hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-26 17:25:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into constcrypto

Browse Source
This commit is contained in:
Geoffrey White
2025-07-17 16:13:58 +01:00
parent 898c569f1b a9fb49a2c3
commit c2ddf25f11
7652 changed files with 716835 additions and 149896 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.bazelrc
View File

@@ -37,5 +37,6 @@ build --java_language_version=17
build --tool_java_language_version=17
build --tool_java_runtime_version=remotejdk_17
build --java_runtime_version=remotejdk_17
build --@rules_python//python/config_settings:python_version=3.12
try-import %workspace%/local.bazelrc

2
.bazelrc.internal
View File

@@ -8,3 +8,5 @@ common --registry=https://bcr.bazel.build
# its implementation packages without providing any code itself.
# We either can depend on internal implementation details, or turn of strict deps.
common --@rules_dotnet//dotnet/settings:strict_deps=false
build --@rules_python//python/config_settings:python_version=3.12

2
.bazelversion
View File

@@ -1 +1 @@
8.0.0
8.1.1

7
.devcontainer/Dockerfile.codespaces Normal file
View File

@@ -0,0 +1,7 @@
FROM mcr.microsoft.com/devcontainers/base:ubuntu-24.04
USER root
# Install needed packages according to https://codeql.github.com/docs/codeql-overview/system-requirements/
# most come from the base image, but we need to install some additional ones
RUN DEBIAN_FRONTEND=noninteractive apt update && apt install -y sudo man-db python3.12 npm unminimize
RUN yes | unminimize

5
.devcontainer/devcontainer.json
View File

@@ -1,5 +1,4 @@
{
"image": "mcr.microsoft.com/devcontainers/base:ubuntu-24.04",
"extensions": [
"rust-lang.rust-analyzer",
"bungcip.better-toml",
@@ -8,6 +7,10 @@
"ms-vscode.test-adapter-converter",
"slevesque.vscode-zipexplorer"
],
"build": {
// Path is relative to the devcontainer.json file.
"dockerfile": "Dockerfile.codespaces"
},
"settings": {
"files.watcherExclude": {
"**/target/**": true

4
.github/copilot-instructions.md vendored Normal file
View File

@@ -0,0 +1,4 @@
When reviewing code:
* do not review changes in files with `.expected` extension (they are automatically ensured to be correct).
* in `.ql` and `.qll` files, do not try to review the code itself as you don't understand the programming language
well enough to make comments in these languages. You can still check for typos or comment improvements.

6
.github/workflows/build-ripunzip.yml vendored
View File

@@ -6,18 +6,18 @@ on:
ripunzip-version:
description: "what reference to checktout from google/runzip"
required: false
default: v1.2.1
default: v2.0.2
openssl-version:
description: "what reference to checkout from openssl/openssl for Linux"
required: false
default: openssl-3.3.0
default: openssl-3.5.0
jobs:
build:
strategy:
fail-fast: false
matrix:
os: [ubuntu-20.04, macos-13, windows-2019]
os: [ubuntu-22.04, macos-13, windows-2022]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4

1
.github/workflows/check-change-note.yml vendored
View File

@@ -16,7 +16,6 @@ on:
- "shared/**/*.qll"
- "!**/experimental/**"
- "!ql/**"
- "!rust/**"
- ".github/workflows/check-change-note.yml"
jobs:

23
.github/workflows/check-overlay-annotations.yml vendored Normal file
View File

@@ -0,0 +1,23 @@
name: Check overlay annotations
on:
push:
branches:
- main
- 'rc/*'
pull_request:
branches:
- main
- 'rc/*'
permissions:
contents: read
jobs:
sync:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Check overlay annotations
run: python config/add-overlay-annotations.py --check java

4
.github/workflows/csharp-qltest.yml vendored
View File

@@ -36,7 +36,7 @@ jobs:
unit-tests:
strategy:
matrix:
os: [ubuntu-latest, windows-2019]
os: [ubuntu-latest, windows-latest]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
@@ -66,6 +66,6 @@ jobs:
# Update existing stubs in the repo with the freshly generated ones
mv "$STUBS_PATH/output/stubs/_frameworks" ql/test/resources/stubs/
git status
codeql test run --threads=0 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries -- ql/test/library-tests/dataflow/flowsources/aspremote
codeql test run --threads=0 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries -- ql/test/library-tests/dataflow/flowsources/aspremote
env:
GITHUB_TOKEN: ${{ github.token }}

36
.github/workflows/go-tests-other-os.yml vendored
View File

@@ -1,36 +0,0 @@
name: "Go: Run Tests - Other OS"
on:
pull_request:
paths:
- "go/**"
- "!go/documentation/**"
- "!go/ql/**" # don't run other-os if only ql/ files changed
- .github/workflows/go-tests-other-os.yml
- .github/actions/**
- codeql-workspace.yml
- MODULE.bazel
- .bazelrc
- misc/bazel/**
permissions:
contents: read
jobs:
test-mac:
name: Test MacOS
runs-on: macos-latest
steps:
- name: Check out code
uses: actions/checkout@v4
- name: Run tests
uses: ./go/actions/test
test-win:
if: github.repository_owner == 'github'
name: Test Windows
runs-on: windows-latest-xl
steps:
- name: Check out code
uses: actions/checkout@v4
- name: Run tests
uses: ./go/actions/test

13
.github/workflows/go-tests.yml vendored
View File

@@ -1,20 +1,9 @@
name: "Go: Run Tests"
on:
push:
paths:
- "go/**"
- "!go/documentation/**"
- "shared/**"
- .github/workflows/go-tests.yml
- .github/actions/**
- codeql-workspace.yml
branches:
- main
- "rc/*"
pull_request:
paths:
- "go/**"
- "!go/documentation/**"
- "!go/documentation/**"
- "shared/**"
- .github/workflows/go-tests.yml
- .github/actions/**

2
.github/workflows/mad_modelDiff.yml vendored
View File

@@ -68,7 +68,7 @@ jobs:
DATABASE=$2
cd codeql-$QL_VARIANT
SHORTNAME=`basename $DATABASE`
python java/ql/src/utils/modelgenerator/GenerateFlowModel.py --with-summaries --with-sinks $DATABASE $SHORTNAME/$QL_VARIANT
python misc/scripts/models-as-data/generate_mad.py --language java --with-summaries --with-sinks $DATABASE $SHORTNAME/$QL_VARIANT
mkdir -p $MODELS/$SHORTNAME
mv java/ql/lib/ext/generated/$SHORTNAME/$QL_VARIANT $MODELS/$SHORTNAME
cd ..

35
.github/workflows/python-tooling.yml vendored Normal file
View File

@@ -0,0 +1,35 @@
name: Python tooling
on:
pull_request:
paths:
- "misc/bazel/**"
- "misc/codegen/**"
- "misc/scripts/models-as-data/bulk_generate_mad.py"
- "*.bazel*"
- .github/workflows/codegen.yml
- .pre-commit-config.yaml
branches:
- main
- rc/*
- codeql-cli-*
permissions:
contents: read
jobs:
check-python-tooling:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: '3.12'
- uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
name: Check that python code is properly formatted
with:
extra_args: black --all-files
- name: Run codegen tests
shell: bash
run: |
bazel test //misc/codegen/...

2
.github/workflows/ql-for-ql-dataset_measure.yml vendored
View File

@@ -53,7 +53,7 @@ jobs:
- name: Create database
run: |
"${CODEQL}" database create \
--search-path "${{ github.workspace }}"
--search-path "${{ github.workspace }}" \
--threads 4 \
--language ql --source-root "${{ github.workspace }}/repo" \
"${{ runner.temp }}/database"

40
.github/workflows/ruby-qltest-rtjo.yml vendored Normal file
View File

@@ -0,0 +1,40 @@
name: "Ruby: Run RTJO Language Tests"
on:
pull_request:
types:
- opened
- synchronize
- reopened
- labeled
env:
CARGO_TERM_COLOR: always
defaults:
run:
working-directory: ruby
permissions:
contents: read
jobs:
qltest-rtjo:
if: "github.repository_owner == 'github' && github.event.label.name == 'Run: RTJO Language Tests'"
runs-on: ubuntu-latest-xl
strategy:
fail-fast: false
steps:
- uses: actions/checkout@v4
- uses: ./.github/actions/fetch-codeql
- uses: ./ruby/actions/create-extractor-pack
- name: Cache compilation cache
id: query-cache
uses: ./.github/actions/cache-query-compilation
with:
key: ruby-qltest
- name: Run QL tests
run: |
codeql test run --dynamic-join-order-mode=all --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
env:
GITHUB_TOKEN: ${{ github.token }}

2
.github/workflows/ruby-qltest.yml vendored
View File

@@ -68,6 +68,6 @@ jobs:
key: ruby-qltest
- name: Run QL tests
run: |
codeql test run --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
codeql test run --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
env:
GITHUB_TOKEN: ${{ github.token }}

