Python: release hotfix #22108

Merged: mbg merged 2 commits into github:codeql-cli-2.26.0 from hvitved:python-hot-fix on Jul 2, 2026


@hvitved hvitved (Contributor) commented Jul 2, 2026

Cherry-picked the commits from #22101.

@github-actions github-actions Bot added the Python label Jul 2, 2026
@hvitved hvitved marked this pull request as ready for review July 2, 2026 09:56
@hvitved hvitved requested a review from a team as a code owner July 2, 2026 09:56
Copilot AI review requested due to automatic review settings July 2, 2026 09:56
@hvitved hvitved added the no-change-note-required This PR does not need a change note label Jul 2, 2026

Copilot AI (Contributor) left a comment

Pull request overview

Cherry-picks upstream work (from #22101) to make Python stdlib data-flow summaries more performant while keeping (or intentionally adjusting) the modeled behavior, and updates affected library tests accordingly.

Changes:

  • Updates Python stdlib flow summaries to use more generalized “any element/with content” access-path forms.
  • Hooks flow-summary “expects content” behavior into the dataflow internals.
  • Adjusts Python library tests to reflect newly-modeled flows (and newly-accepted imprecision) in zip(...) and Django ORM in_bulk.

| File | Description |
| --- | --- |
| python/ql/test/library-tests/frameworks/django-orm/testapp/orm_tests.py | Updates Django ORM in_bulk expectations to assert the now-modeled flow through .values(). |
| python/ql/test/library-tests/dataflow/coverage/test_builtins.py | Updates zip(...) expectations (including recording a newly observed false positive). |
| python/ql/lib/semmle/python/frameworks/Stdlib.qll | Refactors stdlib summaries to use generalized content encodings (e.g., any tuple/dict element, with-content). |
| python/ql/lib/semmle/python/dataflow/new/internal/FlowSummaryImpl.qll | Adds encoding support for “with content” summaries. |
| python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll | Wires expectsContent to flow-summary-provided expectations. |

Review details

  • Files reviewed: 4/5 changed files
  • Comments generated: 1
  • Review effort level: Low

Comment on lines 4452 to 4453
// We reduce generality slightly by not tracking tuple contents on list arguments beyond the first, for performance.
// TODO: Once we have TupleElementAny, this generality can be increased.

@mbg mbg (Member) left a comment

Approving since this is already merged into main. We will need this in the codeql-cli-2.26.0 branch either way for follow-up testing.

@yoff yoff (Contributor) left a comment

Lgtm

@mbg mbg merged commit 79eeaa2 into github:codeql-cli-2.26.0 Jul 2, 2026
13 of 14 checks passed
@hvitved hvitved deleted the python-hot-fix branch July 2, 2026 11:33