From 36a0d49dcf7c8b4874a38185937cd0d6317c9965 Mon Sep 17 00:00:00 2001
From: Graham Sutherland <graham.sutherland@trailofbits.com>
Date: Tue, 24 Feb 2026 17:31:09 +0000
Subject: [PATCH] Explicit precedence clarifies logic in
 UseOfLegacyAlgorithm.ql

Not strictly a bugfix since CodeQL's precedence handles this already (disjunction occurs before conjunction) but the and/or logic for handling "DES" becomes clearer when wrapped in parens.
---
 cpp/src/crypto/UseOfLegacyAlgorithm.ql | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/cpp/src/crypto/UseOfLegacyAlgorithm.ql b/cpp/src/crypto/UseOfLegacyAlgorithm.ql
index a26f42f..9334c5d 100644
--- a/cpp/src/crypto/UseOfLegacyAlgorithm.ql
+++ b/cpp/src/crypto/UseOfLegacyAlgorithm.ql
@@ -36,9 +36,10 @@ where
      * 			descend
      * 			destroy
      */
-
-    cipherName = "DES" and
-    functionName.regexpMatch(".*(?<!no|mo|co)des(?!cri(be|ption|ptor)|ign|cend|troy).*")
+    (
+      cipherName = "DES" and
+      functionName.regexpMatch(".*(?<!no|mo|co)des(?!cri(be|ption|ptor)|ign|cend|troy).*")
+    )
   )
 select call.getLocation(),
   "Potential use of legacy cryptographic algorithm " + cipherName + " detected in function name " +