Python: simplify TBlockStmt char pred via exclusion list

Replace the 14-disjunct allow-list with a 2-conjunct exclusion list. Of the 17 Py::StmtList getters in AstGenerated.qll, only Try.getHandlers() and MatchStmt.getCases() should not be wrapped as BlockStmts (they are iterated individually by the shared library's Try/Switch logic via getCatch(int) and getCase(int)). All other StmtLists are imperative block bodies. No behaviour change: all 24 NewCfg evaluation-order tests pass; all 11 shared-CFG consistency queries report 0 violations on CPython. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Python: introduce TStmt union via newtype-branch alias
2026-06-10 23:41:09 +02:00 · 2026-05-07 17:13:50 +00:00 · 2026-05-07 17:08:10 +00:00 · 2026-05-07 16:58:43 +00:00 · 2026-05-07 14:14:16 +00:00 · 2026-05-07 12:54:02 +00:00
3222 changed files with 27101 additions and 102318 deletions
--- a/.github/workflows/go-version-update.yml
+++ b/.github/workflows/go-version-update.yml
@@ -1,208 +0,0 @@
 name: Update Go version
 on:
  workflow_dispatch:
  schedule:
    - cron: "0 3 * * 1"  # Run weekly on Mondays at 3 AM UTC (1 = Monday)
 permissions:
  contents: write
  pull-requests: write
 jobs:
  update-go-version:
    name: Check and update Go version
    if: github.repository == 'github/codeql'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v5
        with:
          fetch-depth: 0
      - name: Set up Git
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
      - name: Fetch latest Go version
        id: fetch-version
        run: |
          LATEST_GO_VERSION=$(curl -s https://go.dev/dl/?mode=json | jq -r '.[0].version')
          if [ -z "$LATEST_GO_VERSION" ] || [ "$LATEST_GO_VERSION" = "null" ]; then
            echo "Error: Failed to fetch latest Go version from go.dev"
            exit 1
          fi
          echo "Latest Go version from go.dev: $LATEST_GO_VERSION"
          echo "version=$LATEST_GO_VERSION" >> $GITHUB_OUTPUT
          # Extract version numbers (e.g., go1.26.0 -> 1.26.0)
          LATEST_VERSION_NUM=$(echo $LATEST_GO_VERSION | sed 's/^go//')
          echo "version_num=$LATEST_VERSION_NUM" >> $GITHUB_OUTPUT
          # Extract major.minor version (e.g., 1.26.0 -> 1.26)
          LATEST_MAJOR_MINOR=$(echo $LATEST_VERSION_NUM | sed -E 's/^([0-9]+\.[0-9]+).*/\1/')
          echo "major_minor=$LATEST_MAJOR_MINOR" >> $GITHUB_OUTPUT
      - name: Check current Go version
        id: current-version
        run: |
          CURRENT_VERSION=$(sed -n 's/.*go_sdk\.download(version = \"\([^\"]*\)\".*/\1/p' MODULE.bazel)
          if [ -z "$CURRENT_VERSION" ]; then
            echo "Error: Could not extract Go version from MODULE.bazel"
            exit 1
          fi
          echo "Current Go version in MODULE.bazel: $CURRENT_VERSION"
          echo "version=$CURRENT_VERSION" >> $GITHUB_OUTPUT
          # Extract major.minor version
          CURRENT_MAJOR_MINOR=$(echo $CURRENT_VERSION | sed -E 's/^([0-9]+\.[0-9]+).*/\1/')
          echo "major_minor=$CURRENT_MAJOR_MINOR" >> $GITHUB_OUTPUT
      - name: Compare versions
        id: compare
        run: |
          LATEST="${{ steps.fetch-version.outputs.version_num }}"
          CURRENT="${{ steps.current-version.outputs.version }}"
          echo "Latest: $LATEST"
          echo "Current: $CURRENT"
          if [ "$LATEST" = "$CURRENT" ]; then
            echo "Go version is up to date"
            echo "needs_update=false" >> $GITHUB_OUTPUT
          else
            echo "Go version needs update from $CURRENT to $LATEST"
            echo "needs_update=true" >> $GITHUB_OUTPUT
          fi
      - name: Update Go version in files
        if: steps.compare.outputs.needs_update == 'true'
        run: |
          LATEST_VERSION_NUM="${{ steps.fetch-version.outputs.version_num }}"
          LATEST_MAJOR_MINOR="${{ steps.fetch-version.outputs.major_minor }}"
          CURRENT_VERSION="${{ steps.current-version.outputs.version }}"
          CURRENT_MAJOR_MINOR="${{ steps.current-version.outputs.major_minor }}"
          echo "Updating from $CURRENT_VERSION to $LATEST_VERSION_NUM"
          # Escape dots in current version strings for use in sed patterns
          CURRENT_VERSION_ESCAPED=$(echo "$CURRENT_VERSION" | sed 's/\./\\./g')
          CURRENT_MAJOR_MINOR_ESCAPED=$(echo "$CURRENT_MAJOR_MINOR" | sed 's/\./\\./g')
          # Update MODULE.bazel
          sed -i "s/go_sdk\.download(version = \"$CURRENT_VERSION_ESCAPED\")/go_sdk.download(version = \"$LATEST_VERSION_NUM\")/" MODULE.bazel
          if ! grep -q "go_sdk.download(version = \"$LATEST_VERSION_NUM\")" MODULE.bazel; then
            echo "Error: Failed to update MODULE.bazel"
            exit 1
          fi
          # Update go/extractor/go.mod
          if ! sed -i "s/^go $CURRENT_MAJOR_MINOR_ESCAPED\$/go $LATEST_MAJOR_MINOR/" go/extractor/go.mod; then
            echo "Warning: Failed to update go directive in go.mod"
          fi
          if ! sed -i "s/^toolchain go$CURRENT_VERSION_ESCAPED\$/toolchain go$LATEST_VERSION_NUM/" go/extractor/go.mod; then
            echo "Warning: Failed to update toolchain in go.mod"
          fi
          # Update go/extractor/autobuilder/build-environment.go
          if ! sed -i "s/var maxGoVersion = util\.NewSemVer(\"$CURRENT_MAJOR_MINOR_ESCAPED\")/var maxGoVersion = util.NewSemVer(\"$LATEST_MAJOR_MINOR\")/" go/extractor/autobuilder/build-environment.go; then
            echo "Warning: Failed to update build-environment.go"
          fi
          # Update go/actions/test/action.yml
          if ! sed -i "s/default: \"~$CURRENT_VERSION_ESCAPED\"/default: \"~$LATEST_VERSION_NUM\"/" go/actions/test/action.yml; then
            echo "Warning: Failed to update action.yml"
          fi
          # Show what changed
          git diff
      - name: Check for changes
        id: check-changes
        if: steps.compare.outputs.needs_update == 'true'
        run: |
          if git diff --quiet; then
            echo "No changes detected"
            echo "has_changes=false" >> $GITHUB_OUTPUT
          else
            echo "Changes detected"
            echo "has_changes=true" >> $GITHUB_OUTPUT
          fi
      - name: Check for existing PR
        if: steps.check-changes.outputs.has_changes == 'true'
        id: check-pr
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          BRANCH_NAME="workflow/go-version-update"
          PR_NUMBER=$(gh pr list --head "$BRANCH_NAME" --state open --json number --jq '.[0].number')
          if [ -n "$PR_NUMBER" ]; then
            echo "Existing PR found: #$PR_NUMBER"
            echo "pr_exists=true" >> $GITHUB_OUTPUT
            echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT
          else
            echo "No existing PR found"
            echo "pr_exists=false" >> $GITHUB_OUTPUT
          fi
      - name: Commit and push changes
        if: steps.check-changes.outputs.has_changes == 'true'
        run: |
          BRANCH_NAME="workflow/go-version-update"
          LATEST_VERSION_NUM="${{ steps.fetch-version.outputs.version_num }}"
          LATEST_MAJOR_MINOR="${{ steps.fetch-version.outputs.major_minor }}"
          # Create or switch to branch
          git checkout -B "$BRANCH_NAME"
          # Stage and commit changes
          git add MODULE.bazel go/extractor/go.mod go/extractor/autobuilder/build-environment.go go/actions/test/action.yml
          git commit -m "Go: Update to $LATEST_VERSION_NUM"
          # Push changes
          git push --force-with-lease origin "$BRANCH_NAME"
      - name: Create or update PR
        if: steps.check-changes.outputs.has_changes == 'true'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          BRANCH_NAME="workflow/go-version-update"
          LATEST_VERSION_NUM="${{ steps.fetch-version.outputs.version_num }}"
          CURRENT_VERSION="${{ steps.current-version.outputs.version }}"
          PR_TITLE="Go: Update to $LATEST_VERSION_NUM"
          PR_BODY=$(cat <<EOF
          This PR updates Go from $CURRENT_VERSION to $LATEST_VERSION_NUM.
          Updated files:
          - \`MODULE.bazel\` - go_sdk.download version
          - \`go/extractor/go.mod\` - go directive and toolchain
          - \`go/extractor/autobuilder/build-environment.go\` - maxGoVersion (only if MAJOR.MINOR changes)
          - \`go/actions/test/action.yml\` - default go-test-version
          This PR was automatically created by the [Go version update workflow](https://github.com/${{ github.repository }}/blob/main/.github/workflows/go-version-update.yml).
          EOF
          )
          if [ "${{ steps.check-pr.outputs.pr_exists }}" = "true" ]; then
            echo "Updating existing PR #${{ steps.check-pr.outputs.pr_number }}"
            gh pr edit "${{ steps.check-pr.outputs.pr_number }}" --title "$PR_TITLE" --body "$PR_BODY"
          else
            echo "Creating new PR"
            gh pr create \
              --title "$PR_TITLE" \
              --body "$PR_BODY" \
              --base main \
              --head "$BRANCH_NAME" \
              --label "Go"
          fi
--- a/.github/workflows/mad_modelDiff.yml
+++ b/.github/workflows/mad_modelDiff.yml
@@ -70,7 +70,7 @@ jobs:
            SHORTNAME=`basename $DATABASE`
            python misc/scripts/models-as-data/generate_mad.py --language java --with-summaries --with-sinks $DATABASE $SHORTNAME/$QL_VARIANT
            mkdir -p $MODELS/$SHORTNAME
-            mv java/ql/lib/ext/generated/modelgenerator/$SHORTNAME/$QL_VARIANT $MODELS/$SHORTNAME
+            mv java/ql/lib/ext/generated/$SHORTNAME/$QL_VARIANT $MODELS/$SHORTNAME
            cd ..
          }
--- a/.github/workflows/python-tooling.yml
+++ b/.github/workflows/python-tooling.yml
@@ -5,7 +5,7 @@ on:
    paths:
      - "misc/bazel/**"
      - "misc/codegen/**"
-      - "misc/scripts/models-as-data/*.py"
+      - "misc/scripts/models-as-data/bulk_generate_mad.py"
      - "*.bazel*"
      - .github/workflows/codegen.yml
      - .pre-commit-config.yaml
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -140,26 +140,6 @@ version = "0.22.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6"
 [[package]]
 name = "bindgen"
 version = "0.72.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "993776b509cfb49c750f11b8f07a46fa23e0a1386ffc01fb1e7d343efc387895"
 dependencies = [
 "bitflags 2.9.4",
 "cexpr",
 "clang-sys",
 "itertools 0.12.1",
 "log 0.4.28",
 "prettyplease",
 "proc-macro2",
 "quote",
 "regex",
 "rustc-hash 2.1.1",
 "shlex",
 "syn",
 ]
 [[package]]
 name = "bitflags"
 version = "1.3.2"
@@ -260,9 +240,9 @@ dependencies = [
 [[package]]
 name = "cc"
-version = "1.2.61"
+version = "1.2.37"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d16d90359e986641506914ba71350897565610e87ce0ad9e6f28569db3dd5c6d"
+checksum = "65193589c6404eb80b450d618eaf9a2cafaaafd57ecce47370519ef674a7bd44"
 dependencies = [
 "find-msvc-tools",
 "jobserver",
@@ -270,15 +250,6 @@ dependencies = [
 "shlex",
 ]
 [[package]]
 name = "cexpr"
 version = "0.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6fac387a98bb7c37292057cffc56d62ecb629900026402633ae9160df93a8766"
 dependencies = [
 "nom",
 ]
 [[package]]
 name = "cfg-if"
 version = "1.0.3"
@@ -357,7 +328,7 @@ dependencies = [
 "chalk-derive 0.103.0",
 "chalk-ir 0.103.0",
 "ena",
- "indexmap 2.14.0",
+ "indexmap 2.11.4",
 "itertools 0.12.1",
 "petgraph",
 "rustc-hash 1.1.0",
@@ -378,17 +349,6 @@ dependencies = [
 "windows-link 0.2.0",
 ]
 [[package]]
 name = "clang-sys"
 version = "1.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0b023947811758c97c59bf9d1c188fd619ad4718dcaa767947df1cadb14f39f4"
 dependencies = [
 "glob",
 "libc",
 "libloading",
 ]
 [[package]]
 name = "clap"
 version = "4.5.48"
@@ -456,7 +416,6 @@ dependencies = [
 "tree-sitter",
 "tree-sitter-json",
 "tree-sitter-ql",
 "yeast",
 "zstd",
 ]
@@ -478,25 +437,6 @@ dependencies = [
 "tree-sitter-ruby",
 ]
 [[package]]
 name = "codeql-extractor-unified"
 version = "0.1.0"
 dependencies = [
 "clap",
 "codeql-extractor",
 "encoding",
 "lazy_static",
 "rayon",
 "regex",
 "serde_json",
 "tracing",
 "tracing-subscriber",
 "tree-sitter",
 "tree-sitter-embedded-template",
 "tree-sitter-swift",
 "yeast",
 ]
 [[package]]
 name = "codeql-rust"
 version = "0.1.0"
@@ -545,15 +485,6 @@ version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b05b61dc5112cbb17e4b6cd61790d9845d13888356391624cbe7e41efeac1e75"
 [[package]]
 name = "convert_case"
 version = "0.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "baaaa0ecca5b51987b9423ccdc971514dd8b0bb7b4060b983d3664dad3f1f89f"
 dependencies = [
 "unicode-segmentation",
 ]
 [[package]]
 name = "core-foundation-sys"
 version = "0.8.7"
@@ -807,12 +738,6 @@ dependencies = [
 "typeid",
 ]
 [[package]]
 name = "fastrand"
 version = "2.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9f1f227452a390804cdb637b74a86990f2a7d7ba4b7d5693aac9b4dd6defd8d6"
 [[package]]
 name = "figment"
 version = "0.10.19"
@@ -829,9 +754,9 @@ dependencies = [
 [[package]]
 name = "find-msvc-tools"
-version = "0.1.9"
+version = "0.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5baebc0774151f905a1a2cc41989300b1e6fbb29aff0ceffa1064fdd3088d582"
+checksum = "7fd99930f64d146689264c637b5af2f0233a933bef0d8570e2526bf9e083192d"
 [[package]]
 name = "fixedbitset"
@@ -861,12 +786,6 @@ version = "0.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d9c4f5dac5e15c24eb999c26181a6ca40b39fe946cbe4c263c7209467bc83af2"
 [[package]]
 name = "foldhash"
 version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "77ce24cb58228fbb8aa041425bb1050850ac19177686ea6e0f41a70416f56fdb"
 [[package]]
 name = "form_urlencoded"
 version = "1.2.2"
@@ -951,26 +870,9 @@ checksum = "9229cfe53dfd69f0609a49f65461bd93001ea1ef889cd5529dd176593f5338a1"
 dependencies = [
 "allocator-api2",
 "equivalent",
- "foldhash 0.1.5",
+ "foldhash",
 ]
 [[package]]
 name = "hashbrown"
 version = "0.16.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "841d1cc9bed7f9236f321df977030373f4a4163ae1a7dbfe1a51a2c1a51d9100"
 dependencies = [
 "allocator-api2",
 "equivalent",
 "foldhash 0.2.0",
 ]
 [[package]]
 name = "hashbrown"
 version = "0.17.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ed5909b6e89a2db4456e54cd5f673791d7eca6732202bbf2a9cc504fe2f9b84a"
 [[package]]
 name = "hashlink"
 version = "0.10.0"
@@ -1157,25 +1059,16 @@ dependencies = [
 [[package]]
 name = "indexmap"
-version = "2.14.0"
+version = "2.11.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d466e9454f08e4a911e14806c24e16fba1b4c121d1ea474396f396069cf949d9"
+checksum = "4b0f83760fb341a774ed326568e19f5a863af4a952def8c39f9ab92fd95b88e5"
 dependencies = [
 "equivalent",
- "hashbrown 0.17.1",
+ "hashbrown 0.15.5",
 "serde",
 "serde_core",
 ]
 [[package]]
 name = "indoc"
 version = "2.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "79cf5c93f93228cf8efb3ba362535fb11199ac548a09ce117c9b1adc3030d706"
 dependencies = [
 "rustversion",
 ]
 [[package]]
 name = "inlinable_string"
 version = "0.1.15"
@@ -1305,16 +1198,6 @@ version = "0.2.175"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6a82ae493e598baaea5209805c49bbf2ea7de956d50d7da0da1164f9c6d28543"
