Merge branch 'main' into python-add-typetracker

python/ql/src/experimental/dataflow/DataFlow.qll

@@ -15,7 +15,7 @@
  * `DataFlow::localFlowStep` with arguments of type `DataFlow::Node`.
  */
 
-import python
+private import python
 
 /**
  * Provides classes for performing local (intra-procedural) and

python/ql/src/experimental/dataflow/DataFlow2.qll

@@ -15,7 +15,7 @@
  * `DataFlow::localFlowStep` with arguments of type `DataFlow::Node`.
  */
 
-import python
+private import python
 
 /**
  * Provides classes for performing local (intra-procedural) and

python/ql/src/experimental/dataflow/TaintTracking.qll

@@ -8,7 +8,7 @@
  * `TaintTracking::localTaintStep` with arguments of type `DataFlow::Node`.
  */
 
-import python
+private import python
 
 /**
  * Provides classes for performing local (intra-procedural) and

python/ql/src/experimental/dataflow/internal/DataFlowPublic.qll

@@ -2,7 +2,7 @@
  * Provides Python-specific definitions for use in the data flow library.
  */
 
-import python
+private import python
 private import DataFlowPrivate
 import experimental.dataflow.TypeTracker
 

python/ql/src/experimental/dataflow/internal/TaintTrackingPrivate.qll

@@ -36,8 +36,8 @@ predicate localAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeT
  * Holds if taint can flow from `nodeFrom` to `nodeTo` with a step related to concatenation.
  *
  * Note that since we cannot easily distinguish interesting types (like string, list, tuple),
- * we consider any `+` operation to propagate taint. After consulting with the JS team, this
- * doesn't sound like it is a big problem in practice.
+ * we consider any `+` operation to propagate taint. This is what is done in the JS libraries,
+ * and isn't a big problem in practice.
  */
 predicate concatStep(DataFlow::CfgNode nodeFrom, DataFlow::CfgNode nodeTo) {
   exists(BinaryExprNode add | add = nodeTo.getNode() |

python/ql/test/TestUtilities/InlineExpectationsTest.qll

@@ -28,11 +28,11 @@
  *   }
  *
  *   override predicate hasActualResult(
- *     Location location, string element, string tag, string valuesasas
+ *     Location location, string element, string tag, string value
  *   ) {
  *     exists(Expr e |
  *       tag = "const" and // The tag for this test.
- *       valuesasas = e.getValue() and // The expected value. Will only hold for constant expressions.
+ *       value = e.getValue() and // The expected value. Will only hold for constant expressions.
  *       location = e.getLocation() and // The location of the result to be reported.
  *       element = e.toString() // The display text for the result.
  *     )

python/ql/test/experimental/dataflow/callGraphConfig.qll

@@ -1,3 +1,4 @@
+private import python
 import experimental.dataflow.DataFlow
 
 /**

python/ql/test/experimental/dataflow/coverage/argumentRouting1.ql

@@ -1,3 +1,4 @@
+import python
 import experimental.dataflow.DataFlow
 
 /**

python/ql/test/experimental/dataflow/coverage/argumentRouting2.ql

@@ -1,3 +1,4 @@
+import python
 import experimental.dataflow.DataFlow
 
 /**

python/ql/test/experimental/dataflow/coverage/argumentRouting3.ql

@@ -1,3 +1,4 @@
+import python
 import experimental.dataflow.DataFlow
 
 /**

python/ql/test/experimental/dataflow/coverage/argumentRouting4.ql

@@ -1,3 +1,4 @@
+import python
 import experimental.dataflow.DataFlow
 
 /**

python/ql/test/experimental/dataflow/coverage/dataflow.ql

@@ -2,6 +2,7 @@
  * @kind path-problem
  */
 
+import python
 import experimental.dataflow.testConfig
 import DataFlow::PathGraph
 

python/ql/test/experimental/dataflow/regression/dataflow.ql

@@ -5,6 +5,7 @@
  * hope to remove the false positive.
  */
 
+import python
 import experimental.dataflow.testConfig
 
 from DataFlow::Node source, DataFlow::Node sink

python/ql/test/experimental/dataflow/testConfig.qll

@@ -20,6 +20,7 @@
  * complex | `42j` (not supported yet)
  */
 
+private import python
 import experimental.dataflow.DataFlow
 
 class TestConfiguration extends DataFlow::Configuration {