Merge pull request #16572 from github/aibaars-patch-2

Java: include link to `remote source` in TrustBoundaryViolation.ql
github · May 23, 2024 · b2c64ea · b2c64ea
2 parents 4fbbda5 + b5b5fef
commit b2c64ea
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/java/ql/src/Security/CWE/CWE-501/TrustBoundaryViolation.ql b/java/ql/src/Security/CWE/CWE-501/TrustBoundaryViolation.ql
@@ -16,5 +16,5 @@ import TrustBoundaryFlow::PathGraph
 
 from TrustBoundaryFlow::PathNode source, TrustBoundaryFlow::PathNode sink
 where TrustBoundaryFlow::flowPath(source, sink)
-select sink.getNode(), sink, source,
-  "This servlet reads data from a remote source and writes it to a session variable."
+select sink.getNode(), source, sink,
+  "This servlet reads data from a $@ and writes it to a session variable.", source, "remote source"
diff --git a/java/ql/src/change-notes/2024-05-23-trusted-boundary-violation.md b/java/ql/src/change-notes/2024-05-23-trusted-boundary-violation.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The alert message for the query "Trust boundary violation" (`java/trust-boundary-violation`) has been updated to include a link to the remote source.