 [[package]]
 name = "libloading"
 version = "0.8.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d7c4b02199fee7c5d21a5ae7d8cfa79a6ef5bb2fc834d6e9058e89c825efdc55"
 dependencies = [
 "cfg-if",
 "windows-link 0.2.0",
 ]
 [[package]]
 name = "line-index"
 version = "0.1.2"
@@ -1380,12 +1263,6 @@ dependencies = [
 "autocfg",
 ]
 [[package]]
 name = "minimal-lexical"
 version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a"
 [[package]]
 name = "miniz_oxide"
 version = "0.8.9"
@@ -1432,16 +1309,6 @@ version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2bf50223579dc7cdcfb3bfcacf7069ff68243f8c363f62ffa99cf000a6b9c451"
 [[package]]
 name = "nom"
 version = "7.1.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d273983c5a657a70a3e8f2a01329822f3b8c8172b73826411a55751e404a0a4a"
 dependencies = [
 "memchr",
 "minimal-lexical",
 ]
 [[package]]
 name = "notify"
 version = "8.2.0"
@@ -1569,12 +1436,6 @@ dependencies = [
 "windows-targets 0.52.6",
 ]
 [[package]]
 name = "pathdiff"
 version = "0.2.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "df94ce210e5bc13cb6651479fa48d14f601d9858cfe0467f43ae157023b938d3"
 [[package]]
 name = "pear"
 version = "0.2.9"
@@ -1630,36 +1491,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b4c5cc86750666a3ed20bdaf5ca2a0344f9c67674cae0515bec2da16fbaa47db"
 dependencies = [
 "fixedbitset",
- "indexmap 2.14.0",
+ "indexmap 2.11.4",
 ]
 [[package]]
 name = "phf"
 version = "0.13.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c1562dc717473dbaa4c1f85a36410e03c047b2e7df7f45ee938fbef64ae7fadf"
 dependencies = [
 "phf_shared",
 "serde",
 ]
 [[package]]
 name = "phf_generator"
 version = "0.13.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "135ace3a761e564ec88c03a77317a7c6b80bb7f7135ef2544dbe054243b89737"
 dependencies = [
 "fastrand",
 "phf_shared",
 ]
 [[package]]
 name = "phf_shared"
 version = "0.13.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e57fef6bc5981e38c2ce2d63bfa546861309f875b8a75f092d1d54ae2d64f266"
 dependencies = [
 "siphasher",
 ]
 [[package]]
@@ -1704,25 +1536,6 @@ dependencies = [
 "zerocopy",
 ]
 [[package]]
 name = "prettyplease"
 version = "0.2.37"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "479ca8adacdd7ce8f1fb39ce9ecccbfe93a3f1344b3d0d97f20bc0196208f62b"
 dependencies = [
 "proc-macro2",
 "syn",
 ]
 [[package]]
 name = "proc-macro-crate"
 version = "3.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e67ba7e9b2b56446f1d419b1d807906278ffa1a658a8a5d8a39dcb1f5a78614f"
 dependencies = [
 "toml_edit 0.25.11+spec-1.1.0",
 ]
 [[package]]
 name = "proc-macro2"
 version = "1.0.101"
@@ -1854,7 +1667,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e876bb2c3e52a8d4e6684526a2d4e81f9d028b939ee4dc5dc775fe10deb44d59"
 dependencies = [
 "dashmap",
- "indexmap 2.14.0",
+ "indexmap 2.11.4",
 "la-arena",
 "ra_ap_cfg",
 "ra_ap_intern",
@@ -1896,7 +1709,7 @@ checksum = "ebffdc134eccabc17209d7760cfff7fd12ed18ab6e21188c5e084b97aa38504c"
 dependencies = [
 "arrayvec",
 "either",
- "indexmap 2.14.0",
+ "indexmap 2.11.4",
 "itertools 0.14.0",
 "ra_ap_base_db",
 "ra_ap_cfg",
@@ -1926,7 +1739,7 @@ dependencies = [
 "drop_bomb",
 "either",
 "fst",
- "indexmap 2.14.0",
+ "indexmap 2.11.4",
 "itertools 0.14.0",
 "la-arena",
 "ra-ap-rustc_abi",
@@ -1995,7 +1808,7 @@ dependencies = [
 "cov-mark",
 "either",
 "ena",
- "indexmap 2.14.0",
+ "indexmap 2.11.4",
 "itertools 0.14.0",
 "la-arena",
 "oorandom",
@@ -2033,7 +1846,7 @@ dependencies = [
 "crossbeam-channel",
 "either",
 "fst",
- "indexmap 2.14.0",
+ "indexmap 2.11.4",
 "itertools 0.14.0",
 "line-index",
 "memchr",
@@ -2135,7 +1948,7 @@ version = "0.0.301"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "45db9e2df587d56f0738afa89fb2c100ff7c1e9cbe49e07f6a8b62342832211b"
 dependencies = [
- "indexmap 2.14.0",
+ "indexmap 2.11.4",
 "ra_ap_intern",
 "ra_ap_paths",
 "ra_ap_span",
@@ -2294,7 +2107,7 @@ checksum = "6c174d6b9b7a7f54687df7e00c3e75ed6f082a7943a9afb1d54f33c0c12773de"
 dependencies = [
 "crossbeam-channel",
 "fst",
- "indexmap 2.14.0",
+ "indexmap 2.11.4",
 "nohash-hasher",
 "ra_ap_paths",
 "ra_ap_stdx",
@@ -2426,15 +2239,6 @@ version = "0.8.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "caf4aa5b0f434c91fe5c7f1ecb6a5ece2130b02ad2a590589dda5146df959001"
 [[package]]
 name = "relative-path"
 version = "2.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "bca40a312222d8ba74837cb474edef44b37f561da5f773981007a10bbaa992b0"
 dependencies = [
 "serde",
 ]
 [[package]]
 name = "rowan"
 version = "0.15.15"
@@ -2448,57 +2252,6 @@ dependencies = [
 "text-size",
 ]
 [[package]]
 name = "rquickjs"
 version = "0.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a135375fbac5ba723bb6a48f432a72f81539cedde422f0121a86c7c4e96d8e0d"
 dependencies = [
 "rquickjs-core",
 "rquickjs-macro",
 ]
 [[package]]
 name = "rquickjs-core"
 version = "0.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "bccb7121a123865c8ace4dea42e7ed84d78b90cbaf4ca32c59849d8d210c9672"
 dependencies = [
 "hashbrown 0.16.1",
 "phf",
 "relative-path",
 "rquickjs-sys",
 ]
 [[package]]
 name = "rquickjs-macro"
 version = "0.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "89f93602cc3112c7f30bf5f29e722784232138692c7df4c52ebbac7e035d900d"
 dependencies = [
 "convert_case",
 "fnv",
 "ident_case",
 "indexmap 2.14.0",
 "phf_generator",
 "phf_shared",
 "proc-macro-crate",
 "proc-macro2",
 "quote",
 "rquickjs-core",
 "syn",
 ]
 [[package]]
 name = "rquickjs-sys"
 version = "0.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "57b1b6528590d4d65dc86b5159eae2d0219709546644c66408b2441696d1d725"
 dependencies = [
 "bindgen",
 "cc",
 ]
 [[package]]
 name = "rust-extractor-macros"
 version = "0.1.0"
@@ -2564,7 +2317,7 @@ dependencies = [
 "crossbeam-utils",
 "hashbrown 0.15.5",
 "hashlink",
- "indexmap 2.14.0",
+ "indexmap 2.11.4",
 "intrusive-collections",
 "papaya",
 "parking_lot",
@@ -2653,12 +2406,11 @@ dependencies = [
 [[package]]
 name = "semver"
-version = "1.0.28"
+version = "1.0.26"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8a7852d02fc848982e0c167ef163aaff9cd91dc640ba85e263cb1ce46fae51cd"
+checksum = "56e6fa9c48d24d85fb3de5ad847117517440f6beceb7798af16b4a87d616b8d0"
 dependencies = [
 "serde",
 "serde_core",
 ]
 [[package]]
@@ -2718,7 +2470,7 @@ version = "1.0.145"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "402a6f66d8c709116cf22f558eab210f5a50187f702eb4d7e5ef38d9a7f1c79c"
 dependencies = [
- "indexmap 2.14.0",
+ "indexmap 2.11.4",
 "itoa",
 "memchr",
 "ryu",
@@ -2754,7 +2506,7 @@ dependencies = [
 "chrono",
 "hex",
 "indexmap 1.9.3",
- "indexmap 2.14.0",
+ "indexmap 2.11.4",
 "schemars 0.9.0",
 "schemars 1.0.4",
 "serde",
@@ -2782,7 +2534,7 @@ version = "0.9.34+deprecated"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6a8b1a1a2ebf674015cc02edccce75287f1a0130d394307b36743c2f5d504b47"
 dependencies = [
- "indexmap 2.14.0",
+ "indexmap 2.11.4",
 "itoa",
 "ryu",
 "serde",
@@ -2804,18 +2556,6 @@ version = "1.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64"
 [[package]]
 name = "siphasher"
 version = "1.0.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8ee5873ec9cce0195efcb7a4e9507a04cd49aec9c83d0389df45b1ef7ba2e649"
 [[package]]
 name = "smallbitvec"
 version = "2.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9b0e903ee191d8f7a8fbf0d712c3a1699d19e04ceba5ad1eb673053c7d938a09"
 [[package]]
 name = "smallvec"
 version = "1.15.1"
@@ -2892,18 +2632,18 @@ checksum = "144f754d318415ac792f9d69fc87abbbfc043ce2ef041c60f16ad828f638717d"
 [[package]]
 name = "thiserror"
-version = "2.0.18"
+version = "2.0.16"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4288b5bcbc7920c07a1149a35cf9590a2aa808e0bc1eafaade0b80947865fbc4"
+checksum = "3467d614147380f2e4e374161426ff399c91084acd2363eaf549172b3d5e60c0"
 dependencies = [
 "thiserror-impl",
 ]
 [[package]]
 name = "thiserror-impl"
-version = "2.0.18"
+version = "2.0.16"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ebc4ee7f67670e9b64d05fa4253e753e016c6c95ff35b89b7941d6b856dec1d5"
+checksum = "6c5e1be1c48b9172ee610da68fd9cd2770e7a4056cb3fc98710ee6906f0c7960"
 dependencies = [
 "proc-macro2",
 "quote",
@@ -2968,7 +2708,7 @@ dependencies = [
 "serde",
 "serde_spanned 0.6.9",
 "toml_datetime 0.6.11",
- "toml_edit 0.22.27",
+ "toml_edit",
 ]
 [[package]]
@@ -2977,13 +2717,13 @@ version = "0.9.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "00e5e5d9bf2475ac9d4f0d9edab68cc573dc2fd644b0dba36b0c30a92dd9eaa0"
 dependencies = [
- "indexmap 2.14.0",
+ "indexmap 2.11.4",
 "serde_core",
 "serde_spanned 1.0.2",
 "toml_datetime 0.7.2",
 "toml_parser",
 "toml_writer",
- "winnow 0.7.13",
+ "winnow",
 ]
 [[package]]
@@ -3004,48 +2744,27 @@ dependencies = [
 "serde_core",
 ]
 [[package]]
 name = "toml_datetime"
 version = "1.1.1+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3165f65f62e28e0115a00b2ebdd37eb6f3b641855f9d636d3cd4103767159ad7"
 dependencies = [
 "serde_core",
 ]
 [[package]]
 name = "toml_edit"
 version = "0.22.27"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "41fe8c660ae4257887cf66394862d21dbca4a6ddd26f04a3560410406a2f819a"
 dependencies = [
- "indexmap 2.14.0",
+ "indexmap 2.11.4",
 "serde",
 "serde_spanned 0.6.9",
 "toml_datetime 0.6.11",
 "toml_write",
- "winnow 0.7.13",
+ "winnow",
 ]
 [[package]]
 name = "toml_edit"
 version = "0.25.11+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0b59c4d22ed448339746c59b905d24568fcbb3ab65a500494f7b8c3e97739f2b"
 dependencies = [
 "indexmap 2.14.0",
 "toml_datetime 1.1.1+spec-1.1.0",
 "toml_parser",
 "winnow 1.0.2",
 ]
 [[package]]
 name = "toml_parser"
-version = "1.1.2+spec-1.1.0"
+version = "1.0.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a2abe9b86193656635d2411dc43050282ca48aa31c2451210f4202550afb7526"
+checksum = "4cf893c33be71572e0e9aa6dd15e6677937abd686b066eac3f8cd3531688a627"
 dependencies = [
- "winnow 1.0.2",
+ "winnow",
 ]
 [[package]]
@@ -3060,12 +2779,6 @@ version = "1.0.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d163a63c116ce562a22cda521fcc4d79152e7aba014456fb5eb442f6d6a10109"
 [[package]]
 name = "topological-sort"
 version = "0.2.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ea68304e134ecd095ac6c3574494fc62b909f416c4fca77e440530221e549d3d"
 [[package]]
 name = "tracing"
 version = "0.1.41"
@@ -3140,9 +2853,9 @@ dependencies = [
 [[package]]
 name = "tree-sitter"
-version = "0.26.8"
+version = "0.25.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "887bd495d0582c5e3e0d8ece2233666169fa56a9644d172fc22ad179ab2d0538"
+checksum = "ccd2a058a86cfece0bf96f7cce1021efef9c8ed0e892ab74639173e5ed7a34fa"
 dependencies = [
 "cc",
 "regex",
@@ -3162,30 +2875,6 @@ dependencies = [
 "tree-sitter-language",
 ]
 [[package]]
 name = "tree-sitter-generate"
 version = "0.26.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c3fb2e1bdb1d5f9d23cd5fa68cf98b3bedbd223c92a2edd60bbcf30bcf7180a5"
 dependencies = [
 "bitflags 2.9.4",
 "dunce",
 "indexmap 2.14.0",
 "indoc",
 "log 0.4.28",
 "pathdiff",
 "regex",
 "regex-syntax",
 "rquickjs",
 "rustc-hash 2.1.1",
 "semver",
 "serde",
 "serde_json",
 "smallbitvec",
 "thiserror",
 "topological-sort",
 ]
 [[package]]
 name = "tree-sitter-json"
 version = "0.24.8"
@@ -3202,16 +2891,6 @@ version = "0.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c4013970217383f67b18aef68f6fb2e8d409bc5755227092d32efb0422ba24b8"
 [[package]]
 name = "tree-sitter-python"
 version = "0.23.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3d065aaa27f3aaceaf60c1f0e0ac09e1cb9eb8ed28e7bcdaa52129cffc7f4b04"
 dependencies = [
 "cc",
 "tree-sitter-language",
 ]
 [[package]]
 name = "tree-sitter-ql"
 version = "0.23.1"
@@ -3232,15 +2911,6 @@ dependencies = [
 "tree-sitter-language",
 ]
 [[package]]
 name = "tree-sitter-swift"
 version = "0.7.2"
 dependencies = [
 "cc",
 "tree-sitter-generate",
 "tree-sitter-language",
 ]
 [[package]]
 name = "triomphe"
 version = "0.1.14"
@@ -3290,12 +2960,6 @@ version = "0.1.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e70f2a8b45122e719eb623c01822704c4e0907e7e426a05927e1a1cfff5b75d0"
 [[package]]
 name = "unicode-segmentation"
 version = "1.13.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9629274872b2bfaf8d66f5f15725007f635594914870f65218920345aa11aa8c"
 [[package]]
 name = "unicode-xid"
 version = "0.2.6"
@@ -3685,15 +3349,6 @@ dependencies = [
 "memchr",
 ]
 [[package]]
 name = "winnow"
 version = "1.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2ee1708bef14716a11bae175f579062d4554d95be2c6829f518df847b7b3fdd0"
 dependencies = [
 "memchr",
 ]
 [[package]]
 name = "wit-bindgen"
 version = "0.45.1"
@@ -3712,29 +3367,6 @@ version = "1.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "cfe53a6657fd280eaa890a3bc59152892ffa3e30101319d168b781ed6529b049"
 [[package]]
 name = "yeast"
 version = "0.1.0"
 dependencies = [
 "clap",
 "serde",
 "serde_json",
 "serde_yaml",
 "tree-sitter",
 "tree-sitter-python",
 "tree-sitter-ruby",
 "yeast-macros",
 ]
 [[package]]
 name = "yeast-macros"
 version = "0.1.0"
 dependencies = [
 "proc-macro2",
 "quote",
 "syn",
 ]
 [[package]]
 name = "yoke"
 version = "0.8.0"
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -4,11 +4,7 @@
 resolver = "2"
 members = [
    "shared/tree-sitter-extractor",
    "shared/yeast",
    "shared/yeast-macros",
    "ruby/extractor",
    "unified/extractor",
    "unified/extractor/tree-sitter-swift",
    "rust/extractor",
    "rust/extractor/macros",
    "rust/ast-generator",
--- a/MODULE.bazel
+++ b/MODULE.bazel
@@ -102,7 +102,6 @@ use_repo(
    tree_sitter_extractors_deps,
    "vendor_ts__anyhow-1.0.100",
    "vendor_ts__argfile-0.2.1",
    "vendor_ts__cc-1.2.61",
    "vendor_ts__chalk-ir-0.104.0",
    "vendor_ts__chrono-0.4.42",
    "vendor_ts__clap-4.5.48",
@@ -142,18 +141,14 @@ use_repo(
    "vendor_ts__serde-1.0.228",
    "vendor_ts__serde_json-1.0.145",
    "vendor_ts__serde_with-3.14.1",
    "vendor_ts__serde_yaml-0.9.34-deprecated",
    "vendor_ts__syn-2.0.106",
    "vendor_ts__toml-0.9.7",
    "vendor_ts__tracing-0.1.41",
    "vendor_ts__tracing-flame-0.2.0",
    "vendor_ts__tracing-subscriber-0.3.20",
-    "vendor_ts__tree-sitter-0.26.8",
+    "vendor_ts__tree-sitter-0.25.9",
    "vendor_ts__tree-sitter-embedded-template-0.25.0",
    "vendor_ts__tree-sitter-generate-0.26.8",
    "vendor_ts__tree-sitter-json-0.24.8",
    "vendor_ts__tree-sitter-language-0.1.5",
    "vendor_ts__tree-sitter-python-0.23.6",
    "vendor_ts__tree-sitter-ql-0.23.1",
    "vendor_ts__tree-sitter-ruby-0.23.1",
    "vendor_ts__triomphe-0.1.14",
@@ -273,7 +268,7 @@ use_repo(
 )
 go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
-go_sdk.download(version = "1.26.4")
+go_sdk.download(version = "1.26.0")
 go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
 go_deps.from_file(go_mod = "//go/extractor:go.mod")
--- a/actions/ql/examples/snippets/uses_pinned_sha.ql
+++ b/actions/ql/examples/snippets/uses_pinned_sha.ql
@@ -8,5 +8,5 @@
 import actions
 from UsesStep uses
-where uses.getVersion().regexpMatch("^[A-Fa-f0-9]{40}([A-Fa-f0-9]{24})?$")
+where uses.getVersion().regexpMatch("^[A-Fa-f0-9]{40}$")
 select uses, "This 'uses' step has a pinned SHA version."
