From 8dff865c5745b8932b361d7ab530278ad851091c Mon Sep 17 00:00:00 2001 From: Stella Huang Date: Thu, 28 May 2026 14:09:29 -0700 Subject: [PATCH] Fix TSA #2816219: suppress Flawfinder false positive on Cython read-loop iterator Flawfinder's buffer/read rule (CWE-120, CWE-20) fires whenever an identifier named "read" appears inside a loop, assuming it refers to the POSIX read() syscall. The Cython 3.x ModuleStateLookup boilerplate in __Pyx_State_ConvertFromInterpIdAsIndex uses "read" as the name of a pointer iterator that walks data->table, bounded by end = read + data->count. There is no syscall and no unbounded buffer access -- this is a false positive. Add an inline /* Flawfinder: ignore */ annotation to the flagged line in the Cython-generated _pydevd_sys_monitoring_cython.c and extend the existing post-processing block in setup_pydevd_cython.py so the annotation is re-applied automatically whenever Cython regenerates the .c files. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .../_pydevd_sys_monitoring_cython.c | 2 +- src/debugpy/_vendored/pydevd/setup_pydevd_cython.py | 9 +++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/src/debugpy/_vendored/pydevd/_pydevd_sys_monitoring/_pydevd_sys_monitoring_cython.c b/src/debugpy/_vendored/pydevd/_pydevd_sys_monitoring/_pydevd_sys_monitoring_cython.c index 30b927110..389088c29 100644 --- a/src/debugpy/_vendored/pydevd/_pydevd_sys_monitoring/_pydevd_sys_monitoring_cython.c +++ b/src/debugpy/_vendored/pydevd/_pydevd_sys_monitoring/_pydevd_sys_monitoring_cython.c @@ -41994,7 +41994,7 @@ static void __Pyx_State_ConvertFromInterpIdAsIndex(__Pyx_ModuleStateLookupData * __Pyx_InterpreterIdAndModule *read = data->table; __Pyx_InterpreterIdAndModule *write = data->table; __Pyx_InterpreterIdAndModule *end = read + data->count; - for (; readmodule) { write->id = read->id; write->module = read->module; 
diff --git a/src/debugpy/_vendored/pydevd/setup_pydevd_cython.py b/src/debugpy/_vendored/pydevd/setup_pydevd_cython.py
index 14f73f4f8..8ec4c12a5 100644
--- a/src/debugpy/_vendored/pydevd/setup_pydevd_cython.py
+++ b/src/debugpy/_vendored/pydevd/setup_pydevd_cython.py
@@ -177,6 +177,15 @@ def build_extension(dir_name, extension_name, target_pydevd_name, force_cython,
 c_file_contents = c_file_contents.replace(r"_pydevd_bundle\\pydevd_cython.pxd", "_pydevd_bundle/pydevd_cython.pxd")
 c_file_contents = c_file_contents.replace(r"_pydevd_bundle\\pydevd_cython.pyx", "_pydevd_bundle/pydevd_cython.pyx")
+ # Suppress Flawfinder false positive (CWE-120/CWE-20) in the
+ # Cython 3.x ModuleStateLookup boilerplate (`__Pyx_State_ConvertFromInterpIdAsIndex`):
+ # `read` is a bounded pointer iterator (not POSIX read()), and the loop is
+ # guarded by `read < end` where `end = read + data->count`.
+ c_file_contents = c_file_contents.replace(
+ " for (; read