Address review comment.

Author: Max Schaefer

javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql

@@ -24,6 +24,6 @@ where
   sourceNode = source.getNode() and
   sinkNode = sink.getNode() and
   not sourceNode instanceof CleartextPasswordExpr // flagged by js/insufficient-password-hash
-select sinkNode, source, sink,
-  "A broken or weak cryptographic algorithm (configured $@) depends on $@.",
-  sinkNode.getInitialization(), "here", sourceNode, "sensitive data from " + sourceNode.describe()
+select sinkNode, source, sink, "$@ depends on $@.", sinkNode.getInitialization(),
+  "A broken or weak cryptographic algorithm", sourceNode,
+  "sensitive data from " + sourceNode.describe()

javascript/ql/test/query-tests/Security/CWE-327/BrokenCryptoAlgorithm.expected

@@ -26,8 +26,8 @@ edges
 | tst.js:19:17:19:24 | password | tst.js:19:17:19:24 | password |
 | tst.js:22:21:22:30 | secretText | tst.js:22:21:22:30 | secretText |
 #select
-| tst.js:11:17:11:26 | secretText | tst.js:3:18:3:24 | trusted | tst.js:11:17:11:26 | secretText | A broken or weak cryptographic algorithm (configured $@) depends on $@. | tst.js:5:19:5:49 | crypto. ... ', key) | here | tst.js:3:18:3:24 | trusted | sensitive data from an access to trusted |
-| tst.js:11:17:11:26 | secretText | tst.js:11:17:11:26 | secretText | tst.js:11:17:11:26 | secretText | A broken or weak cryptographic algorithm (configured $@) depends on $@. | tst.js:5:19:5:49 | crypto. ... ', key) | here | tst.js:11:17:11:26 | secretText | sensitive data from an access to secretText |
-| tst.js:17:17:17:25 | o.trusted | tst.js:17:17:17:25 | o.trusted | tst.js:17:17:17:25 | o.trusted | A broken or weak cryptographic algorithm (configured $@) depends on $@. | tst.js:5:19:5:49 | crypto. ... ', key) | here | tst.js:17:17:17:25 | o.trusted | sensitive data from an access to trusted |
-| tst.js:22:21:22:30 | secretText | tst.js:3:18:3:24 | trusted | tst.js:22:21:22:30 | secretText | A broken or weak cryptographic algorithm (configured $@) depends on $@. | tst.js:21:22:21:60 | crypto. ... ', key) | here | tst.js:3:18:3:24 | trusted | sensitive data from an access to trusted |
-| tst.js:22:21:22:30 | secretText | tst.js:22:21:22:30 | secretText | tst.js:22:21:22:30 | secretText | A broken or weak cryptographic algorithm (configured $@) depends on $@. | tst.js:21:22:21:60 | crypto. ... ', key) | here | tst.js:22:21:22:30 | secretText | sensitive data from an access to secretText |
+| tst.js:11:17:11:26 | secretText | tst.js:3:18:3:24 | trusted | tst.js:11:17:11:26 | secretText | $@ depends on $@. | tst.js:5:19:5:49 | crypto. ... ', key) | A broken or weak cryptographic algorithm | tst.js:3:18:3:24 | trusted | sensitive data from an access to trusted |
+| tst.js:11:17:11:26 | secretText | tst.js:11:17:11:26 | secretText | tst.js:11:17:11:26 | secretText | $@ depends on $@. | tst.js:5:19:5:49 | crypto. ... ', key) | A broken or weak cryptographic algorithm | tst.js:11:17:11:26 | secretText | sensitive data from an access to secretText |
+| tst.js:17:17:17:25 | o.trusted | tst.js:17:17:17:25 | o.trusted | tst.js:17:17:17:25 | o.trusted | $@ depends on $@. | tst.js:5:19:5:49 | crypto. ... ', key) | A broken or weak cryptographic algorithm | tst.js:17:17:17:25 | o.trusted | sensitive data from an access to trusted |
+| tst.js:22:21:22:30 | secretText | tst.js:3:18:3:24 | trusted | tst.js:22:21:22:30 | secretText | $@ depends on $@. | tst.js:21:22:21:60 | crypto. ... ', key) | A broken or weak cryptographic algorithm | tst.js:3:18:3:24 | trusted | sensitive data from an access to trusted |
+| tst.js:22:21:22:30 | secretText | tst.js:22:21:22:30 | secretText | tst.js:22:21:22:30 | secretText | $@ depends on $@. | tst.js:21:22:21:60 | crypto. ... ', key) | A broken or weak cryptographic algorithm | tst.js:22:21:22:30 | secretText | sensitive data from an access to secretText |

python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql

@@ -23,5 +23,5 @@ where
   )
   or
   operation.getBlockMode().isWeak() and msgPrefix = "The block mode " + operation.getBlockMode()
-select operation, msgPrefix + " (configured $@) is broken or weak, and should not be used.",
-  operation.getInitialization(), "here"
+select operation, "$@ is broken or weak, and should not be used.", operation.getInitialization(),
+  msgPrefix

python/ql/test/query-tests/Security/CWE-327-BrokenCryptoAlgorithm/BrokenCryptoAlgorithm.expected

