github · erik-krogh · Oct 1, 2022 · Sep 26, 2022 · Sep 29, 2022 · Sep 29, 2022
@@ -27,6 +27,5 @@ where
       xor2.getAnOperand() = v.getAnAccess()
     )
   )
-select l,
-  "The variable $@ seems to be used as part of a FNV-like hash calculation, that is modified by an additional $@ expression using literal $@.",
-  v, v.toString(), additional_xor, "xor", l, l.toString()
+select l, "This literal is used in an $@ after an FNV-like hash calculation with variable $@.",
+  additional_xor, "additional xor", v, v.toString()
@@ -34,5 +34,5 @@ where
   total = countSolorigateCommandInEnum(e) and
   total > 10
 select e,
-  "The enum $@ may be related to Solorigate. It matches " + total +
-    " of the values used for commands in the enum.", e, e.getName()
+  "This enum may be related to Solorigate. It matches " + total +
+    " of the values used for commands in the enum."
@@ -29,5 +29,5 @@ where
   isSolorigateHash(l) and
   total > threshold
 select l,
-  "The Hash literal $@ may be related to the Solorigate campaign. Total count = " + total +
-    " is above the threshold " + threshold + ".", l, l.getValue()
+  "This Hash literal may be related to the Solorigate campaign. Total count = " + total +
+    " is above the threshold " + threshold + "."
@@ -29,5 +29,5 @@ where
   isSolorigateLiteral(l) and
   total > threshold
 select l,
-  "The literal $@ may be related to the Solorigate campaign. Total count = " + total +
-    " is above the threshold " + threshold + ".", l, l.getValue()
+  "This literal may be related to the Solorigate campaign. Total count = " + total +
+    " is above the threshold " + threshold + "."
@@ -28,5 +28,5 @@ where
   isSolorigateSuspiciousMethodName(m) and
   total > threshold
 select m,
-  "The method $@ may be related to Solorigate. Total count = " + total + " is above the threshold " +
-    threshold + ".", m, m.getName()
+  "This method may be related to Solorigate. Total count = " + total + " is above the threshold " +
+    threshold + "."
@@ -1 +1 @@
-| test.cs:39:16:39:36 | 6605813339339102567 | The variable $@ seems to be used as part of a FNV-like hash calculation, that is modified by an additional $@ expression using literal $@. | test.cs:25:9:25:11 | num | num | test.cs:39:10:39:36 | ... ^ ... | xor | test.cs:39:16:39:36 | 6605813339339102567 | 6605813339339102567 |
+| test.cs:39:16:39:36 | 6605813339339102567 | This literal is used in an $@ after a FNV-like hash calculation with variable $@. | test.cs:39:10:39:36 | ... ^ ... | additional xor | test.cs:25:9:25:11 | num | num |
@@ -23,9 +23,9 @@ where
     exists(MethodCall callToEquals |
       callToEquals.getTarget() instanceof EqualsMethod and
       callToEquals.getQualifier().getType() = c and
-      message = "but it is called $@" and
+      message = "but $@" and
       item = callToEquals and
-      itemText = "here"
+      itemText = "'Equals' is called on an instance of this class"
     )
     or
     item = c.getAnOperator().(EQOperator) and

@@ -106,4 +106,4 @@ predicate mayNotBeDisposed(LocalScopeDisposableCreation disposable) {
 
 from LocalScopeDisposableCreation disposable
 where mayNotBeDisposed(disposable)
-select disposable, "Disposable '" + disposable.getType() + "' is created here but is not disposed."
+select disposable, "Disposable '" + disposable.getType() + "' is created but not disposed."
@@ -16,4 +16,4 @@ import semmle.code.csharp.dataflow.Nullness
 
 from Dereference d, Ssa::SourceVariable v
 where d.isFirstAlwaysNull(v)
-select d, "Variable $@ is always null here.", v, v.toString()
+select d, "Variable $@ is always null at this dereference.", v, v.toString()
@@ -19,4 +19,5 @@ import PathGraph
 from
   Dereference d, PathNode source, PathNode sink, Ssa::SourceVariable v, string msg, Element reason
 where d.isFirstMaybeNull(v.getAnSsaDefinition(), source, sink, msg, reason)
-select d, source, sink, "Variable $@ may be null here " + msg + ".", v, v.toString(), reason, "this"
+select d, source, sink, "Variable $@ may be null at this access " + msg + ".", v, v.toString(),
+  reason, "this"
@@ -28,4 +28,4 @@ where
     readaccess.getEnclosingCallable() = getter and
     not exists(LockStmt readlock | readlock.getAChildStmt+().getAChildExpr+() = readaccess)
   )
-select p, "Field '$@' is guarded by a lock in the setter but not in the getter.", f, f.getName()
+select p, "Field $@ is guarded by a lock in the setter but not in the getter.", f, f.getName()
@@ -111,6 +111,5 @@ where
     fa.getTarget() = g and
     g.getUnboundDeclaration() = f
   )
-select f,
-  "The field '" + f.getName() + "' is never explicitly assigned a value, yet it is read $@.", fa,
-  "here"
+select f, "The field '" + f.getName() + "' is never explicitly assigned a value, yet $@.", fa,
+  "the field is read"
@@ -19,4 +19,4 @@ where
   f.fromSource() and
   isDeadField(f) and
   not f.getDeclaringType().isPartial()
-select f, "Unused field (or field used from dead method only)"
+select f, "Unused field (or field used from dead method only)."
@@ -20,4 +20,4 @@ where
   m.fromSource() and
   isDeadMethod(m) and
   not m.getDeclaringType().isPartial()
-select m, "Unused method (or method called from dead method only)"
+select m, "Unused method (or method called from dead method only)."
@@ -111,5 +111,5 @@ predicate declaredInsideLoop(ForeachStmt loop, LocalVariable v) {
 
 from LambdaDataFlowConfiguration c, AnonymousFunctionExpr lambda, Variable loopVar, Element storage
 where c.capturesLoopVarAndIsStoredIn(lambda, loopVar, storage)
-select lambda, "Function which may be stored in $@ captures variable $@", storage,
+select lambda, "Function which may be stored in $@ captures variable $@.", storage,
   storage.toString(), loopVar, loopVar.getName()
@@ -35,5 +35,5 @@ where
   uselessIsBeforeAs(ae, ie) and
   not exists(MethodCall mc | ae = mc.getAnArgument().getAChildExpr*())
 select ae,
-  "This 'as' expression performs a type test - it should be directly compared against null, rendering the 'is' $@ potentially redundant.",
-  ie, "here"
+  "This 'as' expression performs a type test - it should be directly compared against null, rendering the $@ potentially redundant.",
+  ie, "is"
@@ -59,6 +59,5 @@ where
   va = seq.getAnAccess() and
   potentiallyConsumingAccess(va) and
   count(VariableAccess x | x = seq.getAnAccess() and potentiallyConsumingAccess(x)) > 1
-select seq,
-  "This enumerable sequence may not be repeatable, but is potentially consumed multiple times $@.",
-  va, "here"
+select seq, "This enumerable sequence may not be repeatable, but $@.", va,
+  "it is potentially consumed multiple times"
@@ -16,5 +16,5 @@ import Linq.Helpers
 from ForeachStmt fes, LocalVariableDeclStmt s
 where missedCastOpportunity(fes, s)
 select fes,
-  "This foreach loop immediately casts its iteration variable to another type $@ - consider casting the sequence explicitly using '.Cast(...)'.",
-  s, "here"
+  "This foreach loop immediately $@ - consider casting the sequence explicitly using '.Cast(...)'.",
+  s, "casts its iteration variable to another type"
@@ -16,5 +16,5 @@ import Linq.Helpers
 from ForeachStmt fes, LocalVariableDeclStmt s
 where missedOfTypeOpportunity(fes, s)
 select fes,
-  "This foreach loop immediately uses 'as' to coerce its iteration variable to another type $@ - consider using '.OfType(...)' instead.",
-  s, "here"
+  "This foreach loop immediately uses 'as' to $@ - consider using '.OfType(...)' instead.", s,
+  "coerce its iteration variable to another type"
@@ -25,5 +25,5 @@ where
   missedSelectOpportunity(fes, s) and
   not oversized(s)
 select fes,
-  "This foreach loop immediately maps its iteration variable to another variable $@ - consider mapping the sequence explicitly using '.Select(...)'.",
-  s, "here"
+  "This foreach loop immediately $@ - consider mapping the sequence explicitly using '.Select(...)'.",
+  s, "maps its iteration variable to another variable"
@@ -17,5 +17,5 @@ where
   missedWhereOpportunity(fes, is) and
   not missedAllOpportunity(fes)
 select fes,
-  "This foreach loop implicitly filters its target sequence $@ - consider filtering the sequence explicitly using '.Where(...)'.",
-  is.getCondition(), "here"
+  "This foreach loop $@ - consider filtering the sequence explicitly using '.Where(...)'.",
+  is.getCondition(), "implicitly filters its target sequence"
@@ -20,5 +20,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 
 from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
 where c.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "$@ flows to here and is used in a path.", source.getNode(),
-  "User-provided value"
+select sink.getNode(), source, sink, "This path depends on a $@.", source.getNode(),
+  "user-provided value"
@@ -19,5 +19,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 
 from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
 where c.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "$@ flows to here and is used in a command.", source.getNode(),
-  "User-provided value"
+select sink.getNode(), source, sink, "This command line depends on a $@.", source.getNode(),
+  "user-provided value"
@@ -24,5 +24,5 @@ class StoredTaintTrackingConfiguration extends TaintTrackingConfiguration {
 
