Merge pull request github#10731 from erik-krogh/rb-last-msg

Ruby: fix some more style-guide violations in the alert-messages

Author: erik-krogh

ruby/ql/src/change-notes/2022-10-07-alert-messages.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.

ruby/ql/src/queries/security/cwe-295/RequestWithoutValidation.ql

@@ -27,8 +27,6 @@ where
   // NOTE: We compare the locations instead of DataFlow::Nodes directly, since for
   // snippet `Excon.defaults[:ssl_verify_peer] = false`, `disablingNode = argumentNode`
   // does NOT hold.
-  if disablingNode.getLocation() = origin.getLocation()
-  then ending = "."
-  else ending = " by the value from $@."
-select request, "This request may run without certificate validation because it is $@" + ending,
-  disablingNode, "disabled here", origin, "here"
+  if disablingNode.getLocation() = origin.getLocation() then ending = "." else ending = " by $@."
+select request, "This request may run without certificate validation because $@" + ending,
+  disablingNode, "the request is disabled", origin, "this value"

ruby/ql/src/queries/security/cwe-312/CleartextLogging.ql

@@ -20,5 +20,5 @@ import DataFlow::PathGraph
 
 from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Sensitive data returned by $@ is logged here.",
+select sink.getNode(), source, sink, "This logs sensitive data returned by $@ as clear text.",
   source.getNode(), source.getNode().(Source).describe()

ruby/ql/src/queries/security/cwe-312/CleartextStorage.ql

@@ -21,5 +21,5 @@ import DataFlow::PathGraph
 
 from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Sensitive data returned by $@ is stored here.",
+select sink.getNode(), source, sink, "This stores sensitive data returned by $@ as clear text.",
   source.getNode(), source.getNode().(Source).describe()

ruby/ql/src/queries/security/cwe-732/WeakFilePermissions.ql

@@ -63,5 +63,6 @@ from
   DataFlow::PathNode source, DataFlow::PathNode sink, PermissivePermissionsConfig conf,
   FileSystemPermissionModification mod
 where conf.hasFlowPath(source, sink) and mod.getAPermissionNode() = sink.getNode()
-select source.getNode(), source, sink, "Overly permissive mask in $@ sets file to $@.", mod,
-  mod.toString(), source.getNode(), source.getNode().toString()
+select source.getNode(), source, sink,
+  "This overly permissive mask used in $@ allows read or write access to others.", mod,
+  mod.toString()

ruby/ql/src/queries/security/cwe-798/HardcodedCredentials.ql

@@ -154,4 +154,5 @@ class HardcodedCredentialsConfiguration extends DataFlow::Configuration {
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, HardcodedCredentialsConfiguration conf
 where conf.hasFlowPath(source, sink)
-select source.getNode(), source, sink, "Use of $@.", source.getNode(), "hardcoded credentials"
+select source.getNode(), source, sink, "This hardcoded value is $@.", sink.getNode(),
+  "used as credentials"

ruby/ql/src/queries/security/cwe-912/HttpToFileAccess.ql

@@ -18,4 +18,5 @@ import codeql.ruby.security.HttpToFileAccessQuery
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "$@ flows to file system.", source.getNode(), "Untrusted data"
+select sink.getNode(), source, sink, "Write to file system depends on $@.", source.getNode(),
+  "untrusted data"

