From 90db349f4bf623498d1b86bbf94495339824b90b Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan <owen-mc@github.com>
Date: Wed, 8 Oct 2025 14:05:00 +0100
Subject: [PATCH 1/4] State that ruby broken crypto algo doesn't deal with
 hashing

---
 .../queries/security/cwe-327/BrokenCryptoAlgorithm.qhelp    | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/ruby/ql/src/queries/security/cwe-327/BrokenCryptoAlgorithm.qhelp b/ruby/ql/src/queries/security/cwe-327/BrokenCryptoAlgorithm.qhelp
index cede4e735d57..d793312c45d6 100644
--- a/ruby/ql/src/queries/security/cwe-327/BrokenCryptoAlgorithm.qhelp
+++ b/ruby/ql/src/queries/security/cwe-327/BrokenCryptoAlgorithm.qhelp
@@ -13,6 +13,12 @@
       algorithm means that encrypted or hashed data is less
       secure than it appears to be.
     </p>
+    <p>
+      This query alerts on any use of a weak cryptographic algorithm, that is
+      not a hashing algorithm. Use of broken or weak cryptographic hash
+      functions are handled by the
+      <code>rb/weak-sensitive-data-hashing</code> query.
+    </p>
   </overview>
   <recommendation>
     <p>

From 2a1c9d8ec15d6fe5fd169c33294498b2603eb67b Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan <owen-mc@github.com>
Date: Wed, 8 Oct 2025 14:08:36 +0100
Subject: [PATCH 2/4] Remove erroneous comma

---
 python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp      | 2 +-
 .../ql/src/queries/security/cwe-327/BrokenCryptoAlgorithm.qhelp | 2 +-
 .../ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.qhelp | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp b/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp
index 1b26d30e0fe6..a457db904314 100644
--- a/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp
+++ b/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp
@@ -16,7 +16,7 @@
           </p>
 
           <p>
-               This query alerts on any use of a weak cryptographic algorithm, that is
+               This query alerts on any use of a weak cryptographic algorithm that is
                not a hashing algorithm. Use of broken or weak cryptographic hash
                functions are handled by the
                <code>py/weak-sensitive-data-hashing</code> query.
diff --git a/ruby/ql/src/queries/security/cwe-327/BrokenCryptoAlgorithm.qhelp b/ruby/ql/src/queries/security/cwe-327/BrokenCryptoAlgorithm.qhelp
index d793312c45d6..3346d3f7015f 100644
--- a/ruby/ql/src/queries/security/cwe-327/BrokenCryptoAlgorithm.qhelp
+++ b/ruby/ql/src/queries/security/cwe-327/BrokenCryptoAlgorithm.qhelp
@@ -14,7 +14,7 @@
       secure than it appears to be.
     </p>
     <p>
-      This query alerts on any use of a weak cryptographic algorithm, that is
+      This query alerts on any use of a weak cryptographic algorithm that is
       not a hashing algorithm. Use of broken or weak cryptographic hash
       functions are handled by the
       <code>rb/weak-sensitive-data-hashing</code> query.
diff --git a/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.qhelp b/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.qhelp
index e24222e09fc5..7bc1eb018e26 100644
--- a/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.qhelp
+++ b/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.qhelp
@@ -16,7 +16,7 @@
           </p>
 
           <p>
-               This query alerts on any use of a weak cryptographic algorithm, that is
+               This query alerts on any use of a weak cryptographic algorithm that is
                not a hashing algorithm. Use of broken or weak cryptographic hash
                functions are handled by the
                <code>rust/weak-sensitive-data-hashing</code> query.

