codeql/change-notes/1.25/analysis-python.md

Improvements to Python analysis

• Importing semmle.python.web.HttpRequest will no longer import UntrustedStringKind transitively. UntrustedStringKind is the most commonly used non-abstract subclass of ExternalStringKind. If not imported (by one mean or another), taint-tracking queries that concern ExternalStringKind will not produce any results. Please ensure such queries contain an explicit import (import semmle.python.security.strings.Untrusted).
• Added model of taint sources for HTTP servers using http.server.
• Added taint modeling of routed parameters in Flask.
• Improved modeling of built-in methods on strings for taint tracking.
• Improved classification of test files.
• New class BoundMethodValue represents a bound method during runtime.
• The query py/command-line-injection now recognizes command execution with the fabric and invoke Python libraries.