Merge branch 'main' into post-release-prep/codeql-cli-2.21.1

2026-04-23 15:55:18 +02:00 · 2025-04-16 11:54:23 +01:00
parent d78736b1bf 67bfe108c2
commit bdd3207752
179 changed files with 39012 additions and 2465 deletions
--- a/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.md
+++ b/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.md
@@ -109,7 +109,7 @@ An attacker could craft a malicious artifact that writes dangerous environment v

 ### Exploitation

-An attacker is be able to run arbitrary code by injecting environment variables such as `LD_PRELOAD`, `BASH_ENV`, etc.
+An attacker would be able to run arbitrary code by injecting environment variables such as `LD_PRELOAD`, `BASH_ENV`, etc.

 ## References

--- a/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
+++ b/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
@@ -1,6 +1,6 @@
 /**
 * @name Workflow does not contain permissions
- * @description Workflows should contain permissions to provide a clear understanding has permissions to run the workflow.
+ * @description Workflows should contain explicit permissions to restrict the scope of the default GITHUB_TOKEN.
 * @kind problem
 * @security-severity 5.0
 * @problem.severity warning
--- a/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
+++ b/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
@@ -3,6 +3,7 @@
 * @description All organization and repository secrets are passed to the workflow runner.
 * @kind problem
 * @precision high
+ * @security-severity 5.0
 * @problem.severity warning
 * @id actions/excessive-secrets-exposure
 * @tags actions
--- a/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.md
+++ b/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.md
@@ -2,11 +2,11 @@

 ## Description

-Secrets derived from other secrets are not known to the workflow runner and therefore not masked unless explicitly registered.
+Secrets derived from other secrets are not known to the workflow runner, and therefore are not masked unless explicitly registered.

 ## Recommendations

-Avoid defining non-plain secrets. For example, do not define a new secret containing a JSON object and then read properties out of it from the workflow since these read values will not be masked by the workflow runner.
+Avoid defining non-plain secrets. For example, do not define a new secret containing a JSON object and then read properties out of it from the workflow, since these read values will not be masked by the workflow runner.

 ## Examples

--- a/actions/ql/src/change-notes/2025-04-14-excessive-secrets-exposure-security-severity.md
+++ b/actions/ql/src/change-notes/2025-04-14-excessive-secrets-exposure-security-severity.md
@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* Assigned a `security-severity` to the query `actions/excessive-secrets-exposure`.