-    public MacContext(@Nonnull Kind kind) {
-        super(new HashMap<>());
-        this.kind = kind;
-    }
+public class MacContext extends DetectionContext {
 
     public MacContext() {
         super(new HashMap<>());
-        this.kind = Kind.NONE;
     }
 
     public MacContext(@Nonnull Map<String, String> properties) {
         super(properties);
-        this.kind = Kind.NONE;
-    }
-
-    /**
-     * use a property map instead
-     *
-     * @deprecated
-     */
-    @Deprecated(since = "1.3.0")
-    @Nonnull
-    public Kind kind() {
-        return kind;
     }
 
     @Nonnull

@@ -28,10 +28,6 @@ public class SignatureContext extends DetectionContext
     public enum Kind {
         PSS,
         MGF1,
-        DSA,
-        EdDSA,
-        MESSAGE_SIGNER,
-        SIGNING_STATUS,
         NONE
     }
 

@@ -23,6 +23,7 @@
 import com.ibm.enricher.algorithm.DESEnricher;
 import com.ibm.enricher.algorithm.DHEnricher;
 import com.ibm.enricher.algorithm.DSAEnricher;
+import com.ibm.enricher.algorithm.KEMEnricher;
 import com.ibm.enricher.algorithm.PBKDF2Enricher;
 import com.ibm.enricher.algorithm.RSAEnricher;
 import com.ibm.enricher.algorithm.RSAoaepEnricher;
@@ -88,7 +89,8 @@ public static Collection<INode> enrich(@Nonnull final Collection<INode> nodes) {
                     new RSAssaPSSEnricher(),
                     new RSAoaepEnricher(),
                     new SignatureEnricher(),
-                    new TagOrDigestEnricher());
+                    new TagOrDigestEnricher(),
+                    new KEMEnricher());
 
     /**
      * Enriches the given node with additional information.

@@ -0,0 +1,62 @@
+/*
+ * SonarQube Cryptography Plugin
+ * Copyright (C) 2024 IBM
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to you under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.ibm.enricher.algorithm;
+
+import com.ibm.enricher.IEnricher;
+import com.ibm.mapper.model.INode;
+import com.ibm.mapper.model.Oid;
+import com.ibm.mapper.model.ParameterSetIdentifier;
+import com.ibm.mapper.model.algorithms.kyber.MLKEM;
+import com.ibm.mapper.utils.DetectionLocation;
+import java.util.Optional;
+import javax.annotation.Nonnull;
+
+public class KEMEnricher implements IEnricher {
+
+    @Override
+    public @Nonnull INode enrich(@Nonnull INode node) {
+        if (node instanceof MLKEM mlkem) {
+            return enrichMLKEM(mlkem);
+        }
+        return node;
+    }
+
+    @Nonnull
+    private MLKEM enrichMLKEM(@Nonnull MLKEM mlkem) {
+        final Optional<INode> parameterSetIdentifierOptional =
+                mlkem.hasChildOfType(ParameterSetIdentifier.class);
+        if (parameterSetIdentifierOptional.isPresent()
+                && parameterSetIdentifierOptional.get()
+                        instanceof ParameterSetIdentifier parameterSetIdentifier) {
+            final DetectionLocation detectionLocation =
+                    parameterSetIdentifier.getDetectionContext();
+            switch (parameterSetIdentifier.asString()) {
+                case "512" -> mlkem.put(new Oid("2.16.840.1.101.3.4.4.1", detectionLocation));
+                case "768" -> mlkem.put(new Oid("2.16.840.1.101.3.4.4.2", detectionLocation));
+                case "1024" -> mlkem.put(new Oid("2.16.840.1.101.3.4.4.3", detectionLocation));
+                default -> {
+                    // the base OID for NIST KEM
+                    mlkem.put(new Oid("2.16.840.1.101.3.4.4", detectionLocation));
+                }
+            }
+        }
+        return mlkem;
+    }
+}