mirror of
https://github.com/github/codeql.git
synced 2026-07-03 10:35:29 +02:00
Compare commits
2 Commits
codeql-cli
...
nickrolfe/
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
600a18943e | ||
|
|
6cfe351916 |
@@ -1,10 +1,3 @@
|
|||||||
## 0.4.38
|
|
||||||
|
|
||||||
### Bug Fixes
|
|
||||||
|
|
||||||
* GitHub Actions queries now better account for permission checks on jobs that call reusable workflows.
|
|
||||||
* The query `actions/pr-on-self-hosted-runner` was updated to the latest standard runner labels reducing false positive results.
|
|
||||||
|
|
||||||
## 0.4.37
|
## 0.4.37
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
### Minor Analysis Improvements
|
||||||
|
|||||||
@@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
category: fix
|
||||||
|
---
|
||||||
|
* The query `actions/pr-on-self-hosted-runner` was updated to the latest standard runner labels reducing false positive results.
|
||||||
@@ -1,6 +0,0 @@
|
|||||||
## 0.4.38
|
|
||||||
|
|
||||||
### Bug Fixes
|
|
||||||
|
|
||||||
* GitHub Actions queries now better account for permission checks on jobs that call reusable workflows.
|
|
||||||
* The query `actions/pr-on-self-hosted-runner` was updated to the latest standard runner labels reducing false positive results.
|
|
||||||
@@ -1,2 +1,2 @@
|
|||||||
---
|
---
|
||||||
lastReleaseVersion: 0.4.38
|
lastReleaseVersion: 0.4.37
|
||||||
|
|||||||
@@ -42,15 +42,6 @@ string actor_not_attacker_event() {
|
|||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* Gets the outer caller of `ej`, i.e. the `ExternalJob` that calls the
|
|
||||||
* reusable workflow containing `ej`. Used with transitive closure to
|
|
||||||
* walk up nested reusable workflow chains.
|
|
||||||
*/
|
|
||||||
private ExternalJob getAnOuterCaller(ExternalJob ej) {
|
|
||||||
result = ej.getEnclosingWorkflow().(ReusableWorkflow).getACaller()
|
|
||||||
}
|
|
||||||
|
|
||||||
/** An If node that contains an actor, user or label check */
|
/** An If node that contains an actor, user or label check */
|
||||||
abstract class ControlCheck extends AstNode {
|
abstract class ControlCheck extends AstNode {
|
||||||
ControlCheck() {
|
ControlCheck() {
|
||||||
@@ -62,170 +53,43 @@ abstract class ControlCheck extends AstNode {
|
|||||||
|
|
||||||
predicate protects(AstNode node, Event event, string category) {
|
predicate protects(AstNode node, Event event, string category) {
|
||||||
// The check dominates the step it should protect
|
// The check dominates the step it should protect
|
||||||
this.dominates(node, event) and
|
this.dominates(node) and
|
||||||
// The check is effective against the event and category
|
// The check is effective against the event and category
|
||||||
this.protectsCategoryAndEvent(category, event.getName()) and
|
this.protectsCategoryAndEvent(category, event.getName()) and
|
||||||
// The check can be triggered by the event
|
// The check can be triggered by the event
|
||||||
this.getATriggerEvent() = event and
|
this.getATriggerEvent() = event
|
||||||
// For reusable workflows, there must be no unprotected caller chain for this event.
|
|
||||||
(
|
|
||||||
not node.getEnclosingWorkflow() instanceof ReusableWorkflow
|
|
||||||
or
|
|
||||||
this.dominatesSameWorkflow(node, event)
|
|
||||||
or
|
|
||||||
not exists(ExternalJob directCaller |
|
|
||||||
directCaller = node.getEnclosingWorkflow().(ReusableWorkflow).getACaller() and
|
|
||||||
unprotectedCallerChain(directCaller, event, category)
|
|
||||||
)
|
|
||||||
)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
predicate dominates(AstNode node) {
|
||||||
* Holds if this control check must execute and pass before `node` can run.
|
|
||||||
*/
|
|
||||||
predicate dominates(AstNode node, Event event) {
|
|
||||||
this.dominatesSameWorkflow(node, event)
|
|
||||||
or
|
|
||||||
// When the node is inside a reusable workflow,
|
|
||||||
// this check dominates via at least one caller chain.
|
|
||||||
this.dominatesViaCaller(node, event, _)
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Holds if this control check dominates `node` within the same workflow.
|
|
||||||
*/
|
|
||||||
predicate dominatesSameWorkflow(AstNode node, Event event) {
|
|
||||||
this.getATriggerEvent() = event and
|
|
||||||
(
|
|
||||||
// Step-level: the check is an `if:` on the step containing `node`,
|
|
||||||
// or on the enclosing job, or on a needed job/step.
|
|
||||||
this instanceof If and
|
|
||||||
(
|
|
||||||
node.getEnclosingStep().getIf() = this or
|
|
||||||
node.getEnclosingJob().getIf() = this or
|
|
||||||
node.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this or
|
|
||||||
node.getEnclosingJob().getANeededJob().(LocalJob).getIf() = this
|
|
||||||
)
|
|
||||||
or
|
|
||||||
// Job-level: the check is an environment on the enclosing job or a needed job.
|
|
||||||
this instanceof Environment and
|
|
||||||
(
|
|
||||||
node.getEnclosingJob().getEnvironment() = this
|
|
||||||
or
|
|
||||||
node.getEnclosingJob().getANeededJob().getEnvironment() = this
|
|
||||||
)
|
|
||||||
or
|
|
||||||
// Step-level: the check is a Run/UsesStep that precedes `node`'s step
|
|
||||||
// in the same job, or is a step in a needed job.
|
|
||||||
(
|
|
||||||
this instanceof Run or
|
|
||||||
this instanceof UsesStep
|
|
||||||
) and
|
|
||||||
(
|
|
||||||
this.(Step).getAFollowingStep() = node.getEnclosingStep()
|
|
||||||
or
|
|
||||||
node.getEnclosingJob().getANeededJob().(LocalJob).getAStep() = this
|
|
||||||
)
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Holds if this control check dominates `node` in a reusable workflow
|
|
||||||
* via the caller chain starting at `directCaller`.
|
|
||||||
*/
|
|
||||||
predicate dominatesViaCaller(AstNode node, Event event, ExternalJob directCaller) {
|
|
||||||
directCaller = node.getEnclosingWorkflow().(ReusableWorkflow).getACaller() and
|
|
||||||
directCaller.getATriggerEvent() = event and
|
|
||||||
exists(ExternalJob caller |
|
|
||||||
caller = getAnOuterCaller*(directCaller) and
|
|
||||||
this.dominatesCaller(caller)
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Holds if this control check directly dominates `caller`.
|
|
||||||
*/
|
|
||||||
predicate dominatesCaller(ExternalJob caller) {
|
|
||||||
this instanceof If and
|
this instanceof If and
|
||||||
(
|
(
|
||||||
caller.getIf() = this or
|
node.getEnclosingStep().getIf() = this or
|
||||||
caller.getANeededJob().(LocalJob).getIf() = this or
|
node.getEnclosingJob().getIf() = this or
|
||||||
caller.getANeededJob().(LocalJob).getAStep().getIf() = this
|
node.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this or
|
||||||
|
node.getEnclosingJob().getANeededJob().(LocalJob).getIf() = this
|
||||||
)
|
)
|
||||||
or
|
or
|
||||||
this instanceof Environment and
|
this instanceof Environment and
|
||||||
(
|
(
|
||||||
caller.getEnvironment() = this or
|
node.getEnclosingJob().getEnvironment() = this
|
||||||
caller.getANeededJob().getEnvironment() = this
|
or
|
||||||
|
node.getEnclosingJob().getANeededJob().getEnvironment() = this
|
||||||
)
|
)
|
||||||
or
|
or
|
||||||
(this instanceof Run or this instanceof UsesStep) and
|
(
|
||||||
caller.getANeededJob().(LocalJob).getAStep() = this
|
this instanceof Run or
|
||||||
|
this instanceof UsesStep
|
||||||
|
) and
|
||||||
|
(
|
||||||
|
this.(Step).getAFollowingStep() = node.getEnclosingStep()
|
||||||
|
or
|
||||||
|
node.getEnclosingJob().getANeededJob().(LocalJob).getAStep() = this.(Step)
|
||||||
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
abstract predicate protectsCategoryAndEvent(string category, string event);
|
abstract predicate protectsCategoryAndEvent(string category, string event);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* Holds if this control check directly protects `caller`.
|
|
||||||
*/
|
|
||||||
bindingset[caller, event, category]
|
|
||||||
private predicate protectedCaller(ExternalJob caller, Event event, string category) {
|
|
||||||
exists(ControlCheck check |
|
|
||||||
check.protectsCategoryAndEvent(category, event.getName()) and
|
|
||||||
check.getATriggerEvent() = event and
|
|
||||||
check.dominatesCaller(caller)
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
cached
|
|
||||||
private newtype TCallerState =
|
|
||||||
MkCallerState(ExternalJob caller, Event event, string category) {
|
|
||||||
caller.getATriggerEvent() = event and
|
|
||||||
category = any_category()
|
|
||||||
}
|
|
||||||
|
|
||||||
private class CallerState extends TCallerState, MkCallerState {
|
|
||||||
ExternalJob caller;
|
|
||||||
Event event;
|
|
||||||
string category;
|
|
||||||
|
|
||||||
CallerState() { this = MkCallerState(caller, event, category) }
|
|
||||||
|
|
||||||
ExternalJob getCaller() { result = caller }
|
|
||||||
|
|
||||||
Event getEvent() { result = event }
|
|
||||||
|
|
||||||
string getCategory() { result = category }
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Gets an outer caller state if this caller is not protected.
|
|
||||||
*/
|
|
||||||
CallerState getUnprotectedOuterState() {
|
|
||||||
not protectedCaller(this.getCaller(), this.getEvent(), this.getCategory()) and
|
|
||||||
result = MkCallerState(getAnOuterCaller(this.getCaller()), this.getEvent(), this.getCategory())
|
|
||||||
}
|
|
||||||
|
|
||||||
predicate isUnprotectedOutermost() {
|
|
||||||
not protectedCaller(this.getCaller(), this.getEvent(), this.getCategory()) and
|
|
||||||
not exists(getAnOuterCaller(this.getCaller()))
|
|
||||||
}
|
|
||||||
|
|
||||||
string toString() { result = caller + " / " + event + " / " + category }
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Holds if there is a caller path from `caller` to an outer workflow that has no protection.
|
|
||||||
*/
|
|
||||||
bindingset[caller, event, category]
|
|
||||||
private predicate unprotectedCallerChain(ExternalJob caller, Event event, string category) {
|
|
||||||
exists(CallerState start, CallerState outermost |
|
|
||||||
start = MkCallerState(caller, event, category) and
|
|
||||||
outermost = start.getUnprotectedOuterState*() and
|
|
||||||
outermost.isUnprotectedOutermost()
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
abstract class AssociationCheck extends ControlCheck {
|
abstract class AssociationCheck extends ControlCheck {
|
||||||
// Checks if the actor is a MEMBER/OWNER the repo
|
// Checks if the actor is a MEMBER/OWNER the repo
|
||||||
// - they are effective against pull requests and workflow_run (since these are triggered by pull_requests) since they can control who is making the PR
|
// - they are effective against pull requests and workflow_run (since these are triggered by pull_requests) since they can control who is making the PR
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
name: codeql/actions-all
|
name: codeql/actions-all
|
||||||
version: 0.4.38
|
version: 0.4.38-dev
|
||||||
library: true
|
library: true
|
||||||
warnOnImplicitThis: true
|
warnOnImplicitThis: true
|
||||||
dependencies:
|
dependencies:
|
||||||
|
|||||||
@@ -1,9 +1,3 @@
|
|||||||
## 0.6.30
|
|
||||||
|
|
||||||
### Query Metadata Changes
|
|
||||||
|
|
||||||
* The name, description, and alert message of `actions/untrusted-checkout/medium` have been corrected to describe a non-privileged context.
|
|
||||||
|
|
||||||
## 0.6.29
|
## 0.6.29
|
||||||
|
|
||||||
### Query Metadata Changes
|
### Query Metadata Changes
|
||||||
|
|||||||
@@ -18,7 +18,7 @@ from LocalJob job, LabelCheck check, MutableRefCheckoutStep checkout, Event even
|
|||||||
where
|
where
|
||||||
job.isPrivileged() and
|
job.isPrivileged() and
|
||||||
job.getAStep() = checkout and
|
job.getAStep() = checkout and
|
||||||
check.dominates(checkout, event) and
|
check.dominates(checkout) and
|
||||||
(
|
(
|
||||||
job.getATriggerEvent() = event and
|
job.getATriggerEvent() = event and
|
||||||
event.getName() = "pull_request_target" and
|
event.getName() = "pull_request_target" and
|
||||||
|
|||||||
@@ -34,8 +34,8 @@ where
|
|||||||
check instanceof AssociationCheck or
|
check instanceof AssociationCheck or
|
||||||
check instanceof PermissionCheck
|
check instanceof PermissionCheck
|
||||||
) and
|
) and
|
||||||
check.dominates(checkout, event) and
|
check.dominates(checkout) and
|
||||||
date_check.dominates(checkout, event)
|
date_check.dominates(checkout)
|
||||||
)
|
)
|
||||||
or
|
or
|
||||||
// not issue_comment triggered workflows
|
// not issue_comment triggered workflows
|
||||||
|
|||||||
@@ -1,5 +1,4 @@
|
|||||||
## 0.6.30
|
---
|
||||||
|
category: queryMetadata
|
||||||
### Query Metadata Changes
|
---
|
||||||
|
|
||||||
* The name, description, and alert message of `actions/untrusted-checkout/medium` have been corrected to describe a non-privileged context.
|
* The name, description, and alert message of `actions/untrusted-checkout/medium` have been corrected to describe a non-privileged context.
|
||||||
@@ -1,2 +1,2 @@
|
|||||||
---
|
---
|
||||||
lastReleaseVersion: 0.6.30
|
lastReleaseVersion: 0.6.29
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
name: codeql/actions-queries
|
name: codeql/actions-queries
|
||||||
version: 0.6.30
|
version: 0.6.30-dev
|
||||||
library: false
|
library: false
|
||||||
warnOnImplicitThis: true
|
warnOnImplicitThis: true
|
||||||
groups: [actions, queries]
|
groups: [actions, queries]
|
||||||
|
|||||||
@@ -1,17 +0,0 @@
|
|||||||
on:
|
|
||||||
workflow_call:
|
|
||||||
inputs:
|
|
||||||
COMMIT_SHA:
|
|
||||||
type: string
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
build:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v6
|
|
||||||
with:
|
|
||||||
ref: ${{ inputs.COMMIT_SHA }}
|
|
||||||
- run: |
|
|
||||||
npm install
|
|
||||||
npm run lint
|
|
||||||
|
|
||||||
@@ -1,13 +0,0 @@
|
|||||||
on:
|
|
||||||
workflow_call:
|
|
||||||
inputs:
|
|
||||||
COMMIT_SHA:
|
|
||||||
type: string
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
build:
|
|
||||||
uses: TestOrg/TestRepo/.github/workflows/build.yml@main
|
|
||||||
with:
|
|
||||||
COMMIT_SHA: ${{ inputs.COMMIT_SHA }}
|
|
||||||
|
|
||||||
|
|
||||||
@@ -1,33 +0,0 @@
|
|||||||
on:
|
|
||||||
workflow_call:
|
|
||||||
inputs:
|
|
||||||
COMMIT_SHA:
|
|
||||||
type: string
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
is-collaborator:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
steps:
|
|
||||||
- name: Get User Permission
|
|
||||||
id: checkAccess
|
|
||||||
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
|
||||||
with:
|
|
||||||
require: write
|
|
||||||
username: ${{ github.actor }}
|
|
||||||
env:
|
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
||||||
- name: Check User Permission
|
|
||||||
if: steps.checkAccess.outputs.require-result == 'false'
|
|
||||||
run: |
|
|
||||||
echo "${{ github.actor }} does not have permissions on this repo."
|
|
||||||
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
|
||||||
exit 1
|
|
||||||
build_safe:
|
|
||||||
needs: is-collaborator
|
|
||||||
uses: TestOrg/TestRepo/.github/workflows/build_nested.yml@main
|
|
||||||
with:
|
|
||||||
COMMIT_SHA: ${{ inputs.COMMIT_SHA }}
|
|
||||||
build_unsafe:
|
|
||||||
uses: TestOrg/TestRepo/.github/workflows/build_nested.yml@main
|
|
||||||
with:
|
|
||||||
COMMIT_SHA: ${{ inputs.COMMIT_SHA }}
|
|
||||||
@@ -1,31 +0,0 @@
|
|||||||
on:
|
|
||||||
pull_request_target:
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
is-collaborator:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
steps:
|
|
||||||
- name: Get User Permission
|
|
||||||
id: checkAccess
|
|
||||||
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
|
||||||
with:
|
|
||||||
require: write
|
|
||||||
username: ${{ github.actor }}
|
|
||||||
env:
|
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
||||||
- name: Check User Permission
|
|
||||||
if: steps.checkAccess.outputs.require-result == 'false'
|
|
||||||
run: |
|
|
||||||
echo "${{ github.actor }} does not have permissions on this repo."
|
|
||||||
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
|
||||||
exit 1
|
|
||||||
build:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
#needs: is-collaborator Mistake, doesn't wait for the collaborator - no security check
|
|
||||||
steps:
|
|
||||||
- name: Checkout repo
|
|
||||||
uses: actions/checkout@4
|
|
||||||
with:
|
|
||||||
ref: ${{ github.event.pull_request.head.sha }} # should alert
|
|
||||||
fetch-depth: 2
|
|
||||||
- run: yarn test
|
|
||||||
@@ -1,26 +0,0 @@
|
|||||||
on:
|
|
||||||
pull_request_target:
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
is-collaborator:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
steps:
|
|
||||||
- name: Get User Permission
|
|
||||||
id: checkAccess
|
|
||||||
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
|
||||||
with:
|
|
||||||
require: write
|
|
||||||
username: ${{ github.actor }}
|
|
||||||
env:
|
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
||||||
- name: Check User Permission
|
|
||||||
if: steps.checkAccess.outputs.require-result == 'false'
|
|
||||||
run: |
|
|
||||||
echo "${{ github.actor }} does not have permissions on this repo."
|
|
||||||
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
|
||||||
exit 1
|
|
||||||
build:
|
|
||||||
needs: is-collaborator
|
|
||||||
uses: TestOrg/TestRepo/.github/workflows/build.yml@main
|
|
||||||
with:
|
|
||||||
COMMIT_SHA: ${{ github.event.pull_request.head.sha }} # shouldn't alert since permission check
|
|
||||||
@@ -1,31 +0,0 @@
|
|||||||
on:
|
|
||||||
pull_request_target:
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
is-collaborator:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
steps:
|
|
||||||
- name: Get User Permission
|
|
||||||
id: checkAccess
|
|
||||||
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
|
||||||
with:
|
|
||||||
require: write
|
|
||||||
username: ${{ github.actor }}
|
|
||||||
env:
|
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
||||||
- name: Check User Permission
|
|
||||||
if: steps.checkAccess.outputs.require-result == 'false'
|
|
||||||
run: |
|
|
||||||
echo "${{ github.actor }} does not have permissions on this repo."
|
|
||||||
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
|
||||||
exit 1
|
|
||||||
build_unsafe:
|
|
||||||
# needs: is-collaborator
|
|
||||||
uses: TestOrg/TestRepo/.github/workflows/build.yml@main
|
|
||||||
with:
|
|
||||||
COMMIT_SHA: ${{ github.event.pull_request.head.sha }} # should alert since no permission check
|
|
||||||
build_safe:
|
|
||||||
needs: is-collaborator
|
|
||||||
uses: TestOrg/TestRepo/.github/workflows/build.yml@main
|
|
||||||
with:
|
|
||||||
COMMIT_SHA: ${{ github.event.pull_request.head.sha }} # shouldn't alert since permission check
|
|
||||||
@@ -1,8 +0,0 @@
|
|||||||
on:
|
|
||||||
pull_request_target:
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
build:
|
|
||||||
uses: TestOrg/TestRepo/.github/workflows/build_nested_branching.yml@main
|
|
||||||
with:
|
|
||||||
COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
|
|
||||||
@@ -1,26 +0,0 @@
|
|||||||
on:
|
|
||||||
pull_request_target:
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
is-collaborator:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
steps:
|
|
||||||
- name: Get User Permission
|
|
||||||
id: checkAccess
|
|
||||||
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
|
||||||
with:
|
|
||||||
require: write
|
|
||||||
username: ${{ github.actor }}
|
|
||||||
env:
|
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
||||||
- name: Check User Permission
|
|
||||||
if: steps.checkAccess.outputs.require-result == 'false'
|
|
||||||
run: |
|
|
||||||
echo "${{ github.actor }} does not have permissions on this repo."
