Weak Hashing findings vanished from 1.1.11 ruleset? #18518
Description
I maintain the OWASP Benchmark project:
Which is a test suite for testing the effectiveness of software security analysis tools. I've had codeQL scripts for scanning OWASP Benchmark for a while.
They can be found in the scripts folder here: https://github.com/OWASP-Benchmark/BenchmarkJava/tree/master/scripts
- translateCodeQL.sh
- runCodeQL.sh
You have to follow the codeQL install instructions listed in the translateCodeQL.sh script, then run translateCodeQL.sh and then runCodeQL.sh.
After completing, it puts the codeQL SARIF results file into the results/ folder and you can then score the tool against Benchmark by running createScoreards.sh.
I noticed that when using the latest version of CodeQL 2.20.1, with the 1.1.9 ruleset, it properly detected 69% of the Weak Hashing test cases in Benchmark (and had zero false positives). But when I upgraded to ruleset 1.1.11, it now detects none of them.
Is this on purpose? Or was a bug introduced. or mistake made, to cause those rules to go away in 1.1.11?