Convert .qlref test to inline expectations

go/ql/src/experimental/CWE-525/WebCacheDeception.ql

@@ -1,4 +1,4 @@
-/*
+/**
  * @name Web Cache Deception
  * @description A caching system has been detected on the application and is vulnerable to web cache deception. By manipulating the URL it is possible to force the application to cache pages that are only accessible by an authenticated user. Once cached, these pages can be accessed by an unauthenticated user.
  * @kind problem

go/ql/test/experimental/CWE-090/LDAPInjection.go

@@ -54,31 +54,31 @@ func main() {}
 // bad is an example of a bad implementation
 func (ld *Ldap) bad(req *http.Request) {
 	// ...
-	untrusted := req.UserAgent()
+	untrusted := req.UserAgent() // $ Source
 	goldap.NewSearchRequest(
-		untrusted, // BAD: untrusted dn
+		untrusted, // $ Alert // BAD: untrusted dn
 		goldap.ScopeWholeSubtree, goldap.NeverDerefAliases, 0, 0, false,
-		"(&(objectClass=organizationalPerson))"+untrusted, // BAD: untrusted filter
-		[]string{"dn", "cn", untrusted},                   // BAD: untrusted attribute
+		"(&(objectClass=organizationalPerson))"+untrusted, // $ Alert // BAD: untrusted filter
+		[]string{"dn", "cn", untrusted},                   // $ Alert // BAD: untrusted attribute
 		nil,
 	)
 	goldapv3.NewSearchRequest(
-		untrusted, // BAD: untrusted dn
+		untrusted, // $ Alert // BAD: untrusted dn
 		goldap.ScopeWholeSubtree, goldap.NeverDerefAliases, 0, 0, false,
-		"(&(objectClass=organizationalPerson))"+untrusted, // BAD: untrusted filter
-		[]string{"dn", "cn", untrusted},                   // BAD: untrusted attribute
+		"(&(objectClass=organizationalPerson))"+untrusted, // $ Alert // BAD: untrusted filter
+		[]string{"dn", "cn", untrusted},                   // $ Alert // BAD: untrusted attribute
 		nil,
 	)
 	gopkgldapv2.NewSearchRequest(
-		untrusted, // BAD: untrusted dn
+		untrusted, // $ Alert // BAD: untrusted dn
 		goldap.ScopeWholeSubtree, goldap.NeverDerefAliases, 0, 0, false,
-		"(&(objectClass=organizationalPerson))"+untrusted, // BAD: untrusted filter
-		[]string{"dn", "cn", untrusted},                   // BAD: untrusted attribute
+		"(&(objectClass=organizationalPerson))"+untrusted, // $ Alert // BAD: untrusted filter
+		[]string{"dn", "cn", untrusted},                   // $ Alert // BAD: untrusted attribute
 		nil,
 	)
 	client := &ldapclient.LDAPClient{}
-	client.Authenticate(untrusted, "123456") // BAD: untrusted filter
-	client.GetGroupsOfUser(untrusted)        // BAD: untrusted filter
+	client.Authenticate(untrusted, "123456") // $ Alert // BAD: untrusted filter
+	client.GetGroupsOfUser(untrusted)        // $ Alert // BAD: untrusted filter
 	// ...
 }
 

go/ql/test/experimental/CWE-090/LDAPInjection.qlref

@@ -1,2 +1,4 @@
 query: experimental/CWE-090/LDAPInjection.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

go/ql/test/experimental/CWE-203/Timing.qlref

@@ -1,2 +1,4 @@
 query: experimental/CWE-203/Timing.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

go/ql/test/experimental/CWE-203/timing.go

@@ -12,9 +12,9 @@ func bad(w http.ResponseWriter, req *http.Request) (interface{}, error) {
 	secret := "MySuperSecretPasscode"
 	secretHeader := "X-Secret"
 
-	headerSecret := req.Header.Get(secretHeader)
+	headerSecret := req.Header.Get(secretHeader) // $ Source
 	secretStr := string(secret)
-	if len(headerSecret) != 0 && headerSecret != secretStr {
+	if len(headerSecret) != 0 && headerSecret != secretStr { // $ Alert
 		return nil, fmt.Errorf("header %s=%s did not match expected secret", secretHeader, headerSecret)
 	}
 	return nil, nil
@@ -25,9 +25,9 @@ func bad2(w http.ResponseWriter, req *http.Request) (interface{}, error) {
 	secret := "MySuperSecretPasscode"
 	secretHeader := "X-Secret"
 
-	headerSecret := req.Header.Get(secretHeader)
+	headerSecret := req.Header.Get(secretHeader) // $ Source
 	secretStr := string(secret)
-	if len(headerSecret) != 0 && strings.Compare(headerSecret, secretStr) != 0 {
+	if len(headerSecret) != 0 && strings.Compare(headerSecret, secretStr) != 0 { // $ Alert
 		return nil, fmt.Errorf("header %s=%s did not match expected secret", secretHeader, headerSecret)
 	}
 	return nil, nil
@@ -38,8 +38,8 @@ func bad4(w http.ResponseWriter, req *http.Request) (interface{}, error) {
 	secret := "MySuperSecretPasscode"
 	secretHeader := "X-Secret"
 
-	headerSecret := req.Header.Get(secretHeader)
-	if len(secret) != 0 && headerSecret != "SecretStringLiteral" {
+	headerSecret := req.Header.Get(secretHeader)                   // $ Source
+	if len(secret) != 0 && headerSecret != "SecretStringLiteral" { // $ Alert
 		return nil, fmt.Errorf("header %s=%s did not match expected secret", secretHeader, headerSecret)
 	}
 	return nil, nil

go/ql/test/experimental/CWE-285/PamAuthBypass.qlref

@@ -1 +1,2 @@
-experimental/CWE-285/PamAuthBypass.ql
+query: experimental/CWE-285/PamAuthBypass.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

go/ql/test/experimental/CWE-285/main.go

@@ -9,7 +9,7 @@ import (
 func bad() error {
 	t, _ := pam.StartFunc("", "", func(s pam.Style, msg string) (string, error) {
 		return "", nil
-	})
+	}) // $ Alert
 	return t.Authenticate(0)
 
 }

go/ql/test/experimental/CWE-287/ImproperLdapAuth.go

@@ -15,7 +15,7 @@ func bad(w http.ResponseWriter, req *http.Request) (interface{}, error) {
 	ldapServer := "ldap.example.com"
 	ldapPort := 389
 	bindDN := "cn=admin,dc=example,dc=com"
-	bindPassword := req.URL.Query()["password"][0]
+	bindPassword := req.URL.Query()["password"][0] // $ Source
 
 	// Connect to the LDAP server
 	l, err := ldap.Dial("tcp", fmt.Sprintf("%s:%d", ldapServer, ldapPort))
@@ -25,7 +25,7 @@ func bad(w http.ResponseWriter, req *http.Request) (interface{}, error) {
 	defer l.Close()
 
 	// BAD: user input is not sanetized
-	err = l.Bind(bindDN, bindPassword)
+	err = l.Bind(bindDN, bindPassword) // $ Alert
 	if err != nil {
 		return fmt.Errorf("LDAP bind failed: %v", err), err
 	}
@@ -84,7 +84,7 @@ func bad2(req *http.Request) {
 	ldapPort := 389
 	bindDN := "cn=admin,dc=example,dc=com"
 	// BAD : empty password
-	bindPassword := ""
+	bindPassword := "" // $ Source
 
 	// Connect to the LDAP server
 	l, err := ldap.Dial("tcp", fmt.Sprintf("%s:%d", ldapServer, ldapPort))
@@ -94,7 +94,7 @@ func bad2(req *http.Request) {
 	defer l.Close()
 
 	// BAD : bindPassword is empty
-	err = l.Bind(bindDN, bindPassword)
+	err = l.Bind(bindDN, bindPassword) // $ Alert
 	if err != nil {
 		log.Fatalf("LDAP bind failed: %v", err)
 	}

go/ql/test/experimental/CWE-287/ImproperLdapAuth.qlref

@@ -1,2 +1,4 @@
 query: experimental/CWE-287/ImproperLdapAuth.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

go/ql/test/experimental/CWE-321-V2/HardCodedKeys.expected

@@ -1,3 +1,6 @@
+#select
+| go-jose.v3.go:24:32:24:37 | JwtKey | go-jose.v3.go:13:21:13:33 | "AllYourBase" | go-jose.v3.go:24:32:24:37 | JwtKey | This  $@. | go-jose.v3.go:13:21:13:33 | "AllYourBase" | Constant Key is used as JWT Secret key |
+| golang-jwt-v5.go:27:9:27:15 | JwtKey1 | golang-jwt-v5.go:19:22:19:34 | "AllYourBase" | golang-jwt-v5.go:27:9:27:15 | JwtKey1 | This  $@. | golang-jwt-v5.go:19:22:19:34 | "AllYourBase" | Constant Key is used as JWT Secret key |
 edges
 | go-jose.v3.go:13:14:13:34 | type conversion | go-jose.v3.go:24:32:24:37 | JwtKey | provenance |  |
 | go-jose.v3.go:13:21:13:33 | "AllYourBase" | go-jose.v3.go:13:14:13:34 | type conversion | provenance |  |
@@ -11,6 +14,3 @@ nodes
 | golang-jwt-v5.go:19:22:19:34 | "AllYourBase" | semmle.label | "AllYourBase" |
 | golang-jwt-v5.go:27:9:27:15 | JwtKey1 | semmle.label | JwtKey1 |
 subpaths
-#select
-| go-jose.v3.go:24:32:24:37 | JwtKey | go-jose.v3.go:13:21:13:33 | "AllYourBase" | go-jose.v3.go:24:32:24:37 | JwtKey | This  $@. | go-jose.v3.go:13:21:13:33 | "AllYourBase" | Constant Key is used as JWT Secret key |
-| golang-jwt-v5.go:27:9:27:15 | JwtKey1 | golang-jwt-v5.go:19:22:19:34 | "AllYourBase" | golang-jwt-v5.go:27:9:27:15 | JwtKey1 | This  $@. | golang-jwt-v5.go:19:22:19:34 | "AllYourBase" | Constant Key is used as JWT Secret key |

go/ql/test/experimental/CWE-321-V2/HardCodedKeys.qlref

@@ -1 +1,2 @@
-experimental/CWE-321-V2/HardCodedKeys.ql
+query: experimental/CWE-321-V2/HardCodedKeys.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

go/ql/test/experimental/CWE-321-V2/go-jose.v3.go

@@ -10,7 +10,7 @@ import (
 )
 
 // NOT OK
-var JwtKey = []byte("AllYourBase")
+var JwtKey = []byte("AllYourBase") // $ Source
 
 func main2(r *http.Request) {
 	signedToken := r.URL.Query().Get("signedToken")
@@ -21,7 +21,7 @@ func verifyJWT(signedToken string) {
 	fmt.Println("verifying JWT")
 	DecodedToken, _ := jwt.ParseSigned(signedToken)
 	out := CustomerInfo{}
-	if err := DecodedToken.Claims(JwtKey, &out); err != nil {
+	if err := DecodedToken.Claims(JwtKey, &out); err != nil { // $ Alert
 		panic(err)
 	}
 	fmt.Printf("%v\n", out)

go/ql/test/experimental/CWE-321-V2/golang-jwt-v5.go

@@ -16,7 +16,7 @@ type CustomerInfo struct {
 }
 
 // BAD constant key
-var JwtKey1 = []byte("AllYourBase")
+var JwtKey1 = []byte("AllYourBase") // $ Source
 
 func main1(r *http.Request) {
 	signedToken := r.URL.Query().Get("signedToken")
@@ -24,7 +24,7 @@ func main1(r *http.Request) {
 }
 
 func LoadJwtKey(token *jwt.Token) (interface{}, error) {
-	return JwtKey1, nil
+	return JwtKey1, nil // $ Alert
 }
 
 func verifyJWT_golangjwt(signedToken string) {

go/ql/test/experimental/CWE-369/DivideByZero.go

@@ -7,37 +7,37 @@ import (
 )
 
 func myHandler1(w http.ResponseWriter, r *http.Request) {
-	param1 := r.URL.Query()["param1"][0]
+	param1 := r.URL.Query()["param1"][0] // $ Source
 	value, _ := strconv.Atoi(param1)
-	out := 1337 / value
+	out := 1337 / value // $ Alert
 	fmt.Println(out)
 }
 
 func myHandler2(w http.ResponseWriter, r *http.Request) {
-	param1 := r.URL.Query()["param1"][0]
+	param1 := r.URL.Query()["param1"][0] // $ Source
 	value := int(param1[0])
-	out := 1337 / value
+	out := 1337 / value // $ Alert
 	fmt.Println(out)
 }
 
 func myHandler3(w http.ResponseWriter, r *http.Request) {
-	param1 := r.URL.Query()["param1"][0]
+	param1 := r.URL.Query()["param1"][0] // $ Source
 	value, _ := strconv.ParseInt(param1, 10, 64)
-	out := 1337 / value
+	out := 1337 / value // $ Alert
 	fmt.Println(out)
 }
 
 func myHandler4(w http.ResponseWriter, r *http.Request) {
-	param1 := r.URL.Query()["param1"][0]
+	param1 := r.URL.Query()["param1"][0] // $ Source
 	value, _ := strconv.ParseFloat(param1, 32)
-	out := 1337 / value
+	out := 1337 / value // $ Alert
 	fmt.Println(out)
 }
 
 func myHandler5(w http.ResponseWriter, r *http.Request) {
-	param1 := r.URL.Query()["param1"][0]
+	param1 := r.URL.Query()["param1"][0] // $ Source
 	value, _ := strconv.ParseUint(param1, 10, 64)
-	out := 1337 / value
+	out := 1337 / value // $ Alert
 	fmt.Println(out)
 }
 
@@ -51,10 +51,10 @@ func myHandler6(w http.ResponseWriter, r *http.Request) {
 }
 
 func myHandler7(w http.ResponseWriter, r *http.Request) {
-	param1 := r.URL.Query()["param1"][0]
+	param1 := r.URL.Query()["param1"][0] // $ Source
 	value := int(param1[0])
 	if value >= 0 {
-		out := 1337 / value
+		out := 1337 / value // $ Alert
 		fmt.Println(out)
 	}
 }

go/ql/test/experimental/CWE-369/DivideByZero.qlref

@@ -1,2 +1,4 @@
 query: experimental/CWE-369/DivideByZero.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

go/ql/test/experimental/CWE-400/DatabaseCallInLoop.expected

@@ -1,3 +1,7 @@
+#select
+| DatabaseCallInLoop.go:9:3:9:41 | call to First | DatabaseCallInLoop.go:7:2:11:2 | range statement | DatabaseCallInLoop.go:9:3:9:41 | call to First | This calls call to First in a $@. | DatabaseCallInLoop.go:7:2:11:2 | range statement | loop |
+| test.go:11:2:11:13 | call to Take | test.go:20:2:22:2 | for statement | test.go:11:2:11:13 | call to Take | This calls call to Take in a $@. | test.go:20:2:22:2 | for statement | loop |
+| test.go:11:2:11:13 | call to Take | test.go:24:2:26:2 | for statement | test.go:11:2:11:13 | call to Take | This calls call to Take in a $@. | test.go:24:2:26:2 | for statement | loop |
 edges
 | DatabaseCallInLoop.go:7:2:11:2 | range statement | DatabaseCallInLoop.go:9:3:9:41 | call to First |
 | test.go:10:1:12:1 | function declaration | test.go:11:2:11:13 | call to Take |
@@ -7,7 +11,3 @@ edges
 | test.go:21:3:21:14 | call to runQuery | test.go:10:1:12:1 | function declaration |
 | test.go:24:2:26:2 | for statement | test.go:25:3:25:17 | call to runRunQuery |
 | test.go:25:3:25:17 | call to runRunQuery | test.go:14:1:16:1 | function declaration |
-#select
-| DatabaseCallInLoop.go:9:3:9:41 | call to First | DatabaseCallInLoop.go:7:2:11:2 | range statement | DatabaseCallInLoop.go:9:3:9:41 | call to First | This calls call to First in a $@. | DatabaseCallInLoop.go:7:2:11:2 | range statement | loop |
-| test.go:11:2:11:13 | call to Take | test.go:20:2:22:2 | for statement | test.go:11:2:11:13 | call to Take | This calls call to Take in a $@. | test.go:20:2:22:2 | for statement | loop |
-| test.go:11:2:11:13 | call to Take | test.go:24:2:26:2 | for statement | test.go:11:2:11:13 | call to Take | This calls call to Take in a $@. | test.go:24:2:26:2 | for statement | loop |

go/ql/test/experimental/CWE-400/DatabaseCallInLoop.go

@@ -6,8 +6,8 @@ func getUsers(db *gorm.DB, names []string) []User {
 	res := make([]User, 0, len(names))
 	for _, name := range names {
 		var user User
-		db.Where("name = ?", name).First(&user)
+		db.Where("name = ?", name).First(&user) // $ Alert
 		res = append(res, user)
-	}
+	} // $ Source
 	return res
 }

go/ql/test/experimental/CWE-400/DatabaseCallInLoop.qlref

@@ -1 +1,2 @@
-experimental/CWE-400/DatabaseCallInLoop.ql
+query: experimental/CWE-400/DatabaseCallInLoop.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

go/ql/test/experimental/CWE-400/test.go

@@ -8,7 +8,7 @@ type User struct {
 }
 
 func runQuery(db *gorm.DB) {
-	db.Take(nil)
+	db.Take(nil) // $ Alert
 }
 
 func runRunQuery(db *gorm.DB) {
@@ -19,9 +19,9 @@ func main() {
 	var db *gorm.DB
 	for i := 0; i < 10; i++ {
 		runQuery(db)
-	}
+	} // $ Source
 
 	for i := 10; i > 0; i-- {
 		runRunQuery(db)
-	}
+	} // $ Source
 }

go/ql/test/experimental/CWE-522-DecompressionBombs/DecompressionBombs.qlref

@@ -1,2 +1,4 @@
 query: experimental/CWE-522-DecompressionBombs/DecompressionBombs.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

go/ql/test/experimental/CWE-522-DecompressionBombs/test.go

@@ -56,41 +56,41 @@ func main() {
 func DecompressHandler(w http.ResponseWriter, request *http.Request) {
 	GZipOpenReaderSafe(request.PostFormValue("test"))
 	ZipOpenReaderSafe(request.PostFormValue("test"))
-	ZipOpenReader(request.FormValue("filepath"))
-	ZipNewReader(request.Body)
-	ZipNewReaderKlauspost(request.Body)
-	Bzip2Dsnet(request.Body)
+	ZipOpenReader(request.FormValue("filepath")) // $ Source
+	ZipNewReader(request.Body)                   // $ Source
+	ZipNewReaderKlauspost(request.Body)          // $ Source
+	Bzip2Dsnet(request.Body)                     // $ Source
 	Bzip2DsnetSafe(request.Body)
-	Bzip2(request.Body)
+	Bzip2(request.Body) // $ Source
 	Bzip2Safe(request.Body)
-	Flate(request.Body)
+	Flate(request.Body) // $ Source
 	FlateSafe(request.Body)
-	FlateKlauspost(request.Body)
+	FlateKlauspost(request.Body) // $ Source
 	FlateKlauspostSafe(request.Body)
-	FlateDsnet(request.Body)
+	FlateDsnet(request.Body) // $ Source
 	FlateDsnetSafe(request.Body)
-	ZlibKlauspost(request.Body)
+	ZlibKlauspost(request.Body) // $ Source
 	ZlibKlauspostSafe(request.Body)
-	Zlib(request.Body)
+	Zlib(request.Body) // $ Source
 	ZlibSafe(request.Body)
-	Snappy(request.Body)
+	Snappy(request.Body) // $ Source
 	SnappySafe(request.Body)
-	SnappyKlauspost(request.Body)
+	SnappyKlauspost(request.Body) // $ Source
 	SnappyKlauspostSafe(request.Body)
-	S2(request.Body)
+	S2(request.Body) // $ Source
 	S2Safe(request.Body)
-	Gzip(request.Body)
+	Gzip(request.Body) // $ Source
 	GzipSafe(request.Body)
-	GZipIoReader(request.Body, "dest")
-	GzipKlauspost(request.Body)
+	GZipIoReader(request.Body, "dest") // $ Source
+	GzipKlauspost(request.Body)        // $ Source
 	GzipKlauspostSafe(request.Body)
-	PzipKlauspost(request.Body)
+	PzipKlauspost(request.Body) // $ Source
 	PzipKlauspostSafe(request.Body)
-	Zstd_Klauspost(request.Body)
+	Zstd_Klauspost(request.Body) // $ Source
 	Zstd_KlauspostSafe(request.Body)
-	Zstd_DataDog(request.Body)
+	Zstd_DataDog(request.Body) // $ Source
 	Zstd_DataDogSafe(request.Body)
-	Xz(request.Body)
+	Xz(request.Body) // $ Source
 	XzSafe(request.Body)
 }
 
@@ -131,7 +131,7 @@ func ZipOpenReader(filename string) {
 	for _, f := range zipReader.File {
 		rc, _ := f.Open()
 		for {
-			result, _ := io.CopyN(os.Stdout, rc, 68) // $ hasValueFlow="rc"
+			result, _ := io.CopyN(os.Stdout, rc, 68) // $ hasValueFlow="rc" Alert
 			if result == 0 {
 				_ = rc.Close()
 				break
@@ -144,7 +144,7 @@ func ZipOpenReader(filename string) {
 	for _, f := range zipKlauspostReader.File {
 		rc, _ := f.Open()
 		for {
-			result, _ := io.CopyN(os.Stdout, rc, 68) // $ hasValueFlow="rc"
+			result, _ := io.CopyN(os.Stdout, rc, 68) // $ hasValueFlow="rc" Alert
 			if result == 0 {
 				_ = rc.Close()
 				break
@@ -161,7 +161,7 @@ func ZipNewReader(file io.Reader) {
 	for _, file := range zipReader.File {
 		fileWriter := bytes.NewBuffer([]byte{})
 		fileReaderCloser, _ := file.Open()
-		result, _ := io.Copy(fileWriter, fileReaderCloser) // $ hasValueFlow="fileReaderCloser"
+		result, _ := io.Copy(fileWriter, fileReaderCloser) // $ hasValueFlow="fileReaderCloser" Alert
 		fmt.Print(result)
 	}
 }
@@ -173,7 +173,7 @@ func ZipNewReaderKlauspost(file io.Reader) {
 		fileWriter := bytes.NewBuffer([]byte{})
 		// file.OpenRaw()
 		fileReaderCloser, _ := file.Open()
-		result, _ := io.Copy(fileWriter, fileReaderCloser) // $ hasValueFlow="fileReaderCloser"
+		result, _ := io.Copy(fileWriter, fileReaderCloser) // $ hasValueFlow="fileReaderCloser" Alert
 		fmt.Print(result)
 	}
 }
@@ -183,7 +183,7 @@ func Bzip2Dsnet(file io.Reader) {
 
 	bzip2Reader, _ := bzip2Dsnet.NewReader(file, &bzip2Dsnet.ReaderConfig{})
 	var out []byte = make([]byte, 70)
-	bzip2Reader.Read(out) // $ hasValueFlow="bzip2Reader"
+	bzip2Reader.Read(out) // $ hasValueFlow="bzip2Reader" Alert
 	tarRead = tar.NewReader(bzip2Reader)
 
 	TarDecompressor(tarRead)
@@ -210,7 +210,7 @@ func Bzip2(file io.Reader) {
 
 	bzip2Reader := bzip2.NewReader(file)
 	var out []byte = make([]byte, 70)
-	bzip2Reader.Read(out) // $ hasValueFlow="bzip2Reader"
+	bzip2Reader.Read(out) // $ hasValueFlow="bzip2Reader" Alert
 	tarRead = tar.NewReader(bzip2Reader)
 
 	TarDecompressor(tarRead)
@@ -235,7 +235,7 @@ func Flate(file io.Reader) {
 
 	flateReader := flate.NewReader(file)
 	var out []byte = make([]byte, 70)
-	flateReader.Read(out) // $ hasValueFlow="flateReader"
+	flateReader.Read(out) // $ hasValueFlow="flateReader" Alert
 	tarRead = tar.NewReader(flateReader)
 
 	TarDecompressor(tarRead)
@@ -260,7 +260,7 @@ func FlateKlauspost(file io.Reader) {
 
 	flateReader := flateKlauspost.NewReader(file)
 	var out []byte = make([]byte, 70)
-	flateReader.Read(out) // $ hasValueFlow="flateReader"
+	flateReader.Read(out) // $ hasValueFlow="flateReader" Alert
 	tarRead = tar.NewReader(flateReader)
 
 	TarDecompressor(tarRead)
@@ -285,7 +285,7 @@ func FlateDsnet(file io.Reader) {
 
 	flateReader, _ := flateDsnet.NewReader(file, &flateDsnet.ReaderConfig{})
 	var out []byte = make([]byte, 70)
-	flateReader.Read(out) // $ hasValueFlow="flateReader"
+	flateReader.Read(out) // $ hasValueFlow="flateReader" Alert
 	tarRead = tar.NewReader(flateReader)
 
 	TarDecompressor(tarRead)
@@ -310,7 +310,7 @@ func ZlibKlauspost(file io.Reader) {
 
 	zlibReader, _ := zlibKlauspost.NewReader(file)
 	var out []byte = make([]byte, 70)
-	zlibReader.Read(out) // $ hasValueFlow="zlibReader"
+	zlibReader.Read(out) // $ hasValueFlow="zlibReader" Alert
 	tarRead = tar.NewReader(zlibReader)
 
 	TarDecompressor(tarRead)
@@ -335,7 +335,7 @@ func Zlib(file io.Reader) {
 
 	zlibReader, _ := zlib.NewReader(file)
 	var out []byte = make([]byte, 70)
-	zlibReader.Read(out) // $ hasValueFlow="zlibReader"
+	zlibReader.Read(out) // $ hasValueFlow="zlibReader" Alert
 	tarRead = tar.NewReader(zlibReader)
 
 	TarDecompressor(tarRead)
@@ -360,8 +360,8 @@ func Snappy(file io.Reader) {
 
 	snappyReader := snappy.NewReader(file)
 	var out []byte = make([]byte, 70)
-	snappyReader.Read(out)  // $ hasValueFlow="snappyReader"
-	snappyReader.ReadByte() // $ hasValueFlow="snappyReader"
+	snappyReader.Read(out)  // $ hasValueFlow="snappyReader" Alert
+	snappyReader.ReadByte() // $ hasValueFlow="snappyReader" Alert
 	tarRead = tar.NewReader(snappyReader)
 
 	TarDecompressor(tarRead)
@@ -386,10 +386,10 @@ func SnappyKlauspost(file io.Reader) {
 
 	snappyReader := snappyKlauspost.NewReader(file)
 	var out []byte = make([]byte, 70)
-	snappyReader.Read(out) // $ hasValueFlow="snappyReader"
+	snappyReader.Read(out) // $ hasValueFlow="snappyReader" Alert
 	var buf bytes.Buffer
-	snappyReader.DecodeConcurrent(&buf, 2) // $ hasValueFlow="snappyReader"
-	snappyReader.ReadByte()                // $ hasValueFlow="snappyReader"
+	snappyReader.DecodeConcurrent(&buf, 2) // $ hasValueFlow="snappyReader" Alert
+	snappyReader.ReadByte()                // $ hasValueFlow="snappyReader" Alert
 	tarRead = tar.NewReader(snappyReader)
 
 	TarDecompressor(tarRead)
@@ -414,10 +414,10 @@ func S2(file io.Reader) {
 
 	s2Reader := s2.NewReader(file)
 	var out []byte = make([]byte, 70)
-	s2Reader.Read(out)  // $ hasValueFlow="s2Reader"
-	s2Reader.ReadByte() // $ hasValueFlow="s2Reader"
+	s2Reader.Read(out)  // $ hasValueFlow="s2Reader" Alert
+	s2Reader.ReadByte() // $ hasValueFlow="s2Reader" Alert
 	var buf bytes.Buffer
-	s2Reader.DecodeConcurrent(&buf, 2) // $ hasValueFlow="s2Reader"
+	s2Reader.DecodeConcurrent(&buf, 2) // $ hasValueFlow="s2Reader" Alert
 	tarRead = tar.NewReader(s2Reader)
 
 	TarDecompressor(tarRead)
@@ -442,14 +442,14 @@ func GZipIoReader(src io.Reader, dst string) {
 	dstF, _ := os.OpenFile(dst, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0755)
 	defer dstF.Close()
 	newSrc := io.Reader(gzipReader)
-	_, _ = io.Copy(dstF, newSrc) // $ hasValueFlow="newSrc"
+	_, _ = io.Copy(dstF, newSrc) // $ hasValueFlow="newSrc" Alert
 }
 func Gzip(file io.Reader) {
 	var tarRead *tar.Reader
 
 	gzipReader, _ := gzip.NewReader(file)
 	var out []byte = make([]byte, 70)
-	gzipReader.Read(out) // $ hasValueFlow="gzipReader"
+	gzipReader.Read(out) // $ hasValueFlow="gzipReader" Alert
 	tarRead = tar.NewReader(gzipReader)
 
 	TarDecompressor(tarRead)
@@ -474,9 +474,9 @@ func GzipKlauspost(file io.Reader) {
 
 	gzipReader, _ := gzipKlauspost.NewReader(file)
 	var out []byte = make([]byte, 70)
-	gzipReader.Read(out) // $ hasValueFlow="gzipReader"
+	gzipReader.Read(out) // $ hasValueFlow="gzipReader" Alert
 	var buf bytes.Buffer
-	gzipReader.WriteTo(&buf) // $ hasValueFlow="gzipReader"
+	gzipReader.WriteTo(&buf) // $ hasValueFlow="gzipReader" Alert
 	tarRead = tar.NewReader(gzipReader)
 
 	TarDecompressor(tarRead)
@@ -501,9 +501,9 @@ func PzipKlauspost(file io.Reader) {
 
 	pgzipReader, _ := pgzipKlauspost.NewReader(file)
 	var out []byte = make([]byte, 70)
-	pgzipReader.Read(out) // $ hasValueFlow="pgzipReader"
+	pgzipReader.Read(out) // $ hasValueFlow="pgzipReader" Alert
 	var buf bytes.Buffer
-	pgzipReader.WriteTo(&buf) // $ hasValueFlow="pgzipReader"
+	pgzipReader.WriteTo(&buf) // $ hasValueFlow="pgzipReader" Alert
 	tarRead = tar.NewReader(pgzipReader)
 
 	TarDecompressor(tarRead)
@@ -528,11 +528,11 @@ func Zstd_Klauspost(file io.Reader) {
 
 	zstdReader, _ := zstdKlauspost.NewReader(file)
 	var out []byte = make([]byte, 70)
-	zstdReader.Read(out) // $ hasValueFlow="zstdReader"
+	zstdReader.Read(out) // $ hasValueFlow="zstdReader" Alert
 	var buf bytes.Buffer
-	zstdReader.WriteTo(&buf) // $ hasValueFlow="zstdReader"
+	zstdReader.WriteTo(&buf) // $ hasValueFlow="zstdReader" Alert
 	var src []byte
-	zstdReader.DecodeAll(src, nil) // $ hasValueFlow="zstdReader"
+	zstdReader.DecodeAll(src, nil) // $ hasValueFlow="zstdReader" Alert
 	tarRead = tar.NewReader(zstdReader)
 
 	TarDecompressor(tarRead)
@@ -557,7 +557,7 @@ func Zstd_DataDog(file io.Reader) {
 
 	zstdReader := zstdDataDog.NewReader(file)
 	var out []byte = make([]byte, 70)
-	zstdReader.Read(out) // $ hasValueFlow="zstdReader"
+	zstdReader.Read(out) // $ hasValueFlow="zstdReader" Alert
 	tarRead = tar.NewReader(zstdReader)
 
 	TarDecompressor(tarRead)
@@ -582,7 +582,7 @@ func Xz(file io.Reader) {
 
 	xzReader, _ := xz.NewReader(file)
 	var out []byte = make([]byte, 70)
-	xzReader.Read(out) // $ hasValueFlow="xzReader"
+	xzReader.Read(out) // $ hasValueFlow="xzReader" Alert
 	tarRead = tar.NewReader(xzReader)
 	fmt.Println(io.SeekStart)
 
@@ -618,7 +618,7 @@ func TarDecompressor(tarRead *tar.Reader) {
 		if cur.Typeflag != tar.TypeReg {
 			continue
 		}
-		data, _ := io.ReadAll(tarRead) // $ hasValueFlow="tarRead"
+		data, _ := io.ReadAll(tarRead) // $ hasValueFlow="tarRead" Alert
 		files[cur.Name] = &fstest.MapFile{Data: data}
 	}
 	fmt.Print(files)
@@ -626,7 +626,7 @@ func TarDecompressor(tarRead *tar.Reader) {
 
 func TarDecompressor2(tarRead *tar.Reader) {
 	var tarOut []byte = make([]byte, 70)
-	tarRead.Read(tarOut) // $ hasValueFlow="tarRead"
+	tarRead.Read(tarOut) // $ hasValueFlow="tarRead" Alert
 	fmt.Println("do sth with output:", tarOut)
 }
 

go/ql/test/experimental/CWE-525/WebCacheDeception.qlref

@@ -1 +1,2 @@
-experimental/CWE-525/WebCacheDeception.ql
+query: experimental/CWE-525/WebCacheDeception.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

go/ql/test/experimental/CWE-525/WebCacheDeceptionBad.go

@@ -79,7 +79,7 @@ func badRoutingNet() {
 
 	http.Handle("/assets/", http.StripPrefix("/assets/", http.FileServer(http.Dir("assets/"))))
 
-	http.HandleFunc("/adminusers/", ShowAdminPageCache)
+	http.HandleFunc("/adminusers/", ShowAdminPageCache) // $ Alert
 	err := http.ListenAndServe(":1337", nil)
 	if err != nil {
 		log.Fatal("ListenAndServe: ", err)

go/ql/test/experimental/CWE-525/WebCacheDeceptionFiber.go

@@ -12,12 +12,12 @@ func badRouting() {
 	log.Println("We are logging in Golang!")
 