|
|
||||||
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
|
||||||
exit 1
|
|
||||||
build:
|
|
||||||
needs: is-collaborator
|
|
||||||
uses: TestOrg/TestRepo/.github/workflows/build_nested.yml@main
|
|
||||||
with:
|
|
||||||
COMMIT_SHA: ${{ github.event.pull_request.head.sha }} # shouldn't alert since permission check
|
|
||||||
@@ -1,26 +0,0 @@
|
|||||||
on:
|
|
||||||
pull_request_target:
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
is-collaborator:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
steps:
|
|
||||||
- name: Get User Permission
|
|
||||||
id: checkAccess
|
|
||||||
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
|
||||||
with:
|
|
||||||
require: write
|
|
||||||
username: ${{ github.actor }}
|
|
||||||
env:
|
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
||||||
- name: Check User Permission
|
|
||||||
if: steps.checkAccess.outputs.require-result == 'false'
|
|
||||||
run: |
|
|
||||||
echo "${{ github.actor }} does not have permissions on this repo."
|
|
||||||
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
|
||||||
exit 1
|
|
||||||
build:
|
|
||||||
# needs: is-collaborator
|
|
||||||
uses: TestOrg/TestRepo/.github/workflows/build_nested.yml@main
|
|
||||||
with:
|
|
||||||
COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
|
|
||||||
@@ -1,41 +0,0 @@
|
|||||||
on:
|
|
||||||
pull_request_target:
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
is-collaborator:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
steps:
|
|
||||||
- name: Get User Permission
|
|
||||||
id: checkAccess
|
|
||||||
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
|
||||||
with:
|
|
||||||
require: write
|
|
||||||
username: ${{ github.actor }}
|
|
||||||
env:
|
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
||||||
- name: Check User Permission
|
|
||||||
if: steps.checkAccess.outputs.require-result == 'false'
|
|
||||||
run: |
|
|
||||||
echo "${{ github.actor }} does not have permissions on this repo."
|
|
||||||
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
|
||||||
exit 1
|
|
||||||
build:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
needs: is-collaborator
|
|
||||||
steps:
|
|
||||||
- name: Checkout repo
|
|
||||||
uses: actions/checkout@4
|
|
||||||
with:
|
|
||||||
ref: ${{ github.event.pull_request.head.sha }} # shouldn't alert since permission check
|
|
||||||
fetch-depth: 2
|
|
||||||
- run: yarn test
|
|
||||||
build_unsafe:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
# needs: is-collaborator
|
|
||||||
steps:
|
|
||||||
- name: Checkout repo
|
|
||||||
uses: actions/checkout@4
|
|
||||||
with:
|
|
||||||
ref: ${{ github.event.pull_request.head.sha }} # should alert since no permission check
|
|
||||||
fetch-depth: 2
|
|
||||||
- run: yarn test
|
|
||||||
@@ -1,48 +0,0 @@
|
|||||||
on:
|
|
||||||
pull_request_target:
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
is-collaborator-a:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
steps:
|
|
||||||
- name: Get User Permission
|
|
||||||
id: checkAccess
|
|
||||||
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
|
||||||
with:
|
|
||||||
require: write
|
|
||||||
username: ${{ github.actor }}
|
|
||||||
env:
|
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
||||||
- name: Check User Permission
|
|
||||||
if: steps.checkAccess.outputs.require-result == 'false'
|
|
||||||
run: |
|
|
||||||
echo "${{ github.actor }} does not have permissions on this repo."
|
|
||||||
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
|
||||||
exit 1
|
|
||||||
caller-a:
|
|
||||||
needs: is-collaborator-a
|
|
||||||
uses: TestOrg/TestRepo/.github/workflows/build.yml@main
|
|
||||||
with:
|
|
||||||
COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
|
|
||||||
is-collaborator-b:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
steps:
|
|
||||||
- name: Get User Permission
|
|
||||||
id: checkAccess
|
|
||||||
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
|
||||||
with:
|
|
||||||
require: write
|
|
||||||
username: ${{ github.actor }}
|
|
||||||
env:
|
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
||||||
- name: Check User Permission
|
|
||||||
if: steps.checkAccess.outputs.require-result == 'false'
|
|
||||||
run: |
|
|
||||||
echo "${{ github.actor }} does not have permissions on this repo."
|
|
||||||
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
|
||||||
exit 1
|
|
||||||
caller-b:
|
|
||||||
needs: is-collaborator-b
|
|
||||||
uses: TestOrg/TestRepo/.github/workflows/build.yml@main
|
|
||||||
with:
|
|
||||||
COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
|
|
||||||
@@ -93,8 +93,6 @@ edges
|
|||||||
| .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:20:9:25:6 | Uses Step |
|
| .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:20:9:25:6 | Uses Step |
|
||||||
| .github/workflows/dependabot3.yml:20:9:25:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone |
|
| .github/workflows/dependabot3.yml:20:9:25:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone |
|
||||||
| .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:48:9:52:57 | Run Step |
|
| .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:48:9:52:57 | Run Step |
|
||||||
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:14:9:17:7 | Run Step |
|
|
||||||
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/build_nested_branching.yml:11:9:19:6 | Uses Step: checkAccess | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build_nested_branching.yml:19:9:25:2 | Run Step |
|
|
||||||
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:14:9:19:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step |
|
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:14:9:19:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step |
|
||||||
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:25:9:70:20 | Run Step |
|
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:25:9:70:20 | Run Step |
|
||||||
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step |
|
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step |
|
||||||
@@ -336,17 +334,6 @@ edges
|
|||||||
| .github/workflows/untrusted_checkout_6.yml:11:9:14:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:14:9:17:6 | Uses Step |
|
| .github/workflows/untrusted_checkout_6.yml:11:9:14:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:14:9:17:6 | Uses Step |
|
||||||
| .github/workflows/untrusted_checkout_6.yml:14:9:17:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:17:9:21:6 | Uses Step |
|
| .github/workflows/untrusted_checkout_6.yml:14:9:17:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:17:9:21:6 | Uses Step |
|
||||||
| .github/workflows/untrusted_checkout_6.yml:17:9:21:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:21:9:23:23 | Run Step |
|
| .github/workflows/untrusted_checkout_6.yml:17:9:21:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:21:9:23:23 | Run Step |
|
||||||
| .github/workflows/untrusted_checkout_no_needs.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_no_needs.yml:16:9:22:2 | Run Step |
|
|
||||||
| .github/workflows/untrusted_checkout_no_needs.yml:26:9:31:6 | Uses Step | .github/workflows/untrusted_checkout_no_needs.yml:31:9:31:23 | Run Step |
|
|
||||||
| .github/workflows/untrusted_checkout_permission_check_reusable2.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_permission_check_reusable2.yml:16:9:22:2 | Run Step |
|
|
||||||
| .github/workflows/untrusted_checkout_permission_check_reusable.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_permission_check_reusable.yml:16:9:22:2 | Run Step |
|
|
||||||
| .github/workflows/untrusted_checkout_permission_check_reusable_level2.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_permission_check_reusable_level2.yml:16:9:22:2 | Run Step |
|
|
||||||
| .github/workflows/untrusted_checkout_permission_check_reusable_no_needs.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_permission_check_reusable_no_needs.yml:16:9:22:2 | Run Step |
|
|
||||||
| .github/workflows/untrusted_checkout_permissions_check.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_permissions_check.yml:16:9:22:2 | Run Step |
|
|
||||||
| .github/workflows/untrusted_checkout_permissions_check.yml:26:9:31:6 | Uses Step | .github/workflows/untrusted_checkout_permissions_check.yml:31:9:32:2 | Run Step |
|
|
||||||
| .github/workflows/untrusted_checkout_permissions_check.yml:36:9:41:6 | Uses Step | .github/workflows/untrusted_checkout_permissions_check.yml:41:9:41:22 | Run Step |
|
|
||||||
| .github/workflows/untrusted_checkout_two_callers_both_protected.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_two_callers_both_protected.yml:16:9:22:2 | Run Step |
|
|
||||||
| .github/workflows/untrusted_checkout_two_callers_both_protected.yml:30:9:38:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_two_callers_both_protected.yml:38:9:44:2 | Run Step |
|
|
||||||
| .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step |
|
| .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step |
|
||||||
| .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step |
|
| .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step |
|
||||||
| .github/workflows/workflow_run_untrusted_checkout_3.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_3.yml:16:9:18:31 | Uses Step |
|
| .github/workflows/workflow_run_untrusted_checkout_3.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_3.yml:16:9:18:31 | Uses Step |
|
||||||
@@ -357,9 +344,6 @@ edges
|
|||||||
| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
|
| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
|
||||||
| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
|
| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
|
||||||
| .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | pull_request_target |
|
| .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | pull_request_target |
|
||||||
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:14:9:17:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout_permission_check_reusable2.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
|
||||||
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:14:9:17:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout_permission_check_reusable_branching_nested.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
|
||||||
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:14:9:17:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout_permission_check_reusable_no_needs.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
|
||||||
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | pull_request_target |
|
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||||
| .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
| .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||||
| .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/label_trusted_checkout2.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
| .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/label_trusted_checkout2.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||||
@@ -393,5 +377,3 @@ edges
|
|||||||
| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment |
|
| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment |
|
||||||
| .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
| .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||||
| .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
| .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||||
| .github/workflows/untrusted_checkout_no_needs.yml:26:9:31:6 | Uses Step | .github/workflows/untrusted_checkout_no_needs.yml:26:9:31:6 | Uses Step | .github/workflows/untrusted_checkout_no_needs.yml:31:9:31:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout_no_needs.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
|
||||||
| .github/workflows/untrusted_checkout_permissions_check.yml:36:9:41:6 | Uses Step | .github/workflows/untrusted_checkout_permissions_check.yml:36:9:41:6 | Uses Step | .github/workflows/untrusted_checkout_permissions_check.yml:41:9:41:22 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout_permissions_check.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
|
||||||
|
|||||||
@@ -1,20 +1,3 @@
|
|||||||
## 11.0.0
|
|
||||||
|
|
||||||
### Breaking Changes
|
|
||||||
|
|
||||||
* Removed the deprecated `overrideReturnsNull` predicate from `Options.qll`. Use `CustomOptions.overrideReturnsNull` instead.
|
|
||||||
* Removed the deprecated `returnsNull` predicate from `Options.qll`. Use `CustomOptions.returnsNull` instead.
|
|
||||||
* Removed the deprecated `exits` predicate from `Options.qll`. Use `CustomOptions.exits` instead.
|
|
||||||
* Removed the deprecated `exprExits` predicate from `Options.qll`. Use `CustomOptions.exprExits` instead.
|
|
||||||
* Removed the deprecated `alwaysCheckReturnValue` predicate from `Options.qll`. Use `CustomOptions.alwaysCheckReturnValue` instead.
|
|
||||||
* Removed the deprecated `okToIgnoreReturnValue` predicate from `Options.qll`. Use `CustomOptions.okToIgnoreReturnValue` instead.
|
|
||||||
* Removed the deprecated `semmle.code.cpp.Member`. Import `semmle.code.cpp.Element` and/or `semmle.code.cpp.Type` directly.
|
|
||||||
* Removed the deprecated `UnknownDefaultLocation` class. Use `UnknownLocation` instead.
|
|
||||||
* Removed the deprecated `UnknownExprLocation` class. Use `UnknownLocation` instead.
|
|
||||||
* Removed the deprecated `UnknownStmtLocation` class. Use `UnknownLocation` instead.
|
|
||||||
* Removed the deprecated `TemplateParameter` class. Use `TypeTemplateParameter` instead.
|
|
||||||
* Support for class resolution across link targets has been removed for databases which were created with CodeQL versions before 1.23.0.
|
|
||||||
|
|
||||||
## 10.2.0
|
## 10.2.0
|
||||||
|
|
||||||
### Deprecated APIs
|
### Deprecated APIs
|
||||||
|
|||||||
@@ -1,7 +1,6 @@
|
|||||||
## 11.0.0
|
---
|
||||||
|
category: breaking
|
||||||
### Breaking Changes
|
---
|
||||||
|
|
||||||
* Removed the deprecated `overrideReturnsNull` predicate from `Options.qll`. Use `CustomOptions.overrideReturnsNull` instead.
|
* Removed the deprecated `overrideReturnsNull` predicate from `Options.qll`. Use `CustomOptions.overrideReturnsNull` instead.
|
||||||
* Removed the deprecated `returnsNull` predicate from `Options.qll`. Use `CustomOptions.returnsNull` instead.
|
* Removed the deprecated `returnsNull` predicate from `Options.qll`. Use `CustomOptions.returnsNull` instead.
|
||||||
* Removed the deprecated `exits` predicate from `Options.qll`. Use `CustomOptions.exits` instead.
|
* Removed the deprecated `exits` predicate from `Options.qll`. Use `CustomOptions.exits` instead.
|
||||||
@@ -1,2 +1,2 @@
|
|||||||
---
|
---
|
||||||
lastReleaseVersion: 11.0.0
|
lastReleaseVersion: 10.2.0
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
name: codeql/cpp-all
|
name: codeql/cpp-all
|
||||||
version: 11.0.0
|
version: 10.2.1-dev
|
||||||
groups: cpp
|
groups: cpp
|
||||||
dbscheme: semmlecode.cpp.dbscheme
|
dbscheme: semmlecode.cpp.dbscheme
|
||||||
extractor: cpp
|
extractor: cpp
|
||||||
|
|||||||
@@ -1,7 +1,3 @@
|
|||||||
## 1.6.5
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 1.6.4
|
## 1.6.4
|
||||||
|
|
||||||
No user-facing changes.
|
No user-facing changes.
|
||||||
|
|||||||
@@ -1,3 +0,0 @@
|
|||||||
## 1.6.5
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
@@ -1,2 +1,2 @@
|
|||||||
---
|
---
|
||||||
lastReleaseVersion: 1.6.5
|
lastReleaseVersion: 1.6.4
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
name: codeql/cpp-queries
|
name: codeql/cpp-queries
|
||||||
version: 1.6.5
|
version: 1.6.5-dev
|
||||||
groups:
|
groups:
|
||||||
- cpp
|
- cpp
|
||||||
- queries
|
- queries
|
||||||
|
|||||||
@@ -1,7 +1,3 @@
|
|||||||
## 1.7.69
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 1.7.68
|
## 1.7.68
|
||||||
|
|
||||||
No user-facing changes.
|
No user-facing changes.
|
||||||
|
|||||||
@@ -1,3 +0,0 @@
|
|||||||
## 1.7.69
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
@@ -1,2 +1,2 @@
|
|||||||
---
|
---
|
||||||
lastReleaseVersion: 1.7.69
|
lastReleaseVersion: 1.7.68
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
name: codeql/csharp-solorigate-all
|
name: codeql/csharp-solorigate-all
|
||||||
version: 1.7.69
|
version: 1.7.69-dev
|
||||||
groups:
|
groups:
|
||||||
- csharp
|
- csharp
|
||||||
- solorigate
|
- solorigate
|
||||||
|
|||||||
@@ -1,7 +1,3 @@
|
|||||||
## 1.7.69
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 1.7.68
|
## 1.7.68
|
||||||
|
|
||||||
No user-facing changes.
|
No user-facing changes.
|
||||||
|
|||||||
@@ -1,3 +0,0 @@
|
|||||||
## 1.7.69
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
@@ -1,2 +1,2 @@
|
|||||||
---
|
---
|
||||||
lastReleaseVersion: 1.7.69
|
lastReleaseVersion: 1.7.68
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
name: codeql/csharp-solorigate-queries
|
name: codeql/csharp-solorigate-queries
|
||||||
version: 1.7.69
|
version: 1.7.69-dev
|
||||||
groups:
|
groups:
|
||||||
- csharp
|
- csharp
|
||||||
- solorigate
|
- solorigate
|
||||||
|
|||||||
@@ -1,19 +1,3 @@
|
|||||||
## 7.0.0
|
|
||||||
|
|
||||||
### Breaking Changes
|
|
||||||
|
|
||||||
* Renamed types related to *operation* expressions. The QL classes `BinaryArithmeticOperation`, `BinaryBitwiseOperation`, and `BinaryLogicalOperation` now include compound assignments; for example, `BinaryArithmeticOperation` now includes `a += b`.
|
|
||||||
|
|
||||||
### Major Analysis Improvements
|
|
||||||
|
|
||||||
* Added Razor Page handler method parameters (e.g., `OnGet`, `OnPost`, `OnPostAsync`) as remote flow sources, enabling security queries such as `cs/sql-injection` to detect vulnerabilities in `PageModel` subclasses.
|
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
|
||||||
|
|
||||||
* Improved property and indexer call target resolution for partially overridden properties and indexers.
|
|
||||||
* Improved extraction of range-access expressions on spans and strings (for example, `a[0..3]`). These expressions are now extracted as `Slice` (span) or `Substring` (string) calls.
|
|
||||||
* Improved call target resolution for ref-return properties and indexers.
|
|
||||||
|
|
||||||
## 6.0.2
|
## 6.0.2
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
### Minor Analysis Improvements
|
||||||
|
|||||||
@@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
category: minorAnalysis
|
||||||
|
---
|
||||||
|
* Improved call target resolution for ref-return properties and indexers.
|
||||||
@@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
category: minorAnalysis
|
||||||
|
---
|
||||||
|
* Improved extraction of range-access expressions on spans and strings (for example, `a[0..3]`). These expressions are now extracted as `Slice` (span) or `Substring` (string) calls.
|
||||||
@@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
category: minorAnalysis
|
||||||
|
---
|
||||||
|
* Improved property and indexer call target resolution for partially overridden properties and indexers.
|
||||||
@@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
category: majorAnalysis
|
||||||
|
---
|
||||||
|
* Added Razor Page handler method parameters (e.g., `OnGet`, `OnPost`, `OnPostAsync`) as remote flow sources, enabling security queries such as `cs/sql-injection` to detect vulnerabilities in `PageModel` subclasses.
|
||||||
@@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
category: breaking
|
||||||
|
---
|
||||||
|
* Renamed types related to *operation* expressions. The QL classes `BinaryArithmeticOperation`, `BinaryBitwiseOperation`, and `BinaryLogicalOperation` now include compound assignments; for example, `BinaryArithmeticOperation` now includes `a += b`.
|
||||||
@@ -1,15 +0,0 @@
|
|||||||
## 7.0.0
|
|
||||||
|
|
||||||
### Breaking Changes
|
|
||||||
|
|
||||||
* Renamed types related to *operation* expressions. The QL classes `BinaryArithmeticOperation`, `BinaryBitwiseOperation`, and `BinaryLogicalOperation` now include compound assignments; for example, `BinaryArithmeticOperation` now includes `a += b`.
|
|
||||||
|
|
||||||
### Major Analysis Improvements
|
|
||||||
|
|
||||||
* Added Razor Page handler method parameters (e.g., `OnGet`, `OnPost`, `OnPostAsync`) as remote flow sources, enabling security queries such as `cs/sql-injection` to detect vulnerabilities in `PageModel` subclasses.
|
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
|
||||||
|
|
||||||
* Improved property and indexer call target resolution for partially overridden properties and indexers.
|
|
||||||
* Improved extraction of range-access expressions on spans and strings (for example, `a[0..3]`). These expressions are now extracted as `Slice` (span) or `Substring` (string) calls.
|
|
||||||
* Improved call target resolution for ref-return properties and indexers.
|
|
||||||
@@ -1,2 +1,2 @@
|
|||||||
---
|
---
|
||||||
lastReleaseVersion: 7.0.0
|
lastReleaseVersion: 6.0.2
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
name: codeql/csharp-all
|
name: codeql/csharp-all
|
||||||
version: 7.0.0
|
version: 6.0.3-dev
|
||||||
groups: csharp
|
groups: csharp
|
||||||
dbscheme: semmlecode.csharp.dbscheme
|
dbscheme: semmlecode.csharp.dbscheme
|
||||||
extractor: csharp
|
extractor: csharp
|
||||||
|
|||||||
@@ -1,7 +1,3 @@
|
|||||||
## 1.7.5
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 1.7.4
|
## 1.7.4
|
||||||
|
|
||||||
No user-facing changes.
|
No user-facing changes.
|
||||||
|
|||||||
@@ -14,6 +14,54 @@
|
|||||||
|
|
||||||
import csharp
|
import csharp
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Gets a callable that either directly captures local variable `v`, or which
|
||||||
|
* is enclosed by the callable that declares `v` and encloses a callable that
|
||||||
|
* captures `v`.
