make abstract class, remove microsoft from id, add qhelp

Author: chanel-y

powershell/ql/src/queries/security/cwe-757/DeprecatedTls.qhelp

@@ -0,0 +1,42 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>
+      TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols
+      used to secure network communications. Older versions of these protocols have known
+      vulnerabilities that can be exploited by attackers to compromise the confidentiality and
+      integrity of data in transit.
+    </p>
+    <p>
+      The following versions are considered deprecated:
+    </p>
+    <ul>
+      <li>SSL 3.0 is vulnerable to the POODLE attack and other weaknesses.</li>
+      <li>TLS 1.0 has known vulnerabilities including the BEAST attack and weak cipher suites.</li>
+      <li>TLS 1.1 lacks support for modern cryptographic algorithms and is deprecated by RFC 8996.</li>
+    </ul>
+  </overview>
+  <recommendation>
+    <p>
+      Use TLS 1.2 or TLS 1.3 for all secure communications. TLS 1.3 is preferred as it removes
+      support for legacy cryptographic features and provides improved performance. When configuring
+      <code>SecurityProtocolType</code>, use <code>Tls12</code> or <code>Tls13</code>.
+    </p>
+  </recommendation>
+  <example>
+    <p>
+      In the following example, the script enables the deprecated SSL 3.0 and TLS 1.0 protocols:
+    </p>
+    <sample src="examples/DeprecatedTls/DeprecatedTlsBad.ps1" />
+    <p>
+      The following example shows the corrected code using TLS 1.2:
+    </p>
+    <sample src="examples/DeprecatedTls/DeprecatedTlsGood.ps1" />
+  </example>
+  <references>
+    <li>IETF, RFC 8996: <a href="https://datatracker.ietf.org/doc/html/rfc8996">Deprecating TLS 1.0 and TLS 1.1</a>.</li>
+    <li>NIST, SP 800-52 Rev. 2: <a href="https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/final">Guidelines for the Selection, Configuration, and Use of TLS Implementations</a>.</li>
+    <li>OWASP: <a href="https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html">Transport Layer Security Cheat Sheet</a>.</li>
+    <li>CWE-757: <a href="https://cwe.mitre.org/data/definitions/757.html">Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')</a>.</li>
+  </references>
+</qhelp>

powershell/ql/src/queries/security/cwe-757/DeprecatedTls.ql

@@ -5,7 +5,7 @@
  * @problem.severity error
  * @security-severity 7.5
  * @precision high
- * @id powershell/microsoft/security/deprecated-tls
+ * @id powershell/deprecated-tls
  * @tags security
  *       external/cwe/cwe-327
  *       external/cwe/cwe-757
@@ -15,13 +15,6 @@ import powershell
 import semmle.code.powershell.ApiGraphs
 import semmle.code.powershell.dataflow.DataFlow
 
-/**
- * Holds if `protocolName` is a deprecated TLS/SSL protocol (lowercase).
- */
-predicate isDeprecatedProtocol(string protocolName) {
-  protocolName = ["ssl3", "tls", "tls11"]
-}
-
 /**
  * Gets the human-readable name for a deprecated protocol.
  */
@@ -34,11 +27,15 @@ string getProtocolDisplayName(string protocolName) {
   protocolName = "tls11" and result = "TLS 1.1"
 }
 
+abstract class SecurityProtocol extends Expr {
+  abstract string getProtocolName();
+}
+
 /**
  * A reference to a deprecated SecurityProtocolType enum value, e.g.
  * [Net.SecurityProtocolType]::Ssl3
  */
-class DeprecatedSecurityProtocolType extends DataFlow::Node {
+class DeprecatedSecurityProtocolType extends SecurityProtocol {
   string protocolName;
 
   DeprecatedSecurityProtocolType() {
@@ -55,19 +52,18 @@ class DeprecatedSecurityProtocolType extends DataFlow::Node {
               .getMember("securityprotocoltype")
               .getMember(protocolName)
       ) and
-      this = node.asSource() and
-      isDeprecatedProtocol(protocolName)
+      this = node.asSource().asExpr().getExpr()
     )
   }
 
-  string getProtocolName() { result = protocolName }
+  override string getProtocolName() { result = protocolName }
 }
 
 /**
  * A reference to a deprecated SslProtocols enum value, e.g.
  * [System.Security.Authentication.SslProtocols]::Tls
  */
-class DeprecatedSslProtocols extends DataFlow::Node {
+class DeprecatedSslProtocols extends SecurityProtocol {
   string protocolName;
 
   DeprecatedSslProtocols() {
@@ -78,21 +74,17 @@ class DeprecatedSslProtocols extends DataFlow::Node {
             .getMember("authentication")
             .getMember("sslprotocols")
             .getMember(protocolName) and
-      this = node.asSource() and
-      isDeprecatedProtocol(protocolName)
+      this = node.asSource().asExpr().getExpr()
     )
   }
 
-  string getProtocolName() { result = protocolName }
+  override string getProtocolName() { result = protocolName }
 }
 
-from DataFlow::Node node, string protocolName
+from SecurityProtocol sp, string protocolName
 where
-  exists(DeprecatedSecurityProtocolType d |
-    node = d and protocolName = d.getProtocolName()
-  )
-  or
-  exists(DeprecatedSslProtocols d | node = d and protocolName = d.getProtocolName())
-select node,
+  protocolName = sp.getProtocolName() and 
+  protocolName = ["ssl3", "tls", "tls11"]
+select sp,
   "Use of deprecated protocol " + getProtocolDisplayName(protocolName) +
     ". Use TLS 1.2 or TLS 1.3 instead."

powershell/ql/src/queries/security/cwe-757/examples/DeprecatedTls/DeprecatedTlsBad.ps1

@@ -0,0 +1,8 @@
+# BAD: Using deprecated SSL 3.0
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Ssl3
+
+# BAD: Using deprecated TLS 1.0
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls
+
+# BAD: Using deprecated TLS 1.1
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls11

powershell/ql/src/queries/security/cwe-757/examples/DeprecatedTls/DeprecatedTlsGood.ps1

@@ -0,0 +1,5 @@
+# GOOD: Using TLS 1.2
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+
+# GOOD: Using TLS 1.3
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls13