Add Avro MaD models for testing

.github/workflows/go-version-update.yml

@@ -1,208 +0,0 @@
-name: Update Go version
-
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: "0 3 * * 1"  # Run weekly on Mondays at 3 AM UTC (1 = Monday)
-
-permissions:
-  contents: write
-  pull-requests: write
-
-jobs:
-  update-go-version:
-    name: Check and update Go version
-    if: github.repository == 'github/codeql'
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v5
-        with:
-          fetch-depth: 0
-
-      - name: Set up Git
-        run: |
-          git config user.name "github-actions[bot]"
-          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
-
-      - name: Fetch latest Go version
-        id: fetch-version
-        run: |
-          LATEST_GO_VERSION=$(curl -s https://go.dev/dl/?mode=json | jq -r '.[0].version')
-          
-          if [ -z "$LATEST_GO_VERSION" ] || [ "$LATEST_GO_VERSION" = "null" ]; then
-            echo "Error: Failed to fetch latest Go version from go.dev"
-            exit 1
-          fi
-          
-          echo "Latest Go version from go.dev: $LATEST_GO_VERSION"
-          echo "version=$LATEST_GO_VERSION" >> $GITHUB_OUTPUT
-          
-          # Extract version numbers (e.g., go1.26.0 -> 1.26.0)
-          LATEST_VERSION_NUM=$(echo $LATEST_GO_VERSION | sed 's/^go//')
-          echo "version_num=$LATEST_VERSION_NUM" >> $GITHUB_OUTPUT
-          
-          # Extract major.minor version (e.g., 1.26.0 -> 1.26)
-          LATEST_MAJOR_MINOR=$(echo $LATEST_VERSION_NUM | sed -E 's/^([0-9]+\.[0-9]+).*/\1/')
-          echo "major_minor=$LATEST_MAJOR_MINOR" >> $GITHUB_OUTPUT
-
-      - name: Check current Go version
-        id: current-version
-        run: |
-          CURRENT_VERSION=$(sed -n 's/.*go_sdk\.download(version = \"\([^\"]*\)\".*/\1/p' MODULE.bazel)
-          
-          if [ -z "$CURRENT_VERSION" ]; then
-            echo "Error: Could not extract Go version from MODULE.bazel"
-            exit 1
-          fi
-          
-          echo "Current Go version in MODULE.bazel: $CURRENT_VERSION"
-          echo "version=$CURRENT_VERSION" >> $GITHUB_OUTPUT
-          
-          # Extract major.minor version
-          CURRENT_MAJOR_MINOR=$(echo $CURRENT_VERSION | sed -E 's/^([0-9]+\.[0-9]+).*/\1/')
-          echo "major_minor=$CURRENT_MAJOR_MINOR" >> $GITHUB_OUTPUT
-
-      - name: Compare versions
-        id: compare
-        run: |
-          LATEST="${{ steps.fetch-version.outputs.version_num }}"
-          CURRENT="${{ steps.current-version.outputs.version }}"
-          
-          echo "Latest: $LATEST"
-          echo "Current: $CURRENT"
-          
-          if [ "$LATEST" = "$CURRENT" ]; then
-            echo "Go version is up to date"
-            echo "needs_update=false" >> $GITHUB_OUTPUT
-          else
-            echo "Go version needs update from $CURRENT to $LATEST"
-            echo "needs_update=true" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Update Go version in files
-        if: steps.compare.outputs.needs_update == 'true'
-        run: |
-          LATEST_VERSION_NUM="${{ steps.fetch-version.outputs.version_num }}"
-          LATEST_MAJOR_MINOR="${{ steps.fetch-version.outputs.major_minor }}"
-          CURRENT_VERSION="${{ steps.current-version.outputs.version }}"
-          CURRENT_MAJOR_MINOR="${{ steps.current-version.outputs.major_minor }}"
-          
-          echo "Updating from $CURRENT_VERSION to $LATEST_VERSION_NUM"
-          
-          # Escape dots in current version strings for use in sed patterns
-          CURRENT_VERSION_ESCAPED=$(echo "$CURRENT_VERSION" | sed 's/\./\\./g')
-          CURRENT_MAJOR_MINOR_ESCAPED=$(echo "$CURRENT_MAJOR_MINOR" | sed 's/\./\\./g')
-          
-          # Update MODULE.bazel
-          sed -i "s/go_sdk\.download(version = \"$CURRENT_VERSION_ESCAPED\")/go_sdk.download(version = \"$LATEST_VERSION_NUM\")/" MODULE.bazel
-          if ! grep -q "go_sdk.download(version = \"$LATEST_VERSION_NUM\")" MODULE.bazel; then
-            echo "Error: Failed to update MODULE.bazel"
-            exit 1
-          fi
-          
-          # Update go/extractor/go.mod
-          if ! sed -i "s/^go $CURRENT_MAJOR_MINOR_ESCAPED\$/go $LATEST_MAJOR_MINOR/" go/extractor/go.mod; then
-            echo "Warning: Failed to update go directive in go.mod"
-          fi
-          if ! sed -i "s/^toolchain go$CURRENT_VERSION_ESCAPED\$/toolchain go$LATEST_VERSION_NUM/" go/extractor/go.mod; then
-            echo "Warning: Failed to update toolchain in go.mod"
-          fi
-          
-          # Update go/extractor/autobuilder/build-environment.go
-          if ! sed -i "s/var maxGoVersion = util\.NewSemVer(\"$CURRENT_MAJOR_MINOR_ESCAPED\")/var maxGoVersion = util.NewSemVer(\"$LATEST_MAJOR_MINOR\")/" go/extractor/autobuilder/build-environment.go; then
-            echo "Warning: Failed to update build-environment.go"
-          fi
-          
-          # Update go/actions/test/action.yml
-          if ! sed -i "s/default: \"~$CURRENT_VERSION_ESCAPED\"/default: \"~$LATEST_VERSION_NUM\"/" go/actions/test/action.yml; then
-            echo "Warning: Failed to update action.yml"
-          fi
-          
-          # Show what changed
-          git diff
-
-      - name: Check for changes
-        id: check-changes
-        if: steps.compare.outputs.needs_update == 'true'
-        run: |
-          if git diff --quiet; then
-            echo "No changes detected"
-            echo "has_changes=false" >> $GITHUB_OUTPUT
-          else
-            echo "Changes detected"
-            echo "has_changes=true" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Check for existing PR
-        if: steps.check-changes.outputs.has_changes == 'true'
-        id: check-pr
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          BRANCH_NAME="workflow/go-version-update"
-          PR_NUMBER=$(gh pr list --head "$BRANCH_NAME" --state open --json number --jq '.[0].number')
-          
-          if [ -n "$PR_NUMBER" ]; then
-            echo "Existing PR found: #$PR_NUMBER"
-            echo "pr_exists=true" >> $GITHUB_OUTPUT
-            echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT
-          else
-            echo "No existing PR found"
-            echo "pr_exists=false" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Commit and push changes
-        if: steps.check-changes.outputs.has_changes == 'true'
-        run: |
-          BRANCH_NAME="workflow/go-version-update"
-          LATEST_VERSION_NUM="${{ steps.fetch-version.outputs.version_num }}"
-          LATEST_MAJOR_MINOR="${{ steps.fetch-version.outputs.major_minor }}"
-          
-          # Create or switch to branch
-          git checkout -B "$BRANCH_NAME"
-          
-          # Stage and commit changes
-          git add MODULE.bazel go/extractor/go.mod go/extractor/autobuilder/build-environment.go go/actions/test/action.yml
-          git commit -m "Go: Update to $LATEST_VERSION_NUM"
-          
-          # Push changes
-          git push --force-with-lease origin "$BRANCH_NAME"
-
-      - name: Create or update PR
-        if: steps.check-changes.outputs.has_changes == 'true'
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          BRANCH_NAME="workflow/go-version-update"
-          LATEST_VERSION_NUM="${{ steps.fetch-version.outputs.version_num }}"
-          CURRENT_VERSION="${{ steps.current-version.outputs.version }}"
-          
-          PR_TITLE="Go: Update to $LATEST_VERSION_NUM"
-          
-          PR_BODY=$(cat <<EOF
-          This PR updates Go from $CURRENT_VERSION to $LATEST_VERSION_NUM.
-
-          Updated files:
-          - \`MODULE.bazel\` - go_sdk.download version
-          - \`go/extractor/go.mod\` - go directive and toolchain
-          - \`go/extractor/autobuilder/build-environment.go\` - maxGoVersion (only if MAJOR.MINOR changes)
-          - \`go/actions/test/action.yml\` - default go-test-version
-
-          This PR was automatically created by the [Go version update workflow](https://github.com/${{ github.repository }}/blob/main/.github/workflows/go-version-update.yml).
-          EOF
-          )
-          
-          if [ "${{ steps.check-pr.outputs.pr_exists }}" = "true" ]; then
-            echo "Updating existing PR #${{ steps.check-pr.outputs.pr_number }}"
-            gh pr edit "${{ steps.check-pr.outputs.pr_number }}" --title "$PR_TITLE" --body "$PR_BODY"
-          else
-            echo "Creating new PR"
-            gh pr create \
-              --title "$PR_TITLE" \
-              --body "$PR_BODY" \
-              --base main \
-              --head "$BRANCH_NAME" \
-              --label "Go"
-          fi

