Convert selected Python qlref tests to inline expectations by Copilot · Pull Request #21967 · github/codeql

Copilot · 2026-06-10T12:31:21Z

This updates the Python qlref-to-inline-expectation migration by converting a focused set of standard problem and path-problem tests that can be represented cleanly without changing test semantics. The converted cases cover exception queries, overriding-signature queries, and the local threat-model SQL injection test.

Converted standard Python query tests
- Added postprocess: utils/test/InlineExpectationsTestQuery.ql to:
  - python/ql/test/query-tests/Exceptions/general/IllegalExceptionHandlerType.qlref
  - python/ql/test/query-tests/Exceptions/general/IllegalRaise.qlref
  - python/ql/test/query-tests/Exceptions/general/NotImplementedIsNotAnException.qlref
  - python/ql/test/query-tests/Functions/overriding/IncorrectlyOverriddenMethod.qlref
  - python/ql/test/query-tests/Functions/overriding/IncorrectlySpecifiedOverriddenMethod.qlref
  - python/ql/test/query-tests/Functions/overriding/WrongNameForArgumentInCall.qlref
  - python/ql/test/query-tests/Functions/overriding/WrongNumberArgumentsInCall.qlref
- Extended python/ql/test/query-tests/Security/CWE-089-SqlInjection-local-threat-model/SqlInjection.qlref by preserving PrettyPrintModels.ql and appending InlineExpectationsTestQuery.ql.
Annotated source at result locations
- Added inline # $ Alert[...] markers in:
  - python/ql/test/query-tests/Exceptions/general/exceptions_test.py
  - python/ql/test/query-tests/Exceptions/general/pypy_test.py
  - python/ql/test/query-tests/Functions/overriding/test.py
  - python/ql/test/query-tests/Security/CWE-089-SqlInjection-local-threat-model/test.py
- Used query-id-qualified tags where multiple queries share the same source file and would otherwise compete for the same comment lines.
Preserved existing test ownership boundaries
- Left .expected files untouched.
- Kept existing postprocessors intact and only switched to list form where an additional postprocessor had to be appended.
Excluded behavior-sensitive cases from this slice
- Did not convert tests where inline comments would suppress or alter the query result on the annotated line (for example, shared exception tests where adding a comment changes whether the query reports the clause at all).

Example of the migrated style:

def illegal_raise_value2():
    raise NotException2()  # $ Alert[py/illegal-raise]

conn.execute(sys.argv[1])  # $ Alert

Original prompt

Please do the same for all other languages that CodeQL supports (i.e. other than go or java), using what you have learned. Do not make a PR. List any queries you do not convert and why. I think you will not have access to CodeQL to test your changes, so do your best without that feedback. I will provide a list of failing tests at a future point.

It seems like you have provided a context about the current date and some previous requests related to CodeQL files. If you need assistance with anything specific, such as formatting .qlref files for Java or addressing the test output failures, please let me know how I can help!

Created from VS Code.

owen-mc · 2026-06-10T20:54:01Z

Rerun has been triggered, but no failed runs found ⚠️

github-advanced-security

CodeQL found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

Copilot

Copilot wasn't able to review this pull request because it exceeds the maximum number of files (300). Try reducing the number of changed files and requesting a review from Copilot again.

Copilot

Copilot wasn't able to review this pull request because it exceeds the maximum number of files (300). Try reducing the number of changed files and requesting a review from Copilot again.

owen-mc · 2026-06-16T09:55:37Z

Rerun has been triggered: 5 restarted 🚀

yoff

It would be nice if the GitHUb platform would allow us toexpress that the diff here falls in two categories:

adding query: and postprocess: utils/test/InlineExpectationsTestQuery.ql around the content of .qlref-files
adding # $ Alert|Source|Sink lines to .expected-files.

Verifying this manually will immediately allow me to conclude that this is a safe PR to merge. Before I go through the remaining many files, though, I have a few questions:

Why do we sometimes get Alert[query-name] and sometimes just Alert?
Why do we sometimes not add the postprocessing directive?
Why do we get QL alerts for "not using inline expectation tests"?

owen-mc · 2026-06-19T10:06:30Z

Note that I am currently working on undoing the changes in this PR which affects queries which import LegacyPointsTo, so as not to conflict with some ongoing work. No need to review till I next push, and then it should be a bit smaller.