--- a/actions/ql/lib/CHANGELOG.md
+++ b/actions/ql/lib/CHANGELOG.md
@@ -1,19 +1,3 @@
 ## 0.4.37
 ### Minor Analysis Improvements
 * The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, include regexes like `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a sha1 or sha256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.
 ## 0.4.36
 ### Minor Analysis Improvements
 * Altered 2 patterns in the `poisonable_steps` modelling. Extra sinks are detected in the following cases: scripts executed via python modules and `go run` in directories are detected as potential mechanisms of injection. For the go execution pattern, the pattern is updated to now ignore flags that occur between go and the specific command. This change may lead to more results being detected by the following queries: `actions/untrusted-checkout/high`, `actions/untrusted-checkout/critical`, `actions/untrusted-checkout-toctou/high`, `actions/untrusted-checkout-toctou/critical`, `actions/cache-poisoning/poisonable-step`, `actions/cache-poisoning/direct-cache` and `actions/artifact-poisoning/path-traversal`.
 ## 0.4.35
 No user-facing changes.
 ## 0.4.34
 ### Minor Analysis Improvements
--- a/actions/ql/lib/change-notes/released/0.4.35.md
+++ b/actions/ql/lib/change-notes/released/0.4.35.md
@@ -1,3 +0,0 @@
 ## 0.4.35
 No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.36.md
+++ b/actions/ql/lib/change-notes/released/0.4.36.md
@@ -1,5 +0,0 @@
 ## 0.4.36
 ### Minor Analysis Improvements
 * Altered 2 patterns in the `poisonable_steps` modelling. Extra sinks are detected in the following cases: scripts executed via python modules and `go run` in directories are detected as potential mechanisms of injection. For the go execution pattern, the pattern is updated to now ignore flags that occur between go and the specific command. This change may lead to more results being detected by the following queries: `actions/untrusted-checkout/high`, `actions/untrusted-checkout/critical`, `actions/untrusted-checkout-toctou/high`, `actions/untrusted-checkout-toctou/critical`, `actions/cache-poisoning/poisonable-step`, `actions/cache-poisoning/direct-cache` and `actions/artifact-poisoning/path-traversal`.
--- a/actions/ql/lib/change-notes/released/0.4.37.md
+++ b/actions/ql/lib/change-notes/released/0.4.37.md
@@ -1,5 +0,0 @@
 ## 0.4.37
 ### Minor Analysis Improvements
 * The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, include regexes like `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a sha1 or sha256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.
--- a/actions/ql/lib/codeql-pack.release.yml
+++ b/actions/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.37
+lastReleaseVersion: 0.4.34
--- a/actions/ql/lib/codeql/actions/Bash.qll
+++ b/actions/ql/lib/codeql/actions/Bash.qll
@@ -785,22 +785,7 @@ module Bash {
  /**
   * Holds if the given regex is used to match an alphanumeric string
-   * eg: `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$`, `^[0-9]+$` or `^[a-zA-Z0-9_]+$`
+   * eg: `^[0-9a-zA-Z]{40}$`, `^[0-9]+$` or `^[a-zA-Z0-9_]+$`
   */
-  string alphaNumericRegex() {
+  string alphaNumericRegex() { result = "^\\^\\[([09azAZ_-]+)\\](\\+|\\{\\d+\\})\\$$" }
    exists(string r1, string r2, string r3, string r4 |
      // An alphanumeric character class
      r1 = "\\[([09azAZ_-]+)\\]" and
      // The same as above, followed by a quantifier like `+` or `{20}`
      r2 = r1 + "(\\+|\\{\\d+\\})" and
      // The same as above, possibly with parentheses around it
      r3 = "\\(?" + r2 + "\\)?" and
      // The same as above, possibly with a `?` after it
      r4 = r3 + "\\??"
    |
      // The same as above, repeated one or more times, and with `^` at the
      // beginning and `$` at the end
      result = "^\\^(" + r4 + ")+\\$$"
    )
  }
 }
--- a/actions/ql/lib/ext/config/poisonable_steps.yml
+++ b/actions/ql/lib/ext/config/poisonable_steps.yml
@@ -70,7 +70,7 @@ extensions:
      - ["(source|sh|bash|zsh|fish)\\s+([^\\s]+)\\b", 2]
      - ["(node)\\s+([^\\s]+)(\\.js|\\.ts)\\b", 2]
      - ["(python[\\d\\.]*)\\s+([^\\s]+)\\.py\\b", 2]
      - ["(python[\\d\\.]*)\\s+-m\\s+([A-Za-z_][\\w\\.]*)\\b", 2] # eg: pythonX -m anything(dir or file)
      - ["(ruby)\\s+([^\\s]+)\\.rb\\b", 2]
-      - ["(go)\\s+(generate|run)(?:\\s+-[^\\s]+)*\\s+([^\\s]+)", 3]
+      - ["(go)\\s+(generate|run)\\s+([^\\s]+)\\.go\\b", 3]
      - ["(dotnet)\\s+([^\\s]+)\\.csproj\\b", 2]
--- a/actions/ql/lib/qlpack.yml
+++ b/actions/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.38-dev
+version: 0.4.35-dev
 library: true
 warnOnImplicitThis: true
 dependencies:
--- a/actions/ql/src/CHANGELOG.md
+++ b/actions/ql/src/CHANGELOG.md
@@ -1,40 +1,3 @@
 ## 0.6.29
 ### Query Metadata Changes
 * Reversed adjustment of the name of `actions/untrusted-checkout/high`, but kept the portion of the previous change for the word "trusted" to "privileged". Added a missing "a" to phrasing in `actions/untrusted-checkout/high` and `actions/untrusted-checkout/medium`.
 ### Major Analysis Improvements
 * Adjusted `actions/untrusted-checkout/critical` to align more with other untrusted resource queries, where the alert location is the location where the artifact is obtained from (the checkout point). This aligns with the other 2 related queries. This will cause the same alerts to re-open for closed alerts of this query.
 ### Minor Analysis Improvements
 * Altered the alert message for clarity for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`.
 * The `actions/unpinned-tag` query now recognizes 64-character SHA-256 commit hashes as properly pinned references, in addition to 40-character SHA-1 hashes.
 ### Bug Fixes
 * Adjusted (minor) help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Clarified wording on in minor point, added one more listed resource and added one more recommendation for things to check.
 ## 0.6.28
 ### Query Metadata Changes
 * Adjusted the name of `actions/untrusted-checkout/high` to more clearly describe which parts of the scenario are in a privileged context.
 ### Minor Analysis Improvements
 * The `actions/unpinned-tag` query now analyzes composite action metadata (`action.yml`/`action.yaml` files) in addition to workflow files, providing more comprehensive detection of unpinned action references across the entire Actions ecosystem.
 ### Bug Fixes
 * Fixed help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Previously the messages were unclear as to why and how the vulnerabilities could occur. 
 ## 0.6.27
 No user-facing changes.
 ## 0.6.26
 ### Major Analysis Improvements
@@ -210,7 +173,7 @@ No user-facing changes.
  * `actions/if-expression-always-true/critical`
  * `actions/if-expression-always-true/high`
  * `actions/unnecessary-use-of-advanced-config`
-  
+
 * The following query has been moved from the `code-scanning` suite to the `security-extended`
  suite. Any existing alerts for this query will be closed automatically unless the analysis is
  configured to use the `security-extended` suite.
--- a/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
+++ b/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
@@ -1,5 +1,5 @@
 /**
- * @name Unpinned tag for a non-immutable Action in workflow or composite action
+ * @name Unpinned tag for a non-immutable Action in workflow
 * @description Using a tag for a non-immutable Action that is not pinned to a commit can lead to executing an untrusted Action through a supply chain attack.
 * @kind problem
 * @security-severity 5.0
@@ -15,9 +15,7 @@ import actions
 import codeql.actions.security.UseOfUnversionedImmutableAction
 bindingset[version]
-private predicate isPinnedCommit(string version) {
+private predicate isPinnedCommit(string version) { version.regexpMatch("^[A-Fa-f0-9]{40}$") }
  version.regexpMatch("^[A-Fa-f0-9]{40}([A-Fa-f0-9]{24})?$")
 }
 bindingset[nwo]
 private predicate isTrustedOwner(string nwo) {
@@ -33,26 +31,15 @@ private predicate isPinnedContainer(string version) {
 bindingset[nwo]
 private predicate isContainerImage(string nwo) { nwo.regexpMatch("^docker://.+") }
-private predicate getStepContainerName(UsesStep uses, string name) {
+from UsesStep uses, string nwo, string version, Workflow workflow, string name
  exists(Workflow workflow |
    uses.getEnclosingWorkflow() = workflow and
    (
      workflow.getName() = name
      or
      not exists(workflow.getName()) and workflow.getLocation().getFile().getBaseName() = name
    )
  )
  or
  exists(CompositeAction action |
    uses.getEnclosingCompositeAction() = action and
    name = action.getLocation().getFile().getBaseName()
  )
 }
 from UsesStep uses, string nwo, string version, string name
 where
  uses.getCallee() = nwo and
-  getStepContainerName(uses, name) and
+  uses.getEnclosingWorkflow() = workflow and
  (
    workflow.getName() = name
    or
    not exists(workflow.getName()) and workflow.getLocation().getFile().getBaseName() = name
  ) and
  uses.getVersion() = version and
  not isTrustedOwner(nwo) and
  not (if isContainerImage(nwo) then isPinnedContainer(version) else isPinnedCommit(version)) and
--- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md
+++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md
@@ -1,35 +1,6 @@
 ## Overview
-GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. Under certain conditions described below, attackers can take over a repository by opening malicious PRs from forks. The attacks can result in malicious code execution causing unauthorized changes to the repository or exfiltration of repository secrets and a compromise of connected systems.
+GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed (e.g., due to a modified build script) in a privileged job.
 ## Workflow Security Model
 In GitHub Actions, there is a distinction between unprivileged and privileged workflows. For example, a workflow with a `pull_request` trigger is unprivileged while a workflow with `pull_request_target` is privileged.
 This is relevant especially for PRs from forks. Normal PRs can only be submitted by people who have write access to a repository, while PRs from forks can be submitted by anyone.
 On a PR from a fork, an unprivileged `pull_request` workflow has only limited capabilities but a privileged `pull_request_target` workflow is much more dangerous. A privileged workflow:
  * Runs in the context of the base repository
  * Has access to organization and repository secrets (e.g., API keys, deployment tokens)
  * Has a read/write `GITHUB_TOKEN` by default
  * Can access private resources
 Certain triggers automatically grant a workflow elevated privileges:
  * `pull_request_target` as described above
  * `workflow_run`: Triggered when another workflow completes.
  * `issue_comment`: Triggered when a comment is made on an issue or PR.
 ## Attack Details
  * A repository has a privileged workflow
  * An attacker forks the repository and adds malicious code (e.g., in the build script)
  * The attacker opens a PR from the fork, and, if needed, comments on the PR
  * The workflow in the base repository checks out the forked code
  * The workflow runs the malicious code
 Please note that not only build scripts can be malicious code vectors. There is a large number of other possibilities. Some of them are listed in the [LOTP](https://boostsecurityio.github.io/lotp/) catalog.
 ## Recommendation
@@ -41,8 +12,6 @@ The best practice is to handle the potentially untrusted pull request via the **
 The artifacts downloaded from the first workflow should be considered untrusted and must be verified.
 Additionally, ensure that least privilege are used both at the workflow level (through event triggers and workflow permissions) and job level (through job permissions).
 ## Example
 ### Incorrect Usage
@@ -164,6 +133,3 @@ jobs:
 ## References
 - GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).
 - Mitigating risks of untrusted checkout: [GitHub Docs](https://docs.github.com/en/enterprise-cloud@latest/actions/reference/security/secure-use#mitigating-the-risks-of-untrusted-code-checkout).
 - Securing with least privilege: [Workflow secure use](https://docs.github.com/en/actions/reference/security/secure-use).
 - Living Off the Pipeline: [LOTP](https://boostsecurityio.github.io/lotp/).
--- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
+++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
@@ -51,6 +51,5 @@ where
  event.getName() = checkoutTriggers() and
  not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout")) and
  not exists(ControlCheck check | check.protects(poisonable, event, "untrusted-checkout"))
-select checkout, checkout, poisonable,
+select poisonable, checkout, poisonable,
-  "Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@).",
+  "Potential execution of untrusted code on a privileged workflow ($@)", event, event.getName()
  event, event.getName()
--- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md
+++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md
@@ -1,35 +1,6 @@
 ## Overview
-GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. Under certain conditions described below, attackers can take over a repository by opening malicious PRs from forks. The attacks can result in malicious code execution causing unauthorized changes to the repository or exfiltration of repository secrets and a compromise of connected systems.
+GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed (e.g., due to a modified build script) in a privileged job.
 ## Workflow Security Model
 In GitHub Actions, there is a distinction between unprivileged and privileged workflows. For example, a workflow with a `pull_request` trigger is unprivileged while a workflow with `pull_request_target` is privileged.
 This is relevant especially for PRs from forks. Normal PRs can only be submitted by people who have write access to a repository, while PRs from forks can be submitted by anyone.
