477 Commits

Author	SHA1	Message	Date
Dave Bartolomeo	be8a49228f	Delete dbscheme ... Update after merge	2024-11-13 13:42:57 -05:00
Dave Bartolomeo	14119c7d84	Merge remote-tracking branch 'origin/master' into dbartol/move-to-codeql	2024-11-13 13:28:00 -05:00
Alvaro Muñoz	064c983b47	Merge branch 'master' of https://github.com/github/codeql-actions	2024-11-09 10:40:14 +01:00
Alvaro Muñoz	44fd14caaf	Bump qlpack versions	2024-11-09 10:40:04 +01:00
Kylie Stradley	0110988b1c	Merge pull request #105 from github/immutable-actions ... Add CodeQL rule for Immutable actions, do not detect immutable actions in unpinned tag rule	2024-11-08 12:15:54 -05:00
Kylie Stradley	d6e38d5e83	Do not detect immutable actions in UnpinnedActionsTag ... * these should be handles by the UseOfUnversionedImmutableAction.qll query instead * factor out immutableAction detection for reuse in both queries * octokit should not longer ping in UnpinnedActionsTag	2024-11-08 11:51:25 -05:00
Dave Bartolomeo	1f3bab2b65	Move data extensions to use codeql org	2024-11-07 11:15:52 -05:00
Dave Bartolomeo	99a49fb27f	Move packs to codeql org	2024-11-07 10:43:05 -05:00
Brandon Stewart	6a1e814cde	Merge pull request #106 from github/advanced-config ... Add rule to detect cases where CodeQL default setup could be used instead of advanced setup	2024-11-06 15:21:31 -05:00
Kylie Stradley	0e94777b13	Merge branch 'master' into immutable-actions	2024-11-04 11:57:06 -05:00
Alvaro Muñoz	ae6856ab5a	models: add new control check model	2024-11-04 14:44:13 +01:00
Alvaro Muñoz	4f62573d17	Bump qlpack versions	2024-11-04 10:11:52 +01:00
Alvaro Muñoz	80f2b24eeb	Bump qlpack versions	2024-11-03 22:29:50 +01:00
Alvaro Muñoz	ea20e9b337	fix: Add versioned python binaries to poisonable steps	2024-11-03 22:29:20 +01:00
Brandon Stewart	0b7de6e86a	add rule to detect if default setup would be more appropriate	2024-10-31 15:28:55 +00:00
Alvaro Muñoz	230b2ff4d8	Bump qlpack versions	2024-10-31 14:17:44 +01:00
Alvaro Muñoz	0211902116	models: add models for zentered/issue-forms-parser	2024-10-31 13:38:17 +01:00
Alvaro Muñoz	d85ca10772	fix: account for tojson(expr) expressions	2024-10-31 13:36:59 +01:00
Alvaro Muñoz	ebd45ace50	feat: add source model for peter-murra/issue-forms-body-parser	2024-10-31 10:59:05 +01:00
Alvaro Muñoz	0157bf3297	fix: improve JS require/import poisonable step to account for cwd	2024-10-30 22:12:17 +01:00
Alvaro Muñoz	a2f162e482	Bump qlpack versions	2024-10-30 12:43:44 +01:00
Alvaro Muñoz	263582c796	feat: Add sanitizers for bash test commands	2024-10-30 12:43:19 +01:00
Alvaro Muñoz	685c9e97cc	Bump qlpack versions	2024-10-29 21:17:55 +01:00
Alvaro Muñoz	fcc7efbc5c	Bump qlpack versions	2024-10-29 19:19:06 +01:00
Alvaro Muñoz	58f060234a	fix: count(text.splitAt()) does not account for all lines, use max(text.splitAt(,i)) instead	2024-10-29 19:17:24 +01:00
Alvaro Muñoz	ee7e50c1cf	Bump qlpack versions	2024-10-29 13:42:02 +01:00
Alvaro Muñoz	0ad7f08c9f	fix: do not require github.event.workflow_run.id as an argument for gh run download	2024-10-28 16:15:47 +01:00
Alvaro Muñoz	aecb478e1c	Bump qlpack versions	2024-10-28 11:58:45 +01:00
Alvaro Muñoz	792e8555af	fix: remove context 2 events mappings ... client_paylaod (dispatch), commits (push), head_commit (push) and merge_group are not under external attacker control so remove them	2024-10-28 11:56:59 +01:00
Alvaro Muñoz	62d9302e8b	chore: remove leftover commented out code	2024-10-28 11:55:44 +01:00
Alvaro Muñoz	e34835f71a	fix: AstNode.getATriggerEvent() ... getATriggerEvent did not work for nodes outside a Job. If there is no enclosing job, get the trigger from the enclosing workflow	2024-10-28 11:55:23 +01:00
Alvaro Muñoz	6136a98764	Add getEvent to RemoteFlowSource for events able to trigger the source	2024-10-28 11:54:04 +01:00
Alvaro Muñoz	fe9c908880	Bump qlpack versions	2024-10-25 14:18:20 +02:00
Alvaro Muñoz	922ae57aba	Fix LabelIf ControlCheck so that it recognizes checks not at the beginning of the expression	2024-10-25 10:26:47 +02:00
Alvaro Muñoz	d8f79818d6	Improve extraction of Output/Env assignments	2024-10-25 10:25:47 +02:00
Alvaro Muñoz	6802cd2398	Improve checkout trigger events checks	2024-10-25 10:25:18 +02:00
Kylie Stradley	f8be8e768f	Merge branch 'master' into immutable-actions	2024-10-24 15:25:31 -04:00
Kylie Stradley	c9b1cd2c02	add workflow to catch some ineligible wildcards and eligible latest version for immutable actions	2024-10-23 21:18:04 -04:00
Alvaro Muñoz	dbcf113546	Bump qlpack versions	2024-10-23 22:04:01 +02:00
Alvaro Muñoz	b6a26e76d4	New azure models	2024-10-23 22:03:11 +02:00
Alvaro Muñoz	ae6309daf6	Account for tar -C option to specify path	2024-10-23 22:02:58 +02:00
Alvaro Muñoz	674afc5edd	Improve labelgate accuracy	2024-10-23 15:48:42 +02:00
Alvaro Muñoz	9a0795cc75	Bump qlpack versions	2024-10-23 12:16:32 +02:00
Alvaro Muñoz	315ffdff8d	Improve env var injection sanitizers	2024-10-23 12:15:54 +02:00
Alvaro Muñoz	fef37b6025	Remove pull_request from context event map so that accesss to github.event.pull_request are not considered a source for pull_request triggers	2024-10-23 12:15:26 +02:00
Alvaro Muñoz	c9bb42a46c	Enforce a checkout kind of trigger to consider gh pr/gh api ... pulls as a source of untrusted data	2024-10-23 12:14:20 +02:00
Alvaro Muñoz	6298f2520e	Bump qlpack versions	2024-10-23 10:37:33 +02:00
Alvaro Muñoz	d1d92ae68a	Create getATriggerEvent for Steps and refactor the code to use it	2024-10-23 10:13:20 +02:00
Alvaro Muñoz	b2a3aaacfd	Bump qlpack versions	2024-10-23 09:40:25 +02:00
Alvaro Muñoz	a057b9dd44	Add poisonable step for azure/powershell	2024-10-23 09:39:34 +02:00