Codeql scan cannot produce results

[kexinoh]

I am trying to scan the ECB mode, which is this API:
import javax.crypto.Cipher;
Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
When I tested, I used the CamBench-Cap dataset, and its example is as follows:

/*
package org.cambench.cap.basic.ecbmode;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;

public class EcbMode1 {
    public static void main(String[] args) throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException {
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        KeyGenerator keyGen = KeyGenerator.getInstance("AES");
        cipher.init(Cipher.ENCRYPT_MODE,keyGen.generateKey());
    }
}

I used the QL code scan I completed myself, but I don't know where the problem lies? I didn't scan any results.

/**

 * @kind path-problem
 * @id java/0-javax-getInstance-misuse
 * @problem.severity error
 * @precision high
 * @tags security
 */

import java
import semmle.code.java.dataflow.FlowSources
import DataFlow::PathGraph

module A0ModeUsage implements DataFlow::ConfigSig {

    predicate isSource(DataFlow::Node source) {
              exists(StringLiteral str |
                   (str.getValue().toUpperCase().matches("%ECB%")) and
                   source.asExpr() = str
             )
       }

    predicate isSink(DataFlow::Node sink) {
        exists(Call call |
                call.getCallee().(Constructor).getDeclaringType().hasQualifiedName("javax.crypto.Cipher","getInstance") and
                sink.asExpr()=call.getArgument(0)
        )
    }

}

module A0ModeUsageFlow = TaintTracking::Global;

from A0ModeUsageFlow::PathNode source, A0ModeUsageFlow::PathNode sink
where A0ModeUsageFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "I find one ECB"

[pwntester]

Hi @kexinoh,

From a quick read, I can see see you are matching a Constructor call rather than a Method one. Since getInstance is a method you should be using:

        exists(Call call |
                call.getCallee().(Method).getDeclaringType().hasQualifiedName("javax.crypto.Cipher","getInstance") and
                sink.asExpr()=call.getArgument(0)
        )

or just

        exists(MethodCall call, Method m |
                call.getMethod() = m and
                m.hasQualifiedName("javax.crypto.Cipher","getInstance") and
                sink.asExpr()=call.getArgument(0)
        )

[kexinoh]

Thank you very much for your answer, but after testing, I found that neither of them works. The first QL is unable to find the corresponding ECB, while the second QL will report an error: Error: hasQualifiedName (string, string) cannot be resolved for type Member:: Method (D: \ pychar \ Javascan \ tempoutput \ jacx \ query0. ql: 26,19-35)

[kexinoh]

i work it by this:
exists(MethodCall api | api.getQualifier().getType().(RefType).hasQualifiedName("javax.crypto","Cipher") and api.getMethod().getName() = "getInstance" and sink.asExpr()=api.getAnArgument() )

[pwntester]

Glad you solved it! The Method.hasQualifiedName() has a different signature that the one I posted from memory (sorry). You should be able to use it with m.hasQualifiedName("javax.crypto", "Cipher","getInstance") https://codeql.github.com/codeql-standard-libraries/java/semmle/code/java/Member.qll/predicate.Member$Member$hasQualifiedName.3.html