From a781522ca0db723eb6f3a10a360e3b12e8c0a85e Mon Sep 17 00:00:00 2001 From: Chris Smowton Date: Tue, 30 Jul 2024 12:19:16 +0100 Subject: [PATCH 1/2] Copyedit documentation --- .../Security/CWE/CWE-347/Auth0NoVerifier.qhelp | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/java/ql/src/experimental/Security/CWE/CWE-347/Auth0NoVerifier.qhelp b/java/ql/src/experimental/Security/CWE/CWE-347/Auth0NoVerifier.qhelp index 4fc17e68530..9b87a4e5810 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-347/Auth0NoVerifier.qhelp +++ b/java/ql/src/experimental/Security/CWE/CWE-347/Auth0NoVerifier.qhelp @@ -2,24 +2,21 @@

- A JSON Web Token (JWT) is used for authenticating and managing users in an application. -

-

- Only Decoding JWTs without checking if they have a valid signature or not can lead to security vulnerabilities. + A JSON Web Token (JWT) is used for authenticating and managing users in an application. It must be verified in order to ensure the JWT is genuine.

- Don't use methods that only decode JWT, Instead use methods that verify the signature of JWT. + Don't use information from a JWT without verifying that JWT.

- The following code you can see an Example from a popular Library. + The following example illustrates secure and insecure use of the Auth0 `java-jwt` library.

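Review bot: the rewritten recommendation line ("Don't use information from a JWT without verifying that JWT.") drops the decode-versus-verify distinction that the removed line made explicit ("Don't use methods that only decode JWT, Instead use methods that verify the signature of JWT") and that the query name Auth0NoVerifier is about; suggest keeping it, e.g. "Don't use information from a JWT without verifying its signature. Decoding a JWT does not verify it; use the library's verification methods rather than decode-only ones." Also, the new example line uses Markdown backticks around `java-jwt`, but .qhelp files are XML and will render the backticks literally; use <code>java-jwt</code> instead.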
@@ -31,4 +28,4 @@ -
\ No newline at end of file + From 8f52b2cd95718eac4fcf65d00a5a98eac0d98330 Mon Sep 17 00:00:00 2001 From: Chris Smowton Date: Tue, 30 Jul 2024 12:23:38 +0100 Subject: [PATCH 2/2] Fix link --- .../src/experimental/Security/CWE/CWE-347/Auth0NoVerifier.qhelp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/java/ql/src/experimental/Security/CWE/CWE-347/Auth0NoVerifier.qhelp b/java/ql/src/experimental/Security/CWE/CWE-347/Auth0NoVerifier.qhelp index 9b87a4e5810..b2258c457fe 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-347/Auth0NoVerifier.qhelp +++ b/java/ql/src/experimental/Security/CWE/CWE-347/Auth0NoVerifier.qhelp @@ -24,7 +24,7 @@
  • - The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. + The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication.
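Review bot: the removed and added lines of this hunk read identically in the visible text, so the change must be confined to the link markup, which the diff as extracted does not show; the commit message "Fix link" should state what was wrong with the link (wrong target, moved page, broken anchor) and what it now points to, so a reviewer can check the new target without rendering the qhelp. It would also help to name the advisory or issue the ShenyuAdminBootstrap example refers to in the surrounding text, since the sentence alone gives the reader nothing to follow up on if the link breaks again.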