Open
Description
Hi there,
thanks a stack for bringing LGTM to CodeQL. We used your kickstart template PR crate/crash#373 for making the transition happen on one of our Python repositories and wanted to report back about a potential false positive, after mitigating all other admonitions on our end before.
With kind regards,
Andreas.
Description of the false positive
`py/call-to-non-callable` is raised on decorated `__call__` magic methods.
Code samples or links to source code
```python
class FooBarCommand(Command):
    @noargs_command
    def __call__(self, cmd, *args, **kwargs):
        return f"{cmd}: foobar"
```
- There is a corresponding PR, including the offending code, in a repro repository: "Add `noargs_command` decorator to `__call__` magic method" (crate-workbench/codeql-evaluations#3).
URL to the alert on GitHub code scanning (optional)
- https://github.com/crate/crash/security/code-scanning/5
- https://github.com/crate-workbench/codeql-evaluations/security/code-scanning/1
Thoughts
I wonder if anything can be done about it, other than manually dismissing corresponding admonitions? Do you have any other suggestions on this matter?
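Added runtime reproducer (not part of the issue, the crash project, or CodeQL): the `Command` base and the `noargs_command` decorator below are constructed stand-ins, not the project's real definitions. It contrasts a decorator that wraps `__call__` in a new function, so instances stay invocable, with a constructed decorator that replaces `__call__` with a non-callable value, which is the genuine defect a call-to-non-callable check exists to catch.

```python
import functools
from typing import Any, Callable


class Command:
    """Constructed stand-in for the crash Command base class (hypothetical)."""


def noargs_command(func: Callable[..., Any]) -> Callable[..., Any]:
    """Hypothetical decorator standing in for crash's noargs_command.

    It returns a wrapper function, so the decorated __call__ remains callable
    and FooBarCommand instances can still be invoked at runtime.
    """
    @functools.wraps(func)
    def wrapper(self, cmd, *args, **kwargs):
        if args or kwargs:
            return f"{cmd}: takes no arguments"
        return func(self, cmd)
    return wrapper


class FooBarCommand(Command):
    @noargs_command
    def __call__(self, cmd, *args, **kwargs):
        return f"{cmd}: foobar"


def broken_decorator(func: Callable[..., Any]) -> str:
    """Constructed counter-example: replaces the method with a plain string,
    so calling an instance genuinely fails. This is what the query is for."""
    return func.__name__


class BrokenCommand(Command):
    @broken_decorator
    def __call__(self, cmd, *args, **kwargs):
        return f"{cmd}: never reached"


def invoke(command: Command, cmd: str, *args: Any) -> tuple:
    """Call an instance and return (result, error_type_name)."""
    try:
        return command(cmd, *args), None
    except TypeError as exc:
        return None, type(exc).__name__


if __name__ == "__main__":
    print(invoke(FooBarCommand(), "test"))   # ('test: foobar', None)
    print(invoke(BrokenCommand(), "test"))   # (None, 'TypeError')
```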