Reorder steps to introduce vulnerability then resolve it.

Author: chriswblake

.github/steps/1.1-step.md

@@ -0,0 +1,45 @@
+## Step 2.1: Prevent Vulnerabilities in a Pull Request
+
+In this step, we will introduce a vulnerability into the `routes.py` file to trigger an alert.
+
+### ⌨️ Activity: Recreate a vulnerability
+
+1. In the top navigation, select the **Code** tab.
+
+1. Navigate to the `server` folder and select the `routes.py` file.
+
+1. In the top right of the preview, click the **Edit** button.
+
+   <img width="400" alt="edit button" src="https://github.com/user-attachments/assets/19462cc5-a360-4dae-a97b-ecfd571aa403"/>
+
+1. Navigate to about **line 16** and modify it to the below.
+
+   ```py
+   "SELECT * FROM books WHERE name LIKE '%" + name + "%'"
+   ```
+
+1. Above the editor in the top-right, click the **Commit changes...** button. Select the radio button next to **Create a new branch**. **DO NOT commit it to main branch.**
+
+1. Click **Propose changes** option and click **Create pull request**.
+
+### ⌨️ Activity: Review pull request
+
+1. If needed, navigate to the newly created pull requests from the previous activity.
+
+1. Scroll to the bottom of the pull request. Search for a check named `CodeQL`. This is the analysis job scanning the proposed code changes in the pull request.
+
+   <img width="500" alt="pr panel" src="https://github.com/user-attachments/assets/1c29ee0f-cc1d-4568-9e71-338d45ad1d54"/>
+
+1. If the job is still running, wait a few minutes for it to complete.
+
+1. Search the comments to find a report from the analysis.
+
+   - Notice that the results found a SQL injection vulnerability. It is also suggesting a fix.
+   - Don't worry about responding or resolving this problem (yet).
+
+   <img width="500" alt="image" src="https://github.com/user-attachments/assets/677cc104-9116-44a9-8061-091e8126442a">
+
+1. With the pull request started, Mona will check your progress and share the next steps.
+
+
+<!-- If you would like to learn more about pull request integrations for code scanning, see "[Triage code scanning alerts in pull requests](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/triaging-code-scanning-alerts-in-pull-requests)." -->

.github/steps/2-step.md

@@ -1,10 +1,25 @@
 ## Step 2: Review and Triage CodeQL Alerts
 
-Now we will review the CodeQL scan results, triage an alert, and create a GitHub issue to track an alert.
+With our pull request changes now reviewed by CodeQL, let's take a moment to learn about managing alerts.
 
-### What is CWE
+GitHub provides a dedicated **Security** tab for securely managing all security related issues. CodeQL saves alerts using the same standard as many other analysis tools with the results showing up under the **Code scanning** area.
 
-Common Weakness Enumeration (CWE) is a category system for hardware and software weaknesses and vulnerabilities. Think of it as a way to describe and categorize security issues in an application's source code. For more information on CWEs, see the Wikipedia article [Common Weakness Enumeration](https://en.wikipedia.org/wiki/Common_Weakness_Enumeration).
+<img width="500" alt="image" src="https://github.com/user-attachments/assets/cf4fc6ec-e40e-4df6-8984-b6ec35341737" />
+
+### What information do alerts provide?
+
+The main area of an alert provides the resolution status, affected branch, code location, and classification information like severity and [CVE identification number](https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories#cve-identification-numbers).
+
+
+<img width="500" alt="additional information" src="https://github.com/user-attachments/assets/9a5aaf3f-e063-4d07-8cdd-6272eec8a411"/>
+
+<!-- > 💡 Tip: Clicking the **Show paths** link will provide additional insights about the alert's data flow from user input (source), through the application, and when it is acted on (sink). -->
+
+### What is 'CWE'
+
+Many of the patterns CodeQL scans for come from existing databases of vulnerabilities.
+
+The Common Weakness Enumeration (CWE) is a category system for hardware and software weaknesses and vulnerabilities. Think of it as a way to describe and categorize security issues in an application's source code. For more information on CWEs, see the Wikipedia article [Common Weakness Enumeration](https://en.wikipedia.org/wiki/Common_Weakness_Enumeration).
 
 ### ⌨️ Activity: View the status of a CodeQL scan
 
@@ -26,43 +41,31 @@ Common Weakness Enumeration (CWE) is a category system for hardware and software
 
 1. (Optional) Use the filters and search bar to explore the open and closed security alerts, including from the CodeQL scan.
 
