Apply suggestions from code review

Co-authored-by: Rasmus Wriedt Larsen <[email protected]>

Author: yoff

python/ql/src/Security/CWE-327/FluentApiModel.qll

@@ -65,8 +65,8 @@ class InsecureContextConfiguration extends DataFlow::Configuration {
  * Holds if `conectionCreation` marks the creation of a connetion based on the contex
  * found at `contextOrigin` and allowing `insecure_version`.
  *
- * `specific` is true iff the context is configured for a specific protocol version rather
- * than for a family of protocols.
+ * `specific` is true iff the context is configured for a specific protocol version (`ssl.PROTOCOL_TLSv1_2`) rather
+ * than for a family of protocols (`ssl.PROTOCOL_TLS`).
  */
 predicate unsafe_connection_creation_with_context(
   DataFlow::Node connectionCreation, ProtocolVersion insecure_version, DataFlow::Node contextOrigin,

python/ql/src/Security/CWE-327/Ssl.qll

@@ -149,7 +149,8 @@ class UnspecificSSLContextCreation extends SSLContextCreation, UnspecificContext
     or
     // Case: No protocol arguemnt is present.
     not exists(this.getProtocol()) and
-    // The default argument is TLS and the SSL versions are turned off by default.
+    // The default argument is TLS and the SSL versions are turned off by default since Python 3.6
+    // see https://docs.python.org/3.6/library/ssl.html#ssl.SSLContext
     result in ["TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]
   }
 }

python/ql/test/query-tests/Security/CWE-327/ssl_fluent.py

@@ -49,6 +49,8 @@ def test_fluent_tls_safe():
 
 def test_fluent_ssl():
     hostname = 'www.python.org'
+    # notice that `ssl.PROTOCOL_SSLv23` is just a deprecated alias for `ssl.PROTOCOL_TLS`.
+    # Therefore, we only have this one test using PROTOCOL_SSLv23, to show that we handle this alias correctly.
     context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
 
     with socket.create_connection((hostname, 443)) as sock: