codeql

mirror of https://github.com/github/codeql.git synced 2026-03-23 16:06:47 +01:00

Author	SHA1	Message	Date
Alvaro Muñoz	0b71d02407	fix: clean debug lefovers	2024-03-13 13:49:50 +01:00
Alvaro Muñoz	9b97dbd870	Refactor ast nodes	2024-03-12 10:16:43 +01:00
Alvaro Muñoz	86075c95bd	Improve ExpressionNode Location handling	2024-03-07 22:28:54 +01:00
Alvaro Muñoz	96246f4b74	Add Expression nodes and their corresponding locations	2024-03-07 15:35:47 +01:00
Alvaro Muñoz	e5527d7a18	Refactor ast nodes	2024-03-05 19:59:43 +01:00
Alvaro Muñoz	6875640c64	Refactor getXXXExpr methods	2024-03-04 10:33:26 +01:00
Alvaro Muñoz	1c2f19f4e1	Merge Actions.qll and Ast.qll	2024-03-01 16:06:06 +01:00
Alvaro Muñoz	bcf3081259	Refactor Input/Outpts	2024-03-01 11:17:23 +01:00
Alvaro Muñoz	0eabdd9507	Rename classes	2024-03-01 09:44:33 +01:00
Alvaro Muñoz	6b11506abb	test: Add tests	2024-02-29 13:23:59 +01:00
Alvaro Muñoz	8a9ec88b36	feat(matrix): Add support for flow through matrix vars	2024-02-28 13:21:29 +01:00
Alvaro Muñoz	8e7e5d03a5	fix(test): Add expected files	2024-02-28 11:15:38 +01:00
Alvaro Muñoz	fe976faf6a	feat(queries): Migrate queries from AdvancedSecurity repo	2024-02-27 15:20:35 +01:00
Alvaro Muñoz	98f3a1e7bf	fix(env): Improve env access support	2024-02-26 10:43:55 +01:00
Alvaro Muñoz	f513a19c24	fix: restrict EnvCtxAccessExpr to Env decarlations on the same file	2024-02-23 11:53:47 +01:00
Alvaro Muñoz	ecefb7ffb5	feat(untrusted checkout query): Add new query and tests	2024-02-22 13:12:37 +01:00
Alvaro Muñoz	d0b904a590	Fix QLpack names	2024-02-21 21:57:45 +01:00
Alvaro Muñoz	7a1369d9d0	Merge pull request #19 from GitHubSecurityLab/steps	2024-02-21 18:38:44 +01:00
Jorge	9e2be7d674	Apply suggestions from code review Co-authored-by: Alvaro Muñoz <pwntester@github.com>	2024-02-21 17:27:39 +01:00
Alvaro Muñoz	3d5567d698	Update ql/lib/codeql/actions/Ast.qll Co-authored-by: Jorge <46056498+jorgectf@users.noreply.github.com>	2024-02-21 16:50:44 +01:00
Alvaro Muñoz	a28f8e90f0	Update ql/lib/ext/tj-actions_branch-names.model.yml	2024-02-21 16:50:33 +01:00
Jorge	3ca7adab4f	Merge branch 'master' into steps	2024-02-21 15:31:42 +01:00
jorgectf	e1d6c7dac4	Add some steps	2024-02-21 15:29:27 +01:00
Alvaro Muñoz	a2b0a01298	fix: fix merge conflict	2024-02-21 10:57:51 +01:00
Alvaro Muñoz	ea29a09fd7	feat(triggers): New query for critical issues Adds a new query and the required changes to be able to account for the trigger events so that we dont report issues if they are not likely exploitable.	2024-02-21 10:56:17 +01:00
Alvaro Muñoz	3aa4f7f1af	feat(triggers): Add getEnclosingWorkflowStmt to Statement class	2024-02-21 10:56:17 +01:00
Alvaro Muñoz	3814462266	feat(triggers): New query for critical issues Adds a new query and the required changes to be able to account for the trigger events so that we dont report issues if they are not likely exploitable.	2024-02-21 10:23:37 +01:00
Alvaro Muñoz	4b9cec79dc	Merge pull request #17 from GitHubSecurityLab/reusable_workflow_models feat(reusable-workflow-models): Reusable workflow MaD	2024-02-21 10:20:40 +01:00