From 0bcdb91639f5433b2a2f2b64c52b64f02b14b134 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan <owen-mc@github.com>
Date: Wed, 8 Oct 2025 14:10:54 +0100
Subject: [PATCH 3/4] Improve qhelp for broken crypto algo queries

Previously it focussed too much on the risk of data being decrypted,
and didn't explain why using weak algorithms is a problem in other
contexts.
---
 .../CWE/CWE-327/BrokenCryptoAlgorithm.qhelp   | 14 ++++---
 .../CWE/CWE-327/BrokenCryptoAlgorithm.qhelp   | 14 ++++---
 .../CWE-327/BrokenCryptoAlgorithm.qhelp       | 29 ++++++++++++---
 .../CWE-327/BrokenCryptoAlgorithm.qhelp       | 30 ++++++++++++---
 .../cwe-327/BrokenCryptoAlgorithm.qhelp       | 30 ++++++++++++---
 .../CWE-327/BrokenCryptoAlgorithm.qhelp       | 37 ++++++++++++++-----
 6 files changed, 116 insertions(+), 38 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.qhelp b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.qhelp
index 0fcbd89d8921..33561b3d1bff 100644
--- a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.qhelp
+++ b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.qhelp
@@ -3,11 +3,15 @@
   "qhelp.dtd">
 <qhelp>
 <overview>
-<p>Using broken or weak cryptographic algorithms can leave data vulnerable to being decrypted.</p>
-
-<p>Many cryptographic algorithms provided by cryptography libraries are known to be weak, or 
-flawed. Using such an algorithm means that an attacker may be able to easily decrypt the encrypted
-data.</p>
+<p>Using broken or weak cryptographic algorithms may compromise security guarantees such as confidentiality, integrity, and authenticity.</p>
+
+<p>Many cryptographic algorithms are known to be weak or flawed. The security guarantees of a system often rely on the underlying cryptography, so using a weak algorithm can have severe consequences. For example:
+</p>
+<ul>
+  <li>If a weak encryption algorithm is used, an attacker may be able to decrypt sensitive data.</li>
+  <li>If a weak hashing algorithm is used to protect data integrity, an attacker may be able to craft a malicious input that has the same hash as a benign one.</li>
+  <li>If a weak algorithm is used for digital signatures, an attacker may be able to forge signatures and impersonate legitimate users.</li>
+</ul>
 
 </overview>
 <recommendation>
diff --git a/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.qhelp b/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.qhelp
index 1d8e8db6798c..35b37b9f814d 100644
--- a/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.qhelp
+++ b/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.qhelp
@@ -3,11 +3,15 @@
   "qhelp.dtd">
 <qhelp>
 <overview>
-<p>Using broken or weak cryptographic algorithms can leave data vulnerable to being decrypted.</p>
-
-<p>Many cryptographic algorithms provided by cryptography libraries are known to be weak, or 
-flawed. Using such an algorithm means that an attacker may be able to easily decrypt the encrypted
-data.</p>
+<p>Using broken or weak cryptographic algorithms may compromise security guarantees such as confidentiality, integrity, and authenticity.</p>
+
+<p>Many cryptographic algorithms are known to be weak or flawed. The security guarantees of a system often rely on the underlying cryptography, so using a weak algorithm can have severe consequences. For example:
+</p>
+<ul>
+  <li>If a weak encryption algorithm is used, an attacker may be able to decrypt sensitive data.</li>
+  <li>If a weak hashing algorithm is used to protect data integrity, an attacker may be able to craft a malicious input that has the same hash as a benign one.</li>
+  <li>If a weak algorithm is used for digital signatures, an attacker may be able to forge signatures and impersonate legitimate users.</li>
+</ul>
 
 </overview>
 <recommendation>
diff --git a/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp b/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp
index e0ccf71572f7..bdd1071b6134 100644
--- a/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp
+++ b/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp
@@ -4,17 +4,34 @@
 <qhelp>
 	<overview>
 		<p>
-			Using broken or weak cryptographic algorithms can leave data
-			vulnerable to being decrypted or forged by an attacker.
+			Using broken or weak cryptographic algorithms may compromise
+			security guarantees such as confidentiality, integrity, and
+			authenticity.
 		</p>
 
 		<p>
-			Many cryptographic algorithms provided by cryptography
-			libraries are known to be weak, or flawed. Using such an
-			algorithm means that encrypted or hashed data is less
-			secure than it appears to be.
+			Many cryptographic algorithms are known to be weak or flawed. The
+			security guarantees of a system often rely on the underlying
+			cryptography, so using a weak algorithm can have severe consequences.
+			For example:
 		</p>
 