|
||||||
|
*/
|
||||||
|
Callable getACapturingCallableAncestor(LocalVariable v) {
|
||||||
|
result = v.getACapturingCallable()
|
||||||
|
or
|
||||||
|
exists(Callable mid | mid = getACapturingCallableAncestor(v) |
|
||||||
|
result = mid.getEnclosingCallable() and
|
||||||
|
not v.getEnclosingCallable() = result
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
Expr getADelegateExpr(Callable c) {
|
||||||
|
c = result.(CallableAccess).getTarget()
|
||||||
|
or
|
||||||
|
result = c.(AnonymousFunctionExpr)
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Holds if `c` is a call where any delegate argument is evaluated immediately.
|
||||||
|
*/
|
||||||
|
predicate nonEscapingCall(Call c) {
|
||||||
|
exists(string name | c.getTarget().hasName(name) |
|
||||||
|
name =
|
||||||
|
[
|
||||||
|
"ForEach", "Count", "Any", "All", "Average", "Aggregate", "First", "Last", "FirstOrDefault",
|
||||||
|
"LastOrDefault", "LongCount", "Max", "Single", "SingleOrDefault", "Sum"
|
||||||
|
]
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Holds if `v` is a captured local variable, and one of the callables capturing
|
||||||
|
* `v` may escape the local scope.
|
||||||
|
*/
|
||||||
|
predicate mayEscape(LocalVariable v) {
|
||||||
|
exists(Callable c, Expr e, Expr succ | c = getACapturingCallableAncestor(v) |
|
||||||
|
e = getADelegateExpr(c) and
|
||||||
|
DataFlow::localExprFlow(e, succ) and
|
||||||
|
not succ = any(DelegateCall dc).getExpr() and
|
||||||
|
not succ = any(Cast cast).getExpr() and
|
||||||
|
not succ = any(Call call | nonEscapingCall(call)).getAnArgument() and
|
||||||
|
not succ = any(AssignableDefinition ad | ad.getTarget() instanceof LocalVariable).getSource()
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
class RelevantDefinition extends AssignableDefinition {
|
class RelevantDefinition extends AssignableDefinition {
|
||||||
RelevantDefinition() {
|
RelevantDefinition() {
|
||||||
this.(AssignableDefinitions::AssignmentDefinition).getAssignment() =
|
this.(AssignableDefinitions::AssignmentDefinition).getAssignment() =
|
||||||
@@ -46,6 +94,8 @@ class RelevantDefinition extends AssignableDefinition {
|
|||||||
// SSA definitions are only created for live variables
|
// SSA definitions are only created for live variables
|
||||||
this = any(SsaExplicitWrite ssaDef).getDefinition()
|
this = any(SsaExplicitWrite ssaDef).getDefinition()
|
||||||
or
|
or
|
||||||
|
mayEscape(v)
|
||||||
|
or
|
||||||
v.isCaptured()
|
v.isCaptured()
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,3 +0,0 @@
|
|||||||
## 1.7.5
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
@@ -1,2 +1,2 @@
|
|||||||
---
|
---
|
||||||
lastReleaseVersion: 1.7.5
|
lastReleaseVersion: 1.7.4
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
name: codeql/csharp-queries
|
name: codeql/csharp-queries
|
||||||
version: 1.7.5
|
version: 1.7.5-dev
|
||||||
groups:
|
groups:
|
||||||
- csharp
|
- csharp
|
||||||
- queries
|
- queries
|
||||||
|
|||||||
@@ -1,7 +1,3 @@
|
|||||||
## 1.0.52
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 1.0.51
|
## 1.0.51
|
||||||
|
|
||||||
No user-facing changes.
|
No user-facing changes.
|
||||||
|
|||||||
@@ -1,3 +0,0 @@
|
|||||||
## 1.0.52
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
@@ -1,2 +1,2 @@
|
|||||||
---
|
---
|
||||||
lastReleaseVersion: 1.0.52
|
lastReleaseVersion: 1.0.51
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
name: codeql-go-consistency-queries
|
name: codeql-go-consistency-queries
|
||||||
version: 1.0.52
|
version: 1.0.52-dev
|
||||||
groups:
|
groups:
|
||||||
- go
|
- go
|
||||||
- queries
|
- queries
|
||||||
|
|||||||
@@ -1,20 +1,3 @@
|
|||||||
## 7.2.0
|
|
||||||
|
|
||||||
### Deprecated APIs
|
|
||||||
|
|
||||||
* `FuncTypeExpr.getResultDecl()` has been deprecated. Use `FuncTypeExpr.getResultDecl(int i)` instead.
|
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
|
||||||
|
|
||||||
* Added models for the `log/slog` package (Go 1.21+). Its logging functions and
|
|
||||||
`*slog.Logger` methods (`Debug`/`Info`/`Warn`/`Error`, their `Context`
|
|
||||||
variants, and `Log`/`LogAttrs`) are now recognized as logging sinks, so the
|
|
||||||
`go/log-injection` and `go/clear-text-logging` queries cover code that logs
|
|
||||||
through `slog`.
|
|
||||||
* `DataFlow::ResultNode`s are no longer created for returned expressions in functions with named result parameters. In this case there are already result nodes corresponding to `IR::ReadResultInstruction`s at the end of the function body.
|
|
||||||
* `FuncTypeExpr.getNumResult()` now gets the number of result parameters. It previously got the number of result declarations, which is different when one result declaration declares more than one variable, as in `x, y int`. All uses of it expected the number of result parameters. Its QLDoc has been updated.
|
|
||||||
* More logging functions are now recognized as not returning or panicking.
|
|
||||||
|
|
||||||
## 7.1.2
|
## 7.1.2
|
||||||
|
|
||||||
No user-facing changes.
|
No user-facing changes.
|
||||||
|
|||||||
@@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
category: minorAnalysis
|
||||||
|
---
|
||||||
|
* More logging functions are now recognized as not returning or panicking.
|
||||||
@@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
category: deprecated
|
||||||
|
---
|
||||||
|
* `FuncTypeExpr.getResultDecl()` has been deprecated. Use `FuncTypeExpr.getResultDecl(int i)` instead.
|
||||||
4
go/ql/lib/change-notes/2026-06-08-fix-result-nodes.md
Normal file
4
go/ql/lib/change-notes/2026-06-08-fix-result-nodes.md
Normal file
@@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
category: minorAnalysis
|
||||||
|
---
|
||||||
|
* `DataFlow::ResultNode`s are no longer created for returned expressions in functions with named result parameters. In this case there are already result nodes corresponding to `IR::ReadResultInstruction`s at the end of the function body.
|
||||||
@@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
category: minorAnalysis
|
||||||
|
---
|
||||||
|
* `FuncTypeExpr.getNumResult()` now gets the number of result parameters. It previously got the number of result declarations, which is different when one result declaration declares more than one variable, as in `x, y int`. All uses of it expected the number of result parameters. Its QLDoc has been updated.
|
||||||
8
go/ql/lib/change-notes/2026-06-17-model-log-slog.md
Normal file
8
go/ql/lib/change-notes/2026-06-17-model-log-slog.md
Normal file
@@ -0,0 +1,8 @@
|
|||||||
|
---
|
||||||
|
category: minorAnalysis
|
||||||
|
---
|
||||||
|
* Added models for the `log/slog` package (Go 1.21+). Its logging functions and
|
||||||
|
`*slog.Logger` methods (`Debug`/`Info`/`Warn`/`Error`, their `Context`
|
||||||
|
variants, and `Log`/`LogAttrs`) are now recognized as logging sinks, so the
|
||||||
|
`go/log-injection` and `go/clear-text-logging` queries cover code that logs
|
||||||
|
through `slog`.
|
||||||
@@ -1,16 +0,0 @@
|
|||||||
## 7.2.0
|
|
||||||
|
|
||||||
### Deprecated APIs
|
|
||||||
|
|
||||||
* `FuncTypeExpr.getResultDecl()` has been deprecated. Use `FuncTypeExpr.getResultDecl(int i)` instead.
|
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
|
||||||
|
|
||||||
* Added models for the `log/slog` package (Go 1.21+). Its logging functions and
|
|
||||||
`*slog.Logger` methods (`Debug`/`Info`/`Warn`/`Error`, their `Context`
|
|
||||||
variants, and `Log`/`LogAttrs`) are now recognized as logging sinks, so the
|
|
||||||
`go/log-injection` and `go/clear-text-logging` queries cover code that logs
|
|
||||||
through `slog`.
|
|
||||||
* `DataFlow::ResultNode`s are no longer created for returned expressions in functions with named result parameters. In this case there are already result nodes corresponding to `IR::ReadResultInstruction`s at the end of the function body.
|
|
||||||
* `FuncTypeExpr.getNumResult()` now gets the number of result parameters. It previously got the number of result declarations, which is different when one result declaration declares more than one variable, as in `x, y int`. All uses of it expected the number of result parameters. Its QLDoc has been updated.
|
|
||||||
* More logging functions are now recognized as not returning or panicking.
|
|
||||||
@@ -1,2 +1,2 @@
|
|||||||
---
|
---
|
||||||
lastReleaseVersion: 7.2.0
|
lastReleaseVersion: 7.1.2
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
name: codeql/go-all
|
name: codeql/go-all
|
||||||
version: 7.2.0
|
version: 7.1.3-dev
|
||||||
groups: go
|
groups: go
|
||||||
dbscheme: go.dbscheme
|
dbscheme: go.dbscheme
|
||||||
extractor: go
|
extractor: go
|
||||||
|
|||||||
@@ -1,9 +1,3 @@
|
|||||||
## 1.6.5
|
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
|
||||||
|
|
||||||
* The query `go/unhandled-writable-file-close` ("Writable file handle closed without error handling") now produces fewer false positives. A deferred call to `Close` that is preceded on every execution path by a handled call to `Sync` on the same file handle is no longer flagged.
|
|
||||||
|
|
||||||
## 1.6.4
|
## 1.6.4
|
||||||
|
|
||||||
No user-facing changes.
|
No user-facing changes.
|
||||||
|
|||||||
@@ -1,5 +1,4 @@
|
|||||||
## 1.6.5
|
---
|
||||||
|
category: minorAnalysis
|
||||||
### Minor Analysis Improvements
|
---
|
||||||
|
|
||||||
* The query `go/unhandled-writable-file-close` ("Writable file handle closed without error handling") now produces fewer false positives. A deferred call to `Close` that is preceded on every execution path by a handled call to `Sync` on the same file handle is no longer flagged.
|
* The query `go/unhandled-writable-file-close` ("Writable file handle closed without error handling") now produces fewer false positives. A deferred call to `Close` that is preceded on every execution path by a handled call to `Sync` on the same file handle is no longer flagged.
