mirror of
https://github.com/github/codeql.git
synced 2026-06-29 16:47:09 +02:00
Compare commits
2 Commits
bazookamus
...
nickrolfe/
| Author | SHA1 | Date | |
|---|---|---|---|
|
600a18943e | ||
|
|
6cfe351916 |
@@ -1,10 +1,3 @@
|
||||
## 0.4.38
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* GitHub Actions queries now better account for permission checks on jobs that call reusable workflows.
|
||||
* The query `actions/pr-on-self-hosted-runner` was updated to the latest standard runner labels reducing false positive results.
|
||||
|
||||
## 0.4.37
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: fix
|
||||
---
|
||||
* The query `actions/pr-on-self-hosted-runner` was updated to the latest standard runner labels reducing false positive results.
|
||||
@@ -1,6 +0,0 @@
|
||||
## 0.4.38
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* GitHub Actions queries now better account for permission checks on jobs that call reusable workflows.
|
||||
* The query `actions/pr-on-self-hosted-runner` was updated to the latest standard runner labels reducing false positive results.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.4.38
|
||||
lastReleaseVersion: 0.4.37
|
||||
|
||||
@@ -42,15 +42,6 @@ string actor_not_attacker_event() {
|
||||
]
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the outer caller of `ej`, i.e. the `ExternalJob` that calls the
|
||||
* reusable workflow containing `ej`. Used with transitive closure to
|
||||
* walk up nested reusable workflow chains.
|
||||
*/
|
||||
private ExternalJob getAnOuterCaller(ExternalJob ej) {
|
||||
result = ej.getEnclosingWorkflow().(ReusableWorkflow).getACaller()
|
||||
}
|
||||
|
||||
/** An If node that contains an actor, user or label check */
|
||||
abstract class ControlCheck extends AstNode {
|
||||
ControlCheck() {
|
||||
@@ -62,170 +53,43 @@ abstract class ControlCheck extends AstNode {
|
||||
|
||||
predicate protects(AstNode node, Event event, string category) {
|
||||
// The check dominates the step it should protect
|
||||
this.dominates(node, event) and
|
||||
this.dominates(node) and
|
||||
// The check is effective against the event and category
|
||||
this.protectsCategoryAndEvent(category, event.getName()) and
|
||||
// The check can be triggered by the event
|
||||
this.getATriggerEvent() = event and
|
||||
// For reusable workflows, there must be no unprotected caller chain for this event.
|
||||
(
|
||||
not node.getEnclosingWorkflow() instanceof ReusableWorkflow
|
||||
or
|
||||
this.dominatesSameWorkflow(node, event)
|
||||
or
|
||||
not exists(ExternalJob directCaller |
|
||||
directCaller = node.getEnclosingWorkflow().(ReusableWorkflow).getACaller() and
|
||||
unprotectedCallerChain(directCaller, event, category)
|
||||
)
|
||||
)
|
||||
this.getATriggerEvent() = event
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if this control check must execute and pass before `node` can run.
|
||||
*/
|
||||
predicate dominates(AstNode node, Event event) {
|
||||
this.dominatesSameWorkflow(node, event)
|
||||
or
|
||||
// When the node is inside a reusable workflow,
|
||||
// this check dominates via at least one caller chain.
|
||||
this.dominatesViaCaller(node, event, _)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if this control check dominates `node` within the same workflow.
|
||||
*/
|
||||
predicate dominatesSameWorkflow(AstNode node, Event event) {
|
||||
this.getATriggerEvent() = event and
|
||||
(
|
||||
// Step-level: the check is an `if:` on the step containing `node`,
|
||||
// or on the enclosing job, or on a needed job/step.
|
||||
this instanceof If and
|
||||
(
|
||||
node.getEnclosingStep().getIf() = this or
|
||||
node.getEnclosingJob().getIf() = this or
|
||||
node.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this or
|
||||
node.getEnclosingJob().getANeededJob().(LocalJob).getIf() = this
|
||||
)
|
||||
or
|
||||
// Job-level: the check is an environment on the enclosing job or a needed job.
|
||||
this instanceof Environment and
|
||||
(
|
||||
node.getEnclosingJob().getEnvironment() = this
|
||||
or
|
||||
node.getEnclosingJob().getANeededJob().getEnvironment() = this
|
||||
)
|
||||
or
|
||||
// Step-level: the check is a Run/UsesStep that precedes `node`'s step
|
||||
// in the same job, or is a step in a needed job.
|
||||
(
|
||||
this instanceof Run or
|
||||
this instanceof UsesStep
|
||||
) and
|
||||
(
|
||||
this.(Step).getAFollowingStep() = node.getEnclosingStep()
|
||||
or
|
||||
node.getEnclosingJob().getANeededJob().(LocalJob).getAStep() = this
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if this control check dominates `node` in a reusable workflow
|
||||
* via the caller chain starting at `directCaller`.
|
||||
*/
|
||||
predicate dominatesViaCaller(AstNode node, Event event, ExternalJob directCaller) {
|
||||
directCaller = node.getEnclosingWorkflow().(ReusableWorkflow).getACaller() and
|
||||
directCaller.getATriggerEvent() = event and
|
||||
exists(ExternalJob caller |
|
||||
caller = getAnOuterCaller*(directCaller) and
|
||||
this.dominatesCaller(caller)
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if this control check directly dominates `caller`.
|
||||
*/
|
||||
predicate dominatesCaller(ExternalJob caller) {
|
||||
predicate dominates(AstNode node) {
|
||||
this instanceof If and
|
||||
(
|
||||
caller.getIf() = this or
|
||||
caller.getANeededJob().(LocalJob).getIf() = this or
|
||||
caller.getANeededJob().(LocalJob).getAStep().getIf() = this
|
||||
node.getEnclosingStep().getIf() = this or
|
||||
node.getEnclosingJob().getIf() = this or
|
||||
node.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this or
|
||||
node.getEnclosingJob().getANeededJob().(LocalJob).getIf() = this
|
||||
)
|
||||
or
|
||||
this instanceof Environment and
|
||||
(
|
||||
caller.getEnvironment() = this or
|
||||
caller.getANeededJob().getEnvironment() = this
|
||||
node.getEnclosingJob().getEnvironment() = this
|
||||
or
|
||||
node.getEnclosingJob().getANeededJob().getEnvironment() = this
|
||||
)
|
||||
or
|
||||
(this instanceof Run or this instanceof UsesStep) and
|
||||
caller.getANeededJob().(LocalJob).getAStep() = this
|
||||
(
|
||||
this instanceof Run or
|
||||
this instanceof UsesStep
|
||||
) and
|
||||
(
|
||||
this.(Step).getAFollowingStep() = node.getEnclosingStep()
|
||||
or
|
||||
node.getEnclosingJob().getANeededJob().(LocalJob).getAStep() = this.(Step)
|
||||
)
|
||||
}
|
||||
|
||||
abstract predicate protectsCategoryAndEvent(string category, string event);
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if this control check directly protects `caller`.
|
||||
*/
|
||||
bindingset[caller, event, category]
|
||||
private predicate protectedCaller(ExternalJob caller, Event event, string category) {
|
||||
exists(ControlCheck check |
|
||||
check.protectsCategoryAndEvent(category, event.getName()) and
|
||||
check.getATriggerEvent() = event and
|
||||
check.dominatesCaller(caller)
|
||||
)
|
||||
}
|
||||
|
||||
cached
|
||||
private newtype TCallerState =
|
||||
MkCallerState(ExternalJob caller, Event event, string category) {
|
||||
caller.getATriggerEvent() = event and
|
||||
category = any_category()
|
||||
}
|
||||
|
||||
private class CallerState extends TCallerState, MkCallerState {
|
||||
ExternalJob caller;
|
||||
Event event;
|
||||
string category;
|
||||
|
||||
CallerState() { this = MkCallerState(caller, event, category) }
|
||||
|
||||
ExternalJob getCaller() { result = caller }
|
||||
|
||||
Event getEvent() { result = event }
|
||||
|
||||
string getCategory() { result = category }
|
||||
|
||||
/**
|
||||
* Gets an outer caller state if this caller is not protected.
