add workflow to catch some ineligible wildcards and eligible latest version for immutable actions

ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll

@@ -6,11 +6,20 @@ class UnversionedImmutableAction extends UsesStep {
   UnversionedImmutableAction() {
     immutableActionsDataModel(immutable_action) and
     this.getCallee() = immutable_action and
-    isNotSemVer(this.getVersion())
+    not isSemVer(this.getVersion())
   }
 }
 
 bindingset[version]
-predicate isNotSemVer(string version) {
-  not version.regexpMatch("^(v)?[0-9]+(\\.[0-9]+)*(\\.[xX])?$")
+predicate isSemVer(string version) {
+  // https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string with optional v prefix
+  version.regexpMatch("^v?(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$")
+
+  // or N or N.x or N.N.x with optional v prefix
+  or version.regexpMatch("^v?[1-9]\\d*$")
+  or version.regexpMatch("^v?[1-9]\\d*\\.(x|0|([1-9]\\d*))$")
+  or version.regexpMatch("^v?[1-9]\\d*\\.(0|([1-9]\\d*))\\.(x|0|([1-9]\\d*))$")
+
+  // or latest which will work
+  or version = "latest"
 }

ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit2.yml

@@ -0,0 +1,38 @@
+name: Octokit (heuristics)
+
+on:
+  issue_comment:
+    types: [created]
+
+jobs:
+  test1:
+    if: github.event.comment.body == '@metabase-bot run visual tests'
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Fetch issue
+        uses: octokit/request-action@v2.x
+        id: fetch_issue
+        with:
+          route: GET ${{ github.event.issue.url }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Fetch PR minor and patch wildcard
+        uses: octokit/request-action@v2.x.x
+        id: fetch_pr
+        with:
+          route: GET ${{ fromJson(steps.fetch_issue.outputs.data).pull_request.url }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Checkout PR minor patch wildcard
+      - uses: actions/checkout@v2.x.xx
+        with:
+          ref: ${{ fromJson(steps.fetch_pr.outputs.data).head.ref }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Checkout PR minor wildcard incomplete patch
+        uses: actions/checkout@v2.x.
+      - name: Run latest action
+        uses: some-action/some-repo@latest
+        with:
+          some-input: some-value
+      - name: run the latest checkout action
+        uses: actions/checkout@latest

ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected

@@ -4,6 +4,9 @@
 | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | actions/checkout |
 | .github/workflows/artifactpoisoning92.yml:17:9:18:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/artifactpoisoning92.yml:17:9:18:6 | Uses Step | actions/checkout |
 | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | actions/checkout |
+| .github/workflows/issue_comment_octokit2.yml:19:9:26:6 | Uses Step: fetch_pr | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/issue_comment_octokit2.yml:19:9:26:6 | Uses Step: fetch_pr | octokit/request-action |
+| .github/workflows/issue_comment_octokit2.yml:27:9:31:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/issue_comment_octokit2.yml:27:9:31:6 | Uses Step | actions/checkout |
+| .github/workflows/issue_comment_octokit2.yml:31:9:33:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/issue_comment_octokit2.yml:31:9:33:6 | Uses Step | actions/checkout |
 | .github/workflows/poc.yml:30:9:36:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/poc.yml:30:9:36:6 | Uses Step | actions/checkout |
 | .github/workflows/poc.yml:36:9:38:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/poc.yml:36:9:38:6 | Uses Step | actions/configure-pages |
 | .github/workflows/poc.yml:43:9:47:2 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/poc.yml:43:9:47:2 | Uses Step | actions/upload-pages-artifact |