77
.github/workflows/swift.yml vendored
View File

@@ -18,45 +18,39 @@ on:
- main
- rc/*
- codeql-cli-*
push:
paths:
- "swift/**"
- "misc/bazel/**"
- "misc/codegen/**"
- "shared/**"
- "*.bazel*"
- .github/workflows/swift.yml
- .github/actions/**
- codeql-workspace.yml
- .pre-commit-config.yaml
- "!**/*.md"
- "!**/*.qhelp"
branches:
- main
- rc/*
- codeql-cli-*
permissions:
contents: read
defaults:
run:
shell: bash
working-directory: swift
jobs:
# not using a matrix as you cannot depend on a specific job in a matrix, and we want to start linux checks
# without waiting for the macOS build
build-and-test-macos:
build-and-test:
if: github.repository_owner == 'github'
runs-on: macos-13-xlarge
strategy:
matrix:
runner: [ubuntu-latest, macos-15-xlarge]
fail-fast: false
runs-on: ${{ matrix.runner }}
steps:
- uses: actions/checkout@v4
- uses: ./swift/actions/build-and-test
qltests-macos:
if: ${{ github.repository_owner == 'github' && github.event_name == 'pull_request' }}
needs: build-and-test-macos
runs-on: macos-13-xlarge
steps:
- uses: actions/checkout@v4
- uses: ./swift/actions/run-ql-tests
- name: Setup (Linux)
if: runner.os == 'Linux'
run: |
sudo apt-get update
sudo apt-get install -y uuid-dev zlib1g-dev
- name: Build Swift extractor
shell: bash
run: |
bazel run :install
- name: Run Swift tests
shell: bash
run: |
bazel test ... --test_tag_filters=-override --test_output=errors
clang-format:
if : ${{ github.event_name == 'pull_request' }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
@@ -65,18 +59,9 @@ jobs:
with:
extra_args: clang-format --all-files
codegen:
if : ${{ github.event_name == 'pull_request' }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: bazelbuild/setup-bazelisk@v2
- uses: actions/setup-python@v4
with:
python-version-file: 'swift/.python-version'
- uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
name: Check that python code is properly formatted
with:
extra_args: autopep8 --all-files
- uses: ./.github/actions/fetch-codeql
- uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
name: Check that QL generated code was checked in
@@ -84,22 +69,14 @@ jobs:
extra_args: swift-codegen --all-files
- name: Generate C++ files
run: |
bazel run //swift/codegen:codegen -- --generate=trap,cpp --cpp-output=$PWD/generated-cpp-files
bazel run codegen -- --generate=trap,cpp --cpp-output=$PWD/generated-cpp-files
- uses: actions/upload-artifact@v4
with:
name: swift-generated-cpp-files
path: generated-cpp-files/**
database-upgrade-scripts:
if : ${{ github.event_name == 'pull_request' }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: ./.github/actions/fetch-codeql
- uses: ./swift/actions/database-upgrade-scripts
check-no-override:
if : github.event_name == 'pull_request'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- shell: bash
run: bazel test //swift/... --test_tag_filters=override --test_output=errors
- name: Check that no override is present in load.bzl
run: bazel test ... --test_tag_filters=override --test_output=errors

2
.github/workflows/validate-change-notes.yml vendored
View File

@@ -31,4 +31,4 @@ jobs:
- name: Fail if there are any errors with existing change notes
run: |
codeql pack release --groups cpp,csharp,java,javascript,python,ruby,-examples,-test,-experimental
codeql pack release --groups actions,cpp,csharp,go,java,javascript,python,ruby,shared,swift -examples,-test,-experimental

5
.gitignore vendored
View File

@@ -62,6 +62,7 @@ node_modules/
# Temporary folders for working with generated models
.model-temp
/mad-generation-build
# bazel-built in-tree extractor packs
/*/extractor-pack
@@ -71,3 +72,7 @@ node_modules/
# cargo build directory
/target
# some upgrade/downgrade checks create these files
**/upgrades/*/*.dbscheme.stats
**/downgrades/*/*.dbscheme.stats

14
.pre-commit-config.yaml
View File

@@ -1,5 +1,7 @@
# See https://pre-commit.com for more information
# See https://pre-commit.com/hooks.html for more hooks
default_language_version:
python: python3.12
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v3.2.0
@@ -7,18 +9,18 @@ repos:
- id: trailing-whitespace
exclude: /test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
- id: end-of-file-fixer
exclude: /test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
exclude: Cargo.lock$|/test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
- repo: https://github.com/pre-commit/mirrors-clang-format
rev: v17.0.6
hooks:
- id: clang-format
- repo: https://github.com/pre-commit/mirrors-autopep8
rev: v2.0.4
- repo: https://github.com/psf/black
rev: 25.1.0
hooks:
- id: autopep8
files: ^misc/codegen/.*\.py
- id: black
files: ^(misc/codegen/.*|misc/scripts/models-as-data/.*)\.py$
- repo: local
hooks:
@@ -72,7 +74,7 @@ repos:
- id: rust-codegen
name: Run Rust checked in code generation
files: ^misc/codegen/|^rust/(prefix\.dbscheme|schema/|codegen/|.*/generated/|ql/lib/(rust\.dbscheme$|codeql/rust/elements)|\.generated.list)
files: ^misc/codegen/|^rust/(prefix\.dbscheme|schema/|codegen/|.*/generated/|ql/lib/(rust\.dbscheme$|codeql/rust/elements)|\.generated.list|ast-generator/)
language: system
entry: bazel run //rust/codegen -- --quiet
pass_filenames: false

6
CODEOWNERS
View File

@@ -8,12 +8,17 @@
/javascript/ @github/codeql-javascript
/python/ @github/codeql-python
/ruby/ @github/codeql-ruby
/rust/ @github/codeql-rust
/swift/ @github/codeql-swift
/misc/codegen/ @github/codeql-swift
/java/kotlin-extractor/ @github/codeql-kotlin
/java/ql/test-kotlin1/ @github/codeql-kotlin
/java/ql/test-kotlin2/ @github/codeql-kotlin
# Experimental CodeQL cryptography
**/experimental/**/quantum/ @github/ps-codeql
/shared/quantum/ @github/ps-codeql
# CodeQL tools and associated docs
/docs/codeql/codeql-cli/ @github/codeql-cli-reviewers
/docs/codeql/codeql-for-visual-studio-code/ @github/codeql-vscode-reviewers
@@ -38,6 +43,7 @@ MODULE.bazel @github/codeql-ci-reviewers
/.github/workflows/go-* @github/codeql-go
/.github/workflows/ql-for-ql-* @github/codeql-ql-for-ql-reviewers
/.github/workflows/ruby-* @github/codeql-ruby
/.github/workflows/rust.yml @github/codeql-rust
/.github/workflows/swift.yml @github/codeql-swift
# Misc

1112
Cargo.lock generated
View File

File diff suppressed because it is too large Load Diff

6
Cargo.toml
View File

@@ -10,8 +10,4 @@ members = [
"rust/ast-generator",
"rust/autobuild",
]
[patch.crates-io]
# patch for build script bug preventing bazel build
# see https://github.com/rust-lang/rustc_apfloat/pull/17
rustc_apfloat = { git = "https://github.com/redsun82/rustc_apfloat.git", rev = "096d585100636bc2e9f09d7eefec38c5b334d47b" }
exclude = ["mad-generation-build"]

128
MODULE.bazel
View File

@@ -24,11 +24,11 @@ bazel_dep(name = "bazel_skylib", version = "1.7.1")
bazel_dep(name = "abseil-cpp", version = "20240116.1", repo_name = "absl")
bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
bazel_dep(name = "fmt", version = "10.0.0")
bazel_dep(name = "rules_kotlin", version = "2.0.0-codeql.1")
bazel_dep(name = "rules_kotlin", version = "2.1.3-codeql.1")
bazel_dep(name = "gazelle", version = "0.40.0")
bazel_dep(name = "rules_dotnet", version = "0.17.4")
bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
bazel_dep(name = "rules_rust", version = "0.57.1")
bazel_dep(name = "rules_rust", version = "0.58.0")
bazel_dep(name = "zstd", version = "1.5.5.bcr.1")
bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
@@ -37,7 +37,8 @@ bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True
# the versions there are canonical, the versions here are used for CI in github/codeql, as well as for the vendoring of dependencies.
RUST_EDITION = "2024"
RUST_VERSION = "1.85.0"
# run buildutils-internal/scripts/fill-rust-sha256s.py when updating (internal repo)
RUST_VERSION = "1.86.0"
rust = use_extension("@rules_rust//rust:extensions.bzl", "rust")
rust.toolchain(
@@ -47,6 +48,29 @@ rust.toolchain(
"x86_64-apple-darwin",
"aarch64-apple-darwin",
],
# generated by buildutils-internal/scripts/fill-rust-sha256s.py (internal repo)
sha256s = {
"rustc-1.86.0-x86_64-unknown-linux-gnu.tar.xz": "4438b809ce4a083af31ed17aeeedcc8fc60ccffc0625bef1926620751b6989d7",
"rustc-1.86.0-x86_64-apple-darwin.tar.xz": "42b76253626febb7912541a30d3379f463dec89581aad4cb72c6c04fb5a71dc5",
"rustc-1.86.0-aarch64-apple-darwin.tar.xz": "23b8f52102249a47ab5bc859d54c9a3cb588a3259ba3f00f557d50edeca4fde9",
"rustc-1.86.0-x86_64-pc-windows-msvc.tar.xz": "fdde839fea274529a31e51eb85c6df1782cc8479c9d1bc24e2914d66a0de41ab",
"clippy-1.86.0-x86_64-unknown-linux-gnu.tar.xz": "02aaff2c1407d2da8dba19aa4970dd873e311902b120a66cbcdbe51eb8836edf",
"clippy-1.86.0-x86_64-apple-darwin.tar.xz": "bb85efda7bbffaf124867f5ca36d50932b1e8f533c62ee923438afb32ff8fe9a",
"clippy-1.86.0-aarch64-apple-darwin.tar.xz": "239fa3a604b124f0312f2af08537874a1227dba63385484b468cca62e7c4f2f2",
"clippy-1.86.0-x86_64-pc-windows-msvc.tar.xz": "d00498f47d49219f032e2c5eeebdfc3d32317c0dc3d3fd7125327445bc482cb4",
"cargo-1.86.0-x86_64-unknown-linux-gnu.tar.xz": "c5c1590f7e9246ad9f4f97cfe26ffa92707b52a769726596a9ef81565ebd908b",
"cargo-1.86.0-x86_64-apple-darwin.tar.xz": "af163eb02d1a178044d1b4f2375960efd47130f795f6e33d09e345454bb26f4e",
"cargo-1.86.0-aarch64-apple-darwin.tar.xz": "3cb13873d48c3e1e4cc684d42c245226a11fba52af6b047c3346ed654e7a05c0",
"cargo-1.86.0-x86_64-pc-windows-msvc.tar.xz": "e57a9d89619b5604899bac443e68927bdd371e40f2e03e18950b6ceb3eb67966",
"llvm-tools-1.86.0-x86_64-unknown-linux-gnu.tar.xz": "282145ab7a63c98b625856f44b905b4dc726b497246b824632a5790debe95a78",
"llvm-tools-1.86.0-x86_64-apple-darwin.tar.xz": "b55706e92f7da989207c50c13c7add483a9fedd233bc431b106eca2a8f151ec9",
"llvm-tools-1.86.0-aarch64-apple-darwin.tar.xz": "04d3618c686845853585f036e3211eb9e18f2d290f4610a7a78bdc1fcce1ebd9",
"llvm-tools-1.86.0-x86_64-pc-windows-msvc.tar.xz": "721a17cc8dc219177e4277a3592253934ef08daa1e1b12eda669a67d15fad8dd",
"rust-std-1.86.0-x86_64-unknown-linux-gnu.tar.xz": "67be7184ea388d8ce0feaf7fdea46f1775cfc2970930264343b3089898501d37",
"rust-std-1.86.0-x86_64-apple-darwin.tar.xz": "3b1140d54870a080080e84700143f4a342fbd02a410a319b05d9c02e7dcf44cc",
"rust-std-1.86.0-aarch64-apple-darwin.tar.xz": "0fb121fb3b8fa9027d79ff598500a7e5cd086ddbc3557482ed3fdda00832c61b",
"rust-std-1.86.0-x86_64-pc-windows-msvc.tar.xz": "3d5354b7b9cb950b58bff3fce18a652aa374bb30c8f70caebd3bd0b43cb41a33",
},
versions = [RUST_VERSION],
)
use_repo(rust, "rust_toolchains")
@@ -71,13 +95,13 @@ use_repo(
tree_sitter_extractors_deps = use_extension("//misc/bazel/3rdparty:tree_sitter_extractors_extension.bzl", "r")
use_repo(
tree_sitter_extractors_deps,
"vendor_ts__anyhow-1.0.96",
"vendor_ts__anyhow-1.0.98",
"vendor_ts__argfile-0.2.1",
"vendor_ts__chalk-ir-0.99.0",
"vendor_ts__chrono-0.4.39",
"vendor_ts__clap-4.5.31",
"vendor_ts__chalk-ir-0.103.0",
"vendor_ts__chrono-0.4.41",
"vendor_ts__clap-4.5.40",
"vendor_ts__dunce-1.0.5",
"vendor_ts__either-1.14.0",
"vendor_ts__either-1.15.0",
"vendor_ts__encoding-0.2.33",
"vendor_ts__figment-0.10.19",
"vendor_ts__flate2-1.1.0",
@@ -87,33 +111,33 @@ use_repo(
"vendor_ts__lazy_static-1.5.0",
"vendor_ts__mustache-0.9.0",
"vendor_ts__num-traits-0.2.19",
"vendor_ts__num_cpus-1.16.0",
"vendor_ts__proc-macro2-1.0.93",
"vendor_ts__quote-1.0.38",
"vendor_ts__ra_ap_base_db-0.0.266",
"vendor_ts__ra_ap_cfg-0.0.266",
"vendor_ts__ra_ap_hir-0.0.266",
"vendor_ts__ra_ap_hir_def-0.0.266",
"vendor_ts__ra_ap_hir_expand-0.0.266",
"vendor_ts__ra_ap_hir_ty-0.0.266",
"vendor_ts__ra_ap_ide_db-0.0.266",
"vendor_ts__ra_ap_intern-0.0.266",
"vendor_ts__ra_ap_load-cargo-0.0.266",
"vendor_ts__ra_ap_parser-0.0.266",
"vendor_ts__ra_ap_paths-0.0.266",
"vendor_ts__ra_ap_project_model-0.0.266",
"vendor_ts__ra_ap_span-0.0.266",
"vendor_ts__ra_ap_stdx-0.0.266",
"vendor_ts__ra_ap_syntax-0.0.266",
"vendor_ts__ra_ap_vfs-0.0.266",
"vendor_ts__rand-0.9.0",
"vendor_ts__num_cpus-1.17.0",
"vendor_ts__proc-macro2-1.0.95",
"vendor_ts__quote-1.0.40",
"vendor_ts__ra_ap_base_db-0.0.288",
"vendor_ts__ra_ap_cfg-0.0.288",
"vendor_ts__ra_ap_hir-0.0.288",
"vendor_ts__ra_ap_hir_def-0.0.288",
"vendor_ts__ra_ap_hir_expand-0.0.288",
"vendor_ts__ra_ap_hir_ty-0.0.288",
"vendor_ts__ra_ap_ide_db-0.0.288",
"vendor_ts__ra_ap_intern-0.0.288",
"vendor_ts__ra_ap_load-cargo-0.0.288",
"vendor_ts__ra_ap_parser-0.0.288",
"vendor_ts__ra_ap_paths-0.0.288",
"vendor_ts__ra_ap_project_model-0.0.288",
"vendor_ts__ra_ap_span-0.0.288",
"vendor_ts__ra_ap_stdx-0.0.288",
"vendor_ts__ra_ap_syntax-0.0.288",
"vendor_ts__ra_ap_vfs-0.0.288",
"vendor_ts__rand-0.9.1",
"vendor_ts__rayon-1.10.0",
"vendor_ts__regex-1.11.1",
"vendor_ts__serde-1.0.218",
"vendor_ts__serde_json-1.0.139",
"vendor_ts__serde_with-3.12.0",
"vendor_ts__syn-2.0.98",
"vendor_ts__toml-0.8.20",
"vendor_ts__serde-1.0.219",
"vendor_ts__serde_json-1.0.140",
"vendor_ts__serde_with-3.13.0",
"vendor_ts__syn-2.0.103",
"vendor_ts__toml-0.8.23",
"vendor_ts__tracing-0.1.41",
"vendor_ts__tracing-flame-0.2.0",
"vendor_ts__tracing-subscriber-0.3.19",
@@ -124,6 +148,7 @@ use_repo(
"vendor_ts__tree-sitter-ruby-0.23.1",
"vendor_ts__triomphe-0.1.14",
"vendor_ts__ungrammar-1.16.1",
"vendor_ts__zstd-0.13.3",
)
http_archive = use_repo_rule("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
@@ -155,7 +180,7 @@ use_repo(csharp_main_extension, "paket.main")
pip = use_extension("@rules_python//python/extensions:pip.bzl", "pip")
pip.parse(
hub_name = "codegen_deps",
python_version = "3.11",
python_version = "3.12",
requirements_lock = "//misc/codegen:requirements_lock.txt",
)
use_repo(pip, "codegen_deps")
@@ -193,10 +218,6 @@ use_repo(
kotlin_extractor_deps,
"codeql_kotlin_defaults",
"codeql_kotlin_embeddable",
"kotlin-compiler-1.5.0",
"kotlin-compiler-1.5.10",
"kotlin-compiler-1.5.20",
"kotlin-compiler-1.5.30",
"kotlin-compiler-1.6.0",
"kotlin-compiler-1.6.20",
"kotlin-compiler-1.7.0",
@@ -208,10 +229,7 @@ use_repo(
"kotlin-compiler-2.0.20-Beta2",
"kotlin-compiler-2.1.0-Beta1",
"kotlin-compiler-2.1.20-Beta1",
"kotlin-compiler-embeddable-1.5.0",
"kotlin-compiler-embeddable-1.5.10",
"kotlin-compiler-embeddable-1.5.20",
"kotlin-compiler-embeddable-1.5.30",
"kotlin-compiler-2.2.0-Beta1",
"kotlin-compiler-embeddable-1.6.0",
"kotlin-compiler-embeddable-1.6.20",
"kotlin-compiler-embeddable-1.7.0",
@@ -223,10 +241,7 @@ use_repo(
"kotlin-compiler-embeddable-2.0.20-Beta2",
"kotlin-compiler-embeddable-2.1.0-Beta1",
"kotlin-compiler-embeddable-2.1.20-Beta1",
"kotlin-stdlib-1.5.0",
"kotlin-stdlib-1.5.10",
"kotlin-stdlib-1.5.20",
"kotlin-stdlib-1.5.30",
"kotlin-compiler-embeddable-2.2.0-Beta1",
"kotlin-stdlib-1.6.0",
"kotlin-stdlib-1.6.20",
"kotlin-stdlib-1.7.0",
@@ -238,6 +253,7 @@ use_repo(
"kotlin-stdlib-2.0.20-Beta2",
"kotlin-stdlib-2.1.0-Beta1",
"kotlin-stdlib-2.1.20-Beta1",
"kotlin-stdlib-2.2.0-Beta1",
)
go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
@@ -247,24 +263,24 @@ go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
go_deps.from_file(go_mod = "//go/extractor:go.mod")
use_repo(go_deps, "org_golang_x_mod", "org_golang_x_tools")
lfs_files = use_repo_rule("//misc/bazel:lfs.bzl", "lfs_files")
lfs_archive = use_repo_rule("//misc/bazel:lfs.bzl", "lfs_archive")
lfs_files(
lfs_archive(
name = "ripunzip-linux",
srcs = ["//misc/ripunzip:ripunzip-linux"],
executable = True,
src = "//misc/ripunzip:ripunzip-Linux.zip",
build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
)
lfs_files(
lfs_archive(
name = "ripunzip-windows",
srcs = ["//misc/ripunzip:ripunzip-windows.exe"],
executable = True,
src = "//misc/ripunzip:ripunzip-Windows.zip",
build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
)
lfs_files(
lfs_archive(
name = "ripunzip-macos",
srcs = ["//misc/ripunzip:ripunzip-macos"],
executable = True,
src = "//misc/ripunzip:ripunzip-macOS.zip",
build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
)
register_toolchains(

