
Go: convert all qlref tests to inline expectation tests using postprocessing #21965

Open
owen-mc wants to merge 4 commits into github:main from owen-mc:go/convert-to-inline-expectation-tests


Conversation

@owen-mc owen-mc commented Jun 10, 2026


This was done by Copilot.

Copilot AI review requested due to automatic review settings June 10, 2026 05:42
@owen-mc owen-mc requested a review from a team as a code owner June 10, 2026 05:42
@owen-mc owen-mc added the label no-change-note-required (This PR does not need a change note) Jun 10, 2026
@github-actions github-actions Bot added the Go label Jun 10, 2026

Copilot AI left a comment


Pull request overview

This PR updates the Go CodeQL test suite to use inline expectation comments (for example // $ Alert[...], // $ Source[...], // $ Sink[...]) validated via the utils/test/InlineExpectationsTestQuery.ql postprocessor, and adjusts many .qlref files accordingly (often converting postprocess: from a scalar to a YAML list so multiple postprocessors can be applied).

Changes:

  • Add inline expectation markers to many Go query-test and library-test .go files.
  • Update .qlref files to run InlineExpectationsTestQuery.ql (often in addition to PrettyPrintModels.ql).
  • Update a small number of .expected files to reflect line-number shifts / updated comment parsing.
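As an added illustration, not code from this PR or from the CodeQL repository, the Go program below shows the check that the inline-expectations postprocessor described above performs: it parses "// $ Tag[id]" markers out of a test source file and compares them with the rows a query reported, listing the missing and spurious ones. The marker grammar (a tag, an optional bracketed id, an optional "=value", a second "//" ending the list), the sample source lines and the result rows are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Expectation is one marker from a "// $ ..." comment, e.g. "Alert[go/sql-injection]"
// (tag + id) or "responsebody=x" (tag + value). Query results use the same shape.
type Expectation struct {
	Line  int
	Tag   string // "Alert", "Source", "Sink", ...
	ID    string // bracketed query id; may be empty
	Value string // optional "=value" part; may be empty
}

// markerRe matches one marker token: tag, optional [id], optional =value. This grammar
// is an assumption inferred from the markers shown in the PR, not the framework's spec.
var markerRe = regexp.MustCompile(`^([A-Za-z][A-Za-z0-9_-]*)(?:\[([^\]]*)\])?(?:=(\S*))?$`)

// ParseExpectations returns every marker following a "// $" comment, in file order.
// Text before "// $" (code, or a "// test: ..." comment) is ignored, and a second "//"
// ends the list, so a trailing "// OK" note is not read as a marker.
func ParseExpectations(src string) ([]Expectation, error) {
	var out []Expectation
	for i, line := range strings.Split(src, "\n") {
		_, rest, ok := strings.Cut(line, "// $")
		if !ok {
			continue
		}
		rest, _, _ = strings.Cut(rest, "//") // a second "//" ends the marker list
		for _, tok := range strings.Fields(rest) {
			m := markerRe.FindStringSubmatch(tok)
			if m == nil {
				return nil, fmt.Errorf("line %d: malformed marker %q", i+1, tok)
			}
			out = append(out, Expectation{Line: i + 1, Tag: m[1], ID: m[2], Value: m[3]})
		}
	}
	return out, nil
}

func key(e Expectation) string { return fmt.Sprintf("%d:%s[%s]", e.Line, e.Tag, e.ID) }

// Check returns the expectations no result satisfied ("missing") and the results no
// expectation predicted ("spurious"), sorted; either being non-empty fails the test.
func Check(exps, results []Expectation) (missing, spurious []string) {
	want, got := map[string]bool{}, map[string]bool{}
	for _, e := range exps {
		want[key(e)] = true
	}
	for _, r := range results {
		got[key(r)] = true
		if !want[key(r)] {
			spurious = append(spurious, key(r))
		}
	}
	for k := range want {
		if !got[k] {
			missing = append(missing, k)
		}
	}
	sort.Strings(missing)
	sort.Strings(spurious)
	return missing, spurious
}

// sampleSrc is a constructed two-line snippet modelled on lines quoted in this PR's
// review comments; it is not a file from the repository.
const sampleSrc = `cfg := newConfig(insecureCallback) // $ Source[go/insecure-hostkeycallback] Alert[go/insecure-hostkeycallback]
data := (*[8]byte)(unsafe.Pointer(&harmless)) // $ Alert[go/wrong-usage-of-unsafe] // OK
`

// sampleResults stands in (constructed) for the rows the queries report on sampleSrc:
// line 1 is found, the "// OK" line 2 is not, so its Alert marker comes back as missing.
var sampleResults = []Expectation{
	{Line: 1, Tag: "Source", ID: "go/insecure-hostkeycallback"},
	{Line: 1, Tag: "Alert", ID: "go/insecure-hostkeycallback"},
}

func main() {
	exps, err := ParseExpectations(sampleSrc)
	if err != nil {
		panic(err)
	}
	missing, spurious := Check(exps, sampleResults)
	fmt.Println("missing:", missing, "spurious:", spurious)
}
```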
Summary per file (file path, then description):
go/ql/test/query-tests/Security/CWE-798/sanitizer.go Add inline $ Alert[go/hardcoded-credentials] marker.
go/ql/test/query-tests/Security/CWE-798/main.go Add inline $ Alert[go/hardcoded-credentials] marker.
go/ql/test/query-tests/Security/CWE-798/jwt.go Add inline $ Alert[go/hardcoded-credentials] markers.
go/ql/test/query-tests/Security/CWE-798/HardcodedKeysBad.go Add inline $ Alert[go/hardcoded-credentials] marker.
go/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.go Add inline $ Alert[go/hardcoded-credentials] marker.
go/ql/test/query-tests/Security/CWE-798/AlertSuppressionExample.go Add inline $ Alert[...] marker while preserving lgtm[...] suppression comment.
go/ql/test/query-tests/Security/CWE-643/XPathInjection.qlref Switch postprocess to YAML list and add inline-expectations postprocess.
go/ql/test/query-tests/Security/CWE-643/XPathInjection.go Add $ Source[...] / $ Alert[...] markers for xpath injection flow.
go/ql/test/query-tests/Security/CWE-643/tst.go Add $ Source[...] / $ Alert[...] markers for xpath injection cases.
go/ql/test/query-tests/Security/CWE-601/BadRedirectCheck/main.go Add $ Source[...] / $ Sink[...] / $ Alert[...] markers for redirect checks.
go/ql/test/query-tests/Security/CWE-601/BadRedirectCheck/cves.go Add inline markers for redirect check CVE examples.
go/ql/test/query-tests/Security/CWE-601/BadRedirectCheck/BadRedirectCheck.qlref Switch postprocess to YAML list and add inline-expectations postprocess.
go/ql/test/query-tests/Security/CWE-601/BadRedirectCheck/BadRedirectCheck.go Add inline markers for redirect sanitizer example.
go/ql/test/query-tests/Security/CWE-352/ConstantOauth2State.qlref Convert to YAML .qlref and enable inline-expectations postprocess.
go/ql/test/query-tests/Security/CWE-352/ConstantOauth2State.go Add $ Source / $ Alert markers for constant OAuth2 state.
go/ql/test/query-tests/Security/CWE-347/MissingJwtSignatureCheck.qlref Switch postprocess to YAML list and add inline-expectations postprocess.
go/ql/test/query-tests/Security/CWE-347/golang-jwt-v5.go Add $ Source[...] / $ Alert[...] markers for unverified parse.
go/ql/test/query-tests/Security/CWE-347/go-jose.v3.go Add $ Source[...] / $ Alert[...] markers for unsafe claims usage.
go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/sample.go Add $ Source[...] / $ Alert[...] markers for insecure randomness flow.
go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/InsecureRandomness.qlref Switch postprocess to YAML list and add inline-expectations postprocess.
go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/InsecureRandomness.go Add $ Alert[...] marker for weak RNG password generation.
go/ql/test/query-tests/Security/CWE-327/UnsafeTLS.qlref Switch postprocess to YAML list and add inline-expectations postprocess.
go/ql/test/query-tests/Security/CWE-327/UnsafeTLS.go Add $ Source[...] / $ Alert[...] markers for insecure TLS settings.
go/ql/test/query-tests/Security/CWE-326/InsufficientKeySize.qlref Convert to YAML .qlref and enable inline-expectations postprocess.
go/ql/test/query-tests/Security/CWE-326/InsufficientKeySize.go Add $ Source / $ Alert markers for insufficient RSA key sizes.
go/ql/test/query-tests/Security/CWE-322/InsecureHostKeyCallbackExample.go Add inline markers for insecure HostKeyCallback query tests (some markers appear inconsistent with existing expected results).
go/ql/test/query-tests/Security/CWE-322/InsecureHostKeyCallback.qlref Convert to YAML .qlref and enable inline-expectations postprocess.
go/ql/test/query-tests/Security/CWE-295/DisabledCertificateCheck/main.go Add $ Alert markers for InsecureSkipVerify.
go/ql/test/query-tests/Security/CWE-295/DisabledCertificateCheck/DisabledCertificateCheck.qlref Convert to YAML .qlref and enable inline-expectations postprocess.
go/ql/test/query-tests/Security/CWE-295/DisabledCertificateCheck/DisabledCertificateCheck.go Add $ Alert markers for InsecureSkipVerify transport.
go/ql/test/query-tests/Security/CWE-209/test.go Add $ Source / $ Alert markers for stack trace exposure.
go/ql/test/query-tests/Security/CWE-209/StackTraceExposure.qlref Convert to YAML .qlref and enable inline-expectations postprocess.
go/ql/test/query-tests/Security/CWE-190/tst3.go Add $ Source[...] / $ Alert[...] markers for allocation size overflow cases.
go/ql/test/query-tests/Security/CWE-190/tst2.go Add $ Source[...] / $ Alert[...] markers for allocation size overflow cases.
go/ql/test/query-tests/Security/CWE-190/tst.go Add $ Source[...] / $ Alert[...] markers for allocation size overflow cases.
go/ql/test/query-tests/Security/CWE-190/AllocationSizeOverflow.qlref Switch postprocess to YAML list and add inline-expectations postprocess.
go/ql/test/query-tests/Security/CWE-190/AllocationSizeOverflow.go Add $ Source[...] / $ Alert[...] markers for computed allocation size.
go/ql/test/query-tests/Security/CWE-089/StringBreakMismatched.go Reorder imports and add $ Source[...] / $ Alert[...] markers.
go/ql/test/query-tests/Security/CWE-089/StringBreak.qlref Switch postprocess to YAML list and add inline-expectations postprocess.
go/ql/test/query-tests/Security/CWE-089/StringBreak.go Add $ Source[...] / $ Alert[...] markers for unsafe quoting.
go/ql/test/query-tests/Security/CWE-089/StringBreak.expected Update expected locations to match line shifts.
go/ql/test/query-tests/Security/CWE-089/SqlInjection.qlref Switch postprocess to YAML list and add inline-expectations postprocess.
go/ql/test/query-tests/Security/CWE-089/SqlInjection.go Add $ Source[...] / $ Alert[...] markers for SQL injection.
go/ql/test/query-tests/Security/CWE-089/mongoDB.go Add $ Source[...] / $ Alert[...] markers for MongoDB API test coverage.
go/ql/test/query-tests/Security/CWE-089/main.go Add $ Source[...] / $ Alert[...] markers for SQL injection examples.
go/ql/test/query-tests/Security/CWE-089/issue48.go Add $ Source[...] / $ Alert[...] markers for SQL injection issue reproduction.
go/ql/test/query-tests/Security/CWE-078/StoredCommand.qlref Switch postprocess to YAML list and add inline-expectations postprocess.
go/ql/test/query-tests/Security/CWE-078/StoredCommand.go Add $ Source[...] / $ Alert[...] markers for stored command execution.
go/ql/test/query-tests/Security/CWE-078/SanitizingDoubleDash.go Add $ Source[...] / $ Alert[...] markers for command injection cases.
go/ql/test/query-tests/Security/CWE-078/GitSubcommands.go Add $ Source[...] / $ Alert[...] markers for vulnerable git subcommands.
go/ql/test/query-tests/Security/CWE-078/CommandInjection2.go Add $ Source[...] / $ Alert[...] markers for shell command injection examples.
go/ql/test/query-tests/Security/CWE-078/CommandInjection.qlref Switch postprocess to YAML list and add inline-expectations postprocess.
go/ql/test/query-tests/Security/CWE-078/CommandInjection.go Add $ Source[...] / $ Alert[...] markers for command injection.
go/ql/test/query-tests/Security/CWE-078/ArgumentInjection.go Add $ Source[...] / $ Alert[...] markers for argument injection.
go/ql/test/query-tests/Security/CWE-022/ZipSlip.qlref Switch postprocess to YAML list and add inline-expectations postprocess.
go/ql/test/query-tests/Security/CWE-022/ZipSlip.go Add $ Sink[...] / $ Alert[...] markers for ZipSlip.
go/ql/test/query-tests/Security/CWE-022/UnsafeUnzipSymlinkGood.go Add $ Sink[...] / $ Alert[...] markers for ZipSlip-related sanitization.
go/ql/test/query-tests/Security/CWE-022/UnsafeUnzipSymlink.qlref Switch postprocess to YAML list and add inline-expectations postprocess.
go/ql/test/query-tests/Security/CWE-022/UnsafeUnzipSymlink.go Add $ Sink[...] / $ Alert[...] markers for unsafe symlink writes.
go/ql/test/query-tests/Security/CWE-022/tst.go Add $ Sink[...] / $ Alert[...] markers for ZipSlip variants.
go/ql/test/query-tests/Security/CWE-022/tarslip.go Add $ Sink[...] / $ Alert[...] markers for tar slip.
go/ql/test/query-tests/Security/CWE-022/TaintedPath.qlref Switch postprocess to YAML list and add inline-expectations postprocess.
go/ql/test/query-tests/Security/CWE-022/TaintedPath.go Add $ Source[...] / $ Alert[...] markers for path injection.
go/ql/test/query-tests/Security/CWE-022/GorillaMuxSkipClean/TaintedPath.qlref Switch postprocess to YAML list and add inline-expectations postprocess.
go/ql/test/query-tests/Security/CWE-022/GorillaMuxSkipClean/MuxClean.go Add $ Source[...] / $ Alert[...] markers for Gorilla mux SkipClean case.
go/ql/test/query-tests/Security/CWE-022/GorillaMuxDefault/TaintedPath.qlref Switch postprocess to YAML list and add inline-expectations postprocess.
go/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/test.go Add $ Alert[...] markers for suspicious regex escapes.
go/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/SuspiciousCharacterInRegexp.qlref Convert to YAML .qlref and enable inline-expectations postprocess.
go/ql/test/query-tests/Security/CWE-020/SuspiciousCharacterInRegexp/SuspiciousCharacterInRegexp.go Add $ Alert[...] marker for suspicious regex escape in compiled regex.
go/ql/test/query-tests/Security/CWE-020/MissingRegexpAnchor/MissingRegexpAnchor.qlref Convert to YAML .qlref and enable inline-expectations postprocess.
go/ql/test/query-tests/Security/CWE-020/MissingRegexpAnchor/MissingRegexpAnchor.go Add $ Alert marker for missing regexp anchor.
go/ql/test/query-tests/Security/CWE-020/MissingRegexpAnchor/main.go Add $ Alert markers for missing anchor examples.
go/ql/test/query-tests/Security/CWE-020/IncompleteUrlSchemeCheck/main.go Add $ Alert marker for incomplete URL scheme check.
go/ql/test/query-tests/Security/CWE-020/IncompleteUrlSchemeCheck/IncompleteUrlSchemeCheck.qlref Convert to YAML .qlref and enable inline-expectations postprocess.
go/ql/test/query-tests/Security/CWE-020/IncompleteUrlSchemeCheck/IncompleteUrlSchemeCheck.go Add $ Alert marker for javascript scheme check.
go/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegexp/main.go Add $ Source[...] / $ Sink[...] / $ Alert[...] markers for hostname regexp.
go/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegexp/IncompleteHostnameRegexp.qlref Switch postprocess to YAML list and add inline-expectations postprocess.
go/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegexp/IncompleteHostnameRegexp.go Add $ Alert[...] / $ Sink[...] markers for incomplete hostname regexp.
go/ql/test/query-tests/RedundantCode/UnreachableStatement/UnreachableStatement.qlref Convert to YAML .qlref and enable inline-expectations postprocess.
go/ql/test/query-tests/RedundantCode/UnreachableStatement/UnreachableStatement.go Add $ Alert marker.
go/ql/test/query-tests/RedundantCode/UnreachableStatement/main.go Add $ Alert markers for unreachable statement examples.
go/ql/test/query-tests/RedundantCode/ShiftOutOfRange/ShiftOutOfRange.qlref Convert to YAML .qlref and enable inline-expectations postprocess.
go/ql/test/query-tests/RedundantCode/ShiftOutOfRange/ShiftOutOfRange.go Add $ Alert marker.
go/ql/test/query-tests/RedundantCode/ShiftOutOfRange/main.go Add $ Alert markers for shift-out-of-range examples.
go/ql/test/query-tests/RedundantCode/SelfAssignment/tst.go Add $ Alert marker.
go/ql/test/query-tests/RedundantCode/SelfAssignment/SelfAssignment.qlref Convert to YAML .qlref and enable inline-expectations postprocess.
go/ql/test/query-tests/RedundantCode/SelfAssignment/SelfAssignment.go Add $ Alert marker.
go/ql/test/query-tests/RedundantCode/RedundantRecover/tst.go Add $ Alert[...] marker.
go/ql/test/query-tests/RedundantCode/RedundantRecover/RedundantRecover2.go Add $ Alert[...] marker.
go/ql/test/query-tests/RedundantCode/RedundantRecover/RedundantRecover1.go Add $ Alert[...] marker.
go/ql/test/query-tests/RedundantCode/RedundantRecover/RedundantRecover.qlref Convert to YAML .qlref and enable inline-expectations postprocess.
go/ql/test/query-tests/RedundantCode/RedundantExpr/tst.go Add $ Alert[...] marker.
go/ql/test/query-tests/RedundantCode/RedundantExpr/RedundantExpr.qlref Convert to YAML .qlref and enable inline-expectations postprocess.
go/ql/test/query-tests/RedundantCode/RedundantExpr/RedundantExpr.go Add $ Alert[...] marker.
go/ql/test/query-tests/RedundantCode/NegativeLengthCheck/NegativeLengthCheck.qlref Convert to YAML .qlref and enable inline-expectations postprocess.
go/ql/test/query-tests/RedundantCode/NegativeLengthCheck/NegativeLengthCheck.go Add $ Alert marker.
go/ql/test/query-tests/RedundantCode/NegativeLengthCheck/main.go Add $ Alert markers for negative-length comparisons.
go/ql/test/query-tests/RedundantCode/ImpossibleInterfaceNilCheck/tst.go Add $ Alert marker.
go/ql/test/query-tests/RedundantCode/ImpossibleInterfaceNilCheck/ImpossibleInterfaceNilCheck.qlref Convert to YAML .qlref and enable inline-expectations postprocess.
go/ql/test/query-tests/RedundantCode/ImpossibleInterfaceNilCheck/ImpossibleInterfaceNilCheck.go Add $ Alert marker.
go/ql/test/query-tests/RedundantCode/ExprHasNoEffect/main.go Add $ Alert markers for no-effect expressions.
go/ql/test/query-tests/RedundantCode/ExprHasNoEffect/ExprHasNoEffect.qlref Convert to YAML .qlref and enable inline-expectations postprocess.
go/ql/test/query-tests/RedundantCode/ExprHasNoEffect/ExprHasNoEffect.go Add $ Alert marker.
go/ql/test/query-tests/RedundantCode/DuplicateSwitchCase/tst.go Add $ Alert[...] marker.
go/ql/test/query-tests/RedundantCode/DuplicateSwitchCase/DuplicateSwitchCase.qlref Convert to YAML .qlref and enable inline-expectations postprocess.
go/ql/test/query-tests/RedundantCode/DuplicateSwitchCase/DuplicateSwitchCase.go Add $ Alert[...] marker.
go/ql/test/query-tests/RedundantCode/DuplicateCondition/tst.go Add $ Source / $ Alert markers.
go/ql/test/query-tests/RedundantCode/DuplicateCondition/DuplicateCondition.qlref Convert to YAML .qlref and enable inline-expectations postprocess.
go/ql/test/query-tests/RedundantCode/DuplicateCondition/DuplicateCondition.go Add $ Source / $ Alert markers.
go/ql/test/query-tests/RedundantCode/DuplicateBranches/main.go Add $ Alert marker.
go/ql/test/query-tests/RedundantCode/DuplicateBranches/DuplicateBranches.qlref Convert to YAML .qlref and enable inline-expectations postprocess.
go/ql/test/query-tests/RedundantCode/DuplicateBranches/DuplicateBranches.go Add $ Alert marker.
go/ql/test/query-tests/RedundantCode/DeadStoreOfLocal/testdata.go Add $ Alert[...] markers for useless assignments.
go/ql/test/query-tests/RedundantCode/DeadStoreOfLocal/main.go Add $ Alert[...] marker.
go/ql/test/query-tests/RedundantCode/DeadStoreOfLocal/DeadStoreOfLocal.qlref Convert to YAML .qlref and enable inline-expectations postprocess.
go/ql/test/query-tests/RedundantCode/DeadStoreOfField/DeadStoreOfField.qlref Convert to YAML .qlref and enable inline-expectations postprocess.
go/ql/test/query-tests/RedundantCode/DeadStoreOfField/DeadStoreOfField.go Add $ Alert marker.
go/ql/test/query-tests/RedundantCode/CompareIdenticalValues/vp.go Add $ Alert marker.
go/ql/test/query-tests/RedundantCode/CompareIdenticalValues/tst.go Add $ Alert markers.
go/ql/test/query-tests/RedundantCode/CompareIdenticalValues/CompareIdenticalValues.qlref Convert to YAML .qlref and enable inline-expectations postprocess.
go/ql/test/query-tests/RedundantCode/CompareIdenticalValues/CompareIdenticalValues.go Add $ Alert marker.
go/ql/test/query-tests/InconsistentCode/WrappedErrorAlwaysNil/WrappedErrorAlwaysNil.qlref Convert to YAML .qlref and enable inline-expectations postprocess.
go/ql/test/query-tests/InconsistentCode/WrappedErrorAlwaysNil/WrappedErrorAlwaysNil.go Add $ Alert markers.
go/ql/test/query-tests/InconsistentCode/WhitespaceContradictsPrecedence/WhitespaceContradictsPrecedence.qlref Convert to YAML .qlref and enable inline-expectations postprocess.
go/ql/test/query-tests/InconsistentCode/WhitespaceContradictsPrecedence/WhitespaceContradictsPrecedence.go Add $ Alert marker.
go/ql/test/query-tests/InconsistentCode/WhitespaceContradictsPrecedence/main.go Add $ Alert markers and whitespace adjustment.
go/ql/test/query-tests/InconsistentCode/MistypedExponentiation/MistypedExponentiation.qlref Convert to YAML .qlref and enable inline-expectations postprocess.
go/ql/test/query-tests/InconsistentCode/MistypedExponentiation/MistypedExponentiation.go Add $ Alert marker.
go/ql/test/query-tests/InconsistentCode/MistypedExponentiation/main.go Add $ Alert markers.
go/ql/test/query-tests/InconsistentCode/MissingErrorCheck/tests.go Add $ Alert[...] markers.
go/ql/test/query-tests/InconsistentCode/MissingErrorCheck/MissingErrorCheck.qlref Convert to YAML .qlref and enable inline-expectations postprocess.
go/ql/test/query-tests/InconsistentCode/LengthComparisonOffByOne/main.go Add $ Alert / $ Source markers.
go/ql/test/query-tests/InconsistentCode/LengthComparisonOffByOne/LengthComparisonOffByOne.qlref Convert to YAML .qlref and enable inline-expectations postprocess.
go/ql/test/query-tests/InconsistentCode/LengthComparisonOffByOne/LengthComparisonOffByOne.go Add $ Alert / $ Source markers.
go/ql/test/query-tests/InconsistentCode/InconsistentLoopOrientation/main.go Add $ Alert markers.
go/ql/test/query-tests/InconsistentCode/InconsistentLoopOrientation/InconsistentLoopOrientation.qlref Convert to YAML .qlref and enable inline-expectations postprocess.
go/ql/test/query-tests/InconsistentCode/InconsistentLoopOrientation/InconsistentLoopOrientation.go Add $ Alert marker.
go/ql/test/query-tests/InconsistentCode/ConstantLengthComparison/ConstantLengthComparison.qlref Convert to YAML .qlref and enable inline-expectations postprocess.
go/ql/test/query-tests/InconsistentCode/ConstantLengthComparison/ConstantLengthComparison.go Add $ Alert marker.
go/ql/test/library-tests/semmle/go/frameworks/XNetHtml/test.go Add $ Source[...] / $ Alert[...] markers for XSS and SQL injection.
go/ql/test/library-tests/semmle/go/frameworks/XNetHtml/SqlInjection.qlref Switch postprocess to YAML list and add inline-expectations postprocess.
go/ql/test/library-tests/semmle/go/frameworks/XNetHtml/ReflectedXss.qlref Switch postprocess to YAML list and add inline-expectations postprocess.
go/ql/test/library-tests/semmle/go/frameworks/Twirp/tests.ql Adjust parsing to ignore trailing $ ... inline markers in test: comments.
go/ql/test/library-tests/semmle/go/frameworks/Twirp/tests.expected Update expected ranges affected by changed comment parsing.
go/ql/test/library-tests/semmle/go/frameworks/Twirp/server/main.go Add $ Source[...] / $ Alert[...] markers without breaking test: comment parsing.
go/ql/test/library-tests/semmle/go/frameworks/Twirp/rpc/notes/service.twirp.go Add $ Source[...] marker on request body read.
go/ql/test/library-tests/semmle/go/frameworks/Twirp/RequestForgery.qlref Switch postprocess to YAML list and add inline-expectations postprocess.
go/ql/test/library-tests/semmle/go/frameworks/Revel/TaintedPath.qlref Switch postprocess to YAML list and add inline-expectations postprocess.
go/ql/test/library-tests/semmle/go/frameworks/Revel/Revel.go Add inline expectation markers alongside existing $ responsebody=... annotations.
go/ql/test/library-tests/semmle/go/frameworks/Revel/ReflectedXss.qlref Switch postprocess to YAML list and add inline-expectations postprocess.
go/ql/test/library-tests/semmle/go/frameworks/Revel/OpenRedirect.qlref Switch postprocess to YAML list and add inline-expectations postprocess.
go/ql/test/library-tests/semmle/go/frameworks/Revel/examples/booking/app/init.go Add inline markers for reflected XSS in HTTP mux handlers.
go/ql/test/library-tests/semmle/go/frameworks/Revel/EndToEnd.go Add $ Source[...] / $ Alert[...] markers for multiple query scenarios.
go/ql/test/library-tests/semmle/go/frameworks/GoMicro/main.go Add inline markers for log injection example.
go/ql/test/library-tests/semmle/go/frameworks/GoMicro/LogInjection.qlref Convert to YAML .qlref and enable inline-expectations postprocess.
go/ql/test/library-tests/semmle/go/frameworks/Echo/test.go Add $ Source[...] / $ Alert[...] markers for XSS/open redirect/path injection.
go/ql/test/library-tests/semmle/go/frameworks/Echo/TaintedPath.qlref Switch postprocess to YAML list and add inline-expectations postprocess.
go/ql/test/library-tests/semmle/go/frameworks/Echo/ReflectedXss.qlref Switch postprocess to YAML list and add inline-expectations postprocess.
go/ql/test/library-tests/semmle/go/frameworks/Echo/OpenRedirect.qlref Switch postprocess to YAML list and add inline-expectations postprocess.
go/ql/test/library-tests/semmle/go/frameworks/Chi/test.go Add $ Source[...] / $ Alert[...] markers for reflected XSS.
go/ql/test/library-tests/semmle/go/frameworks/Chi/ReflectedXss.qlref Switch postprocess to YAML list and add inline-expectations postprocess.
go/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/test.go Add $ Source[...] / $ Alert[...] markers for SQL injection and stored XSS.
go/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/StoredXss.qlref Switch postprocess to YAML list and add inline-expectations postprocess.
go/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/SqlInjection.qlref Switch postprocess to YAML list and add inline-expectations postprocess.
go/ql/test/experimental/Unsafe/WrongUsageOfUnsafe.qlref Enable inline-expectations postprocess.
go/ql/test/experimental/Unsafe/WrongUsageOfUnsafe.go Add inline markers (some appear inconsistent with current expected results).
go/ql/test/experimental/InconsistentCode/test.go Add $ Alert[...] markers for experimental inconsistent-code examples.
go/ql/test/experimental/InconsistentCode/GORMErrorNotChecked.qlref Enable inline-expectations postprocess.
go/ql/test/experimental/InconsistentCode/GORMErrorNotChecked.go Add $ Alert[...] marker.
go/ql/test/experimental/InconsistentCode/DeferInLoop.qlref Enable inline-expectations postprocess.
go/ql/test/experimental/InconsistentCode/DeferInLoop.go Add $ Alert[...] marker.
go/ql/test/experimental/CWE-840/ConditionalBypassBad.go Add $ Alert[...] marker.
go/ql/test/experimental/CWE-840/ConditionalBypass.qlref Enable inline-expectations postprocess.
go/ql/test/experimental/CWE-840/condition.go Add $ Alert[...] markers.
go/ql/test/experimental/CWE-807/SensitiveConditionBypassBad.go Add $ Alert[...] marker.
go/ql/test/experimental/CWE-807/SensitiveConditionBypass.qlref Enable inline-expectations postprocess.
go/ql/test/experimental/CWE-807/condition.go Add $ Alert[...] markers.
go/ql/test/experimental/CWE-74/DsnInjectionLocal.qlref Switch postprocess to YAML list and add inline-expectations postprocess.
go/ql/test/experimental/CWE-74/DsnInjection.qlref Switch postprocess to YAML list and add inline-expectations postprocess.
go/ql/test/experimental/CWE-74/Dsn.go Add $ Source[...] / $ Alert[...] markers for DSN injection flows.
go/ql/test/experimental/CWE-525/WebCacheDeceptionHTTPRouter.go Add $ Alert[...] marker.
go/ql/test/experimental/CWE-525/WebCacheDeceptionGoChi.go Add $ Alert[...] marker.
go/ql/test/experimental/CWE-525/WebCacheDeceptionFiber.go Add $ Alert[...] markers.
go/ql/test/experimental/CWE-525/WebCacheDeceptionBad.go Add $ Alert[...] marker.
go/ql/test/experimental/CWE-525/WebCacheDeception.qlref Enable inline-expectations postprocess.
go/ql/test/experimental/CWE-522-DecompressionBombs/test.go Add $ Source[...] / $ Alert[...] markers for decompression bomb flows.
go/ql/test/experimental/CWE-522-DecompressionBombs/DecompressionBombs.qlref Switch postprocess to YAML list and add inline-expectations postprocess.
go/ql/test/experimental/CWE-400/test.go Add inline markers for database-call-in-loop examples (including block-end markers).
go/ql/test/experimental/CWE-400/DatabaseCallInLoop.qlref Enable inline-expectations postprocess.
go/ql/test/experimental/CWE-400/DatabaseCallInLoop.go Add $ Source[...] / $ Alert[...] markers for DB call in loop.
go/ql/test/experimental/CWE-369/DivideByZero.qlref Switch postprocess to YAML list and add inline-expectations postprocess.
go/ql/test/experimental/CWE-369/DivideByZero.go Add $ Source[...] / $ Alert[...] markers for divide-by-zero examples.
go/ql/test/experimental/CWE-321-V2/HardCodedKeys.qlref Enable inline-expectations postprocess.
go/ql/test/experimental/CWE-321-V2/golang-jwt-v5.go Add $ Source[...] / $ Alert[...] markers for hardcoded key JWT parsing.
go/ql/test/experimental/CWE-321-V2/go-jose.v3.go Add $ Source[...] / $ Alert[...] markers for hardcoded key usage.
go/ql/test/experimental/CWE-287/ImproperLdapAuth.qlref Switch postprocess to YAML list and add inline-expectations postprocess.
go/ql/test/experimental/CWE-287/ImproperLdapAuth.go Add $ Source[...] / $ Alert[...] markers for LDAP bind issues.
go/ql/test/experimental/CWE-285/PamAuthBypass.qlref Enable inline-expectations postprocess.
go/ql/test/experimental/CWE-285/main.go Add $ Alert[...] marker for PAM callback.
go/ql/test/experimental/CWE-203/Timing.qlref Switch postprocess to YAML list and add inline-expectations postprocess.
go/ql/test/experimental/CWE-203/timing.go Add $ Source[...] / $ Alert[...] markers for timing-attack comparisons.
go/ql/test/experimental/CWE-090/LDAPInjection.qlref Switch postprocess to YAML list and add inline-expectations postprocess.
go/ql/test/experimental/CWE-090/LDAPInjection.go Add $ Source[...] / $ Alert[...] markers for LDAP injection.

Copilot's findings

  • Files reviewed: 203/203 changed files
  • Comments generated: 17

// Read before secret without overflowing to secret:
// NOTE: unsafe.Pointer(&harmless) == unsafe.Pointer(&harmless[0])
var data = (*[8]byte)(unsafe.Pointer(&harmless)) // OK
var data = (*[8]byte)(unsafe.Pointer(&harmless)) // $ Alert[go/wrong-usage-of-unsafe] // OK
// Read before secret without overflowing to secret:
// NOTE: unsafe.Pointer(&harmless) == unsafe.Pointer(&harmless[0])
var data = (*[8]byte)(unsafe.Pointer(&harmless[0])) // OK
var data = (*[8]byte)(unsafe.Pointer(&harmless[0])) // $ Alert[go/wrong-usage-of-unsafe] // OK
// the end of `harmless` is 8 bytes),
// which does not cross into `secret`.
var data = (*[8]byte)(unsafe.Pointer(&harmless[3])) // OK
var data = (*[8]byte)(unsafe.Pointer(&harmless[3])) // $ Alert[go/wrong-usage-of-unsafe] // OK

// Read before secret:
var data = (*int)(unsafe.Pointer(&harmless)) // TODO: is this really OK?
var data = (*int)(unsafe.Pointer(&harmless)) // $ Alert[go/wrong-usage-of-unsafe] // TODO: is this really OK?
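Review bot: every $ Alert[go/wrong-usage-of-unsafe] marker added in this region sits on a line whose existing comment reads "// OK" (or "// TODO: is this really OK?"), so the inline expectations now assert an alert on reads the test file itself documents as staying within harmless and not crossing into secret; reconcile this with the test's current expected output before merging, either by dropping the markers where the query is not meant to fire or by updating the "// OK" comments if these are known false positives the expected file already records.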
func(hostname string, remote net.Addr, key ssh.PublicKey) error {
return nil
})
}) // $ Source[go/insecure-hostkeycallback] Alert[go/insecure-hostkeycallback]
func(hostname string, remote net.Addr, key ssh.PublicKey) error {
return nil
})
}) // $ Alert[go/insecure-hostkeycallback]
}) // $ Alert[go/insecure-hostkeycallback]

potentialInsecureSSHClientConfig(insecureCallback)
potentialInsecureSSHClientConfig(insecureCallback) // $ Source[go/insecure-hostkeycallback] Alert[go/insecure-hostkeycallback]
}
return fmt.Errorf("ssh: Unexpected host for key")
})
}) // $ Alert[go/insecure-hostkeycallback]

potentialInsecureSSHClientConfig(potentiallySecureCallback)
potentialInsecureSSHClientConfig(ssh.InsecureIgnoreHostKey())
potentialInsecureSSHClientConfig(potentiallySecureCallback) // $ Source[go/insecure-hostkeycallback] Alert[go/insecure-hostkeycallback]
potentialInsecureSSHClientConfig(ssh.InsecureIgnoreHostKey()) // $ Alert[go/insecure-hostkeycallback]

potentialInsecureSSHClientConfigTwoWrites(potentiallySecureCallback)
potentialInsecureSSHClientConfigTwoWrites(potentiallySecureCallback) // $ Source[go/insecure-hostkeycallback] Alert[go/insecure-hostkeycallback]
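Review bot: potentialInsecureSSHClientConfig(potentiallySecureCallback) and potentialInsecureSSHClientConfigTwoWrites(potentiallySecureCallback) now carry both Source[go/insecure-hostkeycallback] and Alert[go/insecure-hostkeycallback], the same markers as the insecureCallback call, even though potentiallySecureCallback is the callback that returns fmt.Errorf("ssh: Unexpected host for key") on its non-matching path; confirm against the test's existing expected output whether the query is meant to report that callback at all (the file summary above already flags some markers in this file as inconsistent), and note that the two identical "}) // $ Alert[go/insecure-hostkeycallback]" lines shown for one closing brace should be checked for an accidental duplicate marker.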
hvitved commented Jun 10, 2026


Nice, we should do this for all languages.