|
||||
*/
|
||||
CallerState getUnprotectedOuterState() {
|
||||
not protectedCaller(this.getCaller(), this.getEvent(), this.getCategory()) and
|
||||
result = MkCallerState(getAnOuterCaller(this.getCaller()), this.getEvent(), this.getCategory())
|
||||
}
|
||||
|
||||
predicate isUnprotectedOutermost() {
|
||||
not protectedCaller(this.getCaller(), this.getEvent(), this.getCategory()) and
|
||||
not exists(getAnOuterCaller(this.getCaller()))
|
||||
}
|
||||
|
||||
string toString() { result = caller + " / " + event + " / " + category }
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if there is a caller path from `caller` to an outer workflow that has no protection.
|
||||
*/
|
||||
bindingset[caller, event, category]
|
||||
private predicate unprotectedCallerChain(ExternalJob caller, Event event, string category) {
|
||||
exists(CallerState start, CallerState outermost |
|
||||
start = MkCallerState(caller, event, category) and
|
||||
outermost = start.getUnprotectedOuterState*() and
|
||||
outermost.isUnprotectedOutermost()
|
||||
)
|
||||
}
|
||||
|
||||
abstract class AssociationCheck extends ControlCheck {
|
||||
// Checks if the actor is a MEMBER/OWNER the repo
|
||||
// - they are effective against pull requests and workflow_run (since these are triggered by pull_requests) since they can control who is making the PR
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/actions-all
|
||||
version: 0.4.39-dev
|
||||
version: 0.4.38-dev
|
||||
library: true
|
||||
warnOnImplicitThis: true
|
||||
dependencies:
|
||||
|
||||
@@ -1,9 +1,3 @@
|
||||
## 0.6.30
|
||||
|
||||
### Query Metadata Changes
|
||||
|
||||
* The name, description, and alert message of `actions/untrusted-checkout/medium` have been corrected to describe a non-privileged context.
|
||||
|
||||
## 0.6.29
|
||||
|
||||
### Query Metadata Changes
|
||||
|
||||
@@ -18,7 +18,7 @@ from LocalJob job, LabelCheck check, MutableRefCheckoutStep checkout, Event even
|
||||
where
|
||||
job.isPrivileged() and
|
||||
job.getAStep() = checkout and
|
||||
check.dominates(checkout, event) and
|
||||
check.dominates(checkout) and
|
||||
(
|
||||
job.getATriggerEvent() = event and
|
||||
event.getName() = "pull_request_target" and
|
||||
|
||||
@@ -34,8 +34,8 @@ where
|
||||
check instanceof AssociationCheck or
|
||||
check instanceof PermissionCheck
|
||||
) and
|
||||
check.dominates(checkout, event) and
|
||||
date_check.dominates(checkout, event)
|
||||
check.dominates(checkout) and
|
||||
date_check.dominates(checkout)
|
||||
)
|
||||
or
|
||||
// not issue_comment triggered workflows
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
## 0.6.30
|
||||
|
||||
### Query Metadata Changes
|
||||
|
||||
---
|
||||
category: queryMetadata
|
||||
---
|
||||
* The name, description, and alert message of `actions/untrusted-checkout/medium` have been corrected to describe a non-privileged context.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.6.30
|
||||
lastReleaseVersion: 0.6.29
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/actions-queries
|
||||
version: 0.6.31-dev
|
||||
version: 0.6.30-dev
|
||||
library: false
|
||||
warnOnImplicitThis: true
|
||||
groups: [actions, queries]
|
||||
|
||||
@@ -1,17 +0,0 @@
|
||||
on:
|
||||
workflow_call:
|
||||
inputs:
|
||||
COMMIT_SHA:
|
||||
type: string
|
||||
|
||||
jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
with:
|
||||
ref: ${{ inputs.COMMIT_SHA }}
|
||||
- run: |
|
||||
npm install
|
||||
npm run lint
|
||||
|
||||
@@ -1,13 +0,0 @@
|
||||
on:
|
||||
workflow_call:
|
||||
inputs:
|
||||
COMMIT_SHA:
|
||||
type: string
|
||||
|
||||
jobs:
|
||||
build:
|
||||
uses: TestOrg/TestRepo/.github/workflows/build.yml@main
|
||||
with:
|
||||
COMMIT_SHA: ${{ inputs.COMMIT_SHA }}
|
||||
|
||||
|
||||
@@ -1,33 +0,0 @@
|
||||
on:
|
||||
workflow_call:
|
||||
inputs:
|
||||
COMMIT_SHA:
|
||||
type: string
|
||||
|
||||
jobs:
|
||||
is-collaborator:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Get User Permission
|
||||
id: checkAccess
|
||||
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
||||
with:
|
||||
require: write
|
||||
username: ${{ github.actor }}
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Check User Permission
|
||||
if: steps.checkAccess.outputs.require-result == 'false'
|
||||
run: |
|
||||
echo "${{ github.actor }} does not have permissions on this repo."
|
||||
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
||||
exit 1
|
||||
build_safe:
|
||||
needs: is-collaborator
|
||||
uses: TestOrg/TestRepo/.github/workflows/build_nested.yml@main
|
||||
with:
|
||||
COMMIT_SHA: ${{ inputs.COMMIT_SHA }}
|
||||
build_unsafe:
|
||||
uses: TestOrg/TestRepo/.github/workflows/build_nested.yml@main
|
||||
with:
|
||||
COMMIT_SHA: ${{ inputs.COMMIT_SHA }}
|
||||
@@ -1,31 +0,0 @@
|
||||
on:
|
||||
pull_request_target:
|
||||
|
||||
jobs:
|
||||
is-collaborator:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Get User Permission
|
||||
id: checkAccess
|
||||
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
||||
with:
|
||||
require: write
|
||||
username: ${{ github.actor }}
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Check User Permission
|
||||
if: steps.checkAccess.outputs.require-result == 'false'
|
||||
run: |
|
||||
echo "${{ github.actor }} does not have permissions on this repo."
|
||||
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
||||
exit 1
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
#needs: is-collaborator Mistake, doesn't wait for the collaborator - no security check
|
||||
steps:
|
||||
- name: Checkout repo
|
||||
uses: actions/checkout@4
|
||||
with:
|
||||
ref: ${{ github.event.pull_request.head.sha }} # should alert
|
||||
fetch-depth: 2
|
||||
- run: yarn test
|
||||
@@ -1,26 +0,0 @@
|
||||
on:
|
||||
pull_request_target:
|
||||
|
||||
jobs:
|
||||
is-collaborator:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Get User Permission
|
||||
id: checkAccess
|
||||
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
||||
with:
|
||||
require: write
|
||||
username: ${{ github.actor }}
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Check User Permission
|
||||
if: steps.checkAccess.outputs.require-result == 'false'
|
||||
run: |
|
||||
echo "${{ github.actor }} does not have permissions on this repo."
|
||||
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
||||
exit 1
|
||||
build:
|
||||
needs: is-collaborator
|
||||
uses: TestOrg/TestRepo/.github/workflows/build.yml@main
|
||||
with:
|
||||
COMMIT_SHA: ${{ github.event.pull_request.head.sha }} # shouldn't alert since permission check
|
||||
@@ -1,31 +0,0 @@
|
||||
on:
|
||||
pull_request_target:
|
||||
|
||||
jobs:
|
||||
is-collaborator:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Get User Permission
|
||||
id: checkAccess
|
||||
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
||||
with:
|
||||
require: write
|
||||
username: ${{ github.actor }}
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Check User Permission
|
||||
if: steps.checkAccess.outputs.require-result == 'false'
|
||||
run: |
|
||||
echo "${{ github.actor }} does not have permissions on this repo."
