Apply suggestions from code review

Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
2026-04-29 18:55:14 +02:00 · 2021-04-07 15:50:51 +02:00
parent a006a92f8d
commit 38daeb4df2
3 changed files with 6 additions and 3 deletions
--- a/python/ql/src/Security/CWE-327/FluentApiModel.qll
+++ b/python/ql/src/Security/CWE-327/FluentApiModel.qll
@@ -65,8 +65,8 @@ class InsecureContextConfiguration extends DataFlow::Configuration {
 * Holds if `conectionCreation` marks the creation of a connetion based on the contex
 * found at `contextOrigin` and allowing `insecure_version`.
 *
- * `specific` is true iff the context is configured for a specific protocol version rather
- * than for a family of protocols.
+ * `specific` is true iff the context is configured for a specific protocol version (`ssl.PROTOCOL_TLSv1_2`) rather
+ * than for a family of protocols (`ssl.PROTOCOL_TLS`).
 */
 predicate unsafe_connection_creation_with_context(
  DataFlow::Node connectionCreation, ProtocolVersion insecure_version, DataFlow::Node contextOrigin,
--- a/python/ql/src/Security/CWE-327/Ssl.qll
+++ b/python/ql/src/Security/CWE-327/Ssl.qll
@@ -149,7 +149,8 @@ class UnspecificSSLContextCreation extends SSLContextCreation, UnspecificContext
    or
    // Case: No protocol arguemnt is present.
    not exists(this.getProtocol()) and
-    // The default argument is TLS and the SSL versions are turned off by default.
+    // The default argument is TLS and the SSL versions are turned off by default since Python 3.6
+    // see https://docs.python.org/3.6/library/ssl.html#ssl.SSLContext
    result in ["TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]
  }
 }