Merge branch 'main' into calumgrant/remove-lgtm

2026-04-29 18:55:14 +02:00 · 2023-01-03 10:27:30 +00:00
parent 2d0f8798a4 dcd0be04c4
commit ad55706527
410 changed files with 27055 additions and 5870 deletions
--- a/javascript/ql/src/AlertSuppression.ql
+++ b/javascript/ql/src/AlertSuppression.ql
@@ -5,76 +5,32 @@
 * @id js/alert-suppression
 */

-import javascript
+private import codeql.util.suppression.AlertSuppression as AS
+private import javascript as JS

-/**
- * An alert suppression comment.
- */
-class SuppressionComment extends Locatable {
-  string text;
-  string annotation;
+class AstNode extends JS::Locatable {
+  AstNode() { not this.(JS::HTML::TextNode).getText().regexpMatch("\\s*") }

-  SuppressionComment() {
-    (
-      text = this.(Comment).getText() or
-      text = this.(HTML::CommentNode).getText()
-    ) and
-    // suppression comments must be single-line
-    not text.matches("%\n%") and
-    (
-      // match `lgtm[...]` anywhere in the comment
-      annotation = text.regexpFind("(?i)\\blgtm\\s*\\[[^\\]]*\\]", _, _)
-      or
-      // match `lgtm` at the start of the comment and after semicolon
-      annotation = text.regexpFind("(?i)(?<=^|;)\\s*lgtm(?!\\B|\\s*\\[)", _, _).trim()
-    )
-  }
-
-  /** Gets the text of this suppression comment, not including delimiters. */
-  string getText() { result = text }
-
-  /** Gets the suppression annotation in this comment. */
-  string getAnnotation() { result = annotation }
-
-  /**
-   * Holds if this comment applies to the range from column `startcolumn` of line `startline`
-   * to column `endcolumn` of line `endline` in file `filepath`.
-   */
-  predicate covers(string filepath, int startline, int startcolumn, int endline, int endcolumn) {
-    this.getLocation().hasLocationInfo(filepath, startline, _, endline, endcolumn) and
-    startcolumn = 1
-  }
-
-  /** Gets the scope of this suppression. */
-  SuppressionScope getScope() { this = result.getSuppressionComment() }
-}
-
-/**
- * The scope of an alert suppression comment.
- */
-class SuppressionScope extends @locatable instanceof SuppressionComment {
-  /** Gets a suppression comment with this scope. */
-  SuppressionComment getSuppressionComment() { result = this }
-
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
  predicate hasLocationInfo(
    string filepath, int startline, int startcolumn, int endline, int endcolumn
  ) {
-    super.covers(filepath, startline, startcolumn, endline, endcolumn)
+    this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
  }
-
-  /** Gets a textual representation of this element. */
-  string toString() { result = "suppression range" }
 }

-from SuppressionComment c
-select c, // suppression comment
-  c.getText(), // text of suppression comment (excluding delimiters)
-  c.getAnnotation(), // text of suppression annotation
-  c.getScope() // scope of suppression
+class SingleLineComment extends AstNode {
+  private string text;
+
+  SingleLineComment() {
+    (
+      text = this.(JS::Comment).getText() or
+      text = this.(JS::HTML::CommentNode).getText()
+    ) and
+    // suppression comments must be single-line
+    not text.matches("%\n%")
+  }
+
+  string getText() { result = text }
+}
+
+import AS::Make<AstNode, SingleLineComment>
--- a/javascript/ql/src/Security/CWE-754/examples/UnvalidatedDynamicMethodCallGood.js
+++ b/javascript/ql/src/Security/CWE-754/examples/UnvalidatedDynamicMethodCallGood.js
@@ -2,10 +2,10 @@ var express = require('express');
 var app = express();

 var actions = new Map();
-actions.put("play", function play(data) {
+actions.set("play", function play(data) {
  // ...
 });
-actions.put("pause", function pause(data) {
+actions.set("pause", function pause(data) {
  // ...
 });

--- a/javascript/ql/src/change-notes/2022-12-19-alert-suppressions.md
+++ b/javascript/ql/src/change-notes/2022-12-19-alert-suppressions.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `AlertSuppression.ql` query has been updated to support the new `// codeql[query-id]` supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy `// lgtm` and `// lgtm[query-id]` comments can now also be place on the line before an alert.
