Commit Graph

42 Commits

Author SHA1 Message Date
Alvaro Muñoz
ea29a09fd7 feat(triggers): New query for critical issues
Adds a new query and the required changes to be able to account for the trigger events so that we don't report issues if they are not likely exploitable.
2024-02-21 10:56:17 +01:00
Alvaro Muñoz
3aa4f7f1af feat(triggers): Add getEnclosingWorkflowStmt to Statement class 2024-02-21 10:56:17 +01:00
Alvaro Muñoz
4b9cec79dc Merge pull request #17 from GitHubSecurityLab/reusable_workflow_models
feat(reusable-workflow-models): Reusable workflow MaD
2024-02-21 10:20:40 +01:00
Alvaro Muñoz
010d7df71d feat(reusable-workflow-models): Reusable workflow MaD
Add support to define sources/sinks/summaries for Reusable Workflows as
MaD entries.
2024-02-20 11:58:54 +01:00
Alvaro Muñoz
1d582a4c4d feat(model-generation): Add more model generation queries
Add new queries for finding reusable workflows that behave as summaries, sources or sinks.
Add new query for finding composite actions that behave as sinks.
Add `github.event.inputs` context to the regular expression matching input var accesses.
2024-02-20 10:50:02 +01:00
Alvaro Muñoz
76f245b337 feat(actions): use published actions packs 2024-02-16 15:34:20 +01:00
Alvaro Muñoz
5d1264d3a4 feat(action): update references to qlpacks 2024-02-16 12:56:06 +01:00
Alvaro Muñoz
cf4ab41df2 feat(action): rename qlpacks to use githubsecuritylab prefix 2024-02-16 12:32:48 +01:00
Alvaro Muñoz
0105d63a44 Add Action to scan repos 2024-02-16 12:25:23 +01:00
Alvaro Muñoz
499c3e7ac3 Improve regexes 2024-02-15 12:03:06 +01:00
Alvaro Muñoz
1cd32195a7 feat(bash-step): Improve bash step accuracy
Only pass the taint when the env var is directly set as the step output
2024-02-15 11:51:28 +01:00
Alvaro Muñoz
3c12e43d3f feat(composite-actions): Fix summary and source queries for composite actions analysis 2024-02-14 18:09:12 +01:00
Alvaro Muñoz
f65587e5cf feat(fieldflow): Refactor flow through Job outputs
Job output should flow to the “key” (YamlString) and be read from there
by the JobOutputAccessExpr.

- NeedsCtxAccessExpr.getRefExpr should point to the UsesExpr(RW calling Job)
  or to the OutputsStmt(Regular Job).
- JobsCtxAccessExpr.getRefExpr should point to the OutputsStmt(Regular Job).
- Create storeStep from OutputExpr to OutputStmt using output var name
  as the field name.
- Create a readStep for CtxAccessExpr to read the referenced fields from
  the job outputs.
2024-02-14 17:08:13 +01:00
Alvaro Muñoz
90d1ae4a05 fix: simplify Ast 2024-02-14 14:06:28 +01:00
Alvaro Muñoz
494fb2470e fix: refactor local, read and store steps 2024-02-14 14:05:13 +01:00
Alvaro Muñoz
ebaac5f5cb fix: enforce input,output,env prefixes in MaD 2024-02-14 14:03:11 +01:00
Alvaro Muñoz
2b3b3732b9 resolve conflicts 2024-02-14 10:55:31 +01:00
Alvaro Muñoz
e6b4676f90 feat(field-flow): enhance dataflow tracking
implement field flow to reduce false positives
2024-02-14 10:47:00 +01:00
jorgectf
29b3d6c9ef Prefix sources with output. 2024-02-13 15:00:53 +01:00
jorgectf
6627a858e3 Suffix with .model 2024-02-13 13:24:25 +01:00
jorgectf
fa91837f63 Trim yaml 2024-02-13 13:22:18 +01:00
jorgectf
68901e252c Add some changed-files sources 2024-02-13 13:18:52 +01:00
Alvaro Muñoz
271c512f4d better identification of Composite Actions input and output nodes 2024-02-13 11:40:22 +01:00
Alvaro Muñoz
cc3f2eed68 add characteristic predicates to InputExpr and OutputExpr 2024-02-13 11:24:16 +01:00
Alvaro Muñoz
e9707af38d feat: support for composite action's analysis 2024-02-12 22:55:58 +01:00
Alvaro Muñoz
99358c62e2 Extend CFG to reach env expressions 2024-02-12 15:47:27 +01:00
Alvaro Muñoz
4b57cee300 Initial implementation of env context support 2024-02-12 15:14:47 +01:00
Alvaro Muñoz
4f0b66ea03 Refactor MaD semantics 2024-02-12 13:47:44 +01:00
Alvaro Muñoz
2eaca7e826 Add support for external definitions 2024-02-09 22:55:10 +01:00
Alvaro Muñoz
b54316fc9a Refactor CfgScopes and Ast predicate names 2024-02-09 13:35:47 +01:00
Alvaro Muñoz
9c6fd20e5e Move reusable tests to src pack 2024-02-09 12:29:48 +01:00
Alvaro Muñoz
3152ed71ba dataflow through reusable workflows 2024-02-09 11:57:47 +01:00
Alvaro Muñoz
9659098ab6 Support for Reusable workflows 2024-02-08 15:40:06 +01:00
Alvaro Muñoz
db413361f7 Add Reusable Workflow test 2024-02-08 15:11:39 +01:00
Alvaro Muñoz
5006ffe203 Use the LibYaml default AST hierarchy 2024-02-08 12:01:41 +01:00
Alvaro Muñoz
83ca36bc76 Support RunExpr's env vars 2024-02-08 11:56:55 +01:00
Alvaro Muñoz
1708e0f19d Move tests files to .github/workflows 2024-02-08 11:55:21 +01:00
Alvaro Muñoz
da2ac2af03 Process only .github/workflows yaml files 2024-02-08 11:52:14 +01:00
Alvaro Muñoz
0398fbd0d7 Refactor AST layer 2024-02-05 18:04:37 +01:00
Alvaro Muñoz
093b1a2211 Remove test dbs 2024-02-05 10:45:52 +01:00
Alvaro Muñoz
355ccf42ee Do not compress local flow steps
Use `neverSkipPathGrap` to `any()` so no local flow steps get pruned
and thrown away in order to compress the presented dataflow path.
2024-02-05 10:44:37 +01:00
Alvaro Muñoz
45d959d13f Initial implementation 2024-02-05 09:26:11 +01:00