mirror of
https://github.com/github/codeql.git
synced 2026-07-01 17:45:36 +02:00
Compare commits
61 Commits
nickrolfe/
...
codeql-cli
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
b12c67f231 | ||
|
|
f251a572e1 | ||
|
|
7c73de0e3c | ||
|
|
237c5639e2 | ||
|
|
73ad826d44 | ||
|
|
cc83856c5e | ||
|
|
0fbab225ce | ||
|
|
ca09327384 | ||
|
|
969ab78225 | ||
|
|
b67644c127 | ||
|
|
20b4cbe72e | ||
|
|
b582844f96 | ||
|
|
b9a132dac6 | ||
|
|
89cd6770ae | ||
|
|
9b2e6077f1 | ||
|
|
929fa1e977 | ||
|
|
3324d07985 | ||
|
|
f6b3d1eade | ||
|
|
402c0f89bc | ||
|
|
af11f6e618 | ||
|
|
7fc4b4856e | ||
|
|
4b8cb3ffac | ||
|
|
31f6e713c5 | ||
|
|
e2347a5c7d | ||
|
|
66c1f037f5 | ||
|
|
2675070291 | ||
|
|
c01264d05c | ||
|
|
63e1cc90e9 | ||
|
|
2182265120 | ||
|
|
0b666d47db | ||
|
|
142ac47166 | ||
|
|
2470c1388a | ||
|
|
fa98557dd9 | ||
|
|
1e167dfa6b | ||
|
|
f362707493 | ||
|
|
15208b70aa | ||
|
|
3522f35ab2 | ||
|
|
938396a751 | ||
|
|
790d4f11be | ||
|
|
8f747a355c | ||
|
|
d17fd2d964 | ||
|
|
4e9c3fb436 | ||
|
|
0e9d17b59c | ||
|
|
6c74cd31e4 | ||
|
|
166406acbb | ||
|
|
b40cb5dedd | ||
|
|
6dd7dedc19 | ||
|
|
7f16853715 | ||
|
|
2d6feb1255 | ||
|
|
1d8e682e5f | ||
|
|
0baa126473 | ||
|
|
d11b428292 | ||
|
|
ddc9516e92 | ||
|
|
00068948c1 | ||
|
|
28c879f58c | ||
|
|
d51a9a3e1a | ||
|
|
048884bb78 | ||
|
|
2eed6c1736 | ||
|
|
2a8f295a65 | ||
|
|
b8501f1ec5 | ||
|
|
3214253adb |
@@ -1,3 +1,10 @@
|
|||||||
|
## 0.4.38
|
||||||
|
|
||||||
|
### Bug Fixes
|
||||||
|
|
||||||
|
* GitHub Actions queries now better account for permission checks on jobs that call reusable workflows.
|
||||||
|
* The query `actions/pr-on-self-hosted-runner` was updated to the latest standard runner labels reducing false positive results.
|
||||||
|
|
||||||
## 0.4.37
|
## 0.4.37
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
### Minor Analysis Improvements
|
||||||
|
|||||||
@@ -1,4 +0,0 @@
|
|||||||
---
|
|
||||||
category: fix
|
|
||||||
---
|
|
||||||
* The query `actions/pr-on-self-hosted-runner` was updated to the latest standard runner labels reducing false positive results.
|
|
||||||
6
actions/ql/lib/change-notes/released/0.4.38.md
Normal file
6
actions/ql/lib/change-notes/released/0.4.38.md
Normal file
@@ -0,0 +1,6 @@
|
|||||||
|
## 0.4.38
|
||||||
|
|
||||||
|
### Bug Fixes
|
||||||
|
|
||||||
|
* GitHub Actions queries now better account for permission checks on jobs that call reusable workflows.
|
||||||
|
* The query `actions/pr-on-self-hosted-runner` was updated to the latest standard runner labels reducing false positive results.
|
||||||
@@ -1,2 +1,2 @@
|
|||||||
---
|
---
|
||||||
lastReleaseVersion: 0.4.37
|
lastReleaseVersion: 0.4.38
|
||||||
|
|||||||
@@ -42,6 +42,15 @@ string actor_not_attacker_event() {
|
|||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Gets the outer caller of `ej`, i.e. the `ExternalJob` that calls the
|
||||||
|
* reusable workflow containing `ej`. Used with transitive closure to
|
||||||
|
* walk up nested reusable workflow chains.
|
||||||
|
*/
|
||||||
|
private ExternalJob getAnOuterCaller(ExternalJob ej) {
|
||||||
|
result = ej.getEnclosingWorkflow().(ReusableWorkflow).getACaller()
|
||||||
|
}
|
||||||
|
|
||||||
/** An If node that contains an actor, user or label check */
|
/** An If node that contains an actor, user or label check */
|
||||||
abstract class ControlCheck extends AstNode {
|
abstract class ControlCheck extends AstNode {
|
||||||
ControlCheck() {
|
ControlCheck() {
|
||||||
@@ -53,43 +62,170 @@ abstract class ControlCheck extends AstNode {
|
|||||||
|
|
||||||
predicate protects(AstNode node, Event event, string category) {
|
predicate protects(AstNode node, Event event, string category) {
|
||||||
// The check dominates the step it should protect
|
// The check dominates the step it should protect
|
||||||
this.dominates(node) and
|
this.dominates(node, event) and
|
||||||
// The check is effective against the event and category
|
// The check is effective against the event and category
|
||||||
this.protectsCategoryAndEvent(category, event.getName()) and
|
this.protectsCategoryAndEvent(category, event.getName()) and
|
||||||
// The check can be triggered by the event
|
// The check can be triggered by the event
|
||||||
this.getATriggerEvent() = event
|
this.getATriggerEvent() = event and
|
||||||
|
// For reusable workflows, there must be no unprotected caller chain for this event.
|
||||||
|
(
|
||||||
|
not node.getEnclosingWorkflow() instanceof ReusableWorkflow
|
||||||
|
or
|
||||||
|
this.dominatesSameWorkflow(node, event)
|
||||||
|
or
|
||||||
|
not exists(ExternalJob directCaller |
|
||||||
|
directCaller = node.getEnclosingWorkflow().(ReusableWorkflow).getACaller() and
|
||||||
|
unprotectedCallerChain(directCaller, event, category)
|
||||||
|
)
|
||||||
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
predicate dominates(AstNode node) {
|
/**
|
||||||
|
* Holds if this control check must execute and pass before `node` can run.
