Fix query

Fix various issues with the query.
martincostello
2025-02-14 12:59:02 +00:00
parent 9a29cebe58
commit 71bc89beda


@@ -27,7 +27,7 @@ bindingset[version]
private predicate isPinnedContainer(string version) { version.regexpMatch("^sha256:[A-Fa-f0-9]{64}$") }
bindingset[nwo]
private predicate isContainerImage(string nwo) { version.regexpMatch("^docker:\/\/.*") }
private predicate isContainerImage(string nwo) { nwo.regexpMatch("^docker://.+") }
from UsesStep uses, string nwo, string version, Workflow workflow, string name
where
@@ -39,17 +39,17 @@ where
not exists(workflow.getName()) and workflow.getLocation().getFile().getBaseName() = name
) and
uses.getVersion() = version and
isContainerImage(nwo) = isContainer and
not isTrustedOwner(nwo) and
not isImmutableAction(uses, nwo)
not (
not isImmutableAction(uses, nwo) and
not
(
(
isContainer and
isPinnedCommit(version)
isContainerImage(nwo) and
isPinnedContainer(version)
)
or
(
not isContainer and
not isContainerImage(nwo) and
isPinnedCommit(version)
)
)
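Review bot: The container branch now depends on `isPinnedContainer(version)`, but the `where` clause still requires `uses.getVersion() = version`, and how `getVersion()` parses a `docker://` reference is not visible in this hunk (the clause begins before it). If `getVersion()` has no result for a tag-less image, or returns something other than the bare digest for `image:tag@sha256:...`, those steps either drop out of the query or are misclassified, so the least-pinned images may never be reported. I would add query tests for an untagged image, a tag-only image and a digest-pinned image, and state the expectation above the predicate, e.g. `// version must be the bare OCI digest (sha256:<64 hex>); a tag is mutable and never counts as pinned`. As a style point, `regexpMatch` already matches the whole string, so the `^` and `$` anchors in both predicates are redundant.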