updated all powershell tests to use inline expectatoins

chanel-y · chanel-y · commit b3626dbdd745 · 2026-04-17T11:42:58.000-07:00
diff --git a/powershell/ql/test/query-tests/security/ConvertToSecureStringAsPlainText/ConvertToSecureStringAsPlainText.qlref b/powershell/ql/test/query-tests/security/ConvertToSecureStringAsPlainText/ConvertToSecureStringAsPlainText.qlref
@@ -1 +1,2 @@
-experimental/ConvertToSecureStringAsPlainText.ql
+query: experimental/ConvertToSecureStringAsPlainText.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/powershell/ql/test/query-tests/security/ConvertToSecureStringAsPlainText/test.ps1 b/powershell/ql/test/query-tests/security/ConvertToSecureStringAsPlainText/test.ps1
@@ -1,4 +1,4 @@
 $UserInput = Read-Host 'Please enter your secure code'
-$EncryptedInput = ConvertTo-SecureString -String $UserInput -AsPlainText -Force
+$EncryptedInput = ConvertTo-SecureString -String $UserInput -AsPlainText -Force # $ Alert
 
 $SecureUserInput = Read-Host 'Please enter your secure code' -AsSecureString
diff --git a/powershell/ql/test/query-tests/security/HardcodedComputerName/HardcodedComputerName.qlref b/powershell/ql/test/query-tests/security/HardcodedComputerName/HardcodedComputerName.qlref
@@ -1 +1,2 @@
-experimental/HardcodedComputerName.ql
+query: experimental/HardcodedComputerName.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/powershell/ql/test/query-tests/security/HardcodedComputerName/test.ps1 b/powershell/ql/test/query-tests/security/HardcodedComputerName/test.ps1
@@ -1,6 +1,6 @@
 Function Invoke-MyRemoteCommand ()
 {
-    Invoke-Command -Port 343 -ComputerName hardcoderemotehostname
+    Invoke-Command -Port 343 -ComputerName hardcoderemotehostname # $ Alert
 }
 
 Function Invoke-MyCommand ($ComputerName)
@@ -10,7 +10,7 @@ Function Invoke-MyCommand ($ComputerName)
 
 Function Invoke-MyLocalCommand ()
 {
-    Invoke-Command -Port 343 -ComputerName hardcodelocalhostname
+    Invoke-Command -Port 343 -ComputerName hardcodelocalhostname # $ Alert
 }
 
 Function Invoke-MyLocalCommand ()
diff --git a/powershell/ql/test/query-tests/security/UseOfReservedCmdletChar/UseOfReservedCmdletChar.qlref b/powershell/ql/test/query-tests/security/UseOfReservedCmdletChar/UseOfReservedCmdletChar.qlref
@@ -1 +1,2 @@
-experimental/UseOfReservedCmdletChar.ql
+query: experimental/UseOfReservedCmdletChar.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/powershell/ql/test/query-tests/security/UseOfReservedCmdletChar/test.ps1 b/powershell/ql/test/query-tests/security/UseOfReservedCmdletChar/test.ps1
@@ -1,2 +1,2 @@
-function MyFunction[1]
+function MyFunction[1] # $ Alert Alert
 {...}
diff --git a/powershell/ql/test/query-tests/security/UsernameOrPasswordParameter/UsernameOrPasswordParameter.qlref b/powershell/ql/test/query-tests/security/UsernameOrPasswordParameter/UsernameOrPasswordParameter.qlref
@@ -1 +1,2 @@
-experimental/UsernameOrPasswordParameter.ql
+query: experimental/UsernameOrPasswordParameter.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/powershell/ql/test/query-tests/security/UsernameOrPasswordParameter/test.ps1 b/powershell/ql/test/query-tests/security/UsernameOrPasswordParameter/test.ps1
@@ -4,8 +4,8 @@ function Test-Script
     Param
     (
         [String]
-        $Username,
+        $Username, # $ Alert
         [SecureString]
-        $Password
+        $Password # $ Alert
     )
 }
diff --git a/powershell/ql/test/query-tests/security/cwe-022/test.ps1 b/powershell/ql/test/query-tests/security/cwe-022/test.ps1
@@ -3,27 +3,27 @@ Add-Type -AssemblyName System.IO.Compression.FileSystem
 $zip = [System.IO.Compression.ZipFile]::OpenRead("MyPath\to\archive.zip")
 
 foreach ($entry in $zip.Entries) {
-    $targetPath = Join-Path $extractPath $entry.FullName
+    $targetPath = Join-Path $extractPath $entry.FullName # $ Source
     $fullTargetPath = [System.IO.Path]::GetFullPath($targetPath)
 
