codeanalyzer-python 0.1.13__py3-none-any.whl → 0.1.14__py3-none-any.whl

codeanalyzer/semantic_analysis/codeql/codeql_analysis.py

@@ -20,13 +20,16 @@ This module provides functionality to create and manage CodeQL databases
 for Python projects and execute queries against them.
 """
 
+from collections import Counter
 from pathlib import Path
-from typing import Union
+from typing import Any, Dict, Iterator, List, Tuple, Union
 
-from networkx import DiGraph
 from pandas import DataFrame
 
+from codeanalyzer.schema.py_schema import PyCallEdge, PyModule
+from codeanalyzer.semantic_analysis.call_graph import iter_callables_in_symbol_table
 from codeanalyzer.semantic_analysis.codeql.codeql_query_runner import CodeQLQueryRunner
+from codeanalyzer.utils import logger
 
 
 class CodeQL:
@@ -40,94 +43,258 @@ class CodeQL:
         temp_db (TemporaryDirectory or None): The temporary directory object if a temporary database was created.
     """
 
-    def __init__(self, project_dir: Union[str, Path], db_path: Path) -> None:
+    def __init__(
+        self,
+        project_dir: Union[str, Path],
+        db_path: Path,
+        codeql_bin: Union[str, Path, None] = None,
+        codeql_packs_dir: Union[str, Path, None] = None,
+    ) -> None:
         self.project_dir = project_dir
         self.db_path = db_path
+        self.codeql_bin = codeql_bin
+        self.codeql_packs_dir = codeql_packs_dir
+        self._cached_df: "DataFrame | None" = None
 
-    def _build_call_graph(self) -> DiGraph:
-        """Builds the call graph of the application.
+    def _query_call_edges(self) -> DataFrame:
+        """Runs the CodeQL query that emits one row per resolved call site.
 
-        Returns:
-            DiGraph: A directed graph representing the call graph of the application.
-        """
-        query = []
+        The query is written against CodeQL's Python library (``import python``).
+        It returns physical location handles for both endpoints so the
+        downstream post-processor can join into Jedi's existing
+        ``PyCallable.signature`` space via ``(file_path, start_line)`` —
+        no signature normalization required.
 
-        # Add import
-        query += ["import python"]
+        Filters:
+          * Caller must be a ``Function`` (skip module-level / class-body
+            calls — they have no ``PyCallable`` to anchor to).
+          * Callee may resolve to anything (in-source or library stub);
+            non-application callees become **ghost** nodes downstream so
+            RPC / third-party / framework edges are preserved.
 
