Merge branch 'main' into call-graph-code

python/ql/test/query-tests/Classes/conflicting/odasa6643.py

@@ -1,8 +1,6 @@
 #This code has conflicting attributes,
 #but the documentation in the standard library tells you do it this way :(
 
-#See https://discuss.lgtm.com/t/warning-on-normal-use-of-python-socketserver-mixins/677
-
 class ThreadingMixIn(object):
 
     def process_request(selfself, req):

python/ql/test/query-tests/Classes/missing-init/missing_init.py

@@ -39,7 +39,7 @@ class UVT(UT, PU):
 class IUVT(IUT, UVT):
     pass
 
-#False positive observed on LGTM
+#False positive
 class M1(object):
     def __init__(self):
         print("A")

python/ql/test/query-tests/Expressions/eq/expressions_test.py

@@ -78,7 +78,7 @@ class C(object):
         '''
         return self is other
 
-#Was FP -- https://github.com/lgtmhq/lgtm-queries/issues/13
+#Was FP
 def both_sides_known(zero_based="auto", query_id=False):
     if query_id and zero_based == "auto":
         zero_based = True

python/ql/test/query-tests/Functions/general/explicit_return_in_init.py

@@ -46,7 +46,7 @@ class InitCallsBadInit(ExplicitReturnInInit):
 
 # OK as procedure implicitly returns None
 #
-# this was seen in the wild: https://lgtm.com/projects/b/jjburton/cgmtools/snapshot/0d8a429b7ea17854a5e5341df98b1cbd54d7fe6c/files/mayaTools/cgm/lib/classes/AttrFactory.py?sort=name&dir=ASC&mode=heatmap#L90
+# this was seen in the wild:
 # using a pattern of `return procedure_that_logs_error()`
 
 def procedure():

python/ql/test/query-tests/Functions/general/parameter_names.py

@@ -127,7 +127,7 @@ Z().meth(0)
 # makes it such. As a consequence, the query `py/not-named-self` and other
 # relevant queries need to account for this.
 #
-# This has come up in the wild via LGTM as a false positive. For example,
+# This has come up in the wild as a false positive. For example,
 # `__init_subclass__`:
 #   https://docs.python.org/3/reference/datamodel.html#customizing-class-creation
 # `__class_getitem__`:

python/ql/test/query-tests/Security/CWE-022-PathInjection/DataflowQueryTest.expected

@@ -0,0 +1,2 @@
+missingAnnotationOnSink
+failures

python/ql/test/query-tests/Security/CWE-022-PathInjection/DataflowQueryTest.ql

@@ -0,0 +1,3 @@
+import python
+import experimental.dataflow.TestUtil.DataflowQueryTest
+import semmle.python.security.dataflow.PathInjectionQuery

python/ql/test/query-tests/Security/CWE-022-PathInjection/flask_path_injection.py

@@ -10,7 +10,7 @@ STATIC_DIR = "/server/static/"
 def download_file():
     filename = request.args.get('filename', '')
     # ok since `send_from_directory` ensure this stays within `STATIC_DIR`
-    return send_from_directory(STATIC_DIR, filename) # OK
+    return send_from_directory(STATIC_DIR, filename) # $result=OK
 
 
 # see https://flask.palletsprojects.com/en/1.1.x/api/#flask.send_from_directory
@@ -18,4 +18,4 @@ def download_file():
 def download_file():
     dirname = request.args.get('dirname', '')
     filename = request.args.get('filename', '')
-    return send_from_directory(dirname, filename) # NOT OK
+    return send_from_directory(dirname, filename) # $result=BAD result=OK(filename)

python/ql/test/query-tests/Security/CWE-022-PathInjection/path_injection.py

@@ -10,7 +10,7 @@ STATIC_DIR = "/server/static/"
 @app.route("/path1")
 def path_injection():
     filename = request.args.get('filename', '')
-    f = open(os.path.join(STATIC_DIR, filename)) # NOT OK
+    f = open(os.path.join(STATIC_DIR, filename)) # $result=BAD
 
