Fixing shared .qhelp issue (renaming to .qhelp.inc)& addressing a fix

Author: raulgarciamsft

csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.qhelp

@@ -7,6 +7,6 @@
     <p>This query detects FNV-like hash calculations where there is an additional XOR (with any static value) after the hash calculation loop.</p>
   </overview>
 
-  <include src="Solorigate.qhelp" />
+  <include src="Solorigate.qhelp.inc" />
 
 </qhelp>

csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.qhelp

@@ -7,6 +7,6 @@
     <p>By themselves, the names of these enumeration constants are not malicious, so the query only detects enumerations that includes at least 10 of the 18 Solorigate commands.</p>
   </overview>
 
-  <include src="Solorigate.qhelp" />
+  <include src="Solorigate.qhelp.inc" />
 
 </qhelp>

csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownHashesAboveThreshold.qhelp

@@ -8,6 +8,6 @@
     <p>Please notice that by themselves these literals are not malign, but several of the values together would be less likely to be coincidental.</p>
   </overview>
 
-  <include src="Solorigate.qhelp" />
+  <include src="Solorigate.qhelp.inc" />
 
 </qhelp>

csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownLiteralsAboveThreshold.qhelp

@@ -8,6 +8,6 @@
     <p>Please notice that by themselves these literals are not malign.</p>
   </overview>
 
-  <include src="Solorigate.qhelp" />
+  <include src="Solorigate.qhelp.inc" />
 
 </qhelp>

csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.qhelp

@@ -8,6 +8,6 @@
     <p>Please notice that by themselves these method names are not malign.</p>
   </overview>
 
-  <include src="Solorigate.qhelp" />
+  <include src="Solorigate.qhelp.inc" />
 
 </qhelp>

csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qhelp renamed to csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qhelp.inc

@@ -7,6 +7,6 @@
     <p>This query detects all generic exception empty catch blocks, but it is strongly suggested that the results for cs/catch-of-all-exceptions also be reviewed in the event that a malicious swallow everything exception handler was not empty</p>
   </overview>
 
-  <include src="Solorigate.qhelp" />
+  <include src="Solorigate.qhelp.inc" />
 
 </qhelp>

csharp/ql/src/experimental/Security Features/campaign/Solorigate/SwallowEverythingExceptionHandler.qhelp

@@ -74,19 +74,10 @@ predicate isCallableAPotentialNonCryptographicHashFunction(Callable callable, Pa
   exists(Variable v, Expr op1, Expr op2, LoopStmt loop |
     maybeANonCryptogrphicHash(callable, v, op1, op2, loop) and
     callable.getAParameter() = param and
-    (
-      param.getAnAccess() = op1.(Operation).getAnOperand().getAChild*()
-      or
-      param.getAnAccess() = op2.(Operation).getAnOperand().getAChild*()
-      or
-      exists(Node source, Node sink |
-        (
-          sink.asExpr() = op1.(Operation).getAChild*() or
-          sink.asExpr() = op2.(Operation).getAChild*()
-        ) and
-        source.asExpr() = param.getAnAccess() and
-        DataFlow::localFlow(source, sink)
-      )
+    exists(ParameterNode p, ExprNode n |
+      p.getParameter() = param and
+      localFlow(p, n) and
+      n.getExpr() in [op1.(Operation).getAChild*(), op2.(Operation).getAChild*()]
     )
   )
 }