github
diff --git a/‎swift/ql/test/query-tests/Security/ECB-Encryption/ECBEncryption.expected
Lines changed: 26 additions & 17 deletions b/‎swift/ql/test/query-tests/Security/ECB-Encryption/ECBEncryption.expected
Lines changed: 26 additions & 17 deletions
diff --git a/‎swift/ql/test/query-tests/Security/ECB-Encryption/test.swift
Lines changed: 72 additions & 0 deletions b/‎swift/ql/test/query-tests/Security/ECB-Encryption/test.swift
Lines changed: 72 additions & 0 deletions
diff --git a/‎swift/ql/test/query-tests/Security/ECB-Encryption/testAES.swift
Lines changed: 0 additions & 45 deletions b/‎swift/ql/test/query-tests/Security/ECB-Encryption/testAES.swift
Lines changed: 0 additions & 45 deletions
diff --git a/‎swift/ql/test/query-tests/Security/ECB-Encryption/testBlowfish.swift
Lines changed: 0 additions & 41 deletions b/‎swift/ql/test/query-tests/Security/ECB-Encryption/testBlowfish.swift
Lines changed: 0 additions & 41 deletions
@@ -1,21 +1,30 @@
 edges
-| testAES.swift:32:12:32:16 | call to init() :  | testAES.swift:36:36:36:36 | ecb |
-| testAES.swift:32:12:32:16 | call to init() :  | testAES.swift:37:36:37:36 | ecb |
-| testBlowfish.swift:32:12:32:16 | call to init() :  | testBlowfish.swift:36:41:36:41 | ecb |
+| test.swift:34:9:34:13 | call to init() :  | test.swift:54:37:54:53 | call to getECBBlockMode() |
+| test.swift:34:9:34:13 | call to init() :  | test.swift:55:37:55:53 | call to getECBBlockMode() |
+| test.swift:34:9:34:13 | call to init() :  | test.swift:67:42:67:58 | call to getECBBlockMode() |
+| test.swift:45:12:45:16 | call to init() :  | test.swift:50:37:50:37 | ecb |
+| test.swift:45:12:45:16 | call to init() :  | test.swift:51:37:51:37 | ecb |
+| test.swift:45:12:45:16 | call to init() :  | test.swift:65:42:65:42 | ecb |
 nodes
-| testAES.swift:32:12:32:16 | call to init() :  | semmle.label | call to init() :  |
-| testAES.swift:36:36:36:36 | ecb | semmle.label | ecb |
-| testAES.swift:37:36:37:36 | ecb | semmle.label | ecb |
-| testAES.swift:38:36:38:40 | call to init() | semmle.label | call to init() |
-| testAES.swift:39:36:39:40 | call to init() | semmle.label | call to init() |
-| testBlowfish.swift:32:12:32:16 | call to init() :  | semmle.label | call to init() :  |
-| testBlowfish.swift:36:41:36:41 | ecb | semmle.label | ecb |
-| testBlowfish.swift:37:41:37:45 | call to init() | semmle.label | call to init() |
+| test.swift:34:9:34:13 | call to init() :  | semmle.label | call to init() :  |
+| test.swift:45:12:45:16 | call to init() :  | semmle.label | call to init() :  |
+| test.swift:50:37:50:37 | ecb | semmle.label | ecb |
+| test.swift:51:37:51:37 | ecb | semmle.label | ecb |
+| test.swift:52:37:52:41 | call to init() | semmle.label | call to init() |
+| test.swift:53:37:53:41 | call to init() | semmle.label | call to init() |
+| test.swift:54:37:54:53 | call to getECBBlockMode() | semmle.label | call to getECBBlockMode() |
+| test.swift:55:37:55:53 | call to getECBBlockMode() | semmle.label | call to getECBBlockMode() |
+| test.swift:65:42:65:42 | ecb | semmle.label | ecb |
+| test.swift:66:42:66:46 | call to init() | semmle.label | call to init() |
+| test.swift:67:42:67:58 | call to getECBBlockMode() | semmle.label | call to getECBBlockMode() |
 subpaths
 #select
