Update JHipster CodeQL query from code review

JLLeitschuh · JLLeitschuh · commit ab3772eaeb5d · 2020-10-01T15:38:56.000-04:00
diff --git a/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql b/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql
@@ -14,35 +14,37 @@ import semmle.code.java.frameworks.apache.Lang
 
 private class PredictableApacheRandomStringUtilsMethod extends Method {
   PredictableApacheRandomStringUtilsMethod() {
-    this.getDeclaringType() instanceof TypeApacheRandomStringUtils
+    this.getDeclaringType() instanceof TypeApacheRandomStringUtils and
+    // The one valid use of this type that uses SecureRandom as a source of data.
+    not this.getName() = "random"
   }
 }
 
 private class PredictableApacheRandomStringUtilsMethodAccess extends MethodAccess {
   PredictableApacheRandomStringUtilsMethodAccess() {
-    this.getMethod() instanceof PredictableApacheRandomStringUtilsMethod and
-    // The one valid use of this type that uses SecureRandom as a source of data.
-    not this.getMethod().getName() = "random"
+    this.getMethod() instanceof PredictableApacheRandomStringUtilsMethod
   }
 }
 
 private class VulnerableJHipsterRandomUtilClass extends Class {
-  VulnerableJHipsterRandomUtilClass() { getName() = "RandomUtil" }
+  VulnerableJHipsterRandomUtilClass() {
+    // The package name that JHipster generated the 'RandomUtil' class in was dynamic. Thus 'hasQualifiedName' can not be used here.
+    getName() = "RandomUtil"
+  }
 }
 
 private class VulnerableJHipsterRandomUtilMethod extends Method {
   VulnerableJHipsterRandomUtilMethod() {
     this.getDeclaringType() instanceof VulnerableJHipsterRandomUtilClass and
     this.getName().matches("generate%") and
     this.getReturnType() instanceof TypeString and
-    exists(ReturnStmt s, PredictableApacheRandomStringUtilsMethodAccess access |
-      s = this.getBody().(SingletonBlock).getStmt()
-    |
-      s.getResult() = access
+    exists(ReturnStmt s |
+      s = this.getBody().(SingletonBlock).getStmt() and
+      s.getResult() instanceof PredictableApacheRandomStringUtilsMethodAccess
     )
   }
 }
 
-from VulnerableJHipsterRandomUtilMethod the_method
-select the_method,
-  "RandomUtil was generated by JHipster Generator version vulnerable to CVE-2019-16303"
+from VulnerableJHipsterRandomUtilMethod method
+select method,
+  "Weak random number generator used in security sensitive method (JHipster CVE-2019-16303)."
diff --git a/java/ql/test/query-tests/security/CWE-338/semmle/tests/JHipsterGeneratedPRNG.expected b/java/ql/test/query-tests/security/CWE-338/semmle/tests/JHipsterGeneratedPRNG.expected
@@ -1,5 +1,5 @@
-| vulnerable/RandomUtil.java:20:26:20:41 | generatePassword | RandomUtil was generated by JHipster Generator version vulnerable to CVE-2019-16303 |
-| vulnerable/RandomUtil.java:29:26:29:46 | generateActivationKey | RandomUtil was generated by JHipster Generator version vulnerable to CVE-2019-16303 |
-| vulnerable/RandomUtil.java:38:26:38:41 | generateResetKey | RandomUtil was generated by JHipster Generator version vulnerable to CVE-2019-16303 |
-| vulnerable/RandomUtil.java:48:26:48:43 | generateSeriesData | RandomUtil was generated by JHipster Generator version vulnerable to CVE-2019-16303 |
-| vulnerable/RandomUtil.java:57:26:57:42 | generateTokenData | RandomUtil was generated by JHipster Generator version vulnerable to CVE-2019-16303 |
+| vulnerable/RandomUtil.java:20:26:20:41 | generatePassword | Weak random number generator used in security sensitive method (JHipster CVE-2019-16303). |
+| vulnerable/RandomUtil.java:29:26:29:46 | generateActivationKey | Weak random number generator used in security sensitive method (JHipster CVE-2019-16303). |
+| vulnerable/RandomUtil.java:38:26:38:41 | generateResetKey | Weak random number generator used in security sensitive method (JHipster CVE-2019-16303). |
+| vulnerable/RandomUtil.java:48:26:48:43 | generateSeriesData | Weak random number generator used in security sensitive method (JHipster CVE-2019-16303). |
+| vulnerable/RandomUtil.java:57:26:57:42 | generateTokenData | Weak random number generator used in security sensitive method (JHipster CVE-2019-16303). |