If there are more than one inline expectations tests in one folder then you need to specify which query id an alert is for, otherwise both tests will think it's for them. Sometimes copilot puts the query id there even when there's only one inline expectations test, though I have instructed it not to.
We shouldn't add query: if we aren't also adding postprocess:. I will look into those. However, there are valid reasons for not converting a test to inline expectations. Below is an excerpt from the prompt that copilot developed after doing this for two languages:

Good Skip Reasons
Skip, or revert to non-inline, when conversion would make the test misleading, brittle, or noisy. Common reasons:

The query is not @kind problem or @kind path-problem.

The query is a telemetry, metrics, table, definitions, diagnostic, extractor-information, stub-generation, or tool-specific query.

The test is an AST dump or similar structural output test, such as PrintAst.

The selected result text is inside a string literal, raw string, heredoc, text block, XML literal, or multiline literal and adding a comment changes the selected text.

The expected location is inside documentation syntax where adding a comment changes what the query reports, such as Javadoc tags.

The .expected output is nonstandard enough that mechanical conversion is risky.

Results are in shared stubs, generated copies, vendored files, or synthetic/test-project paths where inline comments would pollute shared fixtures.

The alert, source, or sink locations are too dense or ambiguous to make the source understandable.

The language’s inline expectation implementation does not support the source file or comment style needed.

The query uses a special result kind or framework behavior, such as alert-suppression tests, that does not map cleanly to inline alert comments.

I looked at one, Statements/DocStrings.ql. It shouldn't be converted because one of the results has location DocStrings.py:0:0:0:0. However, we have erroneously put a query: in the .qlref file, so ql-for-ql is firing.

BazookaMusic · 2026-06-18T05:47:42Z

-| xsltInjection.py:50:24:50:32 | ControlFlowNode for xslt_root | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | xsltInjection.py:50:24:50:32 | ControlFlowNode for xslt_root | This XSLT query depends on $@. | xsltInjection.py:3:26:3:32 | ControlFlowNode for ImportMember | user-provided value |
+testFailures
+| xslt.py:14:29:14:37 | ControlFlowNode for xslt_root | Unexpected result: Alert |
+| xsltInjection.py:12:28:12:36 | ControlFlowNode for xslt_root | Unexpected result: Alert |


Wrong alerts?

Thanks for spotting that. It had put # Not OK # $ Alert instead of # $ Alert # Not OK.

BazookaMusic · 2026-06-19T11:45:32Z

+python/ql/test/2/query-tests/Summary/LinesOfCode.qlref
+python/ql/test/2/query-tests/Summary/LinesOfUserCode.qlref
+python/ql/test/3/query-tests/Summary/LinesOfCode.qlref
+python/ql/test/3/query-tests/Summary/LinesOfUserCode.qlref


Did you intend to include this?

Thanks for spotting that. I've deleted it now.

BazookaMusic

Looks good from what I could see. Reviewing all alerts manually is a bit unrealistic with a PR this size, but it looks good after spending reasonable time looking at it

Copilot AI assigned Copilot and owen-mc Jun 10, 2026

Copilot started work on behalf of owen-mc June 10, 2026 12:31 View session

Copilot AI changed the title ~~[WIP] Convert CodeQL queries for supported languages~~ Normalize non-Go/Java .qlref files to explicit query: format Jun 10, 2026

Copilot finished work on behalf of owen-mc June 10, 2026 12:39

Copilot AI requested a review from owen-mc June 10, 2026 12:39

Copilot started work on behalf of owen-mc June 10, 2026 13:18 View session

Copilot AI changed the title ~~Normalize non-Go/Java .qlref files to explicit query: format~~ Convert non-Go/Java qlref tests to inline expectation tests via postprocess Jun 10, 2026