--- a/javascript/ql/src/qlpack.yml
+++ b/javascript/ql/src/qlpack.yml
@@ -10,3 +10,4 @@ dependencies:
  codeql/javascript-all: ${workspace}
  codeql/suite-helpers: ${workspace}
  codeql/typos: ${workspace}
+  codeql/util: ${workspace}
--- a/javascript/ql/test/query-tests/AlertSuppression/AlertSuppression.expected
+++ b/javascript/ql/test/query-tests/AlertSuppression/AlertSuppression.expected
@@ -1,60 +1,126 @@
-| tst.html:5:30:5:42 | <!-- lgtm --> |  lgtm  | lgtm | tst.html:5:1:5:42 | suppression range |
+| tst.html:4:5:4:36 | <!-- codeql[js/duplicate-id] --> |  codeql[js/duplicate-id]  | lgtm[js/duplicate-id] | tst.html:5:0:5:0 | suppression range |
+| tst.html:6:30:6:42 | <!-- lgtm --> |  lgtm  | lgtm | tst.html:6:1:6:42 | suppression range |
 | tst.js:1:11:1:17 | // lgtm |  lgtm | lgtm | tst.js:1:1:1:17 | suppression range |
 | tst.js:2:1:2:30 | // lgtm ... tement] |  lgtm[js/debugger-statement] | lgtm[js/debugger-statement] | tst.js:2:1:2:30 | suppression range |
+| tst.js:2:1:2:30 | // lgtm ... tement] |  lgtm[js/debugger-statement] | lgtm[js/debugger-statement] | tst.js:3:0:3:0 | suppression range |
 | tst.js:3:1:3:61 | // lgtm ... nction] |  lgtm[js/debugger-statement, js/invocation-of-non-function] | lgtm[js/debugger-statement, js/invocation-of-non-function] | tst.js:3:1:3:61 | suppression range |
+| tst.js:3:1:3:61 | // lgtm ... nction] |  lgtm[js/debugger-statement, js/invocation-of-non-function] | lgtm[js/debugger-statement, js/invocation-of-non-function] | tst.js:4:0:4:0 | suppression range |
 | tst.js:4:1:4:22 | // lgtm ... llness] |  lgtm[@tag:nullness] | lgtm[@tag:nullness] | tst.js:4:1:4:22 | suppression range |
+| tst.js:4:1:4:22 | // lgtm ... llness] |  lgtm[@tag:nullness] | lgtm[@tag:nullness] | tst.js:5:0:5:0 | suppression range |
 | tst.js:5:1:5:44 | // lgtm ... tement] |  lgtm[@tag:nullness,js/debugger-statement] | lgtm[@tag:nullness,js/debugger-statement] | tst.js:5:1:5:44 | suppression range |
+| tst.js:5:1:5:44 | // lgtm ... tement] |  lgtm[@tag:nullness,js/debugger-statement] | lgtm[@tag:nullness,js/debugger-statement] | tst.js:6:0:6:0 | suppression range |
 | tst.js:6:1:6:28 | // lgtm ... -06-11] |  lgtm[@expires:2017-06-11] | lgtm[@expires:2017-06-11] | tst.js:6:1:6:28 | suppression range |
+| tst.js:6:1:6:28 | // lgtm ... -06-11] |  lgtm[@expires:2017-06-11] | lgtm[@expires:2017-06-11] | tst.js:7:0:7:0 | suppression range |
 | tst.js:7:1:7:70 | // lgtm ... an lgtm |  lgtm[js/invocation-of-non-function] because I know better than lgtm | lgtm[js/invocation-of-non-function] | tst.js:7:1:7:70 | suppression range |
+| tst.js:7:1:7:70 | // lgtm ... an lgtm |  lgtm[js/invocation-of-non-function] because I know better than lgtm | lgtm[js/invocation-of-non-function] | tst.js:8:0:8:0 | suppression range |
 | tst.js:8:1:8:18 | // lgtm: blah blah |  lgtm: blah blah | lgtm | tst.js:8:1:8:18 | suppression range |
+| tst.js:8:1:8:18 | // lgtm: blah blah |  lgtm: blah blah | lgtm | tst.js:9:0:9:0 | suppression range |
 | tst.js:9:1:9:32 | // lgtm ... ositive |  lgtm blah blah #falsepositive | lgtm | tst.js:9:1:9:32 | suppression range |