MODULE.bazel

@@ -273,7 +273,7 @@ use_repo(
 )
 
 go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
-go_sdk.download(version = "1.26.4")
+go_sdk.download(version = "1.26.0")
 
 go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
 go_deps.from_file(go_mod = "//go/extractor:go.mod")

actions/ql/lib/CHANGELOG.md

@@ -1,15 +1,3 @@
-## 0.4.37
-
-### Minor Analysis Improvements
-
-* The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, include regexes like `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a sha1 or sha256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.
-
-## 0.4.36
-
-### Minor Analysis Improvements
-
-* Altered 2 patterns in the `poisonable_steps` modelling. Extra sinks are detected in the following cases: scripts executed via python modules and `go run` in directories are detected as potential mechanisms of injection. For the go execution pattern, the pattern is updated to now ignore flags that occur between go and the specific command. This change may lead to more results being detected by the following queries: `actions/untrusted-checkout/high`, `actions/untrusted-checkout/critical`, `actions/untrusted-checkout-toctou/high`, `actions/untrusted-checkout-toctou/critical`, `actions/cache-poisoning/poisonable-step`, `actions/cache-poisoning/direct-cache` and `actions/artifact-poisoning/path-traversal`.
-
 ## 0.4.35
 
 No user-facing changes.

actions/ql/lib/change-notes/2026-04-15-poisonable-steps-additions-alterations.md

@@ -1,5 +1,4 @@
-## 0.4.36
-
-### Minor Analysis Improvements
-
-* Altered 2 patterns in the `poisonable_steps` modelling. Extra sinks are detected in the following cases: scripts executed via python modules and `go run` in directories are detected as potential mechanisms of injection. For the go execution pattern, the pattern is updated to now ignore flags that occur between go and the specific command. This change may lead to more results being detected by the following queries: `actions/untrusted-checkout/high`, `actions/untrusted-checkout/critical`, `actions/untrusted-checkout-toctou/high`, `actions/untrusted-checkout-toctou/critical`, `actions/cache-poisoning/poisonable-step`, `actions/cache-poisoning/direct-cache` and `actions/artifact-poisoning/path-traversal`.
+---
+category: minorAnalysis
+---
+* Altered 2 patterns in the `poisonable_steps` modelling. Extra sinks are detected in the following cases: scripts executed via python modules and `go run` in directories are detected as potential mechanisms of injection. For the go execution pattern, the pattern is updated to now ignore flags that occur between go and the specific command. This change may lead to more results being detected by the following queries: `actions/untrusted-checkout/high`, `actions/untrusted-checkout/critical`, `actions/untrusted-checkout-toctou/high`, `actions/untrusted-checkout-toctou/critical`, `actions/cache-poisoning/poisonable-step`, `actions/cache-poisoning/direct-cache` and `actions/artifact-poisoning/path-traversal`.

actions/ql/lib/change-notes/2026-05-12-improved-alphanumeric-regex.md

@@ -1,5 +1,4 @@
-## 0.4.37
-
-### Minor Analysis Improvements
-
-* The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, include regexes like `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a sha1 or sha256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.
+---
+category: minorAnalysis
+---
+* The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, include regexes like `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a sha1 or sha256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.37
+lastReleaseVersion: 0.4.35

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.38-dev
+version: 0.4.36-dev
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,36 +1,3 @@
-## 0.6.29
-
-### Query Metadata Changes
-
-* Reversed adjustment of the name of `actions/untrusted-checkout/high`, but kept the portion of the previous change for the word "trusted" to "privileged". Added a missing "a" to phrasing in `actions/untrusted-checkout/high` and `actions/untrusted-checkout/medium`.
-
-### Major Analysis Improvements
-
-* Adjusted `actions/untrusted-checkout/critical` to align more with other untrusted resource queries, where the alert location is the location where the artifact is obtained from (the checkout point). This aligns with the other 2 related queries. This will cause the same alerts to re-open for closed alerts of this query.
-
-### Minor Analysis Improvements
-
-* Altered the alert message for clarity for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`.
-* The `actions/unpinned-tag` query now recognizes 64-character SHA-256 commit hashes as properly pinned references, in addition to 40-character SHA-1 hashes.
-
-### Bug Fixes
-
-* Adjusted (minor) help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Clarified wording on in minor point, added one more listed resource and added one more recommendation for things to check.
-
-## 0.6.28
-
-### Query Metadata Changes
-
-* Adjusted the name of `actions/untrusted-checkout/high` to more clearly describe which parts of the scenario are in a privileged context.
-
-### Minor Analysis Improvements
-
-* The `actions/unpinned-tag` query now analyzes composite action metadata (`action.yml`/`action.yaml` files) in addition to workflow files, providing more comprehensive detection of unpinned action references across the entire Actions ecosystem.
-
-### Bug Fixes
-
-* Fixed help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Previously the messages were unclear as to why and how the vulnerabilities could occur. 
-
 ## 0.6.27
 
 No user-facing changes.

actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md

@@ -27,7 +27,7 @@ Certain triggers automatically grant a workflow elevated privileges:
   * An attacker forks the repository and adds malicious code (e.g., in the build script)
   * The attacker opens a PR from the fork, and, if needed, comments on the PR
   * The workflow in the base repository checks out the forked code
-  * The workflow runs the malicious code
+  * The workflow runs, (e.g. the build script etc.), which contains the malicious code
 
 Please note that not only build scripts can be malicious code vectors. There is a large number of other possibilities. Some of them are listed in the [LOTP](https://boostsecurityio.github.io/lotp/) catalog.
 
@@ -41,8 +41,6 @@ The best practice is to handle the potentially untrusted pull request via the **
 
 The artifacts downloaded from the first workflow should be considered untrusted and must be verified.
 
-Additionally, ensure that least privilege are used both at the workflow level (through event triggers and workflow permissions) and job level (through job permissions).
-
 ## Example
 
 ### Incorrect Usage
@@ -165,5 +163,4 @@ jobs:
 
 - GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).
 - Mitigating risks of untrusted checkout: [GitHub Docs](https://docs.github.com/en/enterprise-cloud@latest/actions/reference/security/secure-use#mitigating-the-risks-of-untrusted-code-checkout).
-- Securing with least privilege: [Workflow secure use](https://docs.github.com/en/actions/reference/security/secure-use).
 - Living Off the Pipeline: [LOTP](https://boostsecurityio.github.io/lotp/).

actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql

@@ -52,5 +52,4 @@ where
   not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout")) and
   not exists(ControlCheck check | check.protects(poisonable, event, "untrusted-checkout"))
 select checkout, checkout, poisonable,
-  "Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@).",
-  event, event.getName()
+  "Potential execution of untrusted code on a privileged workflow ($@)", event, event.getName()

actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md

@@ -27,7 +27,7 @@ Certain triggers automatically grant a workflow elevated privileges:
   * An attacker forks the repository and adds malicious code (e.g., in the build script)
   * The attacker opens a PR from the fork, and, if needed, comments on the PR
   * The workflow in the base repository checks out the forked code
-  * The workflow runs the malicious code
+  * The workflow runs, (e.g. the build script etc.), which contains the malicious code
 
 Please note that not only build scripts can be malicious code vectors. There is a large number of other possibilities. Some of them are listed in the [LOTP](https://boostsecurityio.github.io/lotp/) catalog.
 
@@ -41,8 +41,6 @@ The best practice is to handle the potentially untrusted pull request via the **
 
 The artifacts downloaded from the first workflow should be considered untrusted and must be verified.
 
-Additionally, ensure that least privilege are used both at the workflow level (through event triggers and workflow permissions) and job level (through job permissions).
-
 ## Example
 
 ### Incorrect Usage
@@ -165,5 +163,4 @@ jobs:
 
 - GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).
 - Mitigating risks of untrusted checkout: [GitHub Docs](https://docs.github.com/en/enterprise-cloud@latest/actions/reference/security/secure-use#mitigating-the-risks-of-untrusted-code-checkout).
-- Securing with least privilege: [Workflow secure use](https://docs.github.com/en/actions/reference/security/secure-use).
 - Living Off the Pipeline: [LOTP](https://boostsecurityio.github.io/lotp/).

actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql

@@ -1,5 +1,5 @@
 /**
- * @name Checkout of untrusted code in a privileged context
+ * @name Checkout of untrusted code in privileged context without privileged context use
  * @description Privileged workflows have read/write access to the base repository and access to secrets.
  *              By explicitly checking out and running the build script from a fork the untrusted code is running in an environment
  *              that is able to push to the base repository and to access secrets.
@@ -42,6 +42,5 @@ where
     not event.getName() = "issue_comment" and
     not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout"))
   )
-select checkout,
-  "Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@).",
-  event, event.getName()
+select checkout, "Potential execution of untrusted code on a privileged workflow ($@)", event,
+  event.getName()

actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md

@@ -27,7 +27,7 @@ Certain triggers automatically grant a workflow elevated privileges:
   * An attacker forks the repository and adds malicious code (e.g., in the build script)
   * The attacker opens a PR from the fork, and, if needed, comments on the PR
   * The workflow in the base repository checks out the forked code
-  * The workflow runs the malicious code
+  * The workflow runs, (e.g. the build script etc.), which contains the malicious code
 
 Please note that not only build scripts can be malicious code vectors. There is a large number of other possibilities. Some of them are listed in the [LOTP](https://boostsecurityio.github.io/lotp/) catalog.
 