 
 @app.route("/path2")
@@ -18,7 +18,7 @@ def path_injection():
     # Normalized, but not checked
     filename = request.args.get('filename', '')
     npath = os.path.normpath(os.path.join(STATIC_DIR, filename))
-    f = open(npath)  # NOT OK
+    f = open(npath)  # $result=BAD
 
 
 @app.route("/path3")
@@ -28,7 +28,7 @@ def unsafe_path_normpath():
     npath = os.path.normpath(os.path.join(STATIC_DIR, filename))
     if npath.startswith(STATIC_DIR):
         pass
-    f = open(npath)  # NOT OK
+    f = open(npath)  # $result=BAD
 
 
 @app.route("/path4")
@@ -37,7 +37,7 @@ def safe_path_normpath():
     filename = request.args.get('filename', '')
     npath = os.path.normpath(os.path.join(STATIC_DIR, filename))
     if npath.startswith(STATIC_DIR):
-        f = open(npath)  # OK
+        f = open(npath)  # $result=OK
 
 
 @app.route("/path5")
@@ -45,7 +45,7 @@ def unsafe_path_realpath():
     # Normalized (by `realpath` that also follows symlinks), but not checked properly
     filename = request.args.get('filename', '')
     npath = os.path.realpath(os.path.join(STATIC_DIR, filename))
-    f = open(npath)  # NOT OK
+    f = open(npath)  # $result=BAD
 
 
 @app.route("/path6")
@@ -54,7 +54,7 @@ def safe_path_realpath():
     filename = request.args.get('filename', '')
     npath = os.path.realpath(os.path.join(STATIC_DIR, filename))
     if npath.startswith(STATIC_DIR):
-        f = open(npath)  # OK
+        f = open(npath)  # $result=OK
 
 
 @app.route("/path6")
@@ -62,7 +62,7 @@ def unsafe_path_abspath():
     # Normalized (by `abspath`), but not checked properly
     filename = request.args.get('filename', '')
     npath = os.path.abspath(os.path.join(STATIC_DIR, filename))
-    f = open(npath)  # NOT OK
+    f = open(npath)  # $result=BAD
 
 
 @app.route("/path7")
@@ -71,7 +71,7 @@ def safe_path_abspath():
     filename = request.args.get('filename', '')
     npath = os.path.abspath(os.path.join(STATIC_DIR, filename))
     if npath.startswith(STATIC_DIR):
-        f = open(npath)  # OK
+        f = open(npath)  # $result=OK
 
 
 @app.route("/abspath_tricky")
@@ -84,14 +84,14 @@ def safe_path_abspath_tricky():
     filename = request.args.get('filename', '')
     possibly_unsafe_path = os.path.join(STATIC_DIR, filename)
     if os.path.abspath(possibly_unsafe_path).startswith(STATIC_DIR):
-        f = open(possibly_unsafe_path)  # OK
+        f = open(possibly_unsafe_path)  # $SPURIOUS: result=BAD
 
 
 @app.route("/int-only/<int:foo_id>")
 def flask_int_only(foo_id):
     # This is OK, since the flask routing ensures that `foo_id` MUST be an integer.
     path = os.path.join(STATIC_DIR, foo_id)
-    f = open(path)  # OK TODO: FP
+    f = open(path)  # $spurious: result=BAD
 
 
 @app.route("/not-path/<foo>")
@@ -99,7 +99,7 @@ def flask_not_path(foo):
     # On UNIX systems, this is OK, since without being marked as `<path:foo>`, flask
     # routing ensures that `foo` cannot contain forward slashes (not by using %2F either).
     path = os.path.join(STATIC_DIR, foo)
-    f = open(path)  # OK if only running on UNIX systems, NOT OK if could be running on windows
+    f = open(path)  # $result=BAD // OK if only running on UNIX systems, NOT OK if could be running on windows
 
 
 @app.route("/no-dot-dot")
@@ -110,7 +110,7 @@ def no_dot_dot():
     # handle if `filename` is an absolute path
     if '../' in path:
         return "not this time"
-    f = open(path)  # NOT OK
+    f = open(path)  # $result=BAD
 