|
||||
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
||||
exit 1
|
||||
build_unsafe:
|
||||
# needs: is-collaborator
|
||||
uses: TestOrg/TestRepo/.github/workflows/build.yml@main
|
||||
with:
|
||||
COMMIT_SHA: ${{ github.event.pull_request.head.sha }} # should alert since no permission check
|
||||
build_safe:
|
||||
needs: is-collaborator
|
||||
uses: TestOrg/TestRepo/.github/workflows/build.yml@main
|
||||
with:
|
||||
COMMIT_SHA: ${{ github.event.pull_request.head.sha }} # shouldn't alert since permission check
|
||||
@@ -1,8 +0,0 @@
|
||||
on:
|
||||
pull_request_target:
|
||||
|
||||
jobs:
|
||||
build:
|
||||
uses: TestOrg/TestRepo/.github/workflows/build_nested_branching.yml@main
|
||||
with:
|
||||
COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
|
||||
@@ -1,26 +0,0 @@
|
||||
on:
|
||||
pull_request_target:
|
||||
|
||||
jobs:
|
||||
is-collaborator:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Get User Permission
|
||||
id: checkAccess
|
||||
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
||||
with:
|
||||
require: write
|
||||
username: ${{ github.actor }}
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Check User Permission
|
||||
if: steps.checkAccess.outputs.require-result == 'false'
|
||||
run: |
|
||||
echo "${{ github.actor }} does not have permissions on this repo."
|
||||
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
||||
exit 1
|
||||
build:
|
||||
needs: is-collaborator
|
||||
uses: TestOrg/TestRepo/.github/workflows/build_nested.yml@main
|
||||
with:
|
||||
COMMIT_SHA: ${{ github.event.pull_request.head.sha }} # shouldn't alert since permission check
|
||||
@@ -1,26 +0,0 @@
|
||||
on:
|
||||
pull_request_target:
|
||||
|
||||
jobs:
|
||||
is-collaborator:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Get User Permission
|
||||
id: checkAccess
|
||||
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
||||
with:
|
||||
require: write
|
||||
username: ${{ github.actor }}
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Check User Permission
|
||||
if: steps.checkAccess.outputs.require-result == 'false'
|
||||
run: |
|
||||
echo "${{ github.actor }} does not have permissions on this repo."
|
||||
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
||||
exit 1
|
||||
build:
|
||||
# needs: is-collaborator
|
||||
uses: TestOrg/TestRepo/.github/workflows/build_nested.yml@main
|
||||
with:
|
||||
COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
|
||||
@@ -1,41 +0,0 @@
|
||||
on:
|
||||
pull_request_target:
|
||||
|
||||
jobs:
|
||||
is-collaborator:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Get User Permission
|
||||
id: checkAccess
|
||||
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
||||
with:
|
||||
require: write
|
||||
username: ${{ github.actor }}
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Check User Permission
|
||||
if: steps.checkAccess.outputs.require-result == 'false'
|
||||
run: |
|
||||
echo "${{ github.actor }} does not have permissions on this repo."
|
||||
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
||||
exit 1
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
needs: is-collaborator
|
||||
steps:
|
||||
- name: Checkout repo
|
||||
uses: actions/checkout@4
|
||||
with:
|
||||
ref: ${{ github.event.pull_request.head.sha }} # shouldn't alert since permission check
|
||||
fetch-depth: 2
|
||||
- run: yarn test
|
||||
build_unsafe:
|
||||
runs-on: ubuntu-latest
|
||||
# needs: is-collaborator
|
||||
steps:
|
||||
- name: Checkout repo
|
||||
uses: actions/checkout@4
|
||||
with:
|
||||
ref: ${{ github.event.pull_request.head.sha }} # should alert since no permission check
|
||||
fetch-depth: 2
|
||||
- run: yarn test
|
||||
@@ -1,48 +0,0 @@
|
||||
on:
|
||||
pull_request_target:
|
||||
|
||||
jobs:
|
||||
is-collaborator-a:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Get User Permission
|
||||
id: checkAccess
|
||||
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
||||
with:
|
||||
require: write
|
||||
username: ${{ github.actor }}
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Check User Permission
|
||||
if: steps.checkAccess.outputs.require-result == 'false'
|
||||
run: |
|
||||
echo "${{ github.actor }} does not have permissions on this repo."
|
||||
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
||||
exit 1
|
||||
caller-a:
|
||||
needs: is-collaborator-a
|
||||
uses: TestOrg/TestRepo/.github/workflows/build.yml@main
|
||||
with:
|
||||
COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
|
||||
is-collaborator-b:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Get User Permission
|
||||
id: checkAccess
|
||||
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
||||
with:
|
||||
require: write
|
||||
username: ${{ github.actor }}
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Check User Permission
|
||||
if: steps.checkAccess.outputs.require-result == 'false'
|
||||
run: |
|
||||
echo "${{ github.actor }} does not have permissions on this repo."
|
||||
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
||||
exit 1
|
||||
caller-b:
|
||||
needs: is-collaborator-b
|
||||
uses: TestOrg/TestRepo/.github/workflows/build.yml@main
|
||||
with:
|
||||
COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
|
||||
@@ -93,8 +93,6 @@ edges
|
||||
| .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:20:9:25:6 | Uses Step |
|
||||
| .github/workflows/dependabot3.yml:20:9:25:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone |
|
||||
| .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:48:9:52:57 | Run Step |
|
||||
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:14:9:17:7 | Run Step |
|
||||
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/build_nested_branching.yml:11:9:19:6 | Uses Step: checkAccess | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build_nested_branching.yml:19:9:25:2 | Run Step |
|
||||
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:14:9:19:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step |
|
||||
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:25:9:70:20 | Run Step |
|
||||
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step |
|
||||
@@ -336,17 +334,6 @@ edges
|
||||
| .github/workflows/untrusted_checkout_6.yml:11:9:14:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:14:9:17:6 | Uses Step |
|
||||
| .github/workflows/untrusted_checkout_6.yml:14:9:17:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:17:9:21:6 | Uses Step |
|
||||
| .github/workflows/untrusted_checkout_6.yml:17:9:21:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:21:9:23:23 | Run Step |
|
||||
| .github/workflows/untrusted_checkout_no_needs.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_no_needs.yml:16:9:22:2 | Run Step |
|
||||
| .github/workflows/untrusted_checkout_no_needs.yml:26:9:31:6 | Uses Step | .github/workflows/untrusted_checkout_no_needs.yml:31:9:31:23 | Run Step |
|
||||
| .github/workflows/untrusted_checkout_permission_check_reusable2.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_permission_check_reusable2.yml:16:9:22:2 | Run Step |
|
||||
| .github/workflows/untrusted_checkout_permission_check_reusable.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_permission_check_reusable.yml:16:9:22:2 | Run Step |
|
||||
| .github/workflows/untrusted_checkout_permission_check_reusable_level2.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_permission_check_reusable_level2.yml:16:9:22:2 | Run Step |
|
||||
| .github/workflows/untrusted_checkout_permission_check_reusable_no_needs.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_permission_check_reusable_no_needs.yml:16:9:22:2 | Run Step |
|
||||
| .github/workflows/untrusted_checkout_permissions_check.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_permissions_check.yml:16:9:22:2 | Run Step |
|
||||
| .github/workflows/untrusted_checkout_permissions_check.yml:26:9:31:6 | Uses Step | .github/workflows/untrusted_checkout_permissions_check.yml:31:9:32:2 | Run Step |
|
||||
| .github/workflows/untrusted_checkout_permissions_check.yml:36:9:41:6 | Uses Step | .github/workflows/untrusted_checkout_permissions_check.yml:41:9:41:22 | Run Step |
|
||||
| .github/workflows/untrusted_checkout_two_callers_both_protected.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_two_callers_both_protected.yml:16:9:22:2 | Run Step |
|
||||
| .github/workflows/untrusted_checkout_two_callers_both_protected.yml:30:9:38:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_two_callers_both_protected.yml:38:9:44:2 | Run Step |
|
||||
| .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step |
|
||||
| .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step |
|
||||
| .github/workflows/workflow_run_untrusted_checkout_3.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_3.yml:16:9:18:31 | Uses Step |
|
||||
@@ -357,9 +344,6 @@ edges
|
||||
| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:14:9:17:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout_permission_check_reusable2.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:14:9:17:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout_permission_check_reusable_branching_nested.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:14:9:17:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout_permission_check_reusable_no_needs.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/label_trusted_checkout2.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||
@@ -393,5 +377,3 @@ edges
|
||||
| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment |
|
||||
| .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/untrusted_checkout_no_needs.yml:26:9:31:6 | Uses Step | .github/workflows/untrusted_checkout_no_needs.yml:26:9:31:6 | Uses Step | .github/workflows/untrusted_checkout_no_needs.yml:31:9:31:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout_no_needs.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||
| .github/workflows/untrusted_checkout_permissions_check.yml:36:9:41:6 | Uses Step | .github/workflows/untrusted_checkout_permissions_check.yml:36:9:41:6 | Uses Step | .github/workflows/untrusted_checkout_permissions_check.yml:41:9:41:22 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout_permissions_check.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||
|
||||
@@ -1,20 +1,3 @@
|
||||
## 11.0.0
|
||||
|
||||
### Breaking Changes
|
||||
|
||||
* Removed the deprecated `overrideReturnsNull` predicate from `Options.qll`. Use `CustomOptions.overrideReturnsNull` instead.