 	// GET /api/register
-	app.Get("/api/*", func(c *fiber.Ctx) error {
+	app.Get("/api/*", func(c *fiber.Ctx) error { // $ Alert
 		msg := fmt.Sprintf("✋")
 		return c.SendString(msg) // => ✋ register
 	})
 
-	app.Post("/api/*", func(c *fiber.Ctx) error {
+	app.Post("/api/*", func(c *fiber.Ctx) error { // $ Alert
 		msg := fmt.Sprintf("✋")
 		return c.SendString(msg) // => ✋ register
 	})

go/ql/test/experimental/CWE-525/WebCacheDeceptionGoChi.go

@@ -10,7 +10,7 @@ import (
 func badRoutingChi() {
 	r := chi.NewRouter()
 	r.Use(middleware.Logger)
-	r.Get("/*", func(w http.ResponseWriter, r *http.Request) {
+	r.Get("/*", func(w http.ResponseWriter, r *http.Request) { // $ Alert
 		w.Write([]byte("welcome"))
 	})
 	http.ListenAndServe(":3000", r)

go/ql/test/experimental/CWE-525/WebCacheDeceptionHTTPRouter.go

@@ -18,7 +18,7 @@ func Hello(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
 
 func badHTTPRouter() {
 	router := httprouter.New()
-	router.GET("/test/*test", Index)
+	router.GET("/test/*test", Index) // $ Alert
 	router.GET("/hello/:name", Hello)
 
 	log.Fatal(http.ListenAndServe(":8082", router))

go/ql/test/experimental/CWE-74/Dsn.go

@@ -23,10 +23,10 @@ func good() (interface{}, error) {
 }
 
 func bad() interface{} {
-	name2 := os.Args[1:]
+	name2 := os.Args[1:] // $ Source[go/dsn-injection-local]
 	// This is bad. `name` can be something like `test?allowAllFiles=true&` which will allow an attacker to access local files.
 	dbDSN := fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?charset=utf8", "username", "password", "127.0.0.1", 3306, name2[0])
-	db, _ := sql.Open("mysql", dbDSN)
+	db, _ := sql.Open("mysql", dbDSN) // $ Alert[go/dsn-injection-local]
 	return db
 }
 
@@ -44,10 +44,10 @@ func good2(w http.ResponseWriter, req *http.Request) (interface{}, error) {
 }
 
 func bad2(w http.ResponseWriter, req *http.Request) interface{} {
-	name := req.FormValue("name")
+	name := req.FormValue("name") // $ Source[go/dsn-injection]
 	// This is bad. `name` can be something like `test?allowAllFiles=true&` which will allow an attacker to access local files.
 	dbDSN := fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?charset=utf8", "username", "password", "127.0.0.1", 3306, name)
-	db, _ := sql.Open("mysql", dbDSN)
+	db, _ := sql.Open("mysql", dbDSN) // $ Alert[go/dsn-injection]
 	return db
 }
 
@@ -60,12 +60,12 @@ func (Config) Parse([]string) error { return nil }
 
 func RegexFuncModelTest(w http.ResponseWriter, req *http.Request) (interface{}, error) {
 	cfg := NewConfig()
-	err := cfg.Parse(os.Args[1:]) // This is bad. `name` can be something like `test?allowAllFiles=true&` which will allow an attacker to access local files.
+	err := cfg.Parse(os.Args[1:]) // $ Source[go/dsn-injection-local] // This is bad. `name` can be something like `test?allowAllFiles=true&` which will allow an attacker to access local files.
 	if err != nil {
 		return nil, err
 	}
 	dbDSN := fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?charset=utf8", "username", "password", "127.0.0.1", 3306, cfg.dsn)
-	db, _ := sql.Open("mysql", dbDSN)
+	db, _ := sql.Open("mysql", dbDSN) // $ Alert[go/dsn-injection-local]
 	return db, nil
 }
 

go/ql/test/experimental/CWE-74/DsnInjection.qlref

@@ -1,2 +1,4 @@
 query: experimental/CWE-74/DsnInjection.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

go/ql/test/experimental/CWE-74/DsnInjectionLocal.qlref

@@ -1,2 +1,4 @@
 query: experimental/CWE-74/DsnInjectionLocal.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

go/ql/test/experimental/CWE-807/SensitiveConditionBypass.qlref

@@ -1 +1,2 @@
-experimental/CWE-807/SensitiveConditionBypass.ql
+query: experimental/CWE-807/SensitiveConditionBypass.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

go/ql/test/experimental/CWE-807/SensitiveConditionBypassBad.go

@@ -4,7 +4,7 @@ import "net/http"
 
 func example(w http.ResponseWriter, r *http.Request) {
 	test2 := "test"
-	if r.Header.Get("X-Password") != test2 {
+	if r.Header.Get("X-Password") != test2 { // $ Alert
 		login()
 	}
 }

go/ql/test/experimental/CWE-807/condition.go

@@ -13,7 +13,7 @@ const test = "localhost"
 
 // Should alert as authkey is sensitive
 func ex1(w http.ResponseWriter, r *http.Request) {
-	if r.Header.Get("Origin") != test {
+	if r.Header.Get("Origin") != test { // $ Alert
 		authkey := "randomDatta"
 		io.WriteString(w, authkey)
 	}
@@ -22,7 +22,7 @@ func ex1(w http.ResponseWriter, r *http.Request) {
 // Should alert as authkey is sensitive
 func ex2(w http.ResponseWriter, r *http.Request) {
 	test2 := "test"
-	if r.Header.Get("Origin") != test2 {
+	if r.Header.Get("Origin") != test2 { // $ Alert
 		authkey := "randomDatta2"
 		io.WriteString(w, authkey)
 	}
@@ -31,7 +31,7 @@ func ex2(w http.ResponseWriter, r *http.Request) {
 // Should alert as login() is sensitive
 func ex3(w http.ResponseWriter, r *http.Request) {
 	test2 := "test"
-	if r.Header.Get("Origin") != test2 {
+	if r.Header.Get("Origin") != test2 { // $ Alert
 		login()
 	}
 }

go/ql/test/experimental/CWE-840/ConditionalBypass.qlref

@@ -1 +1,2 @@
-experimental/CWE-840/ConditionalBypass.ql
+query: experimental/CWE-840/ConditionalBypass.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

go/ql/test/experimental/CWE-840/ConditionalBypassBad.go

@@ -6,7 +6,7 @@ import (
 
 func exampleHandlerBad(w http.ResponseWriter, r *http.Request) {
 	// BAD: the Origin and Host headers are user controlled
-	if r.Header.Get("Origin") != "http://"+r.Host {
+	if r.Header.Get("Origin") != "http://"+r.Host { // $ Alert
 		//do something
 	}
 }

go/ql/test/experimental/CWE-840/condition.go

@@ -6,14 +6,14 @@ import (
 
 // BAD: taken from https://www.gorillatoolkit.org/pkg/websocket
 func ex1(w http.ResponseWriter, r *http.Request) {
-	if r.Header.Get("Origin") != "http://"+r.Host {
+	if r.Header.Get("Origin") != "http://"+r.Host { // $ Alert
 		//do something
 	}
 }
 
 // BAD: both operands are from remote sources
 func ex2(w http.ResponseWriter, r *http.Request) {
-	if r.Header.Get("Origin") != "http://"+r.Header.Get("Header") {
+	if r.Header.Get("Origin") != "http://"+r.Header.Get("Header") { // $ Alert
 		//do something
 	}
 }

go/ql/test/experimental/InconsistentCode/DeferInLoop.go

@@ -5,7 +5,7 @@ import "os"
 func openFiles(filenames []string) {
 	for _, filename := range filenames {
 		file, err := os.Open(filename)
-		defer file.Close()
+		defer file.Close() // $ Alert[go/examples/deferinloop]
 		if err != nil {
 			// handle error
 		}

go/ql/test/experimental/InconsistentCode/DeferInLoop.qlref

@@ -1 +1,2 @@
-experimental/InconsistentCode/DeferInLoop.ql
+query: experimental/InconsistentCode/DeferInLoop.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

go/ql/test/experimental/InconsistentCode/GORMErrorNotChecked.go

@@ -4,6 +4,6 @@ import "gorm.io/gorm"
 
 func getUserId(db *gorm.DB, name string) int64 {
 	var user User
-	db.Where("name = ?", name).First(&user)
+	db.Where("name = ?", name).First(&user) // $ Alert[go/examples/gorm-error-not-checked]
 	return user.Id
 }

go/ql/test/experimental/InconsistentCode/GORMErrorNotChecked.qlref

@@ -1 +1,2 @@
-experimental/InconsistentCode/GORMErrorNotChecked.ql
+query: experimental/InconsistentCode/GORMErrorNotChecked.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

go/ql/test/experimental/InconsistentCode/test.go

@@ -3,24 +3,24 @@ package main
 func test() {
 	var xs []int
 	for _ = range xs {
-		defer test() // not ok
+		defer test() // $ Alert[go/examples/deferinloop] // not ok
 	}
 
 	for _ = range xs {
 		if true {
-			defer test() // not ok
+			defer test() // $ Alert[go/examples/deferinloop] // not ok
 		}
 	}
 
 	for i := 0; i < 10; i++ {
-		defer test()
+		defer test() // $ Alert[go/examples/deferinloop]
 	}
 
 	for true {
-		defer test() // not ok
+		defer test() // $ Alert[go/examples/deferinloop] // not ok
 	}
 
 	for false {
-		defer test() // fine but caught
+		defer test() // $ Alert[go/examples/deferinloop] // fine but caught
 	}
 }

go/ql/test/experimental/Unsafe/WrongUsageOfUnsafe.expected

@@ -1,3 +1,15 @@
+#select
+| WrongUsageOfUnsafe.go:77:16:77:55 | type conversion | WrongUsageOfUnsafe.go:77:27:77:54 | type conversion | WrongUsageOfUnsafe.go:77:16:77:55 | type conversion | $@. | WrongUsageOfUnsafe.go:77:27:77:54 | type conversion | Dangerous array type casting to [8]uint8 from an index expression ([8]uint8)[2] (the destination type is 2 elements longer) |
+| WrongUsageOfUnsafe.go:111:16:111:59 | type conversion | WrongUsageOfUnsafe.go:111:31:111:58 | type conversion | WrongUsageOfUnsafe.go:111:16:111:59 | type conversion | $@. | WrongUsageOfUnsafe.go:111:31:111:58 | type conversion | Dangerous array type casting to [17]uint8 from an index expression ([8]uint8)[0] (the destination type is 9 elements longer) |
+| WrongUsageOfUnsafe.go:129:16:129:56 | type conversion | WrongUsageOfUnsafe.go:129:31:129:55 | type conversion | WrongUsageOfUnsafe.go:129:16:129:56 | type conversion | $@. | WrongUsageOfUnsafe.go:129:31:129:55 | type conversion | Dangerous array type casting to [17]uint8 from [8]uint8 |
+| WrongUsageOfUnsafe.go:149:16:149:56 | type conversion | WrongUsageOfUnsafe.go:149:31:149:55 | type conversion | WrongUsageOfUnsafe.go:149:16:149:56 | type conversion | $@. | WrongUsageOfUnsafe.go:149:31:149:55 | type conversion | Dangerous array type casting to [17]uint8 from [8]uint8 |
+| WrongUsageOfUnsafe.go:166:16:166:58 | type conversion | WrongUsageOfUnsafe.go:166:33:166:57 | type conversion | WrongUsageOfUnsafe.go:166:16:166:58 | type conversion | $@. | WrongUsageOfUnsafe.go:166:33:166:57 | type conversion | Dangerous array type casting to [17]string from [8]string |
+| WrongUsageOfUnsafe.go:189:16:189:56 | type conversion | WrongUsageOfUnsafe.go:189:31:189:55 | type conversion | WrongUsageOfUnsafe.go:189:16:189:56 | type conversion | $@. | WrongUsageOfUnsafe.go:189:31:189:55 | type conversion | Dangerous type up-casting to [17]uint8 from struct type |
+| WrongUsageOfUnsafe.go:211:16:211:61 | type conversion | WrongUsageOfUnsafe.go:211:31:211:60 | type conversion | WrongUsageOfUnsafe.go:211:16:211:61 | type conversion | $@. | WrongUsageOfUnsafe.go:211:31:211:60 | type conversion | Dangerous array type casting to [17]uint8 from [8]uint8 |
+| WrongUsageOfUnsafe.go:243:9:243:27 | type conversion | WrongUsageOfUnsafe.go:227:31:227:55 | type conversion | WrongUsageOfUnsafe.go:243:9:243:27 | type conversion | $@. | WrongUsageOfUnsafe.go:227:31:227:55 | type conversion | Dangerous array type casting to [17]uint8 from [8]uint8 |
+| WrongUsageOfUnsafe.go:256:16:256:53 | type conversion | WrongUsageOfUnsafe.go:256:28:256:52 | type conversion | WrongUsageOfUnsafe.go:256:16:256:53 | type conversion | $@. | WrongUsageOfUnsafe.go:256:28:256:52 | type conversion | Dangerous array type casting to [4]int64 from [1]int64 |
+| WrongUsageOfUnsafe.go:274:16:274:50 | type conversion | WrongUsageOfUnsafe.go:274:25:274:49 | type conversion | WrongUsageOfUnsafe.go:274:16:274:50 | type conversion | $@. | WrongUsageOfUnsafe.go:274:25:274:49 | type conversion | Dangerous numeric type casting to int64 from int8 |
+| WrongUsageOfUnsafe.go:292:16:292:48 | type conversion | WrongUsageOfUnsafe.go:292:23:292:47 | type conversion | WrongUsageOfUnsafe.go:292:16:292:48 | type conversion | $@. | WrongUsageOfUnsafe.go:292:23:292:47 | type conversion | Dangerous numeric type casting to int from int8 |
 edges
 | WrongUsageOfUnsafe.go:17:24:17:48 | type conversion | WrongUsageOfUnsafe.go:17:13:17:49 | type conversion | provenance |  |
 | WrongUsageOfUnsafe.go:34:24:34:51 | type conversion | WrongUsageOfUnsafe.go:34:13:34:52 | type conversion | provenance |  |
@@ -48,15 +60,3 @@ nodes
 | WrongUsageOfUnsafe.go:292:16:292:48 | type conversion | semmle.label | type conversion |
 | WrongUsageOfUnsafe.go:292:23:292:47 | type conversion | semmle.label | type conversion |
 subpaths
-#select
-| WrongUsageOfUnsafe.go:77:16:77:55 | type conversion | WrongUsageOfUnsafe.go:77:27:77:54 | type conversion | WrongUsageOfUnsafe.go:77:16:77:55 | type conversion | $@. | WrongUsageOfUnsafe.go:77:27:77:54 | type conversion | Dangerous array type casting to [8]uint8 from an index expression ([8]uint8)[2] (the destination type is 2 elements longer) |
-| WrongUsageOfUnsafe.go:111:16:111:59 | type conversion | WrongUsageOfUnsafe.go:111:31:111:58 | type conversion | WrongUsageOfUnsafe.go:111:16:111:59 | type conversion | $@. | WrongUsageOfUnsafe.go:111:31:111:58 | type conversion | Dangerous array type casting to [17]uint8 from an index expression ([8]uint8)[0] (the destination type is 9 elements longer) |
-| WrongUsageOfUnsafe.go:129:16:129:56 | type conversion | WrongUsageOfUnsafe.go:129:31:129:55 | type conversion | WrongUsageOfUnsafe.go:129:16:129:56 | type conversion | $@. | WrongUsageOfUnsafe.go:129:31:129:55 | type conversion | Dangerous array type casting to [17]uint8 from [8]uint8 |
-| WrongUsageOfUnsafe.go:149:16:149:56 | type conversion | WrongUsageOfUnsafe.go:149:31:149:55 | type conversion | WrongUsageOfUnsafe.go:149:16:149:56 | type conversion | $@. | WrongUsageOfUnsafe.go:149:31:149:55 | type conversion | Dangerous array type casting to [17]uint8 from [8]uint8 |
-| WrongUsageOfUnsafe.go:166:16:166:58 | type conversion | WrongUsageOfUnsafe.go:166:33:166:57 | type conversion | WrongUsageOfUnsafe.go:166:16:166:58 | type conversion | $@. | WrongUsageOfUnsafe.go:166:33:166:57 | type conversion | Dangerous array type casting to [17]string from [8]string |
-| WrongUsageOfUnsafe.go:189:16:189:56 | type conversion | WrongUsageOfUnsafe.go:189:31:189:55 | type conversion | WrongUsageOfUnsafe.go:189:16:189:56 | type conversion | $@. | WrongUsageOfUnsafe.go:189:31:189:55 | type conversion | Dangerous type up-casting to [17]uint8 from struct type |
-| WrongUsageOfUnsafe.go:211:16:211:61 | type conversion | WrongUsageOfUnsafe.go:211:31:211:60 | type conversion | WrongUsageOfUnsafe.go:211:16:211:61 | type conversion | $@. | WrongUsageOfUnsafe.go:211:31:211:60 | type conversion | Dangerous array type casting to [17]uint8 from [8]uint8 |
-| WrongUsageOfUnsafe.go:243:9:243:27 | type conversion | WrongUsageOfUnsafe.go:227:31:227:55 | type conversion | WrongUsageOfUnsafe.go:243:9:243:27 | type conversion | $@. | WrongUsageOfUnsafe.go:227:31:227:55 | type conversion | Dangerous array type casting to [17]uint8 from [8]uint8 |
-| WrongUsageOfUnsafe.go:256:16:256:53 | type conversion | WrongUsageOfUnsafe.go:256:28:256:52 | type conversion | WrongUsageOfUnsafe.go:256:16:256:53 | type conversion | $@. | WrongUsageOfUnsafe.go:256:28:256:52 | type conversion | Dangerous array type casting to [4]int64 from [1]int64 |
-| WrongUsageOfUnsafe.go:274:16:274:50 | type conversion | WrongUsageOfUnsafe.go:274:25:274:49 | type conversion | WrongUsageOfUnsafe.go:274:16:274:50 | type conversion | $@. | WrongUsageOfUnsafe.go:274:25:274:49 | type conversion | Dangerous numeric type casting to int64 from int8 |
-| WrongUsageOfUnsafe.go:292:16:292:48 | type conversion | WrongUsageOfUnsafe.go:292:23:292:47 | type conversion | WrongUsageOfUnsafe.go:292:16:292:48 | type conversion | $@. | WrongUsageOfUnsafe.go:292:23:292:47 | type conversion | Dangerous numeric type casting to int from int8 |

go/ql/test/experimental/Unsafe/WrongUsageOfUnsafe.go

@@ -74,7 +74,7 @@ func badIndexExpr() {
 	// the address of the 3rd element of the `harmless` array,
 	// and continue for 8 bytes, going out of the boundaries of
 	// `harmless` and crossing into the memory occupied by `secret`.
-	var leaking = (*[8]byte)(unsafe.Pointer(&harmless[2])) // BAD
+	var leaking = (*[8]byte)(unsafe.Pointer(&harmless[2])) // $ Alert // BAD
 
 	fmt.Println(string((*leaking)[:]))
 
