Merge pull request #10676 from erik-krogh/kernelOpenMsg

RB: add a link to the source in the alert-message for `rb/kernel-open`

Author: erik-krogh

ruby/ql/src/queries/security/cwe-078/KernelOpen.ql

@@ -71,7 +71,7 @@ from
 where
   config.hasFlowPath(source, sink) and
   sourceNode = source.getNode() and
-  call.asExpr().getExpr().(MethodCall).getArgument(0) = sink.getNode().asExpr().getExpr()
+  call.getArgument(0) = sink.getNode()
 select sink.getNode(), source, sink,
-  "This call to " + call.(Replacement).getFrom() +
-    " depends on a user-provided value. Replace it with " + call.(Replacement).getTo() + "."
+  "This call to " + call.(Replacement).getFrom() + " depends on a $@. Replace it with " +
+    call.(Replacement).getTo() + ".", source.getNode(), "user-provided value"

ruby/ql/test/query-tests/security/cwe-078/KernelOpen.expected

@@ -9,5 +9,5 @@ nodes
 | KernelOpen.rb:5:13:5:16 | file | semmle.label | file |
 subpaths
 #select
-| KernelOpen.rb:4:10:4:13 | file | KernelOpen.rb:3:12:3:17 | call to params :  | KernelOpen.rb:4:10:4:13 | file | This call to Kernel.open depends on a user-provided value. Replace it with File.open. |
-| KernelOpen.rb:5:13:5:16 | file | KernelOpen.rb:3:12:3:17 | call to params :  | KernelOpen.rb:5:13:5:16 | file | This call to IO.read depends on a user-provided value. Replace it with File.read. |
+| KernelOpen.rb:4:10:4:13 | file | KernelOpen.rb:3:12:3:17 | call to params :  | KernelOpen.rb:4:10:4:13 | file | This call to Kernel.open depends on a $@. Replace it with File.open. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value |
+| KernelOpen.rb:5:13:5:16 | file | KernelOpen.rb:3:12:3:17 | call to params :  | KernelOpen.rb:5:13:5:16 | file | This call to IO.read depends on a $@. Replace it with File.read. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value |