-    [System.IO.Compression.ZipFileExtensions]::ExtractToFile($entry, $fullTargetPath) # BAD
+    [System.IO.Compression.ZipFileExtensions]::ExtractToFile($entry, $fullTargetPath) # $ Alert
 }
 
 foreach ($entry in $zip.Entries) {
-    $targetPath = Join-Path $extractPath $entry.FullName
+    $targetPath = Join-Path $extractPath $entry.FullName # $ Source
     $fullTargetPath = [System.IO.Path]::GetFullPath($targetPath)
 
-    $stream = [System.IO.File]::Open($fullTargetPath, 'Create') # BAD
+    $stream = [System.IO.File]::Open($fullTargetPath, 'Create') # $ Alert
     $entry.Open().CopyTo($stream)
     $stream.Close()
 }
 
 foreach ($entry in $zip.Entries) {
-    $targetPath = Join-Path $extractPath $entry.FullName
+    $targetPath = Join-Path $extractPath $entry.FullName # $ Source
     $fullTargetPath = [System.IO.Path]::GetFullPath($targetPath)
 
     $extractRoot = [System.IO.Path]::GetFullPath($extractPath)
     if ($fullTargetPath.StartsWith($extractRoot)) {
-        [System.IO.Compression.ZipFileExtensions]::ExtractToFile($entry, $fullTargetPath) # GOOD [FALSE POSITIVE]
+        [System.IO.Compression.ZipFileExtensions]::ExtractToFile($entry, $fullTargetPath) # $ Alert
     }
 }
diff --git a/powershell/ql/test/query-tests/security/cwe-022/zipslip.qlref b/powershell/ql/test/query-tests/security/cwe-022/zipslip.qlref
@@ -1 +1,2 @@
-queries/security/cwe-022/ZipSlip.ql
+query: queries/security/cwe-022/ZipSlip.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/powershell/ql/test/query-tests/security/cwe-078/CommandInjection/CommandInjection.qlref b/powershell/ql/test/query-tests/security/cwe-078/CommandInjection/CommandInjection.qlref
@@ -1 +1,2 @@
-queries/security/cwe-078/CommandInjection.ql
+query: queries/security/cwe-078/CommandInjection.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/powershell/ql/test/query-tests/security/cwe-078/DoNotUseInvokeExpression/DoNotUseInvokeExpression.qlref b/powershell/ql/test/query-tests/security/cwe-078/DoNotUseInvokeExpression/DoNotUseInvokeExpression.qlref
@@ -1 +1,2 @@
-queries/security/cwe-078/DoNotUseInvokeExpression.ql
+query: queries/security/cwe-078/DoNotUseInvokeExpression.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/powershell/ql/test/query-tests/security/cwe-078/DoNotUseInvokeExpression/test.ps1 b/powershell/ql/test/query-tests/security/cwe-078/DoNotUseInvokeExpression/test.ps1
@@ -1,2 +1,2 @@
 $command = "Get-Process"
-Invoke-Expression $Command
+Invoke-Expression $Command # $ Alert
diff --git a/powershell/ql/test/query-tests/security/cwe-089/SqlInjection.qlref b/powershell/ql/test/query-tests/security/cwe-089/SqlInjection.qlref
@@ -1 +1,2 @@
-queries/security/cwe-089/SqlInjection.ql
+query: queries/security/cwe-089/SqlInjection.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/powershell/ql/test/query-tests/security/cwe-089/test.ps1 b/powershell/ql/test/query-tests/security/cwe-089/test.ps1
@@ -1,20 +1,20 @@
-$userinput = Read-Host "Please enter a value"
+$userinput = Read-Host "Please enter a value" # $ Source
 
 # Example using Invoke-Sqlcmd with string interpolation
 $query = "SELECT * FROM MyTable WHERE MyColumn = '$userinput'"
-Invoke-Sqlcmd -ServerInstance "MyServer" -Database "MyDatabase" -Query $query # BAD
+Invoke-Sqlcmd -ServerInstance "MyServer" -Database "MyDatabase" -Query $query # $ Alert
 