45
actions/extractor/tools/autobuild-impl.ps1
View File

@@ -1,27 +1,34 @@
if (($null -ne $env:LGTM_INDEX_INCLUDE) -or ($null -ne $env:LGTM_INDEX_EXCLUDE) -or ($null -ne $env:LGTM_INDEX_FILTERS)) {
Write-Output 'Path filters set. Passing them through to the JavaScript extractor.'
} else {
Write-Output 'No path filters set. Using the default filters.'
# Note: We're adding the `reusable_workflows` subdirectories to proactively
# record workflows that were called cross-repo, check them out locally,
# and enable an interprocedural analysis across the workflow files.
# These workflows follow the convention `.github/reusable_workflows/<nwo>/*.ya?ml`
$DefaultPathFilters = @(
'exclude:**/*',
'include:.github/workflows/*.yml',
'include:.github/workflows/*.yaml',
'include:.github/reusable_workflows/**/*.yml',
'include:.github/reusable_workflows/**/*.yaml',
'include:**/action.yml',
'include:**/action.yaml'
)
# Note: We're adding the `reusable_workflows` subdirectories to proactively
# record workflows that were called cross-repo, check them out locally,
# and enable an interprocedural analysis across the workflow files.
# These workflows follow the convention `.github/reusable_workflows/<nwo>/*.ya?ml`
$DefaultPathFilters = @(
'exclude:**/*',
'include:.github/workflows/*.yml',
'include:.github/workflows/*.yaml',
'include:.github/reusable_workflows/**/*.yml',
'include:.github/reusable_workflows/**/*.yaml',
'include:**/action.yml',
'include:**/action.yaml'
)
if ($null -ne $env:LGTM_INDEX_FILTERS) {
Write-Output 'LGTM_INDEX_FILTERS set. Using the default filters together with the user-provided filters, and passing through to the JavaScript extractor.'
# Begin with the default path inclusions only,
# followed by the user-provided filters.
# If the user provided `paths`, those patterns override the default inclusions
# (because `LGTM_INDEX_FILTERS` will begin with `exclude:**/*`).
# If the user provided `paths-ignore`, those patterns are excluded.
$PathFilters = ($DefaultPathFilters -join "`n") + "`n" + $env:LGTM_INDEX_FILTERS
$env:LGTM_INDEX_FILTERS = $PathFilters
} else {
Write-Output 'LGTM_INDEX_FILTERS not set. Using the default filters, and passing through to the JavaScript extractor.'
$env:LGTM_INDEX_FILTERS = $DefaultPathFilters -join "`n"
}
# Find the JavaScript extractor directory via `codeql resolve extractor`.
$CodeQL = Join-Path $env:CODEQL_DIST 'codeql.exe'
$env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT = &$CodeQL resolve extractor --language javascript
$env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT = &"$CodeQL" resolve extractor --language javascript
if ($LASTEXITCODE -ne 0) {
throw 'Failed to resolve JavaScript extractor.'
}
@@ -40,7 +47,7 @@ $env:CODEQL_EXTRACTOR_JAVASCRIPT_SOURCE_ARCHIVE_DIR = $env:CODEQL_EXTRACTOR_ACTI
$env:CODEQL_EXTRACTOR_JAVASCRIPT_TRAP_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_TRAP_DIR
$env:CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE = $env:CODEQL_EXTRACTOR_ACTIONS_WIP_DATABASE
&$JavaScriptAutoBuild
&"$JavaScriptAutoBuild"
if ($LASTEXITCODE -ne 0) {
throw "JavaScript autobuilder failed."
}

3
actions/extractor/tools/autobuild.cmd
View File

@@ -1,3 +1,4 @@
@echo off
rem All of the work is done in the PowerShell script
powershell.exe %~dp0autobuild-impl.ps1
echo "Running PowerShell script at '%~dp0autobuild-impl.ps1'"
powershell.exe -File "%~dp0autobuild-impl.ps1"

22
actions/extractor/tools/autobuild.sh
View File

@@ -17,16 +17,28 @@ include:**/action.yaml
END
)
if [ -n "${LGTM_INDEX_INCLUDE:-}" ] || [ -n "${LGTM_INDEX_EXCLUDE:-}" ] || [ -n "${LGTM_INDEX_FILTERS:-}" ] ; then
echo "Path filters set. Passing them through to the JavaScript extractor."
if [ -n "${LGTM_INDEX_FILTERS:-}" ]; then
echo "LGTM_INDEX_FILTERS set. Using the default filters together with the user-provided filters, and passing through to the JavaScript extractor."
# Begin with the default path inclusions only,
# followed by the user-provided filters.
# If the user provided `paths`, those patterns override the default inclusions
# (because `LGTM_INDEX_FILTERS` will begin with `exclude:**/*`).
# If the user provided `paths-ignore`, those patterns are excluded.
PATH_FILTERS="$(cat << END
${DEFAULT_PATH_FILTERS}
${LGTM_INDEX_FILTERS}
END
)"
LGTM_INDEX_FILTERS="${PATH_FILTERS}"
export LGTM_INDEX_FILTERS
else
echo "No path filters set. Using the default filters."
echo "LGTM_INDEX_FILTERS not set. Using the default filters, and passing through to the JavaScript extractor."
LGTM_INDEX_FILTERS="${DEFAULT_PATH_FILTERS}"
export LGTM_INDEX_FILTERS
fi
# Find the JavaScript extractor directory via `codeql resolve extractor`.
CODEQL_EXTRACTOR_JAVASCRIPT_ROOT="$($CODEQL_DIST/codeql resolve extractor --language javascript)"
CODEQL_EXTRACTOR_JAVASCRIPT_ROOT="$("${CODEQL_DIST}/codeql" resolve extractor --language javascript)"
export CODEQL_EXTRACTOR_JAVASCRIPT_ROOT
echo "Found JavaScript extractor at '${CODEQL_EXTRACTOR_JAVASCRIPT_ROOT}'."
@@ -42,4 +54,4 @@ env CODEQL_EXTRACTOR_JAVASCRIPT_DIAGNOSTIC_DIR="${CODEQL_EXTRACTOR_ACTIONS_DIAGN
CODEQL_EXTRACTOR_JAVASCRIPT_SOURCE_ARCHIVE_DIR="${CODEQL_EXTRACTOR_ACTIONS_SOURCE_ARCHIVE_DIR}" \
CODEQL_EXTRACTOR_JAVASCRIPT_TRAP_DIR="${CODEQL_EXTRACTOR_ACTIONS_TRAP_DIR}" \
CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE="${CODEQL_EXTRACTOR_ACTIONS_WIP_DATABASE}" \
${JAVASCRIPT_AUTO_BUILD}
"${JAVASCRIPT_AUTO_BUILD}"

5
actions/ql/integration-tests/filters-default/actions.ql Normal file
View File

@@ -0,0 +1,5 @@
import actions
from AstNode n
where n instanceof Workflow or n instanceof CompositeAction
select n

6
actions/ql/integration-tests/filters/actions.default-filters.expected Normal file
View File

@@ -0,0 +1,6 @@
| src/.github/action.yaml:1:1:11:32 | name: ' ... action' |
| src/.github/actions/action-name/action.yml:1:1:11:32 | name: ' ... action' |
| src/.github/workflows/workflow.yml:1:1:12:33 | name: A workflow |
| src/action.yml:1:1:11:32 | name: ' ... action' |
| src/excluded/action.yml:1:1:11:32 | name: ' ... action' |
| src/included/action.yml:1:1:11:32 | name: ' ... action' |

