hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Python: Add missing change notes

Browse Source 
I looked through PRs between rc/1.24 and rc/1.25 and added missing change notes for:

- https://github.com/github/codeql/pull/3314
- https://github.com/github/codeql/pull/3302
- https://github.com/github/codeql/pull/3212
- https://github.com/github/codeql/pull/3453
- https://github.com/github/codeql/pull/3407
- https://github.com/github/codeql/pull/3563

```
git log --grep="Merge pull request" --format=oneline rc/1.24..rc/1.25 -- python/
```
This commit is contained in:
Rasmus Wriedt Larsen
2020-09-08 14:27:12 +02:00
parent 8e8c65a164
commit 2979f9813e
1 changed files with 6 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
change-notes/1.25/analysis-python.md
View File

@@ -1,22 +1,9 @@
# Improvements to Python analysis
The following changes in version 1.25 affect Python analysis in all applications.
## General improvements
## New queries
| **Query** | **Tags** | **Purpose** |
|-----------------------------|-----------|--------------------------------------------------------------------|
## Changes to existing queries
| **Query** | **Expected impact** | **Change** |
|----------------------------|------------------------|------------------------------------------------------------------|
## Changes to libraries
* Importing `semmle.python.web.HttpRequest` will no longer import `UntrustedStringKind` transitively. `UntrustedStringKind` is the most commonly used non-abstract subclass of `ExternalStringKind`. If not imported (by one mean or another), taint-tracking queries that concern `ExternalStringKind` will not produce any results. Please ensure such queries contain an explicit import (`import semmle.python.security.strings.Untrusted`).
* Added model of taint sources for HTTP servers using `http.server`.
* Added taint modeling of routed parameters in flask.
* Improved modeling of builtin methods on strings for taint tracking.
* Improved classification of test files.
* New class `BoundMethodValue` exposing information about a bound method.
* The query `py/command-line-injection` now recognizes command execution with the `fabric` and `invoke` Python libraries.