github · nicolaswill · Feb 22, 2026 · Feb 22, 2026 · Feb 22, 2026 · Feb 22, 2026
@@ -0,0 +1,119 @@
+/**
+ * @name All cryptographic classifications
+ * @description Reports every cryptographic element classified as quantum-vulnerable, insecure, or secure
+ *              using all predicates in the QuantumCryptoClassification library.
+ * @id java/quantum/examples/demo/all-classifications
+ * @kind problem
+ * @problem.severity warning
+ * @tags quantum
+ *       experimental
+ */
+
+import QuantumCryptoClassification
+
+/**
+ * Gets a short label for logical grouping of each finding category.
+ */
+string categoryLabel(string cat) {
+  cat = "Algorithm" and result = "Algorithm"
+  or
+  cat = "KeyAgreement" and result = "KeyAgreement"
+  or
+  cat = "Curve" and result = "Curve"
+  or
+  cat = "Padding" and result = "Padding"
+  or
+  cat = "Mode" and result = "Mode"
+  or
+  cat = "Hash" and result = "Hash"
+  or
+  cat = "KeySize" and result = "KeySize"
+}
+
+from Crypto::NodeBase node, string category, string classification, string detail
+where
+  // ---- Key-operation algorithms (quantum-vulnerable / insecure / secure) ----
+  exists(Crypto::KeyOperationAlgorithmNode alg |
+    node = alg and
+    category = "Algorithm" and
+    classification = classifyAlgorithmType(alg.getAlgorithmType()) and
+    classification != "other" and
+    detail = alg.getAlgorithmName()
+  )
+  or
+  // ---- Key-agreement algorithms (quantum-vulnerable) ----
+  exists(Crypto::KeyAgreementAlgorithmNode kaAlg |
+    node = kaAlg and
+    category = "KeyAgreement" and
+    classification = classifyKeyAgreementType(kaAlg.getKeyAgreementType()) and
+    classification != "other" and
+    detail = kaAlg.getAlgorithmName()
+  )
+  or
+  // ---- Elliptic curves (quantum-vulnerable) ----
+  exists(Crypto::EllipticCurveNode curve |
+    node = curve and
+    category = "Curve" and
+    isQuantumVulnerableCurveType(curve.getEllipticCurveType()) and
+    classification = "quantum-vulnerable" and
+    detail = curve.getAlgorithmName() + " (" + curve.getEllipticCurveType().toString() + ")"
+  )
+  or
+  // ---- Padding (quantum-vulnerable) ----
+  exists(Crypto::PaddingAlgorithmNode pad |
+    node = pad and
+    category = "Padding" and
+    isQuantumVulnerablePaddingType(pad.getPaddingType()) and
+    classification = "quantum-vulnerable" and
+    detail = pad.getPaddingType().toString()
+  )
+  or
+  // ---- Block modes (insecure) ----
+  exists(Crypto::ModeOfOperationAlgorithmNode mode |
+    node = mode and
+    category = "Mode" and
+    isInsecureModeType(mode.getModeType()) and
+    classification = "insecure" and
+    detail = mode.getModeType().toString()
+  )
+  or
+  // ---- Hash algorithms (insecure / secure) ----
+  exists(Crypto::HashAlgorithmNode hash |
+    node = hash and
+    category = "Hash" and
+    (
+      isInsecureHashType(hash.getHashType()) and
+      classification = "insecure" and
+      detail = hash.getHashType().toString()
+      or
+      isSecureHashType(hash.getHashType()) and
+      classification = "secure" and
+      detail =
+        hash.getHashType().toString() +
+          any(string s |
+            if exists(hash.getDigestLength())
+            then s = " (" + hash.getDigestLength().toString() + "-bit)"
+            else s = ""
+          )
+    )
+  )
+  or
+  // ---- Key sizes with quantum-vulnerable algorithms ----
+  exists(Crypto::KeyCreationOperationNode keygen, Crypto::AlgorithmNode alg, int keySize |
+    node = keygen and
+    category = "KeySize" and
+    classification = "quantum-vulnerable" and
+    alg = keygen.getAKnownAlgorithm() and
+    keygen.getAKeySizeSource().asElement().(Literal).getValue().toInt() = keySize and
+    (
+      exists(Crypto::KeyOperationAlgorithmNode keyAlg |
+        keyAlg = alg and isQuantumVulnerableAlgorithmType(keyAlg.getAlgorithmType())
+      )
+      or
+      exists(Crypto::KeyAgreementAlgorithmNode kaAlg |
+        kaAlg = alg and isQuantumVulnerableKeyAgreementType(kaAlg.getKeyAgreementType())
+      )
+    ) and
+    detail = keySize.toString() + "-bit key for " + alg.getAlgorithmName()
+  )
+select node, "[" + classification + "] " + categoryLabel(category) + ": " + detail
@@ -0,0 +1,17 @@
+/**
+ * @name Insecure block mode
+ * @description Detects use of insecure block cipher modes of operation.
