Address review comments

cpp/ql/test/query-tests/Security/CWE/CWE-022/semmle/tests/test.c

@@ -73,7 +73,7 @@ int main(int argc, char** argv) { // $ Source=argv
     char buffer[1024];
     read(0, buffer, 1024); // $ Source=read_output1
     read(0, buffer, 1024); // $ Source=read_output2
-    fopen(buffer, "wb+"); // $ Alert=read_output1 $ Alert=read_output2
+    fopen(buffer, "wb+"); // $ SPURIOUS: Alert=read_output1 $ Alert=read_output2 [duplicated with both sources]
   }
 
   {

swift/ql/test/query-tests/Security/CWE-094/UnsafeJsEval.swift

@@ -201,17 +201,17 @@ func testSync(_ sink: @escaping (String) -> ()) {
 	let url = URL(string: "http://example.com/")
 
 	sink(localString) // GOOD: the HTML data is local
-	sink(try! String(contentsOf: URL(string: "http://example.com/")!)) // $ Source=source1 $ MISSING: Alert HTML contains remote input, may access local secrets
-	sink(try! String(contentsOf: url!)) // $ Source=source2 $ MISSING: Alert
+	sink(try! String(contentsOf: URL(string: "http://example.com/")!)) // $ Source=source1
+	sink(try! String(contentsOf: url!)) // $ Source=source2
 
 	sink("console.log(" + localStringFragment + ")") // GOOD: the HTML data is local
-	sink("console.log(" + (try! String(contentsOf: url!)) + ")") // $ Source=source3 $ MISSING: Alert
+	sink("console.log(" + (try! String(contentsOf: url!)) + ")") // $ Source=source3
 
 	let localData = Data(localString.utf8)
 	let remoteData = Data((try! String(contentsOf: url!)).utf8) // $ Source=source4
 
 	sink(String(decoding: localData, as: UTF8.self)) // GOOD: the data is local
-	sink(String(decoding: remoteData, as: UTF8.self)) // $ MISSING: Alert the data is remote
+	sink(String(decoding: remoteData, as: UTF8.self))
 
 	sink("console.log(" + String(Int(localStringFragment) ?? 0) + ")") // GOOD: Primitive conversion
 	sink("console.log(" + String(Int(try! String(contentsOf: url!)) ?? 0) + ")") // GOOD: Primitive conversion