ruby/ql/test/query-tests/security/cwe-295/RequestWithoutValidation.expected

@@ -1,28 +1,28 @@
-| Excon.rb:6:3:6:34 | call to get | This request may run without certificate validation because it is $@. | Excon.rb:5:38:5:42 | ... = ... | disabled here | Excon.rb:5:38:5:42 | false | here |
-| Excon.rb:12:3:12:34 | call to get | This request may run without certificate validation because it is $@. | Excon.rb:11:27:11:31 | ... = ... | disabled here | Excon.rb:11:27:11:31 | false | here |
-| Excon.rb:18:3:18:34 | call to get | This request may run without certificate validation because it is $@ by the value from $@. | Excon.rb:17:38:17:60 | ... = ... | disabled here | Excon.rb:17:55:17:59 | false | here |
-| Excon.rb:24:3:24:10 | call to get | This request may run without certificate validation because it is $@. | Excon.rb:23:72:23:76 | false | disabled here | Excon.rb:23:72:23:76 | false | here |
-| Excon.rb:30:3:30:62 | call to get | This request may run without certificate validation because it is $@. | Excon.rb:30:53:30:57 | false | disabled here | Excon.rb:30:53:30:57 | false | here |
-| Faraday.rb:5:12:5:30 | call to get | This request may run without certificate validation because it is $@. | Faraday.rb:4:63:4:67 | false | disabled here | Faraday.rb:4:63:4:67 | false | here |
-| Faraday.rb:9:12:9:30 | call to get | This request may run without certificate validation because it is $@. | Faraday.rb:8:68:8:92 | VERIFY_NONE | disabled here | Faraday.rb:8:68:8:92 | VERIFY_NONE | here |
-| Faraday.rb:35:16:35:35 | call to get | This request may run without certificate validation because it is $@ by the value from $@. | Faraday.rb:34:51:34:53 | arg | disabled here | Faraday.rb:38:42:38:46 | false | here |
-| Faraday.rb:44:16:44:35 | call to get | This request may run without certificate validation because it is $@ by the value from $@. | Faraday.rb:43:56:43:58 | arg | disabled here | Faraday.rb:47:47:47:71 | VERIFY_NONE | here |
-| HttpClient.rb:6:1:6:33 | call to get | This request may run without certificate validation because it is $@. | HttpClient.rb:5:33:5:57 | ... = ... | disabled here | HttpClient.rb:5:33:5:57 | VERIFY_NONE | here |
-| Httparty.rb:4:1:4:50 | call to get | This request may run without certificate validation because it is $@. | Httparty.rb:4:45:4:49 | false | disabled here | Httparty.rb:4:45:4:49 | false | here |
-| Httparty.rb:7:1:7:55 | call to get | This request may run without certificate validation because it is $@. | Httparty.rb:7:50:7:54 | false | disabled here | Httparty.rb:7:50:7:54 | false | here |
-| Httparty.rb:10:1:10:59 | call to get | This request may run without certificate validation because it is $@. | Httparty.rb:10:52:10:56 | false | disabled here | Httparty.rb:10:52:10:56 | false | here |
-| Httparty.rb:13:1:13:70 | call to post | This request may run without certificate validation because it is $@. | Httparty.rb:13:65:13:69 | false | disabled here | Httparty.rb:13:65:13:69 | false | here |
-| Httparty.rb:16:1:16:74 | call to post | This request may run without certificate validation because it is $@. | Httparty.rb:16:67:16:71 | false | disabled here | Httparty.rb:16:67:16:71 | false | here |
-| NetHttp.rb:9:12:9:31 | call to request | This request may run without certificate validation because it is $@. | NetHttp.rb:7:20:7:44 | ... = ... | disabled here | NetHttp.rb:7:20:7:44 | VERIFY_NONE | here |
-| OpenURI.rb:4:1:4:78 | call to open | This request may run without certificate validation because it is $@. | OpenURI.rb:4:53:4:77 | VERIFY_NONE | disabled here | OpenURI.rb:4:53:4:77 | VERIFY_NONE | here |
-| OpenURI.rb:7:1:7:82 | call to open | This request may run without certificate validation because it is $@. | OpenURI.rb:7:55:7:79 | VERIFY_NONE | disabled here | OpenURI.rb:7:55:7:79 | VERIFY_NONE | here |
-| OpenURI.rb:11:1:11:43 | call to open | This request may run without certificate validation because it is $@. | OpenURI.rb:10:30:10:54 | VERIFY_NONE | disabled here | OpenURI.rb:10:30:10:54 | VERIFY_NONE | here |