-#### Alert status and location
-
-The main area of the alert provides the resolution status, affected branch, code location, and classification information like severity and [CVE identification number](https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories#cve-identification-numbers).
-
-> 💡 Tip: Clicking the **Show paths** link will provide additional insights about the alert's data flow from user input (source), through the application, and when it is acted on (sink).
-
-<img width="500" alt="alert status" src="https://github.com/user-attachments/assets/2fecc67d-52ef-44fc-ad89-1eb28ceb9437">
-
-<img width="500" alt="location information" src="https://github.com/user-attachments/assets/1a450118-f200-436b-8433-04b7e5e4f1a8"/>
-
-<img width="500" alt="additional information" src="https://github.com/user-attachments/assets/9a5aaf3f-e063-4d07-8cdd-6272eec8a411"/>
-
-#### Explanation and Recommendation
+1. Click on an alert.
 
-This alert is further described, justified, and a recommended solution is provided when possible.
+1. Notice the description, related vulnerability information and a recommended solution.
 
-- Click the **View source** link to view the CodeQL query that detected the alert.
-- Click the **Show more** link to view the full recommendation.
+    <img width="500" alt="recommendations" src="https://github.com/user-attachments/assets/a5653b45-b66f-4e5b-8e03-a7b8cd3b91b4"/>
 
-<img width="500" alt="recommendations" src="https://github.com/user-attachments/assets/a5653b45-b66f-4e5b-8e03-a7b8cd3b91b4"/>
+1. (Optional) Click the **View source** link to view the CodeQL query that detected the alert.
 
-#### Audit trail
+1. (Optional) Click the **Show more** link to view the full recommendation.
 
-The audit trail provides a secure history of the alert for future reference, like who marked the vulnerability as closed/fixed.
+1. Inspect the audit trail to see a secure history of the alert, including open/close information.
 
-<img width="500" alt="audit trail" src="https://github.com/user-attachments/assets/25ec5256-20c7-4e9d-8160-ff40f3763872"/>
+    <img width="500" alt="audit trail" src="https://github.com/user-attachments/assets/25ec5256-20c7-4e9d-8160-ff40f3763872"/>
 
-### ⌨️ Activity: Dismiss an Alert
+### ⌨️ Activity: Dismiss and Reopen an Alert
 
-1. On the alert page, in the top right, click **Dismiss alert** dropdown.
+1. In the top right, click **Dismiss alert** dropdown.
 
 1. Select any reason and add a short explanation then click the **Dismiss alert** button.
 
-    - The alert state will change to `Dismissed` and an audit trail entry will be added.
+   - The alert state will change to `Dismissed`.
+   - An entry is added to the audit trail, which can't be removed or edited.
 
-1. Navigate back to **Security** tab and **Code scanning alerts** area.
+1. Reopen the alert.
 
-1. Click the **1 Closed** text to switch to a view showing closed alerts.
+   - The alert state will change to `Open`.
+   - An entry is added to the audit trail, which can't be removed or edited.
 
-   <img width="500" alt="one closed alert" src="https://github.com/user-attachments/assets/b10005b6-9ef8-4d46-a160-4c9849d2c898"/>

.github/steps/3-step.md

@@ -30,12 +30,6 @@ If you expand the **More info** section at the bottom of the alert, there are ve
    "SELECT * FROM books WHERE name LIKE %s", name
    ```
 
-1. Navigate to about **line 22** and modify it to the below.
-
-   ```py
-   "SELECT * FROM books WHERE author LIKE %s", author
-   ```
-
 1. Above the editor in the top-right, click the **Commit changes...** button. Use the defaults options to commit the changes to `main`.
 
    - CodeQL will now initiate a another scan.
@@ -47,4 +41,15 @@ If you expand the **More info** section at the bottom of the alert, there are ve
    - There should be zero open alerts and two closed alerts. Nice work! 🎉
    - Feel free to review the closed alerts, especially the audit trail.
 
-1. With the CodeQL job finished, Mona will check your progress and share the next steps.
+<!-- 1. With the CodeQL job finished, Mona will check your progress and share the next steps. -->
+
+1. With the pull request started, Mona will check your progress and share a final review. Nice work! You are done! 🥳
+
+
+
+
+<!-- 1. Navigate back to **Security** tab and **Code scanning alerts** area.
+
+1. Click the **1 Closed** text to switch to a view showing closed alerts.
+
+   <img width="500" alt="one closed alert" src="https://github.com/user-attachments/assets/b10005b6-9ef8-4d46-a160-4c9849d2c898"/> -->

.github/steps/4-step.md

@@ -13,13 +13,14 @@ def index():
 
     if name:
         cursor.execute(
-            "SELECT * FROM books WHERE name LIKE '%" + name + "%'"
+            "SELECT * FROM books WHERE name LIKE %s", name
         )
         books = [Book(*row) for row in cursor]
 
     elif author:
         cursor.execute(
-            "SELECT * FROM books WHERE author LIKE '%" + author + "%'"
+            "SELECT * FROM books WHERE author LIKE %s", author
+
         )
         books = [Book(*row) for row in cursor]