+| tst.js:9:1:9:32 | // lgtm ... ositive |  lgtm blah blah #falsepositive | lgtm | tst.js:10:0:10:0 | suppression range |
 | tst.js:10:1:10:39 | //lgtm  ... nction] | lgtm  [js/invocation-of-non-function] | lgtm  [js/invocation-of-non-function] | tst.js:10:1:10:39 | suppression range |
+| tst.js:10:1:10:39 | //lgtm  ... nction] | lgtm  [js/invocation-of-non-function] | lgtm  [js/invocation-of-non-function] | tst.js:11:0:11:0 | suppression range |
 | tst.js:11:1:11:10 | /* lgtm */ |  lgtm  | lgtm | tst.js:11:1:11:10 | suppression range |
+| tst.js:11:1:11:10 | /* lgtm */ |  lgtm  | lgtm | tst.js:12:0:12:0 | suppression range |
 | tst.js:12:1:12:9 | // lgtm[] |  lgtm[] | lgtm[] | tst.js:12:1:12:9 | suppression range |
+| tst.js:12:1:12:9 | // lgtm[] |  lgtm[] | lgtm[] | tst.js:13:0:13:0 | suppression range |
 | tst.js:14:1:14:6 | //lgtm | lgtm | lgtm | tst.js:14:1:14:6 | suppression range |
+| tst.js:14:1:14:6 | //lgtm | lgtm | lgtm | tst.js:15:0:15:0 | suppression range |
 | tst.js:15:1:15:7 | //\\tlgtm | \tlgtm | lgtm | tst.js:15:1:15:7 | suppression range |
+| tst.js:15:1:15:7 | //\\tlgtm | \tlgtm | lgtm | tst.js:16:0:16:0 | suppression range |
 | tst.js:16:1:16:31 | // lgtm ... tement] |  lgtm\t[js/debugger-statement] | lgtm\t[js/debugger-statement] | tst.js:16:1:16:31 | suppression range |
+| tst.js:16:1:16:31 | // lgtm ... tement] |  lgtm\t[js/debugger-statement] | lgtm\t[js/debugger-statement] | tst.js:17:0:17:0 | suppression range |
 | tst.js:19:1:19:12 | // foo; lgtm |  foo; lgtm | lgtm | tst.js:19:1:19:12 | suppression range |
+| tst.js:19:1:19:12 | // foo; lgtm |  foo; lgtm | lgtm | tst.js:20:0:20:0 | suppression range |
 | tst.js:20:1:20:35 | // foo; ... tement] |  foo; lgtm[js/debugger-statement] | lgtm[js/debugger-statement] | tst.js:20:1:20:35 | suppression range |
+| tst.js:20:1:20:35 | // foo; ... tement] |  foo; lgtm[js/debugger-statement] | lgtm[js/debugger-statement] | tst.js:21:0:21:0 | suppression range |
 | tst.js:22:1:22:34 | // foo  ... tement] |  foo lgtm[js/debugger-statement] | lgtm[js/debugger-statement] | tst.js:22:1:22:34 | suppression range |
+| tst.js:22:1:22:34 | // foo  ... tement] |  foo lgtm[js/debugger-statement] | lgtm[js/debugger-statement] | tst.js:23:0:23:0 | suppression range |
 | tst.js:24:1:24:38 | // foo  ... nt] bar |  foo lgtm[js/debugger-statement] bar | lgtm[js/debugger-statement] | tst.js:24:1:24:38 | suppression range |
+| tst.js:24:1:24:38 | // foo  ... nt] bar |  foo lgtm[js/debugger-statement] bar | lgtm[js/debugger-statement] | tst.js:25:0:25:0 | suppression range |
 | tst.js:25:1:25:8 | // LGTM! |  LGTM! | LGTM | tst.js:25:1:25:8 | suppression range |
+| tst.js:25:1:25:8 | // LGTM! |  LGTM! | LGTM | tst.js:26:0:26:0 | suppression range |
 | tst.js:26:1:26:30 | // LGTM ... tement] |  LGTM[js/debugger-statement] | LGTM[js/debugger-statement] | tst.js:26:1:26:30 | suppression range |
+| tst.js:26:1:26:30 | // LGTM ... tement] |  LGTM[js/debugger-statement] | LGTM[js/debugger-statement] | tst.js:27:0:27:0 | suppression range |
