Skip to content

CWE(s) in Kotlin not being detected by java-kotlin queries? #19517

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
LillieEntur opened this issue May 19, 2025 · 1 comment
Open

CWE(s) in Kotlin not being detected by java-kotlin queries? #19517

LillieEntur opened this issue May 19, 2025 · 1 comment
Labels
question Further information is requested

Comments

@LillieEntur
Copy link

Hi!

I recently did a test with CodeQL on a new Kotlin project, and I included CWE-1204 to get a detection.

I copied the example from documentation and test case. I then used IntelliJ IDEA to convert it from Java to Kotlin.

@Throws(Exception::class)  
fun encryptWithZeroStaticIvByteArray(key: ByteArray?, plaintext: ByteArray?): ByteArray {  
  val iv = ByteArray(16) // $Source  
  
  val ivSpec = GCMParameterSpec(128, iv)  
  val keySpec = SecretKeySpec(key, "AES")  
  
  val cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING")  
  cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec) // $Alert  
  cipher.update(plaintext)  
  return cipher.doFinal()  
}

I got no detections, and assumed it was an issue with Actions setup, after debugging I decided to test out CWE-117 which I've heard works on Kotlin. After I ran the CI/CD setup it was detected.

I was recommended to try out example from CWE-1204 using a new Java project. After running the CI/CD setup, it was detected.

I spent some time trying to figure out why, decompiling the code, looking at logs. I then looked at sarif file, and I found following rule:

"ruleId": "java/telemetry/unsupported-external-api", 
"value": 4, 
"message": { "text": "kotlin.ByteArray#ByteArray(int)" }

Questions:

  • Is there a known list which queries have been tested and works with Kotlin?
    • or a list of queries that is not working with Kotlin?
  • Is there anything I can do while waiting for queries to be fully compatible with Kotlin?__
@LillieEntur LillieEntur added the question Further information is requested label May 19, 2025
@coadaflorin
Copy link
Contributor

Hi @LillieEntur, thanks for reaching out!

Reading through the ticket, it looks like you came across a piece of Kotlin which is not modelled by QL.

"ruleId": "java/telemetry/unsupported-external-api", 
"value": 4, 
"message": { "text": "kotlin.ByteArray#ByteArray(int)" }

This specific piece here says that CodeQL does not recognize this bit of code and can't trace data through the ByteArray.

I will open a ticket with the team to have a look at this.

There is a short list of queries that are disabled for Kotlin: java/mutually-dependent-types, java/dead-class, java/dead-field, java/dead-function, java/dereferenced-value-may-be-null, java/return-value-ignored, java/non-static-nested-class.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@coadaflorin @LillieEntur
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy