Merge pull request github#1509 from hvitved/csharp/rename-queries
Approved by aibaars, felicity-semmle
semmle-qlci authored Jun 27, 2019
2 parents c7983a0 + ccc30ea commit 74ad6e8
Showing 3 changed files with 4 additions and 4 deletions.
4 changes: 2 additions & 2 deletions change-notes/1.21/analysis-csharp.md
Expand Up @@ -8,14 +8,14 @@ C# analysis now supports the extraction and analysis of many C# 8 features. For

| **Query** | **Tags** | **Purpose** |
|-----------------------------------------------|------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Class defines a field that uses an ICryptoTransform class in a way that would be unsafe for concurrent threads (`cs/thread-unsafe-icryptotransform-field-in-class`) | concurrency, security, external/cwe/cwe-362 | Highlights classes with fields that make use of a static `System.Security.Cryptography.ICryptoTransform` object. Using these classes in concurrent threads is dangerous. It may result in an error and may also give incorrect results. Results are not shown on [LGTM](https://lgtm.com/rules/1507931833866/) by default. |
| Potential usage of an object implementing ICryptoTransform class in a way that would be unsafe for concurrent threads (`cs/thread-unsafe-icryptotransform-captured-in-lambda`) | concurrency, security, external/cwe/cwe-362 | Highlights instances of classes where a field of type `System.Security.Cryptography.ICryptoTransform` is captured by a lambda, and appears to be used in a thread initialization method. Results are not shown on [LGTM](https://lgtm.com/rules/1508141845995/) by default. |
| Thread-unsafe capturing of an ICryptoTransform object (`cs/thread-unsafe-icryptotransform-captured-in-lambda`) | concurrency, security, external/cwe/cwe-362 | Highlights instances of classes where a field of type `System.Security.Cryptography.ICryptoTransform` is captured by a lambda, and appears to be used in a thread initialization method. Results are not shown on [LGTM](https://lgtm.com/rules/1508141845995/) by default. |

## Changes to existing queries

| **Query** | **Expected impact** | **Change** |
|------------------------------|------------------------|-----------------------------------|
| Constant condition (`cs/constant-condition`) | Fewer false positive results | The query now ignores code where the `null` value is in a conditional expression on the left hand side of a null-coalescing expression. For example, in `(a ? b : null) ?? c`, `null` is not considered to be a constant condition. |
| Thread-unsafe use of a static ICryptoTransform field (`cs/thread-unsafe-icryptotransform-field-in-class`) | Fewer false positive results | The criteria for a result has changed to include nested properties, nested fields, and collections. The format of the alert message has changed to highlight the static field. The query name has been updated. |
| Useless upcast (`cs/useless-upcast`) | Fewer false positive results | The query now ignores code where the upcast is used to disambiguate the target of a constructor call. |

## Changes to code extraction
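Review bot: the two tables in this hunk disagree on the display name of `cs/thread-unsafe-icryptotransform-field-in-class`: the "New queries" row still reads "Class defines a field that uses an ICryptoTransform class in a way that would be unsafe for concurrent threads", while the "Changes to existing queries" row uses the new name "Thread-unsafe use of a static ICryptoTransform field", and the same query ID should not be listed both as a new query and as a changed existing query in one release's notes. Keep it in one table with the new @name; if the "existing query" row is the intended entry, its "Change" column could also state the previous name so readers can map old alert titles to the new one.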
2 changes: 1 addition & 1 deletion csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransform.ql
@@ -1,5 +1,5 @@
/**
* @name Class defines a field that uses an ICryptoTransform class in a way that would be unsafe for concurrent threads
* @name Thread-unsafe use of a static ICryptoTransform field
* @description The class has a field that directly or indirectly make use of a static System.Security.Cryptography.ICryptoTransform object.
* Using this an instance of this class in concurrent threads is dangerous as it may not only result in an error,
* but under some circumstances may also result in incorrect results.
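Review bot: the @description lines kept as context still carry grammar slips that this header edit could fix in passing: "directly or indirectly make use of" should read "directly or indirectly makes use of", and "Using this an instance of this class" should read "Using an instance of this class". Since the hunk already rewrites the header block, fixing these two lines here avoids a follow-up PR for the same file.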
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/**
* @name Potential usage of an object implementing ICryptoTransform class in a way that would be unsafe for concurrent threads.
* @name Thread-unsafe capturing of an ICryptoTransform object
* @description An instance of a class that either implements or has a field of type System.Security.Cryptography.ICryptoTransform is being captured by a lambda,
* and used in what seems to be a thread initialization method.
* Using an instance of this class in concurrent threads is dangerous as it may not only result in an error,
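Review bot: the new @name "Thread-unsafe capturing of an ICryptoTransform object" matches the change-notes row, but the @description and that row describe different conditions: the description says an instance of a class that implements or has a field of type System.Security.Cryptography.ICryptoTransform is captured by a lambda, while the change notes say a field of type ICryptoTransform is captured. Align the two so the alert text and the release note describe the same pattern. Dropping the trailing period from the old @name is consistent with the other renamed query; keep it that way.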
