mirror of
https://github.com/github/codeql.git
synced 2026-04-12 02:24:00 +02:00
4f74d421b9
Looking at the results of the the previous DCA run, there was a bunch of false positives where `bind` was being used with a `AF_UNIX` socket (a filesystem path encoded as a string), not a `(host, port)` tuple. These results should be excluded from the query, as they are not vulnerable. Ideally, we would just add `.TupleElement[0]` to the MaD sink, except we don't actually support this in Python MaD... So, instead I opted for a more low-tech solution: check that the argument in question flows from a tuple in the local scope. This eliminates a bunch of false positives on `python/cpython` leaving behind four true positive results.