Add weak HMAC algorithm detection query for PowerShell

Detects HMACMD5, HMACSHA1, and HMACRIPEMD160 usage via New-Object,
static Create(), and ::new() patterns.

Covers: Cryptography.10020 (CWE-327, CWE-328)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: chanel-y

powershell/ql/src/queries/security/cwe-328/WeakHmac.ql

@@ -0,0 +1,92 @@
+/**
+ * @name Use of weak HMAC algorithm
+ * @description Using weak HMAC algorithms like HMACMD5 or HMACSHA1 can compromise message authentication.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 7.5
+ * @precision high
+ * @id powershell/microsoft/security/weak-hmac
+ * @tags security
+ *       external/cwe/cwe-327
+ *       external/cwe/cwe-328
+ */
+
+import powershell
+import semmle.code.powershell.ApiGraphs
+import semmle.code.powershell.dataflow.DataFlow
+import semmle.code.powershell.security.cryptography.CryptographyModule
+
+/**
+ * Holds if `name` is a weak HMAC algorithm name (lowercase).
+ */
+predicate isWeakHmacAlgorithm(string name) {
+  name = ["hmacmd5", "hmacsha1", "hmacripemd160"]
+}
+
+/** A weak HMAC algorithm instantiated via New-Object. */
+class WeakHmacObjectCreation extends DataFlow::ObjectCreationNode {
+  string algName;
+
+  WeakHmacObjectCreation() {
+    exists(string objName |
+      objName =
+        this.getExprNode().getExpr().(CallExpr).getAnArgument().getValue().asString().toLowerCase() and
+      (
+        objName = "system.security.cryptography." + algName or
+        objName = algName
+      ) and
+      isWeakHmacAlgorithm(algName)
+    )
+  }
+
+  string getName() { result = algName }
+}
+
+/** A weak HMAC algorithm instantiated via [Type]::Create() or [Type]::new(). */
+class WeakHmacCreateCall extends DataFlow::CallNode {
+  string algName;
+
+  WeakHmacCreateCall() {
+    isWeakHmacAlgorithm(algName) and
+    (
+      this =
+        API::getTopLevelMember("system")
+            .getMember("security")
+            .getMember("cryptography")
+            .getMember(algName)
+            .getMember("create")
+            .asCall()
+      or
+      this =
+        API::getTopLevelMember("system")
+            .getMember("security")
+            .getMember("cryptography")
+            .getMember(algName)
+            .getMember("new")
+            .asCall()
+    )
+  }
+
+  string getName() { result = algName }
+}
+
+/** A weak HMAC algorithm passed as string to CryptoConfig.CreateFromName(). */
+class WeakHmacCreateFromNameCall extends CryptoAlgorithmCreateFromNameCall {
+  string algName;
+
+  WeakHmacCreateFromNameCall() {
+    objectName = ["", "system.security.cryptography."] + algName and
+    isWeakHmacAlgorithm(algName)
+  }
+
+  string getHmacName() { result = algName }
+}
+
+from DataFlow::Node node, string algName
+where
+  exists(WeakHmacObjectCreation c | node = c and algName = c.getName())
+  or
+  exists(WeakHmacCreateCall c | node = c and algName = c.getName())
+  or
+  exists(WeakHmacCreateFromNameCall c | node = c and algName = c.getHmacName())
+select node, "Use of weak HMAC algorithm: " + algName + ". Use HMACSHA256 or stronger."

powershell/ql/test/query-tests/security/cwe-328/WeakHmac/WeakHmac.expected

@@ -0,0 +1,4 @@
+| test.ps1:6:9:6:55 | Call to new-object | Use of weak HMAC algorithm: hmacmd5. Use HMACSHA256 or stronger. |
+| test.ps1:9:9:9:56 | Call to new-object | Use of weak HMAC algorithm: hmacsha1. Use HMACSHA256 or stronger. |
+| test.ps1:12:9:12:56 | Call to create | Use of weak HMAC algorithm: hmacmd5. Use HMACSHA256 or stronger. |
+| test.ps1:15:9:15:54 | Call to new | Use of weak HMAC algorithm: hmacsha1. Use HMACSHA256 or stronger. |

powershell/ql/test/query-tests/security/cwe-328/WeakHmac/WeakHmac.qlref

@@ -0,0 +1 @@
+queries/security/cwe-328/WeakHmac.ql

powershell/ql/test/query-tests/security/cwe-328/WeakHmac/test.ps1

@@ -0,0 +1,28 @@
+# ===================================================================
+# ========== TRUE POSITIVES (should trigger alert) ==================
+# ===================================================================
+
+# --- Case 1: HMACMD5 via New-Object ---
+$hmac = New-Object System.Security.Cryptography.HMACMD5 # BAD
+
+# --- Case 2: HMACSHA1 via New-Object ---
+$hmac = New-Object System.Security.Cryptography.HMACSHA1 # BAD
+
+# --- Case 3: HMACMD5 via static Create ---
+$hmac = [System.Security.Cryptography.HMACMD5]::Create() # BAD
+
+# --- Case 4: HMACSHA1 via ::new() ---
+$hmac = [System.Security.Cryptography.HMACSHA1]::new() # BAD
+
+# ===================================================================
+# ========== TRUE NEGATIVES (should NOT trigger alert) ==============
+# ===================================================================
+
+# --- Safe: HMACSHA256 ---
+$hmac = New-Object System.Security.Cryptography.HMACSHA256 # GOOD
+
+# --- Safe: HMACSHA384 ---
+$hmac = [System.Security.Cryptography.HMACSHA384]::new() # GOOD
+
+# --- Safe: HMACSHA512 ---
+$hmac = [System.Security.Cryptography.HMACSHA512]::Create() # GOOD