Python: Mixing implicit/explicit returns false positive #18521
Description
Description of the false positive
I am seeing a "Mixing implicit and explicit returns may indicate an error as implicit returns always return None." alert where the code actually always has a return.
In my interpretation of the alert, it seems that the issue is that CodeQL isn't considering the `case _:` in a match to be acting as a default case, so it believes that there should be a `return None` outside of the match.
Code samples or links to source code
I had to slightly redact the code but I believe that this is the same:
(ironically this is in a piece of code that processes codeql alerts, don't get confused 😄)
```python
def codeql_severity_conversion(self, security_severity, severity):
    match (security_severity, severity):
        case ("critical", _) | ("high", _) | ("low", _):
            return security_severity
        case ("medium", _):
            return "moderate"
        case (None, "error"):
            return "high"
        case (None, "warning"):
            return "moderate"
        case (None, "note") | (None, "none"):
            return "low"
        case _:
            return "high"
```
URL to the alert on GitHub code scanning (optional)
I'd rather not share the link outside the enterprise. The link to the rule in the alert is https://github.com/github/codeql/blob/d42788844f7ec0a6b9832140313cc2318e513987/python/ql/src/Functions/ConsistentReturns.ql