Apply suggestions from code review

https://github.com/github/codeql/pull/4312

Co-authored-by: Felicity Chapman <felicitymay@github.com>
Co-authored-by: Arthur Baars <aibaars@github.com>
Jonathan Leitschuh
2020-10-05 14:12:03 -04:00
committed by GitHub
parent ab3772eaeb
commit 8272d591b6
3 changed files with 13 additions and 10 deletions


@@ -3,10 +3,10 @@
"qhelp.dtd">
<qhelp>
<overview>
<p>This query detects instances of <code>RandomUtil.java</code> generated by a <a href="https://www.jhipster.tech/">JHipster</a> version vulnerable to <a href="https://github.com/jhipster/jhipster-kotlin/security/advisories/GHSA-j3rh-8vwq-wh84">CVE-2019-16303</a>.</p>
<p>This query detects instances of <code>RandomUtil.java</code> that were generated by a <a href="https://www.jhipster.tech/">JHipster</a> version that is vulnerable to <a href="https://github.com/jhipster/jhipster-kotlin/security/advisories/GHSA-j3rh-8vwq-wh84">CVE-2019-16303</a>.</p>
<p>Using one password reset token from your app combined with the proof of concept (POC) linked below, an attacker can determine all future password reset tokens to be generated by this server.
This allows an attacker to pick and choose what account they would like to takeover by sending account password reset requests for targeted accounts.</p>
<p>If an app uses <code>RandomUtil.java</code> generated by a vulnerable version of JHipster, attackers can request a password reset token and use this to predict the value of future reset tokens generated by this server.
Using this information, they can create a reset link that allows them to take over any account.</p>
<p>This vulnerability has a
<a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2019-16303&amp;vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&amp;version=3.1&amp;source=NIST">
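Review bot: the new wording "they can create a reset link that allows them to take over any account" overstates the mechanism described two sentences earlier, which is prediction of future reset tokens; the attacker still has to request a reset for the target account so that a predictable token is issued for it. Suggest "take over any account they request a reset for" (the old text's "by sending account password reset requests for targeted accounts" carried that detail). Also note the old paragraph's "proof of concept (POC) linked below" is gone, so make sure a reference to the PoC survives in the references list if the overview is meant to point readers at it.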
@@ -26,24 +26,27 @@ This allows an attacker to pick and choose what account they would like to takeo
<recommendation>
<p>An automated refactoring <a href="https://github.com/openrewrite/rewrite">rewrite</a> module <a href="https://github.com/moderneinc/jhipster-cwe-338"> can be found here</a>.</p>
<p>You should refactor the <code>RandomUtil</code> class and replace every call to <code>RandomStringUtils.randomAlphaNumeric</code>. You could regenerate the class using the latest version of JHipster, or use an automated refactoring. For example, using the <a href="https://github.com/moderneinc/jhipster-cwe-338">Patching JHipster CWE-338</a> for the <a href="https://github.com/openrewrite/rewrite">Rewrite project</a>.
</p>
</recommendation>
<references>
<li>
Cloudflare Blog:
<a href="https://blog.cloudflare.com/why-randomness-matters/">
Cloudflare Blog: Why secure systems require random numbers
Why secure systems require random numbers
</a>
</li>
<li>
Hacker News:
<a href="https://news.ycombinator.com/item?id=639976">
How I Hacked Hacker News (with arc security advisory)
</a>
</li>
<li>
Research (Hacking Apache Commons RandomStringUtils):
<a href="https://web.archive.org/web/20191126104359/https://medium.com/@alex91ar/the-java-soothsayer-a-practical-application-for-insecure-randomness-c67b0cd148cd">
Posts by Pucara Information Security Team:
<a href="https://blog.pucarasec.com/2020/05/09/the-java-soothsayer-a-practical-application-for-insecure-randomness-includes-free-0day/">
The Java Soothsayer: A practical application for insecure randomness. (Includes free 0day)
</a>
</li>
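Review bot: in the new recommendation text, `RandomStringUtils.randomAlphaNumeric` is not the Apache Commons Lang method name; it is `RandomStringUtils.randomAlphanumeric` (lower-case "n"), so the `<code>` span should be corrected or readers grepping for the call will miss it. The following sentence is also a fragment: "For example, using the Patching JHipster CWE-338 for the Rewrite project." reads better as "For example, you could use the Patching JHipster CWE-338 recipe for the Rewrite project." In the references, the Cloudflare entry now has "Cloudflare Blog:" both as the list-item label and inside the link text; keep only one so the rendered entry does not read "Cloudflare Blog: Cloudflare Blog: ...", matching the "Hacker News:" and "Posts by Pucara Information Security Team:" entries below it.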


@@ -1,6 +1,6 @@
/**
* @name Detect JHipster Generator Vulnnerability CVE-2019-16303
* @description Detector for the CVE-2019-16303 vulnerability that existed in the JHipster code generator.
* @name Detect JHipster Generator Vulnerability CVE-2019-16303
* @description Using a vulnerable version of JHipster to generate random numbers makes it easier for attackers to take over accounts.
* @kind problem
* @problem.severity error
* @precision very-high
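Review bot: the new `@description` says "Using a vulnerable version of JHipster to generate random numbers", but JHipster is the code generator; it is the generated `RandomUtil` class that produces the (predictable) tokens, as the qhelp overview states. Suggest "Using a RandomUtil class generated by a vulnerable version of JHipster makes it easier for attackers to take over accounts." so the metadata matches the qhelp. The `@name` fix of "Vulnnerability" is good; consider dropping the leading "Detect" as well, since query names in this repository are noun phrases naming the problem (e.g. "JHipster Generator Vulnerability CVE-2019-16303").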