@@ -41,8 +41,6 @@ The best practice is to handle the potentially untrusted pull request via the **
 
 The artifacts downloaded from the first workflow should be considered untrusted and must be verified.
 
-Additionally, ensure that least privilege are used both at the workflow level (through event triggers and workflow permissions) and job level (through job permissions).
-
 ## Example
 
 ### Incorrect Usage
@@ -165,5 +163,4 @@ jobs:
 
 - GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).
 - Mitigating risks of untrusted checkout: [GitHub Docs](https://docs.github.com/en/enterprise-cloud@latest/actions/reference/security/secure-use#mitigating-the-risks-of-untrusted-code-checkout).
-- Securing with least privilege: [Workflow secure use](https://docs.github.com/en/actions/reference/security/secure-use).
 - Living Off the Pipeline: [LOTP](https://boostsecurityio.github.io/lotp/).

actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql

@@ -1,5 +1,5 @@
 /**
- * @name Checkout of untrusted code in a trusted context
+ * @name Checkout of untrusted code in trusted context
  * @description Privileged workflows have read/write access to the base repository and access to secrets.
  *              By explicitly checking out and running the build script from a fork the untrusted code is running in an environment
  *              that is able to push to the base repository and to access secrets.

actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements-helpfile.md

@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* Fixed help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Previously the messages were unclear as to why and how the vulnerabilities could occur. 

actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements-metadata.md

@@ -0,0 +1,4 @@
+---
+category: queryMetadata
+---
+* Adjusted the name of `actions/untrusted-checkout/high` to more clearly describe which parts of the scenario are in a privileged context.

actions/ql/src/change-notes/2026-04-20-unpinned-tag-composite-actions.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `actions/unpinned-tag` query now analyzes composite action metadata (`action.yml`/`action.yaml` files) in addition to workflow files, providing more comprehensive detection of unpinned action references across the entire Actions ecosystem.

actions/ql/src/change-notes/2026-05-05-untrusted-checkout-high.md

@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* Adjusted `actions/untrusted-checkout/critical` to align more with other untrusted resource queries, where the alert location is the location where the artifact is obtained from (the checkout point). This aligns with the other 2 related queries. This will cause the same alerts to re-open for closed alerts of this query.

actions/ql/src/change-notes/2026-05-12-sha256-pinned-actions.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `actions/unpinned-tag` query now recognizes 64-character SHA-256 commit hashes as properly pinned references, in addition to 40-character SHA-1 hashes.

actions/ql/src/change-notes/released/0.6.28.md

@@ -1,13 +0,0 @@
-## 0.6.28
-
-### Query Metadata Changes
-
-* Adjusted the name of `actions/untrusted-checkout/high` to more clearly describe which parts of the scenario are in a privileged context.
-
-### Minor Analysis Improvements
-
-* The `actions/unpinned-tag` query now analyzes composite action metadata (`action.yml`/`action.yaml` files) in addition to workflow files, providing more comprehensive detection of unpinned action references across the entire Actions ecosystem.
-
-### Bug Fixes
-
-* Fixed help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Previously the messages were unclear as to why and how the vulnerabilities could occur. 

actions/ql/src/change-notes/released/0.6.29.md

@@ -1,18 +0,0 @@
-## 0.6.29
-
-### Query Metadata Changes
-
-* Reversed adjustment of the name of `actions/untrusted-checkout/high`, but kept the portion of the previous change for the word "trusted" to "privileged". Added a missing "a" to phrasing in `actions/untrusted-checkout/high` and `actions/untrusted-checkout/medium`.
-
-### Major Analysis Improvements
-
-* Adjusted `actions/untrusted-checkout/critical` to align more with other untrusted resource queries, where the alert location is the location where the artifact is obtained from (the checkout point). This aligns with the other 2 related queries. This will cause the same alerts to re-open for closed alerts of this query.
-
-### Minor Analysis Improvements
-
-* Altered the alert message for clarity for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`.
-* The `actions/unpinned-tag` query now recognizes 64-character SHA-256 commit hashes as properly pinned references, in addition to 40-character SHA-1 hashes.
-
-### Bug Fixes
-
-* Adjusted (minor) help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Clarified wording on in minor point, added one more listed resource and added one more recommendation for things to check.

actions/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.29
+lastReleaseVersion: 0.6.27

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.30-dev
+version: 0.6.28-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

actions/ql/test/query-tests/Models/.github/workflows/reusable_workflow.yml

@@ -3,14 +3,14 @@ name: Reusable workflow example
 on:
   workflow_call:
     inputs:
-      config-path: # $ Source[actions/reusable-workflow-sinks] Source[actions/reusable-workflow-summaries]
+      config-path:
         required: true
         type: string
     outputs:
       workflow-output1:
-        value: ${{ jobs.job1.outputs.job-output1 }} # $ Alert[actions/reusable-workflow-summaries]
+        value: ${{ jobs.job1.outputs.job-output1 }}
       workflow-output2:
-        value: ${{ jobs.job1.outputs.job-output2 }} # $ Alert[actions/reusable-workflow-sources]
+        value: ${{ jobs.job1.outputs.job-output2 }}
     secrets:
       token:
         required: true
@@ -26,9 +26,9 @@ jobs:
         env:
           CONFIG_PATH: ${{ inputs.config-path }}
         run: |
-          echo ${{ inputs.config-path }} # $ Alert[actions/reusable-workflow-sinks]
+          echo ${{ inputs.config-path }}
           echo "::set-output name=step-output::$CONFIG_PATH"
       - name: Get changed files
         id: step2
-        uses: tj-actions/changed-files@v40 # $ Source[actions/reusable-workflow-sources]
+        uses: tj-actions/changed-files@v40
 

actions/ql/test/query-tests/Models/CompositeActionsSinks.expected

@@ -1,6 +1,3 @@
-#select
-| action1/action.yml:32:18:32:51 | steps.replace.outputs.value | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | Sink |
-| action1/action.yml:35:25:35:50 | inputs.who-to-greet | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | Sink |
 edges
 | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:28:18:28:43 | inputs.who-to-greet | provenance |  |
 | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | provenance |  |
@@ -13,3 +10,6 @@ nodes
 | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | semmle.label | steps.replace.outputs.value |
 | action1/action.yml:35:25:35:50 | inputs.who-to-greet | semmle.label | inputs.who-to-greet |
 subpaths
+#select
+| action1/action.yml:32:18:32:51 | steps.replace.outputs.value | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | Sink |
+| action1/action.yml:35:25:35:50 | inputs.who-to-greet | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | Sink |

actions/ql/test/query-tests/Models/CompositeActionsSinks.qlref

@@ -1,2 +1 @@
-query: Models/CompositeActionsSinks.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+Models/CompositeActionsSinks.ql

actions/ql/test/query-tests/Models/CompositeActionsSources.expected

@@ -1,9 +1,3 @@
-#select
-| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Source |
-| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Source |
-| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source |
-| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source |
-| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source |
 edges
 | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | provenance |  |
 | action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | provenance |  |
@@ -19,3 +13,9 @@ nodes
 | action1/action.yml:44:7:48:70 | Run Step: source [tainted] | semmle.label | Run Step: source [tainted] |
 | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files |
 subpaths
+#select
+| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Source |
+| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Source |
+| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source |
+| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source |
+| action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source |

actions/ql/test/query-tests/Models/CompositeActionsSources.qlref

@@ -1,2 +1,2 @@
-query: Models/CompositeActionsSources.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+Models/CompositeActionsSources.ql
+

actions/ql/test/query-tests/Models/CompositeActionsSummaries.expected

@@ -1,5 +1,3 @@
-#select
-| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Summary |
 edges
 | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:41:30:41:55 | inputs.who-to-greet | provenance |  |
 | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | provenance |  |
@@ -10,3 +8,5 @@ nodes
 | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | semmle.label | Run Step: reflector [reflected] |
 | action1/action.yml:41:30:41:55 | inputs.who-to-greet | semmle.label | inputs.who-to-greet |
 subpaths
+#select
+| action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Summary |

actions/ql/test/query-tests/Models/CompositeActionsSummaries.qlref

@@ -1,2 +1,2 @@
-query: Models/CompositeActionsSummaries.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+Models/CompositeActionsSummaries.ql
+

actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.expected

@@ -1,5 +1,3 @@
-#select
-| .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | Sink |
 edges
 | .github/workflows/calling_workflow.yml:12:5:15:2 | Job: call2 [workflow-output1] | .github/workflows/calling_workflow.yml:35:20:35:62 | needs.call2.outputs.workflow-output1 | provenance |  |
 | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | provenance |  |
@@ -22,3 +20,5 @@ nodes
 | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | semmle.label | inputs.config-path |
 | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | semmle.label | inputs.config-path |
 subpaths
+#select
+| .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | Sink |

actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.qlref

@@ -1,2 +1,2 @@
-query: Models/ReusableWorkflowsSinks.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+Models/ReusableWorkflowsSinks.ql
+

actions/ql/test/query-tests/Models/ReusableWorkflowsSources.expected

@@ -1,5 +1,3 @@
-#select
-| .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | Source |
 edges
 | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | provenance |  |
 | .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | provenance |  |
@@ -10,3 +8,5 @@ nodes
 | .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | semmle.label | steps.step2.outputs.all_changed_files |
 | .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | semmle.label | Uses Step: step2 |
 subpaths
+#select
+| .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | Source |

actions/ql/test/query-tests/Models/ReusableWorkflowsSources.qlref

@@ -1,2 +1,2 @@
-query: Models/ReusableWorkflowsSources.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+Models/ReusableWorkflowsSources.ql
+

actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.expected

@@ -1,5 +1,3 @@
-#select
-| .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | Summary |
 edges
 | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | provenance |  |
 | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | provenance |  |
@@ -14,3 +12,5 @@ nodes
 | .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | semmle.label | Run Step: step1 [step-output] |
 | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | semmle.label | inputs.config-path |
 subpaths
+#select
+| .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | Summary |

actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.qlref

@@ -1,2 +1,2 @@
-query: Models/ReusableWorkflowsSummaries.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+Models/ReusableWorkflowsSummaries.ql
+

actions/ql/test/query-tests/Models/action1/action.yml

@@ -1,17 +1,17 @@
 name: 'Hello World'
 description: 'Greet someone'
 inputs:
-  who-to-greet:  # id of input # $ Source[actions/composite-action-sinks] Source[actions/composite-action-summaries]
+  who-to-greet:  # id of input
     description: 'Who to greet'
     required: true
     default: 'World'
 outputs:
   reflected:
     description: "Reflected input"
-    value: ${{ steps.reflector.outputs.reflected }} # $ Alert[actions/composite-action-sources] Alert[actions/composite-action-summaries]
+    value: ${{ steps.reflector.outputs.reflected }}
   tainted:
     description: "Reflected input"
-    value: ${{ steps.source.outputs.tainted}} # $ Alert[actions/composite-action-sources]
+    value: ${{ steps.source.outputs.tainted}}
 
 runs:
   using: "composite"
@@ -29,23 +29,23 @@ runs:
         find: 'foo'
         replace: ''
     - id: sink 
-      run: echo ${{ steps.replace.outputs.value }} # $ Alert[actions/composite-action-sinks]
+      run: echo ${{ steps.replace.outputs.value }}
       shell: bash
     - name: Vulnerable Set Greeting
-      run: echo "Hello ${{ inputs.who-to-greet }}." # $ Alert[actions/composite-action-sinks]
+      run: echo "Hello ${{ inputs.who-to-greet }}."
       shell: bash
     - id: reflector 
       run: echo "reflected=$(echo $INPUT_WHO_TO_GREET)" >> $GITHUB_OUTPUT
       shell: bash
       env:
-        INPUT_WHO_TO_GREET: ${{ inputs.who-to-greet }} # $ Source[actions/composite-action-sources]
+        INPUT_WHO_TO_GREET: ${{ inputs.who-to-greet }}
     - id: changed-files
       uses: tj-actions/changed-files@v40
-    - id: source # $ Source[actions/composite-action-sources]
+    - id: source
       run: echo "tainted=$(echo $TAINTED)" >> $GITHUB_OUTPUT
       shell: bash
       env:
-        TAINTED: ${{ steps.changed-files.outputs.all_changed_files }} # $ Source[actions/composite-action-sources]
+        TAINTED: ${{ steps.changed-files.outputs.all_changed_files }}
 
 
 

actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output1.yml

@@ -6,11 +6,11 @@ jobs:
     steps:
       - id: clob1
         env:
-          BODY: ${{ github.event.comment.body }} # $ Source
+          BODY: ${{ github.event.comment.body }}
         run: |
           # VULNERABLE
           echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT
-          echo "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT # $ Alert
+          echo "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT
       - id: clob2
         run: |
           echo ${{ steps.clob1.outputs.OUTPUT_1 }}
@@ -32,8 +32,8 @@ jobs:
         with:
           run_id: ${{ github.event.workflow_run.id }}
           name: pr_number 
-      - id: clob1 # $ Source
+      - id: clob1
         run: |
           # VULNERABLE
           echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT
-          echo "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT # $ Alert
+          echo "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT

actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output2.yml

@@ -6,18 +6,18 @@ jobs:
     steps:
       - id: clob1
         env:
-          BODY: ${{ github.event.comment.body }} # $ Source
+          BODY: ${{ github.event.comment.body }}
         run: |
           # VULNERABLE
           echo $BODY
-          echo "::set-output name=OUTPUT::SAFE" # $ Alert
+          echo "::set-output name=OUTPUT::SAFE"
       - id: clob2
         env:
-          BODY: ${{ github.event.comment.body }} # $ Source
+          BODY: ${{ github.event.comment.body }}
         run: |
           # VULNERABLE
           echo "::set-output name=OUTPUT::SAFE"
-          echo $BODY # $ Alert
+          echo $BODY
       - id: clob3
         run: |
           echo ${{ steps.clob1.outputs.OUTPUT }}
@@ -38,25 +38,25 @@ jobs:
         with:
           run_id: ${{ github.event.workflow_run.id }}
           name: pr_number 
-      - id: clob1 # $ Source
+      - id: clob1
         run: |
           # VULNERABLE
           PR="$(<pr-number)"
           echo "$PR"
-          echo "::set-output name=OUTPUT::SAFE" # $ Alert
+          echo "::set-output name=OUTPUT::SAFE"
       - id: clob2
         run: |
           # VULNERABLE
           cat pr-number
-          echo "::set-output name=OUTPUT::SAFE" # $ Alert
+          echo "::set-output name=OUTPUT::SAFE"
       - id: clob3
         run: |
           # VULNERABLE
           echo "::set-output name=OUTPUT::SAFE"
-          ls *.txt # $ Alert
+          ls *.txt
       - id: clob4
         run: |
           # VULNERABLE
           CURRENT_VERSION=$(cat gradle.properties | sed -n '/^version=/ { s/^version=//;p }')
           echo "$CURRENT_VERSION"
-          echo "::set-output name=OUTPUT::SAFE" # $ Alert
+          echo "::set-output name=OUTPUT::SAFE"

actions/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.expected

@@ -1,12 +1,3 @@
-#select
-| .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n |
-| .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n |
-| .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n |
-| .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | .github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n |
-| .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n |
-| .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n |
-| .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n |
-| .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n |
 edges
 | .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | provenance | Config |
 | .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | provenance | Config |
@@ -31,3 +22,12 @@ nodes
 | .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | semmle.label | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n |
 | .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | semmle.label | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n |
 subpaths
+#select
+| .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n |
+| .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n |
+| .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n |
+| .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | .github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n |
+| .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n |
+| .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n |
+| .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n |
+| .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n |

actions/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.qlref

@@ -1,2 +1 @@
-query: experimental/Security/CWE-074/OutputClobberingHigh.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+experimental/Security/CWE-074/OutputClobberingHigh.ql

actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning51.yml

@@ -12,9 +12,9 @@ jobs:
     steps:
       - run: |
           gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
-      - name: Unzip # $ Source[actions/envvar-injection/critical]
+      - name: Unzip
         run: |
           unzip artifact_name.zip -d foo
       - name: Env Var Injection
         run: |
-          echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV

actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning52.yml

@@ -12,14 +12,14 @@ jobs:
     steps:
       - run: |
           gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
-      - name: Unzip # $ Source[actions/envvar-injection/critical]
+      - name: Unzip
         run: |
           unzip artifact_name.zip -d foo
       - name: Env Var Injection
         run: |
           echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"
           cat foo >> "$GITHUB_ENV"
-          echo "EOF" >> "${GITHUB_ENV}" # $ Alert[actions/envvar-injection/critical]
+          echo "EOF" >> "${GITHUB_ENV}"
 
 
 

actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning53.yml

@@ -12,7 +12,7 @@ jobs:
     steps:
       - run: |
           gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
-      - name: Unzip # $ Source[actions/envvar-injection/critical]
+      - name: Unzip
         run: |
           unzip artifact_name.zip -d foo
       - run: |
@@ -20,7 +20,7 @@ jobs:
             echo 'JSON_RESPONSE<<EOF'
             cat foo
             echo EOF
-          } >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
+          } >> "$GITHUB_ENV"
 
 
 

actions/ql/test/query-tests/Security/CWE-077/.github/workflows/path1.yml

@@ -10,23 +10,23 @@ jobs:
 