|
||||||
|
*/
|
||||||
|
predicate dominates(AstNode node, Event event) {
|
||||||
|
this.dominatesSameWorkflow(node, event)
|
||||||
|
or
|
||||||
|
// When the node is inside a reusable workflow,
|
||||||
|
// this check dominates via at least one caller chain.
|
||||||
|
this.dominatesViaCaller(node, event, _)
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Holds if this control check dominates `node` within the same workflow.
|
||||||
|
*/
|
||||||
|
predicate dominatesSameWorkflow(AstNode node, Event event) {
|
||||||
|
this.getATriggerEvent() = event and
|
||||||
|
(
|
||||||
|
// Step-level: the check is an `if:` on the step containing `node`,
|
||||||
|
// or on the enclosing job, or on a needed job/step.
|
||||||
|
this instanceof If and
|
||||||
|
(
|
||||||
|
node.getEnclosingStep().getIf() = this or
|
||||||
|
node.getEnclosingJob().getIf() = this or
|
||||||
|
node.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this or
|
||||||
|
node.getEnclosingJob().getANeededJob().(LocalJob).getIf() = this
|
||||||
|
)
|
||||||
|
or
|
||||||
|
// Job-level: the check is an environment on the enclosing job or a needed job.
|
||||||
|
this instanceof Environment and
|
||||||
|
(
|
||||||
|
node.getEnclosingJob().getEnvironment() = this
|
||||||
|
or
|
||||||
|
node.getEnclosingJob().getANeededJob().getEnvironment() = this
|
||||||
|
)
|
||||||
|
or
|
||||||
|
// Step-level: the check is a Run/UsesStep that precedes `node`'s step
|
||||||
|
// in the same job, or is a step in a needed job.
|
||||||
|
(
|
||||||
|
this instanceof Run or
|
||||||
|
this instanceof UsesStep
|
||||||
|
) and
|
||||||
|
(
|
||||||
|
this.(Step).getAFollowingStep() = node.getEnclosingStep()
|
||||||
|
or
|
||||||
|
node.getEnclosingJob().getANeededJob().(LocalJob).getAStep() = this
|
||||||
|
)
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Holds if this control check dominates `node` in a reusable workflow
|
||||||
|
* via the caller chain starting at `directCaller`.
|
||||||
|
*/
|
||||||
|
predicate dominatesViaCaller(AstNode node, Event event, ExternalJob directCaller) {
|
||||||
|
directCaller = node.getEnclosingWorkflow().(ReusableWorkflow).getACaller() and
|
||||||
|
directCaller.getATriggerEvent() = event and
|
||||||
|
exists(ExternalJob caller |
|
||||||
|
caller = getAnOuterCaller*(directCaller) and
|
||||||
|
this.dominatesCaller(caller)
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Holds if this control check directly dominates `caller`.
|
||||||
|
*/
|
||||||
|
predicate dominatesCaller(ExternalJob caller) {
|
||||||
this instanceof If and
|
this instanceof If and
|
||||||
(
|
(
|
||||||
node.getEnclosingStep().getIf() = this or
|
caller.getIf() = this or
|
||||||
node.getEnclosingJob().getIf() = this or
|
caller.getANeededJob().(LocalJob).getIf() = this or
|
||||||
node.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this or
|
caller.getANeededJob().(LocalJob).getAStep().getIf() = this
|
||||||
node.getEnclosingJob().getANeededJob().(LocalJob).getIf() = this
|
|
||||||
)
|
)
|
||||||
or
|
or
|
||||||
this instanceof Environment and
|
this instanceof Environment and
|
||||||
(
|
(
|
||||||
node.getEnclosingJob().getEnvironment() = this
|
caller.getEnvironment() = this or
|
||||||
or
|
caller.getANeededJob().getEnvironment() = this
|
||||||
node.getEnclosingJob().getANeededJob().getEnvironment() = this
|
|
||||||
)
|
)
|
||||||
or
|
or
|
||||||
(
|
(this instanceof Run or this instanceof UsesStep) and
|
||||||
this instanceof Run or
|
caller.getANeededJob().(LocalJob).getAStep() = this
|
||||||
this instanceof UsesStep
|
|
||||||
) and
|
|
||||||
(
|
|
||||||
this.(Step).getAFollowingStep() = node.getEnclosingStep()
|
|
||||||
or
|
|
||||||
node.getEnclosingJob().getANeededJob().(LocalJob).getAStep() = this.(Step)
|
|
||||||
)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
abstract predicate protectsCategoryAndEvent(string category, string event);
|
abstract predicate protectsCategoryAndEvent(string category, string event);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Holds if this control check directly protects `caller`.
|
||||||
|
*/
|
||||||
|
bindingset[caller, event, category]
|
||||||
|
private predicate protectedCaller(ExternalJob caller, Event event, string category) {
|
||||||
|
exists(ControlCheck check |
|
||||||
|
check.protectsCategoryAndEvent(category, event.getName()) and
|
||||||
|
check.getATriggerEvent() = event and
|
||||||
|
check.dominatesCaller(caller)
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
cached
|
||||||
|
private newtype TCallerState =
|
||||||
|
MkCallerState(ExternalJob caller, Event event, string category) {
|
||||||
|
caller.getATriggerEvent() = event and
|
||||||
|
category = any_category()
|
||||||
|
}
|
||||||
|
|
||||||
|
private class CallerState extends TCallerState, MkCallerState {
|
||||||
|
ExternalJob caller;
|
||||||
|
Event event;
|
||||||
|
string category;
|
||||||
|
|
||||||
|
CallerState() { this = MkCallerState(caller, event, category) }
|
||||||
|
|
||||||
|
ExternalJob getCaller() { result = caller }
|
||||||
|
|
||||||
|
Event getEvent() { result = event }
|
||||||
|
|
||||||
|
string getCategory() { result = category }
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Gets an outer caller state if this caller is not protected.
