Merge branch 'main' into tutorial/library-pack

2026-04-28 18:25:24 +02:00 · 2023-01-03 14:08:37 -08:00
parent d2ee8c08c0 c5138674a4
commit 9988c19a42
406 changed files with 26663 additions and 5387 deletions
--- a/javascript/ql/src/AlertSuppression.ql
+++ b/javascript/ql/src/AlertSuppression.ql
@@ -5,10 +5,20 @@
 * @id js/alert-suppression
 */

-private import codeql.suppression.AlertSuppression as AS
+private import codeql.util.suppression.AlertSuppression as AS
 private import javascript as JS

-class SingleLineComment extends JS::Locatable {
+class AstNode extends JS::Locatable {
+  AstNode() { not this.(JS::HTML::TextNode).getText().regexpMatch("\\s*") }
+
+  predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
+}
+
+class SingleLineComment extends AstNode {
  private string text;

  SingleLineComment() {
@@ -20,13 +30,7 @@ class SingleLineComment extends JS::Locatable {
    not text.matches("%\n%")
  }

-  predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  ) {
-    this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-  }
-
  string getText() { result = text }
 }

-import AS::Make<SingleLineComment>
+import AS::Make<AstNode, SingleLineComment>
--- a/javascript/ql/src/Security/CWE-201/examples/PostMessageStarGood.js
+++ b/javascript/ql/src/Security/CWE-201/examples/PostMessageStarGood.js
@@ -1 +1 @@
-window.parent.postMessage(userName, 'https://lgtm.com');
+window.parent.postMessage(userName, 'https://github.com');
--- a/javascript/ql/src/Security/CWE-754/examples/UnvalidatedDynamicMethodCallGood.js
+++ b/javascript/ql/src/Security/CWE-754/examples/UnvalidatedDynamicMethodCallGood.js
@@ -2,10 +2,10 @@ var express = require('express');
 var app = express();

 var actions = new Map();
-actions.put("play", function play(data) {
+actions.set("play", function play(data) {
  // ...
 });
-actions.put("pause", function pause(data) {
+actions.set("pause", function pause(data) {
  // ...
 });

--- a/javascript/ql/src/change-notes/2022-12-19-alert-suppressions.md
+++ b/javascript/ql/src/change-notes/2022-12-19-alert-suppressions.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `AlertSuppression.ql` query has been updated to support the new `// codeql[query-id]` supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy `// lgtm` and `// lgtm[query-id]` comments can now also be place on the line before an alert.
--- a/javascript/ql/test/library-tests/frameworks/ReactNative/WebView.expected
+++ b/javascript/ql/test/library-tests/frameworks/ReactNative/WebView.expected
@@ -1 +1 @@
-| webview.js:6:12:6:56 | <WebVie ... om'}}/> |
+| webview.js:6:12:6:58 | <WebVie ... om'}}/> |
--- a/javascript/ql/test/library-tests/frameworks/ReactNative/webview.js
+++ b/javascript/ql/test/library-tests/frameworks/ReactNative/webview.js
@@ -1,8 +1,8 @@
 import { Component } from 'react';
 import { WebView } from 'react-native';

-class LgtmView extends Component {
+class CodeQLView extends Component {
  render() {
-    return <WebView source={{uri: 'https://lgtm.com'}}/>;
+    return <WebView source={{uri: 'https://github.com'}}/>;
  }
 }
--- a/javascript/ql/test/query-tests/AlertSuppression/AlertSuppression.expected