@@ -108,7 +108,7 @@ func bad0() {
 
 	// Read before secret, overflowing into secret
 	// (notice we get the pointer to the first byte of harmless)
-	var leaking = (*[8 + 9]byte)(unsafe.Pointer(&harmless[0])) // BAD
+	var leaking = (*[8 + 9]byte)(unsafe.Pointer(&harmless[0])) // $ Alert // BAD
 
 	fmt.Println(string((*leaking)[:]))
 
@@ -126,7 +126,7 @@ func bad1() {
 
 	// Read before secret, overflowing into secret
 	// (notice we read more than the length of harmless)
-	var leaking = (*[8 + 9]byte)(unsafe.Pointer(&harmless)) // BAD
+	var leaking = (*[8 + 9]byte)(unsafe.Pointer(&harmless)) // $ Alert // BAD
 
 	fmt.Println(string((*leaking)[:]))
 
@@ -146,7 +146,7 @@ func bad2() {
 
 	// Read before secret, overflowing into secret
 	// (notice we read more than the length of harmless)
-	var leaking = (*[8 + 9]byte)(unsafe.Pointer(&harmless)) // BAD
+	var leaking = (*[8 + 9]byte)(unsafe.Pointer(&harmless)) // $ Alert // BAD
 
 	fmt.Println(string((*leaking)[:]))
 
@@ -163,7 +163,7 @@ func bad3() {
 
 	// Read before secret, overflowing into secret
 	// (notice we read more than the length of harmless)
-	var leaking = (*[8 + 9]string)(unsafe.Pointer(&harmless)) // BAD
+	var leaking = (*[8 + 9]string)(unsafe.Pointer(&harmless)) // $ Alert // BAD
 
 	fmt.Println(*leaking)
 	fmt.Println([17]string((*leaking)))
@@ -186,7 +186,7 @@ func bad4() {
 
 	// Read before secret, overflowing into secret
 	// (notice we read more than the length of harmless)
-	var leaking = (*[8 + 9]byte)(unsafe.Pointer(&harmless)) // BAD
+	var leaking = (*[8 + 9]byte)(unsafe.Pointer(&harmless)) // $ Alert // BAD
 
 	fmt.Println(string((*leaking)[:]))
 
@@ -208,7 +208,7 @@ func bad5() {
 
 	// Read before secret, overflowing into secret
 	// (notice we read more than the length of harmless)
-	var leaking = (*[8 + 9]byte)(unsafe.Pointer(&harmless.Data)) // BAD
+	var leaking = (*[8 + 9]byte)(unsafe.Pointer(&harmless.Data)) // $ Alert // BAD
 
 	fmt.Println(string(leaking[:]))
 
@@ -224,7 +224,7 @@ func bad6() {
 	secret := [9]byte{'s', 'e', 'n', 's', 'i', 't', 'i', 'v', 'e'}
 
 	// Read before secret:
-	var leaking = buffer_request(unsafe.Pointer(&harmless)) // BAD (see inside buffer_request func)
+	var leaking = buffer_request(unsafe.Pointer(&harmless)) // $ Source // BAD (see inside buffer_request func)
 
 	fmt.Println((string)(leaking[:]))
 
@@ -240,7 +240,7 @@ func buffer_request(req unsafe.Pointer) [8 + 9]byte {
 	// will be read, the read will also contain pieces of
 	// data from `secret`.
 	var buf [8 + 9]byte
-	buf = *(*[8 + 9]byte)(req) // BAD (from above func)
+	buf = *(*[8 + 9]byte)(req) // $ Alert // BAD (from above func)
 	return buf
 }
 func bad7() {
@@ -253,7 +253,7 @@ func bad7() {
 	// (notice we read more than the length of harmless);
 	// the leaking array will not contain letters,
 	// but integers representing bytes from `secret`.
-	var leaking = (*[4]int64)(unsafe.Pointer(&harmless)) // BAD
+	var leaking = (*[4]int64)(unsafe.Pointer(&harmless)) // $ Alert // BAD
 
 	fmt.Println(*leaking)
 
@@ -271,7 +271,7 @@ func bad8() {
 	// Read before secret, overflowing into secret
 	// (notice we read more than the length of harmless);
 	// the leaking data will contain some bits from `secret`.
-	var leaking = (*int64)(unsafe.Pointer(&harmless)) // BAD
+	var leaking = (*int64)(unsafe.Pointer(&harmless)) // $ Alert // BAD
 
 	fmt.Println(*leaking)
 
@@ -289,7 +289,7 @@ func bad9() {
 	// Read before secret, overflowing into secret
 	// (notice we read more than the length of harmless);
 	// the leaking data will contain some bits from `secret`.
-	var leaking = (*int)(unsafe.Pointer(&harmless)) // BAD
+	var leaking = (*int)(unsafe.Pointer(&harmless)) // $ Alert // BAD
 
 	fmt.Println(*leaking)
 

go/ql/test/experimental/Unsafe/WrongUsageOfUnsafe.qlref

@@ -1 +1,2 @@
-experimental/Unsafe/WrongUsageOfUnsafe.ql
+query: experimental/Unsafe/WrongUsageOfUnsafe.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

go/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/SqlInjection.qlref

@@ -1,2 +1,4 @@
 query: Security/CWE-089/SqlInjection.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

go/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/StoredXss.qlref

@@ -1,2 +1,4 @@
 query: Security/CWE-079/StoredXss.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

go/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/test.go

@@ -8,61 +8,61 @@ import (
 
 // BAD: using untrusted data in SQL queries
 func testDbMethods(bdb *orm.DB, untrustedSource *http.Request) {
-	untrusted := untrustedSource.UserAgent()
+	untrusted := untrustedSource.UserAgent() // $ Source[go/sql-injection]
 
-	bdb.Exec(untrusted)                 // $ querystring=untrusted
-	bdb.ExecContext(nil, untrusted)     // $ querystring=untrusted
-	bdb.Prepare(untrusted)              // $ querystring=untrusted
-	bdb.PrepareContext(nil, untrusted)  // $ querystring=untrusted
-	bdb.Query(untrusted)                // $ querystring=untrusted
-	bdb.QueryContext(nil, untrusted)    // $ querystring=untrusted
-	bdb.QueryRow(untrusted)             // $ querystring=untrusted
-	bdb.QueryRowContext(nil, untrusted) // $ querystring=untrusted
+	bdb.Exec(untrusted)                 // $ querystring=untrusted Alert[go/sql-injection]
+	bdb.ExecContext(nil, untrusted)     // $ querystring=untrusted Alert[go/sql-injection]
+	bdb.Prepare(untrusted)              // $ querystring=untrusted Alert[go/sql-injection]
+	bdb.PrepareContext(nil, untrusted)  // $ querystring=untrusted Alert[go/sql-injection]
+	bdb.Query(untrusted)                // $ querystring=untrusted Alert[go/sql-injection]
+	bdb.QueryContext(nil, untrusted)    // $ querystring=untrusted Alert[go/sql-injection]
+	bdb.QueryRow(untrusted)             // $ querystring=untrusted Alert[go/sql-injection]
+	bdb.QueryRowContext(nil, untrusted) // $ querystring=untrusted Alert[go/sql-injection]
 }
 
 // BAD: using untrusted data to build SQL queries (QueryBuilder does not sanitize its arguments)
 func testQueryBuilderMethods(qb orm.QueryBuilder, untrustedSource *http.Request) {
-	untrusted := untrustedSource.UserAgent()
-	untrusted2 := untrustedSource.UserAgent()
+	untrusted := untrustedSource.UserAgent()  // $ Source[go/sql-injection]
+	untrusted2 := untrustedSource.UserAgent() // $ Source[go/sql-injection]
 
-	qb.Select(untrusted)                 // $ querystring=untrusted
-	qb.From(untrusted)                   // $ querystring=untrusted
-	qb.InnerJoin(untrusted)              // $ querystring=untrusted
-	qb.LeftJoin(untrusted)               // $ querystring=untrusted
-	qb.RightJoin(untrusted)              // $ querystring=untrusted
-	qb.On(untrusted)                     // $ querystring=untrusted
-	qb.Where(untrusted)                  // $ querystring=untrusted
-	qb.And(untrusted)                    // $ querystring=untrusted
-	qb.Or(untrusted)                     // $ querystring=untrusted
-	qb.In(untrusted)                     // $ querystring=untrusted
-	qb.OrderBy(untrusted)                // $ querystring=untrusted
-	qb.GroupBy(untrusted)                // $ querystring=untrusted
-	qb.Having(untrusted)                 // $ querystring=untrusted
-	qb.Update(untrusted)                 // $ querystring=untrusted
-	qb.Set(untrusted)                    // $ querystring=untrusted
-	qb.Delete(untrusted)                 // $ querystring=untrusted
-	qb.InsertInto(untrusted, untrusted2) // $ querystring=untrusted querystring=untrusted2
-	qb.Values(untrusted)                 // $ querystring=untrusted
-	qb.Subquery(untrusted, untrusted2)   // $ querystring=untrusted querystring=untrusted2
+	qb.Select(untrusted)                 // $ querystring=untrusted Alert[go/sql-injection]
+	qb.From(untrusted)                   // $ querystring=untrusted Alert[go/sql-injection]
+	qb.InnerJoin(untrusted)              // $ querystring=untrusted Alert[go/sql-injection]
+	qb.LeftJoin(untrusted)               // $ querystring=untrusted Alert[go/sql-injection]
+	qb.RightJoin(untrusted)              // $ querystring=untrusted Alert[go/sql-injection]
+	qb.On(untrusted)                     // $ querystring=untrusted Alert[go/sql-injection]
+	qb.Where(untrusted)                  // $ querystring=untrusted Alert[go/sql-injection]
+	qb.And(untrusted)                    // $ querystring=untrusted Alert[go/sql-injection]
+	qb.Or(untrusted)                     // $ querystring=untrusted Alert[go/sql-injection]
+	qb.In(untrusted)                     // $ querystring=untrusted Alert[go/sql-injection]
+	qb.OrderBy(untrusted)                // $ querystring=untrusted Alert[go/sql-injection]
+	qb.GroupBy(untrusted)                // $ querystring=untrusted Alert[go/sql-injection]
+	qb.Having(untrusted)                 // $ querystring=untrusted Alert[go/sql-injection]
+	qb.Update(untrusted)                 // $ querystring=untrusted Alert[go/sql-injection]
+	qb.Set(untrusted)                    // $ querystring=untrusted Alert[go/sql-injection]
+	qb.Delete(untrusted)                 // $ querystring=untrusted Alert[go/sql-injection]
+	qb.InsertInto(untrusted, untrusted2) // $ querystring=untrusted querystring=untrusted2 Alert[go/sql-injection]
+	qb.Values(untrusted)                 // $ querystring=untrusted Alert[go/sql-injection]
+	qb.Subquery(untrusted, untrusted2)   // $ querystring=untrusted querystring=untrusted2 Alert[go/sql-injection]
 }
 
 func testOrmerRaw(ormer orm.Ormer, untrustedSource *http.Request) {
-	untrusted := untrustedSource.UserAgent()
+	untrusted := untrustedSource.UserAgent() // $ Source[go/sql-injection]
 	untrusted2 := untrustedSource.UserAgent()
-	ormer.Raw(untrusted, untrusted2)                    // $ querystring=untrusted         // BAD: using an untrusted string as a query
+	ormer.Raw(untrusted, untrusted2)                    // $ querystring=untrusted Alert[go/sql-injection] // BAD: using an untrusted string as a query
 	ormer.Raw("FROM ? SELECT ?", untrusted, untrusted2) // $ querystring="FROM ? SELECT ?" // GOOD: untrusted string used in argument context
 }
 
 func testFilterRaw(querySeter orm.QuerySeter, untrustedSource *http.Request) {
-	untrusted := untrustedSource.UserAgent()
-	querySeter.FilterRaw(untrusted, "safe") // $ querystring="safe"    // GOOD: untrusted used as a column name
-	querySeter.FilterRaw("safe", untrusted) // $ querystring=untrusted // BAD: untrusted used as a SQL fragment
+	untrusted := untrustedSource.UserAgent() // $ Source[go/sql-injection]
+	querySeter.FilterRaw(untrusted, "safe")  // $ querystring="safe"    // GOOD: untrusted used as a column name
+	querySeter.FilterRaw("safe", untrusted)  // $ querystring=untrusted Alert[go/sql-injection] // BAD: untrusted used as a SQL fragment
 }
 
 func testConditionRaw(cond orm.Condition, untrustedSource *http.Request) {
-	untrusted := untrustedSource.UserAgent()
-	cond.Raw(untrusted, "safe") // $ querystring="safe"    // GOOD: untrusted used as a column name
-	cond.Raw("safe", untrusted) // $ querystring=untrusted // BAD: untrusted used as a SQL fragment
+	untrusted := untrustedSource.UserAgent() // $ Source[go/sql-injection]
+	cond.Raw(untrusted, "safe")              // $ querystring="safe"    // GOOD: untrusted used as a column name
+	cond.Raw("safe", untrusted)              // $ querystring=untrusted Alert[go/sql-injection] // BAD: untrusted used as a SQL fragment
 }
 
 type SubStruct struct {
@@ -77,90 +77,90 @@ type MyStruct struct {
 // BAD: (possible stored XSS) retrieving data from a database then writing to an HTTP response
 func testOrmerReads(ormer orm.Ormer, sink http.ResponseWriter) {
 	obj := MyStruct{}
-	ormer.Read(&obj)
-	sink.Write([]byte(obj.field))
-	sink.Write([]byte(obj.substructs[0].field))
+	ormer.Read(&obj)                            // $ Source[go/stored-xss]
+	sink.Write([]byte(obj.field))               // $ Alert[go/stored-xss]
+	sink.Write([]byte(obj.substructs[0].field)) // $ Alert[go/stored-xss]
 
 	obj2 := MyStruct{}
-	ormer.ReadForUpdate(&obj2)
-	sink.Write([]byte(obj2.field))
+	ormer.ReadForUpdate(&obj2)     // $ Source[go/stored-xss]
+	sink.Write([]byte(obj2.field)) // $ Alert[go/stored-xss]
 
 	obj3 := MyStruct{}
-	ormer.ReadOrCreate(&obj3, "arg")
-	sink.Write([]byte(obj3.field))
+	ormer.ReadOrCreate(&obj3, "arg") // $ Source[go/stored-xss]
+	sink.Write([]byte(obj3.field))   // $ Alert[go/stored-xss]
 }
 
 // BAD: (possible stored XSS) retrieving data from a database then writing to an HTTP response
 func testFieldReads(textField *orm.TextField, jsonField *orm.JSONField, jsonbField *orm.JsonbField, sink http.ResponseWriter) {
-	sink.Write([]byte(textField.Value()))
-	sink.Write([]byte(textField.RawValue().(string)))
-	sink.Write([]byte(textField.String()))
-	sink.Write([]byte(jsonField.Value()))
-	sink.Write([]byte(jsonField.RawValue().(string)))
-	sink.Write([]byte(jsonField.String()))
-	sink.Write([]byte(jsonbField.Value()))
-	sink.Write([]byte(jsonbField.RawValue().(string)))
-	sink.Write([]byte(jsonbField.String()))
+	sink.Write([]byte(textField.Value()))              // $ Alert[go/stored-xss]
+	sink.Write([]byte(textField.RawValue().(string)))  // $ Alert[go/stored-xss]
+	sink.Write([]byte(textField.String()))             // $ Alert[go/stored-xss]
+	sink.Write([]byte(jsonField.Value()))              // $ Alert[go/stored-xss]
+	sink.Write([]byte(jsonField.RawValue().(string)))  // $ Alert[go/stored-xss]
+	sink.Write([]byte(jsonField.String()))             // $ Alert[go/stored-xss]
+	sink.Write([]byte(jsonbField.Value()))             // $ Alert[go/stored-xss]
+	sink.Write([]byte(jsonbField.RawValue().(string))) // $ Alert[go/stored-xss]
+	sink.Write([]byte(jsonbField.String()))            // $ Alert[go/stored-xss]
 }
 