2
actions/ql/integration-tests/filters/actions.paths-and-paths-ignore.expected Normal file
View File

@@ -0,0 +1,2 @@
| src/included/action.yml:1:1:11:32 | name: ' ... action' |
| src/included/unreachable-workflow.yml:1:1:12:33 | name: A ... orkflow |

5
actions/ql/integration-tests/filters/actions.paths-ignore-only.expected Normal file
View File

@@ -0,0 +1,5 @@
| src/.github/action.yaml:1:1:11:32 | name: ' ... action' |
| src/.github/actions/action-name/action.yml:1:1:11:32 | name: ' ... action' |
| src/.github/workflows/workflow.yml:1:1:12:33 | name: A workflow |
| src/action.yml:1:1:11:32 | name: ' ... action' |
| src/included/action.yml:1:1:11:32 | name: ' ... action' |

2
actions/ql/integration-tests/filters/actions.paths-only.expected Normal file
View File

@@ -0,0 +1,2 @@
| src/included/action.yml:1:1:11:32 | name: ' ... action' |
| src/included/unreachable-workflow.yml:1:1:12:33 | name: A ... orkflow |

5
actions/ql/integration-tests/filters/actions.ql Normal file
View File

@@ -0,0 +1,5 @@
import actions
from AstNode n
where n instanceof Workflow or n instanceof CompositeAction
select n

4
actions/ql/integration-tests/filters/codeql-config.paths-and-paths-ignore.yml Normal file
View File

@@ -0,0 +1,4 @@
paths:
- 'included'
paths-ignore:
- 'excluded'

2
actions/ql/integration-tests/filters/codeql-config.paths-ignore-only.yml Normal file
View File

@@ -0,0 +1,2 @@
paths-ignore:
- 'excluded'

2
actions/ql/integration-tests/filters/codeql-config.paths-only.yml Normal file
View File

@@ -0,0 +1,2 @@
paths:
- 'included'

6
actions/ql/integration-tests/filters/source_archive.default-filters.expected Normal file
View File

@@ -0,0 +1,6 @@
src/.github/action.yaml
src/.github/actions/action-name/action.yml
src/.github/workflows/workflow.yml
src/action.yml
src/excluded/action.yml
src/included/action.yml

3
actions/ql/integration-tests/filters/source_archive.paths-and-paths-ignore.expected Normal file
View File

@@ -0,0 +1,3 @@
src/included/action.yml
src/included/not-an-action.yml
src/included/unreachable-workflow.yml

5
actions/ql/integration-tests/filters/source_archive.paths-ignore-only.expected Normal file
View File

@@ -0,0 +1,5 @@
src/.github/action.yaml
src/.github/actions/action-name/action.yml
src/.github/workflows/workflow.yml
src/action.yml
src/included/action.yml

3
actions/ql/integration-tests/filters/source_archive.paths-only.expected Normal file
View File

@@ -0,0 +1,3 @@
src/included/action.yml
src/included/not-an-action.yml
src/included/unreachable-workflow.yml

11
actions/ql/integration-tests/filters/src/.github/action.yaml vendored Normal file
View File

@@ -0,0 +1,11 @@
name: 'A composite action'
description: 'Do something'
runs:
using: "composite"
steps:
- name: Print
run: echo "Hello world"
shell: bash
- name: Checkout
uses: actions/checkout@v4

11
actions/ql/integration-tests/filters/src/.github/actions/action-name/action.yml vendored Normal file
View File

@@ -0,0 +1,11 @@
name: 'A composite action'
description: 'Do something'
runs:
using: "composite"
steps:
- name: Print
run: echo "Hello world"
shell: bash
- name: Checkout
uses: actions/checkout@v4

12
actions/ql/integration-tests/filters/src/.github/unreachable-workflow.yml vendored Normal file
View File

@@ -0,0 +1,12 @@
name: An unreachable workflow
on:
push:
branches:
- main
jobs:
job:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4

12
actions/ql/integration-tests/filters/src/.github/workflows/workflow.yml vendored Normal file
View File

@@ -0,0 +1,12 @@
name: A workflow
on:
push:
branches:
- main
jobs:
job:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4

11
actions/ql/integration-tests/filters/src/action.yml Normal file
View File

@@ -0,0 +1,11 @@
name: 'A composite action'
description: 'Do something'
runs:
using: "composite"
steps:
- name: Print
run: echo "Hello world"
shell: bash
- name: Checkout
uses: actions/checkout@v4

11
actions/ql/integration-tests/filters/src/excluded/action.yml Normal file
View File

@@ -0,0 +1,11 @@
name: 'A composite action'
description: 'Do something'
runs:
using: "composite"
steps:
- name: Print
run: echo "Hello world"
shell: bash
- name: Checkout
uses: actions/checkout@v4

12
actions/ql/integration-tests/filters/src/excluded/unreachable-workflow.yml Normal file
View File

@@ -0,0 +1,12 @@
name: An unreachable workflow
on:
push:
branches:
- main
jobs:
job:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4

11
actions/ql/integration-tests/filters/src/included/action.yml Normal file
View File

@@ -0,0 +1,11 @@
name: 'A composite action'
description: 'Do something'
runs:
using: "composite"
steps:
- name: Print
run: echo "Hello world"
shell: bash
- name: Checkout
uses: actions/checkout@v4

1
actions/ql/integration-tests/filters/src/included/not-an-action.yml Normal file
View File

@@ -0,0 +1 @@
name: 'Not an action, just a YAML file'

12
actions/ql/integration-tests/filters/src/included/unreachable-workflow.yml Normal file
View File

@@ -0,0 +1,12 @@
name: An unreachable workflow
on:
push:
branches:
- main
jobs:
job:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4

12
actions/ql/integration-tests/filters/src/unreachable-workflow.yml Normal file
View File

@@ -0,0 +1,12 @@
name: An unreachable workflow
on:
push:
branches:
- main
jobs:
job:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4

18
actions/ql/integration-tests/filters/test.py Executable file
View File

@@ -0,0 +1,18 @@
import pytest
@pytest.mark.ql_test(expected=".default-filters.expected")
def test_default_filters(codeql, actions, check_source_archive):
check_source_archive.expected_suffix = ".default-filters.expected"
codeql.database.create(source_root="src")
@pytest.mark.ql_test(expected=".paths-only.expected")
def test_config_paths_only(codeql, actions):
codeql.database.create(source_root="src", codescanning_config="codeql-config.paths-only.yml")
@pytest.mark.ql_test(expected=".paths-ignore-only.expected")
def test_config_paths_ignore_only(codeql, actions):
codeql.database.create(source_root="src", codescanning_config="codeql-config.paths-ignore-only.yml")
@pytest.mark.ql_test(expected=".paths-and-paths-ignore.expected")
def test_config_paths_and_paths_ignore(codeql, actions):
codeql.database.create(source_root="src", codescanning_config="codeql-config.paths-and-paths-ignore.yml")

1
actions/ql/integration-tests/query-suite/actions-code-quality-extended.qls.expected Normal file
View File

@@ -0,0 +1 @@

1
actions/ql/integration-tests/query-suite/actions-code-quality.qls.expected Normal file
View File

@@ -0,0 +1 @@

17
actions/ql/integration-tests/query-suite/actions-code-scanning.qls.expected Normal file
View File

@@ -0,0 +1,17 @@
ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql

27
actions/ql/integration-tests/query-suite/actions-security-and-quality.qls.expected Normal file
View File

@@ -0,0 +1,27 @@
ql/actions/ql/src/Debug/SyntaxError.ql
ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
ql/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
ql/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql
ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
ql/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.ql
ql/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql
ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
ql/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql
ql/actions/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql

23
actions/ql/integration-tests/query-suite/actions-security-extended.qls.expected Normal file
View File

@@ -0,0 +1,23 @@
ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
ql/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
ql/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql
ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
ql/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql

17
actions/ql/integration-tests/query-suite/not_included_in_qls.expected Normal file
View File

@@ -0,0 +1,17 @@
ql/actions/ql/src/Debug/partial.ql
ql/actions/ql/src/Models/CompositeActionsSinks.ql
ql/actions/ql/src/Models/CompositeActionsSources.ql
ql/actions/ql/src/Models/CompositeActionsSummaries.ql
ql/actions/ql/src/Models/ReusableWorkflowsSinks.ql
ql/actions/ql/src/Models/ReusableWorkflowsSources.ql
ql/actions/ql/src/Models/ReusableWorkflowsSummaries.ql
ql/actions/ql/src/experimental/Security/CWE-074/OutputClobberingHigh.ql
ql/actions/ql/src/experimental/Security/CWE-078/CommandInjectionCritical.ql
ql/actions/ql/src/experimental/Security/CWE-078/CommandInjectionMedium.ql
ql/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionCritical.ql
ql/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionMedium.ql
ql/actions/ql/src/experimental/Security/CWE-200/SecretExfiltration.ql
ql/actions/ql/src/experimental/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql
ql/actions/ql/src/experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql
ql/actions/ql/src/experimental/Security/CWE-829/UnversionedImmutableAction.ql
ql/actions/ql/src/experimental/Security/CWE-918/RequestForgery.ql

