From ea9b99f67c575574a484d1de0a2cd54b866d771c Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
Date: Sat, 28 Mar 2026 16:36:39 +0000
Subject: [PATCH] Rephrase change note

---
 .../change-notes/2026-03-27-add-ec-to-secure-algorithms.md    | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/java/ql/lib/change-notes/2026-03-27-add-ec-to-secure-algorithms.md b/java/ql/lib/change-notes/2026-03-27-add-ec-to-secure-algorithms.md
index 1e323fafd35..adf25c03a59 100644
--- a/java/ql/lib/change-notes/2026-03-27-add-ec-to-secure-algorithms.md
+++ b/java/ql/lib/change-notes/2026-03-27-add-ec-to-secure-algorithms.md
@@ -1,5 +1,5 @@
 ---
 category: minorAnalysis
 ---
-* The `java/potentially-weak-cryptographic-algorithm` query no longer flags Elliptic Curve algorithms (`EC`, `ECDSA`, `ECDH`, `EdDSA`, `Ed25519`, `Ed448`, `XDH`, `X25519`, `X448`), HMAC-based algorithms (`HMACSHA1`, `HMACSHA256`, `HMACSHA384`, `HMACSHA512`), or PBKDF2 key derivation as potentially insecure. These are modern, secure algorithms recommended by NIST and other standards bodies. Previously, these algorithms were not included in the secure algorithm whitelist, causing false positives when using standard Java cryptographic APIs such as `KeyPairGenerator.getInstance("EC")` or `new SecretKeySpec(key, "HMACSHA256")`.
-* The `Signature.getInstance(...)` method is now modeled as a `CryptoAlgoSpec` sink, alongside the existing `Signature` constructor sink. This ensures that algorithm strings passed to `Signature.getInstance(...)` are also checked by the query.
+* The `java/potentially-weak-cryptographic-algorithm` query no longer flags Elliptic Curve algorithms (`EC`, `ECDSA`, `ECDH`, `EdDSA`, `Ed25519`, `Ed448`, `XDH`, `X25519`, `X448`), HMAC-based algorithms (`HMACSHA1`, `HMACSHA256`, `HMACSHA384`, `HMACSHA512`), or PBKDF2 key derivation as potentially insecure. These are modern, secure algorithms recommended by NIST and other standards bodies. This will reduce the number of false positives for this query.
+* The first argument of the method `getInstance` of `java.security.Signature` is now modeled as a sink for `java/potentially-weak-cryptographic-algorithm`, `java/weak-cryptographic-algorithm` and `java/rsa-without-oaep`.