github
diff --git a/‎change-notes/1.20/analysis-python.md‎
Lines changed: 3 additions & 0 deletions b/‎change-notes/1.20/analysis-python.md‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎python/ql/src/Expressions/HashedButNoHash.ql‎
Lines changed: 1 addition & 1 deletion b/‎python/ql/src/Expressions/HashedButNoHash.ql‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql‎
Lines changed: 1 addition & 1 deletion b/‎python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎python/ql/src/Security/CWE-295/RequestWithoutValidation.ql‎
Lines changed: 1 addition & 1 deletion b/‎python/ql/src/Security/CWE-295/RequestWithoutValidation.ql‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎python/ql/src/Security/CWE-326/WeakCrypto.ql‎
Lines changed: 2 additions & 2 deletions b/‎python/ql/src/Security/CWE-326/WeakCrypto.ql‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎python/ql/src/Security/CWE-327/InsecureDefaultProtocol.ql‎
Lines changed: 2 additions & 2 deletions b/‎python/ql/src/Security/CWE-327/InsecureDefaultProtocol.ql‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎python/ql/src/Security/CWE-327/InsecureProtocol.ql‎
Lines changed: 5 additions & 5 deletions b/‎python/ql/src/Security/CWE-327/InsecureProtocol.ql‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎python/ql/src/Security/CWE-732/WeakFilePermissions.ql‎
Lines changed: 2 additions & 2 deletions b/‎python/ql/src/Security/CWE-732/WeakFilePermissions.ql‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎python/ql/src/Security/CWE-798/HardcodedCredentials.ql‎
Lines changed: 1 addition & 1 deletion b/‎python/ql/src/Security/CWE-798/HardcodedCredentials.ql‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎python/ql/src/Statements/StatementNoEffect.ql‎
Lines changed: 1 addition & 1 deletion b/‎python/ql/src/Statements/StatementNoEffect.ql‎
Lines changed: 1 addition & 1 deletion
@@ -8,6 +8,9 @@
 
 The constants `MULTILINE` and `VERBOSE` in `re` module, are now understood for Python 3.6 and upward. 
 Removes false positives seen when using Python 3.6, but not when using earlier versions.
+The API has been improved to declutter the global namespace and improve discoverability and readability.
+ * New predicates `ModuleObject::named(name)` and `ModuleObject.attr(name)` have been added, allowing more readable access to common objects. For example, `(any ModuleObject m | m.getName() = "sys").getAttribute("exit")` can be replaced with `ModuleObject::named("sys").attr("exit")`
+ * The API for accessing builtin functions has been improved. Predicates of the form `theXXXFunction()`, such as `theLenFunction()`, have been deprecated in favour of `Object::builtin(name)`.
 
  ## New queries
 
 
@@ -19,7 +19,7 @@ import python
 
 predicate numpy_array_type(ClassObject na) {
     exists(ModuleObject np | np.getName() = "numpy" or np.getName() = "numpy.core" |
-        na.getAnImproperSuperType() = np.getAttribute("ndarray")
+        na.getAnImproperSuperType() = np.attr("ndarray")
     )
 }
 
 
@@ -15,7 +15,7 @@ import python
 ClassObject jinja2EnvironmentOrTemplate() {
     exists(ModuleObject jinja2, string name |
         jinja2.getName() = "jinja2" and
-        jinja2.getAttribute(name) = result |
+        jinja2.attr(name) = result |
         name = "Environment" or
         name = "Template"
     )
 
@@ -17,7 +17,7 @@ import semmle.python.web.Http
 FunctionObject requestFunction() {
     exists(ModuleObject req |
         req.getName() = "requests" and
-        result = req.getAttribute(httpVerbLower())
+        result = req.attr(httpVerbLower())
     )
 }
 
 
@@ -21,7 +21,7 @@ int minimumSecureKeySize(string algo) {
 
 predicate dsaRsaKeySizeArg(FunctionObject obj, string algorithm, string arg) {
     exists(ModuleObject mod |
-        mod.getAttribute(_) = obj |
+        mod.attr(_) = obj |
         algorithm = "DSA" and
         (
             mod.getName() = "cryptography.hazmat.primitives.asymmetric.dsa" and arg = "key_size"
@@ -44,7 +44,7 @@ predicate dsaRsaKeySizeArg(FunctionObject obj, string algorithm, string arg) {
 
 predicate ecKeySizeArg(FunctionObject obj, string arg) {
     exists(ModuleObject mod |
-        mod.getAttribute(_) = obj |
+        mod.attr(_) = obj |
         mod.getName() = "cryptography.hazmat.primitives.asymmetric.ec" and arg = "curve"
     )
 }
 
@@ -13,11 +13,11 @@
 import python
 
 FunctionObject ssl_wrap_socket() {
-    result = any(ModuleObject ssl | ssl.getName() = "ssl").getAttribute("wrap_socket")
+    result = any(ModuleObject ssl | ssl.getName() = "ssl").attr("wrap_socket")
 }
 
 ClassObject ssl_Context_class() {
-    result = any(ModuleObject ssl | ssl.getName() = "ssl").getAttribute("SSLContext")
+    result = any(ModuleObject ssl | ssl.getName() = "ssl").attr("SSLContext")
 }
 
 CallNode unsafe_call(string method_name) {
 
@@ -12,11 +12,11 @@
 import python
 
 FunctionObject ssl_wrap_socket() {
-    result = the_ssl_module().getAttribute("wrap_socket")
+    result = the_ssl_module().attr("wrap_socket")
 }
 
 ClassObject ssl_Context_class() {
-    result = the_ssl_module().getAttribute("SSLContext")
+    result = the_ssl_module().attr("SSLContext")
 }
 
 string insecure_version_name() {
@@ -69,20 +69,20 @@ predicate unsafe_ssl_wrap_socket_call(CallNode call, string method_name, string
     insecure_version = insecure_version_name()
     and
     (
-        call.getArgByName("ssl_version").refersTo(the_ssl_module().getAttribute(insecure_version))
+        call.getArgByName("ssl_version").refersTo(the_ssl_module().attr(insecure_version))
         or
         probable_insecure_ssl_constant(call, insecure_version)
     )
 }
 
 ClassObject the_pyOpenSSL_Context_class() {
-    result = any(ModuleObject m | m.getName() = "pyOpenSSL.SSL").getAttribute("Context")
+    result = any(ModuleObject m | m.getName() = "pyOpenSSL.SSL").attr("Context")
 }
 
 predicate unsafe_pyOpenSSL_Context_call(CallNode call, string insecure_version) {
     call = the_pyOpenSSL_Context_class().getACall() and
     insecure_version = insecure_version_name() and
-    call.getArg(0).refersTo(the_pyOpenSSL_module().getAttribute(insecure_version))
+    call.getArg(0).refersTo(the_pyOpenSSL_module().attr(insecure_version))
 }
 
 from CallNode call, string method_name, string insecure_version
 
@@ -35,12 +35,12 @@ string permissive_permission(int p) {
 }
 
 predicate chmod_call(CallNode call, FunctionObject chmod, NumericObject num) {
-    any(ModuleObject os | os.getName() = "os").getAttribute("chmod") = chmod and
+    any(ModuleObject os | os.getName() = "os").attr("chmod") = chmod and
     chmod.getACall() = call and call.getArg(1).refersTo(num)
 }
 
 predicate open_call(CallNode call, FunctionObject open, NumericObject num) {
-    any(ModuleObject os | os.getName() = "os").getAttribute("open") = open and
+    any(ModuleObject os | os.getName() = "os").attr("open") = open and
     open.getACall() = call and call.getArg(2).refersTo(num)
 }
 
 
@@ -34,7 +34,7 @@ predicate fewer_characters_than(StrConst str, string char, float fraction) {
 }
 
 predicate possible_reflective_name(string name) {
-    exists(any(ModuleObject m).getAttribute(name))
+    exists(any(ModuleObject m).attr(name))
     or
     exists(any(ClassObject c).lookupAttribute(name))
     or
 
@@ -84,7 +84,7 @@ predicate in_notebook(Expr e) {
 }
 
 FunctionObject assertRaises() {
-    result = ModuleObject::named("unittest").getAttribute("TestCase").(ClassObject).lookupAttribute("assertRaises")
+    result = ModuleObject::named("unittest").attr("TestCase").(ClassObject).lookupAttribute("assertRaises")
 }
 