 | tst.js:27:1:27:70 | // lgtm ... nction] |  lgtm[js/debugger-statement] and lgtm[js/invocation-of-non-function] | lgtm[js/debugger-statement] | tst.js:27:1:27:70 | suppression range |
+| tst.js:27:1:27:70 | // lgtm ... nction] |  lgtm[js/debugger-statement] and lgtm[js/invocation-of-non-function] | lgtm[js/debugger-statement] | tst.js:28:0:28:0 | suppression range |
 | tst.js:27:1:27:70 | // lgtm ... nction] |  lgtm[js/debugger-statement] and lgtm[js/invocation-of-non-function] | lgtm[js/invocation-of-non-function] | tst.js:27:1:27:70 | suppression range |
+| tst.js:27:1:27:70 | // lgtm ... nction] |  lgtm[js/debugger-statement] and lgtm[js/invocation-of-non-function] | lgtm[js/invocation-of-non-function] | tst.js:28:0:28:0 | suppression range |
 | tst.js:28:1:28:36 | // lgtm ... ]; lgtm |  lgtm[js/debugger-statement]; lgtm | lgtm | tst.js:28:1:28:36 | suppression range |
+| tst.js:28:1:28:36 | // lgtm ... ]; lgtm |  lgtm[js/debugger-statement]; lgtm | lgtm | tst.js:29:0:29:0 | suppression range |
 | tst.js:28:1:28:36 | // lgtm ... ]; lgtm |  lgtm[js/debugger-statement]; lgtm | lgtm[js/debugger-statement] | tst.js:28:1:28:36 | suppression range |
+| tst.js:28:1:28:36 | // lgtm ... ]; lgtm |  lgtm[js/debugger-statement]; lgtm | lgtm[js/debugger-statement] | tst.js:29:0:29:0 | suppression range |
 | tst.js:29:1:29:12 | /* lgtm[] */ |  lgtm[]  | lgtm[] | tst.js:29:1:29:12 | suppression range |
+| tst.js:29:1:29:12 | /* lgtm[] */ |  lgtm[]  | lgtm[] | tst.js:30:0:30:0 | suppression range |
 | tst.js:30:1:30:41 | /* lgtm ... ion] */ |  lgtm[js/invocation-of-non-function]  | lgtm[js/invocation-of-non-function] | tst.js:30:1:30:41 | suppression range |
+| tst.js:30:1:30:41 | /* lgtm ... ion] */ |  lgtm[js/invocation-of-non-function]  | lgtm[js/invocation-of-non-function] | tst.js:31:0:31:0 | suppression range |
 | tst.js:36:1:36:55 | /* lgtm ... ion] */ |  lgtm[@tag:nullness,js/invocation-of-non-function]  | lgtm[@tag:nullness,js/invocation-of-non-function] | tst.js:36:1:36:55 | suppression range |
+| tst.js:36:1:36:55 | /* lgtm ... ion] */ |  lgtm[@tag:nullness,js/invocation-of-non-function]  | lgtm[@tag:nullness,js/invocation-of-non-function] | tst.js:37:0:37:0 | suppression range |
 | tst.js:37:1:37:25 | /* lgtm ... ess] */ |  lgtm[@tag:nullness]  | lgtm[@tag:nullness] | tst.js:37:1:37:25 | suppression range |
-| tstWindows.html:5:30:5:42 | <!-- lgtm --> |  lgtm  | lgtm | tstWindows.html:5:1:5:42 | suppression range |
+| tst.js:37:1:37:25 | /* lgtm ... ess] */ |  lgtm[@tag:nullness]  | lgtm[@tag:nullness] | tst.js:38:0:38:0 | suppression range |
+| tst.js:38:1:38:32 | // code ... tement] |  codeql[js/debugger-statement] | lgtm[js/debugger-statement] | tst.js:39:0:39:0 | suppression range |
+| tst.js:39:1:39:32 | // CODE ... tement] |  CODEQL[js/debugger-statement] | lgtm[js/debugger-statement] | tst.js:40:0:40:0 | suppression range |
+| tst.js:40:1:40:69 | // code ...  codeql |  codeql[js/debugger-statement] -- because I know better than codeql | lgtm[js/debugger-statement] | tst.js:41:0:41:0 | suppression range |
