S610: false positive on unrelated method named extra

[nelsyeung]

main.py:

class A:
    def extra(self, foo): ...


A().extra(1)

> ruff --version
ruff 0.5.4

> ruff check main.py
main.py:5:10: S610 Use of Django `extra` can lead to SQL injection vulnerabilities
  |
5 | A().extra(1)
  |          ^^^ S610

See #1646 and #10316

[MichaReiser]

Thanks for reporting. Unfortunately, this is hard for ruff to get right at the moment without having type inference. But we're working on it.

[AlexWaygood]

I agree with @MichaReiser. I'd also note that erring on the side of false positives is probably the correct tradeoff when it comes to a security-related rule. I think you'd much rather have something be incorrectly flagged as a security issue than have some dangerous code accidentally slip through the net.

If you don't use django at all in your project, and the rule is causing false positives for you, I'd consider just switching the rule off for now in your Ruff configuration file.