|
||||||
|
*/
|
||||||
|
CallerState getUnprotectedOuterState() {
|
||||||
|
not protectedCaller(this.getCaller(), this.getEvent(), this.getCategory()) and
|
||||||
|
result = MkCallerState(getAnOuterCaller(this.getCaller()), this.getEvent(), this.getCategory())
|
||||||
|
}
|
||||||
|
|
||||||
|
predicate isUnprotectedOutermost() {
|
||||||
|
not protectedCaller(this.getCaller(), this.getEvent(), this.getCategory()) and
|
||||||
|
not exists(getAnOuterCaller(this.getCaller()))
|
||||||
|
}
|
||||||
|
|
||||||
|
string toString() { result = caller + " / " + event + " / " + category }
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Holds if there is a caller path from `caller` to an outer workflow that has no protection.
|
||||||
|
*/
|
||||||
|
bindingset[caller, event, category]
|
||||||
|
private predicate unprotectedCallerChain(ExternalJob caller, Event event, string category) {
|
||||||
|
exists(CallerState start, CallerState outermost |
|
||||||
|
start = MkCallerState(caller, event, category) and
|
||||||
|
outermost = start.getUnprotectedOuterState*() and
|
||||||
|
outermost.isUnprotectedOutermost()
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
abstract class AssociationCheck extends ControlCheck {
|
abstract class AssociationCheck extends ControlCheck {
|
||||||
// Checks if the actor is a MEMBER/OWNER the repo
|
// Checks if the actor is a MEMBER/OWNER the repo
|
||||||
// - they are effective against pull requests and workflow_run (since these are triggered by pull_requests) since they can control who is making the PR
|
// - they are effective against pull requests and workflow_run (since these are triggered by pull_requests) since they can control who is making the PR
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
name: codeql/actions-all
|
name: codeql/actions-all
|
||||||
version: 0.4.38-dev
|
version: 0.4.38
|
||||||
library: true
|
library: true
|
||||||
warnOnImplicitThis: true
|
warnOnImplicitThis: true
|
||||||
dependencies:
|
dependencies:
|
||||||
|
|||||||
@@ -1,3 +1,9 @@
|
|||||||
|
## 0.6.30
|
||||||
|
|
||||||
|
### Query Metadata Changes
|
||||||
|
|
||||||
|
* The name, description, and alert message of `actions/untrusted-checkout/medium` have been corrected to describe a non-privileged context.
|
||||||
|
|
||||||
## 0.6.29
|
## 0.6.29
|
||||||
|
|
||||||
### Query Metadata Changes
|
### Query Metadata Changes
|
||||||
|
|||||||
@@ -18,7 +18,7 @@ from LocalJob job, LabelCheck check, MutableRefCheckoutStep checkout, Event even
|
|||||||
where
|
where
|
||||||
job.isPrivileged() and
|
job.isPrivileged() and
|
||||||
job.getAStep() = checkout and
|
job.getAStep() = checkout and
|
||||||
check.dominates(checkout) and
|
check.dominates(checkout, event) and
|
||||||
(
|
(
|
||||||
job.getATriggerEvent() = event and
|
job.getATriggerEvent() = event and
|
||||||
event.getName() = "pull_request_target" and
|
event.getName() = "pull_request_target" and
|
||||||
|
|||||||
@@ -34,8 +34,8 @@ where
|
|||||||
check instanceof AssociationCheck or
|
check instanceof AssociationCheck or
|
||||||
check instanceof PermissionCheck
|
check instanceof PermissionCheck
|
||||||
) and
|
) and
|
||||||
check.dominates(checkout) and
|
check.dominates(checkout, event) and
|
||||||
date_check.dominates(checkout)
|
date_check.dominates(checkout, event)
|
||||||
)
|
)
|
||||||
or
|
or
|
||||||
// not issue_comment triggered workflows
|
// not issue_comment triggered workflows
|
||||||
|
|||||||
@@ -1,4 +1,5 @@
|
|||||||
---
|
## 0.6.30
|
||||||
category: queryMetadata
|
|
||||||
---
|
### Query Metadata Changes
|
||||||
|
|
||||||
* The name, description, and alert message of `actions/untrusted-checkout/medium` have been corrected to describe a non-privileged context.
|
* The name, description, and alert message of `actions/untrusted-checkout/medium` have been corrected to describe a non-privileged context.
|
||||||
@@ -1,2 +1,2 @@
|
|||||||
---
|
---
|
||||||
lastReleaseVersion: 0.6.29
|
lastReleaseVersion: 0.6.30
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
name: codeql/actions-queries
|
name: codeql/actions-queries
|
||||||
version: 0.6.30-dev
|
version: 0.6.30
|
||||||
library: false
|
library: false
|
||||||
warnOnImplicitThis: true
|
warnOnImplicitThis: true
|
||||||
groups: [actions, queries]
|
groups: [actions, queries]
|
||||||
|
|||||||
@@ -0,0 +1,17 @@
|
|||||||
|
on:
|
||||||
|
workflow_call:
|
||||||
|
inputs:
|
||||||
|
COMMIT_SHA:
|
||||||
|
type: string
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
build:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v6
|
||||||
|
with:
|
||||||
|
ref: ${{ inputs.COMMIT_SHA }}
|
||||||
|
- run: |
|
||||||
|
npm install
|
||||||
|
npm run lint
|
||||||
|
|
||||||
@@ -0,0 +1,13 @@
|
|||||||
|
on:
|
||||||
|
workflow_call:
|
||||||
|
inputs:
|
||||||
|
COMMIT_SHA:
|
||||||
|
type: string
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
build:
|
||||||
|
uses: TestOrg/TestRepo/.github/workflows/build.yml@main
|
||||||
|
with:
|
||||||
|
COMMIT_SHA: ${{ inputs.COMMIT_SHA }}
|
||||||
|
|
||||||
|
|
||||||
@@ -0,0 +1,33 @@
|
|||||||
|
on:
|
||||||
|
workflow_call:
|
||||||
|
inputs:
|
||||||
|
COMMIT_SHA:
|
||||||
|
type: string
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
is-collaborator:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- name: Get User Permission
|
||||||
|
id: checkAccess
|
||||||
|
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
||||||
|
with:
|
||||||
|
require: write
|
||||||
|
username: ${{ github.actor }}
|
||||||
|
env:
|
||||||
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
- name: Check User Permission
|
||||||
|
if: steps.checkAccess.outputs.require-result == 'false'
|
||||||
|
run: |
|
||||||
|
echo "${{ github.actor }} does not have permissions on this repo."