+++ b/javascript/ql/test/query-tests/AlertSuppression/AlertSuppression.expected
@@ -1,60 +1,126 @@
-| tst.html:5:30:5:42 | <!-- lgtm --> |  lgtm  | lgtm | tst.html:5:1:5:42 | suppression range |
+| tst.html:4:5:4:36 | <!-- codeql[js/duplicate-id] --> |  codeql[js/duplicate-id]  | lgtm[js/duplicate-id] | tst.html:5:0:5:0 | suppression range |
+| tst.html:6:30:6:42 | <!-- lgtm --> |  lgtm  | lgtm | tst.html:6:1:6:42 | suppression range |
 | tst.js:1:11:1:17 | // lgtm |  lgtm | lgtm | tst.js:1:1:1:17 | suppression range |
 | tst.js:2:1:2:30 | // lgtm ... tement] |  lgtm[js/debugger-statement] | lgtm[js/debugger-statement] | tst.js:2:1:2:30 | suppression range |
+| tst.js:2:1:2:30 | // lgtm ... tement] |  lgtm[js/debugger-statement] | lgtm[js/debugger-statement] | tst.js:3:0:3:0 | suppression range |
 | tst.js:3:1:3:61 | // lgtm ... nction] |  lgtm[js/debugger-statement, js/invocation-of-non-function] | lgtm[js/debugger-statement, js/invocation-of-non-function] | tst.js:3:1:3:61 | suppression range |
+| tst.js:3:1:3:61 | // lgtm ... nction] |  lgtm[js/debugger-statement, js/invocation-of-non-function] | lgtm[js/debugger-statement, js/invocation-of-non-function] | tst.js:4:0:4:0 | suppression range |
 | tst.js:4:1:4:22 | // lgtm ... llness] |  lgtm[@tag:nullness] | lgtm[@tag:nullness] | tst.js:4:1:4:22 | suppression range |
+| tst.js:4:1:4:22 | // lgtm ... llness] |  lgtm[@tag:nullness] | lgtm[@tag:nullness] | tst.js:5:0:5:0 | suppression range |
 | tst.js:5:1:5:44 | // lgtm ... tement] |  lgtm[@tag:nullness,js/debugger-statement] | lgtm[@tag:nullness,js/debugger-statement] | tst.js:5:1:5:44 | suppression range |
+| tst.js:5:1:5:44 | // lgtm ... tement] |  lgtm[@tag:nullness,js/debugger-statement] | lgtm[@tag:nullness,js/debugger-statement] | tst.js:6:0:6:0 | suppression range |
 | tst.js:6:1:6:28 | // lgtm ... -06-11] |  lgtm[@expires:2017-06-11] | lgtm[@expires:2017-06-11] | tst.js:6:1:6:28 | suppression range |
+| tst.js:6:1:6:28 | // lgtm ... -06-11] |  lgtm[@expires:2017-06-11] | lgtm[@expires:2017-06-11] | tst.js:7:0:7:0 | suppression range |
 | tst.js:7:1:7:70 | // lgtm ... an lgtm |  lgtm[js/invocation-of-non-function] because I know better than lgtm | lgtm[js/invocation-of-non-function] | tst.js:7:1:7:70 | suppression range |
+| tst.js:7:1:7:70 | // lgtm ... an lgtm |  lgtm[js/invocation-of-non-function] because I know better than lgtm | lgtm[js/invocation-of-non-function] | tst.js:8:0:8:0 | suppression range |
 | tst.js:8:1:8:18 | // lgtm: blah blah |  lgtm: blah blah | lgtm | tst.js:8:1:8:18 | suppression range |
+| tst.js:8:1:8:18 | // lgtm: blah blah |  lgtm: blah blah | lgtm | tst.js:9:0:9:0 | suppression range |
 | tst.js:9:1:9:32 | // lgtm ... ositive |  lgtm blah blah #falsepositive | lgtm | tst.js:9:1:9:32 | suppression range |
+| tst.js:9:1:9:32 | // lgtm ... ositive |  lgtm blah blah #falsepositive | lgtm | tst.js:10:0:10:0 | suppression range |
 | tst.js:10:1:10:39 | //lgtm  ... nction] | lgtm  [js/invocation-of-non-function] | lgtm  [js/invocation-of-non-function] | tst.js:10:1:10:39 | suppression range |