14
actions/ql/integration-tests/query-suite/test.py Normal file
View File

@@ -0,0 +1,14 @@
import runs_on
import pytest
from query_suites import *
well_known_query_suites = ['actions-code-quality.qls', 'actions-code-quality-extended.qls', 'actions-security-and-quality.qls', 'actions-security-extended.qls', 'actions-code-scanning.qls']
@runs_on.posix
@pytest.mark.parametrize("query_suite", well_known_query_suites)
def test(codeql, actions, check_query_suite, query_suite):
check_query_suite(query_suite)
@runs_on.posix
def test_not_included_queries(codeql, actions, check_queries_not_included):
check_queries_not_included('actions', well_known_query_suites)

49
actions/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,52 @@
## 0.4.13
No user-facing changes.
## 0.4.12
### Minor Analysis Improvements
* Fixed performance issues in the parsing of Bash scripts in workflow files,
which led to out-of-disk errors when analysing certain workflow files with
complex interpolations of shell commands or quoted strings.
## 0.4.11
No user-facing changes.
## 0.4.10
No user-facing changes.
## 0.4.9
No user-facing changes.
## 0.4.8
No user-facing changes.
## 0.4.7
### New Features
* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.
## 0.4.6
### Bug Fixes
* The query `actions/code-injection/medium` now produces alerts for injection
vulnerabilities on `pull_request` events.
## 0.4.5
No user-facing changes.
## 0.4.4
No user-facing changes.
## 0.4.3
### New Features

4
actions/ql/lib/change-notes/2025-07-11-artifact-poisoning.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: fix
---
* The `actions/artifact-poisoning/critical` and `actions/artifact-poisoning/medium` queries now exclude artifacts downloaded to `$[{ runner.temp }}` in addition to `/tmp`.

3
actions/ql/lib/change-notes/released/0.4.10.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.4.10
No user-facing changes.

3
actions/ql/lib/change-notes/released/0.4.11.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.4.11
No user-facing changes.

7
actions/ql/lib/change-notes/released/0.4.12.md Normal file
View File

@@ -0,0 +1,7 @@
## 0.4.12
### Minor Analysis Improvements
* Fixed performance issues in the parsing of Bash scripts in workflow files,
which led to out-of-disk errors when analysing certain workflow files with
complex interpolations of shell commands or quoted strings.

3
actions/ql/lib/change-notes/released/0.4.13.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.4.13
No user-facing changes.

3
actions/ql/lib/change-notes/released/0.4.4.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.4.4
No user-facing changes.

3
actions/ql/lib/change-notes/released/0.4.5.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.4.5
No user-facing changes.

6
actions/ql/lib/change-notes/released/0.4.6.md Normal file
View File

@@ -0,0 +1,6 @@
## 0.4.6
### Bug Fixes
* The query `actions/code-injection/medium` now produces alerts for injection
vulnerabilities on `pull_request` events.

5
actions/ql/lib/change-notes/released/0.4.7.md Normal file
View File

@@ -0,0 +1,5 @@
## 0.4.7
### New Features
* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.

3
actions/ql/lib/change-notes/released/0.4.8.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.4.8
No user-facing changes.

3
actions/ql/lib/change-notes/released/0.4.9.md Normal file
View File

@@ -0,0 +1,3 @@
## 0.4.9
No user-facing changes.

2
actions/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.4.3
lastReleaseVersion: 0.4.13

4
actions/ql/lib/codeql/actions/Ast.qll
View File

@@ -50,8 +50,8 @@ class Expression extends AstNode instanceof ExpressionImpl {
string getNormalizedExpression() { result = normalizeExpr(expression) }
}
/** A common class for `env` in workflow, job or step. */
abstract class Env extends AstNode instanceof EnvImpl {
/** An `env` in workflow, job or step. */
class Env extends AstNode instanceof EnvImpl {
/** Gets an environment variable value given its name. */
ScalarValueImpl getEnvVarValue(string name) { result = super.getEnvVarValue(name) }

138
actions/ql/lib/codeql/actions/Bash.qll
View File

@@ -8,35 +8,64 @@ class BashShellScript extends ShellScript {
)
}
private string lineProducer(int i) {
result = this.getRawScript().regexpReplaceAll("\\\\\\s*\n", "").splitAt("\n", i)
/**
* Gets the line at 0-based index `lineIndex` within this shell script,
* assuming newlines as separators.
*/
private string lineProducer(int lineIndex) {
result = this.getRawScript().regexpReplaceAll("\\\\\\s*\n", "").splitAt("\n", lineIndex)
}
private predicate cmdSubstitutionReplacement(string cmdSubs, string id, int k) {
exists(string line | line = this.lineProducer(k) |
exists(int i, int j |
cmdSubs =
// $() cmd substitution
line.regexpFind("\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)", i, j)
.regexpReplaceAll("^\\$\\(", "")
.regexpReplaceAll("\\)$", "") and
id = "cmdsubs:" + k + ":" + i + ":" + j
)
or
exists(int i, int j |
// `...` cmd substitution
cmdSubs =
line.regexpFind("\\`[^\\`]+\\`", i, j)
.regexpReplaceAll("^\\`", "")
.regexpReplaceAll("\\`$", "") and
id = "cmd:" + k + ":" + i + ":" + j
)
private predicate cmdSubstitutionReplacement(string command, string id, int lineIndex) {
this.commandInSubstitution(lineIndex, command, id)
or
this.commandInBackticks(lineIndex, command, id)
}
/**
* Holds if there is a command substitution `$(command)` in
* the line at `lineIndex` in the shell script,
* and `id` is a unique identifier for this command.
*/
private predicate commandInSubstitution(int lineIndex, string command, string id) {
exists(int occurrenceIndex, int occurrenceOffset |
command =
// Look for the command inside a $(...) command substitution
this.lineProducer(lineIndex)
.regexpFind("\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)", occurrenceIndex,
occurrenceOffset)
// trim starting $( - TODO do this in first regex
.regexpReplaceAll("^\\$\\(", "")
// trim ending ) - TODO do this in first regex
.regexpReplaceAll("\\)$", "") and
id = "cmdsubs:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset
)
}
private predicate rankedCmdSubstitutionReplacements(int i, string old, string new) {
old = rank[i](string old2 | this.cmdSubstitutionReplacement(old2, _, _) | old2) and
this.cmdSubstitutionReplacement(old, new, _)
/**
* Holds if `command` is a command in backticks `` `...` `` in
* the line at `lineIndex` in the shell script,
* and `id` is a unique identifier for this command.
*/
private predicate commandInBackticks(int lineIndex, string command, string id) {
exists(int occurrenceIndex, int occurrenceOffset |
command =
this.lineProducer(lineIndex)
.regexpFind("\\`[^\\`]+\\`", occurrenceIndex, occurrenceOffset)
// trim leading backtick - TODO do this in first regex
.regexpReplaceAll("^\\`", "")
// trim trailing backtick - TODO do this in first regex
.regexpReplaceAll("\\`$", "") and
id = "cmd:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset
)
}
private predicate rankedCmdSubstitutionReplacements(int i, string command, string commandId) {
// rank commands by their unique IDs
commandId = rank[i](string c, string id | this.cmdSubstitutionReplacement(c, id, _) | id) and
// since we cannot output (command, ID) tuples from the rank operation,
// we need to work out the specific command associated with the resulting ID
this.cmdSubstitutionReplacement(command, commandId, _)
}
private predicate doReplaceCmdSubstitutions(int line, int round, string old, string new) {
@@ -64,31 +93,56 @@ class BashShellScript extends ShellScript {
this.cmdSubstitutionReplacement(result, _, i)
}
/**
* Holds if `quotedStr` is a string in double quotes in
* the line at `lineIndex` in the shell script,
* and `id` is a unique identifier for this quoted string.
*/
private predicate doubleQuotedString(int lineIndex, string quotedStr, string id) {
exists(int occurrenceIndex, int occurrenceOffset |
// double quoted string
quotedStr =
this.cmdSubstitutedLineProducer(lineIndex)
.regexpFind("\"((?:[^\"\\\\]|\\\\.)*)\"", occurrenceIndex, occurrenceOffset) and
id =
"qstr:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset + ":" +
quotedStr.length() + ":" + quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
)
}
/**
* Holds if `quotedStr` is a string in single quotes in
* the line at `lineIndex` in the shell script,
* and `id` is a unique identifier for this quoted string.
*/
private predicate singleQuotedString(int lineIndex, string quotedStr, string id) {
exists(int occurrenceIndex, int occurrenceOffset |
// single quoted string
quotedStr =
this.cmdSubstitutedLineProducer(lineIndex)
.regexpFind("'((?:\\\\.|[^'\\\\])*)'", occurrenceIndex, occurrenceOffset) and
id =
"qstr:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset + ":" +
quotedStr.length() + ":" + quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
)
}
private predicate quotedStringReplacement(string quotedStr, string id) {
exists(string line, int k | line = this.cmdSubstitutedLineProducer(k) |
exists(int i, int j |
// double quoted string
quotedStr = line.regexpFind("\"((?:[^\"\\\\]|\\\\.)*)\"", i, j) and
id =
"qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" +
quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
)
exists(int lineIndex |
this.doubleQuotedString(lineIndex, quotedStr, id)
or
exists(int i, int j |
// single quoted string
quotedStr = line.regexpFind("'((?:\\\\.|[^'\\\\])*)'", i, j) and
id =
"qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" +
quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
)
this.singleQuotedString(lineIndex, quotedStr, id)
) and
// Only do this for strings that might otherwise disrupt subsequent parsing
quotedStr.regexpMatch("[\"'].*[$\n\r'\"" + Bash::separator() + "].*[\"']")
}
private predicate rankedQuotedStringReplacements(int i, string old, string new) {
old = rank[i](string old2 | this.quotedStringReplacement(old2, _) | old2) and
this.quotedStringReplacement(old, new)
private predicate rankedQuotedStringReplacements(int i, string quotedString, string quotedStringId) {
// rank quoted strings by their nearly-unique IDs
quotedStringId = rank[i](string s, string id | this.quotedStringReplacement(s, id) | id) and
// since we cannot output (string, ID) tuples from the rank operation,
// we need to work out the specific string associated with the resulting ID
this.quotedStringReplacement(quotedString, quotedStringId)
}
private predicate doReplaceQuotedStrings(int line, int round, string old, string new) {