 /** Holds if expression `e` is in a `with` block that tests for exceptions being raised. */
Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@ import python`
`19`	`19`
`20`	`20`	`predicate numpy_array_type(ClassObject na) {`
`21`	`21`	`exists(ModuleObject np \| np.getName() = "numpy" or np.getName() = "numpy.core" \|`
`22`		`- na.getAnImproperSuperType() = np.getAttribute("ndarray")`
	`22`	`+ na.getAnImproperSuperType() = np.attr("ndarray")`
`23`	`23`	`)`
`24`	`24`	`}`
`25`	`25`
Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,7 @@ import python`
`15`	`15`	`ClassObject jinja2EnvironmentOrTemplate() {`
`16`	`16`	`exists(ModuleObject jinja2, string name \|`
`17`	`17`	`jinja2.getName() = "jinja2" and`
`18`		`- jinja2.getAttribute(name) = result \|`
	`18`	`+ jinja2.attr(name) = result \|`
`19`	`19`	`name = "Environment" or`
`20`	`20`	`name = "Template"`
`21`	`21`	`)`
Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@ import semmle.python.web.Http`
`17`	`17`	`FunctionObject requestFunction() {`
`18`	`18`	`exists(ModuleObject req \|`
`19`	`19`	`req.getName() = "requests" and`
`20`		`- result = req.getAttribute(httpVerbLower())`
	`20`	`+ result = req.attr(httpVerbLower())`
`21`	`21`	`)`
`22`	`22`	`}`
`23`	`23`
Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,7 @@ int minimumSecureKeySize(string algo) {`
`21`	`21`
`22`	`22`	`predicate dsaRsaKeySizeArg(FunctionObject obj, string algorithm, string arg) {`
`23`	`23`	`exists(ModuleObject mod \|`
`24`		`- mod.getAttribute(_) = obj \|`
	`24`	`+ mod.attr(_) = obj \|`
`25`	`25`	`algorithm = "DSA" and`
`26`	`26`	`(`
`27`	`27`	`mod.getName() = "cryptography.hazmat.primitives.asymmetric.dsa" and arg = "key_size"`
`@@ -44,7 +44,7 @@ predicate dsaRsaKeySizeArg(FunctionObject obj, string algorithm, string arg) {`
`44`	`44`
`45`	`45`	`predicate ecKeySizeArg(FunctionObject obj, string arg) {`
`46`	`46`	`exists(ModuleObject mod \|`
`47`		`- mod.getAttribute(_) = obj \|`
	`47`	`+ mod.attr(_) = obj \|`
`48`	`48`	`mod.getName() = "cryptography.hazmat.primitives.asymmetric.ec" and arg = "curve"`
`49`	`49`	`)`
`50`	`50`	`}`
Original file line number	Diff line number	Diff line change
`@@ -13,11 +13,11 @@`
`13`	`13`	`import python`
`14`	`14`
`15`	`15`	`FunctionObject ssl_wrap_socket() {`
`16`		`- result = any(ModuleObject ssl \| ssl.getName() = "ssl").getAttribute("wrap_socket")`
	`16`	`+ result = any(ModuleObject ssl \| ssl.getName() = "ssl").attr("wrap_socket")`
`17`	`17`	`}`
`18`	`18`
`19`	`19`	`ClassObject ssl_Context_class() {`
`20`		`- result = any(ModuleObject ssl \| ssl.getName() = "ssl").getAttribute("SSLContext")`
	`20`	`+ result = any(ModuleObject ssl \| ssl.getName() = "ssl").attr("SSLContext")`
`21`	`21`	`}`
`22`	`22`
`23`	`23`	`CallNode unsafe_call(string method_name) {`
Original file line number	Diff line number	Diff line change
`@@ -12,11 +12,11 @@`
`12`	`12`	`import python`
`13`	`13`
`14`	`14`	`FunctionObject ssl_wrap_socket() {`
`15`		`- result = the_ssl_module().getAttribute("wrap_socket")`
	`15`	`+ result = the_ssl_module().attr("wrap_socket")`
`16`	`16`	`}`
`17`	`17`
`18`	`18`	`ClassObject ssl_Context_class() {`
`19`		`- result = the_ssl_module().getAttribute("SSLContext")`