|
||||
* Removed the deprecated `returnsNull` predicate from `Options.qll`. Use `CustomOptions.returnsNull` instead.
|
||||
* Removed the deprecated `exits` predicate from `Options.qll`. Use `CustomOptions.exits` instead.
|
||||
* Removed the deprecated `exprExits` predicate from `Options.qll`. Use `CustomOptions.exprExits` instead.
|
||||
* Removed the deprecated `alwaysCheckReturnValue` predicate from `Options.qll`. Use `CustomOptions.alwaysCheckReturnValue` instead.
|
||||
* Removed the deprecated `okToIgnoreReturnValue` predicate from `Options.qll`. Use `CustomOptions.okToIgnoreReturnValue` instead.
|
||||
* Removed the deprecated `semmle.code.cpp.Member`. Import `semmle.code.cpp.Element` and/or `semmle.code.cpp.Type` directly.
|
||||
* Removed the deprecated `UnknownDefaultLocation` class. Use `UnknownLocation` instead.
|
||||
* Removed the deprecated `UnknownExprLocation` class. Use `UnknownLocation` instead.
|
||||
* Removed the deprecated `UnknownStmtLocation` class. Use `UnknownLocation` instead.
|
||||
* Removed the deprecated `TemplateParameter` class. Use `TypeTemplateParameter` instead.
|
||||
* Support for class resolution across link targets has been removed for databases which were created with CodeQL versions before 1.23.0.
|
||||
|
||||
## 10.2.0
|
||||
|
||||
### Deprecated APIs
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
## 11.0.0
|
||||
|
||||
### Breaking Changes
|
||||
|
||||
---
|
||||
category: breaking
|
||||
---
|
||||
* Removed the deprecated `overrideReturnsNull` predicate from `Options.qll`. Use `CustomOptions.overrideReturnsNull` instead.
|
||||
* Removed the deprecated `returnsNull` predicate from `Options.qll`. Use `CustomOptions.returnsNull` instead.
|
||||
* Removed the deprecated `exits` predicate from `Options.qll`. Use `CustomOptions.exits` instead.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 11.0.0
|
||||
lastReleaseVersion: 10.2.0
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/cpp-all
|
||||
version: 11.0.1-dev
|
||||
version: 10.2.1-dev
|
||||
groups: cpp
|
||||
dbscheme: semmlecode.cpp.dbscheme
|
||||
extractor: cpp
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
## 1.6.5
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.6.4
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
## 1.6.5
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.6.5
|
||||
lastReleaseVersion: 1.6.4
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/cpp-queries
|
||||
version: 1.6.6-dev
|
||||
version: 1.6.5-dev
|
||||
groups:
|
||||
- cpp
|
||||
- queries
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
## 1.7.69
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.7.68
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
## 1.7.69
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.7.69
|
||||
lastReleaseVersion: 1.7.68
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-solorigate-all
|
||||
version: 1.7.70-dev
|
||||
version: 1.7.69-dev
|
||||
groups:
|
||||
- csharp
|
||||
- solorigate
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
## 1.7.69
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.7.68
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
## 1.7.69
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.7.69
|
||||
lastReleaseVersion: 1.7.68
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-solorigate-queries
|
||||
version: 1.7.70-dev
|
||||
version: 1.7.69-dev
|
||||
groups:
|
||||
- csharp
|
||||
- solorigate
|
||||
|
||||
@@ -1,19 +1,3 @@
|
||||
## 7.0.0
|
||||
|
||||
### Breaking Changes
|
||||
|
||||
* Renamed types related to *operation* expressions. The QL classes `BinaryArithmeticOperation`, `BinaryBitwiseOperation`, and `BinaryLogicalOperation` now include compound assignments; for example, `BinaryArithmeticOperation` now includes `a += b`.
|
||||
|
||||
### Major Analysis Improvements
|
||||
|
||||
* Added Razor Page handler method parameters (e.g., `OnGet`, `OnPost`, `OnPostAsync`) as remote flow sources, enabling security queries such as `cs/sql-injection` to detect vulnerabilities in `PageModel` subclasses.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Improved property and indexer call target resolution for partially overridden properties and indexers.
|
||||
* Improved extraction of range-access expressions on spans and strings (for example, `a[0..3]`). These expressions are now extracted as `Slice` (span) or `Substring` (string) calls.
|
||||
* Improved call target resolution for ref-return properties and indexers.
|
||||
|
||||
## 6.0.2
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Improved call target resolution for ref-return properties and indexers.
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Improved extraction of range-access expressions on spans and strings (for example, `a[0..3]`). These expressions are now extracted as `Slice` (span) or `Substring` (string) calls.
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Improved property and indexer call target resolution for partially overridden properties and indexers.
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: majorAnalysis
|
||||
---
|
||||
* Added Razor Page handler method parameters (e.g., `OnGet`, `OnPost`, `OnPostAsync`) as remote flow sources, enabling security queries such as `cs/sql-injection` to detect vulnerabilities in `PageModel` subclasses.
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: breaking
|
||||
---
|
||||
* Renamed types related to *operation* expressions. The QL classes `BinaryArithmeticOperation`, `BinaryBitwiseOperation`, and `BinaryLogicalOperation` now include compound assignments; for example, `BinaryArithmeticOperation` now includes `a += b`.
|
||||
@@ -1,15 +0,0 @@
|
||||
## 7.0.0
|
||||
|
||||
### Breaking Changes
|
||||
|
||||
* Renamed types related to *operation* expressions. The QL classes `BinaryArithmeticOperation`, `BinaryBitwiseOperation`, and `BinaryLogicalOperation` now include compound assignments; for example, `BinaryArithmeticOperation` now includes `a += b`.
|
||||
|
||||
### Major Analysis Improvements
|
||||
|
||||
* Added Razor Page handler method parameters (e.g., `OnGet`, `OnPost`, `OnPostAsync`) as remote flow sources, enabling security queries such as `cs/sql-injection` to detect vulnerabilities in `PageModel` subclasses.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Improved property and indexer call target resolution for partially overridden properties and indexers.
|
||||
* Improved extraction of range-access expressions on spans and strings (for example, `a[0..3]`). These expressions are now extracted as `Slice` (span) or `Substring` (string) calls.
|
||||
* Improved call target resolution for ref-return properties and indexers.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 7.0.0
|
||||
lastReleaseVersion: 6.0.2
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-all
|
||||
version: 7.0.1-dev
|
||||
version: 6.0.3-dev
|
||||
groups: csharp
|
||||
dbscheme: semmlecode.csharp.dbscheme
|
||||
extractor: csharp
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
## 1.7.5
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.7.4
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -14,6 +14,54 @@
|
||||
|
||||
import csharp
|
||||
|
||||
/**
|
||||
* Gets a callable that either directly captures local variable `v`, or which
|
||||
* is enclosed by the callable that declares `v` and encloses a callable that
|
||||
* captures `v`.