+| tst.js:41:1:41:35 | /* code ... ent] */ |  codeql[js/debugger-statement]  | lgtm[js/debugger-statement] | tst.js:42:0:42:0 | suppression range |
+| tstWindows.html:4:5:4:36 | <!-- codeql[js/duplicate-id] --> |  codeql[js/duplicate-id]  | lgtm[js/duplicate-id] | tstWindows.html:5:0:5:0 | suppression range |
+| tstWindows.html:6:30:6:42 | <!-- lgtm --> |  lgtm  | lgtm | tstWindows.html:6:1:6:42 | suppression range |
 | tstWindows.js:1:11:1:17 | // lgtm |  lgtm | lgtm | tstWindows.js:1:1:1:17 | suppression range |
 | tstWindows.js:2:1:2:30 | // lgtm ... tement] |  lgtm[js/debugger-statement] | lgtm[js/debugger-statement] | tstWindows.js:2:1:2:30 | suppression range |
+| tstWindows.js:2:1:2:30 | // lgtm ... tement] |  lgtm[js/debugger-statement] | lgtm[js/debugger-statement] | tstWindows.js:3:0:3:0 | suppression range |
 | tstWindows.js:3:1:3:61 | // lgtm ... nction] |  lgtm[js/debugger-statement, js/invocation-of-non-function] | lgtm[js/debugger-statement, js/invocation-of-non-function] | tstWindows.js:3:1:3:61 | suppression range |
+| tstWindows.js:3:1:3:61 | // lgtm ... nction] |  lgtm[js/debugger-statement, js/invocation-of-non-function] | lgtm[js/debugger-statement, js/invocation-of-non-function] | tstWindows.js:4:0:4:0 | suppression range |
 | tstWindows.js:4:1:4:22 | // lgtm ... llness] |  lgtm[@tag:nullness] | lgtm[@tag:nullness] | tstWindows.js:4:1:4:22 | suppression range |
+| tstWindows.js:4:1:4:22 | // lgtm ... llness] |  lgtm[@tag:nullness] | lgtm[@tag:nullness] | tstWindows.js:5:0:5:0 | suppression range |
 | tstWindows.js:5:1:5:44 | // lgtm ... tement] |  lgtm[@tag:nullness,js/debugger-statement] | lgtm[@tag:nullness,js/debugger-statement] | tstWindows.js:5:1:5:44 | suppression range |
+| tstWindows.js:5:1:5:44 | // lgtm ... tement] |  lgtm[@tag:nullness,js/debugger-statement] | lgtm[@tag:nullness,js/debugger-statement] | tstWindows.js:6:0:6:0 | suppression range |
 | tstWindows.js:6:1:6:28 | // lgtm ... -06-11] |  lgtm[@expires:2017-06-11] | lgtm[@expires:2017-06-11] | tstWindows.js:6:1:6:28 | suppression range |
+| tstWindows.js:6:1:6:28 | // lgtm ... -06-11] |  lgtm[@expires:2017-06-11] | lgtm[@expires:2017-06-11] | tstWindows.js:7:0:7:0 | suppression range |
 | tstWindows.js:7:1:7:70 | // lgtm ... an lgtm |  lgtm[js/invocation-of-non-function] because I know better than lgtm | lgtm[js/invocation-of-non-function] | tstWindows.js:7:1:7:70 | suppression range |
+| tstWindows.js:7:1:7:70 | // lgtm ... an lgtm |  lgtm[js/invocation-of-non-function] because I know better than lgtm | lgtm[js/invocation-of-non-function] | tstWindows.js:8:0:8:0 | suppression range |
 | tstWindows.js:8:1:8:18 | // lgtm: blah blah |  lgtm: blah blah | lgtm | tstWindows.js:8:1:8:18 | suppression range |
+| tstWindows.js:8:1:8:18 | // lgtm: blah blah |  lgtm: blah blah | lgtm | tstWindows.js:9:0:9:0 | suppression range |
 | tstWindows.js:9:1:9:32 | // lgtm ... ositive |  lgtm blah blah #falsepositive | lgtm | tstWindows.js:9:1:9:32 | suppression range |
