Java: Address review comments

lcartey · lcartey · commit 8a65dd2cd655 · 2020-08-11T15:28:06.000+01:00
diff --git a/java/ql/src/Security/CWE/CWE-020/ExternalAPIsUsedWithUntrustedData.qhelp b/java/ql/src/Security/CWE/CWE-020/ExternalAPIsUsedWithUntrustedData.qhelp
@@ -4,11 +4,11 @@
 <qhelp>
 <overview>
 <p>Using unsanitized untrusted data in an external API can cause a variety of security issues. This query reports 
-all external APIs which are used with untrusted data, along with how frequently the API is used, and how many 
+all external APIs that are used with untrusted data, along with how frequently the API is used, and how many 
 unique sources of untrusted data flow this API. This query is designed primarily to help identify which APIs 
 may be relevant for security analysis of this application.</p>
 
-<p>An external API is defined as a method call to a method which is not defined in the source code, not overridden 
+<p>An external API is defined as a method call to a method that is not defined in the source code, not overridden 
 in the source code, and is not modeled as a taint step in the default taint library. External APIs may be from the 
 Java standard library, third party dependencies or from internal dependencies. The query will report the method 
 signature with a fully qualified name, along with either <code>[param x]</code>, where <code>x</code> indicates the 
diff --git a/java/ql/src/Security/CWE/CWE-020/ExternalAPIsUsedWithUntrustedData.ql b/java/ql/src/Security/CWE/CWE-020/ExternalAPIsUsedWithUntrustedData.ql
@@ -1,6 +1,6 @@
 /**
- * @name Frequency counts for external APIs which are used with untrusted data
- * @description This reports the external APIs which are used with untrusted data, along with how
+ * @name Frequency counts for external APIs that are used with untrusted data
+ * @description This reports the external APIs that are used with untrusted data, along with how
  *              frequently the API is called, and how many unique sources of untrusted data flow
  *              to it.
  * @id java/count-untrusted-data-external-api
diff --git a/java/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.qhelp b/java/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.qhelp
@@ -8,7 +8,7 @@ all uses of external APIs with untrusted data for review. This query has a delib
 and is designed to help security reviews for the application, as well as helping identify external APIs that 
 should be modeled as either taint steps, or sinks for specific problems.</p>
 
-<p>An external API is defined as a method call to a method which is not defined in the source code, not overridden 
+<p>An external API is defined as a method call to a method that is not defined in the source code, not overridden 
 in the source code, and is not modeled as a taint step in the default taint library. External APIs may be from the
 Java standard library, third party dependencies or from internal dependencies. The query will report uses of 
 untrusted data in either the qualifier or as one of the arguments of external APIs.</p>
@@ -28,7 +28,7 @@ untrusted data in either the qualifier or as one of the arguments of external AP
 </ul>
 
 <p>Otherwise, the result is likely uninteresting. Custom versions of this query can extend the <code>SafeExternalAPIMethod</code> 
-class to exclude known safe external APIs from future analysis.
+class to exclude known safe external APIs from future analysis.</p>
 
 </recommendation>
 <example>
diff --git a/java/ql/src/semmle/code/java/security/ExternalAPIs.qll b/java/ql/src/semmle/code/java/security/ExternalAPIs.qll
@@ -9,7 +9,7 @@ import semmle.code.java.dataflow.TaintTracking
 
 module ExternalAPIs {
   /**
-   * A `Method` which is considered a "safe" external API from a security perspective.
+   * A `Method` that is considered a "safe" external API from a security perspective.
    */
   abstract class SafeExternalAPIMethod extends Method { }
 
@@ -24,7 +24,7 @@ module ExternalAPIs {
       or
       getQualifiedName() = "Objects.equals"
       or
-      getDeclaringType().getQualifiedName() = "java.lang.String" and getName() = "equals"
+      getDeclaringType() instanceof TypeString and getName() = "equals"
       or
       getDeclaringType().hasQualifiedName("com.google.common.base", "Preconditions")
       or
@@ -76,7 +76,7 @@ module ExternalAPIs {
         m.getASourceOverriddenMethod() = call.getCallee().getSourceDeclaration() and
         m.fromSource()
       ) and
-      // Not already modelled as a taint step
+      // Not already modeled as a taint step
       not exists(DataFlow::Node next | TaintTracking::localTaintStep(this, next)) and
       // Not a call to a known safe external API
       not call.getCallee() instanceof SafeExternalAPIMethod
