Fix query ids

Author: sylwia-budzynska

3/1/instructions.md

@@ -1,3 +1,7 @@
 You will need to set up CodeQL using one of the methods presented in [challenge 2](https://github.com/GitHubSecurityLab/codeql-zero-to-hero/blob/main/2/challenge-2/instructions.md) from CodeQL zero to hero part 2 to run the queries. Remember also to download and [select a CodeQL database](https://github.com/GitHubSecurityLab/codeql-zero-to-hero/blob/main/2/challenge-2/instructions.md#select-codeql-database) - it can be the GitHubSecurityLab/codeql-zero-to-hero database, but you may also choose another project.
 
 Run the query in this challenge to find all method calls that are called ‘execute’ and come from the `django.db` library.
+
+If the path is not displaying properly, you may need to change the view to ‘alerts’.
+
+<img src=../../images/alert-view.png>

3/1/query.ql

@@ -1,3 +1,9 @@
+/**
+ * @id codeql-zero-to-hero/3-1
+ * @severity error
+ * @kind problem
+ */
+
 import python
 import semmle.python.ApiGraphs
 
@@ -6,5 +12,4 @@ where node =
 API::moduleImport("django").getMember("db").getMember("connection").getMember("cursor").getReturn().getMember("execute").getACall()
 and
 node.getLocation().getFile().getRelativePath().regexpMatch("2/challenge-1/.*")
-
-select node
+select node, "Call to django.db execute"

3/2/query.ql

@@ -1,7 +1,13 @@
+/**
+ * @id codeql-zero-to-hero/3-2
+ * @severity error
+ * @kind problem
+ */
+
 import python
 import semmle.python.ApiGraphs
 
 from API::CallNode node
 where node = API::moduleImport("os").getMember("system").getACall()
 and node.getLocation().getFile().getRelativePath().regexpMatch("2/challenge-1/.*")
-select node
+select node, "Call to os.system"

3/3/query.ql

@@ -1,7 +1,13 @@
+/**
+ * @id codeql-zero-to-hero/3-3
+ * @severity error
+ * @kind problem
+ */
+
 import python
 import semmle.python.ApiGraphs
 
-select API::moduleImport("flask").getMember("request").getMember("args").asSource()
+select API::moduleImport("flask").getMember("request").getMember("args").asSource(), "Flask request.args source"
 
 // Note that you can also use a wildcard to query for any method of the request object, for example:
 

3/4/query.ql

@@ -1,6 +1,11 @@
+/**
+ * @id codeql-zero-to-hero/3-4
+ * @severity error
+ * @kind problem
+ */
 import python
 import semmle.python.ApiGraphs
 
 from API::CallNode node
 where node = API::moduleImport("django").getMember("db").getMember("connection").getMember("cursor").getReturn().getMember("execute").getACall()
-select node, node.getAQlClass()
+select node, "The node has type " + node.getAQlClass()

3/5/query.ql

@@ -1,3 +1,8 @@
+/**
+ * @id codeql-zero-to-hero/3-5
+ * @severity error
+ * @kind problem
+ */
 import python
 import semmle.python.ApiGraphs
 
@@ -18,4 +23,4 @@ predicate executeNotLiteral(DataFlow::CallCfgNode call) {
 
 from DataFlow::CallCfgNode call
 where executeNotLiteral(call)
-select call
+select call, "Call to django.db execute with an argument that is not a literal"

3/6/query.ql

@@ -1,11 +1,7 @@
 /**
- * @name DataFlow configuration
- * @description DataFlow TaintTracking configuration
  * @kind path-problem
- * @precision low
  * @problem.severity error
- * @id githubsecuritylab/dataflow-query
- * @tags template
+ * @id githubsecuritylab/3-6
  */
 
  import python

3/8/query.ql

@@ -1,6 +1,11 @@
+/**
+ * @kind problem
+ * @problem.severity error
+ * @id githubsecuritylab/3-8
+ */
 import python
 import semmle.python.dataflow.new.RemoteFlowSources
 
 
 from RemoteFlowSource rfs
-select rfs
+select rfs, "A remote flow source"

3/9/query.ql

@@ -1,5 +1,11 @@
+/**
+ * @kind problem
+ * @problem.severity error
+ * @id githubsecuritylab/3-9
+ */
+
 import python
 import semmle.python.Concepts
 
 from SqlExecution sink
-select sink
+select sink, "Potential SQL injection sink"