 On a PR from a fork, an unprivileged `pull_request` workflow has only limited capabilities but a privileged `pull_request_target` workflow is much more dangerous. A privileged workflow:
  * Runs in the context of the base repository
  * Has access to organization and repository secrets (e.g., API keys, deployment tokens)
  * Has a read/write `GITHUB_TOKEN` by default
  * Can access private resources
 Certain triggers automatically grant a workflow elevated privileges:
  * `pull_request_target` as described above
  * `workflow_run`: Triggered when another workflow completes.
  * `issue_comment`: Triggered when a comment is made on an issue or PR.
 ## Attack Details
  * A repository has a privileged workflow
  * An attacker forks the repository and adds malicious code (e.g., in the build script)
  * The attacker opens a PR from the fork, and, if needed, comments on the PR
  * The workflow in the base repository checks out the forked code
  * The workflow runs the malicious code
 Please note that not only build scripts can be malicious code vectors. There is a large number of other possibilities. Some of them are listed in the [LOTP](https://boostsecurityio.github.io/lotp/) catalog.
 ## Recommendation
@@ -41,8 +12,6 @@ The best practice is to handle the potentially untrusted pull request via the **
 The artifacts downloaded from the first workflow should be considered untrusted and must be verified.
 Additionally, ensure that least privilege are used both at the workflow level (through event triggers and workflow permissions) and job level (through job permissions).
 ## Example
 ### Incorrect Usage
@@ -164,6 +133,3 @@ jobs:
 ## References
 - GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).
 - Mitigating risks of untrusted checkout: [GitHub Docs](https://docs.github.com/en/enterprise-cloud@latest/actions/reference/security/secure-use#mitigating-the-risks-of-untrusted-code-checkout).
 - Securing with least privilege: [Workflow secure use](https://docs.github.com/en/actions/reference/security/secure-use).
 - Living Off the Pipeline: [LOTP](https://boostsecurityio.github.io/lotp/).
--- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
+++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
@@ -1,5 +1,5 @@
 /**
- * @name Checkout of untrusted code in a privileged context
+ * @name Checkout of untrusted code in trusted context
 * @description Privileged workflows have read/write access to the base repository and access to secrets.
 *              By explicitly checking out and running the build script from a fork the untrusted code is running in an environment
 *              that is able to push to the base repository and to access secrets.
@@ -42,6 +42,5 @@ where
    not event.getName() = "issue_comment" and
    not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout"))
  )
-select checkout,
+select checkout, "Potential execution of untrusted code on a privileged workflow ($@)", event,
-  "Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@).",
+  event.getName()
  event, event.getName()
--- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md
+++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md
@@ -1,35 +1,6 @@
 ## Overview
-GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. Under certain conditions described below, attackers can take over a repository by opening malicious PRs from forks. The attacks can result in malicious code execution causing unauthorized changes to the repository or exfiltration of repository secrets and a compromise of connected systems.
+GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed (e.g., due to a modified build script) in a privileged job.
 ## Workflow Security Model
 In GitHub Actions, there is a distinction between unprivileged and privileged workflows. For example, a workflow with a `pull_request` trigger is unprivileged while a workflow with `pull_request_target` is privileged.
 This is relevant especially for PRs from forks. Normal PRs can only be submitted by people who have write access to a repository, while PRs from forks can be submitted by anyone.
 On a PR from a fork, an unprivileged `pull_request` workflow has only limited capabilities but a privileged `pull_request_target` workflow is much more dangerous. A privileged workflow:
  * Runs in the context of the base repository
  * Has access to organization and repository secrets (e.g., API keys, deployment tokens)
  * Has a read/write `GITHUB_TOKEN` by default
  * Can access private resources
 Certain triggers automatically grant a workflow elevated privileges:
  * `pull_request_target` as described above
  * `workflow_run`: Triggered when another workflow completes.
  * `issue_comment`: Triggered when a comment is made on an issue or PR.
 ## Attack Details
  * A repository has a privileged workflow
  * An attacker forks the repository and adds malicious code (e.g., in the build script)
  * The attacker opens a PR from the fork, and, if needed, comments on the PR
  * The workflow in the base repository checks out the forked code
  * The workflow runs the malicious code
 Please note that not only build scripts can be malicious code vectors. There is a large number of other possibilities. Some of them are listed in the [LOTP](https://boostsecurityio.github.io/lotp/) catalog.
 ## Recommendation
@@ -41,8 +12,6 @@ The best practice is to handle the potentially untrusted pull request via the **
 The artifacts downloaded from the first workflow should be considered untrusted and must be verified.
 Additionally, ensure that least privilege are used both at the workflow level (through event triggers and workflow permissions) and job level (through job permissions).
 ## Example
 ### Incorrect Usage
@@ -164,6 +133,3 @@ jobs:
 ## References
 - GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).
 - Mitigating risks of untrusted checkout: [GitHub Docs](https://docs.github.com/en/enterprise-cloud@latest/actions/reference/security/secure-use#mitigating-the-risks-of-untrusted-code-checkout).
 - Securing with least privilege: [Workflow secure use](https://docs.github.com/en/actions/reference/security/secure-use).
 - Living Off the Pipeline: [LOTP](https://boostsecurityio.github.io/lotp/).
--- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql
+++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql
@@ -1,5 +1,5 @@
 /**
- * @name Checkout of untrusted code in a trusted context
+ * @name Checkout of untrusted code in trusted context
 * @description Privileged workflows have read/write access to the base repository and access to secrets.
 *              By explicitly checking out and running the build script from a fork the untrusted code is running in an environment
 *              that is able to push to the base repository and to access secrets.
--- a/actions/ql/src/change-notes/released/0.6.27.md
+++ b/actions/ql/src/change-notes/released/0.6.27.md
@@ -1,3 +0,0 @@
 ## 0.6.27
 No user-facing changes.
--- a/actions/ql/src/change-notes/released/0.6.28.md
+++ b/actions/ql/src/change-notes/released/0.6.28.md
@@ -1,13 +0,0 @@
 ## 0.6.28
 ### Query Metadata Changes
 * Adjusted the name of `actions/untrusted-checkout/high` to more clearly describe which parts of the scenario are in a privileged context.
 ### Minor Analysis Improvements
 * The `actions/unpinned-tag` query now analyzes composite action metadata (`action.yml`/`action.yaml` files) in addition to workflow files, providing more comprehensive detection of unpinned action references across the entire Actions ecosystem.
 ### Bug Fixes
 * Fixed help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Previously the messages were unclear as to why and how the vulnerabilities could occur. 
--- a/actions/ql/src/change-notes/released/0.6.29.md
+++ b/actions/ql/src/change-notes/released/0.6.29.md
@@ -1,18 +0,0 @@
 ## 0.6.29
 ### Query Metadata Changes
 * Reversed adjustment of the name of `actions/untrusted-checkout/high`, but kept the portion of the previous change for the word "trusted" to "privileged". Added a missing "a" to phrasing in `actions/untrusted-checkout/high` and `actions/untrusted-checkout/medium`.
 ### Major Analysis Improvements
 * Adjusted `actions/untrusted-checkout/critical` to align more with other untrusted resource queries, where the alert location is the location where the artifact is obtained from (the checkout point). This aligns with the other 2 related queries. This will cause the same alerts to re-open for closed alerts of this query.
 ### Minor Analysis Improvements
 * Altered the alert message for clarity for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`.
 * The `actions/unpinned-tag` query now recognizes 64-character SHA-256 commit hashes as properly pinned references, in addition to 40-character SHA-1 hashes.
 ### Bug Fixes
 * Adjusted (minor) help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Clarified wording on in minor point, added one more listed resource and added one more recommendation for things to check.
--- a/actions/ql/src/codeql-pack.release.yml
+++ b/actions/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.29
+lastReleaseVersion: 0.6.26
--- a/actions/ql/src/qlpack.yml
+++ b/actions/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.30-dev
+version: 0.6.27-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]
--- a/actions/ql/test/query-tests/Models/.github/workflows/reusable_workflow.yml
+++ b/actions/ql/test/query-tests/Models/.github/workflows/reusable_workflow.yml
@@ -3,14 +3,14 @@ name: Reusable workflow example
 on:
  workflow_call:
    inputs:
-      config-path: # $ Source[actions/reusable-workflow-sinks] Source[actions/reusable-workflow-summaries]
+      config-path:
        required: true
        type: string
    outputs:
      workflow-output1:
-        value: ${{ jobs.job1.outputs.job-output1 }} # $ Alert[actions/reusable-workflow-summaries]
+        value: ${{ jobs.job1.outputs.job-output1 }}
      workflow-output2:
-        value: ${{ jobs.job1.outputs.job-output2 }} # $ Alert[actions/reusable-workflow-sources]
+        value: ${{ jobs.job1.outputs.job-output2 }}
    secrets:
      token:
        required: true
@@ -26,9 +26,9 @@ jobs:
        env:
          CONFIG_PATH: ${{ inputs.config-path }}
        run: |
-          echo ${{ inputs.config-path }} # $ Alert[actions/reusable-workflow-sinks]
+          echo ${{ inputs.config-path }}
          echo "::set-output name=step-output::$CONFIG_PATH"
      - name: Get changed files
        id: step2
-        uses: tj-actions/changed-files@v40 # $ Source[actions/reusable-workflow-sources]
+        uses: tj-actions/changed-files@v40
--- a/actions/ql/test/query-tests/Models/CompositeActionsSinks.expected
+++ b/actions/ql/test/query-tests/Models/CompositeActionsSinks.expected
@@ -1,6 +1,3 @@
 #select
 | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | Sink |
 | action1/action.yml:35:25:35:50 | inputs.who-to-greet | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | Sink |
 edges
 | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:28:18:28:43 | inputs.who-to-greet | provenance |  |
 | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | provenance |  |
@@ -13,3 +10,6 @@ nodes
 | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | semmle.label | steps.replace.outputs.value |
 | action1/action.yml:35:25:35:50 | inputs.who-to-greet | semmle.label | inputs.who-to-greet |
 subpaths
 #select
 | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:32:18:32:51 | steps.replace.outputs.value | Sink |
 | action1/action.yml:35:25:35:50 | inputs.who-to-greet | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:25:35:50 | inputs.who-to-greet | Sink |
--- a/actions/ql/test/query-tests/Models/CompositeActionsSinks.qlref
+++ b/actions/ql/test/query-tests/Models/CompositeActionsSinks.qlref
@@ -1,2 +1 @@
-query: Models/CompositeActionsSinks.ql
+Models/CompositeActionsSinks.ql
 postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/actions/ql/test/query-tests/Models/CompositeActionsSources.expected
+++ b/actions/ql/test/query-tests/Models/CompositeActionsSources.expected
@@ -1,9 +1,3 @@
 #select
 | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Source |
 | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Source |
 | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source |
 | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source |
 | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source |
 edges
 | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | provenance |  |
 | action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | provenance |  |
@@ -19,3 +13,9 @@ nodes
 | action1/action.yml:44:7:48:70 | Run Step: source [tainted] | semmle.label | Run Step: source [tainted] |
 | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files |
 subpaths
 #select
 | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Source |
 | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:41:30:41:55 | inputs.who-to-greet | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Source |
 | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source |
 | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:42:7:44:4 | Uses Step: changed-files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source |
 | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | action1/action.yml:48:19:48:70 | steps.changed-files.outputs.all_changed_files | action1/action.yml:14:13:14:46 | steps.source.outputs.tainted | Source |
--- a/actions/ql/test/query-tests/Models/CompositeActionsSources.qlref
+++ b/actions/ql/test/query-tests/Models/CompositeActionsSources.qlref
@@ -1,2 +1,2 @@
-query: Models/CompositeActionsSources.ql
+Models/CompositeActionsSources.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+
--- a/actions/ql/test/query-tests/Models/CompositeActionsSummaries.expected
+++ b/actions/ql/test/query-tests/Models/CompositeActionsSummaries.expected
@@ -1,5 +1,3 @@
 #select
 | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Summary |
 edges
 | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:41:30:41:55 | inputs.who-to-greet | provenance |  |
 | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | provenance |  |
@@ -10,3 +8,5 @@ nodes
 | action1/action.yml:37:7:42:4 | Run Step: reflector [reflected] | semmle.label | Run Step: reflector [reflected] |
 | action1/action.yml:41:30:41:55 | inputs.who-to-greet | semmle.label | inputs.who-to-greet |
 subpaths
 #select
 | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:11:13:11:52 | steps.reflector.outputs.reflected | Summary |
--- a/actions/ql/test/query-tests/Models/CompositeActionsSummaries.qlref
+++ b/actions/ql/test/query-tests/Models/CompositeActionsSummaries.qlref
@@ -1,2 +1,2 @@
-query: Models/CompositeActionsSummaries.ql
+Models/CompositeActionsSummaries.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+
--- a/actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.expected
+++ b/actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.expected
@@ -1,5 +1,3 @@
 #select
 | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | Sink |
 edges
 | .github/workflows/calling_workflow.yml:12:5:15:2 | Job: call2 [workflow-output1] | .github/workflows/calling_workflow.yml:35:20:35:62 | needs.call2.outputs.workflow-output1 | provenance |  |
 | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | provenance |  |
@@ -22,3 +20,5 @@ nodes
 | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | semmle.label | inputs.config-path |
 | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | semmle.label | inputs.config-path |
 subpaths
 #select
 | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:29:17:29:41 | inputs.config-path | Sink |
--- a/actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.qlref
+++ b/actions/ql/test/query-tests/Models/ReusableWorkflowsSinks.qlref
@@ -1,2 +1,2 @@
-query: Models/ReusableWorkflowsSinks.ql
+Models/ReusableWorkflowsSinks.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+
--- a/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.expected
+++ b/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.expected
@@ -1,5 +1,3 @@
 #select
 | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | Source |
 edges
 | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | provenance |  |
 | .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output2] | provenance |  |
@@ -10,3 +8,5 @@ nodes
 | .github/workflows/reusable_workflow.yml:23:21:23:63 | steps.step2.outputs.all_changed_files | semmle.label | steps.step2.outputs.all_changed_files |
 | .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | semmle.label | Uses Step: step2 |
 subpaths
 #select
 | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | .github/workflows/reusable_workflow.yml:31:9:33:43 | Uses Step: step2 | .github/workflows/reusable_workflow.yml:13:17:13:52 | jobs.job1.outputs.job-output2 | Source |
--- a/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.qlref
+++ b/actions/ql/test/query-tests/Models/ReusableWorkflowsSources.qlref
@@ -1,2 +1,2 @@
-query: Models/ReusableWorkflowsSources.ql
+Models/ReusableWorkflowsSources.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+
--- a/actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.expected
+++ b/actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.expected
@@ -1,5 +1,3 @@
 #select
 | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | Summary |
 edges
 | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | provenance |  |
 | .github/workflows/reusable_workflow.yml:22:7:24:4 | Job outputs node [job-output1] | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | provenance |  |
@@ -14,3 +12,5 @@ nodes
 | .github/workflows/reusable_workflow.yml:25:9:31:6 | Run Step: step1 [step-output] | semmle.label | Run Step: step1 [step-output] |
 | .github/workflows/reusable_workflow.yml:27:25:27:49 | inputs.config-path | semmle.label | inputs.config-path |
 subpaths
 #select
 | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:11:17:11:52 | jobs.job1.outputs.job-output1 | Summary |
--- a/actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.qlref
+++ b/actions/ql/test/query-tests/Models/ReusableWorkflowsSummaries.qlref
@@ -1,2 +1,2 @@
-query: Models/ReusableWorkflowsSummaries.ql
+Models/ReusableWorkflowsSummaries.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql
+
--- a/actions/ql/test/query-tests/Models/action1/action.yml
+++ b/actions/ql/test/query-tests/Models/action1/action.yml
@@ -1,17 +1,17 @@
 name: 'Hello World'
 description: 'Greet someone'
 inputs:
-  who-to-greet:  # id of input # $ Source[actions/composite-action-sinks] Source[actions/composite-action-summaries]
+  who-to-greet:  # id of input
    description: 'Who to greet'
    required: true
    default: 'World'
 outputs:
  reflected:
    description: "Reflected input"
-    value: ${{ steps.reflector.outputs.reflected }} # $ Alert[actions/composite-action-sources] Alert[actions/composite-action-summaries]
+    value: ${{ steps.reflector.outputs.reflected }}
  tainted:
    description: "Reflected input"
-    value: ${{ steps.source.outputs.tainted}} # $ Alert[actions/composite-action-sources]
+    value: ${{ steps.source.outputs.tainted}}
 runs:
  using: "composite"
@@ -29,23 +29,23 @@ runs:
        find: 'foo'
        replace: ''
    - id: sink 
-      run: echo ${{ steps.replace.outputs.value }} # $ Alert[actions/composite-action-sinks]
+      run: echo ${{ steps.replace.outputs.value }}
      shell: bash
    - name: Vulnerable Set Greeting
-      run: echo "Hello ${{ inputs.who-to-greet }}." # $ Alert[actions/composite-action-sinks]
+      run: echo "Hello ${{ inputs.who-to-greet }}."
