Copilot AI commented Nov 21, 2025

Add test coverage for cryptographic block modes (ECB vs CBC) across multiple cipher types. ECB is cryptographically weak; CBC is acceptable.

Changes

  • Test cases: Added test_ecb() function exercising ECB mode with AES, DES, and RC2
    • Covers turbo-fish syntax: ecb::Encryptor::<aes::Aes128>::new()
    • Covers type aliases: type MyDesEcbEncryptor = ecb::Encryptor<des::Des>
    • Multiple init methods: new(), new_from_slice()
  • Dependencies: Added ecb = { version = "0.1.2" } to test options

Example

// ECB mode - should alert (weak block mode)
let aes_cipher = ecb::Encryptor::<aes::Aes128>::new(key.into());

// CBC mode - should NOT alert for block mode (only weak algorithms alert)
let aes_cipher = cbc::Encryptor::<aes::Aes128>::new(key.into(), iv.into());

// DES + ECB - should alert for both weak algorithm AND weak block mode
let des_cipher = ecb::Encryptor::<des::Des>::new(key.into());

Test cases marked with $ MISSING: as block mode detection is not yet implemented in RustCrypto.qll.

Original prompt

Hi Copilot, we'd like to have some new test cases in the tests at rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm, a te showing the use of different block modes. In particular ECB is considered a weak choice of block mode, whereas other options such as CBC are considered OK - we want the test to use both modes. Ideally there will be cases for each of the cryptography crates already used in the test, assuming they support the ECB block mode.

Ensure that the test compiles, e.g. by running it with the CodeQL test runner:

  1. download and extract CodeQL CLI: cd /tmp && curl -L -o codeql-linux64.zip https://github.com/github/codeql-cli-binaries/releases/latest/download/codeql-linux64.zip && unzip -q codeql-linux64.zip
  2. add to PATH: export PATH="/tmp/codeql:$PATH"
  3. from the test directory, codeql test run . --learn.
    This will update the .expected file associated with the test, you can commit any changes to that file alongside your changes to the .rs.

Copilot AI changed the title from "[WIP] Add test cases for ECB and CBC block modes" to "Add ECB and CBC block mode test cases for BrokenCryptoAlgorithm query" Nov 21, 2025
Copilot AI requested a review from geoffw0 November 21, 2025 18:48
Copilot finished work on behalf of geoffw0 November 21, 2025 18:48
…e the focus of these new tests should be the block mode not the encryption algorithm.
github-actions bot added the Rust label (Pull requests that update Rust code) Nov 24, 2025
geoffw0 marked this pull request as ready for review November 25, 2025 13:07
geoffw0 requested a review from a team as a code owner November 25, 2025 13:07
Copilot AI review requested due to automatic review settings November 25, 2025 13:07
geoffw0 commented Nov 25, 2025

Ready for review. We're not going to actually address these test cases for a while, because we need to investigate and fix an issue in call resolution first - so let's merge the new tests.

Copilot finished reviewing on behalf of geoffw0 November 25, 2025 13:09
Copilot AI left a comment

Pull request overview

This PR adds comprehensive test coverage for ECB (Electronic Codebook) block mode, which is cryptographically weak, alongside the existing CBC (Cipher Block Chaining) tests. The tests demonstrate that ECB mode should trigger security alerts regardless of the underlying cipher algorithm.

  • Added test_ecb() function with test cases covering AES, DES, and RC2 ciphers using ECB mode
  • Tests use various initialization patterns (turbo-fish syntax, type aliases, new(), new_from_slice())
  • Added ecb crate dependency (version 0.1.2) to support the new tests

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| test_cipher.rs | Adds new test_ecb() function with test cases for ECB mode encryption using AES128, DES, and RC2, along with a type alias MyAesEcbEncryptor following the pattern established in test_cbc() |
| options.yml | Adds ecb = { version = "0.1.2" } dependency to support ECB mode testing |
| Cargo.lock | Updates lock file with ecb crate (v0.1.2) and its dependencies |
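
Why ECB is flagged whatever cipher sits underneath it, as an added example that is not part of this PR or the CodeQL test suite. A toy Feistel cipher (a constructed, insecure stand-in, not the `aes`, `des` or `ecb` crates) encrypts a constructed plaintext in both modes and counts ciphertext blocks that repeat; all function names and values are assumptions made for the illustration.

```rust
// Added illustration (not from the PR). A toy 64-bit Feistel cipher stands in
// for AES/DES/RC2; it is NOT secure and only shows how the block mode behaves.
use std::collections::HashSet;

const BLOCK: usize = 8;
type Key = [u32; 4]; // constructed round keys

fn encrypt_block(b: &[u8], key: &Key) -> [u8; BLOCK] {
    let mut l = u32::from_be_bytes([b[0], b[1], b[2], b[3]]);
    let mut r = u32::from_be_bytes([b[4], b[5], b[6], b[7]]);
    for &k in key.iter() {
        let t = l ^ (r.wrapping_mul(0x9E37_79B1).rotate_left(5) ^ k);
        l = r;
        r = t;
    }
    let mut out = [0u8; BLOCK];
    out[..4].copy_from_slice(&l.to_be_bytes());
    out[4..].copy_from_slice(&r.to_be_bytes());
    out
}

// ECB: every block is encrypted independently under the same key.
fn ecb_encrypt(pt: &[u8], key: &Key) -> Vec<[u8; BLOCK]> {
    pt.chunks_exact(BLOCK).map(|c| encrypt_block(c, key)).collect()
}

// CBC: each block is XORed with the previous ciphertext block (the IV first).
fn cbc_encrypt(pt: &[u8], key: &Key, iv: [u8; BLOCK]) -> Vec<[u8; BLOCK]> {
    let mut prev = iv;
    pt.chunks_exact(BLOCK).map(|c| {
        let mut x = [0u8; BLOCK];
        for i in 0..BLOCK { x[i] = c[i] ^ prev[i]; }
        prev = encrypt_block(&x, key);
        prev
    }).collect()
}

// Ciphertext blocks that repeat an earlier one: visible without the key.
fn repeated_blocks(ct: &[[u8; BLOCK]]) -> usize {
    let mut seen = HashSet::new();
    ct.iter().filter(|b| !seen.insert(**b)).count()
}

fn main() {
    let key: Key = [0x0123_4567, 0x89AB_CDEF, 0x0F1E_2D3C, 0x4B5A_6978];
    let pt = b"PAY=0100PAY=0100PAY=9999PAY=0100"; // constructed sample, 4 blocks
    let (e, c) = (ecb_encrypt(pt, &key), cbc_encrypt(pt, &key, [0xA5; BLOCK]));
    println!("ECB repeats: {}, CBC repeats: {}", repeated_blocks(&e), repeated_blocks(&c));
}
```

The repeats under ECB come from the mode alone, so swapping the toy cipher for a strong one would not remove them.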
