Update qldoc and test method

Author: luchua-bc

java/ql/src/experimental/Security/CWE/CWE-297/InsecureLdapEndpoint.qhelp

@@ -5,8 +5,8 @@
 
 <overview>
 <p>Java versions 8u181 or greater have enabled LDAPS endpoint identification by default. Nowadays infrastructure services like LDAP are commonly deployed behind load balancers therefore the LDAP server name can be different from the FQDN of the LDAPS endpoint. If a service certificate does not properly contain a matching DNS name as part of the certificate, Java will reject it by default.</p>
-<p>Instead of addressing the issue properly by having a compliant certificate deployed, frequently developers simply disable LDAPS endpoint check.</p>
-<p>Failing to validate the certificate makes the SSL session susceptible to a man-in-the-middle attack. This query checks whether LDAPS endpoint check is disabled in system properties.</p>
+<p>Instead of addressing the issue properly by having a compliant certificate deployed, frequently developers simply disable the LDAPS endpoint check.</p>
+<p>Failing to validate the certificate makes the SSL session susceptible to a man-in-the-middle attack. This query checks whether the LDAPS endpoint check is disabled in system properties.</p>
 </overview>
 
 <recommendation>

java/ql/src/experimental/Security/CWE/CWE-297/InsecureLdapEndpoint.ql

@@ -32,15 +32,15 @@ class SetPropertyMethod extends Method {
   }
 }
 
-/** The method to set system properties. */
+/** The `setProperties` method declared in `java.lang.System`. */
 class SetSystemPropertiesMethod extends Method {
   SetSystemPropertiesMethod() {
     this.hasName("setProperties") and
     this.getDeclaringType().hasQualifiedName("java.lang", "System")
   }
 }
 
-/** Holds if an expression is evaluated to the string literal `com.sun.jndi.ldap.object.disableEndpointIdentification`. */
+/** Holds if `expr` is evaluated to the string literal `com.sun.jndi.ldap.object.disableEndpointIdentification`. */
 predicate isPropertyDisableLdapEndpointId(Expr expr) {
   expr.(CompileTimeConstantExpr).getStringValue() =
     "com.sun.jndi.ldap.object.disableEndpointIdentification"
@@ -72,7 +72,8 @@ predicate isBooleanTrue(Expr expr) {
 
 /** Holds if `ma` is in a test class or method. */
 predicate isTestMethod(MethodAccess ma) {
-  ma.getMethod() instanceof TestMethod or
+  ma.getEnclosingCallable() instanceof TestMethod or
+  ma.getEnclosingCallable().getDeclaringType() instanceof TestClass or
   ma.getEnclosingCallable().getDeclaringType().getPackage().getName().matches("%test%") or
   ma.getEnclosingCallable().getDeclaringType().getName().toLowerCase().matches("%test%")
 }