      shell: bash
    - id: reflector 
      run: echo "reflected=$(echo $INPUT_WHO_TO_GREET)" >> $GITHUB_OUTPUT
      shell: bash
      env:
-        INPUT_WHO_TO_GREET: ${{ inputs.who-to-greet }} # $ Source[actions/composite-action-sources]
+        INPUT_WHO_TO_GREET: ${{ inputs.who-to-greet }}
    - id: changed-files
      uses: tj-actions/changed-files@v40
-    - id: source # $ Source[actions/composite-action-sources]
+    - id: source
      run: echo "tainted=$(echo $TAINTED)" >> $GITHUB_OUTPUT
      shell: bash
      env:
-        TAINTED: ${{ steps.changed-files.outputs.all_changed_files }} # $ Source[actions/composite-action-sources]
+        TAINTED: ${{ steps.changed-files.outputs.all_changed_files }}
--- a/actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output1.yml
+++ b/actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output1.yml
@@ -6,11 +6,11 @@ jobs:
    steps:
      - id: clob1
        env:
-          BODY: ${{ github.event.comment.body }} # $ Source
+          BODY: ${{ github.event.comment.body }}
        run: |
          # VULNERABLE
          echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT
-          echo "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT # $ Alert
+          echo "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT
      - id: clob2
        run: |
          echo ${{ steps.clob1.outputs.OUTPUT_1 }}
@@ -32,8 +32,8 @@ jobs:
        with:
          run_id: ${{ github.event.workflow_run.id }}
          name: pr_number 
-      - id: clob1 # $ Source
+      - id: clob1
        run: |
          # VULNERABLE
          echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT
-          echo "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT # $ Alert
+          echo "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT
--- a/actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output2.yml
+++ b/actions/ql/test/query-tests/Security/CWE-074/.github/workflows/output2.yml
@@ -6,18 +6,18 @@ jobs:
    steps:
      - id: clob1
        env:
-          BODY: ${{ github.event.comment.body }} # $ Source
+          BODY: ${{ github.event.comment.body }}
        run: |
          # VULNERABLE
          echo $BODY
-          echo "::set-output name=OUTPUT::SAFE" # $ Alert
+          echo "::set-output name=OUTPUT::SAFE"
      - id: clob2
        env:
-          BODY: ${{ github.event.comment.body }} # $ Source
+          BODY: ${{ github.event.comment.body }}
        run: |
          # VULNERABLE
          echo "::set-output name=OUTPUT::SAFE"
-          echo $BODY # $ Alert
+          echo $BODY
      - id: clob3
        run: |
          echo ${{ steps.clob1.outputs.OUTPUT }}
@@ -38,25 +38,25 @@ jobs:
        with:
          run_id: ${{ github.event.workflow_run.id }}
          name: pr_number 
-      - id: clob1 # $ Source
+      - id: clob1
        run: |
          # VULNERABLE
          PR="$(<pr-number)"
          echo "$PR"
-          echo "::set-output name=OUTPUT::SAFE" # $ Alert
+          echo "::set-output name=OUTPUT::SAFE"
      - id: clob2
        run: |
          # VULNERABLE
          cat pr-number
-          echo "::set-output name=OUTPUT::SAFE" # $ Alert
+          echo "::set-output name=OUTPUT::SAFE"
      - id: clob3
        run: |
          # VULNERABLE
          echo "::set-output name=OUTPUT::SAFE"
-          ls *.txt # $ Alert
+          ls *.txt
      - id: clob4
        run: |
          # VULNERABLE
          CURRENT_VERSION=$(cat gradle.properties | sed -n '/^version=/ { s/^version=//;p }')
          echo "$CURRENT_VERSION"
-          echo "::set-output name=OUTPUT::SAFE" # $ Alert
+          echo "::set-output name=OUTPUT::SAFE"
--- a/actions/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.expected
+++ b/actions/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.expected
@@ -1,12 +1,3 @@
 #select
 | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n |
 | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n |
 | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n |
 | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | .github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n |
 | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n |
 | .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n |
 | .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n |
 | .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n |
 edges
 | .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | provenance | Config |
 | .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | provenance | Config |
@@ -31,3 +22,12 @@ nodes
 | .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | semmle.label | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n |
 | .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | semmle.label | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n |
 subpaths
 #select
 | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n |
 | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | Potential clobbering of a step output in $@. | .github/workflows/output1.yml:36:14:39:58 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n |
 | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n |
 | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | .github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n |
 | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n |
 | .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n |
 | .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n |
 | .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | Potential clobbering of a step output in $@. | .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n |
--- a/actions/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.qlref
@@ -1,2 +1 @@
-query: experimental/Security/CWE-074/OutputClobberingHigh.ql
+experimental/Security/CWE-074/OutputClobberingHigh.ql
 postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning51.yml
+++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning51.yml
@@ -12,9 +12,9 @@ jobs:
    steps:
      - run: |
          gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
-      - name: Unzip # $ Source[actions/envvar-injection/critical]
+      - name: Unzip
        run: |
          unzip artifact_name.zip -d foo
      - name: Env Var Injection
        run: |
-          echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV
--- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning52.yml
+++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning52.yml
@@ -12,14 +12,14 @@ jobs:
    steps:
      - run: |
          gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
-      - name: Unzip # $ Source[actions/envvar-injection/critical]
+      - name: Unzip
        run: |
          unzip artifact_name.zip -d foo
      - name: Env Var Injection
        run: |
          echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"
          cat foo >> "$GITHUB_ENV"
-          echo "EOF" >> "${GITHUB_ENV}" # $ Alert[actions/envvar-injection/critical]
+          echo "EOF" >> "${GITHUB_ENV}"
--- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning53.yml
+++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/artifactpoisoning53.yml
@@ -12,7 +12,7 @@ jobs:
    steps:
      - run: |
          gh run download "${{github.event.workflow_run.id}}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
-      - name: Unzip # $ Source[actions/envvar-injection/critical]
+      - name: Unzip
        run: |
          unzip artifact_name.zip -d foo
      - run: |
@@ -20,7 +20,7 @@ jobs:
            echo 'JSON_RESPONSE<<EOF'
            cat foo
            echo EOF
-          } >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
+          } >> "$GITHUB_ENV"
--- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/path1.yml
+++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/path1.yml
@@ -10,23 +10,23 @@ jobs:
      - run: echo "${{ github.event.pull_request.title }}" >> $GITHUB_PATH
      - env: 
-          PATHINJ: ${{ github.event.pull_request.title }} # $ Source[actions/envpath-injection/critical]
+          PATHINJ: ${{ github.event.pull_request.title }}
-        run: echo $(echo "$PATHINJ") >> $GITHUB_PATH # $ Alert[actions/envpath-injection/critical]
+        run: echo $(echo "$PATHINJ") >> $GITHUB_PATH
      - env: 
-          PATHINJ: ${{ github.event.pull_request.title }} # $ Source[actions/envpath-injection/critical]
+          PATHINJ: ${{ github.event.pull_request.title }}
-        run: echo $PATHINJ >> $GITHUB_PATH # $ Alert[actions/envpath-injection/critical]
+        run: echo $PATHINJ >> $GITHUB_PATH
      - env: 
-          PATHINJ: ${{ github.event.pull_request.title }} # $ Source[actions/envpath-injection/critical]
+          PATHINJ: ${{ github.event.pull_request.title }}
-        run: echo ${PATHINJ} >> $GITHUB_PATH # $ Alert[actions/envpath-injection/critical]
+        run: echo ${PATHINJ} >> $GITHUB_PATH
      - uses: dawidd6/action-download-artifact@v2
        with:
          name: artifact_name
          path: foo
-      - run: echo "$(cat foo/bar)" >> $GITHUB_PATH # $ Alert[actions/envpath-injection/critical] Source[actions/envpath-injection/critical]
+      - run: echo "$(cat foo/bar)" >> $GITHUB_PATH
      - env:
          ACTIONS_ALLOW_UNSECURE_COMMANDS: true
-          PATHINJ: ${{ github.event.pull_request.title }} # $ Source[actions/envpath-injection/critical]
+          PATHINJ: ${{ github.event.pull_request.title }}
-        run: echo "::add-path::$PATHINJ" # $ Alert[actions/envpath-injection/critical]
+        run: echo "::add-path::$PATHINJ"
--- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test10.yml
+++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test10.yml
@@ -23,6 +23,6 @@ jobs:
          ref: ${{steps.decide-ref.outputs.ref}}
          path: "foo"
-      - name: Read Java Config # $ Source[actions/envvar-injection/critical]
+      - name: Read Java Config
-        run: cat foo/.github/java-config.env >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+        run: cat foo/.github/java-config.env >> $GITHUB_ENV
--- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml
+++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test11.yml
@@ -18,11 +18,11 @@ jobs:
          run_id: ${{ github.event.workflow_run.id }}
          name: runtime-versions.md
-      - name: "Put runtime versions on the environment" # $ Source[actions/envvar-injection/critical]
+      - name: "Put runtime versions on the environment"
        id: runtime_versions
        run: |
          {
            echo 'RUNTIME_VERSIONS<<EOF'
            cat runtime-versions.md
            echo EOF
-          } >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
+          } >> "$GITHUB_ENV"
--- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test12.yml
+++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test12.yml
@@ -43,14 +43,14 @@ jobs:
          run_id: ${{ github.event.workflow_run.id }}
          name: runtime-versions.md
-      - name: "Put runtime versions on the environment" # $ Source[actions/envvar-injection/critical]
+      - name: "Put runtime versions on the environment"
        id: runtime_versions
        run: |
          {
            echo 'RUNTIME_VERSIONS<<EOF'
            cat runtime-versions.md
            echo EOF
-          } >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
+          } >> "$GITHUB_ENV"
      - name: "Download pre-release report"
        uses: dawidd6/action-download-artifact@v2
@@ -58,14 +58,14 @@ jobs:
          run_id: ${{ github.event.workflow_run.id }}
          name: prerelease-report.md
-      - name: "Put pre-release report on the environment" # $ Source[actions/envvar-injection/critical]
+      - name: "Put pre-release report on the environment"
        id: prerelease_report
        run: |
          {
            echo 'PRERELEASE_REPORT<<EOF'
            cat prerelease-report.md
            echo EOF
-          } >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
+          } >> "$GITHUB_ENV"
      - name: "Comment on PR with Wrangler link"
        uses: marocchino/sticky-pull-request-comment@v2
--- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test13.yml
+++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test13.yml
@@ -17,7 +17,7 @@ jobs:
      - name: Get commit message
        run: |
          COMMIT_MESSAGE=$(git log --format=%s)
-          echo "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV
      - name: Get commit message
        run: |
-          echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV
--- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test14.yml
+++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test14.yml
@@ -12,7 +12,7 @@ jobs:
          ref: ${{ github.event.pull_request.head.sha }}
      - id: changed-files
        run: |
-          echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
+          echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"
      - run: echo "${{ env.CHANGED-FILES }}"
  test2:
    runs-on: ubuntu-latest
@@ -23,7 +23,7 @@ jobs:
      - id: changed-files
        run: |
          FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)
-          echo "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
+          echo "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"
      - run: echo "${{ env.CHANGED-FILES }}"
--- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test15.yml
+++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test15.yml
@@ -9,7 +9,7 @@ jobs:
    steps:
      - id: title 
        run: |
-          echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
+          echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"
      - run: echo "$TITLE"
  test2:
    runs-on: ubuntu-latest
@@ -17,7 +17,7 @@ jobs:
      - id: title 
        run: |
          PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})
-          echo "BODY=$PR_BODY" >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
+          echo "BODY=$PR_BODY" >> "$GITHUB_ENV"
      - run: echo "$TITLE"
  test3:
    runs-on: ubuntu-latest
--- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test16.yml
+++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test16.yml
@@ -12,12 +12,12 @@ jobs:
        with:
          workflow: ${{ github.event.workflow_run.workflow_id }}
          name: pr_metadata
      - run: | # $ Source[actions/envvar-injection/critical]
          # VULNERABLE
          echo "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
      - run: |
          # VULNERABLE
-          echo "PR_NUMBER=$(cat pr_number.txt | tr ',' '\n')" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV
      - run: |
          # VULNERABLE
          echo "PR_NUMBER=$(cat pr_number.txt | tr ',' '\n')" >> $GITHUB_ENV
      - run: |
          # NOT VULNERABLE
          echo "PR_NUMBER=$(cat pr_number.txt | tr '\n' ' ')" >> $GITHUB_ENV
--- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml
+++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml
@@ -38,6 +38,6 @@ jobs:
            });
            var fs = require('fs');
            fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(downloadPr.data));
-      - run: | # $ Source[actions/envvar-injection/critical]
+      - run: |
          unzip pr.zip
-          echo "pr_number=$(cat NR)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "pr_number=$(cat NR)" >> $GITHUB_ENV
--- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml
+++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml
@@ -17,7 +17,7 @@ jobs:
        workflow_conclusion: ''
        name: pr_metadata
        if_no_artifact_found: 'ignore'
-    - run: | # $ Source[actions/envvar-injection/critical]
+    - run: |
         echo "PR_NUMBER=$(cat pr_number.txt | jq -r .)" >> $GITHUB_ENV
         echo "PR_HEAD_REPO=$(cat pr_head_repo.txt | jq -Rr .)" >> $GITHUB_ENV
-         echo "PR_HEAD_REF=$(cat pr_head_ref.txt | jq -Rr .)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+         echo "PR_HEAD_REF=$(cat pr_head_ref.txt | jq -Rr .)" >> $GITHUB_ENV
--- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml
+++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml
@@ -8,43 +8,43 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - env:
-          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
+          TITLE: ${{ github.event.pull_request.title }}
        run: |
-          echo "PR_TITLE=$TITLE" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "PR_TITLE=$TITLE" >> $GITHUB_ENV
      - env:
-          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
+          TITLE: ${{ github.event.pull_request.title }}
        run: |
-          echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV
      - env:
-          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
+          TITLE: ${{ github.event.pull_request.title }}
        run: |
-          echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV
      - env:
-          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
+          TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "PR_TITLE<<EOF" >> $GITHUB_ENV
          echo "$TITLE" >> $GITHUB_ENV
-          echo "EOF" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "EOF" >> $GITHUB_ENV
      - env:
-          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
+          TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"
          echo "$TITLE" >> "${GITHUB_ENV}"
-          echo "EOF" >> "${GITHUB_ENV}" # $ Alert[actions/envvar-injection/critical]
+          echo "EOF" >> "${GITHUB_ENV}"
      - env:
-          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
+          TITLE: ${{ github.event.pull_request.title }}
        run: |
          {
            echo 'JSON_RESPONSE<<EOF'
            echo "$TITLE"
            echo EOF
-          } >> "$GITHUB_ENV" # $ Alert[actions/envvar-injection/critical]
+          } >> "$GITHUB_ENV"
      - env:
-          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
+          TITLE: ${{ github.event.pull_request.title }}
        run: |
          cat <<-EOF >> "$GITHUB_ENV"
          FOO=$TITLE
-          EOF # $ Alert[actions/envvar-injection/critical]
+          EOF
      - env:
          TITLE: ${{ github.event.pull_request.head.ref }}
        run: |
@@ -52,12 +52,12 @@ jobs:
      - run: echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV
        env:
          TARGET_BRANCH: ${{ github.head_ref }}
-      - run: echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+      - run: echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV
        env:
-          TARGET_BRANCH: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
+          TARGET_BRANCH: ${{ github.event.pull_request.title }}
-      - run: echo ISSUE_KEY=$(echo "${TITLE}" | grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+      - run: echo ISSUE_KEY=$(echo "${TITLE}" | grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV
        env:
-          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
