GO: make the alert messages of taint-tracking queries more consistent #10413
Conversation
|
Mostly looks good, though I'm personally not keen on |
erik-krogh
force-pushed
the
go-followMsg
branch
from
d5546be to
8ec3fb1
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| @@ -24,5 +24,5 @@ | |||
| // this excludes flow from safe parts of request URLs, for example the full URL when the | |||
| // doing a redirect from `http://<path>` to `https://<path>` | |||
| not scfg.hasFlow(_, sink.getNode()) | |||
| select sink.getNode(), source, sink, "Untrusted URL redirection due to $@.", source.getNode(), | |||
| select sink.getNode(), source, sink, "Untrusted URL redirection depends on a $@.", source.getNode(), | |||
Check warning
Code scanning / CodeQL
Alert message style violation
There was a problem hiding this comment.
A false positive. It's a data-flow query, but the configuration includes basically all the taint-tracking steps.
…-in-regex`, which also avoids using "here" in the alert-message
erik-krogh
force-pushed
the
go-followMsg
branch
from
8ec3fb1 to
175d3ac
Compare
|
Does this want a change note since it might lead to alerts being considered spuriously resolved and recreated? |
There is still the change-note from my previous Go PR that touched alert-messages. |
I just did this for Ruby, Python, and JavaScript.
I'm rewriting alert messages for the taint tracking queries:
This path depends on a user-provided value.User-provided value flows to this location and is used in a path.I also generally tried to use "this location" instead of "here".
I tried to formulate messages to use "depends on" and use the term "a user-provided value".
The previous change-note for changing the alert messages still cover this PR.
I'm also trying to update the style-guide based on my findings.