Merge pull request #9816 from erik-krogh/msgConsis

Make alert messages consistent across languages

java/ql/src/Security/CWE/CWE-089/SqlTainted.ql

@@ -19,4 +19,5 @@ import DataFlow::PathGraph
 
 from QueryInjectionSink query, DataFlow::PathNode source, DataFlow::PathNode sink
 where queryTaintedBy(query, source, sink)
-select query, source, sink, "Query might include code from $@.", source.getNode(), "this user input"
+select query, source, sink, "This SQL query depends on $@.", source.getNode(),
+  "a user-provided value"

java/ql/src/Security/CWE/CWE-611/XXE.ql

@@ -51,5 +51,6 @@ class XxeConfig extends TaintTracking::Configuration {
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, XxeConfig conf
 where conf.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Unsafe parsing of XML file from $@.", source.getNode(),
-  "user input"
+select sink.getNode(), source, sink,
+  "A $@ is parsed as XML without guarding against external entity expansion.", source.getNode(),
+  "user-provided value"