github · erik-krogh · Oct 3, 2022 · Sep 25, 2022 · Oct 1, 2022 · Oct 1, 2022
@@ -34,6 +34,6 @@ where
   bean1.getBeanIdentifier() < bean2.getBeanIdentifier() and
   bean1 != bean2
 select bean1,
-  "Bean $@ has " + similarProps.toString() +
+  "This bean has " + similarProps.toString() +
     " properties similar to $@. Consider introducing a common parent bean for these two beans.",
-  bean1, bean1.getBeanIdentifier(), bean2, bean2.getBeanIdentifier()
+  bean2, bean2.getBeanIdentifier()
@@ -26,5 +26,4 @@ class ParentBean extends SpringBean {
 
 from ParentBean parent
 where parent.getDeclaredClass().isAbstract()
-select parent, "Parent bean $@ should not have an abstract class.", parent,
-  parent.getBeanIdentifier()
+select parent, "This parent bean should not have an abstract class."
@@ -21,10 +21,11 @@ where
   e = clearlyNotNullExpr(reason) and
   (
     if reason instanceof Guard
-    then msg = "This check is useless, $@ cannot be null here, since it is guarded by $@."
+    then msg = "This check is useless. $@ cannot be null at this check, since it is guarded by $@."
     else
       if reason != e
-      then msg = "This check is useless, $@ cannot be null here, since $@ always is non-null."
+      then
+        msg = "This check is useless. $@ cannot be null at this check, since $@ always is non-null."
       else msg = "This check is useless, since $@ always is non-null."
   )
 select guard, msg, e, e.toString(), reason, reason.toString()
@@ -72,5 +72,5 @@ where
   remove.getCallee().hasName("remove") and
   iterOfSpecialCollection(remove.getQualifier(), scc)
 select remove,
-  "This call may fail when iterating over the collection created $@, since it does not support element removal.",
-  scc, "here"
+  "This call may fail when iterating over $@, since it does not support element removal.", scc,
+  "the collection"
@@ -77,4 +77,4 @@ where
   // Exclude `equals` methods that implement reference-equality.
   not m instanceof ReferenceEquals and
   not m instanceof UnimplementedEquals
-select m, "equals() method does not check argument type."
+select m, "This 'equals()' method does not check argument type."
@@ -21,4 +21,4 @@ where
   eq.getAnOperand() = f.getAnAccess() and nanField(f) and f.getDeclaringType().hasName(classname)
 select eq,
   "This comparison will always yield the same result since 'NaN != NaN'. Consider using " +
-    classname + ".isNaN instead"
+    classname + ".isNaN instead."
@@ -23,4 +23,4 @@ where
     ma.getEnclosingStmt().getEnclosingStmt*() instanceof SynchronizedStmt or
     ma.getEnclosingCallable().isSynchronized()
   )
-select ma, "sleep() with lock held."
+select ma, "This calls 'Thread.sleep()' with a lock held."
@@ -27,4 +27,4 @@ where
   ma.getMethod().getDeclaringType().hasQualifiedName("java.lang", "Object") and
   ma.getEnclosingStmt().getEnclosingStmt*() = synch and
   synch.getEnclosingStmt+() instanceof Synched
-select ma, "wait() with two locks held."
+select ma, "This calls 'Object.wait()' with two locks held."
@@ -46,5 +46,5 @@ predicate contradictoryTypeCheck(Expr e, Variable v, RefType t, RefType sup, Exp
 
 from Expr e, Variable v, RefType t, RefType sup, Expr cond
 where contradictoryTypeCheck(e, v, t, sup, cond)
-select e, "Variable $@ cannot be of type $@ here, since $@ ensures that it is not of type $@.", v,
+select e, "This access of $@ cannot be of type $@, since $@ ensures that it is not of type $@.", v,
   v.getName(), t, t.getName(), cond, "this expression", sup, sup.getName()
@@ -45,5 +45,4 @@ predicate sameVariable(VarAccess left, VarAccess right) {
 from AssignExpr assign
 where sameVariable(assign.getDest(), assign.getSource())
 select assign,
-  "This assigns the variable " + assign.getDest().(VarAccess).getVariable().getName() +
-    " to itself and has no effect."