 // BAD: (possible stored XSS) retrieving data from a database then writing to an HTTP response
 func testQuerySeterReads(qs orm.QuerySeter, sink http.ResponseWriter) {
 	var objs []*MyStruct
-	qs.All(&objs)
-	sink.Write([]byte(objs[0].field))
+	qs.All(&objs)                     // $ Source[go/stored-xss]
+	sink.Write([]byte(objs[0].field)) // $ Alert[go/stored-xss]
 
 	var obj MyStruct
-	qs.One(&obj)
-	sink.Write([]byte(obj.field))
+	qs.One(&obj)                  // $ Source[go/stored-xss]
+	sink.Write([]byte(obj.field)) // $ Alert[go/stored-xss]
 
 	var allMaps []orm.Params
-	qs.Values(&allMaps)
-	sink.Write([]byte(allMaps[0]["field"].(string)))
+	qs.Values(&allMaps)                              // $ Source[go/stored-xss]
+	sink.Write([]byte(allMaps[0]["field"].(string))) // $ Alert[go/stored-xss]
 
 	var allLists []orm.ParamsList
-	qs.ValuesList(&allLists)
-	sink.Write([]byte(allLists[0][0].(string)))
+	qs.ValuesList(&allLists)                    // $ Source[go/stored-xss]
+	sink.Write([]byte(allLists[0][0].(string))) // $ Alert[go/stored-xss]
 
 	var oneList orm.ParamsList
-	qs.ValuesFlat(&oneList, "colname")
-	sink.Write([]byte(oneList[0].(string)))
+	qs.ValuesFlat(&oneList, "colname")      // $ Source[go/stored-xss]
+	sink.Write([]byte(oneList[0].(string))) // $ Alert[go/stored-xss]
 
 	var oneRowMap orm.Params
-	qs.RowsToMap(&oneRowMap, "key", "value")
-	sink.Write([]byte(oneRowMap["field"].(string)))
+	qs.RowsToMap(&oneRowMap, "key", "value")        // $ Source[go/stored-xss]
+	sink.Write([]byte(oneRowMap["field"].(string))) // $ Alert[go/stored-xss]
 
 	var oneRowStruct MyStruct
-	qs.RowsToStruct(&oneRowStruct, "key", "value")
-	sink.Write([]byte(oneRowStruct.field))
+	qs.RowsToStruct(&oneRowStruct, "key", "value") // $ Source[go/stored-xss]
+	sink.Write([]byte(oneRowStruct.field))         // $ Alert[go/stored-xss]
 }
 
 // BAD: (possible stored XSS) retrieving data from a database then writing to an HTTP response
 func testRawSeterReads(rs orm.RawSeter, sink http.ResponseWriter) {
 	var allMaps []orm.Params
-	rs.Values(&allMaps)
-	sink.Write([]byte(allMaps[0]["field"].(string)))
+	rs.Values(&allMaps)                              // $ Source[go/stored-xss]
+	sink.Write([]byte(allMaps[0]["field"].(string))) // $ Alert[go/stored-xss]
 
 	var allLists []orm.ParamsList
-	rs.ValuesList(&allLists)
-	sink.Write([]byte(allLists[0][0].(string)))
+	rs.ValuesList(&allLists)                    // $ Source[go/stored-xss]
+	sink.Write([]byte(allLists[0][0].(string))) // $ Alert[go/stored-xss]
 
 	var oneList orm.ParamsList
-	rs.ValuesFlat(&oneList, "colname")
-	sink.Write([]byte(oneList[0].(string)))
+	rs.ValuesFlat(&oneList, "colname")      // $ Source[go/stored-xss]
+	sink.Write([]byte(oneList[0].(string))) // $ Alert[go/stored-xss]
 
 	var oneRowMap orm.Params
-	rs.RowsToMap(&oneRowMap, "key", "value")
-	sink.Write([]byte(oneRowMap["field"].(string)))
+	rs.RowsToMap(&oneRowMap, "key", "value")        // $ Source[go/stored-xss]
+	sink.Write([]byte(oneRowMap["field"].(string))) // $ Alert[go/stored-xss]
 
 	var oneRowStruct MyStruct
-	rs.RowsToStruct(&oneRowStruct, "key", "value")
-	sink.Write([]byte(oneRowStruct.field))
+	rs.RowsToStruct(&oneRowStruct, "key", "value") // $ Source[go/stored-xss]
+	sink.Write([]byte(oneRowStruct.field))         // $ Alert[go/stored-xss]
 
 	var strField string
-	rs.QueryRow(&strField)
-	sink.Write([]byte(strField))
+	rs.QueryRow(&strField)       // $ Source[go/stored-xss]
+	sink.Write([]byte(strField)) // $ Alert[go/stored-xss]
 
 	var strFields []string
-	rs.QueryRows(&strFields)
-	sink.Write([]byte(strFields[0]))
+	rs.QueryRows(&strFields)         // $ Source[go/stored-xss]
+	sink.Write([]byte(strFields[0])) // $ Alert[go/stored-xss]
 }

go/ql/test/library-tests/semmle/go/frameworks/Chi/ReflectedXss.qlref

@@ -1,2 +1,4 @@
 query: Security/CWE-079/ReflectedXss.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

go/ql/test/library-tests/semmle/go/frameworks/Chi/test.go

@@ -10,7 +10,7 @@ var hidden string
 
 func hideUserData(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		hidden = r.URL.Path
+		hidden = r.URL.Path // $ Source
 		next.ServeHTTP(w, r)
 	})
 }
@@ -18,10 +18,10 @@ func hideUserData(next http.Handler) http.Handler {
 func main() {
 	r := chi.NewRouter()
 	r.With(hideUserData).Get("/", func(w http.ResponseWriter, r *http.Request) {
-		w.Write([]byte(hidden))
-		w.Write([]byte(chi.URLParam(r, "someParam")))
-		w.Write([]byte(chi.URLParamFromCtx(r.Context(), "someKey")))
-		w.Write([]byte(chi.RouteContext(r.Context()).URLParam("someOtherKey")))
+		w.Write([]byte(hidden))                                                 // $ Alert
+		w.Write([]byte(chi.URLParam(r, "someParam")))                           // $ Alert
+		w.Write([]byte(chi.URLParamFromCtx(r.Context(), "someKey")))            // $ Alert
+		w.Write([]byte(chi.RouteContext(r.Context()).URLParam("someOtherKey"))) // $ Alert
 	})
 	http.ListenAndServe(":3000", r)
 }

go/ql/test/library-tests/semmle/go/frameworks/Echo/OpenRedirect.qlref

@@ -1,2 +1,4 @@
 query: Security/CWE-601/OpenUrlRedirect.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

go/ql/test/library-tests/semmle/go/frameworks/Echo/ReflectedXss.qlref

@@ -1,2 +1,4 @@
 query: Security/CWE-079/ReflectedXss.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

go/ql/test/library-tests/semmle/go/frameworks/Echo/TaintedPath.qlref

@@ -1,2 +1,4 @@
 query: Security/CWE-022/TaintedPath.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

go/ql/test/library-tests/semmle/go/frameworks/Echo/test.go

@@ -12,81 +12,81 @@ import (
 // All are XSS vulnerabilities, except as specifically noted.
 
 func testParam(ctx echo.Context) error {
-	param := ctx.Param("someParam")
-	ctx.HTML(200, param)
+	param := ctx.Param("someParam") // $ Source[go/reflected-xss]
+	ctx.HTML(200, param)            // $ Alert[go/reflected-xss]
 	return nil
 }
 
 func testParamValues(ctx echo.Context) error {
-	param := ctx.ParamValues()[0]
-	ctx.HTML(200, param)
+	param := ctx.ParamValues()[0] // $ Source[go/reflected-xss]
+	ctx.HTML(200, param)          // $ Alert[go/reflected-xss]
 	return nil
 }
 
 func testQueryParam(ctx echo.Context) error {
-	param := ctx.QueryParam("someParam")
-	ctx.HTML(200, param)
+	param := ctx.QueryParam("someParam") // $ Source[go/reflected-xss]
+	ctx.HTML(200, param)                 // $ Alert[go/reflected-xss]
 	return nil
 }
 
 func testQueryParams(ctx echo.Context) error {
-	param := ctx.QueryParams()["someParam"][0]
-	ctx.HTML(200, param)
+	param := ctx.QueryParams()["someParam"][0] // $ Source[go/reflected-xss]
+	ctx.HTML(200, param)                       // $ Alert[go/reflected-xss]
 	return nil
 }
 
 func testQueryString(ctx echo.Context) error {
-	qstr := ctx.QueryString()
-	ctx.HTML(200, qstr)
+	qstr := ctx.QueryString() // $ Source[go/reflected-xss]
+	ctx.HTML(200, qstr)       // $ Alert[go/reflected-xss]
 	return nil
 }
 
 func testFormValue(ctx echo.Context) error {
-	val := ctx.FormValue("someField")
-	ctx.HTML(200, val)
+	val := ctx.FormValue("someField") // $ Source[go/reflected-xss]
+	ctx.HTML(200, val)                // $ Alert[go/reflected-xss]
 	return nil
 }
 
 func testFormParams(ctx echo.Context) error {
-	params, _ := ctx.FormParams()
-	ctx.HTML(200, params["someField"][0])
+	params, _ := ctx.FormParams()         // $ Source[go/reflected-xss]
+	ctx.HTML(200, params["someField"][0]) // $ Alert[go/reflected-xss]
 	return nil
 }
 
 func testFormFile(ctx echo.Context) error {
-	fileHeader, _ := ctx.FormFile("someFilename")
+	fileHeader, _ := ctx.FormFile("someFilename") // $ Source[go/reflected-xss]
 	file, _ := fileHeader.Open()
 	buffer := make([]byte, 100)
 	file.Read(buffer)
-	ctx.HTMLBlob(200, buffer)
+	ctx.HTMLBlob(200, buffer) // $ Alert[go/reflected-xss]
 	return nil
 }
 
 func testMultipartFormValue(ctx echo.Context) error {
-	form, _ := ctx.MultipartForm()
-	ctx.HTML(200, form.Value["someField"][0])
+	form, _ := ctx.MultipartForm()            // $ Source[go/reflected-xss]
+	ctx.HTML(200, form.Value["someField"][0]) // $ Alert[go/reflected-xss]
 	return nil
 }
 
 func testMultipartFormFile(ctx echo.Context) error {
-	form, _ := ctx.MultipartForm()
+	form, _ := ctx.MultipartForm() // $ Source[go/reflected-xss]
 	fileHeader := form.File["someFilename"][0]
 	file, _ := fileHeader.Open()
 	buffer := make([]byte, 100)
 	file.Read(buffer)
-	ctx.HTMLBlob(200, buffer)
+	ctx.HTMLBlob(200, buffer) // $ Alert[go/reflected-xss]
 	return nil
 }
 
 func testCookie(ctx echo.Context) error {
-	val, _ := ctx.Cookie("someKey")
-	ctx.HTML(200, val.Value)
+	val, _ := ctx.Cookie("someKey") // $ Source[go/reflected-xss]
+	ctx.HTML(200, val.Value)        // $ Alert[go/reflected-xss]
 	return nil
 }
 
 func testCookies(ctx echo.Context) error {
-	cookies := ctx.Cookies()
-	ctx.HTML(200, cookies[0].Value)
+	cookies := ctx.Cookies()        // $ Source[go/reflected-xss]
+	ctx.HTML(200, cookies[0].Value) // $ Alert[go/reflected-xss]
 	return nil
 }
 
@@ -96,8 +96,8 @@ type myStruct struct {
 
 func testBind(ctx echo.Context) error {
 	data := myStruct{}
-	ctx.Bind(&data)
-	ctx.HTML(200, data.s)
+	ctx.Bind(&data)       // $ Source[go/reflected-xss]
+	ctx.HTML(200, data.s) // $ Alert[go/reflected-xss]
 	return nil
 }
 
@@ -110,8 +110,8 @@ func testGetSetEmpty(ctx echo.Context) error {
 }
 
 func testGetSet(ctx echo.Context) error {
-	ctx.Set("someKey", ctx.Param("someParam"))
-	ctx.HTML(200, ctx.Get("someKey").(string)) // BAD, the context is tainted
+	ctx.Set("someKey", ctx.Param("someParam")) // $ Source[go/reflected-xss]
+	ctx.HTML(200, ctx.Get("someKey").(string)) // $ Alert[go/reflected-xss] // BAD, the context is tainted
 	return nil
 }
 
@@ -121,20 +121,20 @@ func testGetSet(ctx echo.Context) error {
 // All are XSS vulnerabilities, except as specifically noted.
 
 func testHTML(ctx echo.Context) error {
-	param := ctx.Param("someParam")
-	ctx.HTML(200, param)
+	param := ctx.Param("someParam") // $ Source[go/reflected-xss]
+	ctx.HTML(200, param)            // $ Alert[go/reflected-xss]
 	return nil
 }
 
 func testHTMLBlob(ctx echo.Context) error {
-	param := ctx.Param("someParam")
-	ctx.HTMLBlob(200, []byte(param))
+	param := ctx.Param("someParam")  // $ Source[go/reflected-xss]
+	ctx.HTMLBlob(200, []byte(param)) // $ Alert[go/reflected-xss]
 	return nil
 }
 
 func testBlob(ctx echo.Context) error {
-	param := ctx.Param("someParam")
-	ctx.Blob(200, "text/html", []byte(param)) // BAD, the content-type is HTML
+	param := ctx.Param("someParam")           // $ Source[go/reflected-xss]
+	ctx.Blob(200, "text/html", []byte(param)) // $ Alert[go/reflected-xss] // BAD, the content-type is HTML
 	return nil
 }
 
@@ -145,9 +145,9 @@ func testBlobSafe(ctx echo.Context) error {
 }
 
 func testStream(ctx echo.Context) error {
-	param := ctx.Param("someParam")
+	param := ctx.Param("someParam") // $ Source[go/reflected-xss]
 	reader := strings.NewReader(param)
-	ctx.Stream(200, "text/html", reader) // BAD, the content-type is HTML
+	ctx.Stream(200, "text/html", reader) // $ Alert[go/reflected-xss] // BAD, the content-type is HTML
 	return nil
 }
 
@@ -161,28 +161,28 @@ func testStreamSafe(ctx echo.Context) error {
 // Section: testing output methods defined on Response (XSS vulnerability)
 
 func testResponseWrite(ctx echo.Context) error {
-	param := ctx.Param("someParam")
-	ctx.Response().Write([]byte(param))
+	param := ctx.Param("someParam")     // $ Source[go/reflected-xss]
+	ctx.Response().Write([]byte(param)) // $ Alert[go/reflected-xss]
 	return nil
 }
 
