hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-25 16:55:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add "Correct Usage" and "Incorrect Usage" headings

Browse Source
This commit is contained in:
Owen Mansel-Chan
2025-06-26 14:33:37 +01:00
parent 9521994adc
commit 9f0f40d6ce
4 changed files with 24 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
actions/ql/src/Security/CWE-275/MissingActionsPermissions.md
View File

@@ -4,7 +4,18 @@ If a GitHub Actions job or workflow has no explicit permissions set, then the re
## Recommendation
Add the `permissions` key to the job or the root of workflow (in this case it is applied to all jobs in the workflow that do not have their own `permissions` key) and assign the least privileges required to complete the task:
Add the `permissions` key to the job or the root of workflow (in this case it is applied to all jobs in the workflow that do not have their own `permissions` key) and assign the least privileges required to complete the task.
## Example
### Incorrect Usage
```yaml
name: "My workflow"
# No permissions block
```
### Correct Usage
```yaml
name: "My workflow"

4
actions/ql/src/Security/CWE-312/SecretsInArtifacts.md
View File

@@ -8,6 +8,8 @@ Only store information that is meant to be publicly available in a GitHub Action
## Example
### Incorrect Usage
The following example uses `actions/checkout` to checkout code which stores the GITHUB_TOKEN in the \`.git/config\` file and then stores the contents of the \`.git\` repository into the artifact:
```yaml
@@ -26,6 +28,8 @@ jobs:
path: .
```
### Correct Usage
The issue has been fixed below, where the `actions/upload-artifact` uses a version (v4+) which does not include hidden files or directories into the artifact.
```yaml

4
java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md
View File

@@ -8,6 +8,8 @@ Avoid calling `finalize()` in application code. Allow the JVM to determine a gar
## Example
### Incorrect Usage
```java
class LocalCache {
private Collection<File> cacheFiles = ...;
@@ -21,6 +23,8 @@ void main() {
}
```
### Correct Usage
```java
import java.lang.AutoCloseable;
import java.lang.Override;

4
ruby/ql/src/queries/variables/UninitializedLocal.md
View File

@@ -11,6 +11,8 @@ Note: You do not need to explicitly initialize the variable, if you can make the
## Example
### Incorrect Usage
In the following code, the call to `create_file` may fail and then the call `f.close` will raise a `NoMethodError` since `f` will be `nil` at that point.
```ruby
@@ -22,6 +24,8 @@ ensure
end
```
### Correct Usage
We can fix this by using safe navigation:
```ruby
def dump(x)