 
 @app.route("/no-dot-dot-with-prefix")
@@ -121,7 +121,7 @@ def no_dot_dot_with_prefix():
     # Therefore, for UNIX-only programs, the `../` check is enough to stop path injections.
     if '../' in path:
         return "not this time"
-    f = open(path)  # OK if only running on UNIX systems, NOT OK if could be running on windows
+    f = open(path)  # $result=BAD // OK if only running on UNIX systems, NOT OK if could be running on windows
 
 
 @app.route("/replace-slash")
@@ -129,7 +129,7 @@ def replace_slash():
     filename = request.args.get('filename', '')
     path = os.path.join(STATIC_DIR, filename)
     sanitized = path.replace("/", "_")
-    f = open(sanitized)  # OK if only running on UNIX systems, NOT OK if could be running on windows
+    f = open(sanitized)  # $result=BAD // OK if only running on UNIX systems, NOT OK if could be running on windows
 
 
 @app.route("/stackoverflow-solution")
@@ -139,7 +139,7 @@ def stackoverflow_solution():
     path = os.path.join(STATIC_DIR, filename)
     if os.path.commonprefix((os.path.realpath(path), STATIC_DIR)) != STATIC_DIR:
         return "not this time"
-    f = open(path) # OK TODO: FP
+    f = open(path) # $SPURIOUS: result=BAD
 
 
 SAFE_FILES = ['foo', 'bar', 'baz']
@@ -149,4 +149,4 @@ def safe_set_of_files():
     filename = request.args.get('filename', '')
     if filename in SAFE_FILES:
         path = os.path.join(STATIC_DIR, filename)
-        f = open(path) # OK TODO: FP
+        f = open(path) # $SPURIOUS: result=BAD

python/ql/test/query-tests/Security/CWE-022-PathInjection/test.py

@@ -16,21 +16,21 @@ def normalize(x):
 @app.route("/path")
 def simple():
     x = source()
-    open(x)  # NOT OK
+    open(x)  # $result=BAD
 
 
 @app.route("/path")
 def normalization():
     x = source()
     y = normalize(x)
-    open(y)  # NOT OK
+    open(y)  # $result=BAD
 
 
 @app.route("/path")
 def check():
     x = source()
     if x.startswith("subfolder/"):
-        open(x)  # NOT OK
+        open(x)  # $result=BAD
 
 
 @app.route("/path")
@@ -38,7 +38,7 @@ def normalize_then_check():
     x = source()
     y = normalize(x)
     if y.startswith("subfolder/"):
-        open(y)  # OK
+        open(y)  # $result=OK
 
 
 @app.route("/path")
@@ -46,4 +46,4 @@ def check_then_normalize():
     x = source()
     if x.startswith("subfolder/"):
         y = normalize(x)
-        open(y)  # NOT OK
+        open(y)  # $result=BAD

python/ql/test/query-tests/Security/CWE-022-PathInjection/test_chaining.py

@@ -20,7 +20,7 @@ def normalize_then_check():
     x = source()
     y = normalize(x)  # <--- this call...
     if y.startswith("subfolder/"):
-        open(y)  # OK
+        open(y)  # $result=OK
 
 
 @app.route("/path")
@@ -29,7 +29,7 @@ def normalize_check_normalize():
     y = normalize(x)  # (...or this call...)
     if y.startswith("subfolder/"):
         z = normalize(y)  # <--- ...can jump to here, resulting in FP
-        open(z)  # OK
+        open(z)  # $result=OK
 
 
 # The problem does not manifest if we simply define an alias
@@ -42,4 +42,4 @@ def normalize_check_normalize_alias():
     y = normpath(x)
     if y.startswith("subfolder/"):
         z = normpath(y)
-        open(z)  # OK
+        open(z)  # $result=OK

python/ql/test/query-tests/Security/CWE-078-CommandInjection/DataflowQueryTest.expected

@@ -0,0 +1,2 @@
+missingAnnotationOnSink
+failures

python/ql/test/query-tests/Security/CWE-078-CommandInjection/DataflowQueryTest.ql

