remove FPs related to parameters that are meant to be commands

Author: erik-krogh

python/ql/lib/semmle/python/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll

@@ -21,7 +21,10 @@ module UnsafeShellCommandConstruction {
 
   /** An input parameter to a gem seen as a source. */
   private class LibraryInputAsSource extends Source instanceof DataFlow::ParameterNode {
-    LibraryInputAsSource() { this = Setuptools::getALibraryInput() }
+    LibraryInputAsSource() {
+      this = Setuptools::getALibraryInput() and
+      not this.getParameter().getName().matches(["cmd%", "command%", "%_command", "%_cmd"])
+    }
   }
 
   /** A sink for shell command constructed from library input vulnerabilities. */

python/ql/test/query-tests/Security/CWE-078-UnsafeShellCommandConstruction/src/unsafe_shell_test.py

@@ -43,4 +43,7 @@ def indirect(flag, x):
 
     indirect(True, name)
 
-    subprocess.Popen("ping " + name, shell=unknownValue) # OK - shell assumed to be False
+    subprocess.Popen("ping " + name, shell=unknownValue) # OK - shell assumed to be False
+
+def intentional(command): 
+    os.system("fish -ic " + command) # $result=OK - intentional