Python: Remove flow through stdlib

This means tests can pass on any machine now 👍

Author: RasmusWL

python/ql/src/experimental/Security/CWE-287-ConstantSecretKey/WebAppConstantSecretKey.ql

@@ -33,6 +33,8 @@ module WebAppConstantSecretKeyConfig implements DataFlow::StateConfigSig {
     state = Django() and DjangoConstantSecretKeyConfig::isSource(source)
   }
 
+  predicate isBarrier(DataFlow::Node node) { node.getLocation().getFile().inStdlib() }
+
   predicate isSink(DataFlow::Node sink, FlowState state) {
     state = Flask() and FlaskConstantSecretKeyConfig::isSink(sink)
     or

python/ql/test/experimental/query-tests/Security/CWE-287-ConstantSecretKey/ConstantSecretKey.expected

@@ -12,10 +12,7 @@ edges
 | config.py:12:18:12:26 | ControlFlowNode for aConstant | config.py:18:43:18:51 | ControlFlowNode for aConstant |
 | config.py:17:38:17:46 | ControlFlowNode for aConstant | config.py:17:18:17:47 | ControlFlowNode for Attribute() |
 | config.py:17:38:17:46 | ControlFlowNode for aConstant | config.py:18:43:18:51 | ControlFlowNode for aConstant |
-| config.py:17:38:17:46 | ControlFlowNode for aConstant | file:///usr/lib/python3.8/os.py:766:17:766:23 | ControlFlowNode for default |
 | config.py:18:43:18:51 | ControlFlowNode for aConstant | config.py:18:18:18:52 | ControlFlowNode for Attribute() |
-| file:///usr/lib/python3.8/os.py:766:17:766:23 | ControlFlowNode for default | file:///usr/lib/python3.8/os.py:770:29:770:35 | ControlFlowNode for default |
-| file:///usr/lib/python3.8/os.py:770:29:770:35 | ControlFlowNode for default | file:///usr/lib/python3.8/os.py:770:12:770:36 | ControlFlowNode for Attribute() |
 nodes
 | app_safe.py:5:28:5:37 | ControlFlowNode for Str | semmle.label | ControlFlowNode for Str |
 | app_unsafe.py:4:13:4:23 | ControlFlowNode for Str | semmle.label | ControlFlowNode for Str |
@@ -26,32 +23,20 @@ nodes
 | config2.py:5:14:5:24 | ControlFlowNode for Str | semmle.label | ControlFlowNode for Str |
 | config.py:7:1:7:9 | GSSA Variable aConstant | semmle.label | GSSA Variable aConstant |
 | config.py:7:13:7:23 | ControlFlowNode for Str | semmle.label | ControlFlowNode for Str |
-| config.py:11:18:11:38 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
 | config.py:12:18:12:26 | ControlFlowNode for aConstant | semmle.label | ControlFlowNode for aConstant |
 | config.py:12:18:12:26 | ControlFlowNode for aConstant | semmle.label | ControlFlowNode for aConstant |
-| config.py:13:18:13:36 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
-| config.py:14:18:14:41 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
 | config.py:17:18:17:47 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
 | config.py:17:38:17:46 | ControlFlowNode for aConstant | semmle.label | ControlFlowNode for aConstant |
 | config.py:18:18:18:52 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
 | config.py:18:43:18:51 | ControlFlowNode for aConstant | semmle.label | ControlFlowNode for aConstant |
-| config.py:19:18:19:37 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
-| file:///usr/lib/python3.8/os.py:766:17:766:23 | ControlFlowNode for default | semmle.label | ControlFlowNode for default |
-| file:///usr/lib/python3.8/os.py:770:12:770:36 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
-| file:///usr/lib/python3.8/os.py:770:29:770:35 | ControlFlowNode for default | semmle.label | ControlFlowNode for default |
 subpaths
-| config.py:17:38:17:46 | ControlFlowNode for aConstant | file:///usr/lib/python3.8/os.py:766:17:766:23 | ControlFlowNode for default | file:///usr/lib/python3.8/os.py:770:12:770:36 | ControlFlowNode for Attribute() | config.py:17:18:17:47 | ControlFlowNode for Attribute() |
 #select