|
||||||
@@ -1,2 +1,2 @@
|
|||||||
---
|
---
|
||||||
lastReleaseVersion: 1.6.5
|
lastReleaseVersion: 1.6.4
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
name: codeql/go-queries
|
name: codeql/go-queries
|
||||||
version: 1.6.5
|
version: 1.6.5-dev
|
||||||
groups:
|
groups:
|
||||||
- go
|
- go
|
||||||
- queries
|
- queries
|
||||||
|
|||||||
@@ -1,10 +0,0 @@
|
|||||||
<settings>
|
|
||||||
<mirrors>
|
|
||||||
<mirror>
|
|
||||||
<id>google-maven-central</id>
|
|
||||||
<name>GCS Maven Central mirror</name>
|
|
||||||
<url>https://maven-central.storage-download.googleapis.com/maven2/</url>
|
|
||||||
<mirrorOf>central</mirrorOf>
|
|
||||||
</mirror>
|
|
||||||
</mirrors>
|
|
||||||
</settings>
|
|
||||||
@@ -21,7 +21,6 @@ def test(codeql, java, cwd, check_diagnostics_java):
|
|||||||
_env={
|
_env={
|
||||||
"MAVEN_OPTS": maven_opts,
|
"MAVEN_OPTS": maven_opts,
|
||||||
"CODEQL_JAVA_EXTRACTOR_TRUST_STORE_PATH": str(certspath),
|
"CODEQL_JAVA_EXTRACTOR_TRUST_STORE_PATH": str(certspath),
|
||||||
"LGTM_INDEX_MAVEN_SETTINGS_FILE": os.path.join(os.path.dirname(os.path.realpath(__file__)), "settings.xml"),
|
|
||||||
},
|
},
|
||||||
)
|
)
|
||||||
finally:
|
finally:
|
||||||
|
|||||||
@@ -1,5 +1,3 @@
|
|||||||
https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.jar
|
|
||||||
https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
|
|
||||||
https://repo.jenkins-ci.org/releases/org/jenkins-ci/main/jenkins-war/2.249/jenkins-war-2.249.war
|
https://repo.jenkins-ci.org/releases/org/jenkins-ci/main/jenkins-war/2.249/jenkins-war-2.249.war
|
||||||
https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
|
https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
|
||||||
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
|
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
|
||||||
@@ -12,7 +10,9 @@ https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-example_2.11/0.1.2/r
|
|||||||
https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-java-example_2.11/0.1.2/rx-redis-java-example_2.11-0.1.2.jar
|
https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-java-example_2.11/0.1.2/rx-redis-java-example_2.11-0.1.2.jar
|
||||||
https://repo.maven.apache.org/maven2/io/github/scrollsyou/example-spring-boot-starter/1.0.0/example-spring-boot-starter-1.0.0.jar
|
https://repo.maven.apache.org/maven2/io/github/scrollsyou/example-spring-boot-starter/1.0.0/example-spring-boot-starter-1.0.0.jar
|
||||||
https://repo.maven.apache.org/maven2/io/streamnative/com/example/maven-central-template/server/3.0.0/server-3.0.0.jar
|
https://repo.maven.apache.org/maven2/io/streamnative/com/example/maven-central-template/server/3.0.0/server-3.0.0.jar
|
||||||
|
https://repo.maven.apache.org/maven2/junit/junit/4.11/junit-4.11.jar
|
||||||
https://repo.maven.apache.org/maven2/no/nav/security/token-validation-ktor-demo/3.1.0/token-validation-ktor-demo-3.1.0.jar
|
https://repo.maven.apache.org/maven2/no/nav/security/token-validation-ktor-demo/3.1.0/token-validation-ktor-demo-3.1.0.jar
|
||||||
|
https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
|
||||||
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-fileupload/0.5.10/minijax-example-fileupload-0.5.10.jar
|
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-fileupload/0.5.10/minijax-example-fileupload-0.5.10.jar
|
||||||
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-inject/0.5.10/minijax-example-inject-0.5.10.jar
|
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-inject/0.5.10/minijax-example-inject-0.5.10.jar
|
||||||
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-json/0.5.10/minijax-example-json-0.5.10.jar
|
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-json/0.5.10/minijax-example-json-0.5.10.jar
|
||||||
|
|||||||
@@ -1,10 +0,0 @@
|
|||||||
<settings>
|
|
||||||
<mirrors>
|
|
||||||
<mirror>
|
|
||||||
<id>google-maven-central</id>
|
|
||||||
<name>GCS Maven Central mirror</name>
|
|
||||||
<url>https://maven-central.storage-download.googleapis.com/maven2/</url>
|
|
||||||
<mirrorOf>central</mirrorOf>
|
|
||||||
</mirror>
|
|
||||||
</mirrors>
|
|
||||||
</settings>
|
|
||||||
@@ -1,5 +1,4 @@
|
|||||||
pom.xml
|
pom.xml
|
||||||
settings.xml
|
|
||||||
src/main/java/com/example/App.java
|
src/main/java/com/example/App.java
|
||||||
src/main/resources/my-app.properties
|
src/main/resources/my-app.properties
|
||||||
src/main/resources/page.xml
|
src/main/resources/page.xml
|
||||||
|
|||||||
@@ -1,10 +1,7 @@
|
|||||||
import os
|
|
||||||
|
|
||||||
def test(codeql, java, check_diagnostics_java):
|
def test(codeql, java, check_diagnostics_java):
|
||||||
codeql.database.create(
|
codeql.database.create(
|
||||||
_env={
|
_env={
|
||||||
"CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS": "true",
|
"CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS": "true",
|
||||||
"CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS_CLASSPATH_FROM_BUILD_FILES": "true",
|
"CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS_CLASSPATH_FROM_BUILD_FILES": "true",
|
||||||
"LGTM_INDEX_MAVEN_SETTINGS_FILE": os.path.join(os.path.dirname(os.path.realpath(__file__)), "settings.xml"),
|
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
|
|||||||
@@ -1,5 +1,3 @@
|
|||||||
https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.jar
|
|
||||||
https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
|
|
||||||
https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
|
https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
|
||||||
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
|
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
|
||||||
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/example-project/1.5/example-project-1.5.jar
|
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/example-project/1.5/example-project-1.5.jar
|
||||||
@@ -11,7 +9,9 @@ https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-example_2.11/0.1.2/r
|
|||||||
https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-java-example_2.11/0.1.2/rx-redis-java-example_2.11-0.1.2.jar
|
https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-java-example_2.11/0.1.2/rx-redis-java-example_2.11-0.1.2.jar
|
||||||
https://repo.maven.apache.org/maven2/io/github/scrollsyou/example-spring-boot-starter/1.0.0/example-spring-boot-starter-1.0.0.jar
|
https://repo.maven.apache.org/maven2/io/github/scrollsyou/example-spring-boot-starter/1.0.0/example-spring-boot-starter-1.0.0.jar
|
||||||
https://repo.maven.apache.org/maven2/io/streamnative/com/example/maven-central-template/server/3.0.0/server-3.0.0.jar
|
https://repo.maven.apache.org/maven2/io/streamnative/com/example/maven-central-template/server/3.0.0/server-3.0.0.jar
|
||||||
|
https://repo.maven.apache.org/maven2/junit/junit/4.11/junit-4.11.jar
|
||||||
https://repo.maven.apache.org/maven2/no/nav/security/token-validation-ktor-demo/3.1.0/token-validation-ktor-demo-3.1.0.jar
|
https://repo.maven.apache.org/maven2/no/nav/security/token-validation-ktor-demo/3.1.0/token-validation-ktor-demo-3.1.0.jar
|
||||||
|
https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
|
||||||
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-fileupload/0.5.10/minijax-example-fileupload-0.5.10.jar
|
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-fileupload/0.5.10/minijax-example-fileupload-0.5.10.jar
|
||||||
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-inject/0.5.10/minijax-example-inject-0.5.10.jar
|
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-inject/0.5.10/minijax-example-inject-0.5.10.jar
|
||||||
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-json/0.5.10/minijax-example-json-0.5.10.jar
|
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-json/0.5.10/minijax-example-json-0.5.10.jar
|
||||||
|
|||||||
@@ -1,6 +1,6 @@
|
|||||||
Downloaded from central: https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.pom
|
Downloaded from central: https://repo.maven.apache.org/maven2/junit/junit/4.11/junit-4.11.pom
|
||||||
Downloaded from central: https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.pom
|
Downloaded from central: https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.pom
|
||||||
Downloaded from central: https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-parent/1.3/hamcrest-parent-1.3.pom
|
Downloaded from central: https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-parent/1.3/hamcrest-parent-1.3.pom
|
||||||
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.18.6/jackson-annotations-2.18.6.jar
|
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.18.6/jackson-annotations-2.18.6.jar
|
||||||
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.18.6/jackson-annotations-2.18.6.pom
|
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.18.6/jackson-annotations-2.18.6.pom
|
||||||
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-core/2.18.6/jackson-core-2.18.6.jar
|
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-core/2.18.6/jackson-core-2.18.6.jar
|
||||||
|
|||||||
@@ -111,30 +111,4 @@
|
|||||||
</plugins>
|
</plugins>
|
||||||
</pluginManagement>
|
</pluginManagement>
|
||||||
</build>
|
</build>
|
||||||
|
|
||||||
<!-- Use the Google Cloud Storage mirror of Maven Central for better download speeds and reliability -->
|
|
||||||
<repositories>
|
|
||||||
<repository>
|
|
||||||
<id>central</id>
|
|
||||||
<url>https://maven-central.storage-download.googleapis.com/maven2/</url>
|
|
||||||
<snapshots>
|
|
||||||
<enabled>true</enabled>
|
|
||||||
</snapshots>
|
|
||||||
<releases>
|
|
||||||
<enabled>true</enabled>
|
|
||||||
</releases>
|
|
||||||
</repository>
|
|
||||||
</repositories>
|
|
||||||
<pluginRepositories>
|
|
||||||
<pluginRepository>
|
|
||||||
<id>central</id>
|
|
||||||
<url>https://maven-central.storage-download.googleapis.com/maven2/</url>
|
|
||||||
<snapshots>
|
|
||||||
<enabled>true</enabled>
|
|
||||||
</snapshots>
|
|
||||||
<releases>
|
|
||||||
<enabled>true</enabled>
|
|
||||||
</releases>
|
|
||||||
</pluginRepository>
|
|
||||||
</pluginRepositories>
|
|
||||||
</project>
|
</project>
|
||||||
@@ -1,5 +1,3 @@
|
|||||||
https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.jar
|
|
||||||
https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
|
|
||||||
https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