@@ -1,4 +1,4 @@
-| test_cryptodome.py:11:13:11:42 | ControlFlowNode for Attribute() | The cryptographic algorithm ARC4 (configured $@) is broken or weak, and should not be used. | test_cryptodome.py:10:10:10:22 | ControlFlowNode for Attribute() | here |
-| test_cryptodome.py:16:13:16:42 | ControlFlowNode for Attribute() | The block mode ECB (configured $@) is broken or weak, and should not be used. | test_cryptodome.py:15:10:15:35 | ControlFlowNode for Attribute() | here |
-| test_cryptography.py:13:13:13:44 | ControlFlowNode for Attribute() | The cryptographic algorithm ARC4 (configured $@) is broken or weak, and should not be used. | test_cryptography.py:12:13:12:30 | ControlFlowNode for Attribute() | here |
-| test_cryptography.py:22:13:22:58 | ControlFlowNode for Attribute() | The block mode ECB (configured $@) is broken or weak, and should not be used. | test_cryptography.py:21:13:21:30 | ControlFlowNode for Attribute() | here |
+| test_cryptodome.py:11:13:11:42 | ControlFlowNode for Attribute() | $@ is broken or weak, and should not be used. | test_cryptodome.py:10:10:10:22 | ControlFlowNode for Attribute() | The cryptographic algorithm ARC4 |
+| test_cryptodome.py:16:13:16:42 | ControlFlowNode for Attribute() | $@ is broken or weak, and should not be used. | test_cryptodome.py:15:10:15:35 | ControlFlowNode for Attribute() | The block mode ECB |
+| test_cryptography.py:13:13:13:44 | ControlFlowNode for Attribute() | $@ is broken or weak, and should not be used. | test_cryptography.py:12:13:12:30 | ControlFlowNode for Attribute() | The cryptographic algorithm ARC4 |
+| test_cryptography.py:22:13:22:58 | ControlFlowNode for Attribute() | $@ is broken or weak, and should not be used. | test_cryptography.py:21:13:21:30 | ControlFlowNode for Attribute() | The block mode ECB |

ruby/ql/src/queries/security/cwe-327/BrokenCryptoAlgorithm.ql

@@ -23,5 +23,5 @@ where
   )
   or
   operation.getBlockMode().isWeak() and msgPrefix = "The block mode " + operation.getBlockMode()
-select operation, msgPrefix + " (configured $@) is broken or weak, and should not be used.",
-  operation.getInitialization(), "here"
+select operation, "$@ is broken or weak, and should not be used.", operation.getInitialization(),
+  msgPrefix

