feat(sources): Do not take triggers into consideration

ql/src/Security/CWE-078/PrivilegedCommandInjection.ql

@@ -16,14 +16,16 @@ import actions
 import codeql.actions.security.CommandInjectionQuery
 import CommandInjectionFlow::PathGraph
 
+predicate isSingleTriggerWorkflow(Workflow w, string trigger) {
+  w.getATriggerEvent() = trigger and
+  count(string t | w.getATriggerEvent() = t | t) = 1
+}
+
 from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink, Workflow w
 where
   CommandInjectionFlow::flowPath(source, sink) and
   w = source.getNode().asExpr().getEnclosingWorkflow() and
-  (
-    w instanceof ReusableWorkflow or
-    w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())
-  )
+  not isSingleTriggerWorkflow(w, "pull_request")
 select sink.getNode(), source, sink,
   "Potential privileged command injection in $@, which may be controlled by an external user.",
   sink, sink.getNode().asExpr().(Expression).getRawExpression()

ql/src/Security/CWE-094/PrivilegedCodeInjection.ql

@@ -18,14 +18,16 @@ import actions
 import codeql.actions.security.CodeInjectionQuery
 import CodeInjectionFlow::PathGraph
 
+predicate isSingleTriggerWorkflow(Workflow w, string trigger) {
+  w.getATriggerEvent() = trigger and
+  count(string t | w.getATriggerEvent() = t | t) = 1
+}
+
 from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Workflow w
 where
   CodeInjectionFlow::flowPath(source, sink) and
   w = source.getNode().asExpr().getEnclosingWorkflow() and
-  (
-    w instanceof ReusableWorkflow or
-    w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())
-  )
+  not isSingleTriggerWorkflow(w, "pull_request")
 select sink.getNode(), source, sink,
   "Potential privileged code injection in $@, which may be controlled by an external user.", sink,
   sink.getNode().asExpr().(Expression).getRawExpression()