 # Example using Invoke-Sqlcmd with string concatenation
 $query = "SELECT * FROM MyTable WHERE " + $userinput
-Invoke-Sqlcmd -ServerInstance "MyServer" -Database "MyDatabase" -Query $query # BAD
+Invoke-Sqlcmd -ServerInstance "MyServer" -Database "MyDatabase" -Query $query # $ Alert
 
 #Example using System.Data.SqlClient
 $connection = New-Object System.Data.SqlClient.SqlConnection
 $connection.ConnectionString = "Server=MyServer;Database=MyDatabase;"
 $connection.Open()
 
 $command = $connection.CreateCommand()
-$command.CommandText = "SELECT * FROM MyTable WHERE MyColumn = '$userinput'" # BAD
+$command.CommandText = "SELECT * FROM MyTable WHERE MyColumn = '$userinput'" # $ Alert
 $reader = $command.ExecuteReader()
 $reader.Close()
 $connection.Close()
@@ -25,7 +25,7 @@ $connection.ConnectionString = "Provider=SQLOLEDB;Data Source=MyServer;Initial C
 $connection.Open()
 
 $command = $connection.CreateCommand()
-$command.CommandText = "SELECT * FROM MyTable WHERE MyColumn = '$userinput'" # BAD
+$command.CommandText = "SELECT * FROM MyTable WHERE MyColumn = '$userinput'" # $ Alert
 $reader = $command.ExecuteReader()
 $reader.Close()
 $connection.Close()
@@ -78,7 +78,7 @@ $QueryConn2 = @{
     Query = "SELECT * FROM Customers WHERE id = $userinput"
 }
 
-Invoke-Sqlcmd @QueryConn2 # BAD
+Invoke-Sqlcmd @QueryConn2 # $ Alert
 
 function TakesTypedParameters([int]$i, [long]$l, [float]$f, [double]$d, [decimal]$dec, [char]$c, [bool]$b, [datetime]$dt) {
     $query1 = "SELECT * FROM MyTable WHERE MyColumn = '$i'"
@@ -122,7 +122,7 @@ function With-Validation() {
     )
 
     Invoke-Sqlcmd -unknown $userinput -ServerInstance "MyServer" -Database "MyDatabase" -q $validated # GOOD
-    Invoke-Sqlcmd -unknown $userinput -ServerInstance "MyServer" -Database "MyDatabase" -q "SELECT * FROM Customers where id = $($unvalidated)" # BAD
+    Invoke-Sqlcmd -unknown $userinput -ServerInstance "MyServer" -Database "MyDatabase" -q "SELECT * FROM Customers where id = $($unvalidated)" # $ Alert
 }
 
 With-Validation $userinput $userinput
diff --git a/powershell/ql/test/query-tests/security/cwe-250/InsecureExecutionPolicy.qlref b/powershell/ql/test/query-tests/security/cwe-250/InsecureExecutionPolicy.qlref
@@ -1 +1,2 @@
-queries/security/cwe-250/InsecureExecutionPolicy.ql
+query: queries/security/cwe-250/InsecureExecutionPolicy.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/powershell/ql/test/query-tests/security/cwe-250/test.ps1 b/powershell/ql/test/query-tests/security/cwe-250/test.ps1
@@ -1,10 +1,10 @@
-Set-ExecutionPolicy Bypass -Force # BAD
+Set-ExecutionPolicy Bypass -Force # $ Alert
 Set-ExecutionPolicy RemoteSigned -Force # GOOD
 Set-ExecutionPolicy Bypass -Scope Process -Force # GOOD
 Set-ExecutionPolicy RemoteSigned -Scope Process -Force # GOOD
-Set-ExecutionPolicy Bypass -Scope MachinePolicy -Force # BAD
+Set-ExecutionPolicy Bypass -Scope MachinePolicy -Force # $ Alert
 
-Set-ExecutionPolicy Bypass -Force:$true # BAD
+Set-ExecutionPolicy Bypass -Force:$true # $ Alert
 Set-ExecutionPolicy Bypass -Force:$false # GOOD
 