+| tst.js:10:1:10:39 | //lgtm  ... nction] | lgtm  [js/invocation-of-non-function] | lgtm  [js/invocation-of-non-function] | tst.js:11:0:11:0 | suppression range |
 | tst.js:11:1:11:10 | /* lgtm */ |  lgtm  | lgtm | tst.js:11:1:11:10 | suppression range |
+| tst.js:11:1:11:10 | /* lgtm */ |  lgtm  | lgtm | tst.js:12:0:12:0 | suppression range |
 | tst.js:12:1:12:9 | // lgtm[] |  lgtm[] | lgtm[] | tst.js:12:1:12:9 | suppression range |
+| tst.js:12:1:12:9 | // lgtm[] |  lgtm[] | lgtm[] | tst.js:13:0:13:0 | suppression range |
 | tst.js:14:1:14:6 | //lgtm | lgtm | lgtm | tst.js:14:1:14:6 | suppression range |
+| tst.js:14:1:14:6 | //lgtm | lgtm | lgtm | tst.js:15:0:15:0 | suppression range |
 | tst.js:15:1:15:7 | //\\tlgtm | \tlgtm | lgtm | tst.js:15:1:15:7 | suppression range |
+| tst.js:15:1:15:7 | //\\tlgtm | \tlgtm | lgtm | tst.js:16:0:16:0 | suppression range |
 | tst.js:16:1:16:31 | // lgtm ... tement] |  lgtm\t[js/debugger-statement] | lgtm\t[js/debugger-statement] | tst.js:16:1:16:31 | suppression range |
+| tst.js:16:1:16:31 | // lgtm ... tement] |  lgtm\t[js/debugger-statement] | lgtm\t[js/debugger-statement] | tst.js:17:0:17:0 | suppression range |
 | tst.js:19:1:19:12 | // foo; lgtm |  foo; lgtm | lgtm | tst.js:19:1:19:12 | suppression range |
+| tst.js:19:1:19:12 | // foo; lgtm |  foo; lgtm | lgtm | tst.js:20:0:20:0 | suppression range |
 | tst.js:20:1:20:35 | // foo; ... tement] |  foo; lgtm[js/debugger-statement] | lgtm[js/debugger-statement] | tst.js:20:1:20:35 | suppression range |
+| tst.js:20:1:20:35 | // foo; ... tement] |  foo; lgtm[js/debugger-statement] | lgtm[js/debugger-statement] | tst.js:21:0:21:0 | suppression range |
 | tst.js:22:1:22:34 | // foo  ... tement] |  foo lgtm[js/debugger-statement] | lgtm[js/debugger-statement] | tst.js:22:1:22:34 | suppression range |
+| tst.js:22:1:22:34 | // foo  ... tement] |  foo lgtm[js/debugger-statement] | lgtm[js/debugger-statement] | tst.js:23:0:23:0 | suppression range |
 | tst.js:24:1:24:38 | // foo  ... nt] bar |  foo lgtm[js/debugger-statement] bar | lgtm[js/debugger-statement] | tst.js:24:1:24:38 | suppression range |
+| tst.js:24:1:24:38 | // foo  ... nt] bar |  foo lgtm[js/debugger-statement] bar | lgtm[js/debugger-statement] | tst.js:25:0:25:0 | suppression range |
 | tst.js:25:1:25:8 | // LGTM! |  LGTM! | LGTM | tst.js:25:1:25:8 | suppression range |
+| tst.js:25:1:25:8 | // LGTM! |  LGTM! | LGTM | tst.js:26:0:26:0 | suppression range |
 | tst.js:26:1:26:30 | // LGTM ... tement] |  LGTM[js/debugger-statement] | LGTM[js/debugger-statement] | tst.js:26:1:26:30 | suppression range |
+| tst.js:26:1:26:30 | // LGTM ... tement] |  LGTM[js/debugger-statement] | LGTM[js/debugger-statement] | tst.js:27:0:27:0 | suppression range |
 | tst.js:27:1:27:70 | // lgtm ... nction] |  lgtm[js/debugger-statement] and lgtm[js/invocation-of-non-function] | lgtm[js/debugger-statement] | tst.js:27:1:27:70 | suppression range |
+| tst.js:27:1:27:70 | // lgtm ... nction] |  lgtm[js/debugger-statement] and lgtm[js/invocation-of-non-function] | lgtm[js/debugger-statement] | tst.js:28:0:28:0 | suppression range |
 | tst.js:27:1:27:70 | // lgtm ... nction] |  lgtm[js/debugger-statement] and lgtm[js/invocation-of-non-function] | lgtm[js/invocation-of-non-function] | tst.js:27:1:27:70 | suppression range |
