From 02c5f74f2059dff88cc6f02655151e0728c28000 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Tue, 22 Oct 2024 14:57:59 +0200
Subject: [PATCH] New gh CLI sources

---
 ql/lib/codeql/actions/config/Config.qll | 14 ++-
 .../actions/config/ConfigExtensions.qll | 7 +-
 .../codeql/actions/dataflow/FlowSources.qll | 30 ++++-
 .../security/OutputClobberingQuery.qll | 2 +-
 ql/lib/ext/config/untrusted_gh_command.yml | 56 +++++++++
 ...commands.yml => untrusted_git_command.yml} | 2 +-
 .../CWE-094/.github/workflows/test19.yml | 112 ++++++++++++++++++
 .../CWE-094/CodeInjectionCritical.expected | 108 +++++++++++++++++
 .../CWE-094/CodeInjectionMedium.expected | 90 ++++++++++++++
 9 files changed, 412 insertions(+), 9 deletions(-)
 create mode 100644 ql/lib/ext/config/untrusted_gh_command.yml
 rename ql/lib/ext/config/{untrusted_git_commands.yml => untrusted_git_command.yml} (96%)
 create mode 100644 ql/test/query-tests/Security/CWE-094/.github/workflows/test19.yml

diff --git a/ql/lib/codeql/actions/config/Config.qll b/ql/lib/codeql/actions/config/Config.qll
index 82b7a53a9d7..4dbdcbf5528 100644
--- a/ql/lib/codeql/actions/config/Config.qll
+++ b/ql/lib/codeql/actions/config/Config.qll
@@ -125,6 +125,16 @@ predicate vulnerableActionsDataModel(
 * - cmd_regex: Regular expression for matching untrusted git commands
 * - flag: Flag for the command
 */
-predicate untrustedGitCommandsDataModel(string cmd_regex, string flag) {
- Extensions::untrustedGitCommandsDataModel(cmd_regex, flag)
+predicate untrustedGitCommandDataModel(string cmd_regex, string flag) {
+ Extensions::untrustedGitCommandDataModel(cmd_regex, flag)
+}
+
+/**
+ * MaD models for untrusted gh commands
+ * Fields:
+ * - cmd_regex: Regular expression for matching untrusted gh commands
+ * - flag: Flag for the command
+ */
+predicate untrustedGhCommandDataModel(string cmd_regex, string flag) {
+ Extensions::untrustedGhCommandDataModel(cmd_regex, flag)
 }
diff --git a/ql/lib/codeql/actions/config/ConfigExtensions.qll b/ql/lib/codeql/actions/config/ConfigExtensions.qll
index a32e9c445f2..ed575de0eb4 100644
--- a/ql/lib/codeql/actions/config/ConfigExtensions.qll
+++ b/ql/lib/codeql/actions/config/ConfigExtensions.qll
@@ -61,4 +61,9 @@ extensible predicate vulnerableActionsDataModel(
 /**
 * Holds for git commands that may introduce untrusted data when called on an attacker controlled branch.
 */
-extensible predicate untrustedGitCommandsDataModel(string cmd_regex, string flag);
+extensible predicate untrustedGitCommandDataModel(string cmd_regex, string flag);
+
+/**
+ * Holds for gh commands that may introduce untrusted data
+ */
+extensible predicate untrustedGhCommandDataModel(string cmd_regex, string flag);
diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll
index 91b110f87ee..56c901434ce 100644
--- a/ql/lib/codeql/actions/dataflow/FlowSources.qll
+++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll
@@ -80,7 +80,7 @@ class GitCommandSource extends RemoteFlowSource, CommandSource {
 GitCommandSource() {
 exists(Step checkout, string cmd_regex |
- // This shoould be:
+ // This should be:
 // source instanceof PRHeadCheckoutStep
 // but PRHeadCheckoutStep uses Taint Tracking anc causes a non-Monolitic Recursion error
 // so we list all the subclasses of PRHeadCheckoutStep here and use actions/checkout as a workaround
@@ -105,8 +105,8 @@ class GitCommandSource extends RemoteFlowSource, CommandSource {
 checkout.getAFollowingStep() = run and
 run.getScript().getAStmt() = cmd and
 cmd.indexOf("git") = 0 and
- untrustedGitCommandsDataModel(cmd_regex, flag) and
- cmd.regexpMatch(".*" + cmd_regex + ".*")
+ untrustedGitCommandDataModel(cmd_regex, flag) and
+ cmd.regexpMatch(cmd_regex + ".*")
 )
 }
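Review bot: The new doc comment on `untrustedGhCommandDataModel` does not say what its two fields mean, and this is the extension point other model packs will populate; the rows in untrusted_gh_command.yml use values such as `"title,oneline"` and `"text,multiline"`, so the second field appears to name the kind of data returned and whether it may span lines, but nothing in the patch states that. I'd replace the comment with `/** Holds for gh commands whose output may carry attacker-controlled data (PR or issue titles, bodies, comments, branch names, file names, author logins); cmd_regex is matched from the first character of the statement and flag has the form "<kind>,<oneline|multiline>". */`, hedging the flag format if it is meant to be free-form. The sentence is also missing its closing period, unlike the git comment above it.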
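Review bot: Dropping the leading `.*` in `cmd.regexpMatch(cmd_regex + ".*")` turns every model row into a start-anchored pattern, because regexpMatch matches the whole string; the shipped git rows begin with `git\\b` so they still fire, but a row contributed by another extension pack that starts mid-command now silently yields no source, and nothing at the call site records that contract. I'd add `// regexpMatch is a full-string match: model regexes must start at the command name, only a trailing ".*" is appended` above the `untrustedGitCommandDataModel` call. The `cmd.indexOf("git") = 0` guard just above is now redundant with the anchored regex, though harmless. `GitCommandSource`'s constructor starts before this hunk.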
@@ -117,6 +117,28 @@ class GitCommandSource extends RemoteFlowSource, CommandSource {
 override Run getEnclosingRun() { result = run }
 }
 
+class GhCLICommandSource extends RemoteFlowSource, CommandSource {
+ Run run;
+ string cmd;
+ string flag;
+
+ GhCLICommandSource() {
+ exists(string cmd_regex |
+ this.asExpr() = run.getScript() and
+ run.getScript().getAStmt() = cmd and
+ cmd.indexOf("gh ") = 0 and
+ untrustedGhCommandDataModel(cmd_regex, flag) and
+ cmd.regexpMatch(cmd_regex + ".*")
+ )
+ }
+
+ override string getSourceType() { result = flag }
+
+ override Run getEnclosingRun() { result = run }
+
+ override string getCommand() { result = cmd }
+}
+
 class GitHubEventPathSource extends RemoteFlowSource, CommandSource {
 string cmd;
 string flag;
@@ -206,7 +228,7 @@ class ArtifactSource extends RemoteFlowSource, FileSource {
 */
 private class CheckoutSource extends RemoteFlowSource, FileSource {
 CheckoutSource() {
- // This shoould be:
+ // This should be:
 // source instanceof PRHeadCheckoutStep
 // but PRHeadCheckoutStep uses Taint Tracking anc causes a non-Monolitic Recursion error
 // so we list all the subclasses of PRHeadCheckoutStep here and use actions/checkout as a workaround
diff --git a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll
index 58b7b18ca62..311c3abdb69 100644
--- a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll
+++ b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll
@@ -20,7 +20,7 @@ class OutputClobberingFromFileReadSink extends OutputClobberingSink {
 (
 step instanceof UntrustedArtifactDownloadStep
 or
- // This shoould be:
+ // This should be:
 // artifact instanceof PRHeadCheckoutStep
 // but PRHeadCheckoutStep uses Taint Tracking anc causes a non-Monolitic Recursion error
 // so we list all the subclasses of PRHeadCheckoutStep here and use actions/checkout as a workaround
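Review bot: `GhCLICommandSource` is added without a doc comment, while the neighbouring `GitCommandSource` at least explains its workaround inline, and nothing in the class says why `gh` output counts as remote data. I'd put above `class GhCLICommandSource`: `/** A run script containing a statement that starts with "gh" and matches a row of untrustedGhCommandDataModel; the PR or issue fields such commands read (title, body, comments, head ref, file names, author) are written by the PR or issue author, so the whole script is treated as a remote source. */`. The `cmd.indexOf("gh ") = 0` test is redundant with the model rows, which all start with `gh\\s+`, and it rejects a tab-separated `gh<TAB>pr view` that the regex would accept; either drop it or mark it as a cheap pre-filter with `// cheap pre-filter; the model regex is anchored at the statement start anyway`.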
diff --git a/ql/lib/ext/config/untrusted_gh_command.yml b/ql/lib/ext/config/untrusted_gh_command.yml
new file mode 100644
index 00000000000..653f9e31c98
--- /dev/null
+++ b/ql/lib/ext/config/untrusted_gh_command.yml
@@ -0,0 +1,56 @@
+extensions:
+ - addsTo:
+ pack: github/actions-all
+ extensible: untrustedGhCommandDataModel
+ data:
+ #
+ # PULL REQUESTS
+ #
+ # HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')
+ - ["gh\\s+pr\\b.*\\bview\\b.*\\.headRefName.*", "branch,oneline"]
+ # TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)
+ - ["gh\\s+pr\\b.*\\bview\\b.*\\.title.*", "title,oneline"]
+ # BODY=$(gh pr view $PR_NUMBER --json body --jq .body)
+ - ["gh\\s+pr\\b.*\\bview\\b.*\\.body.*", "text,multiline"]
+ # COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"
+ - ["gh\\s+pr\\b.*\\bview\\b.*\\.comments.*", "text,multiline"]
+ # CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"
+ - ["gh\\s+pr\\b.*\\bview\\b.*\\.files.*", "filename,multiline"]
+ # AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login')
+ - ["gh\\s+pr\\b.*\\bview\\b.*\\.author.*", "username,oneline"]
+ #
+ # ISSUES
+ #
+ # TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')
+ - ["gh\\s+issue\\b.*\\bview\\b.*\\.title.*", "title,oneline"]
+ # BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body,assignees --jq .body)
+ - ["gh\\s+issue\\b.*\\bview\\b.*\\.body.*", "text,multiline"]
+ # COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')
+ - ["gh\\s+issue\\b.*\\bview\\b.*\\.comments.*", "text,multiline"]
+ #
+ # API
+ #
+ # PR="$(gh api /repos/test/test/pulls/${PR_NUMBER})"
+ #
+ # HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' | head -n 1)
+ - ["gh\\s+api\\b.*\\b(/)?repos/.*/pulls.*\\b.*\\.head.ref.*", "branch,oneline"]
+ # TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")
+ - ["gh\\s+api\\b.*\\b(/)?repos/.*/pulls.*\\b.*\\.title.*", "title,oneline"]
+ # BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")
+ - ["gh\\s+api\\b.*\\b(/)?repos/.*/pulls.*\\b.*\\.body.*", "text,multiline"]
+ # COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')
+ - ["gh\\s+api\\b.*\\b(/)?repos/.*/pulls.*/comments\\b.*\\.body.*", "text,multiline"]
+ # CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')
+ - ["gh\\s+api\\b.*\\b(/)?repos/.*/pulls.*/files\\b.*\\.filename.*", "filename,oneline"]
+ # AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")
+ - ["gh\\s+api\\b.*\\b(/)?repos/.*/pulls.*\\b.*\\.user\\.login.*", "username,oneline"]
+ #
+ # ISSUES
+ #
+ # TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")
+ - ["gh\\s+api\\b.*\\b(/)?repos/.*/issues.*\\b.*\\.title.*", "title,oneline"]
+ # BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")
+ - ["gh\\s+api\\b.*\\b(/)?repos/.*/issues.*\\b.*\\.body.*", "text,multiline"]
+ # COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')
+ - ["gh\\s+api\\b.*\\b(/)?repos/.*/issues.*/comments\\b.*\\.body.*", "text,multiline"]
+
diff --git a/ql/lib/ext/config/untrusted_git_commands.yml b/ql/lib/ext/config/untrusted_git_command.yml
similarity index 96%
rename from ql/lib/ext/config/untrusted_git_commands.yml
rename to ql/lib/ext/config/untrusted_git_command.yml
index b4b96a4af43..e862267027a 100644
--- a/ql/lib/ext/config/untrusted_git_commands.yml
+++ b/ql/lib/ext/config/untrusted_git_command.yml
@@ -1,7 +1,7 @@
 extensions:
 - addsTo:
 pack: github/actions-all
- extensible: untrustedGitCommandsDataModel
+ extensible: untrustedGitCommandDataModel
 data:
 # FILES=$(git diff-tree --no-commit-id --name-only HEAD -r)
 - ["git\\b.*\\bdiff-tree\\b", "filename,multiline"]
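Review bot: The `pulls.*/files` row is tagged `"filename,oneline"` while the equivalent `gh pr view … .files` row above is `"filename,multiline"`; `--jq '.[].filename'` prints one path per line, so if the second field is what decides whether a value may carry newlines (as the git model's `filename,multiline` suggests), the REST variant under-classifies attacker-controlled data and any sink that only fires for multi-line values will miss it. Change it to `- ["gh\\s+api\\b.*\\b(/)?repos/.*/pulls.*/files\\b.*\\.filename.*", "filename,multiline"]`. Two smaller gaps in the same table: the commented example `PR="$(gh api /repos/test/test/pulls/${PR_NUMBER})"` has no row, so a script that stores the whole JSON and extracts `.title` later is not a source, and the example under the second ISSUES heading queries `/pulls/…/comments`, which the `issues.*/comments` row it sits above cannot match. The dot inside `\\.head.ref` is also unescaped, so it matches any character.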
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test19.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test19.yml
new file mode 100644
index 00000000000..804d55a7db2
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test19.yml
@@ -0,0 +1,112 @@
+name: Pull Request Open
+
+on:
+ pull_request_target:
+
+jobs:
+ pulls1:
+ runs-on: ubuntu-latest
+ steps:
+ - id: head_ref
+ run: |
+ HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')
+ echo "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.head_ref.outputs.head_ref}}"
+ - id: title
+ run: |
+ TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)
+ echo "title=$TITLE" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.title.outputs.title}}"
+ - id: body
+ run: |
+ BODY=$(gh pr view $PR_NUMBER --json body --jq .body)
+ echo "body=$BODY" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.body.outputs.body}}"
+ - id: comments
+ run: |
+ COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"
+ echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.comments.outputs.comments}}"
+ - id: files
+ run: |
+ CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"
+ echo "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.files.outputs.files}}"
+ - id: author
+ run: |
+ AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login')
+ echo "author=$AUTHOR" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.author.outputs.author}}"
+ pulls2:
+ runs-on: ubuntu-latest
+ steps:
+ - id: head_ref
+ run: |
+ HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' | head -n 1)
+ echo "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.head_ref.outputs.head_ref}}"
+ - id: title
+ run: |
+ TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")
+ echo "title=$TITLE" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.title.outputs.title}}"
+ - id: body
+ run: |
+ BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")
+ echo "body=$BODY" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.body.outputs.body}}"
+ - id: comments
+ run: |
+ COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')
+ echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.comments.outputs.comments}}"
+ - id: files
+ run: |
+ CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')
+ echo "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.files.outputs.files}}"
+ - id: author
+ run: |
+ AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")
+ echo "author=$AUTHOR" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.author.outputs.author}}"
+ issues1:
+ runs-on: ubuntu-latest
+ steps:
+ - id: title
+ run: |
+ TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')
+ echo "title=$TITLE" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.title.outputs.title}}"
+ - id: body
+ run: |
+ BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')
+ echo "body=$BODY" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.body.outputs.body}}"
+ - id: comments
+ run: |
+ COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')
+ echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.comments.outputs.comments}}"
+ issues2:
+ runs-on: ubuntu-latest
+ steps:
+ - id: title
+ run: |
+ TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")
+ echo "title=$TITLE" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.title.outputs.title}}"
+ - id: body
+ run: |
+ BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")
+ echo "body=$BODY" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.body.outputs.body}}"
+ - id: comments
+ run: |
+ COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')
+ echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT"
+ - run: echo "${{ steps.comments.outputs.comments}}"
+
+
+
+
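Review bot: The `comments` step of the `issues2` job calls `/repos/test/test/pulls/${PR_NUMBER}/comments`, the pull request endpoint already exercised in `pulls2`, so the `issues.*/comments` model row gets no coverage from this workflow and the expected output cannot tell the two rows apart. Change that line to `COMMENTS=$(gh api /repos/test/test/issues/${PR_NUMBER}/comments --jq '.[].body')`. The workflow also has no negative case: a step such as `gh pr view "$PR_NUMBER" --json number --jq .number` echoed into `${{ }}` would show that the loose `.*` patterns do not flag gh output that the PR author cannot control.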
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
index 83faf4eb5e4..8a134a6f7ef 100644
--- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
@@ -160,6 +160,42 @@ edges | .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | provenance | | | .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | provenance | | | .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | provenance | | +| .github/workflows/test19.yml:10:9:14:6 | Run Step: head_ref [head_ref] | .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | provenance | | +| .github/workflows/test19.yml:11:14:13:56 | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:10:9:14:6 | Run Step: head_ref [head_ref] | provenance | | +| .github/workflows/test19.yml:15:9:19:6 | Run Step: title [title] | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | provenance | | +| .github/workflows/test19.yml:16:14:18:50 | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:15:9:19:6 | Run Step: title [title] | provenance | | +| .github/workflows/test19.yml:20:9:24:6 | Run Step: body [body] | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | provenance | | +| .github/workflows/test19.yml:21:14:23:48 | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:20:9:24:6 | Run Step: body [body] | provenance | | +| .github/workflows/test19.yml:25:9:29:6 | Run Step: comments [comments] | .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | provenance | | +| .github/workflows/test19.yml:26:14:28:56 | COMMENTS="$(gh pr view --repo ${{ github.repository }} 
"$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:25:9:29:6 | Run Step: comments [comments] | provenance | | +| .github/workflows/test19.yml:30:9:34:6 | Run Step: files [files] | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | provenance | | +| .github/workflows/test19.yml:31:14:33:58 | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:30:9:34:6 | Run Step: files [files] | provenance | | +| .github/workflows/test19.yml:35:9:39:6 | Run Step: author [author] | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | provenance | | +| .github/workflows/test19.yml:36:14:38:52 | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:35:9:39:6 | Run Step: author [author] | provenance | | +| .github/workflows/test19.yml:43:9:47:6 | Run Step: head_ref [head_ref] | .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | provenance | | +| .github/workflows/test19.yml:44:14:46:56 | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:43:9:47:6 | Run Step: head_ref [head_ref] | provenance | | +| .github/workflows/test19.yml:48:9:52:6 | Run Step: title [title] | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | provenance | | +| .github/workflows/test19.yml:49:14:51:50 | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:48:9:52:6 | Run Step: title [title] | provenance | | +| 
.github/workflows/test19.yml:53:9:57:6 | Run Step: body [body] | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | provenance | | +| .github/workflows/test19.yml:54:14:56:48 | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:53:9:57:6 | Run Step: body [body] | provenance | | +| .github/workflows/test19.yml:58:9:62:6 | Run Step: comments [comments] | .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | provenance | | +| .github/workflows/test19.yml:59:14:61:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:58:9:62:6 | Run Step: comments [comments] | provenance | | +| .github/workflows/test19.yml:63:9:67:6 | Run Step: files [files] | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | provenance | | +| .github/workflows/test19.yml:64:14:66:58 | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:63:9:67:6 | Run Step: files [files] | provenance | | +| .github/workflows/test19.yml:68:9:72:6 | Run Step: author [author] | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | provenance | | +| .github/workflows/test19.yml:69:14:71:52 | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:68:9:72:6 | Run Step: author [author] | provenance | | +| .github/workflows/test19.yml:76:9:80:6 | Run Step: title [title] | .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | provenance | | +| .github/workflows/test19.yml:77:14:79:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | 
.github/workflows/test19.yml:76:9:80:6 | Run Step: title [title] | provenance | | +| .github/workflows/test19.yml:81:9:85:6 | Run Step: body [body] | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | provenance | | +| .github/workflows/test19.yml:82:14:84:48 | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:81:9:85:6 | Run Step: body [body] | provenance | | +| .github/workflows/test19.yml:86:9:90:6 | Run Step: comments [comments] | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | provenance | | +| .github/workflows/test19.yml:87:14:89:56 | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:86:9:90:6 | Run Step: comments [comments] | provenance | | +| .github/workflows/test19.yml:94:9:98:6 | Run Step: title [title] | .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | provenance | | +| .github/workflows/test19.yml:95:14:97:50 | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:94:9:98:6 | Run Step: title [title] | provenance | | +| .github/workflows/test19.yml:99:9:103:6 | Run Step: body [body] | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | provenance | | +| .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:99:9:103:6 | Run Step: body [body] | provenance | | +| .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | provenance | | +| .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api 
/repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | provenance | | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | provenance | | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance | | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance | | 
@@ -487,6 +523,60 @@ nodes | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | semmle.label | fromJson(steps.get-pull-request.outputs.data).title | | .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | semmle.label | Uses Step: issues | | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | semmle.label | steps.issues.outputs.data | +| .github/workflows/test19.yml:10:9:14:6 | Run Step: head_ref [head_ref] | semmle.label | Run Step: head_ref [head_ref] | +| .github/workflows/test19.yml:11:14:13:56 | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | semmle.label | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | semmle.label | steps.head_ref.outputs.head_ref | +| .github/workflows/test19.yml:15:9:19:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test19.yml:16:14:18:50 | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test19.yml:20:9:24:6 | Run Step: body [body] | semmle.label | Run Step: body [body] | +| .github/workflows/test19.yml:21:14:23:48 | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | semmle.label | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | semmle.label | steps.body.outputs.body | +| 
.github/workflows/test19.yml:25:9:29:6 | Run Step: comments [comments] | semmle.label | Run Step: comments [comments] | +| .github/workflows/test19.yml:26:14:28:56 | COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments | +| .github/workflows/test19.yml:30:9:34:6 | Run Step: files [files] | semmle.label | Run Step: files [files] | +| .github/workflows/test19.yml:31:14:33:58 | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | semmle.label | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | semmle.label | steps.files.outputs.files | +| .github/workflows/test19.yml:35:9:39:6 | Run Step: author [author] | semmle.label | Run Step: author [author] | +| .github/workflows/test19.yml:36:14:38:52 | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | semmle.label | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | semmle.label | steps.author.outputs.author | +| .github/workflows/test19.yml:43:9:47:6 | Run Step: head_ref [head_ref] | semmle.label | Run Step: head_ref 
[head_ref] | +| .github/workflows/test19.yml:44:14:46:56 | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | semmle.label | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | semmle.label | steps.head_ref.outputs.head_ref | +| .github/workflows/test19.yml:48:9:52:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test19.yml:49:14:51:50 | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test19.yml:53:9:57:6 | Run Step: body [body] | semmle.label | Run Step: body [body] | +| .github/workflows/test19.yml:54:14:56:48 | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | semmle.label | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | semmle.label | steps.body.outputs.body | +| .github/workflows/test19.yml:58:9:62:6 | Run Step: comments [comments] | semmle.label | Run Step: comments [comments] | +| .github/workflows/test19.yml:59:14:61:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq 
'.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments | +| .github/workflows/test19.yml:63:9:67:6 | Run Step: files [files] | semmle.label | Run Step: files [files] | +| .github/workflows/test19.yml:64:14:66:58 | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | semmle.label | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | semmle.label | steps.files.outputs.files | +| .github/workflows/test19.yml:68:9:72:6 | Run Step: author [author] | semmle.label | Run Step: author [author] | +| .github/workflows/test19.yml:69:14:71:52 | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | semmle.label | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | semmle.label | steps.author.outputs.author | +| .github/workflows/test19.yml:76:9:80:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test19.yml:77:14:79:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test19.yml:81:9:85:6 | Run Step: body [body] | semmle.label | Run Step: body [body] | +| .github/workflows/test19.yml:82:14:84:48 | BODY=$(gh issue view -R 
${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | semmle.label | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | semmle.label | steps.body.outputs.body | +| .github/workflows/test19.yml:86:9:90:6 | Run Step: comments [comments] | semmle.label | Run Step: comments [comments] | +| .github/workflows/test19.yml:87:14:89:56 | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments | +| .github/workflows/test19.yml:94:9:98:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test19.yml:95:14:97:50 | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test19.yml:99:9:103:6 | Run Step: body [body] | semmle.label | Run Step: body [body] | +| .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | semmle.label | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | semmle.label | steps.body.outputs.body | +| 
.github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | semmle.label | Run Step: comments [comments] | +| .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | 
@@ -643,6 +733,24 @@ subpaths | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | ${{ fromJson(steps.get-pull-request.outputs.data).title }} | | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | +| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | .github/workflows/test19.yml:11:14:13:56 | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | ${{ steps.head_ref.outputs.head_ref}} | +| .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | .github/workflows/test19.yml:16:14:18:50 | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | +| .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | .github/workflows/test19.yml:21:14:23:48 | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | +| .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:26:14:28:56 | COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | +| .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | .github/workflows/test19.yml:31:14:33:58 | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | ${{ steps.files.outputs.files}} | +| .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | .github/workflows/test19.yml:36:14:38:52 | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | ${{ steps.author.outputs.author}} | +| .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | .github/workflows/test19.yml:44:14:46:56 | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | ${{ steps.head_ref.outputs.head_ref}} | +| .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | .github/workflows/test19.yml:49:14:51:50 | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | +| .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | .github/workflows/test19.yml:54:14:56:48 | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | +| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:59:14:61:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | +| .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | .github/workflows/test19.yml:64:14:66:58 | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | ${{ steps.files.outputs.files}} | +| .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | .github/workflows/test19.yml:69:14:71:52 | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | ${{ steps.author.outputs.author}} | +| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | .github/workflows/test19.yml:77:14:79:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | +| .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | .github/workflows/test19.yml:82:14:84:48 | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | +| .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:87:14:89:56 | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | +| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | .github/workflows/test19.yml:95:14:97:50 | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | ${{ steps.title.outputs.title}} | +| .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | +| .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user. 
| .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} |
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
index 15d526ca7b4..6afef323ff0 100644
--- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
@@ -160,6 +160,42 @@ edges | .github/workflows/test17.yml:49:13:55:10 | Uses Step: issues | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | provenance | | | .github/workflows/test17.yml:60:13:68:10 | Uses Step: get-pull-request | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | provenance | | | .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | provenance | | +| .github/workflows/test19.yml:10:9:14:6 | Run Step: head_ref [head_ref] | .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | provenance | | +| .github/workflows/test19.yml:11:14:13:56 | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:10:9:14:6 | Run Step: head_ref [head_ref] | provenance | | +| .github/workflows/test19.yml:15:9:19:6 | Run Step: title [title] | .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | provenance | | +| .github/workflows/test19.yml:16:14:18:50 | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:15:9:19:6 | Run Step: title [title] | provenance | | +| .github/workflows/test19.yml:20:9:24:6 | Run Step: body [body] | .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | provenance | | +| .github/workflows/test19.yml:21:14:23:48 | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:20:9:24:6 | Run Step: body [body] | provenance | | +| .github/workflows/test19.yml:25:9:29:6 | Run Step: comments [comments] | .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | provenance | | +| .github/workflows/test19.yml:26:14:28:56 | COMMENTS="$(gh pr view --repo ${{ github.repository }} 
"$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:25:9:29:6 | Run Step: comments [comments] | provenance | | +| .github/workflows/test19.yml:30:9:34:6 | Run Step: files [files] | .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | provenance | | +| .github/workflows/test19.yml:31:14:33:58 | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:30:9:34:6 | Run Step: files [files] | provenance | | +| .github/workflows/test19.yml:35:9:39:6 | Run Step: author [author] | .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | provenance | | +| .github/workflows/test19.yml:36:14:38:52 | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:35:9:39:6 | Run Step: author [author] | provenance | | +| .github/workflows/test19.yml:43:9:47:6 | Run Step: head_ref [head_ref] | .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | provenance | | +| .github/workflows/test19.yml:44:14:46:56 | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:43:9:47:6 | Run Step: head_ref [head_ref] | provenance | | +| .github/workflows/test19.yml:48:9:52:6 | Run Step: title [title] | .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | provenance | | +| .github/workflows/test19.yml:49:14:51:50 | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:48:9:52:6 | Run Step: title [title] | provenance | | +| 
.github/workflows/test19.yml:53:9:57:6 | Run Step: body [body] | .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | provenance | | +| .github/workflows/test19.yml:54:14:56:48 | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:53:9:57:6 | Run Step: body [body] | provenance | | +| .github/workflows/test19.yml:58:9:62:6 | Run Step: comments [comments] | .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | provenance | | +| .github/workflows/test19.yml:59:14:61:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:58:9:62:6 | Run Step: comments [comments] | provenance | | +| .github/workflows/test19.yml:63:9:67:6 | Run Step: files [files] | .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | provenance | | +| .github/workflows/test19.yml:64:14:66:58 | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:63:9:67:6 | Run Step: files [files] | provenance | | +| .github/workflows/test19.yml:68:9:72:6 | Run Step: author [author] | .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | provenance | | +| .github/workflows/test19.yml:69:14:71:52 | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:68:9:72:6 | Run Step: author [author] | provenance | | +| .github/workflows/test19.yml:76:9:80:6 | Run Step: title [title] | .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | provenance | | +| .github/workflows/test19.yml:77:14:79:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | 
.github/workflows/test19.yml:76:9:80:6 | Run Step: title [title] | provenance | | +| .github/workflows/test19.yml:81:9:85:6 | Run Step: body [body] | .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | provenance | | +| .github/workflows/test19.yml:82:14:84:48 | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:81:9:85:6 | Run Step: body [body] | provenance | | +| .github/workflows/test19.yml:86:9:90:6 | Run Step: comments [comments] | .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | provenance | | +| .github/workflows/test19.yml:87:14:89:56 | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:86:9:90:6 | Run Step: comments [comments] | provenance | | +| .github/workflows/test19.yml:94:9:98:6 | Run Step: title [title] | .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | provenance | | +| .github/workflows/test19.yml:95:14:97:50 | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:94:9:98:6 | Run Step: title [title] | provenance | | +| .github/workflows/test19.yml:99:9:103:6 | Run Step: body [body] | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | provenance | | +| .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:99:9:103:6 | Run Step: body [body] | provenance | | +| .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | provenance | | +| .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api 
/repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | provenance | | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | provenance | | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance | | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance | | 
@@ -487,6 +523,60 @@ nodes | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | semmle.label | fromJson(steps.get-pull-request.outputs.data).title | | .github/workflows/test18.yml:8:9:16:6 | Uses Step: issues | semmle.label | Uses Step: issues | | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | semmle.label | steps.issues.outputs.data | +| .github/workflows/test19.yml:10:9:14:6 | Run Step: head_ref [head_ref] | semmle.label | Run Step: head_ref [head_ref] | +| .github/workflows/test19.yml:11:14:13:56 | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | semmle.label | HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:14:21:14:57 | steps.head_ref.outputs.head_ref | semmle.label | steps.head_ref.outputs.head_ref | +| .github/workflows/test19.yml:15:9:19:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test19.yml:16:14:18:50 | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:19:21:19:51 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test19.yml:20:9:24:6 | Run Step: body [body] | semmle.label | Run Step: body [body] | +| .github/workflows/test19.yml:21:14:23:48 | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | semmle.label | BODY=$(gh pr view $PR_NUMBER --json body --jq .body)\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:24:21:24:49 | steps.body.outputs.body | semmle.label | steps.body.outputs.body | +| 
.github/workflows/test19.yml:25:9:29:6 | Run Step: comments [comments] | semmle.label | Run Step: comments [comments] | +| .github/workflows/test19.yml:26:14:28:56 | COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:29:21:29:57 | steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments | +| .github/workflows/test19.yml:30:9:34:6 | Run Step: files [files] | semmle.label | Run Step: files [files] | +| .github/workflows/test19.yml:31:14:33:58 | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | semmle.label | CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:34:21:34:51 | steps.files.outputs.files | semmle.label | steps.files.outputs.files | +| .github/workflows/test19.yml:35:9:39:6 | Run Step: author [author] | semmle.label | Run Step: author [author] | +| .github/workflows/test19.yml:36:14:38:52 | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | semmle.label | AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') \necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:39:21:39:53 | steps.author.outputs.author | semmle.label | steps.author.outputs.author | +| .github/workflows/test19.yml:43:9:47:6 | Run Step: head_ref [head_ref] | semmle.label | Run Step: head_ref 
[head_ref] | +| .github/workflows/test19.yml:44:14:46:56 | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | semmle.label | HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' \| head -n 1)\necho "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:47:21:47:57 | steps.head_ref.outputs.head_ref | semmle.label | steps.head_ref.outputs.head_ref | +| .github/workflows/test19.yml:48:9:52:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test19.yml:49:14:51:50 | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:52:21:52:51 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test19.yml:53:9:57:6 | Run Step: body [body] | semmle.label | Run Step: body [body] | +| .github/workflows/test19.yml:54:14:56:48 | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | semmle.label | BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:57:21:57:49 | steps.body.outputs.body | semmle.label | steps.body.outputs.body | +| .github/workflows/test19.yml:58:9:62:6 | Run Step: comments [comments] | semmle.label | Run Step: comments [comments] | +| .github/workflows/test19.yml:59:14:61:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq 
'.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:62:21:62:57 | steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments | +| .github/workflows/test19.yml:63:9:67:6 | Run Step: files [files] | semmle.label | Run Step: files [files] | +| .github/workflows/test19.yml:64:14:66:58 | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | semmle.label | CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')\necho "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:67:21:67:51 | steps.files.outputs.files | semmle.label | steps.files.outputs.files | +| .github/workflows/test19.yml:68:9:72:6 | Run Step: author [author] | semmle.label | Run Step: author [author] | +| .github/workflows/test19.yml:69:14:71:52 | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | semmle.label | AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")\necho "author=$AUTHOR" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:72:21:72:53 | steps.author.outputs.author | semmle.label | steps.author.outputs.author | +| .github/workflows/test19.yml:76:9:80:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test19.yml:77:14:79:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:80:21:80:51 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test19.yml:81:9:85:6 | Run Step: body [body] | semmle.label | Run Step: body [body] | +| .github/workflows/test19.yml:82:14:84:48 | BODY=$(gh issue view -R 
${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | semmle.label | BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:85:21:85:49 | steps.body.outputs.body | semmle.label | steps.body.outputs.body | +| .github/workflows/test19.yml:86:9:90:6 | Run Step: comments [comments] | semmle.label | Run Step: comments [comments] | +| .github/workflows/test19.yml:87:14:89:56 | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:90:21:90:57 | steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments | +| .github/workflows/test19.yml:94:9:98:6 | Run Step: title [title] | semmle.label | Run Step: title [title] | +| .github/workflows/test19.yml:95:14:97:50 | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:98:21:98:51 | steps.title.outputs.title | semmle.label | steps.title.outputs.title | +| .github/workflows/test19.yml:99:9:103:6 | Run Step: body [body] | semmle.label | Run Step: body [body] | +| .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | semmle.label | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | semmle.label | steps.body.outputs.body | +| 
.github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | semmle.label | Run Step: comments [comments] | +| .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | semmle.label | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | +| .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | semmle.label | steps.comments.outputs.comments | | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] |