+          TITLE: ${{ github.event.pull_request.title }}
      - env:
          TITLE: |-
            ${{ github.event.pull_request.title }}
--- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test5.yml
+++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test5.yml
@@ -27,10 +27,10 @@ jobs:
            });
            let fs = require('fs');
            fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/oc-code-coverage.zip`, Buffer.from(download.data));
-      - name: 'Unzip code coverage' # $ Source[actions/envvar-injection/critical]
+      - name: 'Unzip code coverage'
        run: unzip oc-code-coverage.zip -d coverage
      - name: set env vars 
        run: | 
          echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV
          echo "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV
-          echo "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV
--- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test6.yml
+++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test6.yml
@@ -8,20 +8,20 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - env:
-          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
+          TITLE: ${{ github.event.pull_request.title }}
        run: |
          FOO=${TITLE##*/}
-          echo PR_TITLE=${FOO} >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo PR_TITLE=${FOO} >> $GITHUB_ENV
      - env:
-          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
+          TITLE: ${{ github.event.pull_request.title }}
        run: |
          FOO=$TITLE+
-          echo PR_TITLE=$FOO >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo PR_TITLE=$FOO >> $GITHUB_ENV
      - env:
-          TITLE: ${{ github.event.pull_request.title }} # $ Source[actions/envvar-injection/critical]
+          TITLE: ${{ github.event.pull_request.title }}
        run: |
          venv="$(echo $TITLE)')"
-          echo "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV
--- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test7.yml
+++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test7.yml
@@ -13,7 +13,7 @@ jobs:
            run_id: ${{github.event.workflow_run.id}}
            name: artifact
-      - name: Load .env file # $ Source[actions/envvar-injection/critical]
+      - name: Load .env file
        uses: aarcangeli/load-dotenv@v1.0.0
        with:
          path: 'backend/new'
@@ -21,5 +21,5 @@ jobs:
            .env
            .env.test
          quiet: false
-          if-file-not-found: error # $ Alert[actions/envvar-injection/critical]
+          if-file-not-found: error
--- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml
+++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml
@@ -27,13 +27,13 @@ jobs:
          run_id: ${{ github.event.workflow_run.id }}
          path: ./artifacts
-      - name: assignment # $ Source[actions/envvar-injection/critical]
+      - name: assignment
        run: |
          foo=$(cat ./artifacts/parent-artifacts/event.txt)
-          echo "foo=$foo" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "foo=$foo" >> $GITHUB_ENV
      - name: direct 1 
        run: |
-          echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV
      - name: direct 2
        run: |
-          echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV
--- a/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test9.yml
+++ b/actions/ql/test/query-tests/Security/CWE-077/.github/workflows/test9.yml
@@ -24,7 +24,7 @@ jobs:
          name: event_file
          path: artifacts/event_file
-      - name: Try to read PR number # $ Source[actions/envvar-injection/critical]
+      - name: Try to read PR number
        id: set-ref
        run: |
          pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)
@@ -38,4 +38,4 @@ jobs:
          fi
          echo "pr_num=$pr_num" >> $GITHUB_ENV
-          echo "ref=$ref" >> $GITHUB_ENV # $ Alert[actions/envvar-injection/critical]
+          echo "ref=$ref" >> $GITHUB_ENV
--- a/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected
+++ b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected
@@ -1,9 +1,3 @@
 #select
 | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
 edges
 | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance | Config |
 | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance | Config |
@@ -22,3 +16,9 @@ nodes
 | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
 | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | semmle.label | echo "::add-path::$PATHINJ" |
 subpaths
 #select
 | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | echo $(echo "$PATHINJ") >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | echo $PATHINJ >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | echo ${PATHINJ} >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | echo "$(cat foo/bar)" >> $GITHUB_PATH | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | Potential PATH environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | echo "::add-path::$PATHINJ" | .github/workflows/path1.yml:4:3:4:21 | pull_request_target | pull_request_target |
--- a/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.qlref
@@ -1,2 +1 @@
-query: Security/CWE-077/EnvPathInjectionCritical.ql
+Security/CWE-077/EnvPathInjectionCritical.ql
 postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected
+++ b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected
@@ -1,4 +1,3 @@
 #select
 edges
 | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance | Config |
 | .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance | Config |
@@ -17,3 +16,4 @@ nodes
 | .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
 | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | semmle.label | echo "::add-path::$PATHINJ" |
 subpaths
 #select
--- a/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.qlref
@@ -1,2 +1 @@
-query: Security/CWE-077/EnvPathInjectionMedium.ql
+Security/CWE-077/EnvPathInjectionMedium.ql
 postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected
+++ b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.expected
@@ -1,40 +1,3 @@
 #select
 | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  cat foo\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  cat foo\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  cat foo\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'JSON_RESPONSE<<EOF'\n  cat foo\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:3:3:3:14 | workflow_run | workflow_run |
 | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:3:3:3:14 | workflow_run | workflow_run |
 | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test4.yml:36:14:41:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE"\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE"\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:36:14:41:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE"\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE"\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:3:3:3:14 | workflow_run | workflow_run |
 | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test7.yml:16:9:24:35 | Uses Step | .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Uses Step | .github/workflows/test7.yml:4:5:4:16 | workflow_run | workflow_run |
 | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test11.yml:23:14:28:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test11.yml:23:14:28:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test11.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test12.yml:48:14:53:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:48:14:53:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target |
 | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target |
 | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run |
 edges
 | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | Config |
 | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config |
@@ -129,3 +92,40 @@ nodes
 | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n |
 | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n |
 subpaths
 #select
 | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | .github/workflows/artifactpoisoning51.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/artifactpoisoning52.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  cat foo\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  cat foo\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  cat foo\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'JSON_RESPONSE<<EOF'\n  cat foo\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:12:9:41:6 | Uses Step | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test2.yml:41:14:43:52 | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | unzip pr.zip\necho "pr_number=$(cat NR)" >> $GITHUB_ENV\n | .github/workflows/test2.yml:3:3:3:14 | workflow_run | workflow_run |
 | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:13:7:20:4 | Uses Step | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test3.yml:20:12:23:77 | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | echo "PR_NUMBER=$(cat pr_number.txt \| jq -r .)" >> $GITHUB_ENV\necho "PR_HEAD_REPO=$(cat pr_head_repo.txt \| jq -Rr .)" >> $GITHUB_ENV\necho "PR_HEAD_REF=$(cat pr_head_ref.txt \| jq -Rr .)" >> $GITHUB_ENV\n | .github/workflows/test3.yml:3:3:3:14 | workflow_run | workflow_run |
 | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:12:14:13:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:15:19:15:56 | github.event.pull_request.title | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:16:14:17:50 | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | echo "PR_TITLE=${TITLE}" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:19:19:19:56 | github.event.pull_request.title | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:20:14:21:54 | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | echo PR_TITLE=$(echo $TITLE) >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test4.yml:36:14:41:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE"\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE"\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:36:14:41:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE"\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE"\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | cat <<-EOF >> "$GITHUB_ENV"\nFOO=$TITLE\nEOF\n | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:60:19:60:56 | github.event.pull_request.title | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test4.yml:58:14:58:94 | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | echo ISSUE_KEY=$(echo "${TITLE}" \| grep -oP 'ISPN-(?P<id>[0-9]+)') >> $GITHUB_ENV | .github/workflows/test4.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:3:3:3:14 | workflow_run | workflow_run |
 | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:11:19:11:56 | github.event.pull_request.title | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:12:14:14:46 | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | FOO=${TITLE##*/}\necho PR_TITLE=${FOO} >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:16:19:16:56 | github.event.pull_request.title | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:17:14:19:44 | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | FOO=$TITLE+\necho PR_TITLE=$FOO >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:21:19:21:56 | github.event.pull_request.title | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test6.yml:22:14:24:52 | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | venv="$(echo $TITLE)')"\necho "VIRTUAL_ENV=${venv}" >> $GITHUB_ENV\n | .github/workflows/test6.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test7.yml:16:9:24:35 | Uses Step | .github/workflows/test7.yml:9:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test7.yml:16:9:24:35 | Uses Step | Uses Step | .github/workflows/test7.yml:4:5:4:16 | workflow_run | workflow_run |
 | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:31:14:33:41 | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | foo=$(cat ./artifacts/parent-artifacts/event.txt)\necho "foo=$foo" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:35:14:36:82 | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(cat ./artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:24:9:30:6 | Uses Step | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test8.yml:38:14:39:79 | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | echo "foo=$(< /artifacts/parent-artifacts/event.txt)" >> $GITHUB_ENV\n | .github/workflows/test8.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:19:9:27:6 | Uses Step | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test9.yml:29:14:41:41 | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | pr_num=$(jq -r '.pull_request.number' artifacts/event_file/event.json)\nif [ -z "$pr_num" ] \|\| [ "$pr_num" == "null" ]; then\n  pr_num=""\nfi\n\nref=$pr_num\nif [ -z "$ref" ] \|\| [ "$ref" == "null" ]; then\n  ref=${{ github.ref }}\nfi\n\necho "pr_num=$pr_num" >> $GITHUB_ENV\necho "ref=$ref" >> $GITHUB_ENV\n | .github/workflows/test9.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:20:9:26:6 | Uses Step | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test10.yml:27:14:27:59 | cat foo/.github/java-config.env >> $GITHUB_ENV | cat foo/.github/java-config.env >> $GITHUB_ENV | .github/workflows/test10.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test11.yml:23:14:28:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test11.yml:15:9:21:6 | Uses Step | .github/workflows/test11.yml:23:14:28:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test11.yml:23:14:28:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test11.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test12.yml:48:14:53:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:48:14:53:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:48:14:53:29 | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'RUNTIME_VERSIONS<<EOF'\n  cat runtime-versions.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:38:9:46:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:55:9:61:6 | Uses Step | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test12.yml:63:14:68:29 | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'PRERELEASE_REPORT<<EOF'\n  cat prerelease-report.md\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test12.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:18:14:20:65 | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | COMMIT_MESSAGE=$(git log --format=%s)\necho "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target |
 | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test13.yml:22:14:23:70 | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV\n | .github/workflows/test13.yml:3:3:3:21 | pull_request_target | pull_request_target |
 | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:14:14:15:122 | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test14.yml:24:14:26:57 | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)\necho "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"\n | .github/workflows/test14.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:11:14:12:98 | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test15.yml:18:14:20:48 | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})\necho "BODY=$PR_BODY" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:10:9:15:6 | Uses Step | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | Potential environment variable injection in $@, which may be controlled by an external user ($@). | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | .github/workflows/test16.yml:4:3:4:14 | workflow_run | workflow_run |
--- a/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionCritical.qlref
@@ -1,2 +1 @@
-query: Security/CWE-077/EnvVarInjectionCritical.ql
+Security/CWE-077/EnvVarInjectionCritical.ql
 postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected
+++ b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.expected
@@ -1,4 +1,3 @@
 #select
 edges
 | .github/workflows/artifactpoisoning51.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning51.yml:19:14:20:57 | echo "pr_number=$(cat foo/bar)" >> $GITHUB_ENV\n | provenance | Config |
 | .github/workflows/artifactpoisoning52.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning52.yml:19:14:22:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\ncat foo >> "$GITHUB_ENV"\necho "EOF" >> "${GITHUB_ENV}"\n | provenance | Config |
@@ -93,3 +92,4 @@ nodes
 | .github/workflows/test16.yml:15:14:17:63 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt)" >> $GITHUB_ENV\n |
 | .github/workflows/test16.yml:18:14:20:77 | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n | semmle.label | # VULNERABLE\necho "PR_NUMBER=$(cat pr_number.txt \| tr ',' '\\n')" >> $GITHUB_ENV\n |
 subpaths
 #select
--- a/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-077/EnvVarInjectionMedium.qlref
@@ -1,2 +1 @@
-query: Security/CWE-077/EnvVarInjectionMedium.ql
+Security/CWE-077/EnvVarInjectionMedium.ql
 postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/actions/ql/test/query-tests/Security/CWE-078/.github/workflows/comment_issue.yml
+++ b/actions/ql/test/query-tests/Security/CWE-078/.github/workflows/comment_issue.yml
@@ -6,4 +6,4 @@ jobs:
    steps:
      - uses: ruby/setup-ruby@v2
        with:
-          ruby-version: ${{ github.event.comment.body }} # $ Alert[actions/command-injection/critical]
+          ruby-version: ${{ github.event.comment.body }}
--- a/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected
+++ b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected
@@ -1,6 +1,6 @@
 #select
 | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential command injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment |
 edges
 nodes
 | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body |
 subpaths
 #select
 | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential command injection in $@, which may be controlled by an external user ($@). | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} | .github/workflows/comment_issue.yml:1:5:1:17 | issue_comment | issue_comment |
--- a/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.qlref
@@ -1,2 +1 @@
-query: experimental/Security/CWE-078/CommandInjectionCritical.ql
+experimental/Security/CWE-078/CommandInjectionCritical.ql
 postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected
+++ b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected
@@ -1,5 +1,5 @@
 #select
 edges
 nodes
 | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body |
 subpaths
 #select
--- a/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.qlref
@@ -1,2 +1 @@
-query: experimental/Security/CWE-078/CommandInjectionMedium.ql
+experimental/Security/CWE-078/CommandInjectionMedium.ql
 postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/actions/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml
+++ b/actions/ql/test/query-tests/Security/CWE-088/.github/workflows/arg_injection.yml
@@ -7,7 +7,7 @@ jobs:
  test1:
    runs-on: ubuntu-latest
    env:
-      TITLE: ${{github.event.pull_request.title}} # $ Source[actions/argument-injection/critical]
+      TITLE: ${{github.event.pull_request.title}}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
@@ -18,50 +18,50 @@ jobs:
          echo "s/FOO/$TITLE/g"
      - run: |
          # VULNERABLE
-          sed "s/FOO/$TITLE/g" # $ Alert[actions/argument-injection/critical]
+          sed "s/FOO/$TITLE/g"
      - run: |
          # VULNERABLE
-          echo "foo" | sed "s/FOO/$TITLE/g" > bar # $ Alert[actions/argument-injection/critical]
+          echo "foo" | sed "s/FOO/$TITLE/g" > bar
      - run: |
          # VULNERABLE
-          echo $(echo "foo" | sed "s/FOO/$TITLE/g" > bar) # $ Alert[actions/argument-injection/critical]
+          echo $(echo "foo" | sed "s/FOO/$TITLE/g" > bar)
      - run: |
          # VULNERABLE
-          awk "BEGIN {$TITLE}" # $ Alert[actions/argument-injection/critical]
+          awk "BEGIN {$TITLE}"
      - run: |
          # VULNERABLE
-          sed -i "s/git_branch = .*/git_branch = \"$GITHUB_HEAD_REF\"/" config.json # $ Alert[actions/argument-injection/critical]
+          sed -i "s/git_branch = .*/git_branch = \"$GITHUB_HEAD_REF\"/" config.json
      - run: |
          # VULNERABLE
-          sed -i "s|git_branch = .*|git_branch = \"$GITHUB_HEAD_REF\"|" config.json # $ Alert[actions/argument-injection/critical]
+          sed -i "s|git_branch = .*|git_branch = \"$GITHUB_HEAD_REF\"|" config.json
      - run: |
          # VULNERABLE
          sed -e 's#<branch_to_sync>#${TITLE}#' \
              -e 's#<sot_repo>#${{ env.sot_repo }}#' \
              -e 's#<destination_repo>#TITLE#' \
-              .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky # $ Alert[actions/argument-injection/critical]
+              .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky
      - run: |
          # VULNERABLE
          sed -e 's#<branch_to_sync>#TITLE#' \
              -e 's#<sot_repo>#${{ env.sot_repo }}#' \
              -e 's#<destination_repo>#${TITLE}#' \
-              .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky # $ Alert[actions/argument-injection/critical]
+              .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky
      - run: |
          # VULNERABLE
          BODY=$(git log --format=%s)
-          sed "s/FOO/$BODY/g" > /tmp/foo # $ Alert[actions/argument-injection/critical]
+          sed "s/FOO/$BODY/g" > /tmp/foo
      - run: |
          # VULNERABLE
          BODY=$(git diff --name-only HEAD)
-          sed "s/FOO/$BODY/g" > /tmp/foo # $ Alert[actions/argument-injection/critical]
+          sed "s/FOO/$BODY/g" > /tmp/foo
      - run: |
          # VULNERABLE
          BODY=$(git diff --name-only HEAD )
-          sed "s/FOO/$BODY/g" > /tmp/foo # $ Alert[actions/argument-injection/critical]
+          sed "s/FOO/$BODY/g" > /tmp/foo
      - run: |
          # VULNERABLE
          BODY=$(git diff --name-only HEAD^ | xargs)
-          sed "s/FOO/$BODY/g" > /tmp/foo # $ Alert[actions/argument-injection/critical]
+          sed "s/FOO/$BODY/g" > /tmp/foo
      - run: |
          # NOT VULNERABLE
          echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT
--- a/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected
+++ b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.expected
@@ -1,16 +1,3 @@
 #select
 | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | awk | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#TITLE#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#TITLE#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#TITLE#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#${TITLE}#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#${TITLE}#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#${TITLE}#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 edges
 | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | provenance | Config |
 | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | provenance | Config |
@@ -33,3 +20,16 @@ nodes
 | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n |
 | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n |
 subpaths
 #select
 | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:25:14:27:58 | # VULNERABLE\necho $(echo "foo" \| sed "s/FOO/$TITLE/g" > bar)\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:28:14:30:31 | # VULNERABLE\nawk "BEGIN {$TITLE}"\n | awk | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:31:14:33:84 | # VULNERABLE\nsed -i "s/git_branch = .*/git_branch = \\"$GITHUB_HEAD_REF\\"/" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:34:14:36:84 | # VULNERABLE\nsed -i "s\|git_branch = .*\|git_branch = \\"$GITHUB_HEAD_REF\\"\|" config.json\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#TITLE#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#TITLE#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:37:14:42:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#${TITLE}#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#TITLE#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#${TITLE}#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#${TITLE}#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:43:14:48:111 | # VULNERABLE\nsed -e 's#<branch_to_sync>#TITLE#' \\\n    -e 's#<sot_repo>#${{ env.sot_repo }}#' \\\n    -e 's#<destination_repo>#${TITLE}#' \\\n    .github/workflows/common-copybara.bara.sky.template > .github/workflows/common-copybara.bara.sky\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:49:14:52:41 | # VULNERABLE\nBODY=$(git log --format=%s)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:53:14:56:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | Potential argument injection in $@ command, which may be controlled by an external user ($@). | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | sed | .github/workflows/arg_injection.yml:4:3:4:21 | pull_request_target | pull_request_target |
--- a/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionCritical.qlref
@@ -1,2 +1 @@
-query: experimental/Security/CWE-088/ArgumentInjectionCritical.ql
+experimental/Security/CWE-088/ArgumentInjectionCritical.ql
 postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected
+++ b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.expected
@@ -1,4 +1,3 @@
 #select
 edges
 | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:19:14:21:31 | # VULNERABLE\nsed "s/FOO/$TITLE/g"\n | provenance | Config |
 | .github/workflows/arg_injection.yml:10:15:10:50 | github.event.pull_request.title | .github/workflows/arg_injection.yml:22:14:24:50 | # VULNERABLE\necho "foo" \| sed "s/FOO/$TITLE/g" > bar\n | provenance | Config |
@@ -21,3 +20,4 @@ nodes
 | .github/workflows/arg_injection.yml:57:14:60:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD )\nsed "s/FOO/$BODY/g" > /tmp/foo\n |
 | .github/workflows/arg_injection.yml:61:14:64:41 | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n | semmle.label | # VULNERABLE\nBODY=$(git diff --name-only HEAD^ \| xargs)\nsed "s/FOO/$BODY/g" > /tmp/foo\n |
 subpaths
 #select
--- a/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.qlref
+++ b/actions/ql/test/query-tests/Security/CWE-088/ArgumentInjectionMedium.qlref
@@ -1,2 +1 @@
-query: experimental/Security/CWE-088/ArgumentInjectionMedium.ql
+experimental/Security/CWE-088/ArgumentInjectionMedium.ql
 postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action1/action.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action1/action.yml
@@ -4,4 +4,4 @@ runs:
  using: 'composite'
  steps:
    - shell: bash
-      run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/critical]
+      run: echo '${{ github.event.pull_request.body }}'
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action3/action.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action3/action.yml
@@ -6,4 +6,4 @@ runs:
    - shell: bash
      env:
        FOO: ${{ secrets.FOO}}
-      run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/medium]
+      run: echo '${{ github.event.pull_request.body }}'
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action4/action.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action4/action.yml
@@ -4,4 +4,4 @@ runs:
  using: 'composite'
  steps:
    - shell: bash
-      run: echo '${{ github.event.pull_request.body }}' # $ Alert[actions/code-injection/medium]
+      run: echo '${{ github.event.pull_request.body }}'
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml
@@ -16,7 +16,7 @@ runs:
  using: 'composite'
  steps:
    - shell: bash
-      run: echo '${{ github.event.issue.body }}' # $ Alert[actions/code-injection/critical]
+      run: echo '${{ github.event.issue.body }}'
    - name: Step
      id: step 
      env:
@@ -25,10 +25,10 @@ runs:
      run: echo "result=$(echo $FOO)" >> $GITHUB_OUTPUT
    - id: step2
      env:
-        FOO2: ${{ github.event.issue.body }} # $ Source[actions/code-injection/critical]
+        FOO2: ${{ github.event.issue.body }}
      shell: bash
      run: echo "result2=$(echo $FOO2)" >> $GITHUB_OUTPUT
    - name: Sink
      id: sink
      shell: bash
-      run: echo "${{ inputs.taint }}" # $ Alert[actions/code-injection/critical]
+      run: echo "${{ inputs.taint }}"
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action6/action.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action6/action.yml
@@ -213,7 +213,7 @@ runs:
      run: |
        git config --global user.name "${{ inputs.github_username }}"
        git config --global user.email "${{ inputs.github_email }}"
-        git pull origin ${{ github.head_ref || github.ref }} # $ Alert[actions/code-injection/critical]
+        git pull origin ${{ github.head_ref || github.ref }}
        git add .
        git reset HEAD -- .github/workflows/  # workflow changes are not permitted with default token
        if ! git diff --staged --quiet; then
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action7/action.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/action7/action.yml
@@ -74,7 +74,7 @@ runs:
      #   pip install -q git+https://github.com/ultralytics/actions@main codespell tomli
      run: |
        packages="ultralytics-actions"
-        if [ "${{ inputs.spelling }}" = "true" ]; then # $ Alert[actions/code-injection/medium]
+        if [ "${{ inputs.spelling }}" = "true" ]; then
          packages="$packages codespell tomli"
        fi
@@ -211,10 +211,10 @@ runs:
    - name: Commit and Push Changes
      if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && github.event.action != 'closed'
      run: |
-        git config --global user.name "${{ inputs.github_username }}" # $ Alert[actions/code-injection/medium]
+        git config --global user.name "${{ inputs.github_username }}"
-        git config --global user.email "${{ inputs.github_email }}" # $ Alert[actions/code-injection/medium]
+        git config --global user.email "${{ inputs.github_email }}"
        # this action is not called in the test
-        git pull origin ${{ github.head_ref || github.ref }} # $ Alert[actions/code-injection/medium]
+        git pull origin ${{ github.head_ref || github.ref }}
        git add .
        git reset HEAD -- .github/workflows/  # workflow changes are not permitted with default token
        if ! git diff --staged --quiet; then
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml
@@ -19,7 +19,7 @@ runs:
  using: composite
  steps:
    - shell: bash
-      run: echo "${{ inputs.title }}" # $ Alert[actions/code-injection/critical]
+      run: echo "${{ inputs.title }}"
    - uses: frabert/replace-string-action@v2.5
      id: out 
      with:
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/ultralytics/actions/action.yaml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/actions/external/ultralytics/actions/action.yaml
@@ -93,7 +93,7 @@ runs:
      shell: bash
    - shell: bash
      run: |
-        echo "${{ inputs.body }}" # $ Alert[actions/code-injection/critical]
+        echo "${{ inputs.body }}"
    # Checkout Repository ----------------------------------------------------------------------------------------------
    - name: Checkout Repository
@@ -220,7 +220,7 @@ runs:
      run: |
        git config --global user.name "${{ inputs.github_username }}"
        git config --global user.email "${{ inputs.github_email }}"
-        git pull origin ${{ github.head_ref || github.ref }} # $ Alert[actions/code-injection/critical]
+        git pull origin ${{ github.head_ref || github.ref }}
        git add .
        git reset HEAD -- .github/workflows/  # workflow changes are not permitted with default token
        if ! git diff --staged --quiet; then
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/argus_case_study.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/argus_case_study.yml
@@ -14,7 +14,7 @@ jobs:
      - uses: actions/checkout@v2
      - name: Remove conflicting chars
        env:
-          ISSUE_TITLE: ${{github.event.issue.title}} # $ Source[actions/code-injection/critical]
+          ISSUE_TITLE: ${{github.event.issue.title}}
        uses: frabert/replace-string-action@1.2
        id: remove_quotations
        with:
@@ -24,6 +24,6 @@ jobs:
      - name: Check info
        id: check-info
        run: |
-          echo "foo $(pwsh bar ${{steps.remove_quotations.outputs.replaced}}) " >> $GITHUB_ENV # $ Alert[actions/code-injection/critical]
+          echo "foo $(pwsh bar ${{steps.remove_quotations.outputs.replaced}}) " >> $GITHUB_ENV
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning1.yml
@@ -17,12 +17,12 @@ jobs:
          workflow: ${{ github.event.workflow_run.workflow_id }}
          name: pr
-      - name: save PR id # $ Source[actions/code-injection/critical]
+      - name: save PR id
        id: pr
        run: echo "::set-output name=id::$(<pr-id.txt)"
      - name: upload surge service
        id: deploy
        run: |
-          export DEPLOY_DOMAIN=https://ant-design-pro-preview-pr-${{ steps.pr.outputs.id }}.surge.sh # $ Alert[actions/code-injection/critical]
+          export DEPLOY_DOMAIN=https://ant-design-pro-preview-pr-${{ steps.pr.outputs.id }}.surge.sh
          npx surge --project ./ --domain $DEPLOY_DOMAIN --token ${{ secrets.SURGE_TOKEN }}
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning2.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning2.yml
@@ -16,8 +16,8 @@ jobs:
        with:
          name: README
-      - name: upload surge service # $ Source[actions/code-injection/critical]
+      - name: upload surge service
        id: deploy
        run: |
-          echo ${{ steps.pr.outputs.id }} # $ Alert[actions/code-injection/critical]
+          echo ${{ steps.pr.outputs.id }}
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning3.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning3.yml
@@ -38,7 +38,7 @@ jobs:
            });
            var fs = require('fs');
            fs.writeFileSync('${{github.workspace}}/input.zip', Buffer.from(download.data));
-      - name: Set needed env vars in outputs # $ Source[actions/code-injection/critical]
+      - name: Set needed env vars in outputs
        id: prepare
        run: |
          unzip input.zip
@@ -50,4 +50,4 @@ jobs:
          echo "PR: ${tmp}"
          echo "pr=${tmp}" >> $GITHUB_OUTPUT
-      - run: echo ${{ steps.prepare.outputs.pr }} # $ Alert[actions/code-injection/critical]
+      - run: echo ${{ steps.prepare.outputs.pr }}
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning4.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning4.yml
@@ -14,9 +14,9 @@ jobs:
            name: artifact
      # Save PR id to output
-      - name: Save artifact data # $ Source[actions/code-injection/critical]
+      - name: Save artifact data
        id: artifact
        run: echo "::set-output name=id::$(<artifact.txt)"
      - name: Use artifact
-        run: echo ${{ steps.artifact.outputs.id }}  # $ Alert[actions/code-injection/critical]
+        run: echo ${{ steps.artifact.outputs.id }} 
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning5.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning5.yml
@@ -13,11 +13,11 @@ jobs:
            name: artifact
      # Save PR id to output
-      - name: Save artifact data # $ Source[actions/code-injection/critical]
+      - name: Save artifact data
        id: artifact
        uses: juliangruber/read-file-action@v1
        with:
          path: ./artifact.txt
      - name: Use artifact
-        run: echo ${{ steps.artifact.outputs.content }}  # $ Alert[actions/code-injection/critical]
+        run: echo ${{ steps.artifact.outputs.content }} 
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning6.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning6.yml
@@ -12,13 +12,13 @@ jobs:
            run_id: ${{github.event.workflow_run.id}}
            name: artifact
-      - id: artifact # $ Source[actions/code-injection/critical]
+      - id: artifact
        run: |
          echo "::set-output name=pr_number::$(<artifact.txt)"
          mkdir firebase-android
          unzip firebase-android.zip -d firebase-android
      - name: Use artifact
-        run: echo ${{ steps.artifact.outputs.pr_number }}  # $ Alert[actions/code-injection/critical]
+        run: echo ${{ steps.artifact.outputs.pr_number }} 
      - id: artifact2
        run: |
@@ -26,5 +26,5 @@ jobs:
          mkdir firebase-android
          unzip firebase-android.zip -d firebase-android
      - name: Use artifact
-        run: echo ${{ steps.artifact2.outputs.pr_number }}  # $ Alert[actions/code-injection/critical]
+        run: echo ${{ steps.artifact2.outputs.pr_number }} 
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning7.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning7.yml
@@ -12,7 +12,7 @@ jobs:
            run_id: ${{github.event.workflow_run.id}}
            name: artifact
-      - id: artifact # $ Source[actions/code-injection/critical]
+      - id: artifact
        run: |
          set -eou pipefail
          pr_number=$(cat -e artifact.txt)
@@ -27,5 +27,5 @@ jobs:
          mkdir firebase-android
          unzip firebase-android.zip -d firebase-android
      - name: Use artifact
-        run: echo ${{ steps.artifact.outputs.pr_number }}  # $ Alert[actions/code-injection/critical]
+        run: echo ${{ steps.artifact.outputs.pr_number }} 
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning8.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning8.yml
@@ -14,9 +14,9 @@ jobs:
            name: artifact
      # Save PR id to output
-      - name: Save artifact data # $ Source[actions/code-injection/critical]
+      - name: Save artifact data
        id: artifact
        run: echo "::set-output name=id::$(<artifact.txt)"
      - name: Use artifact
-        run: echo ${{ steps.artifact.outputs.id }}  # $ Alert[actions/code-injection/critical]
+        run: echo ${{ steps.artifact.outputs.id }} 
