Type-tracking-based modeling (Concepts, API graphs) misses values stored in a self attribute and read from another method. A typical symptom is a PEP 249 connection assigned to self._conn in one method not being recognized as a connection when used later, so downstream modeling such as SQL-execution sinks can be missed.

Changes

• TypeTrackingImpl.qll: Add localFieldStep, a no-call-graph type-tracking level step that models flow through self.attr across instance methods on the same class.
  • This complements the existing attribute store/read steps by relating writes to self.attr with later reads of the same attribute on the same class.
  • The step intentionally applies across instance methods in general, not just __init__, matching the existing instance-insensitive and order-insensitive treatment used for similar field tracking in Ruby and JavaScript.
• hdbcli/pep249.py: Add regression coverage for a connection stored in self._conn and used both directly and via a getter.
• attribute_tests.py: Update expectations to reflect tracking from values stored on self into later self.foo reads inside instance methods, while leaving external instance.foo reads unchanged.
• Experimental call-graph tests: Update inline expectations and the corresponding .expected file to reflect the improved type-tracker results.
• Change note: Add a Python library change note describing the additional analysis coverage.

Notes for reviewers

• The new step is deliberately an over-approximation for instance attributes on the same class; it does not distinguish different instances and does not require a write to be ordered before a read.
• External attribute reads such as instance.foo are still not modeled by this change.

Original prompt

This test has missing alerts when the object returned by connect() is stored in a class field (attribute). I believe the problem lies in execute(DataFlow::TypeTracker t). Investigate. This could be a missing step in type tracking, in which case we should fix it in general. There should be a store step into the attribute _conn in init (see attributeStoreStep in python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll) and then a read step from that attribute in get_connection (see attributeReadStep in python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll). Another option is that we are misusing type tracking in this case. Please investigate and explain the cause to me, with suggestions for how to fix.

The user has attached the following file paths as relevant context:

• python/ql/test/library-tests/frameworks/hdbcli/pep249.py
• python/ql/lib/semmle/python/frameworks/PEP249.qll
• .github/instructions/ql-files.instructions.md