|
||||||
|
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
||||||
|
exit 1
|
||||||
|
build_safe:
|
||||||
|
needs: is-collaborator
|
||||||
|
uses: TestOrg/TestRepo/.github/workflows/build_nested.yml@main
|
||||||
|
with:
|
||||||
|
COMMIT_SHA: ${{ inputs.COMMIT_SHA }}
|
||||||
|
build_unsafe:
|
||||||
|
uses: TestOrg/TestRepo/.github/workflows/build_nested.yml@main
|
||||||
|
with:
|
||||||
|
COMMIT_SHA: ${{ inputs.COMMIT_SHA }}
|
||||||
31
actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_no_needs.yml
vendored
Normal file
31
actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_no_needs.yml
vendored
Normal file
@@ -0,0 +1,31 @@
|
|||||||
|
on:
|
||||||
|
pull_request_target:
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
is-collaborator:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- name: Get User Permission
|
||||||
|
id: checkAccess
|
||||||
|
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
||||||
|
with:
|
||||||
|
require: write
|
||||||
|
username: ${{ github.actor }}
|
||||||
|
env:
|
||||||
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
- name: Check User Permission
|
||||||
|
if: steps.checkAccess.outputs.require-result == 'false'
|
||||||
|
run: |
|
||||||
|
echo "${{ github.actor }} does not have permissions on this repo."
|
||||||
|
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
||||||
|
exit 1
|
||||||
|
build:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
#needs: is-collaborator Mistake, doesn't wait for the collaborator - no security check
|
||||||
|
steps:
|
||||||
|
- name: Checkout repo
|
||||||
|
uses: actions/checkout@4
|
||||||
|
with:
|
||||||
|
ref: ${{ github.event.pull_request.head.sha }} # should alert
|
||||||
|
fetch-depth: 2
|
||||||
|
- run: yarn test
|
||||||
@@ -0,0 +1,26 @@
|
|||||||
|
on:
|
||||||
|
pull_request_target:
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
is-collaborator:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- name: Get User Permission
|
||||||
|
id: checkAccess
|
||||||
|
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
||||||
|
with:
|
||||||
|
require: write
|
||||||
|
username: ${{ github.actor }}
|
||||||
|
env:
|
||||||
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
- name: Check User Permission
|
||||||
|
if: steps.checkAccess.outputs.require-result == 'false'
|
||||||
|
run: |
|
||||||
|
echo "${{ github.actor }} does not have permissions on this repo."
|
||||||
|
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
||||||
|
exit 1
|
||||||
|
build:
|
||||||
|
needs: is-collaborator
|
||||||
|
uses: TestOrg/TestRepo/.github/workflows/build.yml@main
|
||||||
|
with:
|
||||||
|
COMMIT_SHA: ${{ github.event.pull_request.head.sha }} # shouldn't alert since permission check
|
||||||
@@ -0,0 +1,31 @@
|
|||||||
|
on:
|
||||||
|
pull_request_target:
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
is-collaborator:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- name: Get User Permission
|
||||||
|
id: checkAccess
|
||||||
|
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
||||||
|
with:
|
||||||
|
require: write
|
||||||
|
username: ${{ github.actor }}
|
||||||
|
env:
|
||||||
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
- name: Check User Permission
|
||||||
|
if: steps.checkAccess.outputs.require-result == 'false'
|
||||||
|
run: |
|
||||||
|
echo "${{ github.actor }} does not have permissions on this repo."
|
||||||
|
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
||||||
|
exit 1
|
||||||
|
build_unsafe:
|
||||||
|
# needs: is-collaborator
|
||||||
|
uses: TestOrg/TestRepo/.github/workflows/build.yml@main
|
||||||
|
with:
|
||||||
|
COMMIT_SHA: ${{ github.event.pull_request.head.sha }} # should alert since no permission check
|
||||||
|
build_safe:
|
||||||
|
needs: is-collaborator
|
||||||
|
uses: TestOrg/TestRepo/.github/workflows/build.yml@main
|
||||||
|
with:
|
||||||
|
COMMIT_SHA: ${{ github.event.pull_request.head.sha }} # shouldn't alert since permission check
|
||||||
@@ -0,0 +1,8 @@
|
|||||||
|
on:
|
||||||
|
pull_request_target:
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
build:
|
||||||
|
uses: TestOrg/TestRepo/.github/workflows/build_nested_branching.yml@main
|
||||||
|
with:
|
||||||
|
COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
|
||||||
@@ -0,0 +1,26 @@
|
|||||||
|
on:
|
||||||
|
pull_request_target:
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
is-collaborator:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- name: Get User Permission
|
||||||
|
id: checkAccess
|
||||||
|
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
||||||
|
with:
|
||||||
|
require: write
|
||||||
|
username: ${{ github.actor }}
|
||||||
|
env:
|
||||||
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
- name: Check User Permission
|
||||||
|
if: steps.checkAccess.outputs.require-result == 'false'
|
||||||
|
run: |
|
||||||
|
echo "${{ github.actor }} does not have permissions on this repo."
|
||||||
|
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
||||||
|
exit 1
|
||||||
|
build:
|
||||||
|
needs: is-collaborator
|
||||||
|
uses: TestOrg/TestRepo/.github/workflows/build_nested.yml@main
|
||||||
|
with:
|
||||||
|
COMMIT_SHA: ${{ github.event.pull_request.head.sha }} # shouldn't alert since permission check
|
||||||
@@ -0,0 +1,26 @@
|
|||||||
|
on:
|
||||||
|
pull_request_target:
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
is-collaborator:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- name: Get User Permission
|
||||||
|
id: checkAccess
|
||||||
|
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
||||||
|
with:
|
||||||
|
require: write
|
||||||
|
username: ${{ github.actor }}
|
||||||
|
env:
|
||||||
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
- name: Check User Permission
|
||||||
|
if: steps.checkAccess.outputs.require-result == 'false'
|
||||||
|
run: |
|
||||||
|
echo "${{ github.actor }} does not have permissions on this repo."
|
||||||
|
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
||||||
|
exit 1
|
||||||
|
build:
|
||||||
|
# needs: is-collaborator
|
||||||
|
uses: TestOrg/TestRepo/.github/workflows/build_nested.yml@main
|
||||||
|
with:
|
||||||
|
COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
|
||||||
@@ -0,0 +1,41 @@
|
|||||||
|
on:
|
||||||
|
pull_request_target:
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
is-collaborator:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- name: Get User Permission
|
||||||
|
id: checkAccess
|
||||||
|
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
||||||
|
with:
|
||||||
|
require: write
|
||||||
|
username: ${{ github.actor }}
|
||||||
|
env:
|
||||||
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
- name: Check User Permission
|
||||||
|
if: steps.checkAccess.outputs.require-result == 'false'
|
||||||
|
run: |
|
||||||
|
echo "${{ github.actor }} does not have permissions on this repo."
