
CWE(s) in Kotlin not being detected by java-kotlin queries?

Open LillieEntur opened this issue 8 months ago • 1 comment

Hi!

I recently did a test with CodeQL on a new Kotlin project, and I included CWE-1204 to get a detection.

I copied the example from the documentation and test case. I then used IntelliJ IDEA to convert it from Java to Kotlin.

import javax.crypto.Cipher
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.SecretKeySpec

// CWE-1204 test case: the IV is a fixed, all-zero array, so every message
// encrypted under the same key reuses the same GCM nonce.
@Throws(Exception::class)
fun encryptWithZeroStaticIvByteArray(key: ByteArray?, plaintext: ByteArray?): ByteArray {
  val iv = ByteArray(16) // $Source: zero-initialised, never randomised

  val ivSpec = GCMParameterSpec(128, iv)
  val keySpec = SecretKeySpec(key, "AES")

  val cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING")
  cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec) // $Alert: the static IV reaches init()
  cipher.update(plaintext)
  return cipher.doFinal()
}

I got no detections and assumed it was an issue with the Actions setup. After debugging, I decided to test out CWE-117, which I've heard works on Kotlin. After I ran the CI/CD setup, it was detected.

I was recommended to try out the CWE-1204 example in a new Java project. After running the CI/CD setup, it was detected.

I spent some time trying to figure out why, decompiling the code and looking at logs. I then looked at the SARIF file and found the following rule:

"ruleId": "java/telemetry/unsupported-external-api",
"value": 4,
"message": { "text": "kotlin.ByteArray#ByteArray(int)" }

Questions:

  • Is there a known list of which queries have been tested and work with Kotlin?
    • or a list of queries that are not working with Kotlin?
  • Is there anything I can do while waiting for queries to be fully compatible with Kotlin?

LillieEntur, May 19 '25 09:05

Hi @LillieEntur, thanks for reaching out!

Reading through the ticket, it looks like you came across a piece of Kotlin which is not modelled by QL.

"ruleId": "java/telemetry/unsupported-external-api",
"value": 4,
"message": { "text": "kotlin.ByteArray#ByteArray(int)" }

This specific piece here says that CodeQL does not recognize this bit of code and can't trace data through the ByteArray.

I will open a ticket with the team to have a look at this.

There is a short list of queries that are disabled for Kotlin: java/mutually-dependent-types, java/dead-class, java/dead-field, java/dead-function, java/dereferenced-value-may-be-null, java/return-value-ignored, java/non-static-nested-class.

coadaflorin, May 21 '25 13:05
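The telemetry entry quoted in both posts is the practical check here: before trusting a clean CodeQL run on a Kotlin project, list every API that `java/telemetry/unsupported-external-api` reports as unmodelled and look for Kotlin stdlib members the dataflow library cannot trace through. The script below is an added example, not code from the thread or from the CodeQL project. It assumes that CodeQL writes metric-kind results under `runs[].properties.metricResults` in the SARIF (with a fallback over ordinary `runs[].results`), and the embedded SARIF is a constructed sample modelled on the entry above; only the `kotlin.ByteArray#ByteArray(int)` row with count 4 comes from the thread.

```python
import json
import sys
from collections import Counter

TELEMETRY_RULE = "java/telemetry/unsupported-external-api"


def sample_sarif() -> dict:
    """Constructed SARIF fragment for offline use; only the ByteArray row
    and its count of 4 are taken from the issue, the rest is made up."""
    return {
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": "CodeQL"}},
            "results": [],
            "properties": {
                # Assumption: CodeQL places @kind metric rows here.
                "metricResults": [
                    {"ruleId": TELEMETRY_RULE, "value": 4,
                     "message": {"text": "kotlin.ByteArray#ByteArray(int)"}},
                    {"ruleId": TELEMETRY_RULE, "value": 2,
                     "message": {"text": "kotlin.collections.ArraysKt#copyOf(byte[],int)"}},
                    {"ruleId": TELEMETRY_RULE, "value": 1,
                     "message": {"text": "com.example.Util#helper(String)"}},
                    {"ruleId": "java/telemetry/supported-external-api", "value": 9,
                     "message": {"text": "javax.crypto.Cipher#init(int,Key,AlgorithmParameterSpec)"}},
                ]
            },
        }],
    }


def iter_telemetry(sarif: dict):
    """Yield (ruleId, value, messageText) for every metric row in every run.

    Rows are read from runs[].properties.metricResults (assumed layout) and,
    as a fallback, from runs[].results so a flattened SARIF still works.
    """
    for run in sarif.get("runs", []):
        rows = list(run.get("properties", {}).get("metricResults", []))
        rows.extend(run.get("results", []))
        for row in rows:
            text = row.get("message", {}).get("text", "")
            yield row.get("ruleId"), row.get("value"), text


def unsupported_apis(sarif: dict, prefix: str = "") -> list[tuple[str, int]]:
    """Return [(api, call_count)] for unmodelled APIs, most-called first.

    Pass prefix="kotlin." to see only stdlib members that the Java/Kotlin
    dataflow library has no model for; a row without a value counts as 1.
    """
    counts: Counter[str] = Counter()
    for rule_id, value, text in iter_telemetry(sarif):
        if rule_id != TELEMETRY_RULE or not text.startswith(prefix):
            continue
        counts[text] += int(value) if value is not None else 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def main(argv: list[str]) -> None:
    # With a path argument, read a real SARIF; otherwise use the sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            sarif = json.load(fh)
    else:
        sarif = sample_sarif()
    print(f"APIs reported by {TELEMETRY_RULE}:")
    for api, n in unsupported_apis(sarif):
        marker = "  <- kotlin stdlib, dataflow stops here" if api.startswith("kotlin.") else ""
        print(f"  {n:>4}  {api}{marker}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the SARIF produced by `codeql database analyze ... --format=sarif-latest`; any `kotlin.*` entry in the output names a stdlib call that a Java-oriented query such as the CWE-1204 one cannot follow, which is exactly the gap the thread describes for `ByteArray(16)`.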