-| testAES.swift:36:36:36:36 | ecb | testAES.swift:32:12:32:16 | call to init() :  | testAES.swift:36:36:36:36 | ecb | The initialization of the cipher 'ecb' uses the insecure ECB block mode from $@ | testAES.swift:32:12:32:16 | call to init() :  | call to init() |
-| testAES.swift:37:36:37:36 | ecb | testAES.swift:32:12:32:16 | call to init() :  | testAES.swift:37:36:37:36 | ecb | The initialization of the cipher 'ecb' uses the insecure ECB block mode from $@ | testAES.swift:32:12:32:16 | call to init() :  | call to init() |
-| testAES.swift:38:36:38:40 | call to init() | testAES.swift:38:36:38:40 | call to init() | testAES.swift:38:36:38:40 | call to init() | The initialization of the cipher 'call to init()' uses the insecure ECB block mode from $@ | testAES.swift:38:36:38:40 | call to init() | call to init() |
-| testAES.swift:39:36:39:40 | call to init() | testAES.swift:39:36:39:40 | call to init() | testAES.swift:39:36:39:40 | call to init() | The initialization of the cipher 'call to init()' uses the insecure ECB block mode from $@ | testAES.swift:39:36:39:40 | call to init() | call to init() |
-| testBlowfish.swift:36:41:36:41 | ecb | testBlowfish.swift:32:12:32:16 | call to init() :  | testBlowfish.swift:36:41:36:41 | ecb | The initialization of the cipher 'ecb' uses the insecure ECB block mode from $@ | testBlowfish.swift:32:12:32:16 | call to init() :  | call to init() |
-| testBlowfish.swift:37:41:37:45 | call to init() | testBlowfish.swift:37:41:37:45 | call to init() | testBlowfish.swift:37:41:37:45 | call to init() | The initialization of the cipher 'call to init()' uses the insecure ECB block mode from $@ | testBlowfish.swift:37:41:37:45 | call to init() | call to init() |
+| test.swift:50:37:50:37 | ecb | test.swift:45:12:45:16 | call to init() :  | test.swift:50:37:50:37 | ecb | The initialization of the cipher 'ecb' uses the insecure ECB block mode from $@ | test.swift:45:12:45:16 | call to init() :  | call to init() |
+| test.swift:51:37:51:37 | ecb | test.swift:45:12:45:16 | call to init() :  | test.swift:51:37:51:37 | ecb | The initialization of the cipher 'ecb' uses the insecure ECB block mode from $@ | test.swift:45:12:45:16 | call to init() :  | call to init() |
+| test.swift:52:37:52:41 | call to init() | test.swift:52:37:52:41 | call to init() | test.swift:52:37:52:41 | call to init() | The initialization of the cipher 'call to init()' uses the insecure ECB block mode from $@ | test.swift:52:37:52:41 | call to init() | call to init() |
+| test.swift:53:37:53:41 | call to init() | test.swift:53:37:53:41 | call to init() | test.swift:53:37:53:41 | call to init() | The initialization of the cipher 'call to init()' uses the insecure ECB block mode from $@ | test.swift:53:37:53:41 | call to init() | call to init() |
+| test.swift:54:37:54:53 | call to getECBBlockMode() | test.swift:34:9:34:13 | call to init() :  | test.swift:54:37:54:53 | call to getECBBlockMode() | The initialization of the cipher 'call to getECBBlockMode()' uses the insecure ECB block mode from $@ | test.swift:34:9:34:13 | call to init() :  | call to init() |
+| test.swift:55:37:55:53 | call to getECBBlockMode() | test.swift:34:9:34:13 | call to init() :  | test.swift:55:37:55:53 | call to getECBBlockMode() | The initialization of the cipher 'call to getECBBlockMode()' uses the insecure ECB block mode from $@ | test.swift:34:9:34:13 | call to init() :  | call to init() |