|
||||||
|
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
||||||
|
exit 1
|
||||||
|
build:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
needs: is-collaborator
|
||||||
|
steps:
|
||||||
|
- name: Checkout repo
|
||||||
|
uses: actions/checkout@4
|
||||||
|
with:
|
||||||
|
ref: ${{ github.event.pull_request.head.sha }} # shouldn't alert since permission check
|
||||||
|
fetch-depth: 2
|
||||||
|
- run: yarn test
|
||||||
|
build_unsafe:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
# needs: is-collaborator
|
||||||
|
steps:
|
||||||
|
- name: Checkout repo
|
||||||
|
uses: actions/checkout@4
|
||||||
|
with:
|
||||||
|
ref: ${{ github.event.pull_request.head.sha }} # should alert since no permission check
|
||||||
|
fetch-depth: 2
|
||||||
|
- run: yarn test
|
||||||
@@ -0,0 +1,48 @@
|
|||||||
|
on:
|
||||||
|
pull_request_target:
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
is-collaborator-a:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- name: Get User Permission
|
||||||
|
id: checkAccess
|
||||||
|
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
||||||
|
with:
|
||||||
|
require: write
|
||||||
|
username: ${{ github.actor }}
|
||||||
|
env:
|
||||||
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
- name: Check User Permission
|
||||||
|
if: steps.checkAccess.outputs.require-result == 'false'
|
||||||
|
run: |
|
||||||
|
echo "${{ github.actor }} does not have permissions on this repo."
|
||||||
|
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
||||||
|
exit 1
|
||||||
|
caller-a:
|
||||||
|
needs: is-collaborator-a
|
||||||
|
uses: TestOrg/TestRepo/.github/workflows/build.yml@main
|
||||||
|
with:
|
||||||
|
COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
|
||||||
|
is-collaborator-b:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- name: Get User Permission
|
||||||
|
id: checkAccess
|
||||||
|
uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
|
||||||
|
with:
|
||||||
|
require: write
|
||||||
|
username: ${{ github.actor }}
|
||||||
|
env:
|
||||||
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
- name: Check User Permission
|
||||||
|
if: steps.checkAccess.outputs.require-result == 'false'
|
||||||
|
run: |
|
||||||
|
echo "${{ github.actor }} does not have permissions on this repo."
|
||||||
|
echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
|
||||||
|
exit 1
|
||||||
|
caller-b:
|
||||||
|
needs: is-collaborator-b
|
||||||
|
uses: TestOrg/TestRepo/.github/workflows/build.yml@main
|
||||||
|
with:
|
||||||
|
COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
|
||||||
@@ -93,6 +93,8 @@ edges
|
|||||||
| .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:20:9:25:6 | Uses Step |
|
| .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:20:9:25:6 | Uses Step |
|
||||||
| .github/workflows/dependabot3.yml:20:9:25:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone |
|
| .github/workflows/dependabot3.yml:20:9:25:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone |
|
||||||
| .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:48:9:52:57 | Run Step |
|
| .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:48:9:52:57 | Run Step |
|
||||||
|
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:14:9:17:7 | Run Step |
|
||||||
|
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/build_nested_branching.yml:11:9:19:6 | Uses Step: checkAccess | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build_nested_branching.yml:19:9:25:2 | Run Step |
|
||||||
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:14:9:19:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step |
|
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:14:9:19:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step |
|
||||||
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:25:9:70:20 | Run Step |
|
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:25:9:70:20 | Run Step |
|
||||||
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step |
|
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step |
|
||||||
@@ -334,6 +336,17 @@ edges
|
|||||||
| .github/workflows/untrusted_checkout_6.yml:11:9:14:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:14:9:17:6 | Uses Step |
|
| .github/workflows/untrusted_checkout_6.yml:11:9:14:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:14:9:17:6 | Uses Step |
|
||||||
| .github/workflows/untrusted_checkout_6.yml:14:9:17:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:17:9:21:6 | Uses Step |
|
| .github/workflows/untrusted_checkout_6.yml:14:9:17:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:17:9:21:6 | Uses Step |
|
||||||
| .github/workflows/untrusted_checkout_6.yml:17:9:21:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:21:9:23:23 | Run Step |
|
| .github/workflows/untrusted_checkout_6.yml:17:9:21:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:21:9:23:23 | Run Step |
|
||||||
|
| .github/workflows/untrusted_checkout_no_needs.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_no_needs.yml:16:9:22:2 | Run Step |
|
||||||
|
| .github/workflows/untrusted_checkout_no_needs.yml:26:9:31:6 | Uses Step | .github/workflows/untrusted_checkout_no_needs.yml:31:9:31:23 | Run Step |
|
||||||
|
| .github/workflows/untrusted_checkout_permission_check_reusable2.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_permission_check_reusable2.yml:16:9:22:2 | Run Step |
|
||||||
|
| .github/workflows/untrusted_checkout_permission_check_reusable.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_permission_check_reusable.yml:16:9:22:2 | Run Step |
|
||||||
|
| .github/workflows/untrusted_checkout_permission_check_reusable_level2.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_permission_check_reusable_level2.yml:16:9:22:2 | Run Step |
|
||||||
|
| .github/workflows/untrusted_checkout_permission_check_reusable_no_needs.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_permission_check_reusable_no_needs.yml:16:9:22:2 | Run Step |
|
||||||
|
| .github/workflows/untrusted_checkout_permissions_check.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_permissions_check.yml:16:9:22:2 | Run Step |
|
||||||
|
| .github/workflows/untrusted_checkout_permissions_check.yml:26:9:31:6 | Uses Step | .github/workflows/untrusted_checkout_permissions_check.yml:31:9:32:2 | Run Step |
|
||||||
|
| .github/workflows/untrusted_checkout_permissions_check.yml:36:9:41:6 | Uses Step | .github/workflows/untrusted_checkout_permissions_check.yml:41:9:41:22 | Run Step |
|
||||||
|
| .github/workflows/untrusted_checkout_two_callers_both_protected.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_two_callers_both_protected.yml:16:9:22:2 | Run Step |
|
||||||
|