+  "This expression assigns " + assign.getDest().(VarAccess).getVariable().getName() + " to itself."
@@ -17,4 +17,5 @@ private import semmle.code.java.dataflow.Nullness
 
 from VarAccess access, SsaSourceVariable var
 where alwaysNullDeref(var, access)
-select access, "Variable $@ is always null here.", var.getVariable(), var.getVariable().getName()
+select access, "Variable $@ is always null at this dereference.", var.getVariable(),
+  var.getVariable().getName()
@@ -24,5 +24,5 @@ where
   not alwaysNullDeref(var, access) and
   // Kotlin enforces this already:
   not access.getLocation().getFile().isKotlinSourceFile()
-select access, "Variable $@ may be null here " + msg + ".", var.getVariable(),
+select access, "Variable $@ may be null at this access " + msg + ".", var.getVariable(),
   var.getVariable().getName(), reason, "this"
@@ -22,4 +22,4 @@ where
     not f.getType().hasName("long")
   ) and
   f.getDeclaringType().getAStrictAncestor() instanceof TypeSerializable
-select f, "serialVersionUID should be final, static, and of type long."
+select f, "'serialVersionUID' should be final, static, and of type long."
@@ -106,4 +106,5 @@ where
   else multiCatchMsg = ""
 select try.getCatchClause(second),
   "This catch-clause is unreachable" + multiCatchMsg + "; it is masked $@.",
-  try.getCatchClause(first), "here for exceptions of type '" + masking.getName() + "'"
+  try.getCatchClause(first),
+  "by a previous catch-clause for exceptions of type '" + masking.getName() + "'"
@@ -36,5 +36,5 @@ where
   // This is the case is some dummy implementations.
   exists(MethodAccess ma | ma.getEnclosingCallable() = m | ma.getMethod().getName() = "write")
 select c,
-  "This class extends java.io.OutputStream and implements $@, but does not override write(byte[],int,int)",
+  "This class extends 'java.io.OutputStream' and implements $@, but does not override 'write(byte[],int,int)'.",
   m, m.getName()
@@ -70,5 +70,5 @@ DataFlow::Node getReportingNode(DataFlow::Node sink) {
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, TaintedPathConfig conf
 where conf.hasFlowPath(source, sink)
-select getReportingNode(sink.getNode()), source, sink, "$@ flows to here and is used in a path.",
-  source.getNode(), "User-provided value"
+select getReportingNode(sink.getNode()), source, sink, "This path depends on a $@.",
+  source.getNode(), "user-provided value"
@@ -41,5 +41,4 @@ where
   e = p.getAnInput() and
   conf.hasFlowPath(source, sink) and
   not guarded(e)
-select p, source, sink, "$@ flows to here and is used in a path.", source.getNode(),
-  "User-provided value"
+select p, source, sink, "This path depends on a $@.", source.getNode(), "user-provided value"
@@ -13,4 +13,4 @@
 import semmle.code.java.security.PartialPathTraversal
 
 from PartialPathTraversalMethodAccess ma
-select ma, "Partial Path Traversal Vulnerability due to insufficient guard against path traversal"
+select ma, "Partial Path Traversal Vulnerability due to insufficient guard against path traversal."