 // Section: test detecting an open redirect using the Context.Redirect function:
 
 func testRedirect(ctx echo.Context) error {
-	param := ctx.Param("someParam")
-	ctx.Redirect(301, param)
+	param := ctx.Param("someParam") // $ Source[go/unvalidated-url-redirection]
+	ctx.Redirect(301, param)        // $ Alert[go/unvalidated-url-redirection]
 	return nil
 }
 
 func testLocalRedirects(ctx echo.Context) error {
-	param := ctx.Param("someParam")
+	param := ctx.Param("someParam") // $ Source[go/unvalidated-url-redirection]
 	param2 := param
 	param3 := param
 	// Gratuitous copy because sanitization of uses propagates to subsequent uses
 	// GOOD: local redirects are unproblematic
 	ctx.Redirect(301, "/local"+param)
 	// BAD: this could be a non-local redirect
-	ctx.Redirect(301, "/"+param2)
+	ctx.Redirect(301, "/"+param2) // $ Alert[go/unvalidated-url-redirection]
 	// GOOD: localhost redirects are unproblematic
 	ctx.Redirect(301, "//localhost/"+param3)
 	return nil
@@ -221,12 +221,12 @@ func testNonExploitableFields(ctx echo.Context) error {
 func fsOpsTest() {
 	e := echo.New()
 	e.GET("/", func(c echo.Context) error {
-		filepath := c.QueryParam("filePath")
-		return c.File(filepath) // $ FileSystemAccess=filepath
+		filepath := c.QueryParam("filePath") // $ Source[go/path-injection]
+		return c.File(filepath)              // $ FileSystemAccess=filepath Alert[go/path-injection]
 	})
 	e.GET("/attachment", func(c echo.Context) error {
-		filepath := c.QueryParam("filePath")
-		return c.Attachment(filepath, "file name in response") // $ FileSystemAccess=filepath
+		filepath := c.QueryParam("filePath")                   // $ Source[go/path-injection]
+		return c.Attachment(filepath, "file name in response") // $ FileSystemAccess=filepath Alert[go/path-injection]
 	})
 	_ = e.Start(":1323")
 }

go/ql/test/library-tests/semmle/go/frameworks/GoMicro/LogInjection.expected

@@ -1,8 +1,8 @@
+#select
+| main.go:21:28:21:31 | name | main.go:18:46:18:48 | definition of req | main.go:21:28:21:31 | name | This log entry depends on a $@. | main.go:18:46:18:48 | definition of req | user-provided value |
 edges
 | main.go:18:46:18:48 | definition of req | main.go:21:28:21:31 | name | provenance |  |
 nodes
 | main.go:18:46:18:48 | definition of req | semmle.label | definition of req |
 | main.go:21:28:21:31 | name | semmle.label | name |
 subpaths
-#select
-| main.go:21:28:21:31 | name | main.go:18:46:18:48 | definition of req | main.go:21:28:21:31 | name | This log entry depends on a $@. | main.go:18:46:18:48 | definition of req | user-provided value |

go/ql/test/library-tests/semmle/go/frameworks/GoMicro/LogInjection.qlref

@@ -1 +1,2 @@
-Security/CWE-117/LogInjection.ql
+query: Security/CWE-117/LogInjection.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

go/ql/test/library-tests/semmle/go/frameworks/GoMicro/main.go

@@ -15,10 +15,10 @@ import (
 
 type Greeter struct{}
 
-func (g *Greeter) Hello(ctx context.Context, req *pb.Request, rsp *pb.Response) error { // $ serverRequest="definition of req"
+func (g *Greeter) Hello(ctx context.Context, req *pb.Request, rsp *pb.Response) error { // $ serverRequest="definition of req" Source
 	// var access
 	name := req.Name
-	fmt.Println("Name :: %s", name)
+	fmt.Println("Name :: %s", name) // $ Alert
 	return nil
 }
 

go/ql/test/library-tests/semmle/go/frameworks/Revel/CONSISTENCY/DataFlowConsistency.expected

@@ -1,28 +1,28 @@
 reverseRead
-| EndToEnd.go:30:35:30:35 | implicit read of field Controller | Origin of readStep is missing a PostUpdateNode. |
-| EndToEnd.go:30:35:30:42 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| EndToEnd.go:36:18:36:18 | implicit read of field Controller | Origin of readStep is missing a PostUpdateNode. |
-| EndToEnd.go:36:18:36:25 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| EndToEnd.go:44:18:44:18 | implicit read of field Controller | Origin of readStep is missing a PostUpdateNode. |
-| EndToEnd.go:44:18:44:25 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| EndToEnd.go:51:20:51:20 | implicit read of field Controller | Origin of readStep is missing a PostUpdateNode. |
-| EndToEnd.go:51:20:51:27 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| EndToEnd.go:58:18:58:18 | implicit read of field Controller | Origin of readStep is missing a PostUpdateNode. |
-| EndToEnd.go:58:18:58:25 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| EndToEnd.go:64:26:64:26 | implicit read of field Controller | Origin of readStep is missing a PostUpdateNode. |
-| EndToEnd.go:64:26:64:33 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| EndToEnd.go:69:22:69:22 | implicit read of field Controller | Origin of readStep is missing a PostUpdateNode. |
-| EndToEnd.go:69:22:69:29 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| EndToEnd.go:74:22:74:22 | implicit read of field Controller | Origin of readStep is missing a PostUpdateNode. |
-| EndToEnd.go:74:22:74:29 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| EndToEnd.go:79:35:79:35 | implicit read of field Controller | Origin of readStep is missing a PostUpdateNode. |
-| EndToEnd.go:79:35:79:42 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| EndToEnd.go:84:22:84:22 | implicit read of field Controller | Origin of readStep is missing a PostUpdateNode. |
-| EndToEnd.go:84:22:84:29 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| EndToEnd.go:89:21:89:21 | implicit read of field Controller | Origin of readStep is missing a PostUpdateNode. |
-| EndToEnd.go:89:21:89:28 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| EndToEnd.go:94:20:94:20 | implicit read of field Controller | Origin of readStep is missing a PostUpdateNode. |
-| EndToEnd.go:94:20:94:27 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| EndToEnd.go:31:35:31:35 | implicit read of field Controller | Origin of readStep is missing a PostUpdateNode. |
+| EndToEnd.go:31:35:31:42 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| EndToEnd.go:37:18:37:18 | implicit read of field Controller | Origin of readStep is missing a PostUpdateNode. |
+| EndToEnd.go:37:18:37:25 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| EndToEnd.go:45:18:45:18 | implicit read of field Controller | Origin of readStep is missing a PostUpdateNode. |
+| EndToEnd.go:45:18:45:25 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| EndToEnd.go:52:20:52:20 | implicit read of field Controller | Origin of readStep is missing a PostUpdateNode. |
+| EndToEnd.go:52:20:52:27 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| EndToEnd.go:59:18:59:18 | implicit read of field Controller | Origin of readStep is missing a PostUpdateNode. |
+| EndToEnd.go:59:18:59:25 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| EndToEnd.go:65:26:65:26 | implicit read of field Controller | Origin of readStep is missing a PostUpdateNode. |
+| EndToEnd.go:65:26:65:33 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| EndToEnd.go:70:22:70:22 | implicit read of field Controller | Origin of readStep is missing a PostUpdateNode. |
+| EndToEnd.go:70:22:70:29 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| EndToEnd.go:75:22:75:22 | implicit read of field Controller | Origin of readStep is missing a PostUpdateNode. |
+| EndToEnd.go:75:22:75:29 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| EndToEnd.go:80:35:80:35 | implicit read of field Controller | Origin of readStep is missing a PostUpdateNode. |
+| EndToEnd.go:80:35:80:42 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| EndToEnd.go:85:22:85:22 | implicit read of field Controller | Origin of readStep is missing a PostUpdateNode. |
+| EndToEnd.go:85:22:85:29 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| EndToEnd.go:90:21:90:21 | implicit read of field Controller | Origin of readStep is missing a PostUpdateNode. |
+| EndToEnd.go:90:21:90:28 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| EndToEnd.go:95:20:95:20 | implicit read of field Controller | Origin of readStep is missing a PostUpdateNode. |
+| EndToEnd.go:95:20:95:27 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
 | Revel.go:26:7:26:7 | implicit read of field Controller | Origin of readStep is missing a PostUpdateNode. |
 | Revel.go:27:7:27:7 | implicit read of field Controller | Origin of readStep is missing a PostUpdateNode. |
 | Revel.go:27:7:27:14 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |

go/ql/test/library-tests/semmle/go/frameworks/Revel/EndToEnd.go

@@ -3,10 +3,11 @@ package main
 import (
 	"bytes"
 	"errors"
-	staticControllers "github.com/revel/modules/static/app/controllers"
-	"github.com/revel/revel"
 	"os"
 	"time"
+
+	staticControllers "github.com/revel/modules/static/app/controllers"
+	"github.com/revel/revel"
 )
 
 // Use typical inheritence pattern, per github.com/revel/examples/booking:
@@ -33,8 +34,8 @@ func (c MyRoute) Handler1() revel.Result {
 func (c MyRoute) Handler2() revel.Result {
 	// BAD: the RenderBinary function copies an `io.Reader` to the user's browser.
 	buf := &bytes.Buffer{}
-	buf.WriteString(c.Params.Form.Get("someField"))
-	return c.RenderBinary(buf, "index.html", revel.Inline, time.Now()) // $ responsebody='buf'
+	buf.WriteString(c.Params.Form.Get("someField"))                    // $ Source[go/reflected-xss]
+	return c.RenderBinary(buf, "index.html", revel.Inline, time.Now()) // $ responsebody='buf' Alert[go/reflected-xss]
 }
 
 func (c MyRoute) Handler3() revel.Result {
@@ -55,18 +56,18 @@ func (c MyRoute) Handler4() revel.Result {
 func (c MyRoute) Handler5() revel.Result {
 	// BAD: returning an arbitrary file (but this is detected at the os.Open call, not
 	// due to modelling Revel)
-	f, _ := os.Open(c.Params.Form.Get("someField"))
+	f, _ := os.Open(c.Params.Form.Get("someField")) // $ Alert[go/path-injection]
 	return c.RenderFile(f, revel.Inline)
 }
 
 func (c MyRoute) Handler6() revel.Result {
 	// BAD: returning an arbitrary file (detected as a user-controlled file-op, not XSS)
-	return c.RenderFileName(c.Params.Form.Get("someField"), revel.Inline)
+	return c.RenderFileName(c.Params.Form.Get("someField"), revel.Inline) // $ Alert[go/path-injection]
 }
 
 func (c MyRoute) Handler7() revel.Result {
 	// BAD: straightforward XSS
-	return c.RenderHTML(c.Params.Form.Get("someField")) // $ responsebody='call to Get'
+	return c.RenderHTML(c.Params.Form.Get("someField")) // $ responsebody='call to Get' Alert[go/reflected-xss]
 }
 
 func (c MyRoute) Handler8() revel.Result {
@@ -91,5 +92,5 @@ func (c MyRoute) Handler11() revel.Result {
 
 func (c MyRoute) Handler12() revel.Result {
 	// BAD: open redirect
-	return c.Redirect(c.Params.Form.Get("someField"))
+	return c.Redirect(c.Params.Form.Get("someField")) // $ Alert[go/unvalidated-url-redirection]
 }

go/ql/test/library-tests/semmle/go/frameworks/Revel/OpenRedirect.expected

@@ -1,19 +1,19 @@
 #select
-| EndToEnd.go:94:20:94:49 | call to Get | EndToEnd.go:94:20:94:27 | selection of Params | EndToEnd.go:94:20:94:49 | call to Get | This path to an untrusted URL redirection depends on a $@. | EndToEnd.go:94:20:94:27 | selection of Params | user-provided value |
+| EndToEnd.go:95:20:95:49 | call to Get | EndToEnd.go:95:20:95:27 | selection of Params | EndToEnd.go:95:20:95:49 | call to Get | This path to an untrusted URL redirection depends on a $@. | EndToEnd.go:95:20:95:27 | selection of Params | user-provided value |
 edges
-| EndToEnd.go:94:20:94:27 | implicit dereference | EndToEnd.go:94:20:94:27 | selection of Params [postupdate] | provenance | Config |
-| EndToEnd.go:94:20:94:27 | implicit dereference | EndToEnd.go:94:20:94:32 | selection of Form | provenance | Config |
-| EndToEnd.go:94:20:94:27 | selection of Params | EndToEnd.go:94:20:94:27 | implicit dereference | provenance | Src:MaD:2 Config |
-| EndToEnd.go:94:20:94:27 | selection of Params | EndToEnd.go:94:20:94:32 | selection of Form | provenance | Src:MaD:2 Config |
-| EndToEnd.go:94:20:94:27 | selection of Params [postupdate] | EndToEnd.go:94:20:94:27 | implicit dereference | provenance | Config |
-| EndToEnd.go:94:20:94:32 | selection of Form | EndToEnd.go:94:20:94:49 | call to Get | provenance | Config Sink:MaD:1 |
+| EndToEnd.go:95:20:95:27 | implicit dereference | EndToEnd.go:95:20:95:27 | selection of Params [postupdate] | provenance | Config |
+| EndToEnd.go:95:20:95:27 | implicit dereference | EndToEnd.go:95:20:95:32 | selection of Form | provenance | Config |
+| EndToEnd.go:95:20:95:27 | selection of Params | EndToEnd.go:95:20:95:27 | implicit dereference | provenance | Src:MaD:2 Config |
+| EndToEnd.go:95:20:95:27 | selection of Params | EndToEnd.go:95:20:95:32 | selection of Form | provenance | Src:MaD:2 Config |
+| EndToEnd.go:95:20:95:27 | selection of Params [postupdate] | EndToEnd.go:95:20:95:27 | implicit dereference | provenance | Config |
+| EndToEnd.go:95:20:95:32 | selection of Form | EndToEnd.go:95:20:95:49 | call to Get | provenance | Config Sink:MaD:1 |
 models
 | 1 | Sink: group:revel; Controller; true; Redirect; ; ; Argument[0]; url-redirection; manual |
 | 2 | Source: group:revel; Controller; true; Params; ; ; ; remote; manual |
 nodes
-| EndToEnd.go:94:20:94:27 | implicit dereference | semmle.label | implicit dereference |
-| EndToEnd.go:94:20:94:27 | selection of Params | semmle.label | selection of Params |
-| EndToEnd.go:94:20:94:27 | selection of Params [postupdate] | semmle.label | selection of Params [postupdate] |
-| EndToEnd.go:94:20:94:32 | selection of Form | semmle.label | selection of Form |
-| EndToEnd.go:94:20:94:49 | call to Get | semmle.label | call to Get |
+| EndToEnd.go:95:20:95:27 | implicit dereference | semmle.label | implicit dereference |
+| EndToEnd.go:95:20:95:27 | selection of Params | semmle.label | selection of Params |
+| EndToEnd.go:95:20:95:27 | selection of Params [postupdate] | semmle.label | selection of Params [postupdate] |
+| EndToEnd.go:95:20:95:32 | selection of Form | semmle.label | selection of Form |
+| EndToEnd.go:95:20:95:49 | call to Get | semmle.label | call to Get |
 subpaths

go/ql/test/library-tests/semmle/go/frameworks/Revel/OpenRedirect.qlref

@@ -1,2 +1,4 @@
 query: Security/CWE-601/OpenUrlRedirect.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

go/ql/test/library-tests/semmle/go/frameworks/Revel/ReflectedXss.expected

@@ -1,16 +1,16 @@
 #select
-| EndToEnd.go:37:24:37:26 | buf | EndToEnd.go:36:18:36:25 | selection of Params | EndToEnd.go:37:24:37:26 | buf | Cross-site scripting vulnerability due to $@. | EndToEnd.go:36:18:36:25 | selection of Params | user-provided value | EndToEnd.go:0:0:0:0 | EndToEnd.go |  |
-| EndToEnd.go:69:22:69:51 | call to Get | EndToEnd.go:69:22:69:29 | selection of Params | EndToEnd.go:69:22:69:51 | call to Get | Cross-site scripting vulnerability due to $@. | EndToEnd.go:69:22:69:29 | selection of Params | user-provided value | EndToEnd.go:0:0:0:0 | EndToEnd.go |  |
+| EndToEnd.go:38:24:38:26 | buf | EndToEnd.go:37:18:37:25 | selection of Params | EndToEnd.go:38:24:38:26 | buf | Cross-site scripting vulnerability due to $@. | EndToEnd.go:37:18:37:25 | selection of Params | user-provided value | EndToEnd.go:0:0:0:0 | EndToEnd.go |  |
+| EndToEnd.go:70:22:70:51 | call to Get | EndToEnd.go:70:22:70:29 | selection of Params | EndToEnd.go:70:22:70:51 | call to Get | Cross-site scripting vulnerability due to $@. | EndToEnd.go:70:22:70:29 | selection of Params | user-provided value | EndToEnd.go:0:0:0:0 | EndToEnd.go |  |
 | Revel.go:70:22:70:35 | selection of Query | Revel.go:70:22:70:29 | selection of Params | Revel.go:70:22:70:35 | selection of Query | Cross-site scripting vulnerability due to $@. The value is $@. | Revel.go:70:22:70:29 | selection of Params | user-provided value | views/myAppController/rawRead.html:1:1:2:9 | {{raw .Foo}}\n{{.Bar}}\n | instantiated as a raw template |
 | examples/booking/app/init.go:36:44:36:53 | selection of Path | examples/booking/app/init.go:36:44:36:48 | selection of URL | examples/booking/app/init.go:36:44:36:53 | selection of Path | Cross-site scripting vulnerability due to $@. | examples/booking/app/init.go:36:44:36:48 | selection of URL | user-provided value | examples/booking/app/init.go:0:0:0:0 | examples/booking/app/init.go |  |
 | examples/booking/app/init.go:40:49:40:58 | selection of Path | examples/booking/app/init.go:40:49:40:53 | selection of URL | examples/booking/app/init.go:40:49:40:58 | selection of Path | Cross-site scripting vulnerability due to $@. | examples/booking/app/init.go:40:49:40:53 | selection of URL | user-provided value | examples/booking/app/init.go:0:0:0:0 | examples/booking/app/init.go |  |
 edges
-| EndToEnd.go:36:2:36:4 | buf [postupdate] | EndToEnd.go:37:24:37:26 | buf | provenance |  |
-| EndToEnd.go:36:18:36:25 | selection of Params | EndToEnd.go:36:18:36:30 | selection of Form | provenance | Src:MaD:1  |
-| EndToEnd.go:36:18:36:30 | selection of Form | EndToEnd.go:36:18:36:47 | call to Get | provenance | MaD:4 |
-| EndToEnd.go:36:18:36:47 | call to Get | EndToEnd.go:36:2:36:4 | buf [postupdate] | provenance | MaD:3 |
-| EndToEnd.go:69:22:69:29 | selection of Params | EndToEnd.go:69:22:69:34 | selection of Form | provenance | Src:MaD:1  |
-| EndToEnd.go:69:22:69:34 | selection of Form | EndToEnd.go:69:22:69:51 | call to Get | provenance | MaD:4 |
+| EndToEnd.go:37:2:37:4 | buf [postupdate] | EndToEnd.go:38:24:38:26 | buf | provenance |  |
+| EndToEnd.go:37:18:37:25 | selection of Params | EndToEnd.go:37:18:37:30 | selection of Form | provenance | Src:MaD:1  |
+| EndToEnd.go:37:18:37:30 | selection of Form | EndToEnd.go:37:18:37:47 | call to Get | provenance | MaD:4 |
+| EndToEnd.go:37:18:37:47 | call to Get | EndToEnd.go:37:2:37:4 | buf [postupdate] | provenance | MaD:3 |
+| EndToEnd.go:70:22:70:29 | selection of Params | EndToEnd.go:70:22:70:34 | selection of Form | provenance | Src:MaD:1  |
+| EndToEnd.go:70:22:70:34 | selection of Form | EndToEnd.go:70:22:70:51 | call to Get | provenance | MaD:4 |
 | Revel.go:70:22:70:29 | selection of Params | Revel.go:70:22:70:35 | selection of Query | provenance | Src:MaD:1  |
 | examples/booking/app/init.go:36:44:36:48 | selection of URL | examples/booking/app/init.go:36:44:36:53 | selection of Path | provenance | Src:MaD:2  |
 | examples/booking/app/init.go:40:49:40:53 | selection of URL | examples/booking/app/init.go:40:49:40:58 | selection of Path | provenance | Src:MaD:2  |
@@ -20,14 +20,14 @@ models
 | 3 | Summary: io; StringWriter; true; WriteString; ; ; Argument[0]; Argument[receiver]; taint; manual |
 | 4 | Summary: net/url; Values; true; Get; ; ; Argument[receiver]; ReturnValue; taint; manual |
 nodes
-| EndToEnd.go:36:2:36:4 | buf [postupdate] | semmle.label | buf [postupdate] |
-| EndToEnd.go:36:18:36:25 | selection of Params | semmle.label | selection of Params |
-| EndToEnd.go:36:18:36:30 | selection of Form | semmle.label | selection of Form |
-| EndToEnd.go:36:18:36:47 | call to Get | semmle.label | call to Get |
-| EndToEnd.go:37:24:37:26 | buf | semmle.label | buf |
-| EndToEnd.go:69:22:69:29 | selection of Params | semmle.label | selection of Params |
-| EndToEnd.go:69:22:69:34 | selection of Form | semmle.label | selection of Form |
-| EndToEnd.go:69:22:69:51 | call to Get | semmle.label | call to Get |
+| EndToEnd.go:37:2:37:4 | buf [postupdate] | semmle.label | buf [postupdate] |
+| EndToEnd.go:37:18:37:25 | selection of Params | semmle.label | selection of Params |
+| EndToEnd.go:37:18:37:30 | selection of Form | semmle.label | selection of Form |
+| EndToEnd.go:37:18:37:47 | call to Get | semmle.label | call to Get |
+| EndToEnd.go:38:24:38:26 | buf | semmle.label | buf |
+| EndToEnd.go:70:22:70:29 | selection of Params | semmle.label | selection of Params |
+| EndToEnd.go:70:22:70:34 | selection of Form | semmle.label | selection of Form |
+| EndToEnd.go:70:22:70:51 | call to Get | semmle.label | call to Get |
 | Revel.go:70:22:70:29 | selection of Params | semmle.label | selection of Params |
 | Revel.go:70:22:70:35 | selection of Query | semmle.label | selection of Query |
 | examples/booking/app/init.go:36:44:36:48 | selection of URL | semmle.label | selection of URL |

