Update python/ql/src/meta/alerts/RemoteFlowSourcesReach.ql

Co-authored-by: Rasmus Wriedt Larsen <[email protected]>

Author: yoff

python/ql/src/meta/alerts/RemoteFlowSourcesReach.ql

@@ -31,9 +31,17 @@ class RemoteFlowSourceReach extends TaintTracking::Configuration {
       or
       this.isAdditionalFlowStep(_, node)
     ) and
-    // we used to do `obj -> obj.meth` and `obj.meth -> obj.meth()` in two separate
-    // steps, and now do them in one `obj -> obj.meth()`. So we're going to ignore the
-    // fact that we no longer taint the node in the middle.
+    // In september 2021 we changed how we do taint-propagation for method calls (mostly
+    // relating to modeled frameworks/libraries). We used to do `obj -> obj.meth` and
+    // `obj.meth -> obj.meth()` in two separate steps, and now do them in one
+    // `obj -> obj.meth()`. To be able to compare the overall reach between these two
+    // version, we don't want this query to alert us to the fact that we no longer taint
+    // the node in the middle (since that is just noise).
+    // see https://github.com/github/codeql/pull/6349
+    //
+    // We should be able to remove the following few lines of code once we don't care to
+    // compare with the old (before September 2021) way of doing taint-propagation for
+    // method calls.
     not exists(DataFlow::MethodCallNode c |
       node = c.getFunction() and
       this.isAdditionalFlowStep(c.getObject(), node) and