 | app_safe.py:5:28:5:37 | ControlFlowNode for Str | app_safe.py:5:28:5:37 | ControlFlowNode for Str | app_safe.py:5:28:5:37 | ControlFlowNode for Str | The SECRET_KEY config variable is assigned by $@. | app_safe.py:5:28:5:37 | ControlFlowNode for Str |  this constant String |
 | app_unsafe.py:5:28:5:36 | ControlFlowNode for aConstant | app_unsafe.py:4:13:4:23 | ControlFlowNode for Str | app_unsafe.py:5:28:5:36 | ControlFlowNode for aConstant | The SECRET_KEY config variable is assigned by $@. | app_unsafe.py:4:13:4:23 | ControlFlowNode for Str |  this constant String |
 | app_unsafe.py:6:18:6:26 | ControlFlowNode for aConstant | app_unsafe.py:4:13:4:23 | ControlFlowNode for Str | app_unsafe.py:6:18:6:26 | ControlFlowNode for aConstant | The SECRET_KEY config variable is assigned by $@. | app_unsafe.py:4:13:4:23 | ControlFlowNode for Str |  this constant String |
 | app_unsafe.py:7:30:7:38 | ControlFlowNode for aConstant | app_unsafe.py:4:13:4:23 | ControlFlowNode for Str | app_unsafe.py:7:30:7:38 | ControlFlowNode for aConstant | The SECRET_KEY config variable is assigned by $@. | app_unsafe.py:4:13:4:23 | ControlFlowNode for Str |  this constant String |
 | app_unsafe.py:8:36:8:44 | ControlFlowNode for aConstant | app_unsafe.py:4:13:4:23 | ControlFlowNode for Str | app_unsafe.py:8:36:8:44 | ControlFlowNode for aConstant | The SECRET_KEY config variable is assigned by $@. | app_unsafe.py:4:13:4:23 | ControlFlowNode for Str |  this constant String |
 | config2.py:5:14:5:24 | ControlFlowNode for Str | config2.py:5:14:5:24 | ControlFlowNode for Str | config2.py:5:14:5:24 | ControlFlowNode for Str | The SECRET_KEY config variable is assigned by $@. | config2.py:5:14:5:24 | ControlFlowNode for Str |  this constant String |
-| config.py:11:18:11:38 | ControlFlowNode for Attribute() | config.py:11:18:11:38 | ControlFlowNode for Attribute() | config.py:11:18:11:38 | ControlFlowNode for Attribute() | The SECRET_KEY config variable is assigned by $@. | config.py:11:18:11:38 | ControlFlowNode for Attribute() |  this constant String |
 | config.py:12:18:12:26 | ControlFlowNode for aConstant | config.py:7:13:7:23 | ControlFlowNode for Str | config.py:12:18:12:26 | ControlFlowNode for aConstant | The SECRET_KEY config variable is assigned by $@. | config.py:7:13:7:23 | ControlFlowNode for Str |  this constant String |
-| config.py:13:18:13:36 | ControlFlowNode for Attribute() | config.py:13:18:13:36 | ControlFlowNode for Attribute() | config.py:13:18:13:36 | ControlFlowNode for Attribute() | The SECRET_KEY config variable is assigned by $@. | config.py:13:18:13:36 | ControlFlowNode for Attribute() |  this constant String |
-| config.py:14:18:14:41 | ControlFlowNode for Attribute() | config.py:14:18:14:41 | ControlFlowNode for Attribute() | config.py:14:18:14:41 | ControlFlowNode for Attribute() | The SECRET_KEY config variable is assigned by $@. | config.py:14:18:14:41 | ControlFlowNode for Attribute() |  this constant String |
 | config.py:17:18:17:47 | ControlFlowNode for Attribute() | config.py:7:13:7:23 | ControlFlowNode for Str | config.py:17:18:17:47 | ControlFlowNode for Attribute() | The SECRET_KEY config variable is assigned by $@. | config.py:7:13:7:23 | ControlFlowNode for Str |  this constant String |
 | config.py:18:18:18:52 | ControlFlowNode for Attribute() | config.py:7:13:7:23 | ControlFlowNode for Str | config.py:18:18:18:52 | ControlFlowNode for Attribute() | The SECRET_KEY config variable is assigned by $@. | config.py:7:13:7:23 | ControlFlowNode for Str |  this constant String |
-| config.py:19:18:19:37 | ControlFlowNode for Subscript | config.py:19:18:19:37 | ControlFlowNode for Subscript | config.py:19:18:19:37 | ControlFlowNode for Subscript | The SECRET_KEY config variable is assigned by $@. | config.py:19:18:19:37 | ControlFlowNode for Subscript |  this constant String |