+| tstWindows.js:9:1:9:32 | // lgtm ... ositive |  lgtm blah blah #falsepositive | lgtm | tstWindows.js:10:0:10:0 | suppression range |
 | tstWindows.js:10:1:10:39 | //lgtm  ... nction] | lgtm  [js/invocation-of-non-function] | lgtm  [js/invocation-of-non-function] | tstWindows.js:10:1:10:39 | suppression range |
+| tstWindows.js:10:1:10:39 | //lgtm  ... nction] | lgtm  [js/invocation-of-non-function] | lgtm  [js/invocation-of-non-function] | tstWindows.js:11:0:11:0 | suppression range |
 | tstWindows.js:11:1:11:10 | /* lgtm */ |  lgtm  | lgtm | tstWindows.js:11:1:11:10 | suppression range |
+| tstWindows.js:11:1:11:10 | /* lgtm */ |  lgtm  | lgtm | tstWindows.js:12:0:12:0 | suppression range |
 | tstWindows.js:12:1:12:9 | // lgtm[] |  lgtm[] | lgtm[] | tstWindows.js:12:1:12:9 | suppression range |
+| tstWindows.js:12:1:12:9 | // lgtm[] |  lgtm[] | lgtm[] | tstWindows.js:13:0:13:0 | suppression range |
 | tstWindows.js:14:1:14:6 | //lgtm | lgtm | lgtm | tstWindows.js:14:1:14:6 | suppression range |
+| tstWindows.js:14:1:14:6 | //lgtm | lgtm | lgtm | tstWindows.js:15:0:15:0 | suppression range |
 | tstWindows.js:15:1:15:7 | //\\tlgtm | \tlgtm | lgtm | tstWindows.js:15:1:15:7 | suppression range |
+| tstWindows.js:15:1:15:7 | //\\tlgtm | \tlgtm | lgtm | tstWindows.js:16:0:16:0 | suppression range |
 | tstWindows.js:16:1:16:31 | // lgtm ... tement] |  lgtm\t[js/debugger-statement] | lgtm\t[js/debugger-statement] | tstWindows.js:16:1:16:31 | suppression range |
+| tstWindows.js:16:1:16:31 | // lgtm ... tement] |  lgtm\t[js/debugger-statement] | lgtm\t[js/debugger-statement] | tstWindows.js:17:0:17:0 | suppression range |
 | tstWindows.js:19:1:19:12 | // foo; lgtm |  foo; lgtm | lgtm | tstWindows.js:19:1:19:12 | suppression range |
+| tstWindows.js:19:1:19:12 | // foo; lgtm |  foo; lgtm | lgtm | tstWindows.js:20:0:20:0 | suppression range |
 | tstWindows.js:20:1:20:35 | // foo; ... tement] |  foo; lgtm[js/debugger-statement] | lgtm[js/debugger-statement] | tstWindows.js:20:1:20:35 | suppression range |
+| tstWindows.js:20:1:20:35 | // foo; ... tement] |  foo; lgtm[js/debugger-statement] | lgtm[js/debugger-statement] | tstWindows.js:21:0:21:0 | suppression range |
 | tstWindows.js:22:1:22:34 | // foo  ... tement] |  foo lgtm[js/debugger-statement] | lgtm[js/debugger-statement] | tstWindows.js:22:1:22:34 | suppression range |
+| tstWindows.js:22:1:22:34 | // foo  ... tement] |  foo lgtm[js/debugger-statement] | lgtm[js/debugger-statement] | tstWindows.js:23:0:23:0 | suppression range |
 | tstWindows.js:24:1:24:38 | // foo  ... nt] bar |  foo lgtm[js/debugger-statement] bar | lgtm[js/debugger-statement] | tstWindows.js:24:1:24:38 | suppression range |
+| tstWindows.js:24:1:24:38 | // foo  ... nt] bar |  foo lgtm[js/debugger-statement] bar | lgtm[js/debugger-statement] | tstWindows.js:25:0:25:0 | suppression range |
 | tstWindows.js:25:1:25:8 | // LGTM! |  LGTM! | LGTM | tstWindows.js:25:1:25:8 | suppression range |
+| tstWindows.js:25:1:25:8 | // LGTM! |  LGTM! | LGTM | tstWindows.js:26:0:26:0 | suppression range |
