Add qldoc and autoformat query

luchua-bc · luchua-bc · commit f8fd2ea8215f · 2020-11-03T12:23:40.000Z
diff --git a/java/ql/src/experimental/Security/CWE/CWE-532/SensitiveInfoLog.ql b/java/ql/src/experimental/Security/CWE/CWE-532/SensitiveInfoLog.ql
@@ -16,14 +16,14 @@ import PathGraph
 /**
  * Gets a regular expression for matching names of variables that indicate the value being held may contain sensitive information
  */
-private string getACredentialRegex() {
-  result = "(?i)(.*username|url).*"
-}
+private string getACredentialRegex() { result = "(?i)(.*username|url).*" }
 
 /** Variable keeps sensitive information judging by its name * */
 class CredentialExpr extends Expr {
   CredentialExpr() {
-    exists(Variable v | this = v.getAnAccess() | v.getName().regexpMatch([getCommonSensitiveInfoRegex(), getACredentialRegex()]))
+    exists(Variable v | this = v.getAnAccess() |
+      v.getName().regexpMatch([getCommonSensitiveInfoRegex(), getACredentialRegex()])
+    )
   }
 }
 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-927/SensitiveBroadcast.qhelp b/java/ql/src/experimental/Security/CWE/CWE-927/SensitiveBroadcast.qhelp
@@ -1,25 +1,50 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
 <qhelp>
 
-<overview>
-<p>Broadcast intents in an Android application are visible to all applications installed on the same mobile device, exposing all sensitive information they contain.</p>
-<p>Broadcasts are vulnerable to passive eavesdropping or active denial of service attacks when an intent is broadcast without specifying any receiver permission or receiver application.</p>
-</overview>
+  <overview>
+    <p>Broadcast intents in an Android application are visible to all applications installed on the same mobile device, exposing all sensitive information they contain.</p>
+    <p>Broadcasts are vulnerable to passive eavesdropping or active denial of service attacks when an intent is broadcast without specifying any receiver permission or receiver application.</p>
+  </overview>
 
-<recommendation>
-<p>Specify a receiver permission or application when broadcasting intents, or switch to <code>LocalBroadcastManager</code> or the latest <code>LiveData</code> library.</p>
-</recommendation>
+  <recommendation>
+    <p>
+      Specify a receiver permission or application when broadcasting intents, or switch to
+      <code>LocalBroadcastManager</code>
+      or the latest
+      <code>LiveData</code>
+      library.
+    </p>
+  </recommendation>
 
-<example>
-<p>The following example shows two ways of broadcasting intents. In the 'BAD' case, no "receiver permission" is specified. In the 'GOOD' case, "receiver permission" or "receiver application" is specified.</p>
-<sample src="SensitiveBroadcast.java" />
-</example>
+  <example>
+    <p>The following example shows two ways of broadcasting intents. In the 'BAD' case, no "receiver permission" is specified. In the 'GOOD' case, "receiver permission" or "receiver application" is specified.</p>
+    <sample src="SensitiveBroadcast.java" />
+  </example>
 
-<references>
-<li>
-<a href="https://cwe.mitre.org/data/definitions/927.html">CWE-927: Use of Implicit Intent for Sensitive Communication</a>
-</li>
-</references>
+  <references>
+    <li>
+      CWE:
+      <a href="https://cwe.mitre.org/data/definitions/927.html">CWE-927: Use of Implicit Intent for Sensitive Communication</a>
+    </li>
+    <li>
+      Android Developers:
+      <a href="https://developer.android.com/guide/components/broadcasts">Security considerations and best practices for sending and receiving broadcasts</a>
+    </li>
+    <li>
+      sonarsource:
+      <a href="https://rules.sonarsource.com/java/type/Security%20Hotspot/RSPEC-5320">Broadcasting intents is security-sensitive</a>
+    </li>
+    <li>
+      Android Developer Fundamentals:
+      <a href="https://google-developer-training.github.io/android-developer-fundamentals-course-concepts-v2/unit-3-working-in-the-background/lesson-7-background-tasks/7-3-c-broadcasts/7-3-c-broadcasts.html">Restricting broadcasts</a>
+    </li>
+    <li>
+      Carnegie Mellon University:
+      <a href="https://wiki.sei.cmu.edu/confluence/display/android/DRD03-J.+Do+not+broadcast+sensitive+information+using+an+implicit+intent">DRD03-J. Do not broadcast sensitive information using an implicit intent</a>
+    </li>
+    <li>
+      Android Developers:
+      <a href="https://developer.android.com/topic/libraries/architecture/livedata">Android LiveData Overview</a>
+    </li>
+  </references>
 </qhelp>
diff --git a/java/ql/src/experimental/Security/CWE/CWE-927/SensitiveBroadcast.ql b/java/ql/src/experimental/Security/CWE/CWE-927/SensitiveBroadcast.ql
@@ -52,7 +52,7 @@ class SensitiveInfoExpr extends Expr {
 }
 
 /**
- * A method access of the `context.sendBroadcast` family.
+ * A method access of the `Context.sendBroadcast` family.
  */
 class SendBroadcastMethodAccess extends MethodAccess {
   SendBroadcastMethodAccess() {

Original file line number	Diff line number	Diff line change
`@@ -52,7 +52,7 @@ class SensitiveInfoExpr extends Expr {`
`52`	`52`	`}`
`53`	`53`
`54`	`54`	`/**`
`55`		- * A method access of the `context.sendBroadcast` family.
	`55`	+ * A method access of the `Context.sendBroadcast` family.
`56`	`56`	`*/`
`57`	`57`	`class SendBroadcastMethodAccess extends MethodAccess {`
`58`	`58`	`SendBroadcastMethodAccess() {`