| .github/workflows/untrusted_checkout_two_callers_both_protected.yml:30:9:38:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_two_callers_both_protected.yml:38:9:44:2 | Run Step |
|
||||||
| .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step |
|
| .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step |
|
||||||
| .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step |
|
| .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step |
|
||||||
| .github/workflows/workflow_run_untrusted_checkout_3.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_3.yml:16:9:18:31 | Uses Step |
|
| .github/workflows/workflow_run_untrusted_checkout_3.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_3.yml:16:9:18:31 | Uses Step |
|
||||||
@@ -344,6 +357,9 @@ edges
|
|||||||
| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
|
| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
|
||||||
| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
|
| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
|
||||||
| .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | pull_request_target |
|
| .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | pull_request_target |
|
||||||
|
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:14:9:17:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout_permission_check_reusable2.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||||
|
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:14:9:17:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout_permission_check_reusable_branching_nested.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||||
|
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:14:9:17:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout_permission_check_reusable_no_needs.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||||
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | pull_request_target |
|
| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | pull_request_target |
|
||||||
| .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
| .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||||
| .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/label_trusted_checkout2.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
| .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/label_trusted_checkout2.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||||
@@ -377,3 +393,5 @@ edges
|
|||||||
| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment |
|
| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment |
|
||||||
| .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
| .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||||
| .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
| .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||||
|
| .github/workflows/untrusted_checkout_no_needs.yml:26:9:31:6 | Uses Step | .github/workflows/untrusted_checkout_no_needs.yml:26:9:31:6 | Uses Step | .github/workflows/untrusted_checkout_no_needs.yml:31:9:31:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout_no_needs.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||||
|
| .github/workflows/untrusted_checkout_permissions_check.yml:36:9:41:6 | Uses Step | .github/workflows/untrusted_checkout_permissions_check.yml:36:9:41:6 | Uses Step | .github/workflows/untrusted_checkout_permissions_check.yml:41:9:41:22 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout_permissions_check.yml:2:3:2:21 | pull_request_target | pull_request_target |
|
||||||
|
|||||||
@@ -1,3 +1,20 @@
|
|||||||
|
## 11.0.0
|
||||||
|
|
||||||
|
### Breaking Changes
|
||||||
|
|
||||||
|
* Removed the deprecated `overrideReturnsNull` predicate from `Options.qll`. Use `CustomOptions.overrideReturnsNull` instead.
|
||||||
|
* Removed the deprecated `returnsNull` predicate from `Options.qll`. Use `CustomOptions.returnsNull` instead.
|
||||||
|
* Removed the deprecated `exits` predicate from `Options.qll`. Use `CustomOptions.exits` instead.
|
||||||
|
* Removed the deprecated `exprExits` predicate from `Options.qll`. Use `CustomOptions.exprExits` instead.
|
||||||
|
* Removed the deprecated `alwaysCheckReturnValue` predicate from `Options.qll`. Use `CustomOptions.alwaysCheckReturnValue` instead.
|
||||||
|
* Removed the deprecated `okToIgnoreReturnValue` predicate from `Options.qll`. Use `CustomOptions.okToIgnoreReturnValue` instead.
|
||||||
|
* Removed the deprecated `semmle.code.cpp.Member`. Import `semmle.code.cpp.Element` and/or `semmle.code.cpp.Type` directly.
|
||||||
|
* Removed the deprecated `UnknownDefaultLocation` class. Use `UnknownLocation` instead.
|
||||||
|
* Removed the deprecated `UnknownExprLocation` class. Use `UnknownLocation` instead.
|
||||||
|
* Removed the deprecated `UnknownStmtLocation` class. Use `UnknownLocation` instead.
|
||||||
|
* Removed the deprecated `TemplateParameter` class. Use `TypeTemplateParameter` instead.
|
||||||
|
* Support for class resolution across link targets has been removed for databases which were created with CodeQL versions before 1.23.0.
|
||||||
|
|
||||||
## 10.2.0
|
## 10.2.0
|
||||||
|
|
||||||
### Deprecated APIs
|
### Deprecated APIs
|
||||||
|
|||||||
@@ -1,6 +1,7 @@
|
|||||||
---
|
## 11.0.0
|
||||||
category: breaking
|
|
||||||
---
|
### Breaking Changes
|
||||||
|
|
||||||
* Removed the deprecated `overrideReturnsNull` predicate from `Options.qll`. Use `CustomOptions.overrideReturnsNull` instead.
|
* Removed the deprecated `overrideReturnsNull` predicate from `Options.qll`. Use `CustomOptions.overrideReturnsNull` instead.
|
||||||
* Removed the deprecated `returnsNull` predicate from `Options.qll`. Use `CustomOptions.returnsNull` instead.
|
* Removed the deprecated `returnsNull` predicate from `Options.qll`. Use `CustomOptions.returnsNull` instead.
|
||||||
* Removed the deprecated `exits` predicate from `Options.qll`. Use `CustomOptions.exits` instead.
|
* Removed the deprecated `exits` predicate from `Options.qll`. Use `CustomOptions.exits` instead.
|
||||||
@@ -1,2 +1,2 @@
|
|||||||
---
|
---
|
||||||
lastReleaseVersion: 10.2.0
|
lastReleaseVersion: 11.0.0
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
name: codeql/cpp-all
|
name: codeql/cpp-all
|
||||||
version: 10.2.1-dev
|
version: 11.0.0
|
||||||
groups: cpp
|
groups: cpp
|
||||||
dbscheme: semmlecode.cpp.dbscheme
|
dbscheme: semmlecode.cpp.dbscheme
|
||||||
extractor: cpp
|
extractor: cpp
|
||||||
|
|||||||
@@ -1,3 +1,7 @@
|
|||||||
|
## 1.6.5
|
||||||
|
|
||||||
|
No user-facing changes.
|
||||||
|
|
||||||
## 1.6.4
|
## 1.6.4
|
||||||
|
|
||||||
No user-facing changes.
|
No user-facing changes.
|
||||||
|
|||||||
3
cpp/ql/src/change-notes/released/1.6.5.md
Normal file
3
cpp/ql/src/change-notes/released/1.6.5.md
Normal file
@@ -0,0 +1,3 @@
|
|||||||
|
## 1.6.5
|
||||||
|
|
||||||
|
No user-facing changes.
