Java: detect use of deprecated Azure Active Directory Authentication Library #5108
phenggeler wants to merge 2 commits into github:main from
Conversation
Let's definitely not have a query for every single deprecated library -- I suggest restructuring this to something like It's fine for it to only diagnose use of this one library for now, but e.g. the qhelp should be expressed in general terms, and doesn't need to give particular code examples.

Two other notes:

Hi @smowton - thanks for your review. I agree with your assessment. I noticed you assigned this to yourself - are you OK if I start implementing your suggested changes? Was there any other review you wanted to make?

No that's it, please go ahead. My assignment is intended to represent my responsibility as reviewer.

This CodeQL query looks for a pre-defined list of deprecated Java classes being imported into a project. Currently, the scope is limited to a few, but could be expanded to include this complete list: https://docs.oracle.com/javase/9/docs/api/deprecated-list.html#class Example of this query run against various Microsoft and Apache projects:

| predicate usesInsecureDependency(Import i) { | ||
| i.toString().splitAt(" ", 1) in [ "com.microsoft.aad.adal4j.*", | ||
| "AuthenticationContext", |
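Review bot: matching on `i.toString().splitAt(" ", 1)` ties the predicate to the printed form of `Import`, and the bare entry `"AuthenticationContext"` will match a class of that name from any package, not only ADAL's `com.microsoft.aad.adal4j`. Match on the imported package instead, e.g. `imp.(ImportOnDemandFromPackage).getImportedPackage().getName()` for wildcard imports and `imp.(ImportType).getImportedType().getPackage().getName()` for single-type imports, compared against the package prefix, so only imports that really come from the deprecated library are flagged.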
Why is this looking for particular class names? Can we just look for any import matching "com.microsoft.aad.adal4j.%"?
| * @kind problem | ||
| * @problem.severity error | ||
| * @precision high | ||
| * @id java/microsoft/using-insecure-dependency |
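Review bot: `@problem.severity error` is a strong level for the import of a deprecated library, which is a migration finding rather than a demonstrated defect; `warning` fits CodeQL's convention better. The metadata block also has no `@description` or `@tags`, so the alert gives the reader no indication of why the dependency is a problem or which query category it belongs to; add both.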
| * @id java/microsoft/using-insecure-dependency | |
| * @id java/using-deprecated-dependency |
| @@ -0,0 +1,23 @@ | |||
| /** | |||
| * @name Using Insecure Dependency | |||
| * @name Using Insecure Dependency | |
| * @name Using Deprecated Dependency |
| } | ||
| from Import imp | ||
| where imp = max(Import i | usesInsecureDependency(i) | i order by i.getFile().toString()) |
This would only give one alert even if they used two different deprecated packages. How about writing a predicate that takes the max Import per dependency, so that if I have imports
import deprecated1.SomeClass1
import deprecated2.SomeClass2
import deprecated1.SomeOtherClass1
import deprecated2.SomeOtherClass2
import deprecated1.SomeOtherClass1
Then I should get two alerts: use of dependency deprecated1, use of dependency deprecated2.
Also regarding your list of deprecated classes, note we already have a query for use of deprecated classes or methods. This query should be restricted to deprecated libraries / packages that don't carry the

@phenggeler please tag me when this is ready for re-review

@phenggeler do you intend to keep working on this?
This CodeQL query detects the dependence upon Azure Active Directory Authentication Library (ADAL). This library was deprecated by Microsoft in June 2020, and Microsoft suggests projects move to the supported Microsoft Authentication Library (MSAL).
https://techcommunity.microsoft.com/t5/azure-active-directory-identity/update-your-applications-to-use-microsoft-authentication-library/ba-p/1257363
Example of this query run against various Microsoft projects:
https://lgtm.com/query/7515233935542346311/
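As an added example, not code from this PR or from the CodeQL repository, the query below restructures the idea along the lines the reviewer asks for in the thread above: a general "deprecated dependency" query with a single table of deprecated package prefixes, matching on the imported package rather than on the string form of the import, and reporting one alert per (file, deprecated library) instead of a single alert for the whole database. The ADAL prefix `com.microsoft.aad.adal4j` is taken from the original predicate; the MSAL package `com.microsoft.aad.msal4j` named in the message, the query id and the per-file grouping are this example's assumptions.

```ql
/**
 * @name Using Deprecated Dependency
 * @description Imports from a library that its vendor has deprecated and no
 *              longer maintains; migrate to the supported replacement.
 * @kind problem
 * @problem.severity warning
 * @precision high
 * @id java/using-deprecated-dependency
 * @tags security
 *       maintainability
 */

import java

/**
 * Table of deprecated libraries: the package prefix that identifies the library
 * and the replacement to suggest. Extend this table rather than writing a new
 * query per library. (Example data; only ADAL is listed here.)
 */
predicate deprecatedDependency(string packagePrefix, string replacement) {
  packagePrefix = "com.microsoft.aad.adal4j" and
  replacement = "Microsoft Authentication Library (MSAL, com.microsoft.aad.msal4j)"
}

/**
 * Holds if `imp` imports a type or package that belongs to the deprecated library
 * identified by `packagePrefix`. Both single-type imports
 * (`import com.microsoft.aad.adal4j.AuthenticationContext;`) and on-demand imports
 * (`import com.microsoft.aad.adal4j.*;`) are covered; static imports are not.
 */
predicate importsDeprecatedDependency(Import imp, string packagePrefix) {
  deprecatedDependency(packagePrefix, _) and
  exists(string pkg |
    pkg = imp.(ImportType).getImportedType().getPackage().getName() or
    pkg = imp.(ImportOnDemandFromPackage).getImportedPackage().getName()
  |
    pkg = packagePrefix or pkg.matches(packagePrefix + ".%")
  )
}

/**
 * One representative import per (file, library): the first such import in the
 * file. Grouping per library means two deprecated libraries imported in the same
 * file yield two alerts, while several imports from the same library yield one.
 */
Import representativeImport(File f, string packagePrefix) {
  result =
    min(Import imp |
      importsDeprecatedDependency(imp, packagePrefix) and imp.getFile() = f
    |
      imp order by imp.getLocation().getStartLine()
    )
}

from Import imp, File f, string packagePrefix, string replacement
where
  imp = representativeImport(f, packagePrefix) and
  deprecatedDependency(packagePrefix, replacement)
select imp,
  "This file depends on the deprecated library '" + packagePrefix + "'; migrate to " +
    replacement + "."
```

The grouping key is (file, library) rather than library alone so that each affected source file gets its own alert to act on; dropping `f` from `representativeImport` would give the project-wide one-alert-per-library behaviour the reviewer describes instead.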