 | tstWindows.js:26:1:26:30 | // LGTM ... tement] |  LGTM[js/debugger-statement] | LGTM[js/debugger-statement] | tstWindows.js:26:1:26:30 | suppression range |
+| tstWindows.js:26:1:26:30 | // LGTM ... tement] |  LGTM[js/debugger-statement] | LGTM[js/debugger-statement] | tstWindows.js:27:0:27:0 | suppression range |
 | tstWindows.js:27:1:27:70 | // lgtm ... nction] |  lgtm[js/debugger-statement] and lgtm[js/invocation-of-non-function] | lgtm[js/debugger-statement] | tstWindows.js:27:1:27:70 | suppression range |
+| tstWindows.js:27:1:27:70 | // lgtm ... nction] |  lgtm[js/debugger-statement] and lgtm[js/invocation-of-non-function] | lgtm[js/debugger-statement] | tstWindows.js:28:0:28:0 | suppression range |
 | tstWindows.js:27:1:27:70 | // lgtm ... nction] |  lgtm[js/debugger-statement] and lgtm[js/invocation-of-non-function] | lgtm[js/invocation-of-non-function] | tstWindows.js:27:1:27:70 | suppression range |
+| tstWindows.js:27:1:27:70 | // lgtm ... nction] |  lgtm[js/debugger-statement] and lgtm[js/invocation-of-non-function] | lgtm[js/invocation-of-non-function] | tstWindows.js:28:0:28:0 | suppression range |
 | tstWindows.js:28:1:28:36 | // lgtm ... ]; lgtm |  lgtm[js/debugger-statement]; lgtm | lgtm | tstWindows.js:28:1:28:36 | suppression range |
+| tstWindows.js:28:1:28:36 | // lgtm ... ]; lgtm |  lgtm[js/debugger-statement]; lgtm | lgtm | tstWindows.js:29:0:29:0 | suppression range |
 | tstWindows.js:28:1:28:36 | // lgtm ... ]; lgtm |  lgtm[js/debugger-statement]; lgtm | lgtm[js/debugger-statement] | tstWindows.js:28:1:28:36 | suppression range |
+| tstWindows.js:28:1:28:36 | // lgtm ... ]; lgtm |  lgtm[js/debugger-statement]; lgtm | lgtm[js/debugger-statement] | tstWindows.js:29:0:29:0 | suppression range |
 | tstWindows.js:29:1:29:12 | /* lgtm[] */ |  lgtm[]  | lgtm[] | tstWindows.js:29:1:29:12 | suppression range |
+| tstWindows.js:29:1:29:12 | /* lgtm[] */ |  lgtm[]  | lgtm[] | tstWindows.js:30:0:30:0 | suppression range |
 | tstWindows.js:30:1:30:41 | /* lgtm ... ion] */ |  lgtm[js/invocation-of-non-function]  | lgtm[js/invocation-of-non-function] | tstWindows.js:30:1:30:41 | suppression range |
+| tstWindows.js:30:1:30:41 | /* lgtm ... ion] */ |  lgtm[js/invocation-of-non-function]  | lgtm[js/invocation-of-non-function] | tstWindows.js:31:0:31:0 | suppression range |
 | tstWindows.js:36:1:36:55 | /* lgtm ... ion] */ |  lgtm[@tag:nullness,js/invocation-of-non-function]  | lgtm[@tag:nullness,js/invocation-of-non-function] | tstWindows.js:36:1:36:55 | suppression range |
+| tstWindows.js:36:1:36:55 | /* lgtm ... ion] */ |  lgtm[@tag:nullness,js/invocation-of-non-function]  | lgtm[@tag:nullness,js/invocation-of-non-function] | tstWindows.js:37:0:37:0 | suppression range |
 | tstWindows.js:37:1:37:25 | /* lgtm ... ess] */ |  lgtm[@tag:nullness]  | lgtm[@tag:nullness] | tstWindows.js:37:1:37:25 | suppression range |
+| tstWindows.js:37:1:37:25 | /* lgtm ... ess] */ |  lgtm[@tag:nullness]  | lgtm[@tag:nullness] | tstWindows.js:38:0:38:0 | suppression range |
