Factor out use-use flow in order to do this.
Also improve names and comments.
I also wanted to change the types in `difinitionFlowStep`, but
that broke the module instantiation.
copy, pop, get, getitem, setdefault
Also add read steps to taint tracking.
Reading from a tainted collection can be done in two situations:
1. There is an acces path
In this case a read step (possibly from a flow summary)
gives rise to a taint step.
2. There is no access path
In this case an explicit taint step (possibly via a flow
summary) should exist.
Since we can analyze operator.py from Python3, but not in Python 2
(since it's implemented in C), we get a difference for the index tests.
note: `operator.length_hint` is only available in Python 3.4 and later,
so would always fail under Python 2.
Adjusted `tracked.ql`
- no need to annotate results on line 0
this could happen for global SSA variables
- no need to annotate scope entry definitons
they look a bit weird, as the annotation goes on the
line of the function definition.
This is a bit of an edge case, but allowed. Since we currently don't
provide information on positional only arguments, we can't do much to
solve it right now.
Similar to the Ruby changes from
https://github.com/github/codeql/pull/11461
I feel the change to `DataFlowFunciton.getParameter` where we use
`not exists(func.getArgByName(_))` is not very great, but I was not allowed
to use `not exists(this.getParameter(any(ParameterPosition _).isKeyword(_)))`
because of negative recursion.
validTest.py did not pass, since we use `SINK3_F`.
I initially tried swapping the order
```
args = (arg1, arg2) # $ arg1 arg2 func=starargs_only
more_args = (arg4, arg3)
starargs_only(*args, *more_args)
```
But then asked myself, what is it _actually_ we're testing here? and it
seems to be the way we handle multiple *args arguments in the same call,
so I converted the test to be that instead! (and it matches what we do
in test_stararg_mixed)
When resolving merge conflict after flow-summaries was merged, this is
the original commit where I introduced ParameterNodeImpl, so this is the
commit where differences in that implementation was committed...
I removed TParameterNode, since I could not see we we gain anything from
having it.
For now this is JUST from `**kwargs` in arguments, to `**kwargs`
parameters, and this part is based on field-flow
Note that dataflow-library complains about missing post update nodes for
these. This needs to be ignored, since post update nodes for `**kwargs`
arguments doesn't make sense, it's not possible to alter the dictionary
inside the method.
