Alvaro Muñoz
80d2bbdc9b
Merge pull request #61 from github/missing_permissions
fix(queries): Fix Missing Permissions query
2024-07-31 11:45:54 +02:00
Alvaro Muñoz
ab8dd599b7
fix(queries): Fix Missing Permissions query
If a job is only triggered by `workflow_call`, we don't report any issues
since they should be reported on the calling workflows
2024-07-31 11:45:30 +02:00
Alvaro Muñoz
8ffac2935e
Bump qlpack versions
2024-07-30 18:22:20 +02:00
Alvaro Muñoz
65ad387543
fix: Add printf as an equivalent to echo
2024-07-30 18:18:22 +02:00
Alvaro Muñoz
bf10603b5f
Bump qlpack versions
2024-07-30 10:28:15 +02:00
Alvaro Muñoz
f5261237a4
feat(suites): Add a bughalla-specific query suite
2024-07-30 10:27:28 +02:00
Alvaro Muñoz
da36924bb1
feat(queries): Add Output Clobbering query
2024-07-30 10:26:41 +02:00
Alvaro Muñoz
06ec94e731
Bump qlpack versions
2024-07-29 22:38:42 +02:00
Alvaro Muñoz
e3df12d77b
Update Query suite
2024-07-29 22:37:47 +02:00
Alvaro Muñoz
eaf034e8cb
feat(config): Add pipx as poisonable step
2024-07-25 11:09:02 +02:00
Alvaro Muñoz
28cc06e136
Bump qlpack versions
2024-07-24 18:28:09 +02:00
Alvaro Muñoz
ba6ab04dfc
feat(suite): Remove severity:warning queries from CodeScanning suite
2024-07-24 18:27:39 +02:00
Alvaro Muñoz
bb78bb6f57
refactor(queries): update severity level for workflow permissions
2024-07-24 18:27:00 +02:00
Alvaro Muñoz
da28f7dc0a
feat(config): add asv to poisonable steps list
2024-07-24 15:56:47 +02:00
Alvaro Muñoz
12e78ac4fe
fix(regex): update pattern to match both gh and hub commands
2024-07-23 23:37:04 +02:00
Alvaro Muñoz
2dffb865d0
Bump qlpack versions
2024-07-22 12:45:34 +02:00
Alvaro Muñoz
15649afd5c
feat(queries): Improve envvar injection queries
Consider those cases where the contents of a file are written to a var
and that var assigned to GITHUB_ENV
2024-07-22 12:44:27 +02:00
Alvaro Muñoz
270ca2ad7d
feat(queries): Experimental Output clobbering query
2024-07-15 21:00:54 +02:00
Alvaro Muñoz
fc39249f92
feat(queries): Consider untrusted checkout as a source for code injections
2024-07-15 21:00:28 +02:00
Alvaro Muñoz
76ded33280
Bump qlpack versions
2024-07-13 23:29:36 +02:00
Alvaro Muñoz
cc64c95dbc
feat(dataflow): Update edges predicate to only link to next step
Previously each step was linking to all possible following steps. This change produces a better flow path explanation, flowing from the checkout to the poisonable step, step by step
2024-07-13 23:28:47 +02:00
Alvaro Muñoz
c1d8ca0976
Bump qlpack versions
2024-07-13 00:01:49 +02:00
Alvaro Muñoz
44911382af
feat(tests): Update tests results
2024-07-12 23:49:05 +02:00
Alvaro Muñoz
9917c46f6f
feat(core): Add StepsContainer class
A StepsContainer is an abstract class that includes all nodes with steps: Runs and LocalJobs
2024-07-12 23:48:52 +02:00
Alvaro Muñoz
69d173f13c
fix(refactor): Remove unnecessary variables
2024-07-12 23:47:52 +02:00
Alvaro Muñoz
7f77e89bbf
feat(tests): Add test for checkout in composite action
2024-07-12 23:31:12 +02:00
Alvaro Muñoz
417d5a403e
Bump qlpack versions
2024-07-12 12:46:03 +02:00
Alvaro Muñoz
a1787596d2
feat(tests): Update tests
2024-07-12 12:45:19 +02:00
Alvaro Muñoz
e0a075da57
feat(dataflow): Flow through bash assignments on artifact to GH env/output
2024-07-12 12:45:06 +02:00
Alvaro Muñoz
5785a21d56
feat(queries): Env-var injection
Enable Uses sinks for envvar injection
2024-07-12 12:44:25 +02:00
Alvaro Muñoz
f623f73f16
feat(models): Add dotenv models
Envvar-injection sinks
2024-07-12 12:43:25 +02:00
Alvaro Muñoz
8289bf97b9
feat(models): Add support for artifact to step output
2024-07-12 11:10:01 +02:00
Alvaro Muñoz
29d2b287c9
tests: Organize tests
2024-07-12 10:14:39 +02:00
Alvaro Muñoz
c5d31ce08c
fix(refactor): Add comments and rename predicates
2024-07-12 10:13:49 +02:00
Alvaro Muñoz
3f8a791b2e
fix(queries): Improve Argument Injection query
Add GITHUB_HEAD_REF as a source
2024-07-11 22:59:20 +02:00
Alvaro Muñoz
89024ad604
fix(models): Reuse command delimiter regexps
2024-07-11 22:58:20 +02:00
Alvaro Muñoz
7a54170b31
feat(ext): Move regexp delimiters to Config.qll
2024-07-11 12:59:34 +02:00
Alvaro Muñoz
f4581d0aa5
Bump qlpack versions
2024-07-11 11:36:18 +02:00
Alvaro Muñoz
eb66114d8b
feat(models): New ArgInj sink
2024-07-11 11:35:44 +02:00
Alvaro Muñoz
56af52a729
feat(tests): New tests for Command Injection
Injections on a workflow_run trigger protected by an allowed-branches list should not be reported as critical
2024-07-11 10:46:37 +02:00
Alvaro Muñoz
adbb236465
fix(query): Better identification of argument injection commands
2024-07-11 10:45:49 +02:00
Alvaro Muñoz
8d75250da7
Bump qlpack versions
2024-07-11 10:05:29 +02:00
Alvaro Muñoz
732f0dc29f
feat(queries): Argument Injection
Make argument injection sinks configurable with MaD
2024-07-11 10:04:43 +02:00
Alvaro Muñoz
73c77bc93b
Initial implementation
Pending work: complete the regular expression
2024-07-11 10:04:43 +02:00
Alvaro Muñoz
4ad7c1fc95
Merge pull request #57 from github/workflow_run_branches
workflow run branches
2024-07-10 13:09:36 +02:00
Alvaro Muñoz
621ead2266
Fix branches logic
2024-07-10 13:09:23 +02:00
Alvaro Muñoz
090b3d41d1
Fix branches logic
2024-07-10 13:08:54 +02:00
Alvaro Muñoz
53b88627e5
feat(core): Exclude workflow_run#branches#default branch from externally triggerable events
2024-07-10 12:15:49 +02:00
Alvaro Muñoz
f1d1c1e55a
Bump QL versions
2024-07-10 11:49:37 +02:00
Alvaro Muñoz
f4dd771d1c
feat(models): Add models for ssh-action
2024-07-10 11:49:18 +02:00