Add deprecated TLS/SSL version detection query for PowerShell

Detects usage of SSL 3.0, TLS 1.0, and TLS 1.1 via SecurityProtocolType
and SslProtocols enum references.

Covers: Cryptography.10031 (CWE-327, CWE-757)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: chanel-y

powershell/ql/src/queries/security/cwe-757/DeprecatedTls.ql

@@ -0,0 +1,98 @@
+/**
+ * @name Use of deprecated TLS/SSL version
+ * @description Using deprecated TLS/SSL versions (SSL3, TLS 1.0, TLS 1.1) weakens transport security.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 7.5
+ * @precision high
+ * @id powershell/microsoft/security/deprecated-tls
+ * @tags security
+ *       external/cwe/cwe-327
+ *       external/cwe/cwe-757
+ */
+
+import powershell
+import semmle.code.powershell.ApiGraphs
+import semmle.code.powershell.dataflow.DataFlow
+
+/**
+ * Holds if `protocolName` is a deprecated TLS/SSL protocol (lowercase).
+ */
+predicate isDeprecatedProtocol(string protocolName) {
+  protocolName = ["ssl3", "tls", "tls11"]
+}
+
+/**
+ * Gets the human-readable name for a deprecated protocol.
+ */
+bindingset[protocolName]
+string getProtocolDisplayName(string protocolName) {
+  protocolName = "ssl3" and result = "SSL 3.0"
+  or
+  protocolName = "tls" and result = "TLS 1.0"
+  or
+  protocolName = "tls11" and result = "TLS 1.1"
+}
+
+/**
+ * A reference to a deprecated SecurityProtocolType enum value, e.g.
+ * [Net.SecurityProtocolType]::Ssl3
+ */
+class DeprecatedSecurityProtocolType extends DataFlow::Node {
+  string protocolName;
+
+  DeprecatedSecurityProtocolType() {
+    exists(API::Node node |
+      (
+        node =
+          API::getTopLevelMember("system")
+              .getMember("net")
+              .getMember("securityprotocoltype")
+              .getMember(protocolName)
+        or
+        node =
+          API::getTopLevelMember("net")
+              .getMember("securityprotocoltype")
+              .getMember(protocolName)
+      ) and
+      this = node.asSource() and
+      isDeprecatedProtocol(protocolName)
+    )
+  }
+
+  string getProtocolName() { result = protocolName }
+}
+
+/**
+ * A reference to a deprecated SslProtocols enum value, e.g.
+ * [System.Security.Authentication.SslProtocols]::Tls
+ */
+class DeprecatedSslProtocols extends DataFlow::Node {
+  string protocolName;
+
+  DeprecatedSslProtocols() {
+    exists(API::Node node |
+      node =
+        API::getTopLevelMember("system")
+            .getMember("security")
+            .getMember("authentication")
+            .getMember("sslprotocols")
+            .getMember(protocolName) and
+      this = node.asSource() and
+      isDeprecatedProtocol(protocolName)
+    )
+  }
+
+  string getProtocolName() { result = protocolName }
+}
+
+from DataFlow::Node node, string protocolName
+where
+  exists(DeprecatedSecurityProtocolType d |
+    node = d and protocolName = d.getProtocolName()
+  )
+  or
+  exists(DeprecatedSslProtocols d | node = d and protocolName = d.getProtocolName())
+select node,
+  "Use of deprecated protocol " + getProtocolDisplayName(protocolName) +
+    ". Use TLS 1.2 or TLS 1.3 instead."

powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/DeprecatedTls.expected

@@ -0,0 +1,4 @@
+| test.ps1:6:47:6:78 | ssl3 | Use of deprecated protocol SSL 3.0. Use TLS 1.2 or TLS 1.3 instead. |
+| test.ps1:9:47:9:77 | tls | Use of deprecated protocol TLS 1.0. Use TLS 1.2 or TLS 1.3 instead. |
+| test.ps1:12:47:12:79 | tls11 | Use of deprecated protocol TLS 1.1. Use TLS 1.2 or TLS 1.3 instead. |
+| test.ps1:15:54:15:91 | tls | Use of deprecated protocol TLS 1.0. Use TLS 1.2 or TLS 1.3 instead. |

powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/DeprecatedTls.qlref

@@ -0,0 +1 @@
+queries/security/cwe-757/DeprecatedTls.ql

powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/test.ps1

@@ -0,0 +1,25 @@
+# ===================================================================
+# ========== TRUE POSITIVES (should trigger alert) ==================
+# ===================================================================
+
+# --- Case 1: SSL 3.0 ---
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Ssl3 # BAD
+
+# --- Case 2: TLS 1.0 ---
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls # BAD
+
+# --- Case 3: TLS 1.1 ---
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls11 # BAD
+
+# --- Case 4: Full namespace TLS 1.0 ---
+[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls # BAD
+
+# ===================================================================
+# ========== TRUE NEGATIVES (should NOT trigger alert) ==============
+# ===================================================================
+
+# --- Safe: TLS 1.2 ---
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 # GOOD
+
+# --- Safe: TLS 1.3 ---
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls13 # GOOD