|
https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
|
||||||
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
|
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
|
||||||
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/example-project/1.5/example-project-1.5.jar
|
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/example-project/1.5/example-project-1.5.jar
|
||||||
@@ -24,3 +22,5 @@ https://repo.maven.apache.org/maven2/org/minijax/minijax-example-websocket/0.5.1
|
|||||||
https://repo.maven.apache.org/maven2/org/scalamock/scalamock-examples_2.10/3.6.0/scalamock-examples_2.10-3.6.0.jar
|
https://repo.maven.apache.org/maven2/org/scalamock/scalamock-examples_2.10/3.6.0/scalamock-examples_2.10-3.6.0.jar
|
||||||
https://repo.maven.apache.org/maven2/org/somda/sdc/glue-examples/4.0.0/glue-examples-4.0.0.jar
|
https://repo.maven.apache.org/maven2/org/somda/sdc/glue-examples/4.0.0/glue-examples-4.0.0.jar
|
||||||
https://repo.maven.apache.org/maven2/us/fatehi/schemacrawler-examplecode/16.20.2/schemacrawler-examplecode-16.20.2.jar
|
https://repo.maven.apache.org/maven2/us/fatehi/schemacrawler-examplecode/16.20.2/schemacrawler-examplecode-16.20.2.jar
|
||||||
|
https://repo1.maven.org/maven2/junit/junit/4.11/junit-4.11.jar
|
||||||
|
https://repo1.maven.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
|
||||||
|
|||||||
@@ -73,6 +73,6 @@ Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferst
|
|||||||
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/sonatype/oss/oss-parent/7/oss-parent-7.pom
|
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/sonatype/oss/oss-parent/7/oss-parent-7.pom
|
||||||
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/sonatype/oss/oss-parent/9/oss-parent-9.pom
|
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/sonatype/oss/oss-parent/9/oss-parent-9.pom
|
||||||
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/sonatype/spice/spice-parent/17/spice-parent-17.pom
|
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/sonatype/spice/spice-parent/17/spice-parent-17.pom
|
||||||
Downloaded from google-maven-central: https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.pom
|
Downloaded from mirror-force-central: https://repo1.maven.org/maven2/junit/junit/4.11/junit-4.11.pom
|
||||||
Downloaded from google-maven-central: https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.pom
|
Downloaded from mirror-force-central: https://repo1.maven.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.pom
|
||||||
Downloaded from google-maven-central: https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-parent/1.3/hamcrest-parent-1.3.pom
|
Downloaded from mirror-force-central: https://repo1.maven.org/maven2/org/hamcrest/hamcrest-parent/1.3/hamcrest-parent-1.3.pom
|
||||||
|
|||||||
@@ -111,30 +111,4 @@
|
|||||||
</plugins>
|
</plugins>
|
||||||
</pluginManagement>
|
</pluginManagement>
|
||||||
</build>
|
</build>
|
||||||
|
|
||||||
<!-- Use the Google Cloud Storage mirror of Maven Central for better download speeds and reliability -->
|
|
||||||
<repositories>
|
|
||||||
<repository>
|
|
||||||
<id>central</id>
|
|
||||||
<url>https://maven-central.storage-download.googleapis.com/maven2/</url>
|
|
||||||
<snapshots>
|
|
||||||
<enabled>true</enabled>
|
|
||||||
</snapshots>
|
|
||||||
<releases>
|
|
||||||
<enabled>true</enabled>
|
|
||||||
</releases>
|
|
||||||
</repository>
|
|
||||||
</repositories>
|
|
||||||
<pluginRepositories>
|
|
||||||
<pluginRepository>
|
|
||||||
<id>central</id>
|
|
||||||
<url>https://maven-central.storage-download.googleapis.com/maven2/</url>
|
|
||||||
<snapshots>
|
|
||||||
<enabled>true</enabled>
|
|
||||||
</snapshots>
|
|
||||||
<releases>
|
|
||||||
<enabled>true</enabled>
|
|
||||||
</releases>
|
|
||||||
</pluginRepository>
|
|
||||||
</pluginRepositories>
|
|
||||||
</project>
|
</project>
|
||||||
@@ -5,11 +5,11 @@
|
|||||||
|
|
||||||
<mirror>
|
<mirror>
|
||||||
|
|
||||||
<id>google-maven-central</id>
|
<id>mirror-force-central</id>
|
||||||
|
|
||||||
<name>GCS Maven Central mirror</name>
|
<name>Mirror Repository</name>
|
||||||
|
|
||||||
<url>https://maven-central.storage-download.googleapis.com/maven2/</url>
|
<url>https://repo1.maven.org/maven2</url>
|
||||||
|
|
||||||
<mirrorOf>*,!codeql-depgraph-plugin-repo</mirrorOf>
|
<mirrorOf>*,!codeql-depgraph-plugin-repo</mirrorOf>
|
||||||
|
|
||||||
|
|||||||
@@ -1,9 +1,9 @@
|
|||||||
<settings>
|
<settings>
|
||||||
<mirrors>
|
<mirrors>
|
||||||
<mirror>
|
<mirror>
|
||||||
<id>google-maven-central</id>
|
<id>mirror-force-central</id>
|
||||||
<name>GCS Maven Central mirror</name>
|
<name>Mirror Repository</name>
|
||||||
<url>https://maven-central.storage-download.googleapis.com/maven2/</url>
|
<url>https://repo1.maven.org/maven2</url>
|
||||||
<mirrorOf>*</mirrorOf>
|
<mirrorOf>*</mirrorOf>
|
||||||
</mirror>
|
</mirror>
|
||||||
</mirrors>
|
</mirrors>
|
||||||
|
|||||||
@@ -1,6 +1,3 @@
|
|||||||
https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.jar
|
|
||||||
https://maven-central.storage-download.googleapis.com/maven2/org/apache/commons/commons-lang3/3.14.0/commons-lang3-3.14.0.jar
|
|
||||||
https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
|
|
||||||
https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
|
https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
|
||||||
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
|
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
|
||||||
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/example-project/1.5/example-project-1.5.jar
|
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/example-project/1.5/example-project-1.5.jar
|
||||||
@@ -12,7 +9,10 @@ https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-example_2.11/0.1.2/r
|
|||||||
https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-java-example_2.11/0.1.2/rx-redis-java-example_2.11-0.1.2.jar
|
https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-java-example_2.11/0.1.2/rx-redis-java-example_2.11-0.1.2.jar
|
||||||
https://repo.maven.apache.org/maven2/io/github/scrollsyou/example-spring-boot-starter/1.0.0/example-spring-boot-starter-1.0.0.jar
|
https://repo.maven.apache.org/maven2/io/github/scrollsyou/example-spring-boot-starter/1.0.0/example-spring-boot-starter-1.0.0.jar
|
||||||
https://repo.maven.apache.org/maven2/io/streamnative/com/example/maven-central-template/server/3.0.0/server-3.0.0.jar
|
https://repo.maven.apache.org/maven2/io/streamnative/com/example/maven-central-template/server/3.0.0/server-3.0.0.jar
|
||||||
|
https://repo.maven.apache.org/maven2/junit/junit/4.11/junit-4.11.jar
|
||||||
https://repo.maven.apache.org/maven2/no/nav/security/token-validation-ktor-demo/3.1.0/token-validation-ktor-demo-3.1.0.jar
|
https://repo.maven.apache.org/maven2/no/nav/security/token-validation-ktor-demo/3.1.0/token-validation-ktor-demo-3.1.0.jar
|
||||||
|
https://repo.maven.apache.org/maven2/org/apache/commons/commons-lang3/3.14.0/commons-lang3-3.14.0.jar
|
||||||
|
https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
|
||||||
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-fileupload/0.5.10/minijax-example-fileupload-0.5.10.jar
|
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-fileupload/0.5.10/minijax-example-fileupload-0.5.10.jar
|
||||||
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-inject/0.5.10/minijax-example-inject-0.5.10.jar
|
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-inject/0.5.10/minijax-example-inject-0.5.10.jar
|
||||||
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-json/0.5.10/minijax-example-json-0.5.10.jar
|
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-json/0.5.10/minijax-example-json-0.5.10.jar
|
||||||
|
|||||||
@@ -1,10 +0,0 @@
|
|||||||
<settings>
|
|
||||||
<mirrors>
|
|
||||||
<mirror>
|
|
||||||
<id>google-maven-central</id>
|
|
||||||
<name>GCS Maven Central mirror</name>
|
|
||||||
<url>https://maven-central.storage-download.googleapis.com/maven2/</url>
|
|
||||||
<mirrorOf>central</mirrorOf>
|
|
||||||
</mirror>
|
|
||||||
</mirrors>
|
|
||||||
</settings>
|
|
||||||
@@ -1,5 +1,4 @@
|
|||||||
pom.xml
|
pom.xml
|
||||||
settings.xml
|
|
||||||
submod1/pom.xml
|
submod1/pom.xml
|
||||||
submod1/src/main/java/com/example/App.java
|
submod1/src/main/java/com/example/App.java
|
||||||
submod1/src/main/resources/my-app.properties
|
submod1/src/main/resources/my-app.properties
|
||||||
|
|||||||
@@ -1,10 +1,7 @@
|
|||||||
import os
|
|
||||||
|
|
||||||
def test(codeql, java, check_diagnostics_java):
|
def test(codeql, java, check_diagnostics_java):
|
||||||
codeql.database.create(
|
codeql.database.create(
|
||||||
_env={
|
_env={
|
||||||
"CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS": "true",
|
"CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS": "true",
|
||||||
"CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS_CLASSPATH_FROM_BUILD_FILES": "true",
|
"CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS_CLASSPATH_FROM_BUILD_FILES": "true",
|
||||||
"LGTM_INDEX_MAVEN_SETTINGS_FILE": os.path.join(os.path.dirname(os.path.realpath(__file__)), "settings.xml"),
|
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
|
|||||||
@@ -1,10 +0,0 @@
|
|||||||
<settings>
|
|
||||||
<mirrors>
|
|
||||||
<mirror>
|
|
||||||
<id>google-maven-central</id>
|
|
||||||
<name>GCS Maven Central mirror</name>
|
|
||||||
<url>https://maven-central.storage-download.googleapis.com/maven2/</url>
|
|
||||||
<mirrorOf>central</mirrorOf>
|
|
||||||
</mirror>
|
|
||||||
</mirrors>
|
|
||||||
</settings>
|
|
||||||
@@ -1,6 +1,5 @@
|
|||||||
.mvn/wrapper/maven-wrapper.properties
|
.mvn/wrapper/maven-wrapper.properties
|
||||||
pom.xml
|
pom.xml
|
||||||
settings.xml
|
|
||||||
src/main/java/com/example/App.java
|
src/main/java/com/example/App.java
|
||||||
src/main/resources/my-app.properties
|
src/main/resources/my-app.properties
|
||||||
src/main/resources/page.xml
|
src/main/resources/page.xml
|
||||||
|
|||||||
@@ -1,11 +1,6 @@
|
|||||||
import os
|
|
||||||
|
|
||||||
def test(codeql, java, check_diagnostics_java):
|
def test(codeql, java, check_diagnostics_java):
|
||||||
# mvnw has been rigged to stall for a long time by trying to fetch from a black-hole IP. We should find the timeout logic fires and buildless aborts the Maven run quickly.