-| OpenURI.rb:14:1:14:81 | call to open | This request may run without certificate validation because it is $@. | OpenURI.rb:14:56:14:80 | VERIFY_NONE | disabled here | OpenURI.rb:14:56:14:80 | VERIFY_NONE | here |
-| OpenURI.rb:17:1:17:85 | call to open | This request may run without certificate validation because it is $@. | OpenURI.rb:17:58:17:82 | VERIFY_NONE | disabled here | OpenURI.rb:17:58:17:82 | VERIFY_NONE | here |
-| OpenURI.rb:21:1:21:46 | call to open | This request may run without certificate validation because it is $@. | OpenURI.rb:20:30:20:54 | VERIFY_NONE | disabled here | OpenURI.rb:20:30:20:54 | VERIFY_NONE | here |
-| RestClient.rb:5:12:5:23 | call to get | This request may run without certificate validation because it is $@. | RestClient.rb:4:72:4:96 | VERIFY_NONE | disabled here | RestClient.rb:4:72:4:96 | VERIFY_NONE | here |
-| RestClient.rb:9:12:9:23 | call to get | This request may run without certificate validation because it is $@. | RestClient.rb:8:74:8:98 | VERIFY_NONE | disabled here | RestClient.rb:8:74:8:98 | VERIFY_NONE | here |
-| RestClient.rb:14:12:14:23 | call to get | This request may run without certificate validation because it is $@. | RestClient.rb:12:25:12:49 | VERIFY_NONE | disabled here | RestClient.rb:12:25:12:49 | VERIFY_NONE | here |
-| RestClient.rb:19:12:19:23 | call to get | This request may run without certificate validation because it is $@ by the value from $@. | RestClient.rb:18:72:18:76 | value | disabled here | RestClient.rb:17:9:17:33 | VERIFY_NONE | here |
-| Typhoeus.rb:4:1:4:62 | call to get | This request may run without certificate validation because it is $@. | Typhoeus.rb:4:57:4:61 | false | disabled here | Typhoeus.rb:4:57:4:61 | false | here |
-| Typhoeus.rb:8:1:8:54 | call to post | This request may run without certificate validation because it is $@. | Typhoeus.rb:7:53:7:57 | false | disabled here | Typhoeus.rb:7:53:7:57 | false | here |
+| Excon.rb:6:3:6:34 | call to get | This request may run without certificate validation because $@. | Excon.rb:5:38:5:42 | ... = ... | the request is disabled | Excon.rb:5:38:5:42 | false | this value |
+| Excon.rb:12:3:12:34 | call to get | This request may run without certificate validation because $@. | Excon.rb:11:27:11:31 | ... = ... | the request is disabled | Excon.rb:11:27:11:31 | false | this value |
+| Excon.rb:18:3:18:34 | call to get | This request may run without certificate validation because $@ by $@. | Excon.rb:17:38:17:60 | ... = ... | the request is disabled | Excon.rb:17:55:17:59 | false | this value |
+| Excon.rb:24:3:24:10 | call to get | This request may run without certificate validation because $@. | Excon.rb:23:72:23:76 | false | the request is disabled | Excon.rb:23:72:23:76 | false | this value |
+| Excon.rb:30:3:30:62 | call to get | This request may run without certificate validation because $@. | Excon.rb:30:53:30:57 | false | the request is disabled | Excon.rb:30:53:30:57 | false | this value |
+| Faraday.rb:5:12:5:30 | call to get | This request may run without certificate validation because $@. | Faraday.rb:4:63:4:67 | false | the request is disabled | Faraday.rb:4:63:4:67 | false | this value |
+| Faraday.rb:9:12:9:30 | call to get | This request may run without certificate validation because $@. | Faraday.rb:8:68:8:92 | VERIFY_NONE | the request is disabled | Faraday.rb:8:68:8:92 | VERIFY_NONE | this value |
+| Faraday.rb:35:16:35:35 | call to get | This request may run without certificate validation because $@ by $@. | Faraday.rb:34:51:34:53 | arg | the request is disabled | Faraday.rb:38:42:38:46 | false | this value |
+| Faraday.rb:44:16:44:35 | call to get | This request may run without certificate validation because $@ by $@. | Faraday.rb:43:56:43:58 | arg | the request is disabled | Faraday.rb:47:47:47:71 | VERIFY_NONE | this value |
+| HttpClient.rb:6:1:6:33 | call to get | This request may run without certificate validation because $@. | HttpClient.rb:5:33:5:57 | ... = ... | the request is disabled | HttpClient.rb:5:33:5:57 | VERIFY_NONE | this value |