+ * @id java/quantum/examples/demo/insecure-block-mode
+ * @kind problem
+ * @problem.severity error
+ * @tags quantum
+ *       experimental
+ */
+
+import QuantumCryptoClassification
+
+from Crypto::KeyOperationAlgorithmNode alg, Crypto::ModeOfOperationAlgorithmNode mode
+where
+  mode = alg.getModeOfOperation() and
+  isInsecureModeType(mode.getModeType())
+select alg, "Insecure block mode $@ detected.", mode, mode.getModeType().toString()
@@ -0,0 +1,18 @@
+/**
+ * @name Insecure symmetric cipher
+ * @description Detects use of classically insecure symmetric cipher algorithms.
+ * @id java/quantum/examples/demo/insecure-cipher
+ * @kind problem
+ * @problem.severity error
+ * @tags external/cwe/cwe-327
+ *       quantum
+ *       experimental
+ */
+
+import QuantumCryptoClassification
+
+from Crypto::KeyOperationAlgorithmNode alg, KeyOpAlg::TSymmetricCipherType cipherType
+where
+  alg.getAlgorithmType() = KeyOpAlg::TSymmetricCipher(cipherType) and
+  isInsecureCipherType(cipherType)
+select alg, "Insecure symmetric cipher: " + alg.getAlgorithmName() + "."
@@ -0,0 +1,16 @@
+/**
+ * @name Insecure hash algorithm
+ * @description Detects use of classically insecure hash algorithms.
+ * @id java/quantum/examples/demo/insecure-hash
+ * @kind problem
+ * @problem.severity error
+ * @tags external/cwe/cwe-327
+ *       quantum
+ *       experimental
+ */
+
+import QuantumCryptoClassification
+
+from Crypto::HashAlgorithmNode alg
+where isInsecureHashType(alg.getHashType())
+select alg, "Insecure hash algorithm: " + alg.getHashType().toString() + "."
@@ -0,0 +1,26 @@
+/**
+ * @name Inventory of cryptographic algorithms
+ * @description Lists all detected key operation algorithms with their security classification.
+ * @id java/quantum/examples/demo/inventory-algorithms
+ * @kind problem
+ * @problem.severity recommendation
+ * @tags quantum
+ *       experimental
+ */
+
+import QuantumCryptoClassification
+
+from Crypto::AlgorithmNode alg, string name, string classification
+where
+  exists(Crypto::KeyOperationAlgorithmNode keyAlg |
+    keyAlg = alg and
+    name = keyAlg.getAlgorithmName() and
+    classification = classifyAlgorithmType(keyAlg.getAlgorithmType())
+  )
+  or
+  exists(Crypto::KeyAgreementAlgorithmNode kaAlg |
+    kaAlg = alg and
+    name = kaAlg.getAlgorithmName() and
+    classification = classifyKeyAgreementType(kaAlg.getKeyAgreementType())
+  )
+select alg, "Algorithm: " + name + " [" + classification + "]."
@@ -0,0 +1,27 @@
+/**
+ * @name Inventory of elliptic curves
+ * @description Lists all detected elliptic curve algorithms with their family and key size.
+ * @id java/quantum/examples/demo/inventory-curves
+ * @kind problem
+ * @problem.severity recommendation
+ * @tags quantum
+ *       experimental
+ */
+
+import experimental.quantum.Language
+
+from Crypto::EllipticCurveNode c, string detail
+where
+  if exists(string ks | c.properties("KeySize", ks, _))
+  then
+    exists(string ks |
+      c.properties("KeySize", ks, _) and
+      detail =
+        "Elliptic curve: " + c.getAlgorithmName() + " (" + c.getEllipticCurveType().toString() +
+          " family, " + ks + "-bit)."
+    )
+  else
+    detail =
+      "Elliptic curve: " + c.getAlgorithmName() + " (" + c.getEllipticCurveType().toString() +
+        " family)."
+select c, detail
@@ -0,0 +1,21 @@
+/**
+ * @name Inventory of hash algorithms
+ * @description Lists all detected hash algorithms with their digest length.
+ * @id java/quantum/examples/demo/inventory-hashes
+ * @kind problem
+ * @problem.severity recommendation
+ * @tags quantum
+ *       experimental
+ */
+
+import experimental.quantum.Language
+
+from Crypto::HashAlgorithmNode h, string detail
+where
+  if exists(h.getDigestLength())
+  then
+    detail =
+      "Hash algorithm: " + h.getHashType().toString() + " (" + h.getDigestLength().toString() +
+        "-bit digest)."
+  else detail = "Hash algorithm: " + h.getHashType().toString() + "."
+select h, detail
@@ -0,0 +1,19 @@
+/**
+ * @name Inventory of cryptographic key sizes
+ * @description Lists all detected key creation operations with their algorithm and key size.
+ * @id java/quantum/examples/demo/inventory-key-sizes
+ * @kind problem
+ * @problem.severity recommendation
+ * @tags quantum
+ *       experimental
+ */
+
+import experimental.quantum.Language
+
+from Crypto::KeyCreationOperationNode keygen, Crypto::AlgorithmNode alg, int keySize
+where
+  alg = keygen.getAKnownAlgorithm() and
+  keygen.getAKeySizeSource().asElement().(Literal).getValue().toInt() = keySize
+select keygen,
+  "Key creation with algorithm $@ using " + keySize.toString() + "-bit key.", alg,
+  alg.getAlgorithmName()
@@ -0,0 +1,14 @@
+/**
+ * @name Inventory of block cipher modes
+ * @description Lists all detected modes of operation for block ciphers.