|
||||
*/
|
||||
Callable getACapturingCallableAncestor(LocalVariable v) {
|
||||
result = v.getACapturingCallable()
|
||||
or
|
||||
exists(Callable mid | mid = getACapturingCallableAncestor(v) |
|
||||
result = mid.getEnclosingCallable() and
|
||||
not v.getEnclosingCallable() = result
|
||||
)
|
||||
}
|
||||
|
||||
Expr getADelegateExpr(Callable c) {
|
||||
c = result.(CallableAccess).getTarget()
|
||||
or
|
||||
result = c.(AnonymousFunctionExpr)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `c` is a call where any delegate argument is evaluated immediately.
|
||||
*/
|
||||
predicate nonEscapingCall(Call c) {
|
||||
exists(string name | c.getTarget().hasName(name) |
|
||||
name =
|
||||
[
|
||||
"ForEach", "Count", "Any", "All", "Average", "Aggregate", "First", "Last", "FirstOrDefault",
|
||||
"LastOrDefault", "LongCount", "Max", "Single", "SingleOrDefault", "Sum"
|
||||
]
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `v` is a captured local variable, and one of the callables capturing
|
||||
* `v` may escape the local scope.
|
||||
*/
|
||||
predicate mayEscape(LocalVariable v) {
|
||||
exists(Callable c, Expr e, Expr succ | c = getACapturingCallableAncestor(v) |
|
||||
e = getADelegateExpr(c) and
|
||||
DataFlow::localExprFlow(e, succ) and
|
||||
not succ = any(DelegateCall dc).getExpr() and
|
||||
not succ = any(Cast cast).getExpr() and
|
||||
not succ = any(Call call | nonEscapingCall(call)).getAnArgument() and
|
||||
not succ = any(AssignableDefinition ad | ad.getTarget() instanceof LocalVariable).getSource()
|
||||
)
|
||||
}
|
||||
|
||||
class RelevantDefinition extends AssignableDefinition {
|
||||
RelevantDefinition() {
|
||||
this.(AssignableDefinitions::AssignmentDefinition).getAssignment() =
|
||||
@@ -46,6 +94,8 @@ class RelevantDefinition extends AssignableDefinition {
|
||||
// SSA definitions are only created for live variables
|
||||
this = any(SsaExplicitWrite ssaDef).getDefinition()
|
||||
or
|
||||
mayEscape(v)
|
||||
or
|
||||
v.isCaptured()
|
||||
)
|
||||
}
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
## 1.7.5
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.7.5
|
||||
lastReleaseVersion: 1.7.4
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-queries
|
||||
version: 1.7.6-dev
|
||||
version: 1.7.5-dev
|
||||
groups:
|
||||
- csharp
|
||||
- queries
|
||||
|
||||
@@ -10,7 +10,7 @@ toolchain go1.26.4
|
||||
// bazel mod tidy
|
||||
require (
|
||||
golang.org/x/mod v0.37.0
|
||||
golang.org/x/tools v0.47.0
|
||||
golang.org/x/tools v0.46.0
|
||||
)
|
||||
|
||||
require github.com/stretchr/testify v1.11.1
|
||||
|
||||
@@ -10,8 +10,8 @@ golang.org/x/mod v0.37.0 h1:vF1DjpVEshcIqoEaauuHebaLk1O1forxjxBaVn884JQ=
|
||||
golang.org/x/mod v0.37.0/go.mod h1:m8S8VeM9r4dzDwjrKO0a1sZP3YjeMamRRlD+fmR2Q/0=
|
||||
golang.org/x/sync v0.21.0 h1:HLII4xRRTtCRkxYp4HNFF0Js/Og6q2i++KXbg0gHCwM=
|
||||
golang.org/x/sync v0.21.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
|
||||
golang.org/x/tools v0.47.0 h1:7Kn5x/d1svx/PzryTsqeoZN4TZwqeH5pGWjefhLi/1Q=
|
||||
golang.org/x/tools v0.47.0/go.mod h1:dFHnyTvFWY212G+h7ZY4Vsp/K3U4/7W9TyVaAul8uCA=
|
||||
golang.org/x/tools v0.46.0 h1:7jTurBkPZu4moS/Uy4OQT1M+QBlsj3wejyZwsT8Z7rk=
|
||||
golang.org/x/tools v0.46.0/go.mod h1:FrD85F8l+NWL+9XWBSyVSHO6Ne4jutsfIFba7AWQ5Ys=
|
||||
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
|
||||
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
## 1.0.52
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.0.51
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
## 1.0.52
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.0.52
|
||||
lastReleaseVersion: 1.0.51
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql-go-consistency-queries
|
||||
version: 1.0.53-dev
|
||||
version: 1.0.52-dev
|
||||
groups:
|
||||
- go
|
||||
- queries
|
||||
|
||||
@@ -1,20 +1,3 @@
|
||||
## 7.2.0
|
||||
|
||||
### Deprecated APIs
|
||||
|
||||
* `FuncTypeExpr.getResultDecl()` has been deprecated. Use `FuncTypeExpr.getResultDecl(int i)` instead.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Added models for the `log/slog` package (Go 1.21+). Its logging functions and
|
||||
`*slog.Logger` methods (`Debug`/`Info`/`Warn`/`Error`, their `Context`
|
||||
variants, and `Log`/`LogAttrs`) are now recognized as logging sinks, so the
|
||||
`go/log-injection` and `go/clear-text-logging` queries cover code that logs
|
||||
through `slog`.
|
||||
* `DataFlow::ResultNode`s are no longer created for returned expressions in functions with named result parameters. In this case there are already result nodes corresponding to `IR::ReadResultInstruction`s at the end of the function body.
|
||||
* `FuncTypeExpr.getNumResult()` now gets the number of result parameters. It previously got the number of result declarations, which is different when one result declaration declares more than one variable, as in `x, y int`. All uses of it expected the number of result parameters. Its QLDoc has been updated.
|
||||
* More logging functions are now recognized as not returning or panicking.
|
||||
|
||||
## 7.1.2
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* More logging functions are now recognized as not returning or panicking.
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: deprecated
|
||||
---
|
||||
* `FuncTypeExpr.getResultDecl()` has been deprecated. Use `FuncTypeExpr.getResultDecl(int i)` instead.
|
||||
4
go/ql/lib/change-notes/2026-06-08-fix-result-nodes.md
Normal file
4
go/ql/lib/change-notes/2026-06-08-fix-result-nodes.md
Normal file
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* `DataFlow::ResultNode`s are no longer created for returned expressions in functions with named result parameters. In this case there are already result nodes corresponding to `IR::ReadResultInstruction`s at the end of the function body.
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* `FuncTypeExpr.getNumResult()` now gets the number of result parameters. It previously got the number of result declarations, which is different when one result declaration declares more than one variable, as in `x, y int`. All uses of it expected the number of result parameters. Its QLDoc has been updated.
|
||||
8
go/ql/lib/change-notes/2026-06-17-model-log-slog.md
Normal file
8
go/ql/lib/change-notes/2026-06-17-model-log-slog.md
Normal file
@@ -0,0 +1,8 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added models for the `log/slog` package (Go 1.21+). Its logging functions and
|
||||
`*slog.Logger` methods (`Debug`/`Info`/`Warn`/`Error`, their `Context`
|
||||
variants, and `Log`/`LogAttrs`) are now recognized as logging sinks, so the
|
||||
`go/log-injection` and `go/clear-text-logging` queries cover code that logs
|
||||
through `slog`.
|
||||
@@ -1,16 +0,0 @@
|
||||
## 7.2.0
|
||||
|
||||
### Deprecated APIs
|
||||
|
||||
* `FuncTypeExpr.getResultDecl()` has been deprecated. Use `FuncTypeExpr.getResultDecl(int i)` instead.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Added models for the `log/slog` package (Go 1.21+). Its logging functions and
|
||||
`*slog.Logger` methods (`Debug`/`Info`/`Warn`/`Error`, their `Context`
|
||||
variants, and `Log`/`LogAttrs`) are now recognized as logging sinks, so the
|
||||
`go/log-injection` and `go/clear-text-logging` queries cover code that logs
|
||||
through `slog`.
