Add tests

Author: joefarebrother

java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.java

@@ -1,7 +1,7 @@
 // BAD: No padding scheme is used
-Cipher rsa = Cipher.getInstance("RSA/ECB/NoPadding")
+Cipher rsa = Cipher.getInstance("RSA/ECB/NoPadding");
 ...
 
 //GOOD: OAEP padding is used
-Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding")
+Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding");
 ...

java/ql/test/query-tests/security/CWE-780/RsaWithoutOaepTest.expected

@@ -0,0 +1,9 @@
+import javax.crypto.Cipher;
+
+class RsaWithoutOaep {
+    public void test() throws Exception {
+        Cipher rsaBad = Cipher.getInstance("RSA/ECB/NoPadding"); // $hasResult
+
+        Cipher rsaGood = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding"); 
+    }
+}

java/ql/test/query-tests/security/CWE-780/RsaWithoutOaepTest.java

@@ -0,0 +1,19 @@
+import java
+import TestUtilities.InlineExpectationsTest
+import semmle.code.java.security.RsaWithoutOaepQuery
+
+class HasResult extends InlineExpectationsTest {
+  HasResult() { this = "HasResult" }
+
+  override string getARelevantTag() { result = "hasResult" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasResult" and
+    value = "" and
+    exists(MethodAccess ma |
+      rsaWithoutOaepCall(ma) and
+      location = ma.getLocation() and
+      element = ma.toString()
+    )
+  }
+}