       - run: echo "${{ github.event.pull_request.title }}" >> $GITHUB_PATH
       - env: 
-          PATHINJ: ${{ github.event.pull_request.title }} # $ Source[actions/envpath-injection/critical]
-        run: echo $(echo "$PATHINJ") >> $GITHUB_PATH # $ Alert[actions/envpath-injection/critical]
+          PATHINJ: ${{ github.event.pull_request.title }}
+        run: echo $(echo "$PATHINJ") >> $GITHUB_PATH
       - env: 
-          PATHINJ: ${{ github.event.pull_request.title }} # $ Source[actions/envpath-injection/critical]
-        run: echo $PATHINJ >> $GITHUB_PATH # $ Alert[actions/envpath-injection/critical]
+          PATHINJ: ${{ github.event.pull_request.title }}
+        run: echo $PATHINJ >> $GITHUB_PATH
       - env: 
-          PATHINJ: ${{ github.event.pull_request.title }} # $ Source[actions/envpath-injection/critical]
-        run: echo ${PATHINJ} >> $GITHUB_PATH # $ Alert[actions/envpath-injection/critical]
+          PATHINJ: ${{ github.event.pull_request.title }}
+        run: echo ${PATHINJ} >> $GITHUB_PATH
       - uses: dawidd6/action-download-artifact@v2
         with:
           name: artifact_name
           path: foo
-      - run: echo "$(cat foo/bar)" >> $GITHUB_PATH # $ Alert[actions/envpath-injection/critical] Source[actions/envpath-injection/critical]
+      - run: echo "$(cat foo/bar)" >> $GITHUB_PATH
       - env:
           ACTIONS_ALLOW_UNSECURE_COMMANDS: true
-          PATHINJ: ${{ github.event.pull_request.title }} # $ Source[actions/envpath-injection/critical]
-        run: echo "::add-path::$PATHINJ" # $ Alert[actions/envpath-injection/critical]
+          PATHINJ: ${{ github.event.pull_request.title }}
+        run: echo "::add-path::$PATHINJ"
 
 
 

actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test10.yml

@@ -23,6 +23,6 @@ jobs:
           ref: ${{steps.decide-ref.outputs.ref}}
           path: "foo"
 
-      - name: Read Java Config # $ Source[actions/envvar-injection/critical]
-        run: cat foo/.github/java-config.env >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+      - name: Read Java Config
+        run: cat foo/.github/java-config.env >> $GITHUB_ENV
   

actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml

@@ -18,11 +18,11 @@ jobs:
           run_id: ${{ github.event.workflow_run.id }}
           name: runtime-versions.md
 
-      - name: "Put runtime versions on the environment" # $ Source[actions/envvar-injection/critical]
+      - name: "Put runtime versions on the environment"
         id: runtime_versions
         run: |
           {
             echo 'RUNTIME_VERSIONS<<EOF'
             cat runtime-versions.md
             echo EOF
-          } >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
+          } >> "$GITHUB_ENV"

actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test12.yml

@@ -43,14 +43,14 @@ jobs:
           run_id: ${{ github.event.workflow_run.id }}
           name: runtime-versions.md
 
-      - name: "Put runtime versions on the environment" # $ Source[actions/envvar-injection/critical]
+      - name: "Put runtime versions on the environment"
         id: runtime_versions
         run: |
           {
             echo 'RUNTIME_VERSIONS<<EOF'
             cat runtime-versions.md
             echo EOF
-          } >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
+          } >> "$GITHUB_ENV"
 
       - name: "Download pre-release report"
         uses: dawidd6/action-download-artifact@v2
@@ -58,14 +58,14 @@ jobs:
           run_id: ${{ github.event.workflow_run.id }}
           name: prerelease-report.md
 
-      - name: "Put pre-release report on the environment" # $ Source[actions/envvar-injection/critical]
+      - name: "Put pre-release report on the environment"
         id: prerelease_report
         run: |
           {
             echo 'PRERELEASE_REPORT<<EOF'
             cat prerelease-report.md
             echo EOF
-          } >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
+          } >> "$GITHUB_ENV"
 
       - name: "Comment on PR with Wrangler link"
         uses: marocchino/sticky-pull-request-comment@v2

actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test13.yml

@@ -17,7 +17,7 @@ jobs:
       - name: Get commit message
         run: |
           COMMIT_MESSAGE=$(git log --format=%s)
-          echo "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV
       - name: Get commit message
         run: |
-          echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV

actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test14.yml

@@ -12,7 +12,7 @@ jobs:
           ref: ${{ github.event.pull_request.head.sha }}
       - id: changed-files
         run: |
-          echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
+          echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"
       - run: echo "${{ env.CHANGED-FILES }}"
   test2:
     runs-on: ubuntu-latest
@@ -23,7 +23,7 @@ jobs:
       - id: changed-files
         run: |
           FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)
-          echo "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
+          echo "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"
       - run: echo "${{ env.CHANGED-FILES }}"
 
 

actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test15.yml

@@ -9,7 +9,7 @@ jobs:
     steps:
       - id: title 
         run: |
-          echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
+          echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"
       - run: echo "$TITLE"
   test2:
     runs-on: ubuntu-latest
@@ -17,7 +17,7 @@ jobs:
       - id: title 
         run: |
           PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})
-          echo "BODY=$PR_BODY" >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
+          echo "BODY=$PR_BODY" >> "$GITHUB_ENV"
       - run: echo "$TITLE"
   test3:
     runs-on: ubuntu-latest

actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test16.yml

@@ -12,12 +12,12 @@ jobs:
         with:
           workflow: ${{ github.event.workflow_run.workflow_id }}
           name: pr_metadata
-      - run: | # $ Source[actions/envvar-injection/critical]
-          # VULNERABLE
-          echo "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
       - run: |
           # VULNERABLE
-          echo "PR_NUMBER=$(cat pr_number.txt | tr ',' '\n')" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV
+      - run: |
+          # VULNERABLE
+          echo "PR_NUMBER=$(cat pr_number.txt | tr ',' '\n')" >> $GITHUB_ENV
       - run: |
           # NOT VULNERABLE
           echo "PR_NUMBER=$(cat pr_number.txt | tr '\n' ' ')" >> $GITHUB_ENV

actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml

@@ -38,6 +38,6 @@ jobs:
             });
             var fs = require('fs');
             fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(downloadPr.data));
-      - run: | # $ Source[actions/envvar-injection/critical]
+      - run: |
           unzip pr.zip
-          echo "pr_number=$(cat NR)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "pr_number=$(cat NR)" >> $GITHUB_ENV

actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml

@@ -17,7 +17,7 @@ jobs:
         workflow_conclusion: ''
         name: pr_metadata
         if_no_artifact_found: 'ignore'
-    - run: | # $ Source[actions/envvar-injection/critical]
+    - run: |
          echo "PR_NUMBER=$(cat pr_number.txt | jq -r .)" >> $GITHUB_ENV
          echo "PR_HEAD_REPO=$(cat pr_head_repo.txt | jq -Rr .)" >> $GITHUB_ENV
-         echo "PR_HEAD_REF=$(cat pr_head_ref.txt | jq -Rr .)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+         echo "PR_HEAD_REF=$(cat pr_head_ref.txt | jq -Rr .)" >> $GITHUB_ENV

actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml

@@ -8,43 +8,43 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - env:
-          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
+          TITLE: ${{ github.event.pull_request.title }}
         run: |
-          echo "PR_TITLE=$TITLE" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "PR_TITLE=$TITLE" >> $GITHUB_ENV
       - env:
-          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
+          TITLE: ${{ github.event.pull_request.title }}
         run: |
-          echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV
       - env:
-          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
+          TITLE: ${{ github.event.pull_request.title }}
         run: |
-          echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV
       - env:
-          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
+          TITLE: ${{ github.event.pull_request.title }}
         run: |
           echo "PR_TITLE<<EOF" >> $GITHUB_ENV
           echo "$TITLE" >> $GITHUB_ENV
-          echo "EOF" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "EOF" >> $GITHUB_ENV
       - env:
-          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
+          TITLE: ${{ github.event.pull_request.title }}
         run: |
           echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"
           echo "$TITLE" >> "${GITHUB_ENV}"
-          echo "EOF" >> "${GITHUB_ENV}" # $ Alert[actions/envvar-injection/critical]
+          echo "EOF" >> "${GITHUB_ENV}"
       - env:
-          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
+          TITLE: ${{ github.event.pull_request.title }}
         run: |
           {
             echo 'JSON_RESPONSE<<EOF'
             echo "$TITLE"
             echo EOF
-          } >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
+          } >> "$GITHUB_ENV"
       - env:
-          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
+          TITLE: ${{ github.event.pull_request.title }}
         run: |
           cat <<-EOF >> "$GITHUB_ENV"
           FOO=$TITLE
-          EOF # $ Alert[actions/envvar-injection/critical]
+          EOF
       - env:
           TITLE: ${{ github.event.pull_request.head.ref }}
         run: |
@@ -52,12 +52,12 @@ jobs:
       - run: echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV
         env:
           TARGET_BRANCH: ${{ github.head_ref }}
-      - run: echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+      - run: echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV
         env:
-          TARGET_BRANCH: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
-      - run: echo ISSUE_KEY=$(echo "${TITLE}" | grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          TARGET_BRANCH: ${{ github.event.pull_request.title }}
+      - run: echo ISSUE_KEY=$(echo "${TITLE}" | grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV
         env:
-          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
+          TITLE: ${{ github.event.pull_request.title }}
       - env:
           TITLE: |-
             ${{ github.event.pull_request.title }}

actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test5.yml

@@ -27,10 +27,10 @@ jobs:
             });
             let fs = require('fs');
             fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/oc-code-coverage.zip`, Buffer.from(download.data));
-      - name: 'Unzip code coverage' # $ Source[actions/envvar-injection/critical]
+      - name: 'Unzip code coverage'
         run: unzip oc-code-coverage.zip -d coverage
       - name: set env vars 
         run: | 
           echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV
           echo "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV
-          echo "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV

actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test6.yml

@@ -8,20 +8,20 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - env:
-          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
+          TITLE: ${{ github.event.pull_request.title }}
         run: |
           FOO=${TITLE##*/}
-          echo PR_TITLE=${FOO} >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo PR_TITLE=${FOO} >> $GITHUB_ENV
       - env:
-          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
+          TITLE: ${{ github.event.pull_request.title }}
         run: |
           FOO=$TITLE+
-          echo PR_TITLE=$FOO >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo PR_TITLE=$FOO >> $GITHUB_ENV
       - env:
-          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
+          TITLE: ${{ github.event.pull_request.title }}
         run: |
           venv="$(echo $TITLE)')"
-          echo "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV
 