|
||||
* `DataFlow::ResultNode`s are no longer created for returned expressions in functions with named result parameters. In this case there are already result nodes corresponding to `IR::ReadResultInstruction`s at the end of the function body.
|
||||
* `FuncTypeExpr.getNumResult()` now gets the number of result parameters. It previously got the number of result declarations, which is different when one result declaration declares more than one variable, as in `x, y int`. All uses of it expected the number of result parameters. Its QLDoc has been updated.
|
||||
* More logging functions are now recognized as not returning or panicking.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 7.2.0
|
||||
lastReleaseVersion: 7.1.2
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/go-all
|
||||
version: 7.2.1-dev
|
||||
version: 7.1.3-dev
|
||||
groups: go
|
||||
dbscheme: go.dbscheme
|
||||
extractor: go
|
||||
|
||||
@@ -33,11 +33,9 @@ module StoredXss {
|
||||
walkFn.getACall().getArgument(1) = f.getASuccessor*()
|
||||
)
|
||||
or
|
||||
// The return value of a call to `os.DirEntry.Name`, `os.FileInfo.Name`
|
||||
// or `os.File.ReadDirNames`.
|
||||
exists(DataFlow::CallNode cn, Method m | m = cn.getTarget() and this = cn.getResult(0) |
|
||||
m.implements("io/fs", ["DirEntry", "FileInfo"], "Name") or
|
||||
m.hasQualifiedName("os", "File", "ReadDirNames")
|
||||
// A call to os.FileInfo.Name
|
||||
exists(Method m | m.implements("io/fs", "FileInfo", "Name") |
|
||||
m = this.(DataFlow::CallNode).getTarget()
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,9 +1,3 @@
|
||||
## 1.6.5
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The query `go/unhandled-writable-file-close` ("Writable file handle closed without error handling") now produces fewer false positives. A deferred call to `Close` that is preceded on every execution path by a handled call to `Sync` on the same file handle is no longer flagged.
|
||||
|
||||
## 1.6.4
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
## 1.6.5
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The query `go/unhandled-writable-file-close` ("Writable file handle closed without error handling") now produces fewer false positives. A deferred call to `Close` that is preceded on every execution path by a handled call to `Sync` on the same file handle is no longer flagged.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.6.5
|
||||
lastReleaseVersion: 1.6.4
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/go-queries
|
||||
version: 1.6.6-dev
|
||||
version: 1.6.5-dev
|
||||
groups:
|
||||
- go
|
||||
- queries
|
||||
|
||||
@@ -156,3 +156,12 @@ nodes
|
||||
| websocketXss.go:54:3:54:38 | ... := ...[1] | semmle.label | ... := ...[1] |
|
||||
| websocketXss.go:55:24:55:31 | gorilla3 | semmle.label | gorilla3 |
|
||||
subpaths
|
||||
testFailures
|
||||
| websocketXss.go:30:32:30:60 | comment | Missing result: Source[go/reflected-xss] |
|
||||
| websocketXss.go:31:11:31:14 | xnet [postupdate] | Unexpected result: Source |
|
||||
| websocketXss.go:34:30:34:58 | comment | Missing result: Source[go/reflected-xss] |
|
||||
| websocketXss.go:35:21:35:25 | xnet2 [postupdate] | Unexpected result: Source |
|
||||
| websocketXss.go:46:38:46:66 | comment | Missing result: Source[go/reflected-xss] |
|
||||
| websocketXss.go:47:26:47:35 | gorillaMsg [postupdate] | Unexpected result: Source |
|
||||
| websocketXss.go:50:33:50:61 | comment | Missing result: Source[go/reflected-xss] |
|
||||
| websocketXss.go:51:17:51:24 | gorilla2 [postupdate] | Unexpected result: Source |
|
||||
|
||||
@@ -1,9 +1,7 @@
|
||||
#select
|
||||
| StoredXss.go:13:21:13:36 | ...+... | StoredXss.go:13:21:13:31 | call to Name | StoredXss.go:13:21:13:36 | ...+... | Stored cross-site scripting vulnerability due to $@. | StoredXss.go:13:21:13:31 | call to Name | stored value |
|
||||
| stored.go:30:22:30:25 | name | stored.go:18:3:18:28 | ... := ...[0] | stored.go:30:22:30:25 | name | Stored cross-site scripting vulnerability due to $@. | stored.go:18:3:18:28 | ... := ...[0] | stored value |
|
||||
| stored.go:61:22:61:25 | path | stored.go:59:30:59:33 | SSA def(path) | stored.go:61:22:61:25 | path | Stored cross-site scripting vulnerability due to $@. | stored.go:59:30:59:33 | SSA def(path) | stored value |
|
||||
edges
|
||||
| StoredXss.go:13:21:13:31 | call to Name | StoredXss.go:13:21:13:36 | ...+... | provenance | |
|
||||
| stored.go:18:3:18:28 | ... := ...[0] | stored.go:25:14:25:17 | rows | provenance | Src:MaD:1 |
|
||||
| stored.go:25:14:25:17 | rows | stored.go:25:29:25:33 | &... [postupdate] | provenance | FunctionModel |
|
||||
| stored.go:25:29:25:33 | &... [postupdate] | stored.go:30:22:30:25 | name | provenance | |
|
||||
@@ -11,8 +9,6 @@ edges
|
||||
models
|
||||
| 1 | Source: database/sql; DB; true; Query; ; ; ReturnValue[0]; database; manual |
|
||||
nodes
|
||||
| StoredXss.go:13:21:13:31 | call to Name | semmle.label | call to Name |
|
||||
| StoredXss.go:13:21:13:36 | ...+... | semmle.label | ...+... |
|
||||
| stored.go:18:3:18:28 | ... := ...[0] | semmle.label | ... := ...[0] |
|
||||
| stored.go:25:14:25:17 | rows | semmle.label | rows |
|
||||
| stored.go:25:29:25:33 | &... [postupdate] | semmle.label | &... [postupdate] |
|
||||
@@ -20,3 +16,5 @@ nodes
|
||||
| stored.go:59:30:59:33 | SSA def(path) | semmle.label | SSA def(path) |
|
||||
| stored.go:61:22:61:25 | path | semmle.label | path |
|
||||
subpaths
|
||||
testFailures
|
||||
| StoredXss.go:13:39:13:63 | comment | Missing result: Alert[go/stored-xss] |
|
||||
|
||||
@@ -27,12 +27,12 @@ func xss(w http.ResponseWriter, r *http.Request) {
|
||||
origin := "test"
|
||||
{
|
||||
ws, _ := websocket.Dial(uri, "", origin)
|
||||
var xnet = make([]byte, 512)
|
||||
ws.Read(xnet) // $ Source[go/reflected-xss]
|
||||
var xnet = make([]byte, 512) // $ Source[go/reflected-xss]
|
||||
ws.Read(xnet)
|
||||
fmt.Fprintf(w, "%v", xnet) // $ Alert[go/reflected-xss]