+		<ul>
+			<li>
+			If a weak encryption algorithm is used, an attacker may be able to
+			decrypt sensitive data.
+			</li>
+			<li>
+			If a weak hashing algorithm is used to protect data integrity, an
+			attacker may be able to craft a malicious input that has the same
+			hash as a benign one.
+			</li>
+			<li>
+			If a weak algorithm is used for digital signatures, an attacker may
+			be able to forge signatures and impersonate legitimate users.
+			</li>
+		</ul>
+
 	</overview>
 	<recommendation>
 
diff --git a/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp b/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp
index a457db904314..003849b17cc0 100644
--- a/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp
+++ b/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp
@@ -3,18 +3,36 @@
 "qhelp.dtd">
 <qhelp>
      <overview>
+
           <p>
-               Using broken or weak cryptographic algorithms can leave data
-               vulnerable to being decrypted or forged by an attacker.
+               Using broken or weak cryptographic algorithms may compromise
+               security guarantees such as confidentiality, integrity, and
+               authenticity.
           </p>
 
           <p>
-               Many cryptographic algorithms provided by cryptography
-               libraries are known to be weak, or flawed. Using such an
-               algorithm means that encrypted or hashed data is less
-               secure than it appears to be.
+               Many cryptographic algorithms are known to be weak or flawed. The
+               security guarantees of a system often rely on the underlying
+               cryptography, so using a weak algorithm can have severe consequences.
+               For example:
           </p>
 
+          <ul>
+               <li>
+               If a weak encryption algorithm is used, an attacker may be able to
+               decrypt sensitive data.
+               </li>
+               <li>
+               If a weak hashing algorithm is used to protect data integrity, an
+               attacker may be able to craft a malicious input that has the same
+               hash as a benign one.
+               </li>
+               <li>
+               If a weak algorithm is used for digital signatures, an attacker may
+               be able to forge signatures and impersonate legitimate users.
+               </li>
+          </ul>
+
           <p>
                This query alerts on any use of a weak cryptographic algorithm that is
                not a hashing algorithm. Use of broken or weak cryptographic hash
diff --git a/ruby/ql/src/queries/security/cwe-327/BrokenCryptoAlgorithm.qhelp b/ruby/ql/src/queries/security/cwe-327/BrokenCryptoAlgorithm.qhelp
index 3346d3f7015f..3c4dae2ae7bc 100644
--- a/ruby/ql/src/queries/security/cwe-327/BrokenCryptoAlgorithm.qhelp
+++ b/ruby/ql/src/queries/security/cwe-327/BrokenCryptoAlgorithm.qhelp
@@ -4,15 +4,33 @@
 <qhelp>
   <overview>
     <p>
-      Using broken or weak cryptographic algorithms can leave data
-      vulnerable to being decrypted or forged by an attacker.
+      Using broken or weak cryptographic algorithms may compromise
+      security guarantees such as confidentiality, integrity, and
+      authenticity.
     </p>
+
     <p>
-      Many cryptographic algorithms provided by cryptography
-      libraries are known to be weak, or flawed. Using such an
-      algorithm means that encrypted or hashed data is less
-      secure than it appears to be.
+      Many cryptographic algorithms are known to be weak or flawed. The
+      security guarantees of a system often rely on the underlying
+      cryptography, so using a weak algorithm can have severe consequences.
+      For example:
     </p>
+
+    <ul>
+      <li>
+      If a weak encryption algorithm is used, an attacker may be able to
+      decrypt sensitive data.
+      </li>
+      <li>
+      If a weak hashing algorithm is used to protect data integrity, an
+      attacker may be able to craft a malicious input that has the same
+      hash as a benign one.
+      </li>
+      <li>
+      If a weak algorithm is used for digital signatures, an attacker may
+      be able to forge signatures and impersonate legitimate users.
+      </li>
+    </ul>
     <p>
       This query alerts on any use of a weak cryptographic algorithm that is
       not a hashing algorithm. Use of broken or weak cryptographic hash
diff --git a/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.qhelp b/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.qhelp
index 7bc1eb018e26..89aa8f71a58a 100644
--- a/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.qhelp
+++ b/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.qhelp
@@ -3,17 +3,34 @@
 "qhelp.dtd">
 <qhelp>
      <overview>
-          <p>
-               Using broken or weak cryptographic algorithms can leave data
-               vulnerable to being decrypted or forged by an attacker.
-          </p>
+		<p>
+			Using broken or weak cryptographic algorithms may compromise
+			security guarantees such as confidentiality, integrity, and
+			authenticity.
+		</p>
 