 Set-ExecutionPolicy Bypass # GOOD
diff --git a/powershell/ql/test/query-tests/security/cwe-319/UnsafeSMBSettings.qlref b/powershell/ql/test/query-tests/security/cwe-319/UnsafeSMBSettings.qlref
@@ -1 +1,2 @@
-queries/security/cwe-319/UnsafeSMBSettings.ql
+query: queries/security/cwe-319/UnsafeSMBSettings.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/powershell/ql/test/query-tests/security/cwe-319/test.ps1 b/powershell/ql/test/query-tests/security/cwe-319/test.ps1
@@ -2,19 +2,19 @@
 
 #Bad Examples
 
-Set-SmbServerConfiguration -Smb2DialectMin None
+Set-SmbServerConfiguration -Smb2DialectMin None # $ Alert
 
-Set-SmbClientConfiguration -Smb2DialectMin SMB210
+Set-SmbClientConfiguration -Smb2DialectMin SMB210 # $ Alert
 
-Set-SmbServerConfiguration -encryptdata $false -rejectunencryptedaccess $false
+Set-SmbServerConfiguration -encryptdata $false -rejectunencryptedaccess $false # $ Alert Alert
 
-Set-SmbClientConfiguration -RequireEncryption $false
+Set-SmbClientConfiguration -RequireEncryption $false # $ Alert
 
-Set-SMbClientConfiguration -BlockNTLM $false 
+Set-SMbClientConfiguration -BlockNTLM $false # $ Alert
 
-Set-SMbClientConfiguration -BlockNTLM $false -RequireEncryption $false -Smb2DialectMin SMB210 
+Set-SMbClientConfiguration -BlockNTLM $false -RequireEncryption $false -Smb2DialectMin SMB210 # $ Alert Alert Alert
 
-Set-SmbServerConfiguration -Smb2DialectMin None -encryptdata $false -rejectunencryptedaccess $false
+Set-SmbServerConfiguration -Smb2DialectMin None -encryptdata $false -rejectunencryptedaccess $false # $ Alert Alert Alert
 
 #Good Examples
 
diff --git a/powershell/ql/test/query-tests/security/cwe-327/ApprovedCipherMode/ApprovedCipherMode.qlref b/powershell/ql/test/query-tests/security/cwe-327/ApprovedCipherMode/ApprovedCipherMode.qlref
@@ -1 +1,2 @@
-queries/security/cwe-327/ApprovedCipherMode.ql
+query: queries/security/cwe-327/ApprovedCipherMode.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/powershell/ql/test/query-tests/security/cwe-327/ApprovedCipherMode/Test.ps1 b/powershell/ql/test/query-tests/security/cwe-327/ApprovedCipherMode/Test.ps1
@@ -4,13 +4,13 @@ $aes = [System.Security.Cryptography.Aes]::Create()
 $aesManaged = New-Object "System.Security.Cryptography.AesManaged"
 
 #Setting weak modes via CipherMode enum
-$badMode = [System.Security.Cryptography.CipherMode]::ECB
+$badMode = [System.Security.Cryptography.CipherMode]::ECB # $ Source
 $aes.Mode = $badMode
-$aesManaged.Mode = $badMode
+$aesManaged.Mode = $badMode # $ Alert
 
 $aes.Mode = [System.Security.Cryptography.CipherMode]::ECB
-$aesManaged.Mode = [System.Security.Cryptography.CipherMode]::ECB
+$aesManaged.Mode = [System.Security.Cryptography.CipherMode]::ECB # $ Alert
 
 # Setting weak modes directly
 $aes.Mode = "ecb"
-$aesManaged.Mode = "ecb"
+$aesManaged.Mode = "ecb" # $ Alert
diff --git a/powershell/ql/test/query-tests/security/cwe-327/ObsoleteKDFAlgorithm/ObsoleteKDFAlgorithm.ps1 b/powershell/ql/test/query-tests/security/cwe-327/ObsoleteKDFAlgorithm/ObsoleteKDFAlgorithm.ps1
@@ -24,7 +24,7 @@ function Test-PasswordDeriveBytesCryptDeriveKey {
     $pdb = New-Object System.Security.Cryptography.PasswordDeriveBytes($password, $salt)
 
     try {
-        $key = $pdb.CryptDeriveKey("TripleDES", "SHA1", 192, $iv)
+        $key = $pdb.CryptDeriveKey("TripleDES", "SHA1", 192, $iv) # $ Alert
         return $key
     }
     catch {
@@ -53,7 +53,7 @@ function Test-Rfc2898DeriveBytes {
     $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($password, $salt)
     