@@ -16,4 +16,5 @@ import DataFlow::PathGraph
 from DataFlow::PathNode source, DataFlow::PathNode sink
 where any(PartialPathTraversalFromRemoteConfig config).hasFlowPath(source, sink)
 select sink.getNode(), source, sink,
-  "Partial Path Traversal Vulnerability due to insufficient guard against path traversal from user-supplied data"
+  "Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@.",
+  source, "user-supplied data"
@@ -20,5 +20,5 @@ import DataFlow::PathGraph
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, ArgumentToExec execArg
 where execTainted(source, sink, execArg)
-select execArg, source, sink, "$@ flows to here and is used in a command.", source.getNode(),
-  "User-provided value"
+select execArg, source, sink, "This command line depends on a $@.", source.getNode(),
+  "user-provided value"
@@ -38,5 +38,5 @@ from
   DataFlow::PathNode source, DataFlow::PathNode sink, ArgumentToExec execArg,
   LocalUserInputToArgumentToExecFlowConfig conf
 where conf.hasFlowPath(source, sink) and sink.getNode().asExpr() = execArg
-select execArg, source, sink, "$@ flows to here and is used in a command.", source.getNode(),
-  "User-provided value"
+select execArg, source, sink, "This command line depends on a $@.", source.getNode(),
+  "user-provided value"
@@ -34,5 +34,5 @@ class XssConfig extends TaintTracking::Configuration {
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, XssConfig conf
 where conf.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.",
+select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to a $@.",
   source.getNode(), "user-provided value"
@@ -19,5 +19,4 @@ import DataFlow::PathGraph
 
 from QueryInjectionSink query, DataFlow::PathNode source, DataFlow::PathNode sink
 where queryTaintedBy(query, source, sink)
-select query, source, sink, "This SQL query depends on $@.", source.getNode(),
-  "a user-provided value"
+select query, source, sink, "This query depends on a $@.", source.getNode(), "user-provided value"
@@ -36,5 +36,5 @@ class LocalUserInputToQueryInjectionFlowConfig extends TaintTracking::Configurat
 from
   DataFlow::PathNode source, DataFlow::PathNode sink, LocalUserInputToQueryInjectionFlowConfig conf
 where conf.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Query might include code from $@.", source.getNode(),
-  "this user input"
+select sink.getNode(), source, sink, "This query depends on a $@.", source.getNode(),
+  "user-provided value"
@@ -18,5 +18,5 @@ import DataFlow::PathGraph
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, LdapInjectionFlowConfig conf
 where conf.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "LDAP query might include code from $@.", source.getNode(),
-  "this user input"
+select sink.getNode(), source, sink, "This LDAP query depends on a $@.", source.getNode(),
+  "user-provided value"
@@ -17,5 +17,5 @@ import DataFlow::PathGraph
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, GroovyInjectionConfig conf
 where conf.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Groovy Injection from $@.", source.getNode(),
-  "this user input"
+select sink.getNode(), source, sink, "Groovy script depends on a $@.", source.getNode(),
+  "user-provided value"
@@ -80,5 +80,5 @@ where
     exists(SetMessageInterpolatorCall c | not c.isSafe())
   ) and
   cfg.hasFlowPath(source, sink)
-select sink.getNode(), source, sink,
-  "Custom constraint error message contains unsanitized user data"
+select sink.getNode(), source, sink, "Custom constraint error message contains an unsanitized $@.",
+  source, "user-provided value"
@@ -17,4 +17,5 @@ import DataFlow::PathGraph
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, JexlInjectionConfig conf
 where conf.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "JEXL injection from $@.", source.getNode(), "this user input"
+select sink.getNode(), source, sink, "JEXL expression depends on a $@.", source.getNode(),
+  "user-provided value"
@@ -17,4 +17,5 @@ import DataFlow::PathGraph
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, MvelInjectionFlowConfig conf
 where conf.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "MVEL injection from $@.", source.getNode(), "this user input"
+select sink.getNode(), source, sink, "MVEL expression depends on a $@.", source.getNode(),
+  "user-provided value"
@@ -18,4 +18,5 @@ import DataFlow::PathGraph
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, SpelInjectionConfig conf
 where conf.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "SpEL injection from $@.", source.getNode(), "this user input"
+select sink.getNode(), source, sink, "SpEL expression depends on a $@.", source.getNode(),
+  "user-provided value"
@@ -17,5 +17,5 @@ import DataFlow::PathGraph
 
 from TemplateInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Potential arbitrary code execution due to $@.",
-  source.getNode(), "a template value loaded from a remote source."