ruby/ql/test/query-tests/security/cwe-327/BrokenCryptoAlgorithm.expected

@@ -1,19 +1,19 @@
-| broken_crypto.rb:4:8:4:34 | call to new | The cryptographic algorithm DES (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:4:8:4:34 | call to new | here |
-| broken_crypto.rb:8:1:8:18 | call to update | The cryptographic algorithm DES (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:8:1:8:4 | weak | here |
-| broken_crypto.rb:12:8:12:43 | call to new | The block mode ECB (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:12:8:12:43 | call to new | here |
-| broken_crypto.rb:16:1:16:18 | call to update | The block mode ECB (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:16:1:16:4 | weak | here |
-| broken_crypto.rb:28:1:28:35 | call to new | The block mode ECB (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:28:1:28:35 | call to new | here |
-| broken_crypto.rb:37:1:37:33 | call to new | The block mode ECB (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:37:1:37:33 | call to new | here |
-| broken_crypto.rb:42:1:42:33 | call to new | The block mode ECB (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:42:1:42:33 | call to new | here |
-| broken_crypto.rb:47:1:47:33 | call to new | The block mode ECB (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:47:1:47:33 | call to new | here |
-| broken_crypto.rb:52:1:52:29 | call to new | The block mode ECB (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:52:1:52:29 | call to new | here |
-| broken_crypto.rb:57:1:57:32 | call to new | The block mode ECB (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:57:1:57:32 | call to new | here |
-| broken_crypto.rb:60:1:60:24 | call to new | The cryptographic algorithm DES (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:60:1:60:24 | call to new | here |
-| broken_crypto.rb:62:1:62:30 | call to new | The cryptographic algorithm DES (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:62:1:62:30 | call to new | here |
-| broken_crypto.rb:67:1:67:31 | call to new | The block mode ECB (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:67:1:67:31 | call to new | here |
-| broken_crypto.rb:70:1:70:24 | call to new | The cryptographic algorithm RC2 (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:70:1:70:24 | call to new | here |
-| broken_crypto.rb:72:1:72:30 | call to new | The block mode ECB (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:72:1:72:30 | call to new | here |
-| broken_crypto.rb:72:1:72:30 | call to new | The cryptographic algorithm RC2 (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:72:1:72:30 | call to new | here |
-| broken_crypto.rb:75:1:75:24 | call to new | The cryptographic algorithm RC4 (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:75:1:75:24 | call to new | here |
-| broken_crypto.rb:77:1:77:29 | call to new | The cryptographic algorithm RC4 (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:77:1:77:29 | call to new | here |
-| broken_crypto.rb:79:1:79:35 | call to new | The cryptographic algorithm RC4 (configured $@) is broken or weak, and should not be used. | broken_crypto.rb:79:1:79:35 | call to new | here |
+| broken_crypto.rb:4:8:4:34 | call to new | $@ is broken or weak, and should not be used. | broken_crypto.rb:4:8:4:34 | call to new | The cryptographic algorithm DES |
+| broken_crypto.rb:8:1:8:18 | call to update | $@ is broken or weak, and should not be used. | broken_crypto.rb:8:1:8:4 | weak | The cryptographic algorithm DES |
+| broken_crypto.rb:12:8:12:43 | call to new | $@ is broken or weak, and should not be used. | broken_crypto.rb:12:8:12:43 | call to new | The block mode ECB |
+| broken_crypto.rb:16:1:16:18 | call to update | $@ is broken or weak, and should not be used. | broken_crypto.rb:16:1:16:4 | weak | The block mode ECB |
+| broken_crypto.rb:28:1:28:35 | call to new | $@ is broken or weak, and should not be used. | broken_crypto.rb:28:1:28:35 | call to new | The block mode ECB |
+| broken_crypto.rb:37:1:37:33 | call to new | $@ is broken or weak, and should not be used. | broken_crypto.rb:37:1:37:33 | call to new | The block mode ECB |
+| broken_crypto.rb:42:1:42:33 | call to new | $@ is broken or weak, and should not be used. | broken_crypto.rb:42:1:42:33 | call to new | The block mode ECB |
+| broken_crypto.rb:47:1:47:33 | call to new | $@ is broken or weak, and should not be used. | broken_crypto.rb:47:1:47:33 | call to new | The block mode ECB |
+| broken_crypto.rb:52:1:52:29 | call to new | $@ is broken or weak, and should not be used. | broken_crypto.rb:52:1:52:29 | call to new | The block mode ECB |
+| broken_crypto.rb:57:1:57:32 | call to new | $@ is broken or weak, and should not be used. | broken_crypto.rb:57:1:57:32 | call to new | The block mode ECB |
+| broken_crypto.rb:60:1:60:24 | call to new | $@ is broken or weak, and should not be used. | broken_crypto.rb:60:1:60:24 | call to new | The cryptographic algorithm DES |
+| broken_crypto.rb:62:1:62:30 | call to new | $@ is broken or weak, and should not be used. | broken_crypto.rb:62:1:62:30 | call to new | The cryptographic algorithm DES |
+| broken_crypto.rb:67:1:67:31 | call to new | $@ is broken or weak, and should not be used. | broken_crypto.rb:67:1:67:31 | call to new | The block mode ECB |
+| broken_crypto.rb:70:1:70:24 | call to new | $@ is broken or weak, and should not be used. | broken_crypto.rb:70:1:70:24 | call to new | The cryptographic algorithm RC2 |
+| broken_crypto.rb:72:1:72:30 | call to new | $@ is broken or weak, and should not be used. | broken_crypto.rb:72:1:72:30 | call to new | The block mode ECB |
+| broken_crypto.rb:72:1:72:30 | call to new | $@ is broken or weak, and should not be used. | broken_crypto.rb:72:1:72:30 | call to new | The cryptographic algorithm RC2 |
+| broken_crypto.rb:75:1:75:24 | call to new | $@ is broken or weak, and should not be used. | broken_crypto.rb:75:1:75:24 | call to new | The cryptographic algorithm RC4 |
+| broken_crypto.rb:77:1:77:29 | call to new | $@ is broken or weak, and should not be used. | broken_crypto.rb:77:1:77:29 | call to new | The cryptographic algorithm RC4 |
+| broken_crypto.rb:79:1:79:35 | call to new | $@ is broken or weak, and should not be used. | broken_crypto.rb:79:1:79:35 | call to new | The cryptographic algorithm RC4 |