Apply suggestions from code review

Co-authored-by: Chris Smowton <[email protected]>

Author: JLLeitschuh

java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp

@@ -35,54 +35,54 @@ of the existence of so-called Bypass Gadgets, which can circumvent such
 protection measures.
 </p>
 <p>
-Fixes by framework:
+Recommendations specific to particular frameworks supported by this query:
 </p>
 <table>
     <tbody>
         <tr>
             <th>Project</th>
             <th>Maven Coordinates</th>
             <th>Secure by Default</th>
-            <th>Fix</th>
+            <th>Recommendation</th>
         </tr>
             <tr>
             <td>XMLDecoder</td>
             <td>Java Standard Library</td>
             <td>No</td>
-            <td>Don't use XMLDecoder with untrusted user input. It is impossible to secure.</td>
+            <td>Do not use with untrusted user input.</td>
         </tr>
         <tr>
             <td>ObjectInputStream</td>
             <td>Java Standard Library</td>
             <td>No</td>
-            <td>Leverage a validating input stream like <code>org.apache.commons.io.serialization.ValidatingObjectInputStream</code>.</td>
+            <td>Use a validating input stream, such as  <code>org.apache.commons.io.serialization.ValidatingObjectInputStream</code>.</td>
         </tr>
             <tr>
             <td>FastJson</td>
             <td>com.alibaba:fastjson</td>
             <td>Partially</td>
-            <td>Call <code>com.alibaba.fastjson.parser.ParserConfig#setSafeMode</code> with the argument <code>true</code>.</td>
+            <td>Call <code>com.alibaba.fastjson.parser.ParserConfig#setSafeMode</code> with the argument <code>true</code> before deserializing untrusted data.</td>
         </tr>
         <tr>
             <td>SnakeYAML</td>
             <td>org.yaml:snakeyaml</td>
             <td><a href="https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE%20&amp;%20NIST.md">No</a> (<a href="https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in">maintainer response</a>)</td>
-            <td>Instantiate the <code>org.yaml.snakeyaml.Yaml</code> instance explicitly with an instance of <code>org.yaml.snakeyaml.constructor.SafeConstructor</code> as an argument.</td>
+            <td>Pass an instance of <code>org.yaml.snakeyaml.constructor.SafeConstructor</code> to  <code>org.yaml.snakeyaml.Yaml</code>'s constructor before using it to deserialize untrusted data.</td>
         </tr>
         <tr>
             <td>FasterXML jackson-databind</td>
             <td>com.fasterxml.jackson.core:jackson-databind</td>
             <td>Yes</td>
             <td>
-                Don't call <code>com.fasterxml.jackson.databind.ObjectMapper#enableDefaultTyping</code> and don't annotate any object fields with <code>com.fasterxml.jackson.annotation.JsonTypeInfo</code> passing either the <code>CLASS</code> or <code>MINIMAL_CLASS</code> values to the annotation.
+                Don't call <code>com.fasterxml.jackson.databind.ObjectMapper#enableDefaultTyping</code> and don't annotate any object fields with <code>@JsonTypeInfo(CLASS) or @JsonTypeInfo(MINIMAL_CLASS)</code> if untrusted data may be deserialized.
                 Read <a href="https://cowtowncoder.medium.com/jackson-2-10-safe-default-typing-2d018f0ce2ba">this guide</a>.
             </td>
         </tr>
         <tr>
             <td>Kryo</td>
             <td>com.esotericsoftware:kryo and com.esotericsoftware:kryo5</td>
             <td>com.esotericsoftware:kryo >= 5.0.0 and com.esotericsoftware:kryo5 Yes</td>
-            <td>Don't call <code>com.esotericsoftware.kryo(5).Kryo#setRegistrationRequired</code> with the argument <code>false</code>.</td>
+            <td>Don't call <code>com.esotericsoftware.kryo(5).Kryo#setRegistrationRequired</code> with the argument <code>false</code> on any <code>Kryo</code> instance that may deserialize untrusted data.</td>
         </tr>
     </tbody>
 </table>