@@ -0,0 +1,3 @@
+import python
+import experimental.dataflow.TestUtil.DataflowQueryTest
+import semmle.python.security.dataflow.CommandInjectionQuery

python/ql/test/query-tests/Security/CWE-078-CommandInjection/command_injection.py

@@ -10,27 +10,27 @@ app = Flask(__name__)
 def command_injection1():
     files = request.args.get('files', '')
     # Don't let files be `; rm -rf /`
-    os.system("ls " + files)
+    os.system("ls " + files) # $result=BAD
 
 
 @app.route("/command2")
 def command_injection2():
     files = request.args.get('files', '')
     # Don't let files be `; rm -rf /`
-    subprocess.Popen("ls " + files, shell=True)
+    subprocess.Popen("ls " + files, shell=True) # $result=BAD
 
 
 @app.route("/command3")
 def first_arg_injection():
     cmd = request.args.get('cmd', '')
-    subprocess.Popen([cmd, "param1"])
+    subprocess.Popen([cmd, "param1"]) # $result=BAD
 
 
 @app.route("/other_cases")
 def others():
     files = request.args.get('files', '')
     # Don't let files be `; rm -rf /`
-    os.popen("ls " + files)
+    os.popen("ls " + files) # $result=BAD
 
 
 @app.route("/multiple")
@@ -38,8 +38,8 @@ def multiple():
     command = request.args.get('command', '')
     # We should mark flow to both calls here, which conflicts with removing flow out of
     # a sink due to use-use flow.
-    os.system(command)
-    os.system(command)
+    os.system(command) # $result=BAD
+    os.system(command) # $result=BAD
 
 
 @app.route("/not-into-sink-impl")
@@ -52,11 +52,11 @@ def not_into_sink_impl():
     subprocess.call implementation: https://github.com/python/cpython/blob/fa7ce080175f65d678a7d5756c94f82887fc9803/Lib/subprocess.py#L341
     """
     command = request.args.get('command', '')
-    os.system(command)
-    os.popen(command)
-    subprocess.call(command)
-    subprocess.check_call(command)
-    subprocess.run(command)
+    os.system(command) # $result=BAD
+    os.popen(command) # $result=BAD
+    subprocess.call(command) # $result=BAD
+    subprocess.check_call(command) # $result=BAD
+    subprocess.run(command) # $result=BAD
 
 
 @app.route("/path-exists-not-sanitizer")
@@ -70,11 +70,11 @@ def path_exists_not_sanitizer():
     """
     path = request.args.get('path', '')
     if os.path.exists(path):
-        os.system("ls " + path) # NOT OK
+        os.system("ls " + path) # $result=BAD
 
 
 @app.route("/restricted-characters")
 def restricted_characters():
     path = request.args.get('path', '')
     if re.match(r'^[a-zA-Z0-9_-]+$', path):
-        os.system("ls " + path) # OK (TODO: Currently FP)
+        os.system("ls " + path) # $SPURIOUS: result=BAD

python/ql/test/query-tests/Security/CWE-285-PamAuthorization/PamAuthorization.expected

