Address review comments

2026-05-14 11:19:27 +02:00 · 2026-05-04 16:47:44 -04:00
parent b0bc0fdd61
commit 39b6cf9468
4 changed files with 10 additions and 4 deletions
--- a/actions/ql/lib/change-notes/2026-04-15-poisonable-steps-additions-alterations.md
+++ b/actions/ql/lib/change-notes/2026-04-15-poisonable-steps-additions-alterations.md
@@ -1,4 +1,4 @@
 ---
 category: minorAnalysis
 ---
-* Altered 2 patterns in the `poisonable_steps` modelling. Extra sinks are detected in the following cases: scripts executed via python modules and `go run` in directories are detected as potential mechanisms of injection. For the go execution pattern, the pattern is updated to now ignore flags that occur between go and the specific command. This change may lead to more results being detected by any queries that use that library.
+* Altered 2 patterns in the `poisonable_steps` modelling. Extra sinks are detected in the following cases: scripts executed via python modules and `go run` in directories are detected as potential mechanisms of injection. For the go execution pattern, the pattern is updated to now ignore flags that occur between go and the specific command. This change may lead to more results being detected by the following queries: `actions/untrusted-checkout/high`, `actions/untrusted-checkout/critical`, `actions/untrusted-checkout-toctou/high`, `actions/untrusted-checkout-toctou/critical`, `actions/cache-poisoning/poisonable-step`, `actions/cache-poisoning/direct-cache` and `actions/artifact-poisoning/path-traversal`.
--- a/actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements-helpfile.md
+++ b/actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements-helpfile.md
@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* Fixed help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Previously the messages were unclear as to why and how the vulnerabilities could occur. 
--- a/actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements-metadata.md
+++ b/actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements-metadata.md
@@ -0,0 +1,4 @@
+---
+category: queryMetadata
+---
+* Adjusted the name of `actions/untrusted-checkout/high` to more clearly describe which parts of the scenario are in a privileged context.
--- a/actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements.md
+++ b/actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements.md
@@ -1,6 +1,4 @@
 ---
 category: majorAnalysis
 ---
-* Fixed help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Previously the messages were unclear as to why and how the vulnerabilities could occur. 
-* Adjusted `actions/untrusted-checkout/critical` to align more with other untrusted resource queries, where the alert location is the location where the artifact is obtained from (the checkout point). This aligns with the other 2 related queries. This will cause the same alerts to re-open for closed alerts of this query.
-* Adjusted the name of `actions/untrusted-checkout/high` to more clearly describe which parts of the scenario are in a privileged context. This will cause the same alerts to re-open for closed alerts of this query.
+* Adjusted `actions/untrusted-checkout/critical` to align more with other untrusted resource queries, where the alert location is the location where the artifact is obtained from (the checkout point). This aligns with the other 2 related queries. This will cause the same alerts to re-open for closed alerts of this query.