diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml index 320ef23e413..34000094dd8 100644 --- a/ql/lib/qlpack.yml +++ b/ql/lib/qlpack.yml @@ -2,7 +2,7 @@ library: true warnOnImplicitThis: true name: github/actions-all -version: 0.1.11 +version: 0.1.12 dependencies: codeql/util: ^1.0.1 codeql/yaml: ^1.0.1 diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml index e7a98574a89..5ccbc7b9657 100644 --- a/ql/src/qlpack.yml +++ b/ql/src/qlpack.yml @@ -1,7 +1,7 @@ --- library: false name: github/actions-queries -version: 0.1.11 +version: 0.1.12 groups: [actions, queries] suites: codeql-suites extractor: javascript diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test9.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test9.yml index 47e032fd727..2d60b9fe6d4 100644 --- a/ql/test/query-tests/Security/CWE-094/.github/workflows/test9.yml +++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/test9.yml @@ -37,3 +37,7 @@ jobs: with: script: | core.setOutput('issue_title', ${{ github.event.issue.title }}.replaceAll(/"/g, '\\"')); + - uses: actions/github-script@v7 + with: + script: | + core.setOutput('issue_title', ${{ toJson(github.event.issue.title) }}.replaceAll(/"/g, '\\"')); diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected index 7f99d7c9b83..16119dd6453 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected @@ -1,4 +1,3 @@ -WARNING: Unused predicate test (CodeInjectionCritical.ql:21,11-15) edges | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | provenance | | | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | provenance | | @@ -269,6 +268,7 @@ nodes | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | semmle.label | fromJson(needs.parse-issue.outputs.payload).version | | .github/workflows/test9.yml:35:42:35:80 | toJson(github.event.issue.title) | semmle.label | toJson(github.event.issue.title) | | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/test9.yml:43:42:43:80 | toJson(github.event.issue.title) | semmle.label | toJson(github.event.issue.title) | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] | diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected index f835d492f68..d0834f0dff8 100644 --- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected +++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected @@ -268,6 +268,7 @@ nodes | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | semmle.label | fromJson(needs.parse-issue.outputs.payload).version | | .github/workflows/test9.yml:35:42:35:80 | toJson(github.event.issue.title) | semmle.label | toJson(github.event.issue.title) | | .github/workflows/test9.yml:39:42:39:72 | github.event.issue.title | semmle.label | github.event.issue.title | +| .github/workflows/test9.yml:43:42:43:80 | toJson(github.event.issue.title) | semmle.label | toJson(github.event.issue.title) | | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] |