+| tst.js:27:1:27:70 | // lgtm ... nction] |  lgtm[js/debugger-statement] and lgtm[js/invocation-of-non-function] | lgtm[js/invocation-of-non-function] | tst.js:28:0:28:0 | suppression range |
 | tst.js:28:1:28:36 | // lgtm ... ]; lgtm |  lgtm[js/debugger-statement]; lgtm | lgtm | tst.js:28:1:28:36 | suppression range |
+| tst.js:28:1:28:36 | // lgtm ... ]; lgtm |  lgtm[js/debugger-statement]; lgtm | lgtm | tst.js:29:0:29:0 | suppression range |
 | tst.js:28:1:28:36 | // lgtm ... ]; lgtm |  lgtm[js/debugger-statement]; lgtm | lgtm[js/debugger-statement] | tst.js:28:1:28:36 | suppression range |
+| tst.js:28:1:28:36 | // lgtm ... ]; lgtm |  lgtm[js/debugger-statement]; lgtm | lgtm[js/debugger-statement] | tst.js:29:0:29:0 | suppression range |
 | tst.js:29:1:29:12 | /* lgtm[] */ |  lgtm[]  | lgtm[] | tst.js:29:1:29:12 | suppression range |
+| tst.js:29:1:29:12 | /* lgtm[] */ |  lgtm[]  | lgtm[] | tst.js:30:0:30:0 | suppression range |
 | tst.js:30:1:30:41 | /* lgtm ... ion] */ |  lgtm[js/invocation-of-non-function]  | lgtm[js/invocation-of-non-function] | tst.js:30:1:30:41 | suppression range |
+| tst.js:30:1:30:41 | /* lgtm ... ion] */ |  lgtm[js/invocation-of-non-function]  | lgtm[js/invocation-of-non-function] | tst.js:31:0:31:0 | suppression range |
 | tst.js:36:1:36:55 | /* lgtm ... ion] */ |  lgtm[@tag:nullness,js/invocation-of-non-function]  | lgtm[@tag:nullness,js/invocation-of-non-function] | tst.js:36:1:36:55 | suppression range |
+| tst.js:36:1:36:55 | /* lgtm ... ion] */ |  lgtm[@tag:nullness,js/invocation-of-non-function]  | lgtm[@tag:nullness,js/invocation-of-non-function] | tst.js:37:0:37:0 | suppression range |
 | tst.js:37:1:37:25 | /* lgtm ... ess] */ |  lgtm[@tag:nullness]  | lgtm[@tag:nullness] | tst.js:37:1:37:25 | suppression range |
-| tstWindows.html:5:30:5:42 | <!-- lgtm --> |  lgtm  | lgtm | tstWindows.html:5:1:5:42 | suppression range |
+| tst.js:37:1:37:25 | /* lgtm ... ess] */ |  lgtm[@tag:nullness]  | lgtm[@tag:nullness] | tst.js:38:0:38:0 | suppression range |
+| tst.js:38:1:38:32 | // code ... tement] |  codeql[js/debugger-statement] | lgtm[js/debugger-statement] | tst.js:39:0:39:0 | suppression range |
+| tst.js:39:1:39:32 | // CODE ... tement] |  CODEQL[js/debugger-statement] | lgtm[js/debugger-statement] | tst.js:40:0:40:0 | suppression range |
+| tst.js:40:1:40:69 | // code ...  codeql |  codeql[js/debugger-statement] -- because I know better than codeql | lgtm[js/debugger-statement] | tst.js:41:0:41:0 | suppression range |
+| tst.js:41:1:41:35 | /* code ... ent] */ |  codeql[js/debugger-statement]  | lgtm[js/debugger-statement] | tst.js:42:0:42:0 | suppression range |
+| tstWindows.html:4:5:4:36 | <!-- codeql[js/duplicate-id] --> |  codeql[js/duplicate-id]  | lgtm[js/duplicate-id] | tstWindows.html:5:0:5:0 | suppression range |
+| tstWindows.html:6:30:6:42 | <!-- lgtm --> |  lgtm  | lgtm | tstWindows.html:6:1:6:42 | suppression range |
 | tstWindows.js:1:11:1:17 | // lgtm |  lgtm | lgtm | tstWindows.js:1:1:1:17 | suppression range |