+select sink.getNode(), source, sink, "Template, which may contain code, depends on a $@.",
+  source.getNode(), "user-provided value"
@@ -47,5 +47,6 @@ class ResponseSplittingConfig extends TaintTracking::Configuration {
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, ResponseSplittingConfig conf
 where conf.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Response-splitting vulnerability due to this $@.",
+select sink.getNode(), source, sink,
+  "This header depends on a $@, which may cause a response-splitting vulnerability.",
   source.getNode(), "user-provided value"
@@ -31,5 +31,6 @@ class ResponseSplittingLocalConfig extends TaintTracking::Configuration {
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, ResponseSplittingLocalConfig conf
 where conf.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Response-splitting vulnerability due to this $@.",
+select sink.getNode(), source, sink,
+  "This header depends on a $@, which may cause a response-splitting vulnerability.",
   source.getNode(), "user-provided value"
@@ -17,5 +17,5 @@ import DataFlow::PathGraph
 
 from LogInjectionConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
-select source.getNode(), source, sink, "This user-provided value flows to a $@.", sink.getNode(),
-  "log entry"
+select sink.getNode(), source, sink, "This log entry depends on a $@.", source.getNode(),
+  "user-provided value"
@@ -33,5 +33,5 @@ where
   sizeExpr = sink.getNode().asExpr() and
   any(Conf conf).hasFlowPath(source, sink)
 select arrayAccess.getIndexExpr(), source, sink,
-  "The $@ is accessed here, but the array is initialized using $@ which may be zero.",
-  arrayCreation, "array", source.getNode(), "User-provided value"
+  "This accesses the $@, but the array is initialized using a $@ which may be zero.", arrayCreation,
+  "array", source.getNode(), "user-provided value"
@@ -38,5 +38,5 @@ where
   boundedsource = source.getNode() and
   any(BoundedFlowSourceConf conf).hasFlowPath(source, sink)
 select arrayAccess.getIndexExpr(), source, sink,
-  "The $@ is accessed here, but the array is initialized using $@ which may be zero.",
-  arrayCreation, "array", boundedsource, boundedsource.getDescription().toLowerCase()
+  "This accesses the $@, but the array is initialized using $@ which may be zero.", arrayCreation,
+  "array", boundedsource, boundedsource.getDescription().toLowerCase()
@@ -34,5 +34,5 @@ where
   sizeExpr = sink.getNode().asExpr() and
   any(Conf conf).hasFlowPath(source, sink)
 select arrayAccess.getIndexExpr(), source, sink,
-  "The $@ is accessed here, but the array is initialized using $@ which may be zero.",
-  arrayCreation, "array", source.getNode(), "User-provided value"
+  "This accesses the $@, but the array is initialized using a $@ which may be zero.", arrayCreation,
+  "array", source.getNode(), "user-provided value"
@@ -32,5 +32,5 @@ where
   arrayAccess.canThrowOutOfBounds(sink.getNode().asExpr()) and
   any(Conf conf).hasFlowPath(source, sink)
 select arrayAccess.getIndexExpr(), source, sink,
-  "$@ flows to here and is used as an index causing an ArrayIndexOutOfBoundsException.",
-  source.getNode(), "User-provided value"
+  "This index depends on a $@ which can cause an ArrayIndexOutOfBoundsException.", source.getNode(),
+  "user-provided value"
@@ -31,5 +31,5 @@ where
   arrayAccess.canThrowOutOfBounds(sink.getNode().asExpr()) and
   any(Conf conf).hasFlowPath(source, sink)
 select arrayAccess.getIndexExpr(), source, sink,
-  "$@ flows to here and is used as an index causing an ArrayIndexOutOfBoundsException.",
-  source.getNode(), "User-provided value"
+  "This index depends on a $@ which can cause an ArrayIndexOutOfBoundsException.", source.getNode(),
+  "user-provided value"
@@ -33,5 +33,5 @@ from
   DataFlow::PathNode source, DataFlow::PathNode sink, StringFormat formatCall,
   ExternallyControlledFormatStringConfig conf
 where conf.hasFlowPath(source, sink) and sink.getNode().asExpr() = formatCall.getFormatArgument()
-select formatCall.getFormatArgument(), source, sink,
-  "$@ flows to here and is used in a format string.", source.getNode(), "User-provided value"