 from StoredTaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
 where c.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "$@ flows to here and is used in a command.", source.getNode(),
-  "Stored user-provided value"
+select sink.getNode(), source, sink, "This command line depends on a $@.", source.getNode(),
+  "stored (potentially user-provided) value"
@@ -29,8 +29,8 @@ from
 where
   c.hasFlowPath(source, sink) and
   if exists(sink.getNode().(Sink).explanation())
-  then explanation = ": " + sink.getNode().(Sink).explanation() + "."
-  else explanation = "."
+  then explanation = " (" + sink.getNode().(Sink).explanation() + ")"
+  else explanation = ""
 select sink.getNode(), source, sink,
-  "$@ flows to here and is written to HTML or JavaScript" + explanation, source.getNode(),
-  "Stored user-provided value"
+  "This HTML or JavaScript write" + explanation + " depends on a $@.", source.getNode(),
+  "stored (potentially user-provided) value"
@@ -22,5 +22,5 @@ class StoredTaintTrackingConfiguration extends SqlInjection::TaintTrackingConfig
 
 from StoredTaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
 where c.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "$@ flows to here and is used in an SQL query.",
-  source.getNode(), "Stored user-provided value"
+select sink.getNode(), source, sink, "This SQL query depends on a $@.", source.getNode(),
+  "stored user-provided value"
@@ -25,5 +25,5 @@ string getSourceType(DataFlow::Node node) {
 
 from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
 where c.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Query might include code from $@.", source,
+select sink.getNode(), source, sink, "This query depends on $@.", source,
   ("this " + getSourceType(source.getNode()))
@@ -17,5 +17,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 
 from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
 where c.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "$@ flows to here and is used in an LDAP query.",
-  source.getNode(), "User-provided value"
+select sink.getNode(), source, sink, "This LDAP query depends on a $@.", source.getNode(),
+  "user-provided value"
@@ -22,5 +22,5 @@ class StoredTaintTrackingConfiguration extends TaintTrackingConfiguration {
 
 from StoredTaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
 where c.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "$@ flows to here and is used in an LDAP query.",
-  source.getNode(), "Stored user-provided value"
+select sink.getNode(), source, sink, "This LDAP query depends on a $@.", source.getNode(),
+  "stored (potentially user-provided) value"
@@ -48,4 +48,5 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
 
 from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
 where c.hasFlowPath(source, sink)
-select sink, source, sink, "$@ flows to here and is inserted as XML.", source, "User-provided value"
+select sink.getNode(), source, sink, "This XML element depends on a $@.", source.getNode(),
+  "user-provided value"
@@ -19,5 +19,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 
 from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
 where c.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "$@ flows to here and is compiled as code.", source.getNode(),
-  "User-provided value"
+select sink.getNode(), source, sink, "This code compilation depends on a $@.", source.getNode(),
+  "user-provided value"
@@ -17,5 +17,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 
 from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
 where c.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "$@ flows to here and is used in a resource descriptor.",
-  source.getNode(), "User-provided value"
+select sink.getNode(), source, sink, "This resource descriptor depends on a $@.", source.getNode(),
+  "user-provided value"
@@ -18,5 +18,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
 where c.hasFlowPath(source, sink)
 select sink.getNode(), source, sink,
-  "$@ flows to here and is processed as XML without validation because " +
-    sink.getNode().(Sink).getReason(), source.getNode(), "User-provided value"
+  "This XML processing depends on a $@ without validation because " +
+    sink.getNode().(Sink).getReason(), source.getNode(), "user-provided value"
@@ -49,5 +49,4 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
 
 from TaintTrackingConfiguration c, DataFlow::Node source, DataFlow::Node sink
 where c.hasFlow(source, sink)
-select sink, "$@ flows to here and is used as the path to dynamically load an assembly.", source,
-  "User-provided value"
+select sink, "This assembly path depends on a $@.", source, "user-provided value"
@@ -17,5 +17,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 
 from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
 where c.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "$@ flows to log entry.", source.getNode(),
-  "User-provided value"
+select sink.getNode(), source, sink, "This log entry depends on a $@.", source.getNode(),
+  "user-provided value"
@@ -31,7 +31,13 @@ class FormatStringConfiguration extends TaintTracking::Configuration {
   }
 }
 
