Making QDots in IdQualified resolvable

[ihji]

test plan: make test

QDots in IdQualified need to be resolvable if we want to use a metavariable-type filter with the method annotation in Python, as shown in the example below:

from flask import Flask
 
app = Flask(__name__)

@app.get("/items/<item_id>")
def read_item(item_id: str):
    return {"item_id": item_id}

rules:
  - id: test
    message: Test
    languages:
      - python
    severity: WARNING
    patterns:
      - pattern: |
          @$APP.get(...)
          def $FUNC(..., $PARAM, ...):
            ... 
      - metavariable-type:
          metavariable: $APP
          type: Flask

@app.get("/items/<item_id>") is translated in AST as:

attrs=[NamedAttr((),
                IdQualified(
                  {name_last=(("get", ()), None); name_top=None; 
                   name_middle=Some(QDots([(("app", ()), None)])); 
                   name_info={id_info_id=7; id_flags=Ref(0); 
                              id_resolved=Ref(Some((GlobalName(
                                                      ["/Users/heejong/Works/semgrep-proprietary/temp/p";
                                                       "app"; "get"],
                                                      [["app"; "get"]]),
                                                    12)));
                              id_type=Ref(None); id_svalue=Ref(None); };
                   }), [Arg(L(String(("/items/<item_id>", ()))))])];

QDots is a list of ident so we can't infer the type.

[github-actions]

PR checklist:

• Purpose of the code is evident to future readers
• Tests included or PR comment includes a reproducible test plan
• Documentation is up-to-date
• A changelog entry was added to changelog.d for any user-facing change
• Change has no security implications (otherwise, ping security team)

If you're unsure about any of this, please see:

• Contribution guidelines!
• One of the more specific guides located here

[IagoAbal]

We need a test plan that actually shows something, some code that one can -dump_ast and see that now those annotations are getting resolved.

[IagoAbal]

No strong opinion, but I do wonder if it wouldn't be simpler and more general to just have NameAttr take an expr. We have another ticket/request for supporting sym-prop for attributes. The idents in the QDots are accompanied by type_arguments which to me suggests that they are not meant to encode expressions.

[aryx]

Yes maybe the issue here is how we currently encode app.get as a qualified name when really it's a DotAccess
One issue is that in Python it's not super clear when you see foo.bar.z
whether bar is a module, or a field.
So probably we should go more general and use DotAccess here.

[aryx]

maybe we can have an ExprAttr of ...
or encode it via OtherAttribute.

[IagoAbal]

@aryx do you have an opinion on this one?

[aryx]

looking

[aryx]

Let's fix how we translate Python instead. Let's not use QDots for
what is really a DotAccess.

[aryx]

Yes maybe the issue here is how we currently encode app.get as a qualified name when really it's a DotAccess
One issue is that in Python it's not super clear when you see foo.bar.z
whether bar is a module, or a field.
So probably we should go more general and use DotAccess here.

[aryx]

maybe we can have an ExprAttr of ...
or encode it via OtherAttribute.

[ihji]

superseded by #10221