|
||||||
@@ -1,2 +1,2 @@
|
|||||||
---
|
---
|
||||||
lastReleaseVersion: 1.6.4
|
lastReleaseVersion: 1.6.5
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
name: codeql/cpp-queries
|
name: codeql/cpp-queries
|
||||||
version: 1.6.5-dev
|
version: 1.6.5
|
||||||
groups:
|
groups:
|
||||||
- cpp
|
- cpp
|
||||||
- queries
|
- queries
|
||||||
|
|||||||
@@ -1,3 +1,7 @@
|
|||||||
|
## 1.7.69
|
||||||
|
|
||||||
|
No user-facing changes.
|
||||||
|
|
||||||
## 1.7.68
|
## 1.7.68
|
||||||
|
|
||||||
No user-facing changes.
|
No user-facing changes.
|
||||||
|
|||||||
@@ -0,0 +1,3 @@
|
|||||||
|
## 1.7.69
|
||||||
|
|
||||||
|
No user-facing changes.
|
||||||
@@ -1,2 +1,2 @@
|
|||||||
---
|
---
|
||||||
lastReleaseVersion: 1.7.68
|
lastReleaseVersion: 1.7.69
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
name: codeql/csharp-solorigate-all
|
name: codeql/csharp-solorigate-all
|
||||||
version: 1.7.69-dev
|
version: 1.7.69
|
||||||
groups:
|
groups:
|
||||||
- csharp
|
- csharp
|
||||||
- solorigate
|
- solorigate
|
||||||
|
|||||||
@@ -1,3 +1,7 @@
|
|||||||
|
## 1.7.69
|
||||||
|
|
||||||
|
No user-facing changes.
|
||||||
|
|
||||||
## 1.7.68
|
## 1.7.68
|
||||||
|
|
||||||
No user-facing changes.
|
No user-facing changes.
|
||||||
|
|||||||
@@ -0,0 +1,3 @@
|
|||||||
|
## 1.7.69
|
||||||
|
|
||||||
|
No user-facing changes.
|
||||||
@@ -1,2 +1,2 @@
|
|||||||
---
|
---
|
||||||
lastReleaseVersion: 1.7.68
|
lastReleaseVersion: 1.7.69
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
name: codeql/csharp-solorigate-queries
|
name: codeql/csharp-solorigate-queries
|
||||||
version: 1.7.69-dev
|
version: 1.7.69
|
||||||
groups:
|
groups:
|
||||||
- csharp
|
- csharp
|
||||||
- solorigate
|
- solorigate
|
||||||
|
|||||||
@@ -1,3 +1,19 @@
|
|||||||
|
## 7.0.0
|
||||||
|
|
||||||
|
### Breaking Changes
|
||||||
|
|
||||||
|
* Renamed types related to *operation* expressions. The QL classes `BinaryArithmeticOperation`, `BinaryBitwiseOperation`, and `BinaryLogicalOperation` now include compound assignments; for example, `BinaryArithmeticOperation` now includes `a += b`.
|
||||||
|
|
||||||
|
### Major Analysis Improvements
|
||||||
|
|
||||||
|
* Added Razor Page handler method parameters (e.g., `OnGet`, `OnPost`, `OnPostAsync`) as remote flow sources, enabling security queries such as `cs/sql-injection` to detect vulnerabilities in `PageModel` subclasses.
|
||||||
|
|
||||||
|
### Minor Analysis Improvements
|
||||||
|
|
||||||
|
* Improved property and indexer call target resolution for partially overridden properties and indexers.
|
||||||
|
* Improved extraction of range-access expressions on spans and strings (for example, `a[0..3]`). These expressions are now extracted as `Slice` (span) or `Substring` (string) calls.
|
||||||
|
* Improved call target resolution for ref-return properties and indexers.
|
||||||
|
|
||||||
## 6.0.2
|
## 6.0.2
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
### Minor Analysis Improvements
|
||||||
|
|||||||
@@ -1,4 +0,0 @@
|
|||||||
---
|
|
||||||
category: minorAnalysis
|
|
||||||
---
|
|
||||||
* Improved call target resolution for ref-return properties and indexers.
|
|
||||||
@@ -1,4 +0,0 @@
|
|||||||
---
|
|
||||||
category: minorAnalysis
|
|
||||||
---
|
|
||||||
* Improved extraction of range-access expressions on spans and strings (for example, `a[0..3]`). These expressions are now extracted as `Slice` (span) or `Substring` (string) calls.
|
|
||||||
@@ -1,4 +0,0 @@
|
|||||||
---
|
|
||||||
category: minorAnalysis
|
|
||||||
---
|
|
||||||
* Improved property and indexer call target resolution for partially overridden properties and indexers.
|
|
||||||
@@ -1,4 +0,0 @@
|
|||||||
---
|
|
||||||
category: majorAnalysis
|
|
||||||
---
|
|
||||||
* Added Razor Page handler method parameters (e.g., `OnGet`, `OnPost`, `OnPostAsync`) as remote flow sources, enabling security queries such as `cs/sql-injection` to detect vulnerabilities in `PageModel` subclasses.
|
|
||||||
@@ -1,4 +0,0 @@
|
|||||||
---
|
|
||||||
category: breaking
|
|
||||||
---
|
|
||||||
* Renamed types related to *operation* expressions. The QL classes `BinaryArithmeticOperation`, `BinaryBitwiseOperation`, and `BinaryLogicalOperation` now include compound assignments; for example, `BinaryArithmeticOperation` now includes `a += b`.
|
|
||||||
15
csharp/ql/lib/change-notes/released/7.0.0.md
Normal file
15
csharp/ql/lib/change-notes/released/7.0.0.md
Normal file
@@ -0,0 +1,15 @@
|
|||||||
|
## 7.0.0
|
||||||
|
|
||||||
|
### Breaking Changes
|
||||||
|
|
||||||
|
* Renamed types related to *operation* expressions. The QL classes `BinaryArithmeticOperation`, `BinaryBitwiseOperation`, and `BinaryLogicalOperation` now include compound assignments; for example, `BinaryArithmeticOperation` now includes `a += b`.
