Release preparation for version 2.12.0

2026-05-03 12:45:27 +02:00 · 2023-01-05 16:32:14 +00:00
parent f58ec799dd
commit b6a8193785
163 changed files with 521 additions and 377 deletions
--- a/python/ql/lib/CHANGELOG.md
+++ b/python/ql/lib/CHANGELOG.md
@@ -1,3 +1,24 @@
+## 0.7.0
+
+### Major Analysis Improvements
+
+* The _PAM authorization bypass due to incorrect usage_ (`py/pam-auth-bypass`) query has been converted to a taint-tracking query, resulting in significantly fewer false positives.
+
+### Minor Analysis Improvements
+
+- Added `subprocess.getoutput` and `subprocess.getoutputstatus` as new command injection sinks for the StdLib.
+ * The data-flow library has been rewritten to no longer rely on the points-to analysis in order to
+   resolve references to modules. Improvements in the module resolution can lead to more results.
+* Deleted the deprecated `importNode` predicate from the `DataFlowUtil.qll` file.
+* Deleted the deprecated features from `PEP249.qll` that were not inside the `PEP249` module.
+* Deleted the deprecated `werkzeug` from the `Werkzeug` module in `Werkzeug.qll`.
+* Deleted the deprecated `methodResult` predicate from `PEP249::Cursor`.
+
+### Bug Fixes
+
+* `except*` is now supported.
+* The result of `Try.getAHandler` and `Try.getHandler(<index>)` is no longer of type `ExceptStmt`, as handlers may also be `ExceptGroupStmt`s (After Python 3.11 introduced PEP 654). Instead, it is of the new type `ExceptionHandler` of which `ExceptStmt` and `ExceptGroupStmt` are subtypes. To support selecting only one type of handler, `Try.getANormalHandler` and `Try.getAGroupHandler` have been added. Existing uses of `Try.getAHandler` for which it is important to select only normal handlers, will need to be updated to `Try.getANormalHandler`.
+
 ## 0.6.6

 No user-facing changes.
--- a/python/ql/lib/change-notes/2022-11-14-grouped-exceptions.md
+++ b/python/ql/lib/change-notes/2022-11-14-grouped-exceptions.md
@@ -1,5 +0,0 @@
---
-category: fix
---
-* `except*` is now supported.
-* The result of `Try.getAHandler` and `Try.getHandler(<index>)` is no longer of type `ExceptStmt`, as handlers may also be `ExceptGroupStmt`s (After Python 3.11 introduced PEP 654). Instead, it is of the new type `ExceptionHandler` of which `ExceptStmt` and `ExceptGroupStmt` are subtypes. To support selecting only one type of handler, `Try.getANormalHandler` and `Try.getAGroupHandler` have been added. Existing uses of `Try.getAHandler` for which it is important to select only normal handlers, will need to be updated to `Try.getANormalHandler`.
--- a/python/ql/lib/change-notes/2022-11-17-deleted-deps.md
+++ b/python/ql/lib/change-notes/2022-11-17-deleted-deps.md
@@ -1,7 +0,0 @@
---
-category: minorAnalysis
---
-* Deleted the deprecated `importNode` predicate from the `DataFlowUtil.qll` file.
-* Deleted the deprecated features from `PEP249.qll` that were not inside the `PEP249` module.
-* Deleted the deprecated `werkzeug` from the `Werkzeug` module in `Werkzeug.qll`.
-* Deleted the deprecated `methodResult` predicate from `PEP249::Cursor`.
--- a/python/ql/lib/change-notes/2022-11-17-py-pam-improve.md
+++ b/python/ql/lib/change-notes/2022-11-17-py-pam-improve.md
@@ -1,4 +0,0 @@
---
- category: majorAnalysis
---
-* The _PAM authorization bypass due to incorrect usage_ (`py/pam-auth-bypass`) query has been converted to a taint-tracking query, resulting in significantly fewer false positives.
--- a/python/ql/lib/change-notes/2022-11-21-module-resolution-rewrite.md
+++ b/python/ql/lib/change-notes/2022-11-21-module-resolution-rewrite.md
@@ -1,5 +0,0 @@
---
- category: minorAnalysis
---
- * The data-flow library has been rewritten to no longer rely on the points-to analysis in order to
-   resolve references to modules. Improvements in the module resolution can lead to more results.
--- a/python/ql/lib/change-notes/2022-12-03-new-stdlib-cmdi-sinks.md
+++ b/python/ql/lib/change-notes/2022-12-03-new-stdlib-cmdi-sinks.md
@@ -1,5 +0,0 @@
---
-category: minorAnalysis
---
- Added `subprocess.getoutput` and `subprocess.getoutputstatus` as new command injection sinks for the StdLib.
-
--- a/python/ql/lib/change-notes/released/0.7.0.md
+++ b/python/ql/lib/change-notes/released/0.7.0.md
@@ -0,0 +1,20 @@
+## 0.7.0
+
+### Major Analysis Improvements
+
+* The _PAM authorization bypass due to incorrect usage_ (`py/pam-auth-bypass`) query has been converted to a taint-tracking query, resulting in significantly fewer false positives.
+
+### Minor Analysis Improvements
+
+- Added `subprocess.getoutput` and `subprocess.getoutputstatus` as new command injection sinks for the StdLib.
+ * The data-flow library has been rewritten to no longer rely on the points-to analysis in order to
+   resolve references to modules. Improvements in the module resolution can lead to more results.
+* Deleted the deprecated `importNode` predicate from the `DataFlowUtil.qll` file.
+* Deleted the deprecated features from `PEP249.qll` that were not inside the `PEP249` module.
+* Deleted the deprecated `werkzeug` from the `Werkzeug` module in `Werkzeug.qll`.
+* Deleted the deprecated `methodResult` predicate from `PEP249::Cursor`.
+
+### Bug Fixes
+
+* `except*` is now supported.
+* The result of `Try.getAHandler` and `Try.getHandler(<index>)` is no longer of type `ExceptStmt`, as handlers may also be `ExceptGroupStmt`s (After Python 3.11 introduced PEP 654). Instead, it is of the new type `ExceptionHandler` of which `ExceptStmt` and `ExceptGroupStmt` are subtypes. To support selecting only one type of handler, `Try.getANormalHandler` and `Try.getAGroupHandler` have been added. Existing uses of `Try.getAHandler` for which it is important to select only normal handlers, will need to be updated to `Try.getANormalHandler`.
--- a/python/ql/lib/codeql-pack.release.yml
+++ b/python/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.6
+lastReleaseVersion: 0.7.0
--- a/python/ql/lib/qlpack.yml
+++ b/python/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/python-all
-version: 0.7.0-dev
+version: 0.7.0
 groups: python
 dbscheme: semmlecode.python.dbscheme
 extractor: python
--- a/python/ql/src/CHANGELOG.md
+++ b/python/ql/src/CHANGELOG.md
@@ -1,3 +1,11 @@
+## 0.6.0
+
+### Minor Analysis Improvements
+
+* The `analysis/AlertSuppression.ql` query has moved to the root folder. Users that refer to this query by path should update their configurations. The query has been updated to support the new `# codeql[query-id]` supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy `# lgtm` and `# lgtm[query-id]` comments can now also be place on the line before an alert.
+* Bumped the minimum keysize we consider secure for elliptic curve cryptography from 224 to 256 bits, following current best practices. This might effect results from the _Use of weak cryptographic key_ (`py/weak-crypto-key`) query.
+ * Added modeling of `getpass.getpass` as a source of passwords, which will be an additional source for `py/clear-text-logging-sensitive-data`, `py/clear-text-storage-sensitive-data`, and `py/weak-sensitive-data-hashing`.
+
 ## 0.5.6

