Swift: Convert .qlref security query tests to inline expectation tests

[Copilot]

Converts 19 Swift security query .qlref tests from .expected-file-based testing to inline expectation tests by adding // $ Alert, // $ Source, and // $ Sink comments directly in the Swift source files.

What changed

• 19 .qlref files updated to add postprocess: utils/test/InlineExpectationsTestQuery.ql (compact single-line form)
• 35 Swift source files annotated with inline expectation comments derived from existing .expected files:
  • @kind problem queries: // $ Alert at each result's end-line
  • @kind path-problem queries: // $ Alert at alert location, // $ Source at source (when on different line), // $ Sink at sink (when on different line from alert)
• No .expected files were modified

Before/after example (CWE-760/ConstantSalt):

// Before
let myConstantSalt1 = Data("abcdef123456")  // no annotation
let _ = myEncryptor.key(..., salt: myConstantSalt1, ...) // BAD

// After
let myConstantSalt1 = Data("abcdef123456") // $ Source
let _ = myEncryptor.key(..., salt: myConstantSalt1, ...) // $ Alert

Lines with pre-existing // BAD, descriptive text comments were restructured to // $ Alert // BAD, descriptive text so the $ appears first in the comment content (required by the inline expectation parser).

Skipped tests (12)

Test	Reason
4× PrintAst.qlref	AST dump queries
library-tests/ast/Errors.qlref	No @kind metadata
AlertSuppression.qlref	@kind alert-suppression
Diagnostics/ExtractedFiles.qlref	@kind diagnostic
Diagnostics/SuccessfullyExtractedLines.qlref	@kind metric
CWE-757/InsecureTLS.qlref	file:// synthetic alert locations in #select (9 rows)
CWE-321/HardcodedEncryptionKey.qlref	file:// synthetic alert location
CWE-078/CommandInjection.qlref	file:// synthetic alert locations
CWE-135/StringLengthConflation.qlref	file:// synthetic source locations (13 rows)

Original prompt

Follow these instructions for Swift.
qlref conversion instructions

Here’s the repeatable recipe for converting a CodeQL language’s .qlref tests to inline expectation tests.

Overall Workflow

1. cd into the language folder.

2. Run grep -rL "InlineExpectationsTestQuery" --include="*.qlref".

3. Ignore generated .actual files, .testproj copies, and other generated artifacts.

4. For each .qlref, resolve the referenced query and read its metadata.

5. Classify each test before editing:

  - convert now for standard @kind problem and @kind path-problem

  - skip for anything else, with a short concrete reason

6. Inspect the existing .expected file before converting:

  - If it is empty and the query is a standard problem or path-problem query, usually convert by adding the postprocessor only. No source comments are needed.

  - If it is non-empty, add inline expectation comments to the source files at the expected result locations, then add the postprocessor to the .qlref.

7. Keep the existing .expected file. Do not edit generated expected files by hand, even when converting.

8. Edit only source files and .qlref files.

9. Maintain a skip list for tests not converted, with exact paths and short reasons.

10. Do not make a PR.

.qlref Formatting

For a single postprocessor, use the compact form:

query: path/to/Query.ql

postprocess: utils/test/InlineExpectationsTestQuery.ql

If the .qlref already has other postprocessors, use list form:

query: path/to/Query.ql

postprocess:

  - utils/test/PrettyPrintModels.ql

  - utils/test/InlineExpectationsTestQuery.ql

If the original .qlref was a plain single-line query reference, convert it to query: form only when adding postprocess:.

Always preserve existing postprocessors.

Expectation Comments

Use the language’s supported inline comment syntax from its inline expectation implementation. Typical tags are:

$ Alert

$ Source

$ Sink

For example, in Java or Kotlin:

sink(userInput); // $ Alert

For problem queries, add Alert at each expected result location.

For path-problem queries, add:

• Alert at the alert location.

• Source at the source location, unless the source is on the same line as the alert.

• Sink at the sink location when it is a distinct relevant location.

Multi-line result locations should be annotated on the end line.