 | tstWindows.js:2:1:2:30 | // lgtm ... tement] |  lgtm[js/debugger-statement] | lgtm[js/debugger-statement] | tstWindows.js:2:1:2:30 | suppression range |
+| tstWindows.js:2:1:2:30 | // lgtm ... tement] |  lgtm[js/debugger-statement] | lgtm[js/debugger-statement] | tstWindows.js:3:0:3:0 | suppression range |
 | tstWindows.js:3:1:3:61 | // lgtm ... nction] |  lgtm[js/debugger-statement, js/invocation-of-non-function] | lgtm[js/debugger-statement, js/invocation-of-non-function] | tstWindows.js:3:1:3:61 | suppression range |
+| tstWindows.js:3:1:3:61 | // lgtm ... nction] |  lgtm[js/debugger-statement, js/invocation-of-non-function] | lgtm[js/debugger-statement, js/invocation-of-non-function] | tstWindows.js:4:0:4:0 | suppression range |
 | tstWindows.js:4:1:4:22 | // lgtm ... llness] |  lgtm[@tag:nullness] | lgtm[@tag:nullness] | tstWindows.js:4:1:4:22 | suppression range |
+| tstWindows.js:4:1:4:22 | // lgtm ... llness] |  lgtm[@tag:nullness] | lgtm[@tag:nullness] | tstWindows.js:5:0:5:0 | suppression range |
 | tstWindows.js:5:1:5:44 | // lgtm ... tement] |  lgtm[@tag:nullness,js/debugger-statement] | lgtm[@tag:nullness,js/debugger-statement] | tstWindows.js:5:1:5:44 | suppression range |
+| tstWindows.js:5:1:5:44 | // lgtm ... tement] |  lgtm[@tag:nullness,js/debugger-statement] | lgtm[@tag:nullness,js/debugger-statement] | tstWindows.js:6:0:6:0 | suppression range |
 | tstWindows.js:6:1:6:28 | // lgtm ... -06-11] |  lgtm[@expires:2017-06-11] | lgtm[@expires:2017-06-11] | tstWindows.js:6:1:6:28 | suppression range |
+| tstWindows.js:6:1:6:28 | // lgtm ... -06-11] |  lgtm[@expires:2017-06-11] | lgtm[@expires:2017-06-11] | tstWindows.js:7:0:7:0 | suppression range |
 | tstWindows.js:7:1:7:70 | // lgtm ... an lgtm |  lgtm[js/invocation-of-non-function] because I know better than lgtm | lgtm[js/invocation-of-non-function] | tstWindows.js:7:1:7:70 | suppression range |
+| tstWindows.js:7:1:7:70 | // lgtm ... an lgtm |  lgtm[js/invocation-of-non-function] because I know better than lgtm | lgtm[js/invocation-of-non-function] | tstWindows.js:8:0:8:0 | suppression range |
 | tstWindows.js:8:1:8:18 | // lgtm: blah blah |  lgtm: blah blah | lgtm | tstWindows.js:8:1:8:18 | suppression range |
+| tstWindows.js:8:1:8:18 | // lgtm: blah blah |  lgtm: blah blah | lgtm | tstWindows.js:9:0:9:0 | suppression range |
 | tstWindows.js:9:1:9:32 | // lgtm ... ositive |  lgtm blah blah #falsepositive | lgtm | tstWindows.js:9:1:9:32 | suppression range |
+| tstWindows.js:9:1:9:32 | // lgtm ... ositive |  lgtm blah blah #falsepositive | lgtm | tstWindows.js:10:0:10:0 | suppression range |
 | tstWindows.js:10:1:10:39 | //lgtm  ... nction] | lgtm  [js/invocation-of-non-function] | lgtm  [js/invocation-of-non-function] | tstWindows.js:10:1:10:39 | suppression range |
+| tstWindows.js:10:1:10:39 | //lgtm  ... nction] | lgtm  [js/invocation-of-non-function] | lgtm  [js/invocation-of-non-function] | tstWindows.js:11:0:11:0 | suppression range |
 | tstWindows.js:11:1:11:10 | /* lgtm */ |  lgtm  | lgtm | tstWindows.js:11:1:11:10 | suppression range |
+| tstWindows.js:11:1:11:10 | /* lgtm */ |  lgtm  | lgtm | tstWindows.js:12:0:12:0 | suppression range |