-        # Add Call edges between caller and callee and filter to only capture application methods.
-        query += [
-            "from Method caller, Method callee",
+        Returns:
+            DataFrame: one row per resolved (caller, callee, call-site)
+            triple. Duplicate ``(caller_file, caller_start_line,
+            callee_file, callee_start_line)`` tuples represent multiple
+            call sites in the same caller targeting the same callee and
+            are coalesced into a single ``PyCallEdge`` (weight = count)
+            by the post-processor.
+        """
+        query = [
+            "/**",
+            " * @name Python call-graph edges",
+            " * @description One row per resolved call site: caller, callee,",
+            " *              and the call-expression location.",
+            " * @kind table",
+            " * @id py/codeanalyzer/call-graph-edges",
+            " */",
+            "import python",
+            # ``FunctionValue`` / ``ClassValue`` / the ``pointsTo`` predicate
+            # live in ObjectAPI, which ``import python`` only brings in as a
+            # private import — they aren't re-exported. Pull them in
+            # explicitly.
+            "import semmle.python.objects.ObjectAPI",
+            "",
+            # ``Value.getACall()`` is the modern call-resolution API in
+            # codeql/python-all 7.x — it returns the ``CallNode`` (CFG)
+            # whose target was resolved to that ``Value``. Cleaner than
+            # poking at ``pointsTo`` directly.
+            "from CallNode call, Function caller, FunctionValue calleeVal",
             "where",
-            "caller.fromSource() and",
-            "callee.fromSource() and",
-            "caller.calls(callee)",
+            "  call.getScope() = caller and",
+            "  (",
+            # Direct function / bound-method call:  foo()  or  obj.foo()
+            "    call = calleeVal.getACall()",
+            "    or",
+            # Constructor call:  A(...)  resolves to a ClassValue; the actual
+            # callee is the class's __init__ (via MRO lookup so subclasses
+            # without an explicit __init__ still resolve to the inherited one).
+            "    exists(ClassValue clsVal |",
+            "      call = clsVal.getACall() and",
+            '      clsVal.lookup("__init__") = calleeVal',
+            "    )",
+            "  )",
             "select",
+            # --- Caller endpoint --- (joins to PyCallable via file + start_line)
+            "  caller.getLocation().getFile().getAbsolutePath(),",
+            "  caller.getLocation().getStartLine(),",
+            "  caller.getQualifiedName(),",
+            # --- Callee endpoint --- (file/line may live in a library stub;
+            #     post-processor classifies as in-source or ghost)
+            "  calleeVal.getScope().getLocation().getFile().getAbsolutePath(),",
+            "  calleeVal.getScope().getLocation().getStartLine(),",
+            "  calleeVal.getQualifiedName(),",
+            # --- Call-site location --- (for PyCallsite augmentation)
+            "  call.getLocation().getStartLine(),",
+            "  call.getLocation().getStartColumn(),",
+            "  call.getLocation().getEndLine(),",
+            "  call.getLocation().getEndColumn()",
+            # ``is_constructor`` is derived in the post-processor by
+            # checking whether ``callee_qname`` ends in ``.__init__``;
+            # avoids QL's restrictive ``if-then-else`` typing here.
         ]
-
-        # Caller metadata
-        query += [
-            "caller.getFile().getAbsolutePath(),",
-            '"[" + caller.getBody().getLocation().getStartLine() + ", " + caller.getBody().getLocation().getEndLine() + "]", //Caller body slice indices',
-            "caller.getQualifiedName(), // Caller's fullsignature",
-            "caller.getAModifier(), // caller's method modifier",
-            "caller.paramsString(), // caller's method parameter types",
-            "caller.getReturnType().toString(),  // Caller's return type",
-            "caller.getDeclaringType().getQualifiedName(), // Caller's class",
-            "caller.getDeclaringType().getAModifier(), // Caller's class modifier",
-        ]
-
-        # Callee metadata
-        query += [
-            "callee.getFile().getAbsolutePath(),",
-            '"[" + callee.getBody().getLocation().getStartLine() + ", " + callee.getBody().getLocation().getEndLine() + "]", //Caller body slice indices',
-            "callee.getQualifiedName(), // Caller's fullsignature",
-            "callee.getAModifier(), // callee's method modifier",
-            "callee.paramsString(), // callee's method parameter types",
-            "callee.getReturnType().toString(),  // Caller's return type",
-            "callee.getDeclaringType().getQualifiedName(), // Caller's class",
-            "callee.getDeclaringType().getAModifier() // Caller's class modifier",
-        ]
+        if self._cached_df is not None:
+            return self._cached_df
 
         query_string = "\n".join(query)
 
-        # Execute the query using the CodeQLQueryRunner context manager
-        with CodeQLQueryRunner(self.db_path) as query:
-            query_result: DataFrame = query.execute(
+        with CodeQLQueryRunner(
+            self.db_path,
+            codeql_bin=self.codeql_bin,
+            codeql_packs_dir=self.codeql_packs_dir,
+        ) as runner:
+            df: DataFrame = runner.execute(
                 query_string,
                 column_names=[
-                    # Caller Columns
                     "caller_file",
-                    "caller_body_slice_index",
-                    "caller_signature",
-                    "caller_modifier",
-                    "caller_params",
-                    "caller_return_type",
-                    "caller_class_signature",
-                    "caller_class_modifier",
-                    # Callee Columns
+                    "caller_start_line",
+                    "caller_qname",
                     "callee_file",
-                    "callee_body_slice_index",
-                    "callee_signature",
-                    "callee_modifier",
-                    "callee_params",
-                    "callee_return_type",
-                    "callee_class_signature",
-                    "callee_class_modifier",
+                    "callee_start_line",
+                    "callee_qname",
+                    "call_start_line",
+                    "call_start_column",
+                    "call_end_line",
+                    "call_end_column",
                 ],
             )
-
-        # Process the query results into JMethod instances
-        callgraph: DiGraph = self.__process_call_edges_to_callgraph(query_result)
-        return callgraph
+        self._cached_df = df
+        return df
 
