Rust: Minor corrections.

Author: geoffw0

rust/ql/lib/codeql/rust/security/DisabledCertificateCheckExtensions.qll

@@ -21,7 +21,7 @@ module DisabledCertificateCheckExtensions {
   }
 
   /**
-   * A default sink for disabled certificate check based on function names.
+   * A default sink for disabled certificate check vulnerabilities based on function names.
    */
   private class DefaultSink extends Sink {
     DefaultSink() {
@@ -34,7 +34,7 @@ module DisabledCertificateCheckExtensions {
   }
 
   /**
-   * A sink for disabled certificate check from model data.
+   * A sink for disabled certificate check vulnerabilities from model data.
    */
   private class ModelsAsDataSink extends Sink {
     ModelsAsDataSink() { sinkNode(this, "disable-certificate") }

rust/ql/src/change-notes/2025-11-12-disabled-certificate-check.md

@@ -1,4 +1,4 @@
 ---
 category: newQuery
 ---
-* Added a new query `rust/disabled-certificate-check, to detect disabled TLS certificate checks.
+* Added a new query `rust/disabled-certificate-check`, to detect disabled TLS certificate checks.

rust/ql/src/queries/security/CWE-295/DisabledCertificateCheck.qhelp

@@ -11,7 +11,7 @@ The <code>danger_accept_invalid_certs</code> and <code>danger_accept_invalid_hos
 
 <recommendation>
 <p>
-Do not set <code>danger_accept_invalid_certs</code> or <code>danger_accept_invalid_hostnames</code> to <code>true</code> except in controlled environments such as tests. In production, always ensure certificate and hostname verification are enabled to prevent security risks.
+Do not set <code>danger_accept_invalid_certs</code> or <code>danger_accept_invalid_hostnames</code> to <code>true</code>, except in controlled environments such as tests. In production, always ensure certificate and hostname verification are enabled to prevent security risks.
 </p>
 </recommendation>
 

rust/ql/src/queries/security/CWE-295/DisabledCertificateCheck.ql

@@ -16,9 +16,9 @@ import codeql.rust.dataflow.DataFlow
 import codeql.rust.security.DisabledCertificateCheckExtensions
 
 /**
- * A taint configuration for disabling TLS certificate checks.
+ * A taint configuration for disabled TLS certificate checks.
  */
-module LogInjectionConfig implements DataFlow::ConfigSig {
+module DisabledCertificateCheckConfig implements DataFlow::ConfigSig {
   import DisabledCertificateCheckExtensions
 
   predicate isSource(DataFlow::Node node) {
@@ -30,13 +30,12 @@ module LogInjectionConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
 }
 
-module DisabledCertificateCheckExtensionFlow = DataFlow::Global<LogInjectionConfig>;
+module DisabledCertificateCheckFlow = DataFlow::Global<DisabledCertificateCheckConfig>;
 
-import DisabledCertificateCheckExtensionFlow::PathGraph
+import DisabledCertificateCheckFlow::PathGraph
 
 from
-  DisabledCertificateCheckExtensionFlow::PathNode sourceNode,
-  DisabledCertificateCheckExtensionFlow::PathNode sinkNode
-where DisabledCertificateCheckExtensionFlow::flowPath(sourceNode, sinkNode)
+  DisabledCertificateCheckFlow::PathNode sourceNode, DisabledCertificateCheckFlow::PathNode sinkNode
+where DisabledCertificateCheckFlow::flowPath(sourceNode, sinkNode)
 select sinkNode.getNode(), sourceNode, sinkNode,
   "Disabling TLS certificate validation can expose the application to man-in-the-middle attacks."