+select formatCall.getFormatArgument(), source, sink, "Format string depends on a $@.",
+  source.getNode(), "user-provided value"
@@ -31,5 +31,5 @@ from
   DataFlow::PathNode source, DataFlow::PathNode sink, StringFormat formatCall,
   ExternallyControlledFormatStringLocalConfig conf
 where conf.hasFlowPath(source, sink) and sink.getNode().asExpr() = formatCall.getFormatArgument()
-select formatCall.getFormatArgument(), source, sink,
-  "$@ flows to here and is used in a format string.", source.getNode(), "User-provided value"
+select formatCall.getFormatArgument(), source, sink, "Format string depends on a $@.",
+  source.getNode(), "user-provided value"
@@ -47,5 +47,5 @@ where
   underflowSink(exp, sink.getNode().asExpr()) and
   effect = "underflow"
 select exp, source, sink,
-  "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".",
-  source.getNode(), "User-provided value"
+  "This arithmetic expression depends on a $@, potentially causing an " + effect + ".",
+  source.getNode(), "user-provided value"
@@ -47,5 +47,5 @@ where
   underflowSink(exp, sink.getNode().asExpr()) and
   effect = "underflow"
 select exp, source, sink,
-  "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".",
-  source.getNode(), "User-provided value"
+  "This arithmetic expression depends on a $@, potentially causing an " + effect + ".",
+  source.getNode(), "user-provided value"
@@ -55,5 +55,5 @@ where
   underflowSink(exp, sink.getNode().asExpr()) and
   effect = "underflow"
 select exp, source, sink,
-  "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".",
-  source.getNode(), "Uncontrolled value"
+  "This arithmetic expression depends on an $@, potentially causing an " + effect + ".",
+  source.getNode(), "uncontrolled value"
@@ -20,5 +20,6 @@ import DataFlow::PathGraph
 from DataFlow::PathNode source, DataFlow::PathNode sink
 where any(IntentUriPermissionManipulationConf c).hasFlowPath(source, sink)
 select sink.getNode(), source, sink,
-  "This Intent can be set with arbitrary flags from $@, " +
-    "and used to give access to internal content providers.", source.getNode(), "this user input"
+  "This Intent can be set with arbitrary flags from a $@, " +
+    "and used to give access to internal content providers.", source.getNode(),
+  "user-provided value"
@@ -17,5 +17,6 @@ import DataFlow::PathGraph
 
 from DataFlow::PathNode source, DataFlow::PathNode sink
 where any(InsecureTrustManagerConfiguration cfg).hasFlowPath(source, sink)
-select sink, source, sink, "This $@, which is defined $@ and trusts any certificate, is used here.",
-  source, "TrustManager", source.getNode().asExpr().(ClassInstanceExpr).getConstructedType(), "here"
+select sink, source, sink, "This uses $@, which is defined in $@ and trusts any certificate.",
+  source, "TrustManager",
+  source.getNode().asExpr().(ClassInstanceExpr).getConstructedType() as type, type.nestedName()
@@ -21,4 +21,4 @@ where
   isInsecureMailPropertyConfig(ma.getArgument(0).(VarAccess).getVariable())
   or
   enablesEmailSsl(ma) and not hasSslCertificateCheck(ma.getQualifier().(VarAccess).getVariable())
-select ma, "Java mailing has insecure SSL configuration"
+select ma, "Java mailing has insecure SSL configuration."
@@ -121,5 +121,5 @@ where
   not isNodeGuardedByFlag(sink.getNode()) and
   verifier = source.getNode().asExpr().(ClassInstanceExpr).getConstructedType()
 select sink, source, sink,
-  "$@ that is defined $@ and accepts any certificate as valid, is used here.", source,
-  "This hostname verifier", verifier, "here"
+  "The $@ defined by $@ always accepts any certificate, even if the hostname does not match.",
+  source, "hostname verifier", verifier, "this type"
@@ -20,5 +20,5 @@ where
   input = s.getAnInput() and
   store = s.getAStore() and
   data.flowsTo(input)
-select store, "SQLite database $@ containing $@ is stored $@. Data was added $@.", s, s.toString(),
-  data, "sensitive data", store, "here", input, "here"
+select store, "This stores data in a SQLite database $@ containing $@ which was $@.", s,
+  s.toString(), data, "sensitive data", input, "previously added"