2
actions/ql/lib/codeql/actions/Helper.qll
View File

@@ -72,7 +72,7 @@ string normalizePath(string path) {
then result = path
else
// foo -> GITHUB_WORKSPACE/foo
if path.regexpMatch("^[^/~].*")
if path.regexpMatch("^[^$/~].*")
then result = "GITHUB_WORKSPACE/" + path.regexpReplaceAll("/$", "")
else
// ~/foo -> ~/foo

10
actions/ql/lib/codeql/actions/config/Config.qll
View File

@@ -154,3 +154,13 @@ predicate untrustedGitCommandDataModel(string cmd_regex, string flag) {
predicate untrustedGhCommandDataModel(string cmd_regex, string flag) {
Extensions::untrustedGhCommandDataModel(cmd_regex, flag)
}
/**
* MaD models for permissions needed by actions
* Fields:
* - action: action name, e.g. `actions/checkout`
* - permission: permission name, e.g. `contents: read`
*/
predicate actionsPermissionsDataModel(string action, string permission) {
Extensions::actionsPermissionsDataModel(action, permission)
}

11
actions/ql/lib/codeql/actions/config/ConfigExtensions.qll
View File

@@ -77,3 +77,14 @@ extensible predicate untrustedGitCommandDataModel(string cmd_regex, string flag)
* Holds for gh commands that may introduce untrusted data
*/
extensible predicate untrustedGhCommandDataModel(string cmd_regex, string flag);
/**
* Holds if `action` needs `permission` to run.
* - 'action' is the name of the action without any version information.
* E.g. for the action selector `actions/checkout@v2`, `action` is `actions/checkout`.
* - `permission` is of the form `scope-name: read|write`, for example `contents: read`.
* - see https://github.com/actions/checkout?tab=readme-ov-file#recommended-permissions
* for an example of recommended permissions.
* - see https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token for documentation of token permissions.
*/
extensible predicate actionsPermissionsDataModel(string action, string permission);

4
actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
View File

@@ -262,8 +262,10 @@ class ArtifactPoisoningSink extends DataFlow::Node {
ArtifactPoisoningSink() {
download.getAFollowingStep() = poisonable and
// excluding artifacts downloaded to /tmp
// excluding artifacts downloaded to the temporary directory
not download.getPath().regexpMatch("^/tmp.*") and
not download.getPath().regexpMatch("^\\$\\{\\{\\s*runner\\.temp\\s*}}.*") and
not download.getPath().regexpMatch("^\\$RUNNER_TEMP.*") and
(
poisonable.(Run).getScript() = this.asExpr() and
(

4
actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll
View File

@@ -214,6 +214,10 @@ private module OutputClobberingConfig implements DataFlow::ConfigSig {
)
)
}
predicate observeDiffInformedIncrementalMode() { any() }
Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
}
/** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */

4
actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll
View File

@@ -16,6 +16,10 @@ private module RequestForgeryConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }
predicate observeDiffInformedIncrementalMode() { any() }
Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
}
/** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */

4
actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll
View File

@@ -15,6 +15,10 @@ private module SecretExfiltrationConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
predicate isSink(DataFlow::Node sink) { sink instanceof SecretExfiltrationSink }
predicate observeDiffInformedIncrementalMode() { any() }
Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
}
/** Tracks flow of unsafe user input that is used in a context where it may lead to a secret exfiltration. */

42
actions/ql/lib/ext/config/actions_permissions.yml Normal file
View File

@@ -0,0 +1,42 @@
extensions:
- addsTo:
pack: codeql/actions-all
extensible: actionsPermissionsDataModel
data:
- ["actions/checkout", "contents: read"]
- ["actions/setup-node", "contents: read"]
- ["actions/setup-python", "contents: read"]
- ["actions/setup-java", "contents: read"]
- ["actions/setup-go", "contents: read"]
- ["actions/setup-dotnet", "contents: read"]
- ["actions/labeler", "contents: read"]
- ["actions/labeler", "pull-requests: write"]
- ["actions/attest", "id-token: write"]
- ["actions/attest", "attestations: write"]
# No permissions needed for actions/add-to-project
- ["actions/dependency-review-action", "contents: read"]
- ["actions/attest-sbom", "id-token: write"]
- ["actions/attest-sbom", "attestations: write"]
- ["actions/stale", "contents: write"]
- ["actions/stale", "issues: write"]
- ["actions/stale", "pull-requests: write"]
- ["actions/attest-build-provenance", "id-token: write"]
- ["actions/attest-build-provenance", "attestations: write"]
- ["actions/deploy-pages", "pages: write"]
- ["actions/deploy-pages", "id-token: write"]
- ["actions/delete-package-versions", "packages: write"]
- ["actions/jekyll-build-pages", "contents: read"]
- ["actions/jekyll-build-pages", "pages: write"]
- ["actions/jekyll-build-pages", "id-token: write"]
- ["actions/publish-action", "contents: write"]
- ["actions/versions-package-tools", "contents: read"]
- ["actions/versions-package-tools", "actions: read"]
- ["actions/reusable-workflows", "contents: read"]
- ["actions/reusable-workflows", "actions: read"]
- ["actions/ai-inference", "contents: read"]
- ["actions/ai-inference", "models: read"]
# TODO: Add permissions for actions/download-artifact
# TODO: Add permissions for actions/upload-artifact
# No permissions needed for actions/upload-pages-artifact
# TODO: Add permissions for actions/cache
# No permissions needed for actions/configure-pages

3
actions/ql/lib/ext/config/context_event_map.yml
View File

@@ -30,6 +30,9 @@ extensions:
- ["pull_request_review_comment", "github.event.review"]
- ["pull_request_review_comment", "github.head_ref"]
- ["pull_request_review_comment", "github.event.changes"]
- ["pull_request", "github.event.pull_request"]
- ["pull_request", "github.head_ref"]
- ["pull_request", "github.event.changes"]
- ["pull_request_target", "github.event.pull_request"]
- ["pull_request_target", "github.head_ref"]
- ["pull_request_target", "github.event.changes"]

1
actions/ql/lib/ext/config/externally_triggereable_events.yml
View File

@@ -12,6 +12,7 @@ extensions:
- ["pull_request_comment"]
- ["pull_request_review"]
- ["pull_request_review_comment"]
- ["pull_request"]
- ["pull_request_target"]
- ["workflow_run"] # depending on branch filter
- ["workflow_call"] # depending on caller

2
actions/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/actions-all
version: 0.4.4-dev
version: 0.4.14-dev
library: true
warnOnImplicitThis: true
dependencies:

74
actions/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,77 @@
## 0.6.5
No user-facing changes.
## 0.6.4
No user-facing changes.
## 0.6.3
No user-facing changes.
## 0.6.2
### Minor Analysis Improvements
* The query `actions/missing-workflow-permissions` is now aware of the minimal permissions needed for the actions `deploy-pages`, `delete-package-versions`, `ai-inference`. This should lead to better alert messages and better fix suggestions.
## 0.6.1
No user-facing changes.
## 0.6.0
### Breaking Changes
* The following queries have been removed from the `security-and-quality` suite.
They are not intended to produce user-facing
alerts describing vulnerabilities.
Any existing alerts for these queries will be closed automatically.
* `actions/composite-action-sinks`
* `actions/composite-action-sources`
* `actions/composite-action-summaries`
* `actions/reusable-workflow-sinks`
(renamed from `actions/reusable-wokflow-sinks`)
* `actions/reusable-workflow-sources`
* `actions/reusable-workflow-summaries`
### Bug Fixes
* Assigned a `security-severity` to the query `actions/excessive-secrets-exposure`.
## 0.5.4
### New Features
* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.
### Bug Fixes
* Alerts produced by the query `actions/missing-workflow-permissions` now include a minimal set of recommended permissions in the alert message, based on well-known actions seen within the workflow file.
## 0.5.3
### Bug Fixes
* Fixed typos in the query and alert titles for the queries
`actions/envpath-injection/critical`, `actions/envpath-injection/medium`,
`actions/envvar-injection/critical`, and `actions/envvar-injection/medium`.
## 0.5.2
No user-facing changes.
## 0.5.1
### Bug Fixes
* The `actions/unversioned-immutable-action` query will no longer report any alerts, since the
Immutable Actions feature is not yet available for customer use. The query has also been moved
to the experimental folder and will not be used in code scanning unless it is explicitly added
to a code scanning configuration. Once the Immutable Actions feature is available, the query will
be updated to report alerts again.
## 0.5.0
### Breaking Changes