@@ -1 +1,16 @@
-| pam_test.py:48:18:48:44 | ControlFlowNode for pam_authenticate() | This PAM authentication call may lead to an authorization bypass, since 'pam_acct_mgmt' is not called afterwards. |
+edges
+| pam_test.py:0:0:0:0 | ModuleVariableNode for pam_test.request | pam_test.py:71:16:71:22 | ControlFlowNode for request |
+| pam_test.py:4:26:4:32 | ControlFlowNode for ImportMember | pam_test.py:4:26:4:32 | GSSA Variable request |
+| pam_test.py:4:26:4:32 | GSSA Variable request | pam_test.py:0:0:0:0 | ModuleVariableNode for pam_test.request |
+| pam_test.py:71:16:71:22 | ControlFlowNode for request | pam_test.py:71:16:71:27 | ControlFlowNode for Attribute |
+| pam_test.py:71:16:71:27 | ControlFlowNode for Attribute | pam_test.py:76:14:76:40 | ControlFlowNode for pam_authenticate() |
+nodes
+| pam_test.py:0:0:0:0 | ModuleVariableNode for pam_test.request | semmle.label | ModuleVariableNode for pam_test.request |
+| pam_test.py:4:26:4:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
+| pam_test.py:4:26:4:32 | GSSA Variable request | semmle.label | GSSA Variable request |
+| pam_test.py:71:16:71:22 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| pam_test.py:71:16:71:27 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| pam_test.py:76:14:76:40 | ControlFlowNode for pam_authenticate() | semmle.label | ControlFlowNode for pam_authenticate() |
+subpaths
+#select
+| pam_test.py:76:14:76:40 | ControlFlowNode for pam_authenticate() | pam_test.py:4:26:4:32 | ControlFlowNode for ImportMember | pam_test.py:76:14:76:40 | ControlFlowNode for pam_authenticate() | This PAM authentication depends on a $@, and 'pam_acct_mgmt' is not called afterwards. | pam_test.py:4:26:4:32 | ControlFlowNode for ImportMember | user-provided value |

python/ql/test/query-tests/Security/CWE-285-PamAuthorization/pam_test.py

@@ -1,6 +1,7 @@
 from ctypes import CDLL, POINTER, Structure, byref
 from ctypes import c_char_p, c_int
 from ctypes.util import find_library
+from flask import Flask, request, redirect
 
 
 class PamHandle(Structure):
@@ -38,26 +39,57 @@ pam_acct_mgmt.restype = c_int
 pam_acct_mgmt.argtypes = [PamHandle, c_int]
 
 
-class pam():
+def authenticate_bad_but_no_alert(self, username, service='login'):
+    # This is not OK, but since we don't have flow from a remote-flow-source, we
+    # don't give an alert.
+    handle = PamHandle()
+    conv = PamConv(None, 0)
+    retval = pam_start(service, username, byref(conv), byref(handle))
+    retval = pam_authenticate(handle, 0)
+    # NOT OK: no call to `pam_acct_mgmt`
+    auth_success = retval == 0
 
-    def authenticate_bad(self, username, service='login'):
-        handle = PamHandle()
-        conv = PamConv(None, 0)
-        retval = pam_start(service, username, byref(conv), byref(handle))
+    return auth_success
 
-        retval = pam_authenticate(handle, 0)
-        auth_success = retval == 0
 
-        return auth_success
+def authenticate_good(self, username, service='login'):
+    handle = PamHandle()
+    conv = PamConv(None, 0)
+    retval = pam_start(service, username, byref(conv), byref(handle))
 
-    def authenticate_good(self, username, service='login'):
-        handle = PamHandle()
-        conv = PamConv(None, 0)
-        retval = pam_start(service, username, byref(conv), byref(handle))
+    retval = pam_authenticate(handle, 0)
+    if retval == 0:
+        retval = pam_acct_mgmt(handle, 0)
+    auth_success = retval == 0
 
-        retval = pam_authenticate(handle, 0)
-        if retval == 0:
-            retval = pam_acct_mgmt(handle, 0)
-        auth_success = retval == 0
+    return auth_success
 
-        return auth_success
+
+app = Flask(__name__)
+@app.route('/bad')
+def bad():
+    username = request.args.get('username', '')
+    handle = PamHandle()
+    conv = PamConv(None, 0)
+    retval = pam_start(service, username, byref(conv), byref(handle))
+
+    retval = pam_authenticate(handle, 0)
+    # NOT OK: no call to `pam_acct_mgmt`
+    auth_success = retval == 0
+
+    return auth_success
+
+
+@app.route('/good')
+def good():
+    username = request.args.get('username', '')
+    handle = PamHandle()
+    conv = PamConv(None, 0)
+    retval = pam_start(service, username, byref(conv), byref(handle))
+
+    retval = pam_authenticate(handle, 0)
+    if retval == 0:
+        retval = pam_acct_mgmt(handle, 0)
+    auth_success = retval == 0
+
+    return auth_success

python/ql/test/query-tests/Variables/unused/variables_test.py

@@ -127,7 +127,7 @@ def decorated_inner_function():
 