Copilot finished work on behalf of owen-mc June 10, 2026 13:46

github-actions Bot added C# JS C++ Python Ruby Rust Pull requests that update Rust code Swift Actions Analysis of GitHub Actions labels Jun 10, 2026

owen-mc force-pushed the copilot/conversion-of-codeql-queries branch from aa3982d to 4d2e16e Compare June 10, 2026 20:59

github-advanced-security AI found potential problems Jun 10, 2026

View reviewed changes

Copilot started work on behalf of owen-mc June 11, 2026 20:16 View session

Copilot AI changed the title ~~Convert non-Go/Java qlref tests to inline expectation tests via postprocess~~ Align qlref inline-expectation conversion with recipe for ql tests Jun 11, 2026

Copilot finished work on behalf of owen-mc June 11, 2026 20:33

github-actions Bot added documentation QL-for-QL and removed Actions Analysis of GitHub Actions labels Jun 11, 2026

Copilot started work on behalf of owen-mc June 11, 2026 20:54 View session

Copilot finished work on behalf of owen-mc June 11, 2026 20:57

Copilot started work on behalf of owen-mc June 11, 2026 21:07 View session

Copilot finished work on behalf of owen-mc June 11, 2026 21:09

github-actions Bot removed QL-for-QL Rust Pull requests that update Rust code Swift labels Jun 15, 2026

github-advanced-security AI found potential problems Jun 15, 2026

View reviewed changes

owen-mc force-pushed the copilot/conversion-of-codeql-queries branch from 0156cfb to 0c2df7c Compare June 15, 2026 15:15

github-advanced-security AI found potential problems Jun 15, 2026

View reviewed changes

Comment thread python/ql/test/query-tests/Lexical/ToDoComment/ToDoComment.qlref Dismissed

owen-mc marked this pull request as ready for review June 15, 2026 16:11

owen-mc requested a review from a team as a code owner June 15, 2026 16:11

Copilot AI review requested due to automatic review settings June 15, 2026 16:11

owen-mc requested a review from a team as a code owner June 15, 2026 16:11

Copilot AI reviewed Jun 15, 2026

owen-mc requested a review from Copilot June 15, 2026 16:17

Copilot AI reviewed Jun 15, 2026

owen-mc force-pushed the copilot/conversion-of-codeql-queries branch from 0c2df7c to f48d715 Compare June 15, 2026 23:35

owen-mc added the no-change-note-required This PR does not need a change note label Jun 18, 2026

yoff reviewed Jun 19, 2026

View reviewed changes

owen-mc added 3 commits June 19, 2026 11:20

Shared: allow comment starting with # after inline expectation comment

1496fb6

Convert Python qlref tests to inline expectations

5497f2c

Undo conversion for queries that import LegacyPointsTo

451fc2e

owen-mc force-pushed the copilot/conversion-of-codeql-queries branch from 95802b1 to 451fc2e Compare June 19, 2026 11:40

owen-mc requested a review from a team as a code owner June 19, 2026 11:40

BazookaMusic reviewed Jun 19, 2026

View reviewed changes

owen-mc added 2 commits June 19, 2026 13:23

Fix order of comments in test

c9d4521

Delete accidentally included text file

27f6ffc

BazookaMusic approved these changes Jun 19, 2026

View reviewed changes

owen-mc merged commit b54d95d into main Jun 19, 2026
129 of 132 checks passed

owen-mc deleted the copilot/conversion-of-codeql-queries branch June 19, 2026 13:56

Conversation

Copilot AI commented Jun 10, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

owen-mc commented Jun 10, 2026 • edited by codeql-ci Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-advanced-security AI left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Uh oh!

owen-mc commented Jun 16, 2026 • edited by codeql-ci Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

yoff left a comment

Choose a reason for hiding this comment

Uh oh!

owen-mc commented Jun 19, 2026

Uh oh!

BazookaMusic Jun 18, 2026

Choose a reason for hiding this comment

Uh oh!

owen-mc Jun 19, 2026

Choose a reason for hiding this comment

Uh oh!

BazookaMusic Jun 19, 2026

Choose a reason for hiding this comment

Uh oh!

owen-mc Jun 19, 2026

Choose a reason for hiding this comment

Uh oh!

BazookaMusic left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

Copilot AI commented Jun 10, 2026 •

edited

Loading

owen-mc commented Jun 10, 2026 •

edited by codeql-ci

Loading

owen-mc commented Jun 16, 2026 •

edited by codeql-ci

Loading