Alvaro Muñoz	a2210dca79	feat(triggers): Add getEnclosingWorkflowStmt to Statement class	2024-02-20 21:48:29 +01:00
Alvaro Muñoz	010d7df71d	feat(reusable-workflow-models): Reusable workflow MaD Add support to define sources/sinks/summaries for Reusable Workflows as MaD entries.	2024-02-20 11:58:54 +01:00
Alvaro Muñoz	1d582a4c4d	feat(model-generation): Add more model generation queries Add new queries for finding reusable workflows that behave as summaries, sources or sinks. Add new query for finding composite actions that behave as sinks. Add `github.event.inputs` context to the regular expression matching input var accesses.	2024-02-20 10:50:02 +01:00
Alvaro Muñoz	76f245b337	feat(actions): use published actions packs	2024-02-16 15:34:20 +01:00
Alvaro Muñoz	5d1264d3a4	feat(action): update references to qlpacks	2024-02-16 12:56:06 +01:00
Alvaro Muñoz	cf4ab41df2	feat(action): rename qlpacks to use githubsecuritylab prefix	2024-02-16 12:32:48 +01:00
Alvaro Muñoz	0105d63a44	Add Action to scan repos	2024-02-16 12:25:23 +01:00
Alvaro Muñoz	499c3e7ac3	Improve regexs	2024-02-15 12:03:06 +01:00
Alvaro Muñoz	1cd32195a7	feat(bash-step): Improve bash step accuracy Only pass the taint when the env var is directlty set as the step output	2024-02-15 11:51:28 +01:00
Alvaro Muñoz	3c12e43d3f	feat(composite-actions): Fix summary and source queries for composite actions analysis	2024-02-14 18:09:12 +01:00
Alvaro Muñoz	f65587e5cf	feat(fieldflow): Refactor flow through Job outputs Job output should flow to the “key” (YamlString) and be read from there from the JobOutputAccessExpr. - NeedsCtxAccessExpr.getRefExpr should point to the UsesExpr(RW calling Job) or to the OutputsStmt(Regular Job). - JobsCtxAccessExpr.getRefExpr should point to the OutputsStmt(Regular Job). - Create storeStep from OutputExpr to OutputStmt using output var name as the field name. - Create a readStep for CtxAccessExpr to read the referenced fields from the job outputs.	2024-02-14 17:08:13 +01:00
Alvaro Muñoz	90d1ae4a05	fix: simplify Ast	2024-02-14 14:06:28 +01:00
Alvaro Muñoz	494fb2470e	fix: refactor local, read and store steps	2024-02-14 14:05:13 +01:00
Alvaro Muñoz	ebaac5f5cb	fix: enforce input,output,env prefixes in MaD	2024-02-14 14:03:11 +01:00
Alvaro Muñoz	2b3b3732b9	resolve conflicts	2024-02-14 10:55:31 +01:00
Alvaro Muñoz	e6b4676f90	feat(field-flow): enhance dataflow tracking implement field flow to reduce false positives	2024-02-14 10:47:00 +01:00
jorgectf	29b3d6c9ef	Prefix sources with `output.`	2024-02-13 15:00:53 +01:00
jorgectf	6627a858e3	Suffix with `.model`	2024-02-13 13:24:25 +01:00
jorgectf	fa91837f63	Trim yaml	2024-02-13 13:22:18 +01:00
jorgectf	68901e252c	Add some changed-files sources	2024-02-13 13:18:52 +01:00
Alvaro Muñoz	271c512f4d	better identification of Composite Actions input and output nodes	2024-02-13 11:40:22 +01:00
Alvaro Muñoz	cc3f2eed68	add characteristic predicates to InputExpr and OutputExpr	2024-02-13 11:24:16 +01:00

1 2

68 Commits