If more than one result is expected on the same line for the same query, just use a single tag in the comment, for example:

foo(bar); // $ Alert

Only add comments to real source files that belong to the test. Do not annotate generated copies, shared vendored fixtures, or shared stubs unless that is clearly the right ownership boundary for the test.

Empty .expected Files

If a problem or path-problem test already has an empty .expected file, the default conversion is:

1. Leave .expected untouched.

2. Add postprocess: utils/test/InlineExpectationsTestQuery.ql to the .qlref.

3. Add no source comments unless the test actually has expected results that are currently represented elsewhere.

This is common in zero-result tests.

Query Ids

Do not add [query-id] by default.

Only qualify tags when needed, usually when more than one inline expectation test in the same effective test folder or database can see the same source comments. Then use the query’s metadata id:

response.write(x); // $ Alert[java/xss]

Apply this to Alert, Source, and Sink only for the comments that need disambiguation.

If you add query ids in a shared folder, validate the owner queries for those comments as well, not just the query you were editing.

Good Skip Reasons

Skip, or revert to non-inline, when conversion would make the test misleading, brittle, or noisy. Common reasons:

• The query is not @kind problem or @kind path-problem.

• The query is a telemetry, metrics, table, definitions, diagnostic, extractor-information, stub-generation, or tool-specific query.

• The test is an AST dump or similar structural output test, such as PrintAst.

• The selected result text is inside a string literal, raw string, heredoc, text block, XML literal, or multiline literal and adding a comment changes the selected text.

• The expected location is inside documentation syntax where adding a comment changes what the query reports, such as Javadoc tags.

• The .expected output is nonstandard enough that mechanical conversion is risky.

• Results are in shared stubs, generated copies, vendored files, or synthetic/test-project paths where inline comments would pollute shared fixtures.

• The alert, source, or sink locations are too dense or ambiguous to make the source understandable.

• The language’s inline expectation implementation does not support the source file or comment style needed.

• The query uses a special result kind or framework behavior, such as alert-...

Created from VS Code.

[owen-mc]

@copilot In swift/ql/test/query-tests/Security/CWE-020/ you have converted two tests to inline expectations tests, but you have used // $ Alert for all the alerts. This means that each test will expect alerts at places that the other test has a result. You have to use the optional query id form in this situation: // $ Alert[swift/missing-regexp-anchor]. Please fix this issue in this folder and the others where it applies: swift/ql/test/query-tests/Security/CWE-311/ and swift/ql/test/query-tests/Security/CWE-328/. You can use the .expected files for each test to see which alerts belong to which test. (If there is an alert for >1 test on one line then add comments with the query id for all relevant tests.) If you have a codeql binary available then you may run it to see the test output.

[Copilot]

@copilot In swift/ql/test/query-tests/Security/CWE-020/ you have converted two tests to inline expectations tests, but you have used // $ Alert for all the alerts. This means that each test will e...

Fixed in the latest commit. For each of the three folders:

• CWE-020: test.swift now uses // $ Alert[swift/incomplete-hostname-regexp] or // $ Alert[swift/missing-regexp-anchor] per-line based on which query produces that result. Lines 81 and 84 (where both queries produce one result each) keep bare // $ Alert. SemiAnchoredRegex.swift and UnanchoredUrlRegex.swift now use [swift/missing-regexp-anchor] throughout (only MRA produces results there). I also fixed lines with multiple results that previously had only one Alert annotation (e.g., line 65 needs two, line 77 needs three IHR + one MRA).

• CWE-311: Since the files are disjoint (CleartextStorageDatabase covers SQLite/CoreData/GRDB/Realm; CleartextTransmission covers Alamofire/Send/URL), all annotations now use the appropriate [swift/cleartext-storage-database] or [swift/cleartext-transmission] qualifier.

• CWE-328: testCryptoKit.swift and testCryptoSwift.swift now use [swift/weak-password-hashing] for password variables (passwd/passwdArray/etc.) and [swift/weak-sensitive-data-hashing] for sensitive data variables (cert/account_no/credit_card_no/phoneNumberArray/etc.), matching the split in the expected files.