 No user-facing changes.
--- a/python/ql/src/change-notes/2022-11-22-getpass.md
+++ b/python/ql/src/change-notes/2022-11-22-getpass.md
@@ -1,4 +0,0 @@
---
- category: minorAnalysis
---
- * Added modeling of `getpass.getpass` as a source of passwords, which will be an additional source for `py/clear-text-logging-sensitive-data`, `py/clear-text-storage-sensitive-data`, and `py/weak-sensitive-data-hashing`.
--- a/python/ql/src/change-notes/2022-11-29-ecc-min-secure-keysize.md
+++ b/python/ql/src/change-notes/2022-11-29-ecc-min-secure-keysize.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Bumped the minimum keysize we consider secure for elliptic curve cryptography from 224 to 256 bits, following current best practices. This might effect results from the _Use of weak cryptographic key_ (`py/weak-crypto-key`) query.
--- a/python/ql/src/change-notes/2022-12-19-alert-suppressions.md
+++ b/python/ql/src/change-notes/2022-12-19-alert-suppressions.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The `analysis/AlertSuppression.ql` query has moved to the root folder. Users that refer to this query by path should update their configurations. The query has been updated to support the new `# codeql[query-id]` supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy `# lgtm` and `# lgtm[query-id]` comments can now also be place on the line before an alert.
--- a/python/ql/src/change-notes/released/0.6.0.md
+++ b/python/ql/src/change-notes/released/0.6.0.md
@@ -0,0 +1,7 @@
+## 0.6.0
+
+### Minor Analysis Improvements
+
+* The `analysis/AlertSuppression.ql` query has moved to the root folder. Users that refer to this query by path should update their configurations. The query has been updated to support the new `# codeql[query-id]` supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy `# lgtm` and `# lgtm[query-id]` comments can now also be place on the line before an alert.
+* Bumped the minimum keysize we consider secure for elliptic curve cryptography from 224 to 256 bits, following current best practices. This might effect results from the _Use of weak cryptographic key_ (`py/weak-crypto-key`) query.
+ * Added modeling of `getpass.getpass` as a source of passwords, which will be an additional source for `py/clear-text-logging-sensitive-data`, `py/clear-text-storage-sensitive-data`, and `py/weak-sensitive-data-hashing`.
--- a/python/ql/src/codeql-pack.release.yml
+++ b/python/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.5.6
+lastReleaseVersion: 0.6.0
--- a/python/ql/src/qlpack.yml
+++ b/python/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/python-queries
-version: 0.6.0-dev
+version: 0.6.0
 groups: 
  - python
  - queries