     try {
-        $key = $kdf.CryptDeriveKey("TripleDES", "SHA1", 192, $iv)
+        $key = $kdf.CryptDeriveKey("TripleDES", "SHA1", 192, $iv) # $ Alert
         return $key
     }
     catch {
diff --git a/powershell/ql/test/query-tests/security/cwe-327/ObsoleteKDFAlgorithm/ObsoleteKDFAlgorithm.qlref b/powershell/ql/test/query-tests/security/cwe-327/ObsoleteKDFAlgorithm/ObsoleteKDFAlgorithm.qlref
@@ -1 +1,2 @@
-queries/security/cwe-327/ObsoleteKDFAlgorithm.ql
+query: queries/security/cwe-327/ObsoleteKDFAlgorithm.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/powershell/ql/test/query-tests/security/cwe-327/WeakAsymmetricKeySize/WeakAsymmetricKeySize.qlref b/powershell/ql/test/query-tests/security/cwe-327/WeakAsymmetricKeySize/WeakAsymmetricKeySize.qlref
@@ -1 +1,2 @@
-queries/security/cwe-327/WeakAsymmetricKeySize.ql
+query: queries/security/cwe-327/WeakAsymmetricKeySize.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/powershell/ql/test/query-tests/security/cwe-327/WeakAsymmetricKeySize/test.ps1 b/powershell/ql/test/query-tests/security/cwe-327/WeakAsymmetricKeySize/test.ps1
@@ -3,13 +3,13 @@
 # ===================================================================
 
 # --- Case 1: RSA.Create with 1024-bit key ---
-$rsa = [System.Security.Cryptography.RSA]::Create(1024) # BAD
+$rsa = [System.Security.Cryptography.RSA]::Create(1024) # $ Alert
 
 # --- Case 2: RSA.Create with 512-bit key ---
-$rsa = [System.Security.Cryptography.RSA]::Create(512) # BAD
+$rsa = [System.Security.Cryptography.RSA]::Create(512) # $ Alert
 
 # --- Case 3: RSACryptoServiceProvider with 1024-bit key via ::new() ---
-$rsa = [System.Security.Cryptography.RSACryptoServiceProvider]::new(1024) # BAD
+$rsa = [System.Security.Cryptography.RSACryptoServiceProvider]::new(1024) # $ Alert
 
 # ===================================================================
 # ========== TRUE NEGATIVES (should NOT trigger alert) ==============
diff --git a/powershell/ql/test/query-tests/security/cwe-327/WeakHashes/WeakHashes.qlref b/powershell/ql/test/query-tests/security/cwe-327/WeakHashes/WeakHashes.qlref
@@ -1 +1,2 @@
-queries/security/cwe-327/WeakHashes.ql
+query: queries/security/cwe-327/WeakHashes.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/powershell/ql/test/query-tests/security/cwe-327/WeakHashes/test.ps1 b/powershell/ql/test/query-tests/security/cwe-327/WeakHashes/test.ps1
@@ -1,31 +1,31 @@
 # BAD: Using MD5 - cryptographically broken
-$md5 = [System.Security.Cryptography.MD5]::Create()
+$md5 = [System.Security.Cryptography.MD5]::Create() # $ Alert
 $md5Hash = $md5.ComputeHash([System.Text.Encoding]::UTF8.GetBytes("password123"))
 
 # BAD: Using MD5CryptoServiceProvider
-$md5Provider = New-Object System.Security.Cryptography.MD5CryptoServiceProvider
+$md5Provider = New-Object System.Security.Cryptography.MD5CryptoServiceProvider # $ Alert
 $md5ProviderHash = $md5Provider.ComputeHash([System.Text.Encoding]::UTF8.GetBytes("secret"))
 
 # BAD: Using SHA1 - cryptographically weak
-$sha1 = [System.Security.Cryptography.SHA1]::Create()
+$sha1 = [System.Security.Cryptography.SHA1]::Create() # $ Alert
 $sha1Hash = $sha1.ComputeHash([System.Text.Encoding]::UTF8.GetBytes("password123"))
 
 # BAD: Using SHA1CryptoServiceProvider
-$sha1Provider = New-Object System.Security.Cryptography.SHA1CryptoServiceProvider
+$sha1Provider = New-Object System.Security.Cryptography.SHA1CryptoServiceProvider # $ Alert
 $sha1ProviderHash = $sha1Provider.ComputeHash([System.Text.Encoding]::UTF8.GetBytes("secret"))
 
