Reframe Invoke-Expression query as quality guidance

powershell/ql/src/queries/security/cwe-078/DoNotUseInvokeExpression.ql

@@ -1,16 +1,18 @@
 /**
  * @name Use of Invoke-Expression
- * @description Do not use Invoke-Expression
+ * @description Avoid using Invoke-Expression when safer command invocation is possible.
  * @kind problem
- * @problem.severity error
- * @security-severity 9.8
- * @precision high
+ * @problem.severity recommendation
+ * @precision medium
  * @id powershell/microsoft/public/do-not-use-invoke-expression
- * @tags security
+ * @tags quality
+ *       maintainability
+ *       correctness
  */
+
 import powershell
-import semmle.code.powershell.dataflow.DataFlow
 
-from CmdCall call 
+from CmdCall call
 where call.matchesName("Invoke-Expression")
-select call, "Do not use Invoke-Expression. It is a command injection risk."
+select call,
+  "Prefer direct command invocation, splatting, or the call operator over Invoke-Expression."

powershell/ql/src/queries/security/cwe-078/DoNotuseInvokeExpression.qhelp

@@ -4,20 +4,35 @@
 <qhelp>
 <overview>
 <p>
-<code>Invoke-Expression</code> cmdlet should only be used as a last resort. In most scenarios, safer and more robust alternatives are available. Using <code>Invoke-Expression</code> can lead to arbitrary commands being executed</p>
+The <code>Invoke-Expression</code> cmdlet evaluates a string as PowerShell code. This
+can make scripts harder to understand, harder to analyze, and more fragile than
+using normal command invocation. This query treats uses of
+<code>Invoke-Expression</code> as code-quality backlog items rather than as
+high-severity security vulnerabilities.
+</p>
 
 </overview>
 <recommendation>
 
-<p>Avoid using <code>Invoke-Expression</code> in your powershell code.</p>
+<p>
+Avoid using <code>Invoke-Expression</code> in PowerShell code. Prefer direct command
+calls, splatting, or the command invocation operator <code>&amp;</code> for command paths
+stored in variables. If <code>Invoke-Expression</code> is unavoidable, keep the
+dynamically generated command text small, explicit, and easy to review.
+</p>
 
-<p>If you’re running some command and the command path has spaces in it, then you need the command invocation operator <code>&amp;</code></p>
+<p>
+Security-critical cases where attacker-controlled data reaches command execution
+are covered by the command-injection queries. This query reports all uses of
+<code>Invoke-Expression</code>, including constant or otherwise trusted command text, as
+best-practice warnings for safer and more maintainable command execution.
+</p>
 </recommendation>
 
 <references>
 
 <li>
-Powershell:
+PowerShell:
 <a href="https://devblogs.microsoft.com/powershell/invoke-expression-considered-harmful/">Invoke-Expression considered harmful</a>.
 </li>
 <li>

powershell/ql/test/query-tests/security/cwe-078/DoNotUseInvokeExpression/DoNotUseInvokeExpression.expected

@@ -1 +1,2 @@
-| test.ps1:2:1:2:26 | Call to invoke-expression | Do not use Invoke-Expression. It is a command injection risk. |
+| test.ps1:2:1:2:26 | Call to invoke-expression | Prefer direct command invocation, splatting, or the call operator over Invoke-Expression. |
+| test.ps1:4:1:4:28 | Call to invoke-expression | Prefer direct command invocation, splatting, or the call operator over Invoke-Expression. |

powershell/ql/test/query-tests/security/cwe-078/DoNotUseInvokeExpression/test.ps1

@@ -1,2 +1,4 @@
 $command = "Get-Process"
-Invoke-Expression $Command # $ Alert
+Invoke-Expression $Command # $ Alert
+
+Invoke-Expression "Get-Date" # $ Alert - constant command text still triggers best-practice query