+| Httparty.rb:4:1:4:50 | call to get | This request may run without certificate validation because $@. | Httparty.rb:4:45:4:49 | false | the request is disabled | Httparty.rb:4:45:4:49 | false | this value |
+| Httparty.rb:7:1:7:55 | call to get | This request may run without certificate validation because $@. | Httparty.rb:7:50:7:54 | false | the request is disabled | Httparty.rb:7:50:7:54 | false | this value |
+| Httparty.rb:10:1:10:59 | call to get | This request may run without certificate validation because $@. | Httparty.rb:10:52:10:56 | false | the request is disabled | Httparty.rb:10:52:10:56 | false | this value |
+| Httparty.rb:13:1:13:70 | call to post | This request may run without certificate validation because $@. | Httparty.rb:13:65:13:69 | false | the request is disabled | Httparty.rb:13:65:13:69 | false | this value |
+| Httparty.rb:16:1:16:74 | call to post | This request may run without certificate validation because $@. | Httparty.rb:16:67:16:71 | false | the request is disabled | Httparty.rb:16:67:16:71 | false | this value |
+| NetHttp.rb:9:12:9:31 | call to request | This request may run without certificate validation because $@. | NetHttp.rb:7:20:7:44 | ... = ... | the request is disabled | NetHttp.rb:7:20:7:44 | VERIFY_NONE | this value |
+| OpenURI.rb:4:1:4:78 | call to open | This request may run without certificate validation because $@. | OpenURI.rb:4:53:4:77 | VERIFY_NONE | the request is disabled | OpenURI.rb:4:53:4:77 | VERIFY_NONE | this value |
+| OpenURI.rb:7:1:7:82 | call to open | This request may run without certificate validation because $@. | OpenURI.rb:7:55:7:79 | VERIFY_NONE | the request is disabled | OpenURI.rb:7:55:7:79 | VERIFY_NONE | this value |
+| OpenURI.rb:11:1:11:43 | call to open | This request may run without certificate validation because $@. | OpenURI.rb:10:30:10:54 | VERIFY_NONE | the request is disabled | OpenURI.rb:10:30:10:54 | VERIFY_NONE | this value |
+| OpenURI.rb:14:1:14:81 | call to open | This request may run without certificate validation because $@. | OpenURI.rb:14:56:14:80 | VERIFY_NONE | the request is disabled | OpenURI.rb:14:56:14:80 | VERIFY_NONE | this value |
+| OpenURI.rb:17:1:17:85 | call to open | This request may run without certificate validation because $@. | OpenURI.rb:17:58:17:82 | VERIFY_NONE | the request is disabled | OpenURI.rb:17:58:17:82 | VERIFY_NONE | this value |
+| OpenURI.rb:21:1:21:46 | call to open | This request may run without certificate validation because $@. | OpenURI.rb:20:30:20:54 | VERIFY_NONE | the request is disabled | OpenURI.rb:20:30:20:54 | VERIFY_NONE | this value |
+| RestClient.rb:5:12:5:23 | call to get | This request may run without certificate validation because $@. | RestClient.rb:4:72:4:96 | VERIFY_NONE | the request is disabled | RestClient.rb:4:72:4:96 | VERIFY_NONE | this value |
+| RestClient.rb:9:12:9:23 | call to get | This request may run without certificate validation because $@. | RestClient.rb:8:74:8:98 | VERIFY_NONE | the request is disabled | RestClient.rb:8:74:8:98 | VERIFY_NONE | this value |
+| RestClient.rb:14:12:14:23 | call to get | This request may run without certificate validation because $@. | RestClient.rb:12:25:12:49 | VERIFY_NONE | the request is disabled | RestClient.rb:12:25:12:49 | VERIFY_NONE | this value |
+| RestClient.rb:19:12:19:23 | call to get | This request may run without certificate validation because $@ by $@. | RestClient.rb:18:72:18:76 | value | the request is disabled | RestClient.rb:17:9:17:33 | VERIFY_NONE | this value |
+| Typhoeus.rb:4:1:4:62 | call to get | This request may run without certificate validation because $@. | Typhoeus.rb:4:57:4:61 | false | the request is disabled | Typhoeus.rb:4:57:4:61 | false | this value |
+| Typhoeus.rb:8:1:8:54 | call to post | This request may run without certificate validation because $@. | Typhoeus.rb:7:53:7:57 | false | the request is disabled | Typhoeus.rb:7:53:7:57 | false | this value |