 # BAD: Creating weak hash algorithms from name
-$o = [System.Security.Cryptography.CryptoConfig]::CreateFromName("MD5")
-$o = [System.Security.Cryptography.CryptoConfig]::CreateFromName("System.Security.Cryptography.MD5")
-$o = [System.Security.Cryptography.CryptoConfig]::CreateFromName("SHA1")
-$o = [System.Security.Cryptography.CryptoConfig]::CreateFromName("System.Security.Cryptography.SHA1")
+$o = [System.Security.Cryptography.CryptoConfig]::CreateFromName("MD5") # $ Alert
+$o = [System.Security.Cryptography.CryptoConfig]::CreateFromName("System.Security.Cryptography.MD5") # $ Alert
+$o = [System.Security.Cryptography.CryptoConfig]::CreateFromName("SHA1") # $ Alert
+$o = [System.Security.Cryptography.CryptoConfig]::CreateFromName("System.Security.Cryptography.SHA1") # $ Alert
 
 
 # BAD: Using Get-FileHash with MD5
-Get-FileHash -Path "C:\file.txt" -Algorithm MD5
+Get-FileHash -Path "C:\file.txt" -Algorithm MD5 # $ Alert
 
 # BAD: Using Get-FileHash with SHA1
-Get-FileHash -Path "C:\file.txt" -Algorithm SHA1
+Get-FileHash -Path "C:\file.txt" -Algorithm SHA1 # $ Alert
 
 # ---------------------------------------------------------
 # GOOD: Safe usage of cryptographically secure algorithms
diff --git a/powershell/ql/test/query-tests/security/cwe-327/WeakSymmetricAlgorithm/WeakSymmetricAlgorithm.ps1 b/powershell/ql/test/query-tests/security/cwe-327/WeakSymmetricAlgorithm/WeakSymmetricAlgorithm.ps1
@@ -5,22 +5,22 @@ function Test-CreateRC2 {
     param()
     
     # BAD: RC2 created
-    $r1 = [System.Security.Cryptography.RC2]::Create()
+    $r1 = [System.Security.Cryptography.RC2]::Create() # $ Alert
     
     # BAD: RC2 created via SymmetricAlgorithm
-    $r2 = [System.Security.Cryptography.SymmetricAlgorithm]::Create("RC2")
+    $r2 = [System.Security.Cryptography.SymmetricAlgorithm]::Create("RC2") # $ Alert
     
     # BAD: RC2 created with explicit name
-    $r3 = [System.Security.Cryptography.RC2]::Create("RC2")
+    $r3 = [System.Security.Cryptography.RC2]::Create("RC2") # $ Alert
     
     # BAD: RC2 created with full type name
-    $r4 = [System.Security.Cryptography.SymmetricAlgorithm]::Create("System.Security.Cryptography.RC2")
+    $r4 = [System.Security.Cryptography.SymmetricAlgorithm]::Create("System.Security.Cryptography.RC2") # $ Alert
     
     # BAD: RC2CryptoServiceProvider created
-    $r5 = New-Object System.Security.Cryptography.RC2CryptoServiceProvider
+    $r5 = New-Object System.Security.Cryptography.RC2CryptoServiceProvider # $ Alert
     
     # BAD: RC2 created using CryptoConfig.CreateFromName
-    $r6 = [System.Security.Cryptography.CryptoConfig]::CreateFromName("RC2")
+    $r6 = [System.Security.Cryptography.CryptoConfig]::CreateFromName("RC2") # $ Alert
     
     return $r5
 }
diff --git a/powershell/ql/test/query-tests/security/cwe-327/WeakSymmetricAlgorithm/WeakSymmetricAlgorithm.qlref b/powershell/ql/test/query-tests/security/cwe-327/WeakSymmetricAlgorithm/WeakSymmetricAlgorithm.qlref
@@ -1 +1,2 @@
-queries/security/cwe-327/WeakSymmetricAlgorithm.ql
+query: queries/security/cwe-327/WeakSymmetricAlgorithm.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/powershell/ql/test/query-tests/security/cwe-347/JwtNoneAlgorithm/JwtNoneAlgorithm.qlref b/powershell/ql/test/query-tests/security/cwe-347/JwtNoneAlgorithm/JwtNoneAlgorithm.qlref
@@ -1 +1,2 @@
-queries/security/cwe-347/JwtNoneAlgorithm.ql
+query: queries/security/cwe-347/JwtNoneAlgorithm.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/powershell/ql/test/query-tests/security/cwe-347/JwtNoneAlgorithm/test.ps1 b/powershell/ql/test/query-tests/security/cwe-347/JwtNoneAlgorithm/test.ps1
@@ -4,10 +4,10 @@
 
