Apply suggestions from code review

Co-authored-by: Aditya Sharad <6874315+adityasharad@users.noreply.github.com>
This commit is contained in:
Martin Costello
2025-02-14 17:21:24 +00:00
committed by GitHub
parent 5d2409e652
commit 979d604bf6
2 changed files with 2 additions and 2 deletions


@@ -40,7 +40,7 @@ where
) and
uses.getVersion() = version and
not isTrustedOwner(nwo) and
not if isContainerImage(nwo) then isPinnedContainer(version) else isPinnedCommit(version) and
not (if isContainerImage(nwo) then isPinnedContainer(version) else isPinnedCommit(version)) and
not isImmutableAction(uses, nwo)
select uses.getCalleeNode(),
"Unpinned 3rd party Action '" + name + "' step $@ uses '" + nwo + "' with ref '" + version +
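Review bot: the added parentheses around `if isContainerImage(nwo) then isPinnedContainer(version) else isPinnedCommit(version)` are the right fix, because without them the `else` branch runs to the end of the formula and swallows the `and not isImmutableAction(uses, nwo)` conjunct on the next line, so `not` negates the wrong expression. The intent would be easier to read, and harder to break again, if `not` were pushed into the branches: `if isContainerImage(nwo) then not isPinnedContainer(version) else not isPinnedCommit(version)`, keeping `not isImmutableAction(uses, nwo)` as a separate conjunct. Either way, this deserves a test case with a Docker-based action pinned by digest alongside a tag-pinned one, so the precedence fix is locked in.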


@@ -2,4 +2,4 @@
category: minorAnalysis
---
* Fix CWE-829 false positives for Docker GitHub actions pinned by the container's SHA256 digest.
* Fixed false positives in the query `actions/unpinned-tag` (CWE-829), which will no longer flag uses of Docker-based GitHub actions pinned by the container's SHA256 digest.
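Review bot: the rewritten entry is an improvement because it names the query id `actions/unpinned-tag` and the CWE, which is what readers of a `minorAnalysis` change note search for. Consider saying "pinned by the container image's SHA256 digest" and giving the `uses: docker://...@sha256:...` form, so that a user can match the note to the workflow syntax it now accepts.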