Merge branch 'main' into python-update

GeekMasher · web-flow · commit 8ef81553a494 · 2024-01-10T16:23:03.000Z
diff --git a/cpp/src/qlpack.yml b/cpp/src/qlpack.yml
@@ -1,6 +1,6 @@
 library: false
 name: githubsecuritylab/codeql-cpp-queries
-version: 0.0.3
+version: 0.0.4
 suites: suites
 defaultSuiteFile: suites/cpp.qls
 dependencies:
diff --git a/cpp/src/suites/cpp-audit.qls b/cpp/src/suites/cpp-audit.qls
@@ -0,0 +1,20 @@
+- description: "GitHub's Community Packs C/C++ Audit Suite"
+
+# Audit queries
+- queries: '.'
+  from: githubsecuritylab/codeql-cpp-queries
+- include:
+    kind:
+    - problem
+    - path-problem
+    - metric
+    - diagnostic
+    tags contain:
+    - audit
+
+# External API query
+- queries: '.'
+  from: codeql/cpp-queries
+- include:
+    id:
+      - cpp/untrusted-data-to-external-api
diff --git a/csharp/src/qlpack.yml b/csharp/src/qlpack.yml
@@ -1,9 +1,9 @@
 library: false
 name: githubsecuritylab/codeql-csharp-queries
-version: 0.0.3
+version: 0.0.4
 suites: suites
 defaultSuiteFile: suites/csharp.qls
 dependencies:
-  codeql/csharp-all: '*'
-  codeql/csharp-queries: '*' # Required for Dependencies.ql
+  codeql/csharp-all: "*"
+  codeql/csharp-queries: "*" # Required for Dependencies.ql
   githubsecuritylab/codeql-csharp-libs: 0.0.1
diff --git a/csharp/src/security/CWE-328/WeakPasswordHashing.qhelp b/csharp/src/security/CWE-328/WeakPasswordHashing.qhelp
@@ -4,8 +4,7 @@
 <qhelp>
     <overview>
         <p>
-            Using a insufficiently computationally hard hash function can leave data
-            vulnerable, and should not be used for password hashing.
+            Hash functions that are not sufficiently computationally hard can leave data vulnerable. You should not use such functions for password hashing.
         </p>
 
         <p>
@@ -30,18 +29,18 @@
         </ul>
 
         <p>
-            All of MD5, SHA-1, SHA-2 and SHA-3 are weak against offline brute forcing, since they are not computationally hard.
+            All of MD5, SHA-1, SHA-2 and SHA-3 are weak against offline brute forcing, since they are not sufficiently computationally hard. This includes SHA-224, SHA-256, SHA-384 and SHA-512, which are in the SHA-2 family.
         </p>
 
         <p>
-            Password hashing algorithms are designed to be slow and/or memory intenstive to compute, which makes brute force attacks more difficult.
+            Password hashing algorithms should be slow and/or memory intensive to compute, to make brute force attacks more difficult.
         </p>
 
     </overview>
     <recommendation>
 
         <p>
-            Ensure that for password storage you should use a computationally hard cryptographic hash function, such as:
+            For password storage, you should use a sufficiently computationally hard cryptographic hash function, such as one of the following:
         </p>
 
         <ul>
@@ -51,7 +50,9 @@
             <li>
                 scrypt
             </li>
+            <li>
                 bcrypt
+            </li>
             <li>
                 PBKDF2
             </li>
@@ -61,7 +62,7 @@
     <example>
 
         <p>
-            The following examples show a function that hashes a password using a cryptographic hashing algorithm.
+            The following examples show two versions of the same function. In both cases, a password is hashed using a cryptographic hashing algorithm.
 
             In the first case the SHA-512 hashing algorithm is used. It is vulnerable to offline brute force attacks:
         </p>
diff --git a/csharp/src/suites/csharp-audit.qls b/csharp/src/suites/csharp-audit.qls
@@ -2,7 +2,7 @@
 
 # Audit queries
 - queries: '.'
-  from: githubsecuritylab/codeql-csharp
+  from: githubsecuritylab/codeql-csharp-queries
 - include:
     kind:
     - problem
diff --git a/java/src/qlpack.yml b/java/src/qlpack.yml
@@ -1,8 +1,8 @@
 library: false
 name: githubsecuritylab/codeql-java-queries
-version: 0.0.3
+version: 0.0.4
 suites: suites
 defaultSuiteFile: suites/java.qls
 dependencies:
-  codeql/java-all: '*'
+  codeql/java-all: "*"
   githubsecuritylab/codeql-java-libs: 0.0.1
diff --git a/java/src/suites/java-audit.qls b/java/src/suites/java-audit.qls
@@ -2,7 +2,7 @@
 
 # Audit queries
 - queries: '.'
-  from: githubsecuritylab/java-queries
+  from: githubsecuritylab/codeql-java-queries
 - include:
     kind:
     - problem
diff --git a/java/src/suites/java-local.qls b/java/src/suites/java-local.qls
@@ -4,7 +4,7 @@
   from: codeql/java-queries
 
 - queries: '.'
-  from: githubsecuritylab/java-queries
+  from: githubsecuritylab/codeql-java-queries
 - include:
     id:
       - java/xxe-local
