mirror of
https://github.com/github/codeql.git
synced 2025-12-19 10:23:15 +01:00
Now there is a path from the _imports_ of the functions that would return sensitive data, so we produce more alerts. I'm not entirely happy about this "double reporting", but I'm not sure how to get around it without either:

1. disabling the extra taint-step for calls. Not ideal since we would lose good sources.
2. disabling the extra sources based on function name. Not ideal since we would lose good sources.
3. disabling the extra sources based on function name, for those calls that would be handled with the extra taint-step for calls. Not ideal since that would require running the data-flow query initially to prune these out :|

So for now, I think the best approach is to accept some risk on this, and ship to learn :)
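The "double reporting" and the three options above, illustrated with a toy taint-propagation model. This is an added example, not code from the CodeQL repository or from the author of the message: the node kinds, the constructed three-line program (an import of `get_password`, a call to it, and a logging sink), the name-based sensitivity heuristic and the configuration knobs are all assumptions made for illustration. It shows why one sink gets two alerts when both the call-based source and the import-based source are enabled together with the call taint step, and why option 3 needs a reachability pass before the real query runs.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    kind: str  # "import", "call", "var" or "sink" (toy model, not CodeQL's node kinds)
    name: str

    def __str__(self) -> str:
        return f"{self.kind}:{self.name}"


SENSITIVE_WORDS = ("password", "secret", "token")


def looks_sensitive(name: str) -> bool:
    """Name-based heuristic standing in for 'extra sources based on function name'."""
    return any(w in name.lower() for w in SENSITIVE_WORDS)


# Constructed program (an assumption, not code from the page):
#   from db import get_password      -> IMP  (import node)
#   pw = get_password()              -> CALL (call whose callee is IMP)
#   log.info(pw)                     -> SINK
IMP = Node("import", "get_password")
CALL = Node("call", "get_password()")
VAR = Node("var", "pw")
SINK = Node("sink", "log.info(pw)")

CALLEE = {CALL: IMP}                     # which import each call resolves to
FLOW_EDGES = {CALL: {VAR}, VAR: {SINK}}  # ordinary local data flow


def build_graph(call_taint_step: bool) -> dict:
    """Flow edges, optionally with the 'extra taint-step for calls'."""
    edges = defaultdict(set)
    for a, bs in FLOW_EDGES.items():
        edges[a] |= bs
    if call_taint_step:
        # A call to a tainted callee returns tainted data: callee -> call result.
        for call, callee in CALLEE.items():
            edges[callee].add(call)
    return edges


def select_sources(call_sources: bool, import_sources: bool) -> list:
    srcs = []
    if call_sources:    # older source: calls to sensitively named functions
        srcs += [c for c in CALLEE if looks_sensitive(c.name)]
    if import_sources:  # newer source: imports of sensitively named functions
        srcs += [i for i in CALLEE.values() if looks_sensitive(i.name)]
    return srcs


def paths_to_sink(edges: dict, source: Node, sink: Node) -> list:
    """Enumerate all simple paths from source to sink (iterative DFS)."""
    found = []
    stack = [(source, (source,))]
    while stack:
        node, path = stack.pop()
        if node == sink:
            found.append(path)
            continue
        for nxt in edges.get(node, ()):
            if nxt not in path:
                stack.append((nxt, path + (nxt,)))
    return found


def alerts(call_taint_step=True, call_sources=True, import_sources=True, prune=False):
    """Return one path per (source, sink) pair; each path is one alert."""
    edges = build_graph(call_taint_step)
    srcs = select_sources(call_sources, import_sources)
    if prune:
        # Option 3: drop a call-based source when an import-based source already
        # reaches that call through the call taint step. This is itself a
        # reachability (data-flow) pass that must run before the real query.
        import_srcs = [s for s in srcs if s.kind == "import"]
        srcs = [s for s in srcs
                if s.kind != "call"
                or not any(paths_to_sink(edges, i, s) for i in import_srcs)]
    result = []
    for s in srcs:
        result += paths_to_sink(edges, s, SINK)
    return result


if __name__ == "__main__":
    for label, cfg in [("both sources + call step", {}),
                       ("option 1: no call step", {"call_taint_step": False}),
                       ("option 2: no import sources", {"import_sources": False}),
                       ("option 3: pruned", {"prune": True})]:
        print(f"{label}: {len(alerts(**cfg))} alert(s)")
        for p in alerts(**cfg):
            print("   " + " -> ".join(map(str, p)))
```

Running it prints two alerts for the default configuration (one path starting at the call, one starting at the import and passing through the same call), and one alert for each of the three alternatives; option 3 keeps only the import-rooted path, but only after `paths_to_sink` has already been evaluated once to decide which call-based sources to drop.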