Merge pull request #19136 from github/tausbn/python-modernise-mixed-tuple-returns-query

Python: Modernize `py/mixed-tuple-returns`
2025-12-16 16:53:25 +01:00 · 2025-04-01 17:31:56 +02:00
parent ffb25b7aac 6674288fd2
commit aacdc70a73
4 changed files with 22 additions and 7 deletions
--- a/python/ql/src/Functions/ReturnConsistentTupleSizes.ql
+++ b/python/ql/src/Functions/ReturnConsistentTupleSizes.ql
@@ -4,6 +4,7 @@
 * @kind problem
 * @tags reliability
 *       maintainability
+ *       quality
 * @problem.severity recommendation
 * @sub-severity high
 * @precision high
@@ -11,13 +12,15 @@
 */

 import python
+import semmle.python.ApiGraphs

-predicate returns_tuple_of_size(Function func, int size, AstNode origin) {
-  exists(Return return, TupleValue val |
+predicate returns_tuple_of_size(Function func, int size, Tuple tuple) {
+  exists(Return return, DataFlow::Node value |
+    value.asExpr() = return.getValue() and
    return.getScope() = func and
-    return.getValue().pointsTo(val, origin)
+    any(DataFlow::LocalSourceNode n | n.asExpr() = tuple).flowsTo(value)
  |
-    size = val.length()
+    size = count(int n | exists(tuple.getElt(n)))
  )
 }

@@ -25,6 +28,8 @@ from Function func, int s1, int s2, AstNode t1, AstNode t2
 where
  returns_tuple_of_size(func, s1, t1) and
  returns_tuple_of_size(func, s2, t2) and
-  s1 < s2
+  s1 < s2 and
+  // Don't report on functions that have a return type annotation
+  not exists(func.getDefinition().(FunctionExpr).getReturns())
 select func, func.getQualifiedName() + " returns $@ and $@.", t1, "tuple of size " + s1, t2,
  "tuple of size " + s2
--- a/python/ql/src/change-notes/2025-03-27-modernize-mixed-tuple-returns-query.md
+++ b/python/ql/src/change-notes/2025-03-27-modernize-mixed-tuple-returns-query.md
@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+
+- The `py/mixed-tuple-returns` query no longer flags instances where the tuple is passed into the function as an argument, as this led to too many false positives.
--- a/python/ql/test/query-tests/Functions/return_values/ReturnConsistentTupleSizes.expected
+++ b/python/ql/test/query-tests/Functions/return_values/ReturnConsistentTupleSizes.expected
@@ -1,2 +1 @@
 | functions_test.py:306:1:306:39 | Function returning_different_tuple_sizes | returning_different_tuple_sizes returns $@ and $@. | functions_test.py:308:16:308:18 | Tuple | tuple of size 2 | functions_test.py:310:16:310:20 | Tuple | tuple of size 3 |
-| functions_test.py:324:1:324:50 | Function indirectly_returning_different_tuple_sizes | indirectly_returning_different_tuple_sizes returns $@ and $@. | functions_test.py:319:12:319:14 | Tuple | tuple of size 2 | functions_test.py:322:12:322:16 | Tuple | tuple of size 3 |
--- a/python/ql/test/query-tests/Functions/return_values/functions_test.py
+++ b/python/ql/test/query-tests/Functions/return_values/functions_test.py
@@ -321,7 +321,7 @@ def function_returning_2_tuple():
 def function_returning_3_tuple():
    return 1,2,3

-def indirectly_returning_different_tuple_sizes(x):
+def indirectly_returning_different_tuple_sizes(x): # OK, since we only look at local tuple returns
    if x:
        return function_returning_2_tuple()
    else:
@@ -347,3 +347,9 @@ def ok_match2(x):  # FP
            return 0
        case _:
            return 1
+
+def ok_tuple_returns_captured_in_type(x: bool) -> tuple[int, ...]: # OK because there is a type annotation present
+    if x:
+        return 1, 2
+    else:
+        return 1, 2, 3