 
 

actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test7.yml

@@ -13,7 +13,7 @@ jobs:
             run_id: ${{github.event.workflow_run.id}}
             name: artifact
 
-      - name: Load .env file # $ Source[actions/envvar-injection/critical]
+      - name: Load .env file
         uses: aarcangeli/load-dotenv@v1.0.0
         with:
           path: 'backend/new'
@@ -21,5 +21,5 @@ jobs:
             .env
             .env.test
           quiet: false
-          if-file-not-found: error # $ Alert[actions/envvar-injection/critical]
+          if-file-not-found: error
 

actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml

@@ -27,13 +27,13 @@ jobs:
           run_id: ${{ github.event.workflow_run.id }}
           path: ./artifacts
 
-      - name: assignment # $ Source[actions/envvar-injection/critical]
+      - name: assignment
         run: |
           foo=$(cat ./artifacts/parent-artifacts/event.txt)
-          echo "foo=$foo" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "foo=$foo" >> $GITHUB_ENV
       - name: direct 1 
         run: |
-          echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV
       - name: direct 2
         run: |
-          echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV

actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test9.yml

@@ -24,7 +24,7 @@ jobs:
           name: event_file
           path: artifacts/event_file
 
-      - name: Try to read PR number # $ Source[actions/envvar-injection/critical]
+      - name: Try to read PR number
         id: set-ref
         run: |
           pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)
@@ -38,4 +38,4 @@ jobs:
           fi
 
           echo "pr_num=$pr_num" >> $GITHUB_ENV
-          echo "ref=$ref" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "ref=$ref" >> $GITHUB_ENV

actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected

@@ -1,9 +1,3 @@
-#select
-| .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
 edges
 | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance | Config |
 | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance | Config |
@@ -22,3 +16,9 @@ nodes
 | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
 | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | semmle.label | echo "::add-path::$PATHINJ" |
 subpaths
+#select
+| .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |

actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.qlref

@@ -1,2 +1 @@
-query: Security/CWE-077/EnvPathInjectionCritical.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+Security/CWE-077/EnvPathInjectionCritical.ql

actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected

@@ -1,4 +1,3 @@
-#select
 edges
 | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance | Config |
 | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance | Config |
@@ -17,3 +16,4 @@ nodes
 | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
 | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | semmle.label | echo "::add-path::$PATHINJ" |
 subpaths
+#select

actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.qlref

@@ -1,2 +1 @@
-query: Security/CWE-077/EnvPathInjectionMedium.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+Security/CWE-077/EnvPathInjectionMedium.ql

actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected

@@ -1,40 +1,3 @@
-#select
-| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  cat foo\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  cat foo\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  cat foo\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'JSON_RESPONSE<<EOF'\n  cat foo\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:3:3:3:14 | workflow_run | workflow_run |
-| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:3:3:3:14 | workflow_run | workflow_run |
-| .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test4.yml:36:14:41:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE"\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE"\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:36:14:41:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE"\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE"\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:3:3:3:14 | workflow_run | workflow_run |
-| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test7.yml:16:9:24:35 | Uses Step | .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Uses Step | .github/workflows/test7.yml:4:5:4:16 | workflow_run | workflow_run |
-| .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test11.yml:23:14:28:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test11.yml:23:14:28:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test11.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/test12.yml:48:14:53:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:48:14:53:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target |
-| .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target |
-| .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run |
 edges
 | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | Config |
 | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config |
@@ -129,3 +92,40 @@ nodes
 | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n |
 | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n |
 subpaths
+#select
+| .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  cat foo\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  cat foo\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  cat foo\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'JSON_RESPONSE<<EOF'\n  cat foo\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:3:3:3:14 | workflow_run | workflow_run |
+| .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:3:3:3:14 | workflow_run | workflow_run |
+| .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test4.yml:36:14:41:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE"\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE"\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:36:14:41:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE"\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE"\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:3:3:3:14 | workflow_run | workflow_run |
+| .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test7.yml:16:9:24:35 | Uses Step | .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Uses Step | .github/workflows/test7.yml:4:5:4:16 | workflow_run | workflow_run |
+| .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test11.yml:23:14:28:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test11.yml:23:14:28:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test11.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/test12.yml:48:14:53:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:48:14:53:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target |
+| .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target |
+| .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run |

actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.qlref

@@ -1,2 +1 @@
-query: Security/CWE-077/EnvVarInjectionCritical.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+Security/CWE-077/EnvVarInjectionCritical.ql

actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected

@@ -1,4 +1,3 @@
-#select
 edges
 | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | Config |
 | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config |
@@ -93,3 +92,4 @@ nodes
 | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n |
 | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n |
 subpaths
+#select

actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.qlref

@@ -1,2 +1 @@
-query: Security/CWE-077/EnvVarInjectionMedium.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+Security/CWE-077/EnvVarInjectionMedium.ql

actions/ql/test/query-tests/Security/CWE-078/.github/workflows/comment_issue.yml

@@ -6,4 +6,4 @@ jobs:
     steps:
       - uses: ruby/setup-ruby@v2
         with:
-          ruby-version: ${{ github.event.comment.body }} # $ Alert[actions/command-injection/critical]
+          ruby-version: ${{ github.event.comment.body }}

actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected

@@ -1,6 +1,6 @@
-#select
-| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential command injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment |
 edges
 nodes
 | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body |
 subpaths
+#select
+| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential command injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment |

actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.qlref

@@ -1,2 +1 @@
-query: experimental/Security/CWE-078/CommandInjectionCritical.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+experimental/Security/CWE-078/CommandInjectionCritical.ql

actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected

@@ -1,5 +1,5 @@
-#select
 edges
 nodes
 | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body |
 subpaths
+#select

actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.qlref

@@ -1,2 +1 @@
-query: experimental/Security/CWE-078/CommandInjectionMedium.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+experimental/Security/CWE-078/CommandInjectionMedium.ql

actions/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml

@@ -7,7 +7,7 @@ jobs:
   test1:
     runs-on: ubuntu-latest
     env:
-      TITLE: ${{github.event.pull_request.title}} # $ Source[actions/argument-injection/critical]
+      TITLE: ${{github.event.pull_request.title}}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -18,50 +18,50 @@ jobs:
           echo "s/FOO/$TITLE/g"
       - run: |
           # VULNERABLE
-          sed "s/FOO/$TITLE/g" # $ Alert[actions/argument-injection/critical]
+          sed "s/FOO/$TITLE/g"
       - run: |
           # VULNERABLE
-          echo "foo" | sed "s/FOO/$TITLE/g" > bar # $ Alert[actions/argument-injection/critical]
+          echo "foo" | sed "s/FOO/$TITLE/g" > bar
       - run: |
           # VULNERABLE
-          echo $(echo "foo" | sed "s/FOO/$TITLE/g" > bar) # $ Alert[actions/argument-injection/critical]
+          echo $(echo "foo" | sed "s/FOO/$TITLE/g" > bar)
       - run: |
           # VULNERABLE
-          awk "BEGIN {$TITLE}" # $ Alert[actions/argument-injection/critical]
+          awk "BEGIN {$TITLE}"
       - run: |
           # VULNERABLE
-          sed -i "s/git_branch = .*/git_branch = \"$GITHUB_HEAD_REF\"/" config.json # $ Alert[actions/argument-injection/critical]
+          sed -i "s/git_branch = .*/git_branch = \"$GITHUB_HEAD_REF\"/" config.json
       - run: |
           # VULNERABLE
-          sed -i "s|git_branch = .*|git_branch = \"$GITHUB_HEAD_REF\"|" config.json # $ Alert[actions/argument-injection/critical]
+          sed -i "s|git_branch = .*|git_branch = \"$GITHUB_HEAD_REF\"|" config.json
       - run: |
           # VULNERABLE
           sed -e 's#<branch_to_sync>#${TITLE}#' \
               -e 's#<sot_repo>#${{ env.sot_repo }}#' \
               -e 's#<destination_repo>#TITLE#' \
-              .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky # $ Alert[actions/argument-injection/critical]
+              .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky
       - run: |
           # VULNERABLE
           sed -e 's#<branch_to_sync>#TITLE#' \
               -e 's#<sot_repo>#${{ env.sot_repo }}#' \
               -e 's#<destination_repo>#${TITLE}#' \
-              .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky # $ Alert[actions/argument-injection/critical]
+              .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky
       - run: |
           # VULNERABLE
           BODY=$(git log --format=%s)
-          sed "s/FOO/$BODY/g" > /tmp/foo # $ Alert[actions/argument-injection/critical]
+          sed "s/FOO/$BODY/g" > /tmp/foo
       - run: |
           # VULNERABLE
           BODY=$(git diff --name-only HEAD)
-          sed "s/FOO/$BODY/g" > /tmp/foo # $ Alert[actions/argument-injection/critical]
+          sed "s/FOO/$BODY/g" > /tmp/foo
       - run: |
           # VULNERABLE
           BODY=$(git diff --name-only HEAD )
-          sed "s/FOO/$BODY/g" > /tmp/foo # $ Alert[actions/argument-injection/critical]
+          sed "s/FOO/$BODY/g" > /tmp/foo
       - run: |
           # VULNERABLE
           BODY=$(git diff --name-only HEAD^ | xargs)
-          sed "s/FOO/$BODY/g" > /tmp/foo # $ Alert[actions/argument-injection/critical]
+          sed "s/FOO/$BODY/g" > /tmp/foo
       - run: |
           # NOT VULNERABLE
           echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT

actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected

@@ -1,16 +1,3 @@
-#select
-| .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | awk | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#TITLE#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#TITLE#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#TITLE#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#${TITLE}#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#${TITLE}#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#${TITLE}#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 edges
 | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | provenance | Config |
 | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | provenance | Config |
@@ -33,3 +20,16 @@ nodes
 | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n |
 | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n |
 subpaths
+#select
+| .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | awk | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#TITLE#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#TITLE#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#TITLE#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#${TITLE}#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#${TITLE}#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#${TITLE}#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |

actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.qlref

@@ -1,2 +1 @@
-query: experimental/Security/CWE-088/ArgumentInjectionCritical.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+experimental/Security/CWE-088/ArgumentInjectionCritical.ql

actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected

@@ -1,4 +1,3 @@
-#select
 edges
 | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | provenance | Config |
 | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | provenance | Config |
@@ -21,3 +20,4 @@ nodes
 | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n |
 | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n |
 subpaths
+#select

actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.qlref

@@ -1,2 +1 @@
-query: experimental/Security/CWE-088/ArgumentInjectionMedium.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+experimental/Security/CWE-088/ArgumentInjectionMedium.ql

actions/ql/test/query-tests/Security/CWE-094/.github/actions/action1/action.yml

@@ -4,4 +4,4 @@ runs:
   using: 'composite'
   steps:
     - shell: bash
-      run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/critical]
+      run: echo '${{ github.event.pull_request.body }}'

actions/ql/test/query-tests/Security/CWE-094/.github/actions/action3/action.yml

@@ -6,4 +6,4 @@ runs:
     - shell: bash
       env:
         FOO: ${{ secrets.FOO}}
-      run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/medium]
+      run: echo '${{ github.event.pull_request.body }}'

actions/ql/test/query-tests/Security/CWE-094/.github/actions/action4/action.yml

@@ -4,4 +4,4 @@ runs:
   using: 'composite'
   steps:
     - shell: bash
-      run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/medium]
+      run: echo '${{ github.event.pull_request.body }}'

actions/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml

@@ -16,7 +16,7 @@ runs:
   using: 'composite'
   steps:
     - shell: bash
-      run: echo '${{ github.event.issue.body }}' # $ Alert[actions/code-injection/critical]
+      run: echo '${{ github.event.issue.body }}'
     - name: Step
       id: step 
       env:
@@ -25,10 +25,10 @@ runs:
       run: echo "result=$(echo $FOO)" >> $GITHUB_OUTPUT
     - id: step2
       env:
-        FOO2: ${{ github.event.issue.body }} # $ Source[actions/code-injection/critical]
+        FOO2: ${{ github.event.issue.body }}
       shell: bash
       run: echo "result2=$(echo $FOO2)" >> $GITHUB_OUTPUT
     - name: Sink
       id: sink
       shell: bash
-      run: echo "${{ inputs.taint }}" # $ Alert[actions/code-injection/critical]
+      run: echo "${{ inputs.taint }}"

actions/ql/test/query-tests/Security/CWE-094/.github/actions/action6/action.yml

@@ -213,7 +213,7 @@ runs:
       run: |
         git config --global user.name "${{ inputs.github_username }}"
         git config --global user.email "${{ inputs.github_email }}"
-        git pull origin ${{ github.head_ref || github.ref }} # $ Alert[actions/code-injection/critical]
+        git pull origin ${{ github.head_ref || github.ref }}
         git add .
         git reset HEAD -- .github/workflows/  # workflow changes are not permitted with default token
         if ! git diff --staged --quiet; then

actions/ql/test/query-tests/Security/CWE-094/.github/actions/action7/action.yml

@@ -74,7 +74,7 @@ runs:
       #   pip install -q git+https://github.com/ultralytics/actions@main codespell tomli
       run: |
         packages="ultralytics-actions"
-        if [ "${{ inputs.spelling }}" = "true" ]; then # $ Alert[actions/code-injection/medium]
+        if [ "${{ inputs.spelling }}" = "true" ]; then
           packages="$packages codespell tomli"
         fi
 
@@ -211,10 +211,10 @@ runs:
     - name: Commit and Push Changes
       if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && github.event.action != 'closed'
       run: |
-        git config --global user.name "${{ inputs.github_username }}" # $ Alert[actions/code-injection/medium]
-        git config --global user.email "${{ inputs.github_email }}" # $ Alert[actions/code-injection/medium]
+        git config --global user.name "${{ inputs.github_username }}"
+        git config --global user.email "${{ inputs.github_email }}"
         # this action is not called in the test
-        git pull origin ${{ github.head_ref || github.ref }} # $ Alert[actions/code-injection/medium]
+        git pull origin ${{ github.head_ref || github.ref }}
         git add .
         git reset HEAD -- .github/workflows/  # workflow changes are not permitted with default token
         if ! git diff --staged --quiet; then

actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml

@@ -19,7 +19,7 @@ runs:
   using: composite
   steps:
     - shell: bash
-      run: echo "${{ inputs.title }}" # $ Alert[actions/code-injection/critical]
+      run: echo "${{ inputs.title }}"
     - uses: frabert/replace-string-action@v2.5
       id: out 
       with:

actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/ultralytics/actions/action.yaml

@@ -93,7 +93,7 @@ runs:
       shell: bash
     - shell: bash
       run: |
-        echo "${{ inputs.body }}" # $ Alert[actions/code-injection/critical]
+        echo "${{ inputs.body }}"
 
     # Checkout Repository ----------------------------------------------------------------------------------------------
     - name: Checkout Repository
@@ -220,7 +220,7 @@ runs:
       run: |
         git config --global user.name "${{ inputs.github_username }}"
         git config --global user.email "${{ inputs.github_email }}"
-        git pull origin ${{ github.head_ref || github.ref }} # $ Alert[actions/code-injection/critical]
+        git pull origin ${{ github.head_ref || github.ref }}
         git add .
         git reset HEAD -- .github/workflows/  # workflow changes are not permitted with default token
         if ! git diff --staged --quiet; then

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/argus_case_study.yml

@@ -14,7 +14,7 @@ jobs:
       - uses: actions/checkout@v2
       - name: Remove conflicting chars
         env:
-          ISSUE_TITLE: ${{github.event.issue.title}} # $ Source[actions/code-injection/critical]
+          ISSUE_TITLE: ${{github.event.issue.title}}
         uses: frabert/replace-string-action@1.2
         id: remove_quotations
         with:
@@ -24,6 +24,6 @@ jobs:
       - name: Check info
         id: check-info
         run: |
-          echo "foo $(pwsh bar ${{steps.remove_quotations.outputs.replaced}}) " >> $GITHUB_ENV # $ Alert[actions/code-injection/critical]
+          echo "foo $(pwsh bar ${{steps.remove_quotations.outputs.replaced}}) " >> $GITHUB_ENV
 
 

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml

@@ -17,12 +17,12 @@ jobs:
           workflow: ${{ github.event.workflow_run.workflow_id }}
           name: pr
 
-      - name: save PR id # $ Source[actions/code-injection/critical]
+      - name: save PR id
         id: pr
         run: echo "::set-output name=id::$(<pr-id.txt)"
 
       - name: upload surge service
         id: deploy
         run: |
-          export DEPLOY_DOMAIN=https://ant-design-pro-preview-pr-${{ steps.pr.outputs.id }}.surge.sh # $ Alert[actions/code-injection/critical]
+          export DEPLOY_DOMAIN=https://ant-design-pro-preview-pr-${{ steps.pr.outputs.id }}.surge.sh
           npx surge --project ./ --domain $DEPLOY_DOMAIN --token ${{ secrets.SURGE_TOKEN }}

