Python: Support type annotations in call graph

Adds support for tracking instances via type annotations. Also adds a
convenience method to the newly added `Annotation` class,
`getAnnotatedExpression`, that returns the expression that is annotated
with the given type. For return annotations this is any value returned
from the annotated function in question.

Co-authored-by: Napalys Klicius <[email protected]>

Author: tausbn

python/ql/lib/semmle/python/Exprs.qll

@@ -762,6 +762,17 @@ class Annotation extends Expr {
     or
     this = any(FunctionExpr f).getReturns()
   }
+
+  /** Gets the expression that this annotation annotates. */
+  Expr getAnnotatedExpression() {
+    result = any(AnnAssign a | a.getAnnotation() = this).getTarget()
+    or
+    result = any(Parameter p | p.getAnnotation() = this)
+    or
+    exists(FunctionExpr f |
+      this = f.getReturns() and result = f.getInnerScope().getReturnNode().getNode()
+    )
+  }
 }
 
 /* Expression Contexts */

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowDispatch.qll

@@ -580,6 +580,11 @@ private module TrackClassInstanceInput implements CallGraphConstruction::Simple:
   class State = Class;
 
   predicate start(Node start, Class cls) {
+    exists(Annotation ann |
+      ann = classTracker(cls).asExpr() and
+      start.asExpr() = ann.getAnnotatedExpression()
+    )
+    or
     resolveClassCall(start.(CallCfgNode).asCfgNode(), cls)
     or
     // result of `super().__new__` as used in a `__new__` method implementation