 
 
-#FP observed https://lgtm.com/projects/g/torchbox/wagtail/alerts/ 
+#FP observed
 def test_dict_unpacking(queryset, field_name, value):
     #True positive
     for tag in value.split(','):

python/ql/test/query-tests/analysis/suppression/AlertSuppression.expected

@@ -14,7 +14,11 @@
 | test.py:18:4:18:12 | Comment #    lgtm |     lgtm | lgtm | test.py:18:1:18:12 | suppression range |
 | test.py:19:4:19:31 | Comment # lgtm    [py/line-too-long] |  lgtm    [py/line-too-long] | lgtm    [py/line-too-long] | test.py:19:1:19:31 | suppression range |
 | test.py:20:4:20:14 | Comment # lgtm lgtm |  lgtm lgtm | lgtm | test.py:20:1:20:14 | suppression range |
+| test.py:23:1:23:41 | Comment #lgtm -- Ignore this -- No line or scope. | lgtm -- Ignore this -- No line or scope. | lgtm | test.py:23:1:23:41 | suppression range |
+| test.py:23:1:23:41 | Comment #lgtm -- Ignore this -- No line or scope. | lgtm -- Ignore this -- No line or scope. | lgtm | test.py:24:0:24:0 | suppression range |
 | test.py:27:12:27:23 | Comment #lgtm [func] | lgtm [func] | lgtm [func] | test.py:27:1:27:23 | suppression range |
+| test.py:28:5:28:70 | Comment # lgtm -- Blank line (ignore for now, maybe scope wide in future). |  lgtm -- Blank line (ignore for now, maybe scope wide in future). | lgtm | test.py:28:1:28:70 | suppression range |
+| test.py:28:5:28:70 | Comment # lgtm -- Blank line (ignore for now, maybe scope wide in future). |  lgtm -- Blank line (ignore for now, maybe scope wide in future). | lgtm | test.py:29:0:29:0 | suppression range |
 | test.py:29:17:29:35 | Comment # lgtm on docstring |  lgtm on docstring | lgtm | test.py:29:1:29:35 | suppression range |
 | test.py:30:16:30:47 | Comment #lgtm [py/duplicate-key-in-dict] | lgtm [py/duplicate-key-in-dict] | lgtm [py/duplicate-key-in-dict] | test.py:30:1:30:47 | suppression range |
 | test.py:35:10:35:21 | Comment # lgtm class |  lgtm class | lgtm | test.py:35:1:35:21 | suppression range |
@@ -22,6 +26,8 @@
 | test.py:39:4:39:8 | Comment #noqa | noqa | lgtm | test.py:39:1:39:8 | suppression range |
 | test.py:40:4:40:9 | Comment # noqa |  noqa | lgtm | test.py:40:1:40:9 | suppression range |
 | test.py:45:4:45:31 | Comment # noqa -- Some extra detail. |  noqa -- Some extra detail. | lgtm | test.py:45:1:45:31 | suppression range |
+| test.py:49:1:49:10 | Comment #LGTM-1929 | LGTM-1929 | LGTM | test.py:49:1:49:10 | suppression range |
+| test.py:49:1:49:10 | Comment #LGTM-1929 | LGTM-1929 | LGTM | test.py:50:0:50:0 | suppression range |
 | test.py:50:34:50:117 | Comment # noqa: E501; (line too long) pylint: disable=invalid-name; lgtm [py/missing-equals] |  noqa: E501; (line too long) pylint: disable=invalid-name; lgtm [py/missing-equals] | lgtm [py/missing-equals] | test.py:50:1:50:117 | suppression range |
 | test.py:52:4:52:67 | Comment # noqa: E501; (line too long) pylint: disable=invalid-name; lgtm |  noqa: E501; (line too long) pylint: disable=invalid-name; lgtm | lgtm | test.py:52:1:52:67 | suppression range |
 | test.py:53:4:53:78 | Comment # random nonsense lgtm [py/missing-equals] and then some more commentary... |  random nonsense lgtm [py/missing-equals] and then some more commentary... | lgtm [py/missing-equals] | test.py:53:1:53:78 | suppression range |