 # --- Case 1: .NET JwtSecurityTokenHandler.CreateToken with "none" ---
 $handler = [System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler]::new()
-$token = $handler.CreateToken("none") # BAD
+$token = $handler.CreateToken("none") # $ Alert
 
 # --- Case 2: .NET JwtSecurityTokenHandler.CreateEncodedJwt with "none" ---
-$token = $handler.CreateEncodedJwt("none") # BAD
+$token = $handler.CreateEncodedJwt("none") # $ Alert
 
 # ===================================================================
 # ========== TRUE NEGATIVES (should NOT trigger alert) ==============
diff --git a/powershell/ql/test/query-tests/security/cwe-502/UnsafeDeserialization.qlref b/powershell/ql/test/query-tests/security/cwe-502/UnsafeDeserialization.qlref
diff --git a/powershell/ql/test/query-tests/security/cwe-502/test.ps1 b/powershell/ql/test/query-tests/security/cwe-502/test.ps1
diff --git a/powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/DeprecatedTls.qlref b/powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/DeprecatedTls.qlref
diff --git a/powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/test.ps1 b/powershell/ql/test/query-tests/security/cwe-757/DeprecatedTls/test.ps1

Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
`1`		`-experimental/ConvertToSecureStringAsPlainText.ql`
	`1`	`+query: experimental/ConvertToSecureStringAsPlainText.ql`
	`2`	`+postprocess: utils/test/InlineExpectationsTestQuery.ql`
Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
`1`		`-experimental/HardcodedComputerName.ql`
	`1`	`+query: experimental/HardcodedComputerName.ql`
	`2`	`+postprocess: utils/test/InlineExpectationsTestQuery.ql`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`Function Invoke-MyRemoteCommand ()`
`2`	`2`	`{`
`3`		`- Invoke-Command -Port 343 -ComputerName hardcoderemotehostname`
	`3`	`+ Invoke-Command -Port 343 -ComputerName hardcoderemotehostname # $ Alert`
`4`	`4`	`}`
`5`	`5`
`6`	`6`	`Function Invoke-MyCommand ($ComputerName)`
`@@ -10,7 +10,7 @@ Function Invoke-MyCommand ($ComputerName)`
`10`	`10`
`11`	`11`	`Function Invoke-MyLocalCommand ()`
`12`	`12`	`{`
`13`		`- Invoke-Command -Port 343 -ComputerName hardcodelocalhostname`
	`13`	`+ Invoke-Command -Port 343 -ComputerName hardcodelocalhostname # $ Alert`
`14`	`14`	`}`
`15`	`15`
`16`	`16`	`Function Invoke-MyLocalCommand ()`
Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
`1`		`-experimental/UseOfReservedCmdletChar.ql`
	`1`	`+query: experimental/UseOfReservedCmdletChar.ql`
	`2`	`+postprocess: utils/test/InlineExpectationsTestQuery.ql`
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`		`-function MyFunction[1]`
	`1`	`+function MyFunction[1] # $ Alert Alert`
`2`	`2`	`{...}`
Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
`1`		`-experimental/UsernameOrPasswordParameter.ql`
	`1`	`+query: experimental/UsernameOrPasswordParameter.ql`
	`2`	`+postprocess: utils/test/InlineExpectationsTestQuery.ql`
Original file line number	Diff line number	Diff line change
`@@ -4,8 +4,8 @@ function Test-Script`
`4`	`4`	`Param`
`5`	`5`	`(`
`6`	`6`	`[String]`
`7`		`- $Username,`
	`7`	`+ $Username, # $ Alert`
`8`	`8`	`[SecureString]`
`9`		`- $Password`
	`9`	`+ $Password # $ Alert`
`10`	`10`	`)`
`11`	`11`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
`1`		`-queries/security/cwe-022/ZipSlip.ql`
	`1`	`+query: queries/security/cwe-022/ZipSlip.ql`
	`2`	`+postprocess: utils/test/InlineExpectationsTestQuery.ql`