-          <p>
-               Many cryptographic algorithms provided by cryptography
-               libraries are known to be weak, or flawed. Using such an
-               algorithm means that encrypted or hashed data is less
-               secure than it appears to be.
-          </p>
+		<p>
+			Many cryptographic algorithms are known to be weak or flawed. The
+			security guarantees of a system often rely on the underlying
+			cryptography, so using a weak algorithm can have severe consequences.
+			For example:
+		</p>
+
+		<ul>
+			<li>
+			If a weak encryption algorithm is used, an attacker may be able to
+			decrypt sensitive data.
+			</li>
+			<li>
+			If a weak hashing algorithm is used to protect data integrity, an
+			attacker may be able to craft a malicious input that has the same
+			hash as a benign one.
+			</li>
+			<li>
+			If a weak algorithm is used for digital signatures, an attacker may
+			be able to forge signatures and impersonate legitimate users.
+			</li>
+		</ul>
 
           <p>
                This query alerts on any use of a weak cryptographic algorithm that is

From 2f22acdd062fd00ad3cbcf24a9008dbeeb547817 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan <owen-mc@github.com>
Date: Wed, 8 Oct 2025 16:48:57 +0100
Subject: [PATCH 4/4] Remove hashing example when not covered by query

---
 python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp   | 5 -----
 .../src/queries/security/cwe-327/BrokenCryptoAlgorithm.qhelp | 5 -----
 .../src/queries/security/CWE-327/BrokenCryptoAlgorithm.qhelp | 5 -----
 3 files changed, 15 deletions(-)

diff --git a/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp b/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp
index 003849b17cc0..9757f2d49bfe 100644
--- a/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp
+++ b/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp
@@ -23,11 +23,6 @@
                decrypt sensitive data.
                </li>
                <li>
-               If a weak hashing algorithm is used to protect data integrity, an
-               attacker may be able to craft a malicious input that has the same
-               hash as a benign one.
-               </li>
-               <li>
                If a weak algorithm is used for digital signatures, an attacker may
                be able to forge signatures and impersonate legitimate users.
                </li>
diff --git a/ruby/ql/src/queries/security/cwe-327/BrokenCryptoAlgorithm.qhelp b/ruby/ql/src/queries/security/cwe-327/BrokenCryptoAlgorithm.qhelp
index 3c4dae2ae7bc..cf84089e3d26 100644
--- a/ruby/ql/src/queries/security/cwe-327/BrokenCryptoAlgorithm.qhelp
+++ b/ruby/ql/src/queries/security/cwe-327/BrokenCryptoAlgorithm.qhelp
@@ -22,11 +22,6 @@
       decrypt sensitive data.
       </li>
       <li>
-      If a weak hashing algorithm is used to protect data integrity, an
-      attacker may be able to craft a malicious input that has the same
-      hash as a benign one.
-      </li>
-      <li>
       If a weak algorithm is used for digital signatures, an attacker may
       be able to forge signatures and impersonate legitimate users.
       </li>
diff --git a/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.qhelp b/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.qhelp
index 89aa8f71a58a..0c9e8fc289dd 100644
--- a/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.qhelp
+++ b/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.qhelp
@@ -22,11 +22,6 @@
 			decrypt sensitive data.
 			</li>
 			<li>
-			If a weak hashing algorithm is used to protect data integrity, an
-			attacker may be able to craft a malicious input that has the same
-			hash as a benign one.
-			</li>
-			<li>
 			If a weak algorithm is used for digital signatures, an attacker may
 			be able to forge signatures and impersonate legitimate users.
 			</li>