python/ql/lib/CHANGELOG.md
Lines changed: 11 additions & 12 deletions
@@ -7,7 +7,6 @@
7
7
8
8
### Minor Analysis Improvements
9
9
10
-
- Temporarily disabled the `instanceFieldStep` disjunct of the internal `TypeTrackingInput::levelStepCall` predicate, which was introduced in 7.2.0 and caused catastrophic query slowdowns on some OOP-heavy Python codebases (e.g. `mypy` and `dask`).
11
10
* Python type tracking now follows values stored in instance attributes such as `self.attr` across instance methods, including across a class hierarchy (for example, a value stored on `self.attr` in a base class and read in a subclass, or vice versa). As a result, analysis is more likely to recognize user-defined objects that are stored on `self` and used later in other methods, which may produce additional results.
12
11
* Simplified the internal predicates that detect `@staticmethod`, `@classmethod` and `@property` decorators to match the decorator's AST `Name` directly, rather than going through the CFG and requiring the name to resolve globally. Code that shadows these three builtin decorators at the module-scope will now be classified by the decorator name alone; in practice, shadowing these names is extremely rare and the call-graph results are unchanged.
13
12
* Python taint tracking is now more precise for values flowing through container contents, such as list, set, tuple, and dictionary elements. This may remove some false positive alerts.
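Review bot: deleting the "Temporarily disabled the `instanceFieldStep` disjunct" bullet from the 7.2.0 section rewrites a released version's notes, while the bullet that survives ("* Python type tracking now follows values stored in instance attributes such as `self.attr` across instance methods") still advertises exactly the behaviour that disjunct provides. If the step ships disabled, that bullet should be removed or qualified in the same change; if the disabling lands in a later release, the deleted note belongs under that release rather than being dropped. The hunk gives no reason for the removal, so the commit message should state it.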
@@ -71,7 +70,7 @@ No user-facing changes.
71
70
72
71
### Minor Analysis Improvements
73
72
74
-
* Added new full SSRF sanitization barrier from the new AntiSSRF library.
73
+
* Added new full SSRF sanitization barrier from the new AntiSSRF library.
75
74
* When a guard such as `isSafe(x)` is defined, we now also automatically handle `isSafe(x) == true` and `isSafe(x) != false`.
76
75
77
76
## 6.1.1
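Review bot: the removed and added lines in this hunk are visibly identical ("* Added new full SSRF sanitization barrier from the new AntiSSRF library."), so this is a whitespace-only change (trailing whitespace or line-ending normalisation), and the same pattern repeats in every remaining hunk of this file. Say so in the commit message so reviewers do not hunt for a content change, and consider doing such normalisation of released changelog sections in a separate commit so that the one substantive deletion at the top of the file stands on its own.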
@@ -170,7 +169,7 @@ No user-facing changes.
170
169
### Minor Analysis Improvements
171
170
172
171
- The modelling of Psycopg2 now supports the use of `psycopg2.pool` connection pools for handling database connections.
173
-
* Removed `lxml` as an XML bomb sink. The underlying libxml2 library now includes [entity reference loop detection](https://github.com/lxml/lxml/blob/f33ac2c2f5f9c4c4c1fc47f363be96db308f2fa6/doc/FAQ.txt#L1077) that prevents XML bomb attacks.
172
+
* Removed `lxml` as an XML bomb sink. The underlying libxml2 library now includes [entity reference loop detection](https://github.com/lxml/lxml/blob/f33ac2c2f5f9c4c4c1fc47f363be96db308f2fa6/doc/FAQ.txt#L1077) that prevents XML bomb attacks.
174
173
175
174
## 4.0.13
176
175
@@ -263,7 +262,7 @@ No user-facing changes.
263
262
### Minor Analysis Improvements
264
263
265
264
* The sensitive data library has been improved so that `snake_case` style variable names are recognized more reliably. This may result in more sensitive data being identified, and more results from queries that use the sensitive data library.
266
-
- Additional taint steps through methods of `lxml.etree.Element` and `lxml.etree.ElementTree` objects from the `lxml` PyPI package have been modeled.
265
+
- Additional taint steps through methods of `lxml.etree.Element` and `lxml.etree.ElementTree` objects from the `lxml` PyPI package have been modeled.
267
266
268
267
## 3.1.0
269
268
@@ -317,7 +316,7 @@ No user-facing changes.
317
316
318
317
### Minor Analysis Improvements
319
318
320
-
* The common sanitizer guard `StringConstCompareBarrier` has been renamed to `ConstCompareBarrier` and expanded to cover comparisons with other constant values such as `None`. This may result in fewer false positive results for several queries.
319
+
* The common sanitizer guard `StringConstCompareBarrier` has been renamed to `ConstCompareBarrier` and expanded to cover comparisons with other constant values such as `None`. This may result in fewer false positive results for several queries.
321
320
322
321
## 2.0.0
323
322
@@ -546,7 +545,7 @@ No user-facing changes.
546
545
547
546
### New Features
548
547
549
-
* The `DataFlow::StateConfigSig` signature module has gained default implementations for `isBarrier/2` and `isAdditionalFlowStep/4`.
548
+
* The `DataFlow::StateConfigSig` signature module has gained default implementations for `isBarrier/2` and `isAdditionalFlowStep/4`.
550
549
Hence it is no longer needed to provide `none()` implementations of these predicates if they are not needed.
551
550
552
551
### Minor Analysis Improvements
@@ -573,7 +572,7 @@ No user-facing changes.
573
572
* Deleted many deprecated predicates and classes with uppercase `API`, `HTTP`, `XSS`, `SQL`, etc. in their names. Use the PascalCased versions instead.
574
573
* Deleted the deprecated `getName()` predicate from the `Container` class, use `getAbsolutePath()` instead.
575
574
* Deleted many deprecated module names that started with a lowercase letter, use the versions that start with an uppercase letter instead.
576
-
* Deleted many deprecated predicates in `PointsTo.qll`.
575
+
* Deleted many deprecated predicates in `PointsTo.qll`.
577
576
* Deleted many deprecated files from the `semmle.python.security` package.
578
577
* Deleted the deprecated `BottleRoutePointToExtension` class from `Extensions.qll`.
579
578
* Type tracking is now aware of flow summaries. This leads to a richer API graph, and may lead to more results in some queries.
@@ -730,7 +729,7 @@ No user-facing changes.
730
729
### Deprecated APIs
731
730
732
731
* Some unused predicates in `SsaDefinitions.qll`, `TObject.qll`, `protocols.qll`, and the `pointsto/` folder have been deprecated.
733
-
* Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
732
+
* Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
734
733
The old name still exists as a deprecated alias.
735
734
736
735
### Minor Analysis Improvements
@@ -749,9 +748,9 @@ No user-facing changes.
749
748
750
749
### Deprecated APIs
751
750
752
-
* Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
751
+
* Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
753
752
The old name still exists as a deprecated alias.
754
-
* The utility files previously in the `semmle.python.security.performance` package have been moved to the `semmle.python.security.regexp` package.
753
+
* The utility files previously in the `semmle.python.security.performance` package have been moved to the `semmle.python.security.regexp` package.
755
754
The previous files still exist as deprecated aliases.
756
755
757
756
### Minor Analysis Improvements
@@ -844,9 +843,9 @@ No user-facing changes.
844
843
845
844
### Deprecated APIs
846
845
847
-
* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide.
846
+
* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide.
848
847
The old name still exists as a deprecated alias.
849
-
* Some modules that started with a lowercase letter have been renamed to follow our style-guide.
848
+
* Some modules that started with a lowercase letter have been renamed to follow our style-guide.
python/ql/lib/change-notes/released/7.2.0.md
Lines changed: 0 additions & 1 deletion
@@ -7,7 +7,6 @@
7
7
8
8
### Minor Analysis Improvements
9
9
10
-
- Temporarily disabled the `instanceFieldStep` disjunct of the internal `TypeTrackingInput::levelStepCall` predicate, which was introduced in 7.2.0 and caused catastrophic query slowdowns on some OOP-heavy Python codebases (e.g. `mypy` and `dask`).
11
10
* Python type tracking now follows values stored in instance attributes such as `self.attr` across instance methods, including across a class hierarchy (for example, a value stored on `self.attr` in a base class and read in a subclass, or vice versa). As a result, analysis is more likely to recognize user-defined objects that are stored on `self` and used later in other methods, which may produce additional results.
12
11
* Simplified the internal predicates that detect `@staticmethod`, `@classmethod` and `@property` decorators to match the decorator's AST `Name` directly, rather than going through the CFG and requiring the name to resolve globally. Code that shadows these three builtin decorators at the module-scope will now be classified by the decorator name alone; in practice, shadowing these names is extremely rare and the call-graph results are unchanged.
13
12
* Python taint tracking is now more precise for values flowing through container contents, such as list, set, tuple, and dictionary elements. This may remove some false positive alerts.
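Review bot: this hunk mirrors the first `CHANGELOG.md` hunk line for line, which keeps `change-notes/released/7.2.0.md` and the aggregated changelog consistent; good. The same concern carries over: the remaining `self.attr` type-tracking bullet still describes the behaviour the deleted note says is disabled, so either qualify that bullet here as well or confirm that the `instanceFieldStep` disjunct is enabled in the released 7.2.0.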
0 commit comments