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning2.yml

@@ -16,8 +16,8 @@ jobs:
         with:
           name: README
 
-      - name: upload surge service # $ Source[actions/code-injection/critical]
+      - name: upload surge service
         id: deploy
         run: |
-          echo ${{ steps.pr.outputs.id }} # $ Alert[actions/code-injection/critical]
+          echo ${{ steps.pr.outputs.id }}
 

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning3.yml

@@ -38,7 +38,7 @@ jobs:
             });
             var fs = require('fs');
             fs.writeFileSync('${{github.workspace}}/input.zip', Buffer.from(download.data));
-      - name: Set needed env vars in outputs # $ Source[actions/code-injection/critical]
+      - name: Set needed env vars in outputs
         id: prepare
         run: |
           unzip input.zip
@@ -50,4 +50,4 @@ jobs:
           echo "PR: ${tmp}"
           echo "pr=${tmp}" >> $GITHUB_OUTPUT
 
-      - run: echo ${{ steps.prepare.outputs.pr }} # $ Alert[actions/code-injection/critical]
+      - run: echo ${{ steps.prepare.outputs.pr }}

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning4.yml

@@ -14,9 +14,9 @@ jobs:
             name: artifact
 
       # Save PR id to output
-      - name: Save artifact data # $ Source[actions/code-injection/critical]
+      - name: Save artifact data
         id: artifact
         run: echo "::set-output name=id::$(<artifact.txt)"
 
       - name: Use artifact
-        run: echo ${{ steps.artifact.outputs.id }}  # $ Alert[actions/code-injection/critical]
+        run: echo ${{ steps.artifact.outputs.id }} 

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning5.yml

@@ -13,11 +13,11 @@ jobs:
             name: artifact
 
       # Save PR id to output
-      - name: Save artifact data # $ Source[actions/code-injection/critical]
+      - name: Save artifact data
         id: artifact
         uses: juliangruber/read-file-action@v1
         with:
           path: ./artifact.txt
       - name: Use artifact
-        run: echo ${{ steps.artifact.outputs.content }}  # $ Alert[actions/code-injection/critical]
+        run: echo ${{ steps.artifact.outputs.content }} 
 

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning6.yml

@@ -12,13 +12,13 @@ jobs:
             run_id: ${{github.event.workflow_run.id}}
             name: artifact
 
-      - id: artifact # $ Source[actions/code-injection/critical]
+      - id: artifact
         run: |
           echo "::set-output name=pr_number::$(<artifact.txt)"
           mkdir firebase-android
           unzip firebase-android.zip -d firebase-android
       - name: Use artifact
-        run: echo ${{ steps.artifact.outputs.pr_number }}  # $ Alert[actions/code-injection/critical]
+        run: echo ${{ steps.artifact.outputs.pr_number }} 
 
       - id: artifact2
         run: |
@@ -26,5 +26,5 @@ jobs:
           mkdir firebase-android
           unzip firebase-android.zip -d firebase-android
       - name: Use artifact
-        run: echo ${{ steps.artifact2.outputs.pr_number }}  # $ Alert[actions/code-injection/critical]
+        run: echo ${{ steps.artifact2.outputs.pr_number }} 
 

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning7.yml

@@ -12,7 +12,7 @@ jobs:
             run_id: ${{github.event.workflow_run.id}}
             name: artifact
 
-      - id: artifact # $ Source[actions/code-injection/critical]
+      - id: artifact
         run: |
           set -eou pipefail
           pr_number=$(cat -e artifact.txt)
@@ -27,5 +27,5 @@ jobs:
           mkdir firebase-android
           unzip firebase-android.zip -d firebase-android
       - name: Use artifact
-        run: echo ${{ steps.artifact.outputs.pr_number }}  # $ Alert[actions/code-injection/critical]
+        run: echo ${{ steps.artifact.outputs.pr_number }} 
 

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning8.yml

@@ -14,9 +14,9 @@ jobs:
             name: artifact
 
       # Save PR id to output
-      - name: Save artifact data # $ Source[actions/code-injection/critical]
+      - name: Save artifact data
         id: artifact
         run: echo "::set-output name=id::$(<artifact.txt)"
 
       - name: Use artifact
-        run: echo ${{ steps.artifact.outputs.id }}  # $ Alert[actions/code-injection/critical]
+        run: echo ${{ steps.artifact.outputs.id }} 

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/changed-files.yml

@@ -15,9 +15,9 @@ jobs:
       - name: Get changed files 1
         id: changed-files1
         uses: tj-actions/changed-files@v40
-      - name: List all changed files 1 # $ Source[actions/code-injection/medium]
+      - name: List all changed files 1
         run: |
-          for file in ${{ steps.changed-files1.outputs.all_changed_files }}; do # $ Alert[actions/code-injection/medium]
+          for file in ${{ steps.changed-files1.outputs.all_changed_files }}; do
             echo "$file was changed"
           done
 
@@ -35,9 +35,9 @@ jobs:
         uses: tj-actions/changed-files@v41
         with:
           safe_output: false
-      - name: List all changed files 3 # $ Source[actions/code-injection/medium]
+      - name: List all changed files 3
         run: |
-          for file in ${{ steps.changed-files3.outputs.all_changed_files }}; do # $ Alert[actions/code-injection/medium]
+          for file in ${{ steps.changed-files3.outputs.all_changed_files }}; do
             echo "$file was changed"
           done
 
@@ -53,8 +53,8 @@ jobs:
       - name: Get changed files 5
         id: changed-files5
         uses: tj-actions/changed-files@95690f9ece77c1740f4a55b7f1de9023ed6b1f87 # v39.2.3
-      - name: List all changed files 5 # $ Source[actions/code-injection/medium]
+      - name: List all changed files 5
         run: |
-          for file in ${{ steps.changed-files5.outputs.all_changed_files }}; do # $ Alert[actions/code-injection/medium]
+          for file in ${{ steps.changed-files5.outputs.all_changed_files }}; do
             echo "$file was changed"
           done

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue.yml

@@ -6,25 +6,25 @@ jobs:
     steps:
     - run: |
         Foo
-        echo '${{ github.event.comment.body }}' # $ Alert[actions/code-injection/critical]
+        echo '${{ github.event.comment.body }}'
         Bar
 
   echo-chamber2:
     runs-on: ubuntu-latest
     steps:
-    - run: echo '${{ github.event.comment.body }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.issue.body }}' # $ Alert[actions/code-injection/critical]
-    - run: echo '${{ github.event.issue.title }}' # $ Alert[actions/code-injection/critical]
+    - run: echo '${{ github.event.comment.body }}'
+    - run: echo '${{ github.event.issue.body }}'
+    - run: echo '${{ github.event.issue.title }}'
 
   echo-chamber3:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/github-script@v3
       with:
-        script: console.log('${{ github.event.comment.body }}') # $ Alert[actions/code-injection/critical]
+        script: console.log('${{ github.event.comment.body }}')
     - uses: actions/github-script@v3
       with:
-        script: console.log('${{ github.event.issue.body }}') # $ Alert[actions/code-injection/critical]
+        script: console.log('${{ github.event.issue.body }}')
     - uses: actions/github-script@v3
       with:
-        script: console.log('${{ github.event.issue.title }}') # $ Alert[actions/code-injection/critical]
+        script: console.log('${{ github.event.issue.title }}')

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue_newline.yml

@@ -7,6 +7,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - run: |
-          LINE 1 echo '${{ github.event.comment.body }}' # $ Alert[actions/code-injection/critical]
-          LINE 2 echo '${{github.event.issue.body}}' # $ Alert[actions/code-injection/critical]
-          LINE 3 echo '${{ github.event.comment.body }}' # $ Alert[actions/code-injection/critical]
+          LINE 1 echo '${{ github.event.comment.body }}'
+          LINE 2 echo '${{github.event.issue.body}}'
+          LINE 3 echo '${{ github.event.comment.body }}'

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-3.yml

@@ -9,7 +9,7 @@ jobs:
       - uses: .github/actions/action5
         id: foo
         with:
-          taint: ${{ github.event.comment.body }} # $ Source[actions/code-injection/critical]
-      - run: echo "${{ steps.foo.outputs.result }}" # $ Alert[actions/code-injection/critical]
-      - run: echo "${{ steps.foo.outputs.result2 }}" # $ Alert[actions/code-injection/critical]
+          taint: ${{ github.event.comment.body }}
+      - run: echo "${{ steps.foo.outputs.result }}"
+      - run: echo "${{ steps.foo.outputs.result2 }}"
 

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-4.yml

@@ -11,8 +11,8 @@ jobs:
         id: clone
         uses: TestOrg/TestRepo/.github/actions/clone-repo@main
         with:
-          title: ${{ github.event.pull_request.title }} # $ Source[actions/code-injection/critical]
+          title: ${{ github.event.pull_request.title }}
           forked-pr: true
           fetch-depth: 2
-      - run: echo "${{ steps.clone.outputs.result }}" # $ Alert[actions/code-injection/critical]
+      - run: echo "${{ steps.clone.outputs.result }}"