|
# mvnw has been rigged to stall for a long time by trying to fetch from a black-hole IP. We should find the timeout logic fires and buildless aborts the Maven run quickly.
|
||||||
codeql.database.create(
|
codeql.database.create(
|
||||||
build_mode="none",
|
build_mode="none",
|
||||||
_env={
|
_env={"CODEQL_EXTRACTOR_JAVA_BUILDLESS_CHILD_PROCESS_IDLE_TIMEOUT": "5"},
|
||||||
"CODEQL_EXTRACTOR_JAVA_BUILDLESS_CHILD_PROCESS_IDLE_TIMEOUT": "5",
|
|
||||||
"LGTM_INDEX_MAVEN_SETTINGS_FILE": os.path.join(os.path.dirname(os.path.realpath(__file__)), "settings.xml"),
|
|
||||||
},
|
|
||||||
)
|
)
|
||||||
|
|||||||
@@ -1,10 +0,0 @@
|
|||||||
<settings>
|
|
||||||
<mirrors>
|
|
||||||
<mirror>
|
|
||||||
<id>google-maven-central</id>
|
|
||||||
<name>GCS Maven Central mirror</name>
|
|
||||||
<url>https://maven-central.storage-download.googleapis.com/maven2/</url>
|
|
||||||
<mirrorOf>central</mirrorOf>
|
|
||||||
</mirror>
|
|
||||||
</mirrors>
|
|
||||||
</settings>
|
|
||||||
@@ -1,9 +1,4 @@
|
|||||||
import os
|
|
||||||
|
|
||||||
def test(codeql, java, check_diagnostics_java):
|
def test(codeql, java, check_diagnostics_java):
|
||||||
codeql.database.create(
|
codeql.database.create(
|
||||||
build_mode="none",
|
build_mode="none",
|
||||||
_env={
|
|
||||||
"LGTM_INDEX_MAVEN_SETTINGS_FILE": os.path.join(os.path.dirname(os.path.realpath(__file__)), "settings.xml"),
|
|
||||||
}
|
|
||||||
)
|
)
|
||||||
|
|||||||
@@ -1,5 +1,3 @@
|
|||||||
https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.jar
|
|
||||||
https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
|
|
||||||
https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
|
https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
|
||||||
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
|
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
|
||||||
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/example-project/1.5/example-project-1.5.jar
|
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/example-project/1.5/example-project-1.5.jar
|
||||||
@@ -11,7 +9,9 @@ https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-example_2.11/0.1.2/r
|
|||||||
https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-java-example_2.11/0.1.2/rx-redis-java-example_2.11-0.1.2.jar
|
https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-java-example_2.11/0.1.2/rx-redis-java-example_2.11-0.1.2.jar
|
||||||
https://repo.maven.apache.org/maven2/io/github/scrollsyou/example-spring-boot-starter/1.0.0/example-spring-boot-starter-1.0.0.jar
|
https://repo.maven.apache.org/maven2/io/github/scrollsyou/example-spring-boot-starter/1.0.0/example-spring-boot-starter-1.0.0.jar
|
||||||
https://repo.maven.apache.org/maven2/io/streamnative/com/example/maven-central-template/server/3.0.0/server-3.0.0.jar
|
https://repo.maven.apache.org/maven2/io/streamnative/com/example/maven-central-template/server/3.0.0/server-3.0.0.jar
|
||||||
|
https://repo.maven.apache.org/maven2/junit/junit/4.11/junit-4.11.jar
|
||||||
https://repo.maven.apache.org/maven2/no/nav/security/token-validation-ktor-demo/3.1.0/token-validation-ktor-demo-3.1.0.jar
|
https://repo.maven.apache.org/maven2/no/nav/security/token-validation-ktor-demo/3.1.0/token-validation-ktor-demo-3.1.0.jar
|
||||||
|
https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
|
||||||
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-fileupload/0.5.10/minijax-example-fileupload-0.5.10.jar
|
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-fileupload/0.5.10/minijax-example-fileupload-0.5.10.jar
|
||||||
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-inject/0.5.10/minijax-example-inject-0.5.10.jar
|
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-inject/0.5.10/minijax-example-inject-0.5.10.jar
|
||||||
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-json/0.5.10/minijax-example-json-0.5.10.jar
|
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-json/0.5.10/minijax-example-json-0.5.10.jar
|
||||||
|
|||||||
@@ -1,6 +1,6 @@
|
|||||||
Downloaded from central: https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.pom
|
Downloaded from central: https://repo.maven.apache.org/maven2/junit/junit/4.11/junit-4.11.pom
|
||||||
Downloaded from central: https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.pom
|
Downloaded from central: https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.pom
|
||||||
Downloaded from central: https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-parent/1.3/hamcrest-parent-1.3.pom
|
Downloaded from central: https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-parent/1.3/hamcrest-parent-1.3.pom
|
||||||
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.18.6/jackson-annotations-2.18.6.jar
|
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.18.6/jackson-annotations-2.18.6.jar
|
||||||
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.18.6/jackson-annotations-2.18.6.pom
|
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.18.6/jackson-annotations-2.18.6.pom
|
||||||
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-core/2.18.6/jackson-core-2.18.6.jar
|
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-core/2.18.6/jackson-core-2.18.6.jar
|
||||||
|
|||||||
@@ -111,30 +111,4 @@
|
|||||||
</plugins>
|
</plugins>
|
||||||
</pluginManagement>
|
</pluginManagement>
|
||||||
</build>
|
</build>
|
||||||
|
|
||||||
<!-- Use the Google Cloud Storage mirror of Maven Central for better download speeds and reliability -->
|
|
||||||
<repositories>
|
|
||||||
<repository>
|
|
||||||
<id>central</id>
|
|
||||||
<url>https://maven-central.storage-download.googleapis.com/maven2/</url>
|
|
||||||
<snapshots>
|
|
||||||
<enabled>true</enabled>
|
|
||||||
</snapshots>
|
|
||||||
<releases>
|
|
||||||
<enabled>true</enabled>
|
|
||||||
</releases>
|
|
||||||
</repository>
|
|
||||||
</repositories>
|
|
||||||
<pluginRepositories>
|
|
||||||
<pluginRepository>
|
|
||||||
<id>central</id>
|
|
||||||
<url>https://maven-central.storage-download.googleapis.com/maven2/</url>
|
|
||||||
<snapshots>
|
|
||||||
<enabled>true</enabled>
|
|
||||||
</snapshots>
|
|
||||||
<releases>
|
|
||||||
<enabled>true</enabled>
|
|
||||||
</releases>
|
|
||||||
</pluginRepository>
|
|
||||||
</pluginRepositories>
|
|
||||||
</project>
|
</project>
|
||||||
@@ -1,5 +1,3 @@
|
|||||||
https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.jar
|
|
||||||
https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
|
|
||||||
https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
|
https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
|
||||||
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
|
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
|
||||||
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/example-project/1.5/example-project-1.5.jar
|
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/example-project/1.5/example-project-1.5.jar
|
||||||
@@ -11,7 +9,9 @@ https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-example_2.11/0.1.2/r
|
|||||||
https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-java-example_2.11/0.1.2/rx-redis-java-example_2.11-0.1.2.jar
|
https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-java-example_2.11/0.1.2/rx-redis-java-example_2.11-0.1.2.jar
|
||||||
https://repo.maven.apache.org/maven2/io/github/scrollsyou/example-spring-boot-starter/1.0.0/example-spring-boot-starter-1.0.0.jar
|
https://repo.maven.apache.org/maven2/io/github/scrollsyou/example-spring-boot-starter/1.0.0/example-spring-boot-starter-1.0.0.jar
|
||||||
https://repo.maven.apache.org/maven2/io/streamnative/com/example/maven-central-template/server/3.0.0/server-3.0.0.jar
|
https://repo.maven.apache.org/maven2/io/streamnative/com/example/maven-central-template/server/3.0.0/server-3.0.0.jar
|
||||||
|
https://repo.maven.apache.org/maven2/junit/junit/4.11/junit-4.11.jar
|
||||||
https://repo.maven.apache.org/maven2/no/nav/security/token-validation-ktor-demo/3.1.0/token-validation-ktor-demo-3.1.0.jar
|
https://repo.maven.apache.org/maven2/no/nav/security/token-validation-ktor-demo/3.1.0/token-validation-ktor-demo-3.1.0.jar
|
||||||
|
https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
|
||||||
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-fileupload/0.5.10/minijax-example-fileupload-0.5.10.jar
|
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-fileupload/0.5.10/minijax-example-fileupload-0.5.10.jar
|
||||||
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-inject/0.5.10/minijax-example-inject-0.5.10.jar
|
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-inject/0.5.10/minijax-example-inject-0.5.10.jar
|
||||||
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-json/0.5.10/minijax-example-json-0.5.10.jar
|
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-json/0.5.10/minijax-example-json-0.5.10.jar
|
||||||
|
|||||||
@@ -1,10 +0,0 @@
|
|||||||
<settings>
|
|
||||||
<mirrors>
|
|
||||||
<mirror>
|
|
||||||
<id>google-maven-central</id>
|
|
||||||
<name>GCS Maven Central mirror</name>
|
|
||||||
<url>https://maven-central.storage-download.googleapis.com/maven2/</url>
|
|
||||||
<mirrorOf>central</mirrorOf>
|
|
||||||
</mirror>
|
|
||||||
</mirrors>
|
|
||||||
</settings>
|
|
||||||
@@ -1,5 +1,4 @@
|
|||||||
pom.xml
|
pom.xml
|
||||||
settings.xml
|
|
||||||
src/main/java/com/example/App.java
|
src/main/java/com/example/App.java
|
||||||
src/main/resources/my-app.properties
|
src/main/resources/my-app.properties
|
||||||
src/main/resources/page.xml
|
src/main/resources/page.xml
|
||||||
|
|||||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user