	`19`	`+ result = the_ssl_module().attr("SSLContext")`
`20`	`20`	`}`
`21`	`21`
`22`	`22`	`string insecure_version_name() {`
`@@ -69,20 +69,20 @@ predicate unsafe_ssl_wrap_socket_call(CallNode call, string method_name, string`
`69`	`69`	`insecure_version = insecure_version_name()`
`70`	`70`	`and`
`71`	`71`	`(`
`72`		`- call.getArgByName("ssl_version").refersTo(the_ssl_module().getAttribute(insecure_version))`
	`72`	`+ call.getArgByName("ssl_version").refersTo(the_ssl_module().attr(insecure_version))`
`73`	`73`	`or`
`74`	`74`	`probable_insecure_ssl_constant(call, insecure_version)`
`75`	`75`	`)`
`76`	`76`	`}`
`77`	`77`
`78`	`78`	`ClassObject the_pyOpenSSL_Context_class() {`
`79`		`- result = any(ModuleObject m \| m.getName() = "pyOpenSSL.SSL").getAttribute("Context")`
	`79`	`+ result = any(ModuleObject m \| m.getName() = "pyOpenSSL.SSL").attr("Context")`
`80`	`80`	`}`
`81`	`81`
`82`	`82`	`predicate unsafe_pyOpenSSL_Context_call(CallNode call, string insecure_version) {`
`83`	`83`	`call = the_pyOpenSSL_Context_class().getACall() and`
`84`	`84`	`insecure_version = insecure_version_name() and`
`85`		`- call.getArg(0).refersTo(the_pyOpenSSL_module().getAttribute(insecure_version))`
	`85`	`+ call.getArg(0).refersTo(the_pyOpenSSL_module().attr(insecure_version))`
`86`	`86`	`}`
`87`	`87`
`88`	`88`	`from CallNode call, string method_name, string insecure_version`
Original file line number	Diff line number	Diff line change
`@@ -35,12 +35,12 @@ string permissive_permission(int p) {`
`35`	`35`	`}`
`36`	`36`
`37`	`37`	`predicate chmod_call(CallNode call, FunctionObject chmod, NumericObject num) {`
`38`		`- any(ModuleObject os \| os.getName() = "os").getAttribute("chmod") = chmod and`
	`38`	`+ any(ModuleObject os \| os.getName() = "os").attr("chmod") = chmod and`
`39`	`39`	`chmod.getACall() = call and call.getArg(1).refersTo(num)`
`40`	`40`	`}`
`41`	`41`
`42`	`42`	`predicate open_call(CallNode call, FunctionObject open, NumericObject num) {`
`43`		`- any(ModuleObject os \| os.getName() = "os").getAttribute("open") = open and`
	`43`	`+ any(ModuleObject os \| os.getName() = "os").attr("open") = open and`
`44`	`44`	`open.getACall() = call and call.getArg(2).refersTo(num)`
`45`	`45`	`}`
`46`	`46`
Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,7 @@ predicate fewer_characters_than(StrConst str, string char, float fraction) {`
`34`	`34`	`}`
`35`	`35`
`36`	`36`	`predicate possible_reflective_name(string name) {`
`37`		`- exists(any(ModuleObject m).getAttribute(name))`
	`37`	`+ exists(any(ModuleObject m).attr(name))`
`38`	`38`	`or`
`39`	`39`	`exists(any(ClassObject c).lookupAttribute(name))`
`40`	`40`	`or`
Original file line number	Diff line number	Diff line change
`@@ -84,7 +84,7 @@ predicate in_notebook(Expr e) {`
`84`	`84`	`}`
`85`	`85`
`86`	`86`	`FunctionObject assertRaises() {`
`87`		`- result = ModuleObject::named("unittest").getAttribute("TestCase").(ClassObject).lookupAttribute("assertRaises")`
	`87`	`+ result = ModuleObject::named("unittest").attr("TestCase").(ClassObject).lookupAttribute("assertRaises")`
`88`	`88`	`}`
`89`	`89`
`90`	`90`	/** Holds if expression `e` is in a `with` block that tests for exceptions being raised. */