|
||||
codec := &websocket.Codec{Marshal: marshal, Unmarshal: unmarshal}
|
||||
xnet2 := make([]byte, 512)
|
||||
codec.Receive(ws, xnet2) // $ Source[go/reflected-xss]
|
||||
xnet2 := make([]byte, 512) // $ Source[go/reflected-xss]
|
||||
codec.Receive(ws, xnet2)
|
||||
fmt.Fprintf(w, "%v", xnet2) // $ Alert[go/reflected-xss]
|
||||
}
|
||||
{
|
||||
@@ -43,12 +43,12 @@ func xss(w http.ResponseWriter, r *http.Request) {
|
||||
{
|
||||
dialer := gorilla.Dialer{}
|
||||
conn, _, _ := dialer.Dial(uri, nil)
|
||||
var gorillaMsg = make([]byte, 512)
|
||||
gorilla.ReadJSON(conn, gorillaMsg) // $ Source[go/reflected-xss]
|
||||
fmt.Fprintf(w, "%v", gorillaMsg) // $ Alert[go/reflected-xss]
|
||||
var gorillaMsg = make([]byte, 512) // $ Source[go/reflected-xss]
|
||||
gorilla.ReadJSON(conn, gorillaMsg)
|
||||
fmt.Fprintf(w, "%v", gorillaMsg) // $ Alert[go/reflected-xss]
|
||||
|
||||
gorilla2 := make([]byte, 512)
|
||||
conn.ReadJSON(gorilla2) // $ Source[go/reflected-xss]
|
||||
gorilla2 := make([]byte, 512) // $ Source[go/reflected-xss]
|
||||
conn.ReadJSON(gorilla2)
|
||||
fmt.Fprintf(w, "%v", gorilla2) // $ Alert[go/reflected-xss]
|
||||
|
||||
_, gorilla3, _ := conn.ReadMessage() // $ Source[go/reflected-xss]
|
||||
|
||||
@@ -14,9 +14,7 @@ pluginManagement {
|
||||
repositories {
|
||||
gradlePluginPortal()
|
||||
google()
|
||||
maven {
|
||||
url = 'https://maven-central.storage-download.googleapis.com/maven2/'
|
||||
}
|
||||
mavenCentral()
|
||||
}
|
||||
}
|
||||
dependencyResolutionManagement {
|
||||
@@ -35,9 +33,7 @@ dependencyResolutionManagement {
|
||||
repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
|
||||
repositories {
|
||||
google()
|
||||
maven {
|
||||
url = 'https://maven-central.storage-download.googleapis.com/maven2/'
|
||||
}
|
||||
mavenCentral()
|
||||
}
|
||||
}
|
||||
rootProject.name = "Android Sample"
|
||||
|
||||
@@ -14,9 +14,7 @@ pluginManagement {
|
||||
repositories {
|
||||
gradlePluginPortal()
|
||||
google()
|
||||
maven {
|
||||
url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
|
||||
}
|
||||
mavenCentral()
|
||||
}
|
||||
}
|
||||
dependencyResolutionManagement {
|
||||
@@ -35,9 +33,7 @@ dependencyResolutionManagement {
|
||||
repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
|
||||
repositories {
|
||||
google()
|
||||
maven {
|
||||
url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
|
||||
}
|
||||
mavenCentral()
|
||||
}
|
||||
}
|
||||
rootProject.name = "Android Sample"
|
||||
|
||||
@@ -14,9 +14,7 @@ pluginManagement {
|
||||
repositories {
|
||||
gradlePluginPortal()
|
||||
google()
|
||||
maven {
|
||||
url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
|
||||
}
|
||||
mavenCentral()
|
||||
}
|
||||
}
|
||||
dependencyResolutionManagement {
|
||||
@@ -35,9 +33,7 @@ dependencyResolutionManagement {
|
||||
repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
|
||||
repositories {
|
||||
google()
|
||||
maven {
|
||||
url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
|
||||
}
|
||||
mavenCentral()
|
||||
}
|
||||
}
|
||||
rootProject.name = "Android Sample"
|
||||
|
||||
@@ -14,9 +14,7 @@ pluginManagement {
|
||||
repositories {
|
||||
gradlePluginPortal()
|
||||
google()
|
||||
maven {
|
||||
url = 'https://maven-central.storage-download.googleapis.com/maven2/'
|
||||
}
|
||||
mavenCentral()
|
||||
}
|
||||
}
|
||||
dependencyResolutionManagement {
|
||||
@@ -35,9 +33,7 @@ dependencyResolutionManagement {
|
||||
repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
|
||||
repositories {
|
||||
google()
|
||||
maven {
|
||||
url = 'https://maven-central.storage-download.googleapis.com/maven2/'
|
||||
}
|
||||
mavenCentral()
|
||||
}
|
||||
}
|
||||
rootProject.name = "Android Sample"
|
||||
|
||||
@@ -13,9 +13,7 @@ buildscript {
|
||||
|
||||
repositories {
|
||||
google()
|
||||
maven {
|
||||
url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
|
||||
}
|
||||
jcenter()
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -41,8 +39,6 @@ buildscript {
|
||||
allprojects {
|
||||
repositories {
|
||||
google()
|
||||
maven {
|
||||
url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
|
||||
}
|
||||
jcenter()
|
||||
}
|
||||
}
|
||||
|
||||
@@ -13,9 +13,7 @@ buildscript {
|
||||
|
||||
repositories {
|
||||
google()
|
||||
maven {
|
||||
url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
|
||||
}
|
||||
jcenter()
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -41,8 +39,6 @@ buildscript {
|
||||
allprojects {
|
||||
repositories {
|
||||
google()
|
||||
maven {
|
||||
url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
|
||||
}
|
||||
jcenter()
|
||||
}
|
||||
}
|
||||
|
||||
@@ -13,9 +13,7 @@ buildscript {
|
||||
|
||||
repositories {
|
||||
google()
|
||||
maven {
|
||||
url = 'https://maven-central.storage-download.googleapis.com/maven2/'
|
||||
}
|
||||
jcenter()
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -41,8 +39,6 @@ buildscript {
|
||||
allprojects {
|
||||
repositories {
|
||||
google()
|
||||
maven {
|
||||
url = 'https://maven-central.storage-download.googleapis.com/maven2/'
|
||||
}
|
||||
jcenter()
|
||||
}
|
||||
}
|
||||
|
||||
@@ -13,9 +13,7 @@ buildscript {
|
||||
|
||||
repositories {
|
||||
google()
|
||||
maven {
|
||||
url = 'https://maven-central.storage-download.googleapis.com/maven2/'
|
||||
}
|
||||
jcenter()
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -34,15 +32,13 @@ buildscript {
|
||||
* dependencies used by all modules in your project, such as third-party plugins
|
||||
* or libraries. However, you should configure module-specific dependencies in
|
||||
* each module-level build.gradle file. For new projects, Android Studio
|
||||
* includes Maven Central and Google's Maven repository by default, but it does not
|
||||
* includes JCenter and Google's Maven repository by default, but it does not
|
||||
* configure any dependencies (unless you select a template that requires some).
