Exclude some queries from query suites by lowering their precision. #19507
Conversation
michaelnebel
force-pushed
the
removehardcodedpassword
branch
from
e8a4b9f to
dabeddb
Compare
There was a problem hiding this comment.
Pull Request Overview
This PR lowers the precision of several hardcoded credentials queries across Java, Go, and C#, excludes them from all query suites, and updates the corresponding integration-test expectations and change notes.
- Lowered precision from medium to low for hardcoded credential queries in Java, Go, and C#.
- Removed these queries from all query-suite expected listings and added them to
not_included_in_qls.expected. - Added change notes in Java, Go, and C# to document the removals.
Reviewed Changes
Copilot reviewed 41 out of 41 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| javascript/ql/integration-tests/query-suite/*.qls.expected | Removed HardcodedCredentials entries from JS query suites |
| java/ql/src/change-notes/2025-05-16-hardcoded-credentials.md | Added note for removed Java hardcoded-credential-api-call query |
| java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql | Lowered precision from medium to low |
| java/ql/integration-tests/java/query-suite/*.expected | Updated not_included_in_qls.expected, removed from suites |
| go/ql/src/change-notes/2025-05-16-hardcoded-credentials.md | Added note for removed Go hardcoded-credentials query |
| go/ql/src/Security/CWE-798/HardcodedCredentials.ql | Lowered precision from medium to low |
| go/ql/integration-tests/query-suite/*.expected | Updated not_included_in_qls.expected, removed from suites |
| csharp/ql/src/change-notes/2025-05-16-hardcoded-credentials.md | Added note for removed C# credential-related queries |
| csharp/ql/src/Security Features/CWE-798/*.ql | Lowered precision from medium to low |
| csharp/ql/integration-tests/posix/query-suite/*.expected | Updated not_included_in_qls.expected, removed from suites |
Comments suppressed due to low confidence (2)
javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql:7
- The JavaScript HardcodedCredentials query still has
@precision medium—it should be lowered to@precision lowto match the updates in other languages.
* @precision medium
|
Should we freeze the security and quality suite? Is it okay that we're removing queries from it? |
It is my understanding that these queries are to be removed from all suites that customers use, but I will ask concretely about this suite in the issue. |
Responding here - Yes, this is fine, mostly unrelated to the quality product |
The linked issue describes why the precisions are lowered (and it also includes a list of specific query IDs).