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Copilot	b682877968	Python: simplify TBlockStmt char pred via exclusion list Replace the 14-disjunct allow-list with a 2-conjunct exclusion list. Of the 17 Py::StmtList getters in AstGenerated.qll, only Try.getHandlers() and MatchStmt.getCases() should not be wrapped as BlockStmts (they are iterated individually by the shared library's Try/Switch logic via getCatch(int) and getCase(int)). All other StmtLists are imperative block bodies. No behaviour change: all 24 NewCfg evaluation-order tests pass; all 11 shared-CFG consistency queries report 0 violations on CPython. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-05-07 17:13:50 +00:00
Copilot	c9445f74c2	Python: introduce TStmt union via newtype-branch alias Rename the TStmt newtype branch to TPyStmt, and add a private union type alias private class TStmt = TPyStmt or TBlockStmt; This lets the public Stmt class use TStmt directly in its extends clause: class Stmt extends AstNodeImpl, TStmt { ... } instead of the previous class Stmt extends AstNodeImpl { Stmt() { this instanceof TStmt or this instanceof TBlockStmt } ... } The same pattern is used in cpp/.../TInstruction.qll and rust/.../Synth.qll. No behaviour change: all 24 NewCfg evaluation-order tests pass; all 11 shared-CFG consistency queries report 0 violations on CPython. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-05-07 17:08:10 +00:00
Copilot	ed1709eb4a	Python: use private-abstract + final-alias pattern for AstNode Convert AstNode from a concrete class with empty default predicates into a private abstract class plus a final alias, matching the pattern used in cpp/.../EdgeKind.qll and cpp/.../IRVariable.qll: abstract private class AstNodeImpl extends TAstNode { abstract string toString(); abstract Py::Location getLocation(); abstract Callable getEnclosingCallable(); ... } final class AstNode = AstNodeImpl; This makes the compiler enforce that every concrete subclass implements toString/getLocation/getEnclosingCallable, replacing the brittle 'empty default + per-branch override' arrangement. Sister classes inside the module now extend AstNodeImpl instead of AstNode (which is final and cannot be extended). The empty Parameter stub gains explicit none() overrides for the three abstract members, since QL requires them statically even when the class has no instances. No behaviour change: all 24 NewCfg evaluation-order tests pass; all 11 shared-CFG consistency queries report 0 violations on CPython. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-05-07 16:58:43 +00:00
Copilot	00c742f5ff	Python: document why Assignment subclasses are empty Explain that the shared library's Assignment / CompoundAssignment hierarchy extends BinaryExpr, so it cannot host Python's statement- level assignment forms (Assign, AugAssign), and that Python has no short-circuiting compound operators (&&=, \|\|=, ??=) so all subclasses remain empty. No behaviour change; doc comments only. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-05-07 14:14:16 +00:00
Copilot	06e9bbc3a6	Python: index TBlockStmt by Py::StmtList instead of (parent, slot) Replace the two-key TBlockStmt(Py::AstNode parent, string slot) newtype branch with the simpler TBlockStmt(Py::StmtList sl). Each Py::StmtList that represents an imperative block (function/class/module body, if/ while/for branch, try/except/finally body, case body, except/except* body) becomes one BlockStmt directly. The slot string disappears; toString just defers to Py::StmtList.toString() ('StmtList'). The newtype branch keeps an explicit characteristic predicate listing the slots that count as block bodies. This excludes Try.getHandlers(), which is a Py::StmtList of ExceptStmt items already iterated by the shared library's Try logic via getCatch(int) - including it would produce parallel CFG edges (verified: a permissive TBlockStmt(Py::StmtList sl) version regressed CPython to 1720 multipleSuccessors and 584 deadEnds before this restriction). Drops the getBodyStmtList helper. Caller sites now use the StmtList accessor directly: TBlockStmt(ifStmt.getBody()), TBlockStmt(tryStmt.getFinalbody()), etc. No behaviour change: all 24 NewCfg evaluation-order tests pass; all 11 shared-CFG consistency queries report 0 violations on CPython. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-05-07 12:54:02 +00:00
Copilot	250b63c216	Python: unify Py::BoolExpr handling via TBoolExprPair Previously a Py::BoolExpr appeared in two newtype branches: as TExpr(be) (the outermost pair) and TBoolExprPair(be, i) for inner pairs of 3+ operand expressions. This forced BinaryExpr/LogicalAndExpr/LogicalOrExpr to disjoin two cases, and the synthetic-pair handling spanned multiple layers. Restrict TExpr to non-BoolExpr Py::Expr, and extend TBoolExprPair to cover every operand pair (index 0..n-2). Now every Py::BoolExpr is represented uniformly as TBoolExprPair(_, 0) for the whole expression and TBoolExprPair(_, i) for inner pairs. Extend AstNode.asExpr() to also recover the underlying Py::BoolExpr from TBoolExprPair(_, 0). This makes asExpr() the inverse of construction: every 'result = TExpr(e)' turns into 'result.asExpr() = e', which works uniformly for BoolExprs and non-BoolExprs alike. Consequences: - BinaryExpr now extends TBoolExprPair directly with a single uniform rule for left/right operands. - LogicalAndExpr/LogicalOrExpr are one-line char preds via getBoolExpr(). - The private BoolExprPair wrapper class folds into BinaryExpr. - 60+ leaf wrappers now read 'result.asExpr() = py_expr' instead of 'result = TExpr(py_expr)'. No behaviour change: all 24 NewCfg evaluation-order tests pass; all 11 shared-CFG consistency queries report 0 violations on CPython. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-05-07 12:04:54 +00:00
Copilot	77e36d3cfa	Python: merge T*AstNode wrappers into matching public classes Five of the six per-newtype-branch wrapper classes had a natural public class corresponding to that branch: TStmtAstNode -> Stmt (TStmt subset; BlockStmt overrides for TBlockStmt) TExprAstNode -> Expr (TExpr subset; BoolExprPair overrides for TBoolExprPair) TScopeAstNode -> Callable (= TScope exactly) TPatternAstNode -> Pattern (= TPattern exactly) TBlockStmtAstNode -> BlockStmt (= TBlockStmt exactly) Move toString/getLocation/getEnclosingCallable onto these classes and delete the wrappers. The sixth wrapper (TBoolExprPair) has no exact public counterpart - BinaryExpr is broader, including TExpr-branch BoolExprs - so it remains as a small private class, renamed BoolExprPair. No behaviour change: all 24 NewCfg evaluation-order tests pass; all 11 shared-CFG consistency queries report 0 violations on CPython. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-05-07 11:31:07 +00:00
Copilot	f2151fe232	Python: dispatch toString/getLocation/getEnclosingCallable per branch Replace the three big disjunctive predicates on AstNode with empty defaults plus per-newtype-branch override classes: AstNode.toString() { none() } AstNode.getLocation() { none() } AstNode.getEnclosingCallable() { none() } Six private subclasses (one per newtype branch — TStmt, TExpr, TScope, TPattern, TBoolExprPair, TBlockStmt) override these with the branch-specific implementation. This mirrors the per-class dispatch already used for getChild. No behaviour change: all 24 NewCfg evaluation-order tests pass and all 11 shared-CFG consistency queries still report 0 violations on CPython. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-05-07 11:06:40 +00:00
Copilot	9781ee8d66	Python: adapt to new shared CFG signature Main added two new requirements to AstSig: - A 'Parameter' class with a 'getDefaultValue()' method, plus a 'callableGetParameter(Callable, int)' predicate. - A 'CallableContext' class in InputSig1, replacing the previous 'CallableBodyPartContext'. Add stub implementations: 'Parameter' is empty (none()) and 'callableGetParameter' returns nothing, mirroring Java's TODO. Rename 'CallableBodyPartContext = Void' to 'CallableContext = Void' in the Python Input module. NewCfg evaluation-order tests still pass at the 22/24 baseline; all 11 shared-CFG consistency queries still report 0 violations on CPython. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-05-05 15:26:20 +00:00
Copilot	03b8e8fdde	Python: refactor getChild into per-class OO dispatch Replace the single ~240-line top-level getChild predicate with one override per AST class. AstNode declares a default AstNode getChild(int index) { none() } and each subclass with children overrides it (41 classes total). The top-level predicate becomes a one-line dispatch: AstNode getChild(AstNode n, int index) { result = n.getChild(index) } No behavioral change: NewCfg evaluation-order tests still pass at the same 22/24 baseline, and all 11 shared-CFG consistency queries still report 0 violations on CPython. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-05-05 15:21:43 +00:00
Copilot	93112b2b75	Python: include try-else in getChild for completion propagation The shared CFG library propagates abrupt completions from child to parent via getChild(parent, _) = child. Python's try.getElse() was wired into normal step rules but not listed in getChild(TryStmt, ...), so return/break/continue/raise statements occurring inside a try-else block had no parent path and ended up as dead-end CFG nodes. Add the else block at index -2 (alongside finally at -1). This affects only completion propagation; the normal-flow CFG is unchanged because TryStmt has explicit step rules. Verified on a CPython database: all 11 shared-CFG consistency queries now pass with 0 violations (deadEnd: 244 -> 0). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-05-05 15:21:43 +00:00
Copilot	76724c5391	Shared CFG: support for-else and while-else loops Add two default predicates to AstSig: default AstNode getWhileElse(WhileStmt loop) { none() } default AstNode getForeachElse(ForeachStmt loop) { none() } When defined, the explicit-step rules for While/Do and Foreach route the loop's normal-completion exits through the else block before reaching the after-loop node: - WhileStmt: after-false condition -> before-else -> after-while (instead of directly after-while). - ForeachStmt: after-collection [empty] and the LoopHeader exit are both routed through before-else -> after-foreach. Python's Ast module overrides the predicates to return the synthetic BlockStmt for the orelse slot, replacing the previous customisations in Input::step. This eliminates parallel direct successors emitted by the previous Python-side step additions (verified: multipleSuccessors on a CPython database goes from 1340 to 0). Java and C# CFG tests are unaffected. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-05-05 15:21:43 +00:00
Copilot	edfe91832b	Python: compact-renumber FunctionExpr/Lambda defaults `Args.getDefault(int)` and `Args.getKwDefault(int)` are indexed by argument position (with gaps for args without defaults), not by default position. The CFG `getChild` predicate for FunctionDefExpr and LambdaExpr therefore had gaps at low indices and collisions where defaults and kwdefaults overlapped, producing parallel edges before the FunctionExpr. Use `rank` to compact-renumber `getDefault(n)` and `getKwDefault(n)` in source order. Verified on a CPython database: removes ~536 `multipleSuccessors` consistency results (1340 -> 804); the rest are `for/else` and `while/else`. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-05-05 15:21:43 +00:00
Copilot	58cda914db	Python: collapse two-layer AstNodeImpl into a single Ast module Merge the previous `Ast` and `AstSigImpl` modules into a single `module Ast implements AstSig<Py::Location>`. Classes now use the signature names (IfStmt, WhileStmt, ForeachStmt, etc.) and signature predicates (getCondition, getThen, getElse, etc.) directly, with no intermediate renaming layer. Drop the TStmtListNode newtype branch entirely. Replace it with a synthetic TBlockStmt(parent, slot) keyed by a parent AST node and a slot label string ('body', 'orelse', 'finally'). Py::StmtList no longer appears in the newtype; the BlockStmt class provides indexed access to the underlying body items via getStmt(n). All 22 of 24 evaluation-order tests still pass; the same 2 comprehension-related failures predate this refactor. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-05-05 15:21:43 +00:00
yoff	0b4a24884f	python: add consistency checks Co-authored-by: aschackmull <aschackmull@github.com>	2026-05-05 15:21:42 +00:00
yoff	3b0abad701	Python: add pattern nodes Co-authored-by: Copilot <copilot@github.com>	2026-05-05 15:21:42 +00:00
Taus	68b3d57563	Cleanup, printCFG Co-authored-by: yoff <yoff@github.com>	2026-05-05 15:21:42 +00:00
Taus	a33b49a3f3	WIP2	2026-05-05 15:21:42 +00:00
Taus	1af415bec3	WIP	2026-05-05 15:21:42 +00:00
Taus	e3155ea544	Python: Handle dict unpacking in calls Co-authored-by: yoff <yoff@github.com>	2026-05-05 15:21:42 +00:00
Taus	04b8c4bc7e	Python: Fix exception issue Co-authored-by: yoff <yoff@github.com>	2026-05-05 15:21:42 +00:00
Taus	f85b532bb3	Python: Fix match Co-authored-by: yoff <yoff@github.com>	2026-05-05 15:21:42 +00:00
Taus	0e1f1d9f09	Python: Support `match` Co-authored-by: yoff <yoff@github.com>	2026-05-05 15:21:42 +00:00
Taus	53da31bd15	Python: More nodes Not entirely sure about the `else:` blocks. Co-authored-by: yoff <yoff@github.com>	2026-05-05 15:21:42 +00:00
Taus	1f82dbc583	Python: Comprehensions Co-authored-by: yoff <yoff@github.com>	2026-05-05 15:21:41 +00:00
Taus	b229066891	Python: Add `with` Co-authored-by: yoff <yoff@github.com>	2026-05-05 15:21:41 +00:00
Taus	0acbb12fb9	Python: More simple statements Co-authored-by: yoff <yoff@github.com>	2026-05-05 15:21:41 +00:00
Taus	542efce4a6	Python: assignments Co-authored-by: yoff <yoff@github.com>	2026-05-05 15:21:41 +00:00
Taus	2db400aebd	Python: Attributes Co-authored-by: yoff <yoff@github.com>	2026-05-05 15:21:41 +00:00
Taus	66bbb60614	Python: Function calls Co-authored-by: yoff <yoff@github.com>	2026-05-05 15:21:41 +00:00
Taus	971beb2d89	Python: Assert statements Co-authored-by: yoff <yoff@github.com>	2026-05-05 15:21:41 +00:00
Taus	ea204ac75f	Python: Support various literals Co-authored-by: yoff <yoff@github.com>	2026-05-05 15:21:41 +00:00
Taus	3be562929a	Python: Ignore synthetic CFG nodes We can only annotate the ones that correspond directly to AST nodes anyway. Co-authored-by: yoff <yoff@github.com>	2026-05-05 15:21:41 +00:00
Taus	dc0344e2fc	Python: More AstNodeImpl improvements Co-authored-by: yoff <yoff@github.com>	2026-05-05 15:21:41 +00:00
Taus	2ed75e7ca7	Python: Instantiate CFG tests with new CFG library Co-authored-by: yoff <yoff@github.com>	2026-05-05 15:21:40 +00:00
Taus	9974584102	Python: Instantiate CFG module fully Co-authored-by: yoff <yoff@github.com>	2026-05-05 15:21:40 +00:00
Taus	6086b999f6	Python: Use fields everywhere in new AST classes Co-authored-by: yoff <yoff@github.com>	2026-05-05 15:21:40 +00:00
Taus	d62e116fc2	Python: First stab at shared control-flow	2026-05-05 15:21:40 +00:00
Taus	4582855de1	Python: Make CFG tests parameterised Currently we only instantiate them with the old CFG library, but in the future we'll want to do this with the new library as well. Co-authored-by: yoff <yoff@github.com>	2026-05-05 15:21:40 +00:00
Taus	ba29e7e34d	Python: Add ConsecutiveTimestamps test This one is potentially a bit iffy -- it checks for a very powerful propetry (that implies many of the other queries), but as the test results show, it can produce false positives when there is in fact no problem. We may want to get rid of it entirely, if it becomes too noisy.	2026-05-05 15:21:40 +00:00
Taus	f97bf38f3b	Python: Add NeverReachable test This looks for nodes annotated with `t.never` in the test that are reachable in the CFG. This should not happen (it messes with various queries, e.g. the "mixed returns" query), but the test shows that in a few particular cases (involving the `match` statement where all cases contain `return`s), we _do_ have reachable nodes that shouldn't be.	2026-05-05 15:21:40 +00:00
Taus	a8d136d3d6	Python: Add BasicBlockOrdering test This one demonstrates a bug in the current CFG. In a dictionary comprehension `{k: v for k, v in d.items()}`, we evaluate the value before the key, which is incorrect. (A fix for this bug has been implemented in a separate PR.)	2026-05-05 15:21:40 +00:00
Taus	710a43ac7f	Python: Add some CFG-validation queries These use the annotated, self-verifying test files to check various consistency requirements. Some of these may be expressing the same thing in different ways, but it's fairly cheap to keep them around, so I have not attempted to produce a minimal set of queries for this.	2026-05-05 15:21:40 +00:00
Taus	3402d0eaeb	Python: Add self-validating CFG tests These tests consist of various Python constructions (hopefully a somewhat comprehensive set) with specific timestamp annotations scattered throughout. When the tests are run using the Python 3 interpreter, these annotations are checked and compared to the "current timestamp" to see that they are in agreement. This is what makes the tests "self-validating". There are a few different kinds of annotations: the basic `t[4]` style (meaning this is executed at timestamp 4), the `t.dead[4]` variant (meaning this _would_ happen at timestamp 4, but it is in a dead branch), and `t.never` (meaning this is never executed at all). In addition to this, there is a query, MissingAnnotations, which checks whether we have applied these annotations maximally. Many expression nodes are not actually annotatable, so there is a sizeable list of excluded nodes for that query.	2026-05-05 15:21:39 +00:00
`@@ -1,2 +1,2 @@`
	`---`	`---`
	`lastReleaseVersion: 0.4.37`	`lastReleaseVersion: 0.4.34`
`@@ -1,2 +1 @@`
	`query: Models/CompositeActionsSinks.ql`	`Models/CompositeActionsSinks.ql`
	`postprocess: utils/test/InlineExpectationsTestQuery.ql`
`@@ -1,2 +1,2 @@`
	`query: Models/CompositeActionsSources.ql`	`Models/CompositeActionsSources.ql`
	`postprocess: utils/test/InlineExpectationsTestQuery.ql`
`@@ -1,2 +1,2 @@`
	`query: Models/CompositeActionsSummaries.ql`	`Models/CompositeActionsSummaries.ql`
	`postprocess: utils/test/InlineExpectationsTestQuery.ql`
`@@ -1,2 +1,2 @@`
	`query: Models/ReusableWorkflowsSinks.ql`	`Models/ReusableWorkflowsSinks.ql`
	`postprocess: utils/test/InlineExpectationsTestQuery.ql`
`@@ -1,2 +1,2 @@`
	`query: Models/ReusableWorkflowsSources.ql`	`Models/ReusableWorkflowsSources.ql`
	`postprocess: utils/test/InlineExpectationsTestQuery.ql`
`@@ -1,2 +1,2 @@`
	`query: Models/ReusableWorkflowsSummaries.ql`	`Models/ReusableWorkflowsSummaries.ql`
	`postprocess: utils/test/InlineExpectationsTestQuery.ql`
`@@ -1,2 +1 @@`
	`query: experimental/Security/CWE-074/OutputClobberingHigh.ql`	`experimental/Security/CWE-074/OutputClobberingHigh.ql`
	`postprocess: utils/test/InlineExpectationsTestQuery.ql`
`@@ -1,2 +1 @@`
	`query: Security/CWE-077/EnvPathInjectionCritical.ql`	`Security/CWE-077/EnvPathInjectionCritical.ql`
	`postprocess: utils/test/InlineExpectationsTestQuery.ql`