+| tstWindows.js:38:1:38:32 | // code ... tement] |  codeql[js/debugger-statement] | lgtm[js/debugger-statement] | tstWindows.js:39:0:39:0 | suppression range |
+| tstWindows.js:39:1:39:32 | // CODE ... tement] |  CODEQL[js/debugger-statement] | lgtm[js/debugger-statement] | tstWindows.js:40:0:40:0 | suppression range |
+| tstWindows.js:40:1:40:69 | // code ...  codeql |  codeql[js/debugger-statement] -- because I know better than codeql | lgtm[js/debugger-statement] | tstWindows.js:41:0:41:0 | suppression range |
+| tstWindows.js:41:1:41:35 | /* code ... ent] */ |  codeql[js/debugger-statement]  | lgtm[js/debugger-statement] | tstWindows.js:42:0:42:0 | suppression range |
--- a/javascript/ql/test/query-tests/AlertSuppression/tst.html
+++ b/javascript/ql/test/query-tests/AlertSuppression/tst.html
@@ -1,6 +1,7 @@
 <html>
  <head><title>Title</title></title>
  <body>
+    <!-- codeql[js/duplicate-id] -->
    <div id="duplicate-id"/>
    <div id="duplicate-id"/> <!-- lgtm -->
  </body>
--- a/javascript/ql/test/query-tests/AlertSuppression/tst.js
+++ b/javascript/ql/test/query-tests/AlertSuppression/tst.js
@@ -35,3 +35,10 @@ debugger; // lgtm
 */
 /* lgtm[@tag:nullness,js/invocation-of-non-function] */
 /* lgtm[@tag:nullness] */
+// codeql[js/debugger-statement]
+// CODEQL[js/debugger-statement]
+// codeql[js/debugger-statement] -- because I know better than codeql
+/* codeql[js/debugger-statement] */
+/* codeql[js/debugger-statement] 
+*/
+debugger; // codeql[js/debugger-statement]
--- a/javascript/ql/test/query-tests/AlertSuppression/tstWindows.html
+++ b/javascript/ql/test/query-tests/AlertSuppression/tstWindows.html
@@ -1,6 +1,7 @@
 <html>
  <head><title>Title</title></title>
  <body>
+    <!-- codeql[js/duplicate-id] -->  
    <div id="duplicate-id"/>
    <div id="duplicate-id"/> <!-- lgtm -->
  </body>
--- a/javascript/ql/test/query-tests/AlertSuppression/tstWindows.js
+++ b/javascript/ql/test/query-tests/AlertSuppression/tstWindows.js
@@ -35,3 +35,10 @@ debugger; // lgtm
 */
 /* lgtm[@tag:nullness,js/invocation-of-non-function] */
 /* lgtm[@tag:nullness] */
+// codeql[js/debugger-statement]
+// CODEQL[js/debugger-statement]
+// codeql[js/debugger-statement] -- because I know better than codeql
+/* codeql[js/debugger-statement] */
+/* codeql[js/debugger-statement] 
+*/
+debugger; // codeql[js/debugger-statement]
--- a/javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCall3.js
+++ b/javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCall3.js
@@ -2,10 +2,10 @@ var express = require('express');
 var app = express();

 var actions = new Map();
-actions.put("play", function play(data) {
+actions.set("play", function play(data) {
    // ...
 });
-actions.put("pause", function pause(data) {
+actions.set("pause", function pause(data) {
    // ...
 });

@@ -14,4 +14,4 @@ app.get('/perform/:action/:payload', function(req, res) {
        let action = actions.get(req.params.action);
        res.end(action(req.params.payload)); // NOT OK, but not flagged [INCONSISTENCY]
    }
-});
+});