@@ -31,6 +37,9 @@
 | test.py:65:4:65:60 | Comment # lgtm[py/line-too-long] and lgtm[py/non-callable-called] |  lgtm[py/line-too-long] and lgtm[py/non-callable-called] | lgtm[py/non-callable-called] | test.py:65:1:65:60 | suppression range |
 | test.py:66:4:66:33 | Comment # lgtm[py/line-too-long]; lgtm |  lgtm[py/line-too-long]; lgtm | lgtm | test.py:66:1:66:33 | suppression range |
 | test.py:66:4:66:33 | Comment # lgtm[py/line-too-long]; lgtm |  lgtm[py/line-too-long]; lgtm | lgtm[py/line-too-long] | test.py:66:1:66:33 | suppression range |
+| test.py:69:1:69:26 | Comment # codeql[py/line-too-long] |  codeql[py/line-too-long] | lgtm[py/line-too-long] | test.py:70:0:70:0 | suppression range |
+| test.py:71:1:71:25 | Comment #CODEQL[py/line-too-long] | CODEQL[py/line-too-long] | lgtm[py/line-too-long] | test.py:72:0:72:0 | suppression range |
+| test.py:73:1:73:63 | Comment # codeql[py/line-too-long] -- because I know better than codeql |  codeql[py/line-too-long] -- because I know better than codeql | lgtm[py/line-too-long] | test.py:74:0:74:0 | suppression range |
 | testWindows.py:4:4:4:9 | Comment # lgtm |  lgtm | lgtm | testWindows.py:4:1:4:9 | suppression range |
 | testWindows.py:5:4:5:27 | Comment # lgtm[py/line-too-long] |  lgtm[py/line-too-long] | lgtm[py/line-too-long] | testWindows.py:5:1:5:27 | suppression range |
 | testWindows.py:6:4:6:51 | Comment # lgtm[py/line-too-long, py/non-callable-called] |  lgtm[py/line-too-long, py/non-callable-called] | lgtm[py/line-too-long, py/non-callable-called] | testWindows.py:6:1:6:51 | suppression range |
@@ -47,14 +56,22 @@
 | testWindows.py:18:4:18:12 | Comment #    lgtm |     lgtm | lgtm | testWindows.py:18:1:18:12 | suppression range |
 | testWindows.py:19:4:19:31 | Comment # lgtm    [py/line-too-long] |  lgtm    [py/line-too-long] | lgtm    [py/line-too-long] | testWindows.py:19:1:19:31 | suppression range |
 | testWindows.py:20:4:20:14 | Comment # lgtm lgtm |  lgtm lgtm | lgtm | testWindows.py:20:1:20:14 | suppression range |
+| testWindows.py:23:1:23:41 | Comment #lgtm -- Ignore this -- No line or scope. | lgtm -- Ignore this -- No line or scope. | lgtm | testWindows.py:23:1:23:41 | suppression range |
+| testWindows.py:23:1:23:41 | Comment #lgtm -- Ignore this -- No line or scope. | lgtm -- Ignore this -- No line or scope. | lgtm | testWindows.py:24:0:24:0 | suppression range |
 | testWindows.py:27:12:27:23 | Comment #lgtm [func] | lgtm [func] | lgtm [func] | testWindows.py:27:1:27:23 | suppression range |
+| testWindows.py:28:5:28:70 | Comment # lgtm -- Blank line (ignore for now, maybe scope wide in future). |  lgtm -- Blank line (ignore for now, maybe scope wide in future). | lgtm | testWindows.py:28:1:28:70 | suppression range |
+| testWindows.py:28:5:28:70 | Comment # lgtm -- Blank line (ignore for now, maybe scope wide in future). |  lgtm -- Blank line (ignore for now, maybe scope wide in future). | lgtm | testWindows.py:29:0:29:0 | suppression range |
 | testWindows.py:29:17:29:35 | Comment # lgtm on docstring |  lgtm on docstring | lgtm | testWindows.py:29:1:29:35 | suppression range |
