github / codeql

CodeQL: the libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security
https://codeql.github.com
MIT License

LGTM.com - false positive - @classmethod not seen #6527

Open DimitriPapadopoulos opened 3 years ago

DimitriPapadopoulos commented 3 years ago

Description of the false positive

In the case of multiple class decorators, @classmethod does not seem to be taken into account unless it is the last in the list.

URL to the alert on the project page on LGTM.com

https://lgtm.com/projects/g/nipy/nibabel/snapshot/e1c3f08bde4a58dd3fdc39b96d9a39b788a33bfc/files/nibabel/gifti/gifti.py?sort=name&dir=ASC&mode=heatmap#x2a1483ff4c3ffedd:1
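A minimal reproducer for the situation the report describes, added here as an example; it is not the nibabel code behind the linked alert and not part of the CodeQL project. The class names, the `log_calls` decorator and the two helper functions are constructed for this illustration. It shows why decorator order matters for a classmethod and what a static analysis has to reconstruct from the decorator stack: with `@classmethod` outermost the class attribute is a `classmethod` object and `cls` is bound on call; with `@classmethod` innermost, a decorator that is not descriptor-aware ends up wrapping the `classmethod` object itself, and calling the method fails at runtime.

```python
import functools
import inspect


def log_calls(func):
    # Plain wrapping decorator, constructed for this example. It is not
    # descriptor-aware: it only works when handed an ordinary function.
    @functools.wraps(func)
    def wrapper(*args, **kwargs):
        return func(*args, **kwargs)
    return wrapper


class OutermostClassmethod:
    # @classmethod is applied last (outermost). The raw class attribute is a
    # classmethod object wrapping the logged function, so cls is bound.
    @classmethod
    @log_calls
    def make(cls, value):
        return cls.__name__, value


class InnermostClassmethod:
    # @classmethod is applied first (innermost). log_calls receives the
    # classmethod object, so the raw class attribute is a plain function
    # whose inner call hits a non-callable classmethod object.
    @log_calls
    @classmethod
    def make(cls, value):
        return cls.__name__, value


def attribute_kind(klass, name):
    """Type name of the raw class attribute, bypassing the descriptor protocol.

    inspect.getattr_static returns what is stored in the class namespace,
    which is exactly what an analyzer must infer from the decorator stack.
    """
    return type(inspect.getattr_static(klass, name)).__name__


def call_outcome(klass, value):
    """Call klass.make(value); return its result, or the exception type name."""
    try:
        return klass.make(value)
    except TypeError as exc:
        return type(exc).__name__


if __name__ == "__main__":
    for klass in (OutermostClassmethod, InnermostClassmethod):
        print(klass.__name__, attribute_kind(klass, "make"), call_outcome(klass, 1))
```

Running the block prints `classmethod` and a bound result for the first class, and `function` followed by `TypeError` for the second. Any analysis that wants to know whether `cls` is really the class at a call site has to track which decorator is outermost rather than merely whether `@classmethod` appears somewhere in the stack.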

tausbn commented 3 years ago

Thank you for your report. I agree that there's something odd going on here.

As this is not related to our security queries, and as we are currently focused on improving our security analysis, this issue will be added to our backlog and revisited if enough instances pop up.

Some notes (mostly for the benefit of whoever ends up working on this): The order of the decorators seems to be a red herring, as we are correctly identifying that the function in question has the classmethod decorator. Somehow, though, this is not being propagated correctly through the rest of the analysis.

DimitriPapadopoulos commented 3 years ago

It's indeed a good idea to focus on security analysis.

In that case, I would suggest disabling other tests by default, because LGTM raises many false positives that give an unjustified bad image of open source projects.