go/ql/test/library-tests/semmle/go/frameworks/Revel/ReflectedXss.qlref

@@ -1,2 +1,4 @@
 query: Security/CWE-079/ReflectedXss.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

go/ql/test/library-tests/semmle/go/frameworks/Revel/Revel.go

@@ -67,7 +67,7 @@ func (c myAppController) accessingParamsJSONIsUnsafe() {
 func (c myAppController) rawRead() { // $ responsebody='argument corresponding to c'
 	c.ViewArgs["Foo"] = "<p>raw HTML</p>" // $ responsebody='"<p>raw HTML</p>"'
 	c.ViewArgs["Bar"] = "<p>not raw HTML</p>"
-	c.ViewArgs["Foo"] = c.Params.Query // $ responsebody='selection of Query'
+	c.ViewArgs["Foo"] = c.Params.Query // $ responsebody='selection of Query' Alert[go/reflected-xss]
 	c.Render()
 }
 

go/ql/test/library-tests/semmle/go/frameworks/Revel/TaintedPath.expected

@@ -1,21 +1,21 @@
 #select
-| EndToEnd.go:58:18:58:47 | call to Get | EndToEnd.go:58:18:58:25 | selection of Params | EndToEnd.go:58:18:58:47 | call to Get | This path depends on a $@. | EndToEnd.go:58:18:58:25 | selection of Params | user-provided value |
-| EndToEnd.go:64:26:64:55 | call to Get | EndToEnd.go:64:26:64:33 | selection of Params | EndToEnd.go:64:26:64:55 | call to Get | This path depends on a $@. | EndToEnd.go:64:26:64:33 | selection of Params | user-provided value |
+| EndToEnd.go:59:18:59:47 | call to Get | EndToEnd.go:59:18:59:25 | selection of Params | EndToEnd.go:59:18:59:47 | call to Get | This path depends on a $@. | EndToEnd.go:59:18:59:25 | selection of Params | user-provided value |
+| EndToEnd.go:65:26:65:55 | call to Get | EndToEnd.go:65:26:65:33 | selection of Params | EndToEnd.go:65:26:65:55 | call to Get | This path depends on a $@. | EndToEnd.go:65:26:65:33 | selection of Params | user-provided value |
 edges
-| EndToEnd.go:58:18:58:25 | selection of Params | EndToEnd.go:58:18:58:30 | selection of Form | provenance | Src:MaD:3  |
-| EndToEnd.go:58:18:58:30 | selection of Form | EndToEnd.go:58:18:58:47 | call to Get | provenance | MaD:4 Sink:MaD:2 |
-| EndToEnd.go:64:26:64:33 | selection of Params | EndToEnd.go:64:26:64:38 | selection of Form | provenance | Src:MaD:3  |
-| EndToEnd.go:64:26:64:38 | selection of Form | EndToEnd.go:64:26:64:55 | call to Get | provenance | MaD:4 Sink:MaD:1 |
+| EndToEnd.go:59:18:59:25 | selection of Params | EndToEnd.go:59:18:59:30 | selection of Form | provenance | Src:MaD:3  |
+| EndToEnd.go:59:18:59:30 | selection of Form | EndToEnd.go:59:18:59:47 | call to Get | provenance | MaD:4 Sink:MaD:2 |
+| EndToEnd.go:65:26:65:33 | selection of Params | EndToEnd.go:65:26:65:38 | selection of Form | provenance | Src:MaD:3  |
+| EndToEnd.go:65:26:65:38 | selection of Form | EndToEnd.go:65:26:65:55 | call to Get | provenance | MaD:4 Sink:MaD:1 |
 models
 | 1 | Sink: group:revel; Controller; true; RenderFileName; ; ; Argument[0]; path-injection; manual |
 | 2 | Sink: os; ; false; Open; ; ; Argument[0]; path-injection; manual |
 | 3 | Source: group:revel; Controller; true; Params; ; ; ; remote; manual |
 | 4 | Summary: net/url; Values; true; Get; ; ; Argument[receiver]; ReturnValue; taint; manual |
 nodes
-| EndToEnd.go:58:18:58:25 | selection of Params | semmle.label | selection of Params |
-| EndToEnd.go:58:18:58:30 | selection of Form | semmle.label | selection of Form |
-| EndToEnd.go:58:18:58:47 | call to Get | semmle.label | call to Get |
-| EndToEnd.go:64:26:64:33 | selection of Params | semmle.label | selection of Params |
-| EndToEnd.go:64:26:64:38 | selection of Form | semmle.label | selection of Form |
-| EndToEnd.go:64:26:64:55 | call to Get | semmle.label | call to Get |
+| EndToEnd.go:59:18:59:25 | selection of Params | semmle.label | selection of Params |
+| EndToEnd.go:59:18:59:30 | selection of Form | semmle.label | selection of Form |
+| EndToEnd.go:59:18:59:47 | call to Get | semmle.label | call to Get |
+| EndToEnd.go:65:26:65:33 | selection of Params | semmle.label | selection of Params |
+| EndToEnd.go:65:26:65:38 | selection of Form | semmle.label | selection of Form |
+| EndToEnd.go:65:26:65:55 | call to Get | semmle.label | call to Get |
 subpaths

go/ql/test/library-tests/semmle/go/frameworks/Revel/TaintedPath.qlref

@@ -1,2 +1,4 @@
 query: Security/CWE-022/TaintedPath.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

go/ql/test/library-tests/semmle/go/frameworks/Revel/examples/booking/app/init.go

@@ -33,11 +33,11 @@ func init() {
 		switch event {
 		case revel.ENGINE_BEFORE_INITIALIZED:
 			revel.AddHTTPMux("/this/is/a/test", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-				fmt.Fprintln(w, "Hi there, it worked", r.URL.Path) // $ responsebody='selection of Path' responsebody='"Hi there, it worked"'
+				fmt.Fprintln(w, "Hi there, it worked", r.URL.Path) // $ responsebody='selection of Path' responsebody='"Hi there, it worked"' Alert[go/reflected-xss]
 				w.WriteHeader(200)
 			}))
 			revel.AddHTTPMux("/this/is/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-				fmt.Fprintln(w, "Hi there, shorter prefix", r.URL.Path) // $ responsebody='selection of Path' responsebody='"Hi there, shorter prefix"'
+				fmt.Fprintln(w, "Hi there, shorter prefix", r.URL.Path) // $ responsebody='selection of Path' responsebody='"Hi there, shorter prefix"' Alert[go/reflected-xss]
 				w.WriteHeader(200)
 			}))
 		}

go/ql/test/library-tests/semmle/go/frameworks/XNetHtml/ReflectedXss.qlref

@@ -1,2 +1,4 @@
 query: Security/CWE-079/ReflectedXss.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

go/ql/test/library-tests/semmle/go/frameworks/XNetHtml/SqlInjection.qlref

@@ -1,2 +1,4 @@
 query: Security/CWE-089/SqlInjection.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

go/ql/test/library-tests/semmle/go/frameworks/XNetHtml/test.go

@@ -9,50 +9,50 @@ import (
 
 func test(request *http.Request, writer http.ResponseWriter) {
 
-	param1 := request.URL.Query().Get("param1")
+	param1 := request.URL.Query().Get("param1")     // $ Source[go/reflected-xss]
 	writer.Write([]byte(html.EscapeString(param1))) // GOOD: escaped.
 
-	writer.Write([]byte(html.UnescapeString(param1))) // BAD: unescaped.
+	writer.Write([]byte(html.UnescapeString(param1))) // $ Alert[go/reflected-xss] // BAD: unescaped.
 
-	node, _ := html.Parse(request.Body)
-	writer.Write([]byte(node.Data)) // BAD: writing unescaped HTML data
+	node, _ := html.Parse(request.Body) // $ Source[go/reflected-xss]
+	writer.Write([]byte(node.Data))     // $ Alert[go/reflected-xss] // BAD: writing unescaped HTML data
 
-	node2, _ := html.ParseWithOptions(request.Body)
-	writer.Write([]byte(node2.Data)) // BAD: writing unescaped HTML data
+	node2, _ := html.ParseWithOptions(request.Body) // $ Source[go/reflected-xss]
+	writer.Write([]byte(node2.Data))                // $ Alert[go/reflected-xss] // BAD: writing unescaped HTML data
 
-	nodes, _ := html.ParseFragment(request.Body, nil)
-	writer.Write([]byte(nodes[0].Data)) // BAD: writing unescaped HTML data
+	nodes, _ := html.ParseFragment(request.Body, nil) // $ Source[go/reflected-xss]
+	writer.Write([]byte(nodes[0].Data))               // $ Alert[go/reflected-xss] // BAD: writing unescaped HTML data
 
-	nodes2, _ := html.ParseFragmentWithOptions(request.Body, nil)
-	writer.Write([]byte(nodes2[0].Data)) // BAD: writing unescaped HTML data
+	nodes2, _ := html.ParseFragmentWithOptions(request.Body, nil) // $ Source[go/reflected-xss]
+	writer.Write([]byte(nodes2[0].Data))                          // $ Alert[go/reflected-xss] // BAD: writing unescaped HTML data
 
-	html.Render(writer, node) // BAD: rendering untrusted HTML to `writer`
+	html.Render(writer, node) // $ Alert[go/reflected-xss] // BAD: rendering untrusted HTML to `writer`
 
-	tokenizer := html.NewTokenizer(request.Body)
-	writer.Write(tokenizer.Buffered()) // BAD: writing unescaped HTML data
-	writer.Write(tokenizer.Raw())      // BAD: writing unescaped HTML data
+	tokenizer := html.NewTokenizer(request.Body) // $ Source[go/reflected-xss]
+	writer.Write(tokenizer.Buffered())           // $ Alert[go/reflected-xss] // BAD: writing unescaped HTML data
+	writer.Write(tokenizer.Raw())                // $ Alert[go/reflected-xss] // BAD: writing unescaped HTML data
 	_, value, _ := tokenizer.TagAttr()
-	writer.Write(value)                          // BAD: writing unescaped HTML data
-	writer.Write(tokenizer.Text())               // BAD: writing unescaped HTML data
-	writer.Write([]byte(tokenizer.Token().Data)) // BAD: writing unescaped HTML data
+	writer.Write(value)                          // $ Alert[go/reflected-xss] // BAD: writing unescaped HTML data
+	writer.Write(tokenizer.Text())               // $ Alert[go/reflected-xss] // BAD: writing unescaped HTML data
+	writer.Write([]byte(tokenizer.Token().Data)) // $ Alert[go/reflected-xss] // BAD: writing unescaped HTML data
 
-	tokenizerFragment := html.NewTokenizerFragment(request.Body, "some context")
-	writer.Write(tokenizerFragment.Buffered()) // BAD: writing unescaped HTML data
+	tokenizerFragment := html.NewTokenizerFragment(request.Body, "some context") // $ Source[go/reflected-xss]
+	writer.Write(tokenizerFragment.Buffered())                                   // $ Alert[go/reflected-xss] // BAD: writing unescaped HTML data
 
 	var cleanNode html.Node
-	taintedNode, _ := html.Parse(request.Body)
+	taintedNode, _ := html.Parse(request.Body) // $ Source[go/reflected-xss]
 	cleanNode.AppendChild(taintedNode)
-	html.Render(writer, &cleanNode) // BAD: writing unescaped HTML data
+	html.Render(writer, &cleanNode) // $ Alert[go/reflected-xss] // BAD: writing unescaped HTML data
 
 	var cleanNode2 html.Node
-	taintedNode2, _ := html.Parse(request.Body)
+	taintedNode2, _ := html.Parse(request.Body) // $ Source[go/reflected-xss]
 	cleanNode2.InsertBefore(taintedNode2, &cleanNode2)
-	html.Render(writer, &cleanNode2) // BAD: writing unescaped HTML data
+	html.Render(writer, &cleanNode2) // $ Alert[go/reflected-xss] // BAD: writing unescaped HTML data
 
 }
 
 func sqlTest(request *http.Request, db *sql.DB) {
 	// Ensure EscapeString is a taint propagator for non-XSS queries, e.g. SQL injection:
-	cookie, _ := request.Cookie("SomeCookie")
-	db.Query(html.EscapeString(cookie.Value))
+	cookie, _ := request.Cookie("SomeCookie") // $ Source[go/sql-injection]
+	db.Query(html.EscapeString(cookie.Value)) // $ Alert[go/sql-injection]
 }

go/ql/test/query-tests/InconsistentCode/ConstantLengthComparison/ConstantLengthComparison.go

@@ -2,7 +2,7 @@ package main
 
 func isPrefixOf(xs, ys []int) bool {
 	for i := 0; i < len(xs); i++ {
-		if len(ys) == 0 || xs[i] != ys[i] { // NOT OK
+		if len(ys) == 0 || xs[i] != ys[i] { // $ Alert // NOT OK
 			return false
 		}
 	}

go/ql/test/query-tests/InconsistentCode/ConstantLengthComparison/ConstantLengthComparison.qlref

@@ -1 +1,2 @@
-InconsistentCode/ConstantLengthComparison.ql
+query: InconsistentCode/ConstantLengthComparison.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

go/ql/test/query-tests/InconsistentCode/InconsistentLoopOrientation/InconsistentLoopOrientation.go

@@ -7,7 +7,7 @@ func zeroOutExceptBad(a []int, lower int, upper int) {
 	}
 
 	// zero out everything above index `upper`
-	for i := upper + 1; i < len(a); i-- { // NOT OK
+	for i := upper + 1; i < len(a); i-- { // $ Alert // NOT OK
 		a[i] = 0
 	}
 }

go/ql/test/query-tests/InconsistentCode/InconsistentLoopOrientation/InconsistentLoopOrientation.qlref

