
False positive: Cyclic import in Python #13866

Open
abadger opened this issue Aug 2, 2023 · 1 comment

Comments

@abadger

abadger commented Aug 2, 2023

Description of the false positive

CodeQL falsely detects a cyclic import in a Pull request.

  • There is an existing cyclic import in the code which is mitigated with an import inside of a function.

    toolopts imports global variables from systeminfo inside of _register_options()
    systeminfo imports toolopts

  • The pull request includes switching the Python modules that the identifiers are being defined in and reversing the imports so that only one module has to import the other.

    toolopts now implements the global variables
    toolopts no longer imports systeminfo at all
    systeminfo now imports the global variables from toolopts

Code samples or links to source code

URL to the alert on GitHub code scanning (optional)
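The two layouts the issue describes, as an added Python example that is not the project's code: it writes constructed `toolopts`/`systeminfo` stubs to a temporary directory and imports them, showing that the deferred in-function import makes the original cycle work, that hoisting the same import to module level fails with an ImportError, and that the reversed one-directional layout has no cycle at all. The global names and their values are assumptions.

```python
import importlib, sys, tempfile, textwrap
from pathlib import Path
# Constructed sources (not the project's code). BEFORE: systeminfo imports
# toolopts at module level; toolopts imports systeminfo only in a function.
BEFORE = {
    "systeminfo.py": """
        import toolopts  # module-level: toolopts executes first
        SYSTEM_TYPE = "rhel"
        MAJOR_VERSION = 9
    """,
    "toolopts.py": """
        def _register_options():
            # Deferred: by call time systeminfo is fully initialised.
            from systeminfo import SYSTEM_TYPE, MAJOR_VERSION
            return {"system": SYSTEM_TYPE, "major": MAJOR_VERSION}
    """,
}
# Same cycle, import hoisted to module level: toolopts asks for names that
# the partially initialised systeminfo has not defined yet -> ImportError.
BROKEN = dict(BEFORE, **{"toolopts.py": """
    from systeminfo import SYSTEM_TYPE, MAJOR_VERSION
    def _register_options():
        return {"system": SYSTEM_TYPE, "major": MAJOR_VERSION}
"""})
# AFTER: toolopts owns the globals, only systeminfo imports; no cycle.
AFTER = {
    "toolopts.py": """
        SYSTEM_TYPE = "rhel"
        MAJOR_VERSION = 9
        def _register_options():
            return {"system": SYSTEM_TYPE, "major": MAJOR_VERSION}
    """,
    "systeminfo.py": "from toolopts import SYSTEM_TYPE, MAJOR_VERSION\n",
}
def load_layout(modules):
    """Import a layout from a fresh dir; _register_options() or None on ImportError."""
    tmp = tempfile.mkdtemp()
    for name, src in modules.items():
        Path(tmp, name).write_text(textwrap.dedent(src))
    for name in ("toolopts", "systeminfo"):
        sys.modules.pop(name, None)  # start each layout from scratch
    sys.path.insert(0, tmp)
    importlib.invalidate_caches()
    try:
        importlib.import_module("systeminfo")
        return importlib.import_module("toolopts")._register_options()
    except ImportError:
        return None
    finally:
        sys.path.remove(tmp)
```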

@RasmusWL
Member

RasmusWL commented Aug 7, 2023

Indeed, this sounds like a false positive. Thank you for reporting it!

Our current focus is on improving our security analysis. Because your report does not relate to a security query, we will put this on our backlog and prioritize it if we get enough reports of the same underlying issue in other projects. If you think that your report is related to our security analysis, please clarify that in a comment. Either way, we'll let you know here as soon as it's fixed!

I also want to point out that GitHub Code Scanning has facilities for suppressing individual alerts or disabling a query, just FYI.