+| test.swift:65:42:65:42 | ecb | test.swift:45:12:45:16 | call to init() :  | test.swift:65:42:65:42 | ecb | The initialization of the cipher 'ecb' uses the insecure ECB block mode from $@ | test.swift:45:12:45:16 | call to init() :  | call to init() |
+| test.swift:66:42:66:46 | call to init() | test.swift:66:42:66:46 | call to init() | test.swift:66:42:66:46 | call to init() | The initialization of the cipher 'call to init()' uses the insecure ECB block mode from $@ | test.swift:66:42:66:46 | call to init() | call to init() |
+| test.swift:67:42:67:58 | call to getECBBlockMode() | test.swift:34:9:34:13 | call to init() :  | test.swift:67:42:67:58 | call to getECBBlockMode() | The initialization of the cipher 'call to getECBBlockMode()' uses the insecure ECB block mode from $@ | test.swift:34:9:34:13 | call to init() :  | call to init() |
@@ -0,0 +1,72 @@
+
+// --- stubs ---
+
+// These stubs roughly follows the same structure as classes from CryptoSwift
+class AES
+{
+	init(key: Array<UInt8>, blockMode: BlockMode, padding: Padding) { }
+	init(key: Array<UInt8>, blockMode: BlockMode) { }
+}
+
+class Blowfish
+{
+	init(key: Array<UInt8>, blockMode: BlockMode, padding: Padding) { }
+}
+
+protocol BlockMode { }
+
+struct ECB: BlockMode { 
+	init() { }
+}
+
+struct CBC: BlockMode { 
+	init() { }
+}
+
+protocol PaddingProtocol { }
+
+enum Padding: PaddingProtocol {
+  case noPadding, zeroPadding, pkcs7, pkcs5, eme_pkcs1v15, emsa_pkcs1v15, iso78164, iso10126
+}
+
+// Create some inter-procedural dependencies
+func getECBBlockMode() -> BlockMode {
+	return ECB()
+}
+
+func getCBCBlockMode() ->  BlockMode {
+	return CBC()
+}
+
+// --- tests ---
+
+func test1() {
+	let key: Array<UInt8> = [0x2a, 0x3a, 0x80, 0x05, 0xaf, 0x46, 0x58, 0x2d, 0x66, 0x52, 0x10, 0xae, 0x86, 0xd3, 0x8e, 0x8f]
+	let ecb = ECB()
+	let cbc = CBC()
+	let padding = Padding.noPadding
+
+	// AES test cases
+	let ab1 = AES(key: key, blockMode: ecb, padding: padding) // BAD
+	let ab2 = AES(key: key, blockMode: ecb) // BAD
+	let ab3 = AES(key: key, blockMode: ECB(), padding: padding) // BAD
+	let ab4 = AES(key: key, blockMode: ECB()) // BAD
+	let ab5 = AES(key: key, blockMode: getECBBlockMode(), padding: padding) // BAD
+	let ab6 = AES(key: key, blockMode: getECBBlockMode()) // BAD
+
+	let ag1 = AES(key: key, blockMode: cbc, padding: padding) // GOOD
+	let ag2 = AES(key: key, blockMode: cbc) // GOOD
+	let ag3 = AES(key: key, blockMode: CBC(), padding: padding) // GOOD
+	let ag4 = AES(key: key, blockMode: CBC()) // GOOD
+	let ag5 = AES(key: key, blockMode: getCBCBlockMode(), padding: padding) // GOOD
+	let ag6 = AES(key: key, blockMode: getCBCBlockMode()) // GOOD
+
+	// Blowfish test cases
+	let bb1 = Blowfish(key: key, blockMode: ecb, padding: padding) // BAD
+	let bb2 = Blowfish(key: key, blockMode: ECB(), padding: padding) // BAD
+	let bb3 = Blowfish(key: key, blockMode: getECBBlockMode(), padding: padding) // BAD
+
+	let bg1 = Blowfish(key: key, blockMode: cbc, padding: padding) // GOOD
+	let bg2 = Blowfish(key: key, blockMode: CBC(), padding: padding) // GOOD
+	let bg3 = Blowfish(key: key, blockMode: getCBCBlockMode(), padding: padding) // GOOD
+}