4
actions/ql/src/Models/CompositeActionsSinks.ql
View File

@@ -24,6 +24,10 @@ private module MyConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) {
sink instanceof CodeInjectionSink and not madSink(sink, "code-injection")
}
predicate observeDiffInformedIncrementalMode() { any() }
Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
}
module MyFlow = TaintTracking::Global<MyConfig>;

4
actions/ql/src/Models/CompositeActionsSources.ql
View File

@@ -34,6 +34,10 @@ private module MyConfig implements DataFlow::ConfigSig {
isSink(node) and
set instanceof DataFlow::FieldContent
}
predicate observeDiffInformedIncrementalMode() { any() }
Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
}
module MyFlow = TaintTracking::Global<MyConfig>;

4
actions/ql/src/Models/CompositeActionsSummaries.ql
View File

@@ -25,6 +25,10 @@ private module MyConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) {
exists(CompositeAction c | c.getAnOutputExpr() = sink.asExpr())
}
predicate observeDiffInformedIncrementalMode() { any() }
Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
}
module MyFlow = TaintTracking::Global<MyConfig>;

6
actions/ql/src/Models/ReusableWorkflowsSinks.ql
View File

@@ -5,7 +5,7 @@
* @problem.severity warning
* @security-severity 9.3
* @precision high
* @id actions/reusable-wokflow-sinks
* @id actions/reusable-workflow-sinks
* @tags actions
* model-generator
* external/cwe/cwe-020
@@ -24,6 +24,10 @@ private module MyConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) {
sink instanceof CodeInjectionSink and not madSink(sink, "code-injection")
}
predicate observeDiffInformedIncrementalMode() { any() }
Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
}
module MyFlow = TaintTracking::Global<MyConfig>;

4
actions/ql/src/Models/ReusableWorkflowsSources.ql
View File

@@ -34,6 +34,10 @@ private module MyConfig implements DataFlow::ConfigSig {
isSink(node) and
set instanceof DataFlow::FieldContent
}
predicate observeDiffInformedIncrementalMode() { any() }
Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
}
module MyFlow = TaintTracking::Global<MyConfig>;

4
actions/ql/src/Models/ReusableWorkflowsSummaries.ql
View File

@@ -25,6 +25,10 @@ private module MyConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) {
exists(ReusableWorkflow w | w.getAnOutputExpr() = sink.asExpr())
}
predicate observeDiffInformedIncrementalMode() { any() }
Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
}
module MyFlow = TaintTracking::Global<MyConfig>;

10
actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.md
View File

@@ -1,6 +1,4 @@
# Environment Path Injection
## Description
## Overview
GitHub Actions allow to define the system PATH variable by writing to a file pointed to by the `GITHUB_PATH` environment variable. Writing to this file appends a directory to the system PATH variable and automatically makes it available to all subsequent actions in the current job.
@@ -12,11 +10,11 @@ echo "$HOME/.local/bin" >> $GITHUB_PATH
If an attacker can control the contents of the system PATH, they are able to influence what commands are run in subsequent steps of the same job.
## Recommendations
## Recommendation
Do not allow untrusted data to influence the system PATH: Avoid using untrusted data sources (e.g., artifact content) to define the system PATH.
## Examples
## Example
### Incorrect Usage
@@ -36,4 +34,4 @@ If an attacker can manipulate the value being set, such as through artifact down
## References
- [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions)
- GitHub Docs: [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions).

10
actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.md
View File

@@ -1,6 +1,4 @@
# Environment Path Injection
## Description
## Overview
GitHub Actions allow to define the system PATH variable by writing to a file pointed to by the `GITHUB_PATH` environment variable. Writing to this file appends a directory to the system PATH variable and automatically makes it available to all subsequent actions in the current job.
@@ -12,11 +10,11 @@ echo "$HOME/.local/bin" >> $GITHUB_PATH
If an attacker can control the contents of the system PATH, they are able to influence what commands are run in subsequent steps of the same job.
## Recommendations
## Recommendation
Do not allow untrusted data to influence the system PATH: Avoid using untrusted data sources (e.g., artifact content) to define the system PATH.
## Examples
## Example
### Incorrect Usage
@@ -36,4 +34,4 @@ If an attacker can manipulate the value being set, such as through artifact down
## References
- [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions)
- GitHub Docs: [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions).

12
actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.md
View File

@@ -1,6 +1,4 @@
# Environment Variable Injection
## Description
## Overview
GitHub Actions allow to define environment variables by writing to a file pointed to by the `GITHUB_ENV` environment variable:
@@ -37,7 +35,7 @@ steps:
If an attacker can control the values assigned to environment variables and there is no sanitization in place, the attacker will be able to inject additional variables by injecting new lines or `{delimiters}`.
## Recommendations
## Recommendation
1. **Do not allow untrusted data to influence environment variables**:
@@ -64,7 +62,7 @@ If an attacker can control the values assigned to environment variables and ther
} >> "$GITHUB_ENV"
```
## Examples
## Example
### Example of Vulnerability
@@ -113,5 +111,5 @@ An attacker is be able to run arbitrary code by injecting environment variables
## References
- [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions)
- [GitHub Actions Exploitation: Repo Jacking and Environment Manipulation](https://www.synacktiv.com/publications/github-actions-exploitation-repo-jacking-and-environment-manipulation)
- GitHub Docs: [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions).
- Synacktiv: [GitHub Actions Exploitation: Repo Jacking and Environment Manipulation](https://www.synacktiv.com/publications/github-actions-exploitation-repo-jacking-and-environment-manipulation).

14
actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.md
View File

@@ -1,6 +1,4 @@
# Environment Variable Injection
## Description
## Overview
GitHub Actions allow to define environment variables by writing to a file pointed to by the `GITHUB_ENV` environment variable:
@@ -37,7 +35,7 @@ steps:
If an attacker can control the values assigned to environment variables and there is no sanitization in place, the attacker will be able to inject additional variables by injecting new lines or `{delimiters}`.
## Recommendations
## Recommendation
1. **Do not allow untrusted data to influence environment variables**:
@@ -64,7 +62,7 @@ If an attacker can control the values assigned to environment variables and ther
} >> "$GITHUB_ENV"
```
## Examples
## Example
### Example of Vulnerability
@@ -109,9 +107,9 @@ An attacker could craft a malicious artifact that writes dangerous environment v
### Exploitation
An attacker is be able to run arbitrary code by injecting environment variables such as `LD_PRELOAD`, `BASH_ENV`, etc.
An attacker would be able to run arbitrary code by injecting environment variables such as `LD_PRELOAD`, `BASH_ENV`, etc.
## References
- [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions)
- [GitHub Actions Exploitation: Repo Jacking and Environment Manipulation](https://www.synacktiv.com/publications/github-actions-exploitation-repo-jacking-and-environment-manipulation)
- GitHub Docs: [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions).
- Synacktiv: [GitHub Actions Exploitation: Repo Jacking and Environment Manipulation](https://www.synacktiv.com/publications/github-actions-exploitation-repo-jacking-and-environment-manipulation).

8
actions/ql/src/Security/CWE-094/CodeInjectionCritical.md
View File

@@ -1,18 +1,16 @@
# Code Injection in GitHub Actions
## Description
## Overview
Using user-controlled input in GitHub Actions may lead to code injection in contexts like _run:_ or _script:_.
Code injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token may have write access to the repository, allowing an attacker to make changes to the repository.
## Recommendations
## Recommendation
The best practice to avoid code injection vulnerabilities in GitHub workflows is to set the untrusted input value of the expression to an intermediate environment variable and then use the environment variable using the native syntax of the shell/script interpreter (that is, not _${{ env.VAR }}_).
It is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN.
## Examples
## Example
### Incorrect Usage

8
actions/ql/src/Security/CWE-094/CodeInjectionMedium.md
View File

@@ -1,18 +1,16 @@
# Code Injection in GitHub Actions
## Description
## Overview
Using user-controlled input in GitHub Actions may lead to code injection in contexts like _run:_ or _script:_.
Code injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token may have write access to the repository, allowing an attacker to make changes to the repository.
## Recommendations
## Recommendation
The best practice to avoid code injection vulnerabilities in GitHub workflows is to set the untrusted input value of the expression to an intermediate environment variable and then use the environment variable using the native syntax of the shell/script interpreter (that is, not _${{ env.VAR }}_).
It is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN.
## Examples
## Example
### Incorrect Usage

8
actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.md
View File

@@ -1,13 +1,11 @@
# Use of Actions with known vulnerabilities
## Description
## Overview
The security of the workflow and the repository could be compromised by GitHub Actions workflows that utilize GitHub Actions with known vulnerabilities.
## Recommendations
## Recommendation
Either remove the component from the workflow or upgrade it to a version that is not vulnerable.
## References
- [GitHub Docs: Keeping your actions up to date with Dependabot](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot)
- GitHub Docs: [Keeping your actions up to date with Dependabot](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot).

Some files were not shown because too many files have changed in this diff Show More