 | tstWindows.js:12:1:12:9 | // lgtm[] |  lgtm[] | lgtm[] | tstWindows.js:12:1:12:9 | suppression range |
+| tstWindows.js:12:1:12:9 | // lgtm[] |  lgtm[] | lgtm[] | tstWindows.js:13:0:13:0 | suppression range |
 | tstWindows.js:14:1:14:6 | //lgtm | lgtm | lgtm | tstWindows.js:14:1:14:6 | suppression range |
+| tstWindows.js:14:1:14:6 | //lgtm | lgtm | lgtm | tstWindows.js:15:0:15:0 | suppression range |
 | tstWindows.js:15:1:15:7 | //\\tlgtm | \tlgtm | lgtm | tstWindows.js:15:1:15:7 | suppression range |
+| tstWindows.js:15:1:15:7 | //\\tlgtm | \tlgtm | lgtm | tstWindows.js:16:0:16:0 | suppression range |
 | tstWindows.js:16:1:16:31 | // lgtm ... tement] |  lgtm\t[js/debugger-statement] | lgtm\t[js/debugger-statement] | tstWindows.js:16:1:16:31 | suppression range |
+| tstWindows.js:16:1:16:31 | // lgtm ... tement] |  lgtm\t[js/debugger-statement] | lgtm\t[js/debugger-statement] | tstWindows.js:17:0:17:0 | suppression range |
 | tstWindows.js:19:1:19:12 | // foo; lgtm |  foo; lgtm | lgtm | tstWindows.js:19:1:19:12 | suppression range |
+| tstWindows.js:19:1:19:12 | // foo; lgtm |  foo; lgtm | lgtm | tstWindows.js:20:0:20:0 | suppression range |
 | tstWindows.js:20:1:20:35 | // foo; ... tement] |  foo; lgtm[js/debugger-statement] | lgtm[js/debugger-statement] | tstWindows.js:20:1:20:35 | suppression range |
+| tstWindows.js:20:1:20:35 | // foo; ... tement] |  foo; lgtm[js/debugger-statement] | lgtm[js/debugger-statement] | tstWindows.js:21:0:21:0 | suppression range |
 | tstWindows.js:22:1:22:34 | // foo  ... tement] |  foo lgtm[js/debugger-statement] | lgtm[js/debugger-statement] | tstWindows.js:22:1:22:34 | suppression range |
+| tstWindows.js:22:1:22:34 | // foo  ... tement] |  foo lgtm[js/debugger-statement] | lgtm[js/debugger-statement] | tstWindows.js:23:0:23:0 | suppression range |
 | tstWindows.js:24:1:24:38 | // foo  ... nt] bar |  foo lgtm[js/debugger-statement] bar | lgtm[js/debugger-statement] | tstWindows.js:24:1:24:38 | suppression range |
+| tstWindows.js:24:1:24:38 | // foo  ... nt] bar |  foo lgtm[js/debugger-statement] bar | lgtm[js/debugger-statement] | tstWindows.js:25:0:25:0 | suppression range |
 | tstWindows.js:25:1:25:8 | // LGTM! |  LGTM! | LGTM | tstWindows.js:25:1:25:8 | suppression range |
+| tstWindows.js:25:1:25:8 | // LGTM! |  LGTM! | LGTM | tstWindows.js:26:0:26:0 | suppression range |
 | tstWindows.js:26:1:26:30 | // LGTM ... tement] |  LGTM[js/debugger-statement] | LGTM[js/debugger-statement] | tstWindows.js:26:1:26:30 | suppression range |
+| tstWindows.js:26:1:26:30 | // LGTM ... tement] |  LGTM[js/debugger-statement] | LGTM[js/debugger-statement] | tstWindows.js:27:0:27:0 | suppression range |
 | tstWindows.js:27:1:27:70 | // lgtm ... nction] |  lgtm[js/debugger-statement] and lgtm[js/invocation-of-non-function] | lgtm[js/debugger-statement] | tstWindows.js:27:1:27:70 | suppression range |
+| tstWindows.js:27:1:27:70 | // lgtm ... nction] |  lgtm[js/debugger-statement] and lgtm[js/invocation-of-non-function] | lgtm[js/debugger-statement] | tstWindows.js:28:0:28:0 | suppression range |
