Python: Add note about incompleteness

yoff · yoff · commit 060481053a1b · 2020-10-21T15:15:19.000+02:00
I was going to do this in an issue, but it makes sense
to have it in the code. We could still add an issue as well.
diff --git a/python/ql/src/experimental/semmle/python/frameworks/Django.qll b/python/ql/src/experimental/semmle/python/frameworks/Django.qll
@@ -131,6 +131,12 @@ private module Django {
       /** Gets a reference to the `django.db.connection.cursor.execute` function. */
       DataFlow::Node execute() { result = execute(DataFlow::TypeTracker::end()) }
 
+      // -------------------------------------------------------------------------
+      // django.db.models
+      // -------------------------------------------------------------------------
+      // NOTE: The modelling of django models is currently fairly incomplete.
+      // It does not fully take `Model`s, `Manager`s, `and QuerySet`s into account.
+      // It simply identifies some common dangerous cases.
       /** Gets a reference to the `django.db.models` module. */
       private DataFlow::Node models(DataFlow::TypeTracker t) {
         t.start() and