+string getSourceType(DataFlow::Node node) {
+  result = node.(RemoteFlowSource).getSourceType()
+  or
+  result = node.(LocalFlowSource).getSourceType()
+}
+
 from FormatStringConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "$@ flows to here and is used as a format string.",
-  source.getNode(), source.getNode().toString()
+select sink.getNode(), source, sink, "This format string depends on $@.", source.getNode(),
+  ("this" + getSourceType(source.getNode()))
@@ -47,6 +47,5 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
 
 from TaintTrackingConfiguration configuration, DataFlow::PathNode source, DataFlow::PathNode sink
 where configuration.hasFlowPath(source, sink)
-select sink.getNode(), source, sink,
-  "Sensitive information from $@ flows to here, and is transmitted to the user.", source.getNode(),
-  source.toString()
+select sink.getNode(), source, sink, "This data transmitted to the user depends on $@.",
+  source.getNode(), "sensitive information"
@@ -64,6 +64,5 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
 
 from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
 where c.hasFlowPath(source, sink)
-select sink.getNode(), source, sink,
-  "Exception information from $@ flows to here, and is exposed to the user.", source.getNode(),
-  source.toString()
+select sink.getNode(), source, sink, "This information exposed to the user depends on $@.",
+  source.getNode(), "exception information"
@@ -19,5 +19,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 
 from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
 where c.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Sensitive data returned by $@ is stored here.",
+select sink.getNode(), source, sink, "This stores sensitive data returned by $@ as clear text.",
   source.getNode(), source.toString()
@@ -38,5 +38,5 @@ class StringLiteralSource extends KeySource {
 
 from SymmetricKeyTaintTrackingConfiguration keyFlow, KeySource src, SymmetricEncryptionKeySink sink
 where keyFlow.hasFlow(src, sink)
-select sink, "Hard-coded symmetric $@ is used in symmetric algorithm in " + sink.getDescription(),
-  src, "key"
+select sink, "This hard-coded $@ is used in symmetric algorithm in " + sink.getDescription(), src,
+  "symmetric key"
@@ -41,4 +41,4 @@ class AddCertToRootStoreConfig extends DataFlow::Configuration {
 
 from DataFlow::PathNode oc, DataFlow::PathNode mc, AddCertToRootStoreConfig config
 where config.hasFlowPath(oc, mc)
-select mc.getNode(), oc, mc, "Certificate added to the root certificate store."
+select mc.getNode(), oc, mc, "This certificate is added to the root certificate store."
@@ -41,5 +41,6 @@ class TaintTrackingConfiguration extends DataFlow::Configuration {
 
 from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
 where c.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "$@ flows to here and does not specify `Encrypt=True`.",
-  source.getNode(), "Connection string"
+select sink.getNode(), source, sink,
+  "$@ flows to this SQL connection and does not specify `Encrypt=True`.", source.getNode(),
+  "Connection string"
@@ -69,5 +69,5 @@ where
   loginMethod(loginMethod, fromLoginFlow) and
   sessionUse(sessionUse.getElement()) and
   controlStep+(loginCall.getASuccessorByType(fromLoginFlow), sessionUse)
-select sessionUse, "This session has not been invalidated following the call to '$@'.", loginCall,
+select sessionUse, "This session has not been invalidated following the call to $@.", loginCall,
   loginMethod.getName()
@@ -19,5 +19,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
 where c.hasFlowPath(source, sink)
 select sink.getNode(), source, sink,
-  "$@ flows to here and is loaded insecurely as XML (" + sink.getNode().(Sink).getReason() + ").",
-  source.getNode(), "User-provided value"
+  "This insecure XML processing depends on a $@ (" + sink.getNode().(Sink).getReason() + ").",
+  source.getNode(), "user-provided value"
@@ -22,5 +22,5 @@ class StoredTaintTrackingConfiguration extends XPathInjection::TaintTrackingConf
 
 from StoredTaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
 where c.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "$@ flows to here and is used in an XPath expression.",
-  source.getNode(), "Stored user-provided value"
+select sink.getNode(), source, sink, "This XPath expression depends on a $@.", source.getNode(),
+  "stored (potentially user-provided) value"
@@ -17,5 +17,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 
 from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
 where c.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "$@ flows to here and is used in an XPath expression.",
-  source.getNode(), "User-provided value"
+select sink.getNode(), source, sink, "This XPath expression depends on a $@.", source.getNode(),
+  "user-provided value"
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		\| test.cs:39:16:39:36 \| 6605813339339102567 \| The variable $@ seems to be used as part of a FNV-like hash calculation, that is modified by an additional $@ expression using literal $@. \| test.cs:25:9:25:11 \| num \| num \| test.cs:39:10:39:36 \| ... ^ ... \| xor \| test.cs:39:16:39:36 \| 6605813339339102567 \| 6605813339339102567 \|
		\| test.cs:39:16:39:36 \| 6605813339339102567 \| This literal is used in an $@ after a FNV-like hash calculation with variable $@. \| test.cs:39:10:39:36 \| ... ^ ... \| additional xor \| test.cs:25:9:25:11 \| num \| num \|