|
||||
*/
|
||||
|
||||
allprojects {
|
||||
repositories {
|
||||
google()
|
||||
maven {
|
||||
url = 'https://maven-central.storage-download.googleapis.com/maven2/'
|
||||
}
|
||||
jcenter()
|
||||
}
|
||||
}
|
||||
|
||||
@@ -14,9 +14,7 @@ pluginManagement {
|
||||
repositories {
|
||||
gradlePluginPortal()
|
||||
google()
|
||||
maven {
|
||||
url = 'https://maven-central.storage-download.googleapis.com/maven2/'
|
||||
}
|
||||
mavenCentral()
|
||||
}
|
||||
}
|
||||
dependencyResolutionManagement {
|
||||
@@ -35,9 +33,7 @@ dependencyResolutionManagement {
|
||||
repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
|
||||
repositories {
|
||||
google()
|
||||
maven {
|
||||
url = 'https://maven-central.storage-download.googleapis.com/maven2/'
|
||||
}
|
||||
mavenCentral()
|
||||
}
|
||||
}
|
||||
rootProject.name = "Android Sample"
|
||||
|
||||
@@ -8,9 +8,7 @@
|
||||
apply plugin: 'java-library'
|
||||
|
||||
repositories {
|
||||
maven {
|
||||
url = 'https://maven-central.storage-download.googleapis.com/maven2/'
|
||||
}
|
||||
mavenCentral()
|
||||
}
|
||||
|
||||
dependencies {
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
https://maven-central.storage-download.googleapis.com/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
|
||||
https://maven-central.storage-download.googleapis.com/maven2/org/apiguardian/apiguardian-api/1.1.2/apiguardian-api-1.1.2.jar
|
||||
https://maven-central.storage-download.googleapis.com/maven2/org/junit/jupiter/junit-jupiter-api/5.12.1/junit-jupiter-api-5.12.1.jar
|
||||
https://maven-central.storage-download.googleapis.com/maven2/org/junit/platform/junit-platform-commons/1.12.1/junit-platform-commons-1.12.1.jar
|
||||
https://maven-central.storage-download.googleapis.com/maven2/org/opentest4j/opentest4j/1.3.0/opentest4j-1.3.0.jar
|
||||
https://repo.maven.apache.org/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
|
||||
https://repo.maven.apache.org/maven2/org/apiguardian/apiguardian-api/1.1.2/apiguardian-api-1.1.2.jar
|
||||
https://repo.maven.apache.org/maven2/org/junit/jupiter/junit-jupiter-api/5.12.1/junit-jupiter-api-5.12.1.jar
|
||||
https://repo.maven.apache.org/maven2/org/junit/platform/junit-platform-commons/1.12.1/junit-platform-commons-1.12.1.jar
|
||||
https://repo.maven.apache.org/maven2/org/opentest4j/opentest4j/1.3.0/opentest4j-1.3.0.jar
|
||||
|
||||
@@ -8,9 +8,7 @@
|
||||
apply plugin: 'java-library'
|
||||
|
||||
repositories {
|
||||
maven {
|
||||
url = 'https://maven-central.storage-download.googleapis.com/maven2/'
|
||||
}
|
||||
mavenCentral()
|
||||
}
|
||||
|
||||
dependencies {
|
||||
|
||||
@@ -1,2 +1,2 @@
|
||||
https://maven-central.storage-download.googleapis.com/maven2/joda-time/joda-time/2.12.7/joda-time-2.12.7-no-tzdb.jar
|
||||
https://maven-central.storage-download.googleapis.com/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
|
||||
https://repo.maven.apache.org/maven2/joda-time/joda-time/2.12.7/joda-time-2.12.7-no-tzdb.jar
|
||||
https://repo.maven.apache.org/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
|
||||
|
||||
@@ -12,9 +12,9 @@ apply plugin: 'java'
|
||||
|
||||
// In this section you declare where to find the dependencies of your project
|
||||
repositories {
|
||||
maven {
|
||||
url = 'https://maven-central.storage-download.googleapis.com/maven2/'
|
||||
}
|
||||
// Use 'jcenter' for resolving your dependencies.
|
||||
// You can declare any Maven/Ivy/file repository here.
|
||||
jcenter()
|
||||
}
|
||||
|
||||
// In this section you declare the dependencies for your production and test code
|
||||
|
||||
@@ -8,9 +8,7 @@
|
||||
apply plugin: 'java-library'
|
||||
|
||||
repositories {
|
||||
maven {
|
||||
url = 'https://maven-central.storage-download.googleapis.com/maven2/'
|
||||
}
|
||||
mavenCentral()
|
||||
}
|
||||
|
||||
dependencies {
|
||||
|
||||
@@ -1 +1 @@
|
||||
https://maven-central.storage-download.googleapis.com/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
|
||||
https://repo.maven.apache.org/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
|
||||
|
||||
@@ -1,10 +0,0 @@
|
||||
<settings>
|
||||
<mirrors>
|
||||
<mirror>
|
||||
<id>google-maven-central</id>
|
||||
<name>GCS Maven Central mirror</name>
|
||||
<url>https://maven-central.storage-download.googleapis.com/maven2/</url>
|
||||
<mirrorOf>central</mirrorOf>
|
||||
</mirror>
|
||||
</mirrors>
|
||||
</settings>
|
||||
@@ -21,7 +21,6 @@ def test(codeql, java, cwd, check_diagnostics_java):
|
||||
_env={
|
||||
"MAVEN_OPTS": maven_opts,
|
||||
"CODEQL_JAVA_EXTRACTOR_TRUST_STORE_PATH": str(certspath),
|
||||
"LGTM_INDEX_MAVEN_SETTINGS_FILE": os.path.join(os.path.dirname(os.path.realpath(__file__)), "settings.xml"),
|
||||
},
|
||||
)
|
||||
finally:
|
||||
|
||||
@@ -1,5 +1,3 @@
|
||||
https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.jar
|
||||
https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
|
||||
https://repo.jenkins-ci.org/releases/org/jenkins-ci/main/jenkins-war/2.249/jenkins-war-2.249.war
|
||||
https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
|
||||
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
|
||||
@@ -12,7 +10,9 @@ https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-example_2.11/0.1.2/r
|
||||
https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-java-example_2.11/0.1.2/rx-redis-java-example_2.11-0.1.2.jar
|
||||
https://repo.maven.apache.org/maven2/io/github/scrollsyou/example-spring-boot-starter/1.0.0/example-spring-boot-starter-1.0.0.jar
|
||||
https://repo.maven.apache.org/maven2/io/streamnative/com/example/maven-central-template/server/3.0.0/server-3.0.0.jar
|
||||
https://repo.maven.apache.org/maven2/junit/junit/4.11/junit-4.11.jar
|
||||
https://repo.maven.apache.org/maven2/no/nav/security/token-validation-ktor-demo/3.1.0/token-validation-ktor-demo-3.1.0.jar
|
||||
https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
|
||||
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-fileupload/0.5.10/minijax-example-fileupload-0.5.10.jar
|
||||
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-inject/0.5.10/minijax-example-inject-0.5.10.jar
|
||||
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-json/0.5.10/minijax-example-json-0.5.10.jar
|
||||
|
||||
@@ -1,10 +0,0 @@
|
||||
<settings>
|
||||
<mirrors>
|
||||
<mirror>
|
||||
<id>google-maven-central</id>
|
||||
<name>GCS Maven Central mirror</name>
|
||||
<url>https://maven-central.storage-download.googleapis.com/maven2/</url>
|
||||
<mirrorOf>central</mirrorOf>
|
||||
</mirror>
|
||||
</mirrors>
|
||||
</settings>
|
||||
@@ -1,5 +1,4 @@
|
||||
pom.xml
|
||||
settings.xml
|
||||
src/main/java/com/example/App.java
|
||||
src/main/resources/my-app.properties
|
||||
src/main/resources/page.xml
|
||||
|
||||
@@ -1,10 +1,7 @@
|
||||
import os
|
||||
|
||||
def test(codeql, java, check_diagnostics_java):
|
||||
codeql.database.create(
|
||||
_env={
|
||||
"CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS": "true",
|
||||
"CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS_CLASSPATH_FROM_BUILD_FILES": "true",
|
||||
"LGTM_INDEX_MAVEN_SETTINGS_FILE": os.path.join(os.path.dirname(os.path.realpath(__file__)), "settings.xml"),
|
||||
}
|
||||
)
|
||||
|
||||
@@ -1,5 +1,3 @@
|
||||
https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.jar
|
||||
https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
|
||||
https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
|
||||
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
|
||||
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/example-project/1.5/example-project-1.5.jar
|
||||
@@ -11,7 +9,9 @@ https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-example_2.11/0.1.2/r
|
||||
https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-java-example_2.11/0.1.2/rx-redis-java-example_2.11-0.1.2.jar
|
||||
https://repo.maven.apache.org/maven2/io/github/scrollsyou/example-spring-boot-starter/1.0.0/example-spring-boot-starter-1.0.0.jar
|
||||
https://repo.maven.apache.org/maven2/io/streamnative/com/example/maven-central-template/server/3.0.0/server-3.0.0.jar
|
||||
https://repo.maven.apache.org/maven2/junit/junit/4.11/junit-4.11.jar
|
||||
https://repo.maven.apache.org/maven2/no/nav/security/token-validation-ktor-demo/3.1.0/token-validation-ktor-demo-3.1.0.jar
|
||||
https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
|
||||
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-fileupload/0.5.10/minijax-example-fileupload-0.5.10.jar
|
||||
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-inject/0.5.10/minijax-example-inject-0.5.10.jar
|
||||
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-json/0.5.10/minijax-example-json-0.5.10.jar
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user