 | testWindows.py:30:16:30:47 | Comment #lgtm [py/duplicate-key-in-dict] | lgtm [py/duplicate-key-in-dict] | lgtm [py/duplicate-key-in-dict] | testWindows.py:30:1:30:47 | suppression range |
 | testWindows.py:35:10:35:21 | Comment # lgtm class |  lgtm class | lgtm | testWindows.py:35:1:35:21 | suppression range |
 | testWindows.py:36:21:36:33 | Comment # lgtm method |  lgtm method | lgtm | testWindows.py:36:1:36:33 | suppression range |
 | testWindows.py:39:3:39:7 | Comment #noqa | noqa | lgtm | testWindows.py:39:1:39:7 | suppression range |
 | testWindows.py:40:4:40:9 | Comment # noqa |  noqa | lgtm | testWindows.py:40:1:40:9 | suppression range |
+| testWindows.py:45:1:45:28 | Comment # noqa -- Some extra detail. |  noqa -- Some extra detail. | lgtm | testWindows.py:45:1:45:28 | suppression range |
 | testWindows.py:48:4:48:60 | Comment # lgtm[py/line-too-long] and lgtm[py/non-callable-called] |  lgtm[py/line-too-long] and lgtm[py/non-callable-called] | lgtm[py/line-too-long] | testWindows.py:48:1:48:60 | suppression range |
 | testWindows.py:48:4:48:60 | Comment # lgtm[py/line-too-long] and lgtm[py/non-callable-called] |  lgtm[py/line-too-long] and lgtm[py/non-callable-called] | lgtm[py/non-callable-called] | testWindows.py:48:1:48:60 | suppression range |
 | testWindows.py:49:4:49:33 | Comment # lgtm[py/line-too-long]; lgtm |  lgtm[py/line-too-long]; lgtm | lgtm | testWindows.py:49:1:49:33 | suppression range |
 | testWindows.py:49:4:49:33 | Comment # lgtm[py/line-too-long]; lgtm |  lgtm[py/line-too-long]; lgtm | lgtm[py/line-too-long] | testWindows.py:49:1:49:33 | suppression range |
+| testWindows.py:52:1:52:26 | Comment # codeql[py/line-too-long] |  codeql[py/line-too-long] | lgtm[py/line-too-long] | testWindows.py:53:0:53:0 | suppression range |
+| testWindows.py:54:1:54:25 | Comment #CODEQL[py/line-too-long] | CODEQL[py/line-too-long] | lgtm[py/line-too-long] | testWindows.py:55:0:55:0 | suppression range |
+| testWindows.py:56:1:56:63 | Comment # codeql[py/line-too-long] -- because I know better than codeql |  codeql[py/line-too-long] -- because I know better than codeql | lgtm[py/line-too-long] | testWindows.py:57:0:57:0 | suppression range |

python/ql/test/query-tests/analysis/suppression/AlertSuppression.qlref

@@ -1 +1 @@
-analysis/AlertSuppression.ql
+AlertSuppression.ql

python/ql/test/query-tests/analysis/suppression/test.py

@@ -64,3 +64,12 @@ class frozenbidict(BidictBase):  # noqa: E501; (line too long) pylint: disable=i
 
 "" # lgtm[py/line-too-long] and lgtm[py/non-callable-called]
 "" # lgtm[py/line-too-long]; lgtm
+
+#CodeQL comments
+# codeql[py/line-too-long]
+""
+#CODEQL[py/line-too-long]
+""
+# codeql[py/line-too-long] -- because I know better than codeql
+""
+"" # codeql[py/line-too-long]

python/ql/test/query-tests/analysis/suppression/testWindows.py

@@ -47,3 +47,12 @@ class C: # lgtm class
 
 "" # lgtm[py/line-too-long] and lgtm[py/non-callable-called]
 "" # lgtm[py/line-too-long]; lgtm
+
+#CodeQL comments
+# codeql[py/line-too-long]
+""
+#CODEQL[py/line-too-long]
+""
+# codeql[py/line-too-long] -- because I know better than codeql
+""
+"" # codeql[py/line-too-long]