     @staticmethod
-    def __process_call_edges_to_callgraph(query_result: DataFrame) -> DiGraph:
-        """Processes call edges from query results into a call graph.
+    def _build_callable_location_index(
+        symbol_table: Dict[str, PyModule],
+    ) -> Dict[Tuple[str, int], "PyCallable"]:
+        """Build ``(absolute_file_path, start_line) -> PyCallable`` from Jedi.
+
+        Paths are resolved so they match CodeQL's ``getAbsolutePath()``
+        regardless of symlinks or the current working directory.
+        """
+        from codeanalyzer.schema.py_schema import PyCallable  # local to avoid cycle
+
+        index: Dict[Tuple[str, int], PyCallable] = {}
+        for c in iter_callables_in_symbol_table(symbol_table):
+            try:
+                abs_path = str(Path(c.path).resolve())
+            except (OSError, RuntimeError):
+                abs_path = c.path
+            index[(abs_path, c.start_line)] = c
+        return index
+
+    def _iter_resolved_rows(
+        self, symbol_table: Dict[str, PyModule]
+    ) -> "Iterator[Tuple[str, str, Any]]":
+        """Yield ``(source_sig, target_sig, row)`` for every CodeQL row.
+
+        Rows whose caller can't be matched to a ``PyCallable`` in the
+        symbol table are skipped. Callee misses fall back to
+        ``row.callee_qname`` (ghost). Used by both edge construction and
+        call-site augmentation so a single CodeQL query feeds both.
+        """
+        df = self._query_call_edges()
+        if df.empty:
+            return
+        location_index = self._build_callable_location_index(symbol_table)
+
+        skipped_unknown_caller = 0
+        ghost_callees = 0
+        for row in df.itertuples(index=False):
+            caller_key = (row.caller_file, int(row.caller_start_line))
+            caller = location_index.get(caller_key)
+            if caller is None:
+                skipped_unknown_caller += 1
+                continue
+
+            callee_key = (row.callee_file, int(row.callee_start_line))
+            callee = location_index.get(callee_key)
+            if callee is not None:
+                target_sig = callee.signature
+            else:
+                target_sig = row.callee_qname
+                ghost_callees += 1
 
-        Args:
-            query_result (DataFrame): The DataFrame containing call edge information.
+            yield caller.signature, target_sig, row
+
+        if skipped_unknown_caller:
+            logger.debug(
+                f"CodeQL: skipped {skipped_unknown_caller} rows whose caller "
+                f"was not in Jedi's symbol table."
+            )
+        if ghost_callees:
+            logger.debug(
+                f"CodeQL: {ghost_callees} rows resolved to ghost (external) callees."
+            )
+
+    def build_call_graph_edges(
+        self, symbol_table: Dict[str, PyModule]
+    ) -> List[PyCallEdge]:
+        """Run the CodeQL query and turn each row into a ``PyCallEdge``.
+
+        Edges are coalesced on ``(source, target)`` — ``weight`` is the
+        number of distinct call sites in the caller targeting the callee.
+        Provenance is always ``["codeql"]``; combine with Jedi-derived
+        edges via ``call_graph.merge_edges``.
+        """
+        edge_counts: Counter = Counter()
+        for source_sig, target_sig, _row in self._iter_resolved_rows(symbol_table):
+            edge_counts[(source_sig, target_sig)] += 1
+
+        return [
+            PyCallEdge(
+                source=src,
+                target=dst,
+                weight=count,
+                provenance=["codeql"],
+            )
+            for (src, dst), count in edge_counts.items()
+        ]
+
+    def augment_call_sites(self, symbol_table: Dict[str, PyModule]) -> int:
+        """Backfill ``PyCallsite.callee_signature`` using CodeQL resolution.
+
+        Walks every CodeQL row, locates the matching ``PyCallsite`` inside
+        the caller's ``PyCallable.call_sites`` by call-expression line range
+        (``start_line``, ``end_line``), and fills in ``callee_signature``
+        **only when Jedi left it empty**. Existing Jedi-resolved signatures
+        are kept (Jedi sees lexical context CodeQL can't, e.g. closures).
+
+        Match is by line range — column matching is brittle across the two
+        tools' 0- vs 1-based conventions. Ambiguity on a single line
+        (e.g. ``a.b().c()``) resolves to the first matching site, which is
+        an acceptable approximation given how rarely Jedi misses callees
+        on chained call lines.
 
         Returns:
-            DiGraph: A directed graph representing the call graph of the application.
+            Number of ``PyCallsite`` entries augmented.
         """
+        location_index = self._build_callable_location_index(symbol_table)
+        df = self._query_call_edges()
+        if df.empty:
+            return 0
+
+        augmented = 0
+        for row in df.itertuples(index=False):
+            caller_key = (row.caller_file, int(row.caller_start_line))
+            caller = location_index.get(caller_key)
+            if caller is None:
+                continue
+
+            callee_key = (row.callee_file, int(row.callee_start_line))
+            callee = location_index.get(callee_key)
+            resolved_sig = callee.signature if callee is not None else row.callee_qname
+
+            call_start = int(row.call_start_line)
+            call_end = int(row.call_end_line)
+            for site in caller.call_sites:
+                if site.start_line != call_start or site.end_line != call_end:
+                    continue
+                if not site.callee_signature:
+                    site.callee_signature = resolved_sig
+                    augmented += 1
+                break
+
+        if augmented:
+            logger.debug(
+                f"CodeQL: augmented {augmented} PyCallsite.callee_signature entries."
+            )
+        return augmented

codeanalyzer/semantic_analysis/codeql/codeql_loader.py

@@ -1,4 +1,6 @@
+import os
 import platform
+import stat
 import zipfile
 from pathlib import Path
 
@@ -52,12 +54,38 @@ class CodeQLLoader:
         extract_dir = temp_dir / filename.replace(".zip", "")
         extract_dir.mkdir(exist_ok=True)
 
-        print(f"Extracting CodeQL CLI to {extract_dir}")
+        logger.info(f"Extracting CodeQL CLI to {extract_dir}")
+        # zipfile.extractall drops Unix permissions (the executable bit), so
+        # we extract entries manually and copy each one's stored mode onto
+        # the file system. Without this, the CodeQL launcher script can't
+        # be executed and the next subprocess.Popen raises PermissionError.
         with zipfile.ZipFile(archive_path, "r") as zip_ref:
-            zip_ref.extractall(extract_dir)
+            for info in zip_ref.infolist():
+                extracted_path = zip_ref.extract(info, extract_dir)
+                stored_mode = info.external_attr >> 16
+                if stored_mode:
+                    os.chmod(extracted_path, stored_mode)
 
-        codeql_bin = next(extract_dir.rglob("codeql"), None)
-        if not codeql_bin or not codeql_bin.exists():
+        # Archive is no longer needed once extracted.
+        try:
+            archive_path.unlink()
+        except OSError as exc:
+            logger.warning(f"Could not remove CodeQL archive {archive_path}: {exc}")
+
+        # rglob("codeql") returns both the launcher file *and* an internal
+        # directory of the same name (CodeQL ships its own runtime under
+        # ``codeql/codeql/``); insist on a regular file so we never bind to
+        # the directory.
+        codeql_bin = next(
+            (p for p in extract_dir.rglob("codeql") if p.is_file()),
+            None,
+        )
+        if not codeql_bin:
             raise FileNotFoundError("CodeQL binary not found in extracted contents.")
 
+        # Belt-and-suspenders: ensure the binary is executable even if the
+        # archive entry's mode was zero (some older zip producers omit it).
+        st = codeql_bin.stat()
+        codeql_bin.chmod(st.st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
+
         return codeql_bin.resolve()

codeanalyzer/semantic_analysis/codeql/codeql_query_runner.py

@@ -40,9 +40,13 @@ class CodeQLQueryRunner:
 
     Args:
         database_path (str): The path to the CodeQL database.
+        codeql_bin (str | Path | None): Absolute path to the CodeQL CLI
+            binary. When ``None``, falls back to whatever ``codeql`` is on
+            ``PATH``.
 
     Attributes:
         database_path (Path): The path to the CodeQL database.
+        codeql_bin (str): Resolved binary path or the literal ``"codeql"``.
         temp_file_path (Path): The path to the temporary query file.
         csv_output_file (Path): The path to the CSV output file.
         temp_bqrs_file_path (Path): The path to the temporary bqrs file.
@@ -52,39 +56,46 @@ class CodeQLQueryRunner:
         CodeQLQueryExecutionException: If there is an error executing the query.
     """
 
-    def __init__(self, database_path: str):
+    def __init__(self, database_path: str, codeql_bin=None, codeql_packs_dir=None):
         self.database_path: Path = Path(database_path)
+        self.codeql_bin: str = str(codeql_bin) if codeql_bin else "codeql"
+        self.codeql_packs_dir = (
+            Path(codeql_packs_dir) if codeql_packs_dir is not None else None
+        )
         self.temp_file_path: Path = None
 
     def __enter__(self):
-        """Context entry that creates temporary files to execute a CodeQL query.
-
-        Returns:
-            CodeQLQueryRunner: The instance of the class.
-
-        Note:
-            This method creates temporary files to hold the query and store their paths.
+        """Context entry that prepares paths to execute a CodeQL query.
+
+        The ``.ql`` file is written **inside the prepared qlpack
+        directory** (``codeql_packs_dir``) so ``import python`` resolves
+        against that pack's installed dependencies — no
+        ``--additional-packs`` or ``--search-path`` needed. The CSV /
+        BQRS output files live in ``tempfile`` because they're transient
+        per-query artifacts.
         """
-
-        # Create a temporary file to hold the query and store its path
-        temp_file = tempfile.NamedTemporaryFile("w", delete=False, suffix=".ql")
+        # CSV and BQRS files are transient per-query — fine in /tmp.
         csv_file = tempfile.NamedTemporaryFile("w", delete=False, suffix=".csv")
         bqrs_file = tempfile.NamedTemporaryFile("w", delete=False, suffix=".bqrs")
-        self.temp_file_path = Path(temp_file.name)
         self.csv_output_file = Path(csv_file.name)
         self.temp_bqrs_file_path = Path(bqrs_file.name)
-
-        # Let's close the files, we'll reopen them by path when needed.
-        temp_file.close()
-        bqrs_file.close()
         csv_file.close()
+        bqrs_file.close()
 
-        # Create a temporary qlpack.yml file
-        self.temp_qlpack_file = self.temp_file_path.parent / "qlpack.yml"
-        with self.temp_qlpack_file.open("w") as f:
-            f.write("name: temp\n")
-            f.write("version: 1.0.0\n")
-            f.write("libraryPathDependencies: codeql/java-all\n")
+        # The .ql file MUST live inside the prepared qlpack so its
+        # ``import python`` resolves via that pack's lock file. Writing
+        # outside the pack means CodeQL falls back to a default
+        # search-path that doesn't include downloaded library packs.
+        if self.codeql_packs_dir is None:
+            raise RuntimeError(
+                "CodeQLQueryRunner requires codeql_packs_dir — the directory "
+                "of an installed qlpack that depends on codeql/python-all."
+            )
+        ql_file = tempfile.NamedTemporaryFile(
+            "w", delete=False, suffix=".ql", dir=str(self.codeql_packs_dir)
+        )
+        self.temp_file_path = Path(ql_file.name)
+        ql_file.close()
 
         return self
 
@@ -108,32 +119,41 @@ class CodeQLQueryRunner:
         # Write the query to the temp file so we can execute it.
         self.temp_file_path.write_text(query_string)
 
-        # Construct and execute the CodeQL CLI command asking for a JSON output.
+        # The .ql file sits inside the qlpack directory whose lock file
+        # already resolves ``codeql/python-all`` and its transitive
+        # dependencies. ``codeql query run`` auto-discovers the enclosing
+        # qlpack — no extra flags required.
         codeql_query_cmd = shlex.split(
-            f"codeql query run {self.temp_file_path} --database={self.database_path} --output={self.temp_bqrs_file_path}",
+            f"{shlex.quote(self.codeql_bin)} query run {self.temp_file_path} "
+            f"--database={self.database_path} "
+            f"--output={self.temp_bqrs_file_path}",
             posix=False,
         )
 
-        call = subprocess.Popen(codeql_query_cmd, stdout=None, stderr=None)
+        call = subprocess.Popen(
+            codeql_query_cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE
+        )
         _, err = call.communicate()
         if call.returncode != 0:
             raise CodeQLExceptions.CodeQLQueryExecutionException(
-                f"Error executing query: {err.stderr}"
+                f"Error executing query: {(err or b'').decode(errors='replace')}"
             )
 
         # Convert the bqrs file to a CSV file
         bqrs2csv_command = shlex.split(
-            f"codeql bqrs decode --format=csv --output={self.csv_output_file} {self.temp_bqrs_file_path}",
+            f"{shlex.quote(self.codeql_bin)} bqrs decode --format=csv --output={self.csv_output_file} {self.temp_bqrs_file_path}",
             posix=False,
         )
 
         # Read the CSV file content and cast it to a DataFrame
 
-        call = subprocess.Popen(bqrs2csv_command, stdout=None, stderr=None)
+        call = subprocess.Popen(
+            bqrs2csv_command, stdout=subprocess.PIPE, stderr=subprocess.PIPE
+        )
         _, err = call.communicate()
         if call.returncode != 0:
             raise CodeQLExceptions.CodeQLQueryExecutionException(
-                f"Error executing query: {err.stderr}"
+                f"Error decoding bqrs: {(err or b'').decode(errors='replace')}"
             )
         else:
             return pd.read_csv(
@@ -161,5 +181,5 @@ class CodeQLQueryRunner:
         if self.csv_output_file and self.csv_output_file.exists():
             self.csv_output_file.unlink()
 
-        if self.temp_qlpack_file and self.temp_qlpack_file.exists():
-            self.temp_qlpack_file.unlink()
+        if self.temp_bqrs_file_path and self.temp_bqrs_file_path.exists():
+            self.temp_bqrs_file_path.unlink()

codeanalyzer/syntactic_analysis/symbol_table_builder.py

@@ -4,7 +4,7 @@ import tokenize
 from ast import AST, ClassDef
 from io import StringIO
 from pathlib import Path
-from typing import Dict, List, Optional, Union
+from typing import Dict, List, Optional, Tuple, Union
 
 import jedi
 from jedi.api import Script
@@ -71,6 +71,32 @@ class SymbolTableBuilder:
             pass
         return None
 
+    @staticmethod
+    def _infer_callee(
+        script: Script, line: int, column: int
+    ) -> Tuple[Optional[str], bool]:
+        """Infer ``(qualified_name, is_class)`` at a call expression.
+
+        When the callee resolves to a class (e.g. ``A()``), the qualified
+        name is normalized to ``<class>.__init__`` so it joins to the
+        ``PyCallable`` entry for the constructor in the symbol table —
+        classes themselves are not ``PyCallable``s, so without this
+        rewrite every constructor call would surface as a ghost node in
+        the call graph.
+        """
+        try:
+            definitions = script.infer(line=line, column=column)
+            if not definitions:
+                return None, False
+            d = definitions[0]
+            is_class = (d.type == "class")
+            full = d.full_name
+            if is_class and full:
+                full = f"{full}.__init__"
+            return full, is_class
+        except Exception:
+            return None, False
+
     def build_pymodule_from_file(self, py_file: Path) -> PyModule:
         """Builds a PyModule from a Python file.
 
@@ -485,6 +511,63 @@ class SymbolTableBuilder:
                 symbols.append(symbol)
         return symbols
 
+    @staticmethod
+    def _iter_calls_in_scope(fn_node: ast.AST):
+        """Yield ``ast.Call`` nodes belonging to ``fn_node``'s own scope.
+
+        Naive ``ast.walk`` descends into nested ``FunctionDef`` / ``ClassDef``
+        bodies, attributing their calls to the outer function — wrong, since
+        those nested definitions have their own ``PyCallable`` entries
+        (built recursively by ``_callables``/``_add_class``) and own
+        ``call_sites`` lists.
+
+        Decorators, default arguments, return-type annotations, base
+        classes and class-level keyword args ARE evaluated in the
+        enclosing scope, so calls in those subtrees stay attributed to
+        ``fn_node``. Bodies of nested defs/classes are skipped. Lambdas,
+        comprehensions and inline conditionals don't get their own
+        ``PyCallable`` so their internals stay attributed to the enclosing
+        function.
+        """
+
+        def walk(node: ast.AST):
+            if isinstance(node, ast.Call):
+                yield node
+
+            if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
+                # Decorators, defaults, return annotations run in
+                # enclosing scope. Body and arg names run in inner scope.
+                for dec in node.decorator_list:
+                    yield from walk(dec)
+                for default in node.args.defaults:
+                    yield from walk(default)
+                for default in node.args.kw_defaults:
+                    if default is not None:
+                        yield from walk(default)
+                if node.returns is not None:
+                    yield from walk(node.returns)
+                return
+
+            if isinstance(node, ast.ClassDef):
+                # Decorators, bases, and keyword args run in enclosing scope.
+                # Body runs in class scope.
+                for dec in node.decorator_list:
+                    yield from walk(dec)
+                for base in node.bases:
+                    yield from walk(base)
+                for kw in node.keywords:
+                    yield from walk(kw.value)
+                return
+
+            for child in ast.iter_child_nodes(node):
+                yield from walk(child)
+
+        for stmt in getattr(fn_node, "body", []):
+            yield from walk(stmt)
+        # Decorators / defaults / returns of fn_node itself are evaluated
+        # in the ENCLOSING scope, so they belong to fn_node's parent, not
+        # fn_node. Don't yield them here.
+
     def _call_sites(self, fn_node: ast.FunctionDef, script: Script) -> List[PyCallsite]:
         """
         Finds all call sites made from within the function using Jedi for type inference.
@@ -498,14 +581,14 @@ class SymbolTableBuilder:
         """
         call_sites: List[PyCallsite] = []
 
-        for node in ast.walk(fn_node):
+        for node in self._iter_calls_in_scope(fn_node):
             if not isinstance(node, ast.Call):
                 continue
 
             func_expr = node.func
 
             method_name = "<unknown>"
-            callee_signature = self._infer_qualified_name(
+            callee_signature, is_constructor = self._infer_callee(
                 script, node.lineno, node.col_offset
             )
             return_type = self._infer_type(script, node.lineno, node.col_offset)
@@ -535,7 +618,7 @@ class SymbolTableBuilder:
                 .argument_types(argument_types)
                 .return_type(return_type)
                 .callee_signature(callee_signature)
-                .is_constructor_call(method_name == "__init__")
+                .is_constructor_call(is_constructor)
                 .start_line(getattr(node, "lineno", -1))
                 .start_column(getattr(node, "col_offset", -1))
                 .end_line(getattr(node, "end_lineno", -1))