False positive: java/potentially-weak-cryptographic-algorithm flags secure Elliptic Curve algorithms (EC, ECDSA, ECDH, EdDSA, etc.) #21593

@MarkLee131

Description of the false positive

The java/potentially-weak-cryptographic-algorithm query (CWE-327) incorrectly flags standard Elliptic Curve cryptographic algorithms as "potentially insecure", including EC, ECDSA, ECDH, EdDSA, Ed25519, Ed448, XDH, X25519, and X448. These are modern, secure algorithms recommended by NIST SP 800-57 and widely adopted as industry best practice.

The root cause is in getASecureAlgorithmName() (Encryption.qll#L258-L264). The rule uses an inverted whitelist strategy: any algorithm string not matching the secure whitelist and not matching the insecure blacklist is flagged as "potentially weak". The whitelist includes ECIES but omits the base EC family:

```ql
string getASecureAlgorithmName() {
  result =
    [
      "RSA", "SHA-?(256|384|512)", "CCM", "GCM", "AES(?![^a-zA-Z](ECB|CBC/PKCS[57]Padding))",
      "Blowfish", "ECIES", "SHA3-(256|384|512)"
      // Missing: "EC", "ECDSA", "ECDH", "EdDSA", "Ed25519", "Ed448", "XDH", "X25519", "X448"
    ]
}
```

This causes false positives for all standard Java EC usage patterns, such as KeyPairGenerator.getInstance("EC"), Signature.getInstance("ECDSA"), KeyAgreement.getInstance("ECDH"), KeyPairGenerator.getInstance("Ed25519"), etc.

Code samples or links to source code

Discovered while scanning Apache Dubbo (branch 3.3):

https://github.com/apache/dubbo/blob/3.3/dubbo-plugin/dubbo-security/src/main/java/org/apache/dubbo/security/cert/DubboCertManager.java#L315-L325

```java
protected static KeyPair signWithEcdsa() {
    KeyPair keyPair = null;
    try {
        ECGenParameterSpec ecSpec = new ECGenParameterSpec("secp256r1");
        KeyPairGenerator g = KeyPairGenerator.getInstance("EC");  // ← flagged as potentially weak
        g.initialize(ecSpec, new SecureRandom());
        java.security.KeyPair keypair = g.generateKeyPair();
        PrivateKey privateKey = keypair.getPrivate();
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withECDSA").build(privateKey);
        // ...
    }
}
```

This code uses EC with secp256r1 (P-256, ~128-bit security) and SHA256withECDSA — a textbook-correct, NIST-recommended configuration.

Suggested fix

Add the missing EC algorithm family to getASecureAlgorithmName() in Encryption.qll:

```ql
"EC", "ECDSA", "ECDH", "EdDSA", "Ed25519", "Ed448", "XDH", "X25519", "X448"
```

I have a branch with the fix, tests, and change note ready, happy to open a PR. :)
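
A small Python model of the three-way classification described in this issue, added here as an illustration (it is not CodeQL's code and not the issue author's). The allowlist and the EC names are the ones quoted above; the whole-token matching rule and the short insecure list are assumptions made for the example.

```python
import re

# Allowlist exactly as quoted in the issue.
SECURE_BEFORE = [
    "RSA", "SHA-?(256|384|512)", "CCM", "GCM",
    "AES(?![^a-zA-Z](ECB|CBC/PKCS[57]Padding))",
    "Blowfish", "ECIES", "SHA3-(256|384|512)",
]
# Names the issue proposes adding.
EC_FAMILY = ["EC", "ECDSA", "ECDH", "EdDSA", "Ed25519", "Ed448",
             "XDH", "X25519", "X448"]
# Constructed stand-in for the insecure list, which the issue does not quote.
INSECURE_SAMPLE = ["DES", "RC4", "MD5"]


def _matches(patterns, algorithm):
    # Assumed semantics: a pattern must appear as a whole token, not glued
    # to neighbouring letters, so "EC" does not match inside "ECB".
    return any(
        re.search(r"(?<![A-Za-z])(?:%s)(?![A-Za-z])" % p, algorithm, re.IGNORECASE)
        for p in patterns
    )


def classify(algorithm, secure, insecure=INSECURE_SAMPLE):
    """Return 'insecure', 'secure', or the fall-through 'potentially-weak'."""
    if _matches(insecure, algorithm):
        return "insecure"
    if _matches(secure, algorithm):
        return "secure"
    # Anything on neither list lands here: the source of the false positives.
    return "potentially-weak"


def false_positives(secure):
    """EC-family names that fall through to 'potentially-weak'."""
    return [a for a in EC_FAMILY if classify(a, secure) == "potentially-weak"]


if __name__ == "__main__":
    print("before fix:", false_positives(SECURE_BEFORE))
    print("after fix: ", false_positives(SECURE_BEFORE + EC_FAMILY))
    # Regression check: adding "EC" must not make ECB mode look secure.
    print("AES/ECB/PKCS5Padding ->",
          classify("AES/ECB/PKCS5Padding", SECURE_BEFORE + EC_FAMILY))
```

The last check is the one worth keeping in any real test suite for the fix: a bare "EC" entry is only safe if matching is token-bounded, otherwise it would also cover "ECB".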
