Insecure-TLS: Use DataFlow::Node::getRoot, and factor getEnclosingFunction

smowton · smowton · commit 9b4e189374a9 · 2020-07-28T11:55:58.000+01:00
diff --git a/ql/src/experimental/CWE-327/InsecureTLS.ql b/ql/src/experimental/CWE-327/InsecureTLS.ql
@@ -239,8 +239,8 @@ where
   // Exclude sources or sinks that occur lexically within a block related to a feature or legacy flag
   not astNodeIsFlag([source, sink].getNode().asExpr().getParent*(), [featureFlag(), legacyFlag()]) and
   // Exclude results in functions whose name documents insecurity
-  not exists(FuncDef fn | fn = sink.getNode().asInstruction().getRoot() |
-    isFeatureFlagName(fn.getEnclosingFunction*().getName()) or
-    isLegacyFlagName(fn.getEnclosingFunction*().getName())
+  not exists(FuncDef fn | fn = sink.getNode().getRoot().getEnclosingFunction*() |
+    isFeatureFlagName(fn.getName()) or
+    isLegacyFlagName(fn.getName())
   )
 select sink.getNode(), source, sink, message
