Apply suggestions from code review

atorralba · mchammer01 · web-flow · commit a880fecc8b3f · 2022-12-19T11:56:36.000+01:00
Co-authored-by: mc &lt;42146119+mchammer01@users.noreply.github.com&gt;
diff --git a/java/ql/src/Security/CWE/CWE-295/AndroidMissingCertificatePinning.qhelp b/java/ql/src/Security/CWE/CWE-295/AndroidMissingCertificatePinning.qhelp
@@ -6,7 +6,7 @@
 <p>
 Certificate pinning is the practice of only trusting a specific set of SSL certificates, rather than those that the device trusts by default.
 In Android applications, it is reccomended to use certificate pinning when communicating over the network, 
-in order to minimize the risk of machine-in-the-middle attacks from a comprimised CA.
+in order to minimize the risk of machine-in-the-middle attacks from a compromised CA.
 </p>
 </overview>
 
@@ -16,10 +16,10 @@ The easiest way to implement certificate pinning is to declare your pins in a <c
 This will automatically provide certificate pinning for any network connection made by the app.
 </p>
 <p>
-Another way to implement certificate pinning is to use the `CertificatePinner` from the `okhttp` library. 
+Another way to implement certificate pinning is to use the `CertificatePinner` class from the `okhttp` library. 
 </p>
 <p>
-A final way to implement certificate pinning is to use a <code>TrustManager</code>, initialized from a <code>KeyStore</code> loaded with only the neccesary certificates.
+A final way to implement certificate pinning is to use a <code>TrustManager</code>, initialized from a <code>KeyStore</code> loaded with only the necessary certificates.
 </p>
 
 </recommendation>
@@ -36,13 +36,13 @@ The other (good) cases demonstrate the different ways to implement certificate p
 
 <references>
   <li>
-    OWASP Mobile Security: <a href="https://mobile-security.gitbook.io/mobile-security-testing-guide/android-testing-guide/0x05g-testing-network-communication#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4">Testing Custom Certificate Stores and Certificate Pinning (MSTG-NETWORK-4)</a>
+    OWASP Mobile Security: <a href="https://mobile-security.gitbook.io/mobile-security-testing-guide/android-testing-guide/0x05g-testing-network-communication#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4">Testing Custom Certificate Stores and Certificate Pinning (MSTG-NETWORK-4)</a>.
   </li>
   <li>
-    Android Developers: <a href="https://developer.android.com/training/articles/security-config">Network security configuration</a>
+    Android Developers: <a href="https://developer.android.com/training/articles/security-config">Network security configuration</a>.
   </li>
   <li>
-    OkHttp: <a href="https://square.github.io/okhttp/4.x/okhttp/okhttp3/-certificate-pinner/">CertificatePinner</a>
+    OkHttp: <a href="https://square.github.io/okhttp/4.x/okhttp/okhttp3/-certificate-pinner/">CertificatePinner</a>.
   </li>
 </references>
 </qhelp>
diff --git a/java/ql/src/Security/CWE/CWE-295/AndroidMissingCertificatePinning.ql b/java/ql/src/Security/CWE/CWE-295/AndroidMissingCertificatePinning.ql
@@ -1,6 +1,6 @@
 /**
- * @name Android Missing Certificate Pinning
- * @description Network communication should use certificate pinning.
+ * @name Android missing certificate pinning
+ * @description Network connections that do not use certificate pinning may allow attackers to eavesdrop communications.
  * @kind problem
  * @problem.severity warning
  * @security-severity 7.5
diff --git a/java/ql/src/Security/CWE/CWE-295/AndroidMissingCertificatePinning3.java b/java/ql/src/Security/CWE/CWE-295/AndroidMissingCertificatePinning3.java
@@ -10,7 +10,7 @@
 
 
 
-// GOOD: Certificate pinning implemented vis a TrustManager
+// GOOD: Certificate pinning implemented via a TrustManager
 KeyStore keyStore = KeyStore.getInstance("BKS");
 keyStore.load(resources.openRawResource(R.raw.cert), null);
 