@@ -1 +1,2 @@
-InconsistentCode/InconsistentLoopOrientation.ql
+query: InconsistentCode/InconsistentLoopOrientation.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

go/ql/test/query-tests/InconsistentCode/InconsistentLoopOrientation/main.go

@@ -6,12 +6,12 @@ func f1(i int) {
 }
 
 func f2(i int, s string) {
-	for j := i + 1; j < len(s); j-- { // NOT OK
+	for j := i + 1; j < len(s); j-- { // $ Alert // NOT OK
 	}
 }
 
 func f3(s string) {
-	for i, l := 0, len(s); i > l; i++ { // NOT OK
+	for i, l := 0, len(s); i > l; i++ { // $ Alert // NOT OK
 	}
 }
 
@@ -22,7 +22,7 @@ func f4(lower int, a []int) {
 }
 
 func f5(upper int, a []int) {
-	for i := upper + 1; i < len(a); i-- { // NOT OK
+	for i := upper + 1; i < len(a); i-- { // $ Alert // NOT OK
 		a[i] = 0
 	}
 }

go/ql/test/query-tests/InconsistentCode/LengthComparisonOffByOne/LengthComparisonOffByOne.go

@@ -5,9 +5,9 @@ import "strings"
 func containsBad(searchName string, names string) bool {
 	values := strings.Split(names, ",")
 	// BAD: index could be equal to length
-	for i := 0; i <= len(values); i++ {
+	for i := 0; i <= len(values); i++ { // $ Alert
 		// When i = length, this access will be out of bounds
-		if values[i] == searchName {
+		if values[i] == searchName { // $ Source
 			return true
 		}
 	}

go/ql/test/query-tests/InconsistentCode/LengthComparisonOffByOne/LengthComparisonOffByOne.qlref

@@ -1 +1,2 @@
-InconsistentCode/LengthComparisonOffByOne.ql
+query: InconsistentCode/LengthComparisonOffByOne.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

go/ql/test/query-tests/InconsistentCode/LengthComparisonOffByOne/main.go

@@ -3,8 +3,8 @@ package main
 import "regexp"
 
 func f1(i int, a []int) int {
-	if i <= len(a) { // NOT OK
-		return a[i]
+	if i <= len(a) { // $ Alert // NOT OK
+		return a[i] // $ Source
 	}
 	return -1
 }
@@ -26,8 +26,8 @@ func f3(i int, a []int) int {
 }
 
 func f4(i int, a []int) int {
-	if len(a) > 0 { // NOT OK
-		return a[1]
+	if len(a) > 0 { // $ Alert // NOT OK
+		return a[1] // $ Source
 	}
 	return -1
 }

go/ql/test/query-tests/InconsistentCode/MissingErrorCheck/MissingErrorCheck.qlref

@@ -1 +1,2 @@
-InconsistentCode/MissingErrorCheck.ql
+query: InconsistentCode/MissingErrorCheck.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

go/ql/test/query-tests/InconsistentCode/MissingErrorCheck/tests.go

@@ -58,7 +58,7 @@ func missingCheckMayFail(fname string) {
 
 	result, err := os.Open(fname)
 
-	fmt.Printf("Opened: %v\n", *result) // NOT OK
+	fmt.Printf("Opened: %v\n", *result) // $ Alert // NOT OK
 	fmt.Printf("%v\n", err)             // use err
 
 }
@@ -240,7 +240,7 @@ func mishandlesMyError(input int) {
 
 	result, err := returnsMyError(input)
 
-	fmt.Printf("Got: %d\n", *result) // NOT OK
+	fmt.Printf("Got: %d\n", *result) // $ Alert // NOT OK
 	fmt.Printf("%v\n", err)          // use err
 
 }

go/ql/test/query-tests/InconsistentCode/MistypedExponentiation/MistypedExponentiation.go

@@ -3,5 +3,5 @@ package main
 import "fmt"
 
 func test() {
-	fmt.Println(2 ^ 32) // should be 1 << 32
+	fmt.Println(2 ^ 32) // $ Alert // should be 1 << 32
 }

go/ql/test/query-tests/InconsistentCode/MistypedExponentiation/MistypedExponentiation.qlref

@@ -1 +1,2 @@
-InconsistentCode/MistypedExponentiation.ql
+query: InconsistentCode/MistypedExponentiation.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

go/ql/test/query-tests/InconsistentCode/MistypedExponentiation/main.go

@@ -12,13 +12,13 @@ func main() {
 	expectingResponse := 1 << 5
 	power := 10
 
-	fmt.Println(3 ^ 5)                   // Not OK
+	fmt.Println(3 ^ 5)                   // $ Alert // Not OK
 	fmt.Println(0755 ^ 2423)             // OK
-	fmt.Println(2 ^ 32)                  // Not OK
-	fmt.Println(10 ^ 5)                  // Not OK
-	fmt.Println(10 ^ exp)                // Not OK
+	fmt.Println(2 ^ 32)                  // $ Alert // Not OK
+	fmt.Println(10 ^ 5)                  // $ Alert // Not OK
+	fmt.Println(10 ^ exp)                // $ Alert // Not OK
 	fmt.Println(253 ^ expectingResponse) // OK
-	fmt.Println(2 ^ power)               // Not OK
+	fmt.Println(2 ^ power)               // $ Alert // Not OK
 
 	mask := (((1 << 10) - 1) ^ 7) // OK
 

go/ql/test/query-tests/InconsistentCode/WhitespaceContradictsPrecedence/WhitespaceContradictsPrecedence.go

@@ -3,5 +3,5 @@ package main
 // autoformat-ignore (otherwise gofmt will fix the spacing to reflect precedence)
 
 func isBitSetBad(x int, pos uint) bool {
-	return x & 1<<pos != 0
+	return x & 1<<pos != 0 // $ Alert
 }

go/ql/test/query-tests/InconsistentCode/WhitespaceContradictsPrecedence/WhitespaceContradictsPrecedence.qlref

@@ -1 +1,2 @@
-InconsistentCode/WhitespaceContradictsPrecedence.ql
+query: InconsistentCode/WhitespaceContradictsPrecedence.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

go/ql/test/query-tests/InconsistentCode/WhitespaceContradictsPrecedence/main.go

@@ -11,7 +11,7 @@ func ok2(x int) int {
 }
 
 func bad(x int) int {
-	return x+x >> 1;
+	return x+x >> 1; // $ Alert
 }
 
 func ok3(x int) int {

go/ql/test/query-tests/InconsistentCode/WrappedErrorAlwaysNil/WrappedErrorAlwaysNil.go

@@ -28,7 +28,7 @@ func test1(input string) error {
 	}
 	if ok2, _ := f2(input); !ok2 {
 		// BAD: Wrapped error is always nil
-		return errors.Wrap(err, "")
+		return errors.Wrap(err, "") // $ Alert
 	}
 	return nil
 }
@@ -38,13 +38,13 @@ func test2(err error) {
 	errors.Wrap(err, "")
 
 	// BAD: Wrapped error is always nil
-	errors.Wrap(nil, "")
+	errors.Wrap(nil, "") // $ Alert
 
 	err = nil
 	// BAD: Wrapped error is always nil
-	errors.Wrap(err, "")
+	errors.Wrap(err, "") // $ Alert
 
 	var localErr error = nil
 	// BAD: Wrapped error is always nil
-	errors.Wrap(localErr, "")
+	errors.Wrap(localErr, "") // $ Alert
 }

go/ql/test/query-tests/InconsistentCode/WrappedErrorAlwaysNil/WrappedErrorAlwaysNil.qlref

@@ -1 +1,2 @@
-InconsistentCode/WrappedErrorAlwaysNil.ql
+query: InconsistentCode/WrappedErrorAlwaysNil.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

go/ql/test/query-tests/RedundantCode/CompareIdenticalValues/CompareIdenticalValues.go

@@ -6,7 +6,7 @@ type Rectangle struct {
 
 func (r *Rectangle) containsBad(x, y int) bool {
 	return r.x <= x &&
-		y <= y && // NOT OK
+		y <= y && // $ Alert // NOT OK
 		x <= r.x+r.width &&
 		y <= r.y+r.height
 }

go/ql/test/query-tests/RedundantCode/CompareIdenticalValues/CompareIdenticalValues.qlref

@@ -1 +1,2 @@
-RedundantCode/CompareIdenticalValues.ql
+query: RedundantCode/CompareIdenticalValues.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

go/ql/test/query-tests/RedundantCode/CompareIdenticalValues/tst.go

@@ -3,7 +3,7 @@ package main
 import "fmt"
 
 func foo(x int) bool {
-	return x == x // NOT OK
+	return x == x // $ Alert // NOT OK
 }
 
 func isNaN(x float32) bool {
@@ -57,5 +57,5 @@ func baz2() bool {
 func baz3() bool {
 	var y counter
 	y.bimp()
-	return y == 0 // NOT OK
+	return y == 0 // $ Alert // NOT OK
 }

go/ql/test/query-tests/RedundantCode/CompareIdenticalValues/vp.go

@@ -13,5 +13,5 @@ type t struct {
 }
 
 func (x *t) foo(other t) bool {
-	return x.GetLength() != x.GetLength()
+	return x.GetLength() != x.GetLength() // $ Alert
 }

go/ql/test/query-tests/RedundantCode/DeadStoreOfField/DeadStoreOfField.go

@@ -5,5 +5,5 @@ type counter struct {
 }
 
 func (w counter) reset() {
-	w.val = 0 // NOT OK
+	w.val = 0 // $ Alert // NOT OK
 }

go/ql/test/query-tests/RedundantCode/DeadStoreOfField/DeadStoreOfField.qlref

@@ -1 +1,2 @@
-RedundantCode/DeadStoreOfField.ql
+query: RedundantCode/DeadStoreOfField.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

go/ql/test/query-tests/RedundantCode/DeadStoreOfLocal/DeadStoreOfLocal.qlref

@@ -1 +1,2 @@
-RedundantCode/DeadStoreOfLocal.ql
+query: RedundantCode/DeadStoreOfLocal.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

go/ql/test/query-tests/RedundantCode/DeadStoreOfLocal/main.go

@@ -22,7 +22,7 @@ func main() {
 }
 
 func deadParameter(x int) bool { // we don't want to flag x here
-	x = deadStore() // but we do want to flag this
+	x = deadStore() // $ Alert // but we do want to flag this
 	return true
 }
 

go/ql/test/query-tests/RedundantCode/DeadStoreOfLocal/testdata.go

@@ -29,12 +29,12 @@ func _() {
 func _() {
 	var x int
 	_ = x
-	x = deadStore() // BAD
+	x = deadStore() // $ Alert // BAD
 }
 
 func _() {
 	var x int
-	x = deadStore() // BAD
+	x = deadStore() // $ Alert // BAD
 	x = 0
 	_ = x
 }
@@ -58,13 +58,13 @@ func _() {
 }
 
 func _() {
-	x := deadStore2() // BAD
+	x := deadStore2() // $ Alert // BAD
 	x = "def"
 	_ = x
 }
 
 func _() {
-	x := deadStore() // BAD
+	x := deadStore() // $ Alert // BAD
 	x = 0
 	_ = x
 }
@@ -96,18 +96,18 @@ func _() {
 }
 
 func _() {
-	x := deadStore() // BAD
+	x := deadStore() // $ Alert // BAD
 	if b {
-		x = deadStore() // BAD
+		x = deadStore() // $ Alert // BAD
 	}
 	x = 0
 	_ = x
 }
 
 func _() {
-	x := deadStore() // BAD
+	x := deadStore() // $ Alert // BAD
 	for b {
-		x = deadStore() // BAD
+		x = deadStore() // $ Alert // BAD
 	}
 	x = 0
 	_ = x
@@ -125,13 +125,13 @@ func _() {
 }
 
 func _() {
-	x := deadStore() // BAD
+	x := deadStore() // $ Alert // BAD
 	if b {
-		x = deadStore() // BAD
-		x = deadStore() // BAD
+		x = deadStore() // $ Alert // BAD
+		x = deadStore() // $ Alert // BAD
 	}
 	if b {
-		x = deadStore() // BAD
+		x = deadStore() // $ Alert // BAD
 	}
 	x = 0
 	_ = x
@@ -140,7 +140,7 @@ func _() {
 func _() {
 	x := 0
 	if b {
-		x = deadStore() // BAD
+		x = deadStore() // $ Alert // BAD
 		x = 0
 	}
 	if b {
@@ -161,7 +161,7 @@ func _() {
 	x := 0
 	for {
 		_ = x
-		x = deadStore() // BAD
+		x = deadStore() // $ Alert // BAD
 		x = 0
 	}
 }
@@ -169,7 +169,7 @@ func _() {
 func _() {
 	x := 0
 	for {
-		x += deadStore() // BAD
+		x += deadStore() // $ Alert // BAD
 		x = 0
 	}
 }
@@ -177,7 +177,7 @@ func _() {
 func _() {
 	x := 0
 	for {
-		x++ // BAD
+		x++ // $ Alert // BAD
 		x = 0
 	}
 }
@@ -198,7 +198,7 @@ func _() {
 func _() {
 	x := struct{ f int }{42}
 	_ = x.f
-	x = struct{ f int }{23}
+	x = struct{ f int }{23} // $ Alert
 }
 
 func _() {
@@ -259,13 +259,13 @@ func _() (x int) {
 }
 
 func _() (x int) {
-	x = deadStore() // BAD
+	x = deadStore() // $ Alert // BAD
 	x = 0
 	return
 }
 
 func _() (x int) {
-	x = deadStore() // BAD
+	x = deadStore() // $ Alert // BAD
 	return 0
 }
 
@@ -306,7 +306,7 @@ func _(a float32, b float32) (x int) {
 
 func _(a float32, b float32) (x int) {
 	x = 1
-	a /= b
+	a /= b // $ Alert
 	return 2
 }
 
@@ -318,7 +318,7 @@ func _(a int, b int) (x int) {
 
 func _(a int, b int) (x int) {
 	x = 1
-	a %= b
+	a %= b // $ Alert
 	return 2
 }
 
@@ -384,7 +384,7 @@ func _() {
 	case true:
 		_ = x
 	default:
-		x = deadStore() // BAD
+		x = deadStore() // $ Alert // BAD
 		fallthrough
 	case b:
 	}
@@ -429,16 +429,16 @@ func _() {
 	var ch chan int
 	select {
 	case ch <- 0:
-		x = deadStore() // BAD
+		x = deadStore() // $ Alert // BAD
 	case <-ch:
-		x = deadStore() // BAD
+		x = deadStore() // $ Alert // BAD
 	default:
 		_ = x
 	}
 }
 
 func _() {
-	x := deadStore() // BAD
+	x := deadStore() // $ Alert // BAD
 	var ch chan int
 	select {
 	case ch <- 0:
@@ -485,7 +485,7 @@ func _() {
 func _() {
 	var x int
 	if b {
-		x = deadStore() // BAD
+		x = deadStore() // $ Alert // BAD
 	}
 	if x = 0; b {
 
@@ -539,7 +539,7 @@ func _() {
 func _() {
 	x := 0
 	for x < 0 {
-		x = deadStore() // BAD
+		x = deadStore() // $ Alert // BAD
 		if b {
 			break
 		}
@@ -577,7 +577,7 @@ func _() {
 	var x int
 	for {
 		if b {
-			x = deadStore() // BAD
+			x = deadStore() // $ Alert // BAD
 			break
 		}
 		_ = x
@@ -626,7 +626,7 @@ func _(v1, v2 int32) (int32, int32) {
 
 func _(v1, v2 int32) (int32, int32) {
 	if v1 > v2 {
-		v1, _ = v2, v1
+		v1, _ = v2, v1 // $ Alert
 	}
 	v1, v2 = 0, 0
 	return v1, v2

go/ql/test/query-tests/RedundantCode/DuplicateBranches/DuplicateBranches.go

@@ -1,7 +1,7 @@
 package main
 
 func abs(x int) int {
-	if x >= 0 {
+	if x >= 0 { // $ Alert
 		return x
 	} else {
 		return x

go/ql/test/query-tests/RedundantCode/DuplicateBranches/DuplicateBranches.qlref

@@ -1 +1,2 @@
-RedundantCode/DuplicateBranches.ql
+query: RedundantCode/DuplicateBranches.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

go/ql/test/query-tests/RedundantCode/DuplicateBranches/main.go

@@ -3,7 +3,7 @@ package main
 import "fmt"
 
 func bad(x int) {
-	if x < 0 { // NOT OK
+	if x < 0 { // $ Alert // NOT OK
 		fmt.Println("x is negative")
 	} else {
 		fmt.Println("x is negative")

go/ql/test/query-tests/RedundantCode/DuplicateCondition/DuplicateCondition.go

@@ -1,9 +1,9 @@
 package main
 
 func controller(msg string) {
-	if msg == "start" {
+	if msg == "start" { // $ Source
 		start()
-	} else if msg == "start" { // NOT OK
+	} else if msg == "start" { // $ Alert // NOT OK
 		stop()
 	} else {
 		panic("Message not understood.")

go/ql/test/query-tests/RedundantCode/DuplicateCondition/DuplicateCondition.qlref

@@ -1 +1,2 @@
-RedundantCode/DuplicateCondition.ql
+query: RedundantCode/DuplicateCondition.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql