Skip to content

Commit 66ddf3b

Browse files
committed
Remove unnecessary changenote for the hotfix
1 parent 1af9609 commit 66ddf3b

2 files changed

Lines changed: 11 additions & 13 deletions

File tree

python/ql/lib/CHANGELOG.md

Lines changed: 11 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,6 @@
77

88
### Minor Analysis Improvements
99

10-
- Temporarily disabled the `instanceFieldStep` disjunct of the internal `TypeTrackingInput::levelStepCall` predicate, which was introduced in 7.2.0 and caused catastrophic query slowdowns on some OOP-heavy Python codebases (e.g. `mypy` and `dask`).
1110
* Python type tracking now follows values stored in instance attributes such as `self.attr` across instance methods, including across a class hierarchy (for example, a value stored on `self.attr` in a base class and read in a subclass, or vice versa). As a result, analysis is more likely to recognize user-defined objects that are stored on `self` and used later in other methods, which may produce additional results.
1211
* Simplified the internal predicates that detect `@staticmethod`, `@classmethod` and `@property` decorators to match the decorator's AST `Name` directly, rather than going through the CFG and requiring the name to resolve globally. Code that shadows these three builtin decorators at the module-scope will now be classified by the decorator name alone; in practice, shadowing these names is extremely rare and the call-graph results are unchanged.
1312
* Python taint tracking is now more precise for values flowing through container contents, such as list, set, tuple, and dictionary elements. This may remove some false positive alerts.
@@ -71,7 +70,7 @@ No user-facing changes.
7170

7271
### Minor Analysis Improvements
7372

74-
* Added new full SSRF sanitization barrier from the new AntiSSRF library.
73+
* Added new full SSRF sanitization barrier from the new AntiSSRF library.
7574
* When a guard such as `isSafe(x)` is defined, we now also automatically handle `isSafe(x) == true` and `isSafe(x) != false`.
7675

7776
## 6.1.1
@@ -170,7 +169,7 @@ No user-facing changes.
170169
### Minor Analysis Improvements
171170

172171
- The modelling of Psycopg2 now supports the use of `psycopg2.pool` connection pools for handling database connections.
173-
* Removed `lxml` as an XML bomb sink. The underlying libxml2 library now includes [entity reference loop detection](https://github.com/lxml/lxml/blob/f33ac2c2f5f9c4c4c1fc47f363be96db308f2fa6/doc/FAQ.txt#L1077) that prevents XML bomb attacks.
172+
* Removed `lxml` as an XML bomb sink. The underlying libxml2 library now includes [entity reference loop detection](https://github.com/lxml/lxml/blob/f33ac2c2f5f9c4c4c1fc47f363be96db308f2fa6/doc/FAQ.txt#L1077) that prevents XML bomb attacks.
174173

175174
## 4.0.13
176175

@@ -263,7 +262,7 @@ No user-facing changes.
263262
### Minor Analysis Improvements
264263

265264
* The sensitive data library has been improved so that `snake_case` style variable names are recognized more reliably. This may result in more sensitive data being identified, and more results from queries that use the sensitive data library.
266-
- Additional taint steps through methods of `lxml.etree.Element` and `lxml.etree.ElementTree` objects from the `lxml` PyPI package have been modeled.
265+
- Additional taint steps through methods of `lxml.etree.Element` and `lxml.etree.ElementTree` objects from the `lxml` PyPI package have been modeled.
267266

268267
## 3.1.0
269268

@@ -317,7 +316,7 @@ No user-facing changes.
317316

318317
### Minor Analysis Improvements
319318

320-
* The common sanitizer guard `StringConstCompareBarrier` has been renamed to `ConstCompareBarrier` and expanded to cover comparisons with other constant values such as `None`. This may result in fewer false positive results for several queries.
319+
* The common sanitizer guard `StringConstCompareBarrier` has been renamed to `ConstCompareBarrier` and expanded to cover comparisons with other constant values such as `None`. This may result in fewer false positive results for several queries.
321320

322321
## 2.0.0
323322

@@ -546,7 +545,7 @@ No user-facing changes.
546545

547546
### New Features
548547

549-
* The `DataFlow::StateConfigSig` signature module has gained default implementations for `isBarrier/2` and `isAdditionalFlowStep/4`.
548+
* The `DataFlow::StateConfigSig` signature module has gained default implementations for `isBarrier/2` and `isAdditionalFlowStep/4`.
550549
Hence it is no longer needed to provide `none()` implementations of these predicates if they are not needed.
551550

552551
### Minor Analysis Improvements
@@ -573,7 +572,7 @@ No user-facing changes.
573572
* Deleted many deprecated predicates and classes with uppercase `API`, `HTTP`, `XSS`, `SQL`, etc. in their names. Use the PascalCased versions instead.
574573
* Deleted the deprecated `getName()` predicate from the `Container` class, use `getAbsolutePath()` instead.
575574
* Deleted many deprecated module names that started with a lowercase letter, use the versions that start with an uppercase letter instead.
576-
* Deleted many deprecated predicates in `PointsTo.qll`.
575+
* Deleted many deprecated predicates in `PointsTo.qll`.
577576
* Deleted many deprecated files from the `semmle.python.security` package.
578577
* Deleted the deprecated `BottleRoutePointToExtension` class from `Extensions.qll`.
579578
* Type tracking is now aware of flow summaries. This leads to a richer API graph, and may lead to more results in some queries.
@@ -730,7 +729,7 @@ No user-facing changes.
730729
### Deprecated APIs
731730

732731
* Some unused predicates in `SsaDefinitions.qll`, `TObject.qll`, `protocols.qll`, and the `pointsto/` folder have been deprecated.
733-
* Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
732+
* Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
734733
The old name still exists as a deprecated alias.
735734

736735
### Minor Analysis Improvements
@@ -749,9 +748,9 @@ No user-facing changes.
749748

750749
### Deprecated APIs
751750

752-
* Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
751+
* Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
753752
The old name still exists as a deprecated alias.
754-
* The utility files previously in the `semmle.python.security.performance` package have been moved to the `semmle.python.security.regexp` package.
753+
* The utility files previously in the `semmle.python.security.performance` package have been moved to the `semmle.python.security.regexp` package.
755754
The previous files still exist as deprecated aliases.
756755

757756
### Minor Analysis Improvements
@@ -844,9 +843,9 @@ No user-facing changes.
844843

845844
### Deprecated APIs
846845

847-
* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide.
846+
* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide.
848847
The old name still exists as a deprecated alias.
849-
* Some modules that started with a lowercase letter have been renamed to follow our style-guide.
848+
* Some modules that started with a lowercase letter have been renamed to follow our style-guide.
850849
The old name still exists as a deprecated alias.
851850

852851
### New Features

python/ql/lib/change-notes/released/7.2.0.md

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,6 @@
77

88
### Minor Analysis Improvements
99

10-
- Temporarily disabled the `instanceFieldStep` disjunct of the internal `TypeTrackingInput::levelStepCall` predicate, which was introduced in 7.2.0 and caused catastrophic query slowdowns on some OOP-heavy Python codebases (e.g. `mypy` and `dask`).
1110
* Python type tracking now follows values stored in instance attributes such as `self.attr` across instance methods, including across a class hierarchy (for example, a value stored on `self.attr` in a base class and read in a subclass, or vice versa). As a result, analysis is more likely to recognize user-defined objects that are stored on `self` and used later in other methods, which may produce additional results.
1211
* Simplified the internal predicates that detect `@staticmethod`, `@classmethod` and `@property` decorators to match the decorator's AST `Name` directly, rather than going through the CFG and requiring the name to resolve globally. Code that shadows these three builtin decorators at the module-scope will now be classified by the decorator name alone; in practice, shadowing these names is extremely rare and the call-graph results are unchanged.
1312
* Python taint tracking is now more precise for values flowing through container contents, such as list, set, tuple, and dictionary elements. This may remove some false positive alerts.

0 commit comments

Comments
 (0)