Removed @kind path-problem in comment. Added text message in select.

masterofnow · masterofnow · commit 532f6a5b0c53 · 2023-11-13T08:27:07.000+08:00
diff --git a/java/ql/src/experimental/Security/CWE/CWE-470/LoadClassNoSignatureCheck.ql b/java/ql/src/experimental/Security/CWE/CWE-470/LoadClassNoSignatureCheck.ql
@@ -4,7 +4,6 @@
  *              package signature but only rely on package name.
  *              This makes it susceptible to package namespace squatting 
  *              potentially leading to arbitrary code execution.
- * @kind path-problem
  * @problem.severity error
  * @precision high
  * @id java/unsafe-reflection
@@ -59,16 +58,13 @@ from
 where
     maCreatePackageContext.getCallee().getDeclaringType().getQualifiedName() = "android.content.ContextWrapper" and
     maCreatePackageContext.getCallee().getName() = "createPackageContext" and
-
     not isSignaturesChecked(maCreatePackageContext) and
-
     lvdePackageContext.getEnclosingStmt() = maCreatePackageContext.getEnclosingStmt() and
     TaintTracking::localTaint(DataFlow::exprNode(lvdePackageContext.getAnAccess()), sinkPackageContext) and
-
     doesPackageContextLeadToInvokeMethod(sinkPackageContext, maInvoke)
 select
     lvdePackageContext, 
     sinkPackageContext, 
     maInvoke,
-    maCreatePackageContext.getArgument(0)
+    "Potential arbitary code execution due to class loading without package signature checking."
 
