Fix formatting
@@ -4,4 +4,3 @@ private import codeql.actions.controlflow.internal.Cfg as CfgInternal
|
||||
import CfgInternal::Completion
|
||||
import CfgInternal::CfgScope
|
||||
import CfgInternal::CfgImpl
|
||||
|
||||
|
||||
@@ -1,3 +1 @@
|
||||
import DataFlow::DataFlow::Consistency
|
||||
|
||||
|
||||
|
||||
@@ -7,9 +7,7 @@ private import actions
|
||||
* uses: github/codeql-action/init@v2
|
||||
* with:
|
||||
* languages: ruby, javascript
|
||||
*
|
||||
*/
|
||||
|
||||
class DefaultableCodeQLInitiatlizeActionQuery extends UsesStep {
|
||||
DefaultableCodeQLInitiatlizeActionQuery() {
|
||||
this.getCallee() = "github/codeql-action/init" and
|
||||
@@ -17,7 +15,7 @@ class DefaultableCodeQLInitiatlizeActionQuery extends UsesStep {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
/**
|
||||
* Holds if the with: part of the workflow step contains any arguments for with: other than "languages".
|
||||
* e.g.
|
||||
* - name: Initialize CodeQL
|
||||
@@ -25,12 +23,10 @@ class DefaultableCodeQLInitiatlizeActionQuery extends UsesStep {
|
||||
* with:
|
||||
* languages: ${{ matrix.language }}
|
||||
* config-file: ./.github/codeql/${{ matrix.language }}/codeql-config.yml
|
||||
*
|
||||
*/
|
||||
|
||||
predicate customizedWorkflowStep(UsesStep codeQLInitStep) {
|
||||
exists(string arg |
|
||||
exists(codeQLInitStep.getArgument(arg)) and
|
||||
arg != "languages"
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -124,11 +124,7 @@ predicate vulnerableActionsDataModel(
|
||||
* Fields:
|
||||
* - action: action name
|
||||
*/
|
||||
predicate immutableActionsDataModel(
|
||||
string action
|
||||
) {
|
||||
Extensions::immutableActionsDataModel(action)
|
||||
}
|
||||
predicate immutableActionsDataModel(string action) { Extensions::immutableActionsDataModel(action) }
|
||||
|
||||
/**
|
||||
* MaD models for untrusted git commands
|
||||
|
||||
@@ -61,9 +61,7 @@ extensible predicate vulnerableActionsDataModel(
|
||||
/**
|
||||
* Holds for actions that are known to be immutable.
|
||||
*/
|
||||
extensible predicate immutableActionsDataModel(
|
||||
string action
|
||||
);
|
||||
extensible predicate immutableActionsDataModel(string action);
|
||||
|
||||
/**
|
||||
* Holds for git commands that may introduce untrusted data when called on an attacker controlled branch.
|
||||
|
||||
@@ -16,4 +16,4 @@ File getFileBySourceArchiveName(string name) {
|
||||
// We can handle 2 and 3 together by unconditionally adding a leading slash
|
||||
// before replacing double slashes.
|
||||
name = ("/" + result.getAbsolutePath().replaceAll(":", "_")).replaceAll("//", "/")
|
||||
}
|
||||
}
|
||||
|
||||
@@ -12,15 +12,14 @@ class UnversionedImmutableAction extends UsesStep {
|
||||
bindingset[version]
|
||||
predicate isSemVer(string version) {
|
||||
// https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string with optional v prefix
|
||||
version.regexpMatch("^v?(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$")
|
||||
|
||||
version
|
||||
.regexpMatch("^v?(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$") or
|
||||
// or N or N.x or N.N.x with optional v prefix
|
||||
or version.regexpMatch("^v?[1-9]\\d*$")
|
||||
or version.regexpMatch("^v?[1-9]\\d*\\.(x|0|([1-9]\\d*))$")
|
||||
or version.regexpMatch("^v?[1-9]\\d*\\.(0|([1-9]\\d*))\\.(x|0|([1-9]\\d*))$")
|
||||
|
||||
version.regexpMatch("^v?[1-9]\\d*$") or
|
||||
version.regexpMatch("^v?[1-9]\\d*\\.(x|0|([1-9]\\d*))$") or
|
||||
version.regexpMatch("^v?[1-9]\\d*\\.(0|([1-9]\\d*))\\.(x|0|([1-9]\\d*))$") or
|
||||
// or latest which will work
|
||||
or version = "latest"
|
||||
version = "latest"
|
||||
}
|
||||
|
||||
predicate isImmutableAction(UsesStep actionStep, string actionName) {
|
||||
|
||||
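Review bot: `isSemVer` carries no QLDoc, and its name understates what it holds for: after the reflow the body still accepts, besides the semver regex, the wildcard forms `N`, `N.x` and `N.N.x` and the literal `latest` (the trailing comment only says this "will work"), so a reader of the name alone would assume strict semantic versions. Since this predicate appears to drive whether a `uses:` reference is reported by the unversioned-immutable-action query, the accepted forms should be stated where the predicate is declared rather than in inline comments. Suggested QLDoc above `bindingset[version]`: `/** Holds if `version` is a semver tag (optional `v` prefix), a major/minor wildcard of the form `N`, `N.x` or `N.N.x`, or the literal `latest`. */`. The enclosing class `UnversionedImmutableAction` begins before this hunk, and `isImmutableAction` continues past its end.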
@@ -26,4 +26,3 @@ class Cfg extends PrintAstConfiguration {
|
||||
n.getLocation().getFile() = getFileBySourceArchiveName(selectedSourceFile())
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -7,47 +7,47 @@
|
||||
* @tags ide-contextual-queries/print-cfg
|
||||
*/
|
||||
|
||||
private import codeql.actions.Cfg
|
||||
private import codeql.actions.Cfg::TestOutput
|
||||
private import codeql.actions.ideContextual.IDEContextual
|
||||
private import codeql.Locations
|
||||
|
||||
/**
|
||||
* Gets the source file to generate a CFG from.
|
||||
*/
|
||||
external string selectedSourceFile();
|
||||
|
||||
external string selectedSourceLine();
|
||||
|
||||
external string selectedSourceColumn();
|
||||
|
||||
bindingset[file, line, column]
|
||||
private CfgScope smallestEnclosingScope(File file, int line, int column) {
|
||||
result =
|
||||
min(Location loc, CfgScope scope |
|
||||
loc = scope.getLocation() and
|
||||
(
|
||||
loc.getStartLine() < line
|
||||
or
|
||||
loc.getStartLine() = line and loc.getStartColumn() <= column
|
||||
) and
|
||||
(
|
||||
loc.getEndLine() > line
|
||||
or
|
||||
loc.getEndLine() = line and loc.getEndColumn() >= column
|
||||
) and
|
||||
loc.getFile() = file
|
||||
|
|
||||
scope
|
||||
order by
|
||||
loc.getStartLine() desc, loc.getStartColumn() desc, loc.getEndLine(), loc.getEndColumn()
|
||||
)
|
||||
}
|
||||
|
||||
class MyRelevantNode extends RelevantNode {
|
||||
MyRelevantNode() {
|
||||
this.getScope() =
|
||||
smallestEnclosingScope(getFileBySourceArchiveName(selectedSourceFile()),
|
||||
selectedSourceLine().toInt(), selectedSourceColumn().toInt())
|
||||
}
|
||||
}
|
||||
private import codeql.actions.Cfg
|
||||
private import codeql.actions.Cfg::TestOutput
|
||||
private import codeql.actions.ideContextual.IDEContextual
|
||||
private import codeql.Locations
|
||||
|
||||
/**
|
||||
* Gets the source file to generate a CFG from.
|
||||
*/
|
||||
external string selectedSourceFile();
|
||||
|
||||
external string selectedSourceLine();
|
||||
|
||||
external string selectedSourceColumn();
|
||||
|
||||
bindingset[file, line, column]
|
||||
private CfgScope smallestEnclosingScope(File file, int line, int column) {
|
||||
result =
|
||||
min(Location loc, CfgScope scope |
|
||||
loc = scope.getLocation() and
|
||||
(
|
||||
loc.getStartLine() < line
|
||||
or
|
||||
loc.getStartLine() = line and loc.getStartColumn() <= column
|
||||
) and
|
||||
(
|
||||
loc.getEndLine() > line
|
||||
or
|
||||
loc.getEndLine() = line and loc.getEndColumn() >= column
|
||||
) and
|
||||
loc.getFile() = file
|
||||
|
|
||||
scope
|
||||
order by
|
||||
loc.getStartLine() desc, loc.getStartColumn() desc, loc.getEndLine(), loc.getEndColumn()
|
||||
)
|
||||
}
|
||||
|
||||
class MyRelevantNode extends RelevantNode {
|
||||
MyRelevantNode() {
|
||||
this.getScope() =
|
||||
smallestEnclosingScope(getFileBySourceArchiveName(selectedSourceFile()),
|
||||
selectedSourceLine().toInt(), selectedSourceColumn().toInt())
|
||||
}
|
||||
}
|
||||
|
||||
@@ -14,6 +14,5 @@ import actions
|
||||
import codeql.actions.security.UseOfUnversionedImmutableAction
|
||||
|
||||
from UnversionedImmutableAction step
|
||||
select step,
|
||||
"The workflow is using an eligible immutable action ($@) without semantic versioning", step,
|
||||
step.getCallee()
|
||||
select step, "The workflow is using an eligible immutable action ($@) without semantic versioning",
|
||||
step, step.getCallee()
|
||||
|
||||
@@ -12,4 +12,4 @@
|
||||
import codeql.actions.Violations_Of_Best_Practices.DefaultableCodeQLInitiatlizeActionQuery
|
||||
|
||||
from DefaultableCodeQLInitiatlizeActionQuery action
|
||||
select action, "CodeQL Action could use default setup instead of advanced configuration."
|
||||
select action, "CodeQL Action could use default setup instead of advanced configuration."
|
||||
|
||||