 | tstWindows.js:27:1:27:70 | // lgtm ... nction] |  lgtm[js/debugger-statement] and lgtm[js/invocation-of-non-function] | lgtm[js/invocation-of-non-function] | tstWindows.js:27:1:27:70 | suppression range |
+| tstWindows.js:27:1:27:70 | // lgtm ... nction] |  lgtm[js/debugger-statement] and lgtm[js/invocation-of-non-function] | lgtm[js/invocation-of-non-function] | tstWindows.js:28:0:28:0 | suppression range |
 | tstWindows.js:28:1:28:36 | // lgtm ... ]; lgtm |  lgtm[js/debugger-statement]; lgtm | lgtm | tstWindows.js:28:1:28:36 | suppression range |
+| tstWindows.js:28:1:28:36 | // lgtm ... ]; lgtm |  lgtm[js/debugger-statement]; lgtm | lgtm | tstWindows.js:29:0:29:0 | suppression range |
 | tstWindows.js:28:1:28:36 | // lgtm ... ]; lgtm |  lgtm[js/debugger-statement]; lgtm | lgtm[js/debugger-statement] | tstWindows.js:28:1:28:36 | suppression range |
+| tstWindows.js:28:1:28:36 | // lgtm ... ]; lgtm |  lgtm[js/debugger-statement]; lgtm | lgtm[js/debugger-statement] | tstWindows.js:29:0:29:0 | suppression range |
 | tstWindows.js:29:1:29:12 | /* lgtm[] */ |  lgtm[]  | lgtm[] | tstWindows.js:29:1:29:12 | suppression range |
+| tstWindows.js:29:1:29:12 | /* lgtm[] */ |  lgtm[]  | lgtm[] | tstWindows.js:30:0:30:0 | suppression range |
 | tstWindows.js:30:1:30:41 | /* lgtm ... ion] */ |  lgtm[js/invocation-of-non-function]  | lgtm[js/invocation-of-non-function] | tstWindows.js:30:1:30:41 | suppression range |
+| tstWindows.js:30:1:30:41 | /* lgtm ... ion] */ |  lgtm[js/invocation-of-non-function]  | lgtm[js/invocation-of-non-function] | tstWindows.js:31:0:31:0 | suppression range |
 | tstWindows.js:36:1:36:55 | /* lgtm ... ion] */ |  lgtm[@tag:nullness,js/invocation-of-non-function]  | lgtm[@tag:nullness,js/invocation-of-non-function] | tstWindows.js:36:1:36:55 | suppression range |
+| tstWindows.js:36:1:36:55 | /* lgtm ... ion] */ |  lgtm[@tag:nullness,js/invocation-of-non-function]  | lgtm[@tag:nullness,js/invocation-of-non-function] | tstWindows.js:37:0:37:0 | suppression range |
 | tstWindows.js:37:1:37:25 | /* lgtm ... ess] */ |  lgtm[@tag:nullness]  | lgtm[@tag:nullness] | tstWindows.js:37:1:37:25 | suppression range |
+| tstWindows.js:37:1:37:25 | /* lgtm ... ess] */ |  lgtm[@tag:nullness]  | lgtm[@tag:nullness] | tstWindows.js:38:0:38:0 | suppression range |
+| tstWindows.js:38:1:38:32 | // code ... tement] |  codeql[js/debugger-statement] | lgtm[js/debugger-statement] | tstWindows.js:39:0:39:0 | suppression range |
+| tstWindows.js:39:1:39:32 | // CODE ... tement] |  CODEQL[js/debugger-statement] | lgtm[js/debugger-statement] | tstWindows.js:40:0:40:0 | suppression range |
+| tstWindows.js:40:1:40:69 | // code ...  codeql |  codeql[js/debugger-statement] -- because I know better than codeql | lgtm[js/debugger-statement] | tstWindows.js:41:0:41:0 | suppression range |
+| tstWindows.js:41:1:41:35 | /* code ... ent] */ |  codeql[js/debugger-statement]  | lgtm[js/debugger-statement] | tstWindows.js:42:0:42:0 | suppression range |
--- a/javascript/ql/test/query-tests/AlertSuppression/tst.html
+++ b/javascript/ql/test/query-tests/AlertSuppression/tst.html
@@ -1,6 +1,7 @@
 <html>
  <head><title>Title</title></title>
  <body>
+    <!-- codeql[js/duplicate-id] -->
    <div id="duplicate-id"/>
