Cover a missing @tag security when @security-severity is used

ql/ql/src/queries/style/MissingSecurityMetadata.ql

@@ -0,0 +1,51 @@
+/**
+ * @name Missing security metadata
+ * @description Security queries should have both a `@tag security` and a `@security-severity` tag.
+ * @kind problem
+ * @problem.severity warning
+ * @precision very-high
+ * @id ql/missing-security-metadata
+ * @tags correctness
+ */
+
+import ql
+
+predicate missingSecuritySeverity(QLDoc doc) {
+  exists(string s | s = doc.getContents() |
+    exists(string securityTag | securityTag = s.splitAt("@") |
+      securityTag.matches("tags%security%")
+    ) and
+    exists(string precisionTag | precisionTag = s.splitAt("@") |
+      precisionTag.matches("precision %")
+    ) and
+    not exists(string securitySeverity | securitySeverity = s.splitAt("@") |
+      securitySeverity.matches("security-severity %")
+    )
+  )
+}
+
+predicate missingSecurityTag(QLDoc doc) {
+  exists(string s | s = doc.getContents() |
+    exists(string securitySeverity | securitySeverity = s.splitAt("@") |
+      securitySeverity.matches("security-severity %")
+    ) and
+    exists(string precisionTag | precisionTag = s.splitAt("@") |
+      precisionTag.matches("precision %")
+    ) and
+    not exists(string securityTag | securityTag = s.splitAt("@") |
+      securityTag.matches("tags%security%")
+    )
+  )
+}
+
+from TopLevel t, string msg
+where
+  t.getLocation().getFile().getBaseName().matches("%.ql") and
+  not t.getLocation().getFile().getRelativePath().matches(["%/experimental/%", "%/examples/%"]) and
+  (
+    missingSecuritySeverity(t.getQLDoc()) and
+    msg = "This query file is missing a `@security-severity` tag."
+    or
+    missingSecurityTag(t.getQLDoc()) and msg = "This query file is missing a `@tag security`."
+  )
+select t, msg

ql/ql/src/queries/style/MissingSecuritySeverity.ql

@@ -1,32 +0,0 @@
-/**
- * @name Missing security-severity tag
- * @description Queries tagged as `security` should also have a `@security-severity` tag.
- * @kind problem
- * @problem.severity warning
- * @precision very-high
- * @id ql/missing-security-severity
- * @tags correctness
- */
-
-import ql
-
-predicate missingSecuritySeverity(QLDoc doc) {
-  exists(string s | s = doc.getContents() |
-    exists(string securityTag | securityTag = s.splitAt("@") |
-      securityTag.matches("tags%security%")
-    ) and
-    exists(string precisionTag | precisionTag = s.splitAt("@") |
-      precisionTag.matches("precision %")
-    ) and
-    not exists(string securitySeverity | securitySeverity = s.splitAt("@") |
-      securitySeverity.matches("security-severity %")
-    )
-  )
-}
-
-from TopLevel t
-where
-  t.getLocation().getFile().getBaseName().matches("%.ql") and
-  not t.getLocation().getFile().getRelativePath().matches(["%/experimental/%", "%/examples/%"]) and
-  missingSecuritySeverity(t.getQLDoc())
-select t, "This query file is missing a `@security-severity` tag."

ql/ql/test/queries/style/MissingSecurityMetadata/MissingSecurityMetadata.expected

@@ -0,0 +1,2 @@
+| testcases/BadNoSecurity.ql:1:1:15:9 | TopLevel | This query file is missing a `@tag security`. |
+| testcases/BadNoSeverity.ql:1:1:15:9 | TopLevel | This query file is missing a `@security-severity` tag. |

ql/ql/test/queries/style/MissingSecurityMetadata/MissingSecurityMetadata.qlref

@@ -0,0 +1 @@
+queries/style/MissingSecurityMetadata.ql

ql/ql/test/queries/style/MissingSecurityMetadata/testcases/BadNoSecurity.ql

@@ -0,0 +1,15 @@
+/**
+ * @name Some query
+ * @description Some description
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 10.0
+ * @precision very-high
+ * @id ql/some-query
+ * @tags quality
+ */
+
+import ql
+
+from Class c
+select c

ql/ql/test/queries/style/MissingSecuritySeverity/MissingSecuritySeverity.expected

@@ -1 +0,0 @@
-| testcases/Bad.ql:1:1:15:9 | TopLevel | This query file is missing a `@security-severity` tag. |

ql/ql/test/queries/style/MissingSecuritySeverity/MissingSecuritySeverity.qlref

@@ -1 +0,0 @@
-queries/style/MissingSecuritySeverity.ql