IBM / sonar-cryptography

This repository contains a SonarQube Plugin that detects cryptographic assets in source code and generates CBOM.
Apache License 2.0

Resolution for an outer parameter that is used in a subscription expression #10

Open n1ckl0sk0rtge opened 1 month ago

n1ckl0sk0rtge commented 1 month ago

Example inspired by this code.

```python
from cryptography.hazmat.primitives.asymmetric import ec

_curveTable = {
    b'ecdsa-sha2-nistp256': ec.SECP256R1(),
    b'ecdsa-sha2-nistp384': ec.SECP384R1(),
    b'ecdsa-sha2-nistp521': ec.SECP521R1(),
}

class Key:
    def _fromECComponents(cls, x, y, curve, privateValue=None):
        # `curve` is a parameter of the enclosing function and is used as the dict index
        publicNumbers = ec.EllipticCurvePublicNumbers(
            x=x, y=y, curve=_curveTable[curve])
        #....

Key._fromECComponents(..., ..., ..., b'ecdsa-sha2-nistp256', ...) # Noncompliant {{SECP256R1}} (desired behaviour)
```

In this example, we want to resolve a curve value by looking into a dictionary. While this resolution is already implemented, this is a particular case where the subscription index `curve` is a parameter of the enclosing function. Here, `curve` is correctly resolved (using outer scope resolution) to `b'ecdsa-sha2-nistp256'`, but this resolved value is not later used to look into the dictionary. Therefore, the captured value is currently `b'ecdsa-sha2-nistp256'` instead of `SECP256R1`.
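The resolution step the issue asks for, written out as an added stand-alone example (it is not the sonar-cryptography plugin's code, which is a Java SonarQube plugin, and not code from the issue author): a small `ast`-based resolver follows the literal argument at each call site into the function parameter, then through the `_curveTable[curve]` subscription, and reports the dictionary *value* (`SECP256R1`) rather than the key (`b'ecdsa-sha2-nistp256'`). The sample source is constructed here, modelled on the snippet above; it assumes `_fromECComponents` is a `@classmethod` (so the bound `cls` is dropped from the positional argument list, handled by the `offset` heuristic), handles both positional and keyword arguments, and leaves a non-literal argument unresolved. It goes slightly beyond the issue by covering the keyword-argument and unresolvable cases. Requires Python 3.9+ (`ast.Subscript.slice` is the index expression itself).

```python
"""Resolve a dict subscription whose index is a parameter of the enclosing function."""
import ast

# Constructed sample input (not from the issue or the plugin); line numbers are 1-based.
SOURCE = '''
from cryptography.hazmat.primitives.asymmetric import ec

_curveTable = {
    b'ecdsa-sha2-nistp256': ec.SECP256R1(),
    b'ecdsa-sha2-nistp384': ec.SECP384R1(),
    b'ecdsa-sha2-nistp521': ec.SECP521R1(),
}

class Key:
    @classmethod
    def _fromECComponents(cls, x, y, curve, privateValue=None):
        publicNumbers = ec.EllipticCurvePublicNumbers(
            x=x, y=y, curve=_curveTable[curve])
        return cls(publicNumbers)

Key._fromECComponents(1, 2, b'ecdsa-sha2-nistp256')            # positional argument
Key._fromECComponents(x=1, y=2, curve=b'ecdsa-sha2-nistp384')  # keyword argument
Key._fromECComponents(1, 2, name_from_config)                  # not a literal: unresolved
'''


def constant_tables(tree):
    """Module-level `name = {literal: value, ...}` -> {name: {key: value_node}}."""
    tables = {}
    for node in tree.body:
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Dict):
            entries = {k.value: v for k, v in zip(node.value.keys, node.value.values)
                       if isinstance(k, ast.Constant)}
            for target in node.targets:
                if isinstance(target, ast.Name):
                    tables[target.id] = entries
    return tables


def find_function(tree, name):
    for node in ast.walk(tree):
        if isinstance(node, ast.FunctionDef) and node.name == name:
            return node
    raise LookupError(name)


def parameter_subscripts(func):
    """Subscripts `table[p]` inside func whose index p is one of func's own parameters.
    Returns (table name, parameter name, parameter position)."""
    params = [a.arg for a in func.args.args]
    found = []
    for node in ast.walk(func):
        if not (isinstance(node, ast.Subscript) and isinstance(node.value, ast.Name)):
            continue
        index = node.slice  # Python 3.9+: the index expression itself
        if isinstance(index, ast.Name) and index.id in params:
            found.append((node.value.id, index.id, params.index(index.id)))
    return found


def called_name(func_expr):
    if isinstance(func_expr, ast.Attribute):
        return func_expr.attr
    if isinstance(func_expr, ast.Name):
        return func_expr.id
    return None


def argument_at_call(call, param, position):
    """The expression bound to `param` at this call site, by keyword first, else by position."""
    for kw in call.keywords:
        if kw.arg == param:
            return kw.value
    if 0 <= position < len(call.args):
        return call.args[position]
    return None


def value_name(expr):
    """Render the resolved dict value, e.g. `ec.SECP256R1()` -> 'SECP256R1'."""
    if isinstance(expr, ast.Call):
        expr = expr.func
    return called_name(expr) or ast.dump(expr)


def resolve_subscripted_parameters(source, function_name):
    """For every call of function_name, carry the literal argument through the parameter
    into the dict subscription and report the dict value, not the key.
    Returns [(call line, resolved value name)] sorted by line."""
    tree = ast.parse(source)
    tables = constant_tables(tree)
    func = find_function(tree, function_name)
    # Heuristic: a method's bound self/cls is not in the caller's positional list.
    offset = 1 if func.args.args and func.args.args[0].arg in ("self", "cls") else 0
    hits = parameter_subscripts(func)
    results = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and called_name(node.func) == function_name):
            continue
        for table, param, pos in hits:
            arg = argument_at_call(node, param, pos - offset)
            if isinstance(arg, ast.Constant) and arg.value in tables.get(table, {}):
                results.append((node.lineno, value_name(tables[table][arg.value])))
    return sorted(results)


if __name__ == "__main__":
    for line, curve in resolve_subscripted_parameters(SOURCE, "_fromECComponents"):
        print(f"line {line}: resolved curve {curve}")
```

The two literal call sites resolve to `SECP256R1` and `SECP384R1`; the third call passes a name rather than a literal, so nothing is reported for it, which is the conservative choice for a detector that must not invent an asset it cannot prove.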