    <div id="duplicate-id"/> <!-- lgtm -->
  </body>
--- a/javascript/ql/test/query-tests/AlertSuppression/tst.js
+++ b/javascript/ql/test/query-tests/AlertSuppression/tst.js
@@ -35,3 +35,10 @@ debugger; // lgtm
 */
 /* lgtm[@tag:nullness,js/invocation-of-non-function] */
 /* lgtm[@tag:nullness] */
+// codeql[js/debugger-statement]
+// CODEQL[js/debugger-statement]
+// codeql[js/debugger-statement] -- because I know better than codeql
+/* codeql[js/debugger-statement] */
+/* codeql[js/debugger-statement] 
+*/
+debugger; // codeql[js/debugger-statement]
--- a/javascript/ql/test/query-tests/AlertSuppression/tstWindows.html
+++ b/javascript/ql/test/query-tests/AlertSuppression/tstWindows.html
@@ -1,6 +1,7 @@
 <html>
  <head><title>Title</title></title>
  <body>
+    <!-- codeql[js/duplicate-id] -->  
    <div id="duplicate-id"/>
    <div id="duplicate-id"/> <!-- lgtm -->
  </body>
--- a/javascript/ql/test/query-tests/AlertSuppression/tstWindows.js
+++ b/javascript/ql/test/query-tests/AlertSuppression/tstWindows.js
@@ -35,3 +35,10 @@ debugger; // lgtm
 */
 /* lgtm[@tag:nullness,js/invocation-of-non-function] */
 /* lgtm[@tag:nullness] */
+// codeql[js/debugger-statement]
+// CODEQL[js/debugger-statement]
+// codeql[js/debugger-statement] -- because I know better than codeql
+/* codeql[js/debugger-statement] */
+/* codeql[js/debugger-statement] 
+*/
+debugger; // codeql[js/debugger-statement]
--- a/javascript/ql/test/query-tests/Security/CWE-201/PostMessageStarGood.js
+++ b/javascript/ql/test/query-tests/Security/CWE-201/PostMessageStarGood.js
@@ -1 +1 @@
-window.parent.postMessage(userName, 'https://lgtm.com');
+window.parent.postMessage(userName, 'https://github.com');
--- a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst4.js
+++ b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst4.js
@@ -1,5 +1,5 @@
 function h() {
  var href = window.location.href;
  // OK
-  window.location = "https://lgtm.com?" + href.substring(href.indexOf('?')+1);
+  window.location = "https://github.com?" + href.substring(href.indexOf('?')+1);
 }
--- a/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst8.js
+++ b/javascript/ql/test/query-tests/Security/CWE-601/ClientSideUrlRedirect/tst8.js
@@ -1,7 +1,7 @@
 function k() {
  var search = window.location.search.substr(1);
  // OK
-  window.location = "https://lgtm.com" + questionMark() + search;
+  window.location = "https://github.com" + questionMark() + search;
 }

 function questionMark() {
--- a/javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCall3.js
+++ b/javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCall3.js
@@ -2,10 +2,10 @@ var express = require('express');
 var app = express();

 var actions = new Map();
-actions.put("play", function play(data) {
+actions.set("play", function play(data) {
    // ...
 });
-actions.put("pause", function pause(data) {
+actions.set("pause", function pause(data) {
    // ...
 });

@@ -14,4 +14,4 @@ app.get('/perform/:action/:payload', function(req, res) {
        let action = actions.get(req.params.action);
        res.end(action(req.params.payload)); // NOT OK, but not flagged [INCONSISTENCY]
    }
-});
+});