Update python/ql/src/Security/CWE-352/CSRFProtectionDisabled.ql

Explain why `TestScope` is not used.

Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>

Author: yoff

python/ql/src/Security/CWE-352/CSRFProtectionDisabled.ql

@@ -18,6 +18,8 @@ from HTTP::Server::CsrfProtectionSetting s
 where
   s.getVerificationSetting() = false and
   not exists(HTTP::Server::CsrfLocalProtectionSetting p | p.csrfEnabled()) and
-  // rule out test code as this is a common place to turn off CSRF protection
+  // rule out test code as this is a common place to turn off CSRF protection.
+  // We don't use normal `TestScope` to find test files, since we also want to match
+  // a settings file such as `.../integration-tests/settings.py`
   not s.getLocation().getFile().getAbsolutePath().matches("%test%")
 select s, "Potential CSRF vulnerability due to forgery protection being disabled or weakened."