Refactor trusted actions owner model

- use existing data extensions config and yml folder - rename from trustedActionsOwner to trustedActionsOwnerDataModel - update related predicates
2025-12-17 01:03:14 +01:00 · 2025-01-07 17:22:24 -05:00
parent 35587ed3e7
commit 3e94a4c2bf
7 changed files with 16 additions and 9 deletions
--- a/actions/ql/lib/change-notes/2025-01-07-trusted-owner-ext.md
+++ b/actions/ql/lib/change-notes/2025-01-07-trusted-owner-ext.md
@@ -1,4 +1,4 @@
 ---
 category: feature
 ---
-* Trusted Action owner list can now be expanded using data extensions for `trustedActionsOwner` on the query `actions/unpinned-tag`
+* Trusted Action owner list can now be expanded using data extensions for `trustedActionsOwnerDataModel` on the query `actions/unpinned-tag`
--- a/actions/ql/lib/codeql/actions/config/Config.qll
+++ b/actions/ql/lib/codeql/actions/config/Config.qll
@@ -126,6 +126,13 @@ predicate vulnerableActionsDataModel(
 */
 predicate immutableActionsDataModel(string action) { Extensions::immutableActionsDataModel(action) }

+/**
+ * MaD models for trusted actions owners
+ * Fields:
+ *    - owner: owner name
+ */
+predicate trustedActionsOwnerDataModel(string owner) { Extensions::trustedActionsOwnerDataModel(owner) }
+
 /**
 * MaD models for untrusted git commands
 * Fields:
--- a/actions/ql/lib/codeql/actions/config/ConfigExtensions.qll
+++ b/actions/ql/lib/codeql/actions/config/ConfigExtensions.qll
@@ -63,6 +63,12 @@ extensible predicate vulnerableActionsDataModel(
 */
 extensible predicate immutableActionsDataModel(string action);

+
+/** 
+ * Holds for trusted Actions owners.
+ */
+extensible predicate trustedActionsOwnerDataModel(string owner);
+
 /**
 * Holds for git commands that may introduce untrusted data when called on an attacker controlled branch.
 */
--- a/actions/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll
+++ b/actions/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll
@@ -9,11 +9,6 @@ class UnversionedImmutableAction extends UsesStep {
  }
 }

-// The following predicate is extended in data extensions under actions/ql/lib/codeql/actions/security/owner/
-// and can be extended with custom model packs as necessary.
-/** Holds for actions owner defined in data extensions */
-extensible predicate trustedActionsOwner(string owner);
-
 bindingset[version]
 predicate isSemVer(string version) {
  // https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string with optional v prefix
--- a/actions/ql/lib/codeql/actions/security/owner/trusted/trusted_actions_owner.model.yml
+++ b/actions/ql/lib/codeql/actions/security/owner/trusted/trusted_actions_owner.model.yml
@@ -1,7 +1,7 @@
 extensions:
  - addsTo: 
      pack: codeql/actions-all
-      extensible: trustedActionsOwner
+      extensible: trustedActionsOwnerDataModel
    data:      
      - ["actions"]
      - ["github"]
--- a/actions/ql/lib/qlpack.yml
+++ b/actions/ql/lib/qlpack.yml
@@ -14,4 +14,3 @@ dataExtensions:
  - ext/manual/*.model.yml
  - ext/generated/**/*.model.yml
  - ext/config/*.yml
-  - codeql/actions/security/owner/**/*.model.yml
--- a/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
+++ b/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
@@ -20,7 +20,7 @@ private predicate isPinnedCommit(string version) { version.regexpMatch("^[A-Fa-f
 bindingset[nwo]
 private predicate isTrustedOwner(string nwo) {
  // Gets the segment before the first '/' in the name with owner(nwo) string
-  trustedActionsOwner(nwo.substring(0, nwo.indexOf("/")))
+  trustedActionsOwnerDataModel(nwo.substring(0, nwo.indexOf("/")))
 }

 from UsesStep uses, string nwo, string version, Workflow workflow, string name