+ * @id java/quantum/examples/demo/inventory-modes
+ * @kind problem
+ * @problem.severity recommendation
+ * @tags quantum
+ *       experimental
+ */
+
+import experimental.quantum.Language
+
+from Crypto::ModeOfOperationAlgorithmNode m
+select m, "Mode of operation: " + m.getModeType().toString() + "."
@@ -0,0 +1,14 @@
+/**
+ * @name Inventory of padding schemes
+ * @description Lists all detected padding scheme algorithms.
+ * @id java/quantum/examples/demo/inventory-padding
+ * @kind problem
+ * @problem.severity recommendation
+ * @tags quantum
+ *       experimental
+ */
+
+import experimental.quantum.Language
+
+from Crypto::PaddingAlgorithmNode pad
+select pad, "Padding scheme: " + pad.getPaddingType().toString() + "."
@@ -0,0 +1,32 @@
+/**
+ * @name JWS PS protocol detected (PS256/PS384/PS512)
+ * @description Detects RSA-PSS signature with SHA-2 hash, corresponding to JWS PS256/PS384/PS512.
+ * @id java/quantum/examples/demo/protocol-jws-ps
+ * @kind problem
+ * @problem.severity warning
+ * @tags quantum
+ *       experimental
+ */
+
+import experimental.quantum.Language
+import Crypto::KeyOpAlg as KeyOpAlg
+
+from
+  Crypto::SignatureOperationNode sigOp, Crypto::KeyOperationAlgorithmNode alg,
+  Crypto::PSSPaddingAlgorithmNode pss, Crypto::HashAlgorithmNode hash, int digestLen
+where
+  alg = sigOp.getAKnownAlgorithm() and
+  alg.getAlgorithmType() = KeyOpAlg::TAsymmetricCipher(KeyOpAlg::RSA()) and
+  pss = alg.getPaddingAlgorithm() and
+  // Get hash from the PSS padding or from the signature operation
+  (
+    hash = pss.getPSSHashAlgorithm()
+    or
+    hash = sigOp.getHashAlgorithm() and not exists(pss.getPSSHashAlgorithm())
+  ) and
+  hash.getHashType() = Crypto::SHA2() and
+  digestLen = hash.getDigestLength() and
+  digestLen in [256, 384, 512]
+select alg,
+  "JWS PS" + digestLen.toString() + " protocol detected (RSA-PSS + SHA-" + digestLen.toString() +
+    ")."
@@ -0,0 +1,29 @@
+/**
+ * @name JWS RS protocol detected (RS256/RS384/RS512)
+ * @description Detects RSA PKCS#1 v1.5 signature with SHA-2 hash, corresponding to JWS RS256/RS384/RS512.
+ * @id java/quantum/examples/demo/protocol-jws-rs
+ * @kind problem
+ * @problem.severity warning
+ * @tags quantum
+ *       experimental
+ */
+
+import experimental.quantum.Language
+import Crypto::KeyOpAlg as KeyOpAlg
+
+from
+  Crypto::SignatureOperationNode sigOp, Crypto::KeyOperationAlgorithmNode alg,
+  Crypto::HashAlgorithmNode hash, int digestLen
+where
+  alg = sigOp.getAKnownAlgorithm() and
+  alg.getAlgorithmType() = KeyOpAlg::TAsymmetricCipher(KeyOpAlg::RSA()) and
+  // No PSS padding — implies PKCS#1 v1.5
+  not alg.getPaddingAlgorithm() instanceof Crypto::PSSPaddingAlgorithmNode and
+  // Hash is SHA-2 with standard JWS digest lengths
+  hash = sigOp.getHashAlgorithm() and
+  hash.getHashType() = Crypto::SHA2() and
+  digestLen = hash.getDigestLength() and
+  digestLen in [256, 384, 512]
+select alg,
+  "JWS RS" + digestLen.toString() + " protocol detected (RSA PKCS#1 v1.5 + SHA-" +
+    digestLen.toString() + ")."
@@ -0,0 +1,19 @@
+/**
+ * @name RSA-OAEP protocol detected
+ * @description Detects RSA encryption with OAEP padding, a quantum-vulnerable protocol composition.
+ * @id java/quantum/examples/demo/protocol-rsa-oaep
+ * @kind problem
+ * @problem.severity warning
+ * @tags quantum
+ *       experimental
+ */
+
+import experimental.quantum.Language
+import Crypto::KeyOpAlg as KeyOpAlg
+
+from
+  Crypto::KeyOperationAlgorithmNode alg, Crypto::OAEPPaddingAlgorithmNode pad
+where
+  alg.getAlgorithmType() = KeyOpAlg::TAsymmetricCipher(KeyOpAlg::RSA()) and
+  pad = alg.getPaddingAlgorithm()
+select alg, "RSA-OAEP protocol detected with OAEP padding $@.", pad, pad.toString()