|
||||||
|
|
||||||
|
### Major Analysis Improvements
|
||||||
|
|
||||||
|
* Added Razor Page handler method parameters (e.g., `OnGet`, `OnPost`, `OnPostAsync`) as remote flow sources, enabling security queries such as `cs/sql-injection` to detect vulnerabilities in `PageModel` subclasses.
|
||||||
|
|
||||||
|
### Minor Analysis Improvements
|
||||||
|
|
||||||
|
* Improved property and indexer call target resolution for partially overridden properties and indexers.
|
||||||
|
* Improved extraction of range-access expressions on spans and strings (for example, `a[0..3]`). These expressions are now extracted as `Slice` (span) or `Substring` (string) calls.
|
||||||
|
* Improved call target resolution for ref-return properties and indexers.
|
||||||
@@ -1,2 +1,2 @@
|
|||||||
---
|
---
|
||||||
lastReleaseVersion: 6.0.2
|
lastReleaseVersion: 7.0.0
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
name: codeql/csharp-all
|
name: codeql/csharp-all
|
||||||
version: 6.0.3-dev
|
version: 7.0.0
|
||||||
groups: csharp
|
groups: csharp
|
||||||
dbscheme: semmlecode.csharp.dbscheme
|
dbscheme: semmlecode.csharp.dbscheme
|
||||||
extractor: csharp
|
extractor: csharp
|
||||||
|
|||||||
@@ -1,3 +1,7 @@
|
|||||||
|
## 1.7.5
|
||||||
|
|
||||||
|
No user-facing changes.
|
||||||
|
|
||||||
## 1.7.4
|
## 1.7.4
|
||||||
|
|
||||||
No user-facing changes.
|
No user-facing changes.
|
||||||
|
|||||||
@@ -14,54 +14,6 @@
|
|||||||
|
|
||||||
import csharp
|
import csharp
|
||||||
|
|
||||||
/**
|
|
||||||
* Gets a callable that either directly captures local variable `v`, or which
|
|
||||||
* is enclosed by the callable that declares `v` and encloses a callable that
|
|
||||||
* captures `v`.
|
|
||||||
*/
|
|
||||||
Callable getACapturingCallableAncestor(LocalVariable v) {
|
|
||||||
result = v.getACapturingCallable()
|
|
||||||
or
|
|
||||||
exists(Callable mid | mid = getACapturingCallableAncestor(v) |
|
|
||||||
result = mid.getEnclosingCallable() and
|
|
||||||
not v.getEnclosingCallable() = result
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
Expr getADelegateExpr(Callable c) {
|
|
||||||
c = result.(CallableAccess).getTarget()
|
|
||||||
or
|
|
||||||
result = c.(AnonymousFunctionExpr)
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Holds if `c` is a call where any delegate argument is evaluated immediately.
|
|
||||||
*/
|
|
||||||
predicate nonEscapingCall(Call c) {
|
|
||||||
exists(string name | c.getTarget().hasName(name) |
|
|
||||||
name =
|
|
||||||
[
|
|
||||||
"ForEach", "Count", "Any", "All", "Average", "Aggregate", "First", "Last", "FirstOrDefault",
|
|
||||||
"LastOrDefault", "LongCount", "Max", "Single", "SingleOrDefault", "Sum"
|
|
||||||
]
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Holds if `v` is a captured local variable, and one of the callables capturing
|
|
||||||
* `v` may escape the local scope.
|
|
||||||
*/
|
|
||||||
predicate mayEscape(LocalVariable v) {
|
|
||||||
exists(Callable c, Expr e, Expr succ | c = getACapturingCallableAncestor(v) |
|
|
||||||
e = getADelegateExpr(c) and
|
|
||||||
DataFlow::localExprFlow(e, succ) and
|
|
||||||
not succ = any(DelegateCall dc).getExpr() and
|
|
||||||
not succ = any(Cast cast).getExpr() and
|
|
||||||
not succ = any(Call call | nonEscapingCall(call)).getAnArgument() and
|
|
||||||
not succ = any(AssignableDefinition ad | ad.getTarget() instanceof LocalVariable).getSource()
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
class RelevantDefinition extends AssignableDefinition {
|
class RelevantDefinition extends AssignableDefinition {
|
||||||
RelevantDefinition() {
|
RelevantDefinition() {
|
||||||
this.(AssignableDefinitions::AssignmentDefinition).getAssignment() =
|
this.(AssignableDefinitions::AssignmentDefinition).getAssignment() =
|
||||||
@@ -94,8 +46,6 @@ class RelevantDefinition extends AssignableDefinition {
|
|||||||
// SSA definitions are only created for live variables
|
// SSA definitions are only created for live variables
|
||||||
this = any(SsaExplicitWrite ssaDef).getDefinition()
|
this = any(SsaExplicitWrite ssaDef).getDefinition()
|
||||||
or
|
or
|
||||||
mayEscape(v)
|
|
||||||
or
|
|
||||||
v.isCaptured()
|
v.isCaptured()
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|||||||
3
csharp/ql/src/change-notes/released/1.7.5.md
Normal file
3
csharp/ql/src/change-notes/released/1.7.5.md
Normal file
@@ -0,0 +1,3 @@
|
|||||||
|
## 1.7.5
|
||||||
|
|
||||||
|
No user-facing changes.
|
||||||
@@ -1,2 +1,2 @@
|
|||||||
---
|
---
|
||||||
lastReleaseVersion: 1.7.4
|
lastReleaseVersion: 1.7.5
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
name: codeql/csharp-queries
|
name: codeql/csharp-queries
|
||||||
version: 1.7.5-dev
|
version: 1.7.5
|
||||||
groups:
|
groups:
|
||||||
- csharp
|
- csharp
|
||||||
- queries
|
- queries
|
||||||
|
|||||||
@@ -1,3 +1,7 @@
|
|||||||
|
## 1.0.52
|
||||||
|
|
||||||
|
No user-facing changes.
|
||||||
|
|
||||||
## 1.0.51
|
## 1.0.51
|
||||||
|
|
||||||
No user-facing changes.
|
No user-facing changes.
|
||||||
|
|||||||
@@ -0,0 +1,3 @@
|
|||||||
|
## 1.0.52
|
||||||
|
|
||||||
|
No user-facing changes.
|
||||||
@@ -1,2 +1,2 @@
|
|||||||
---
|
---
|
||||||
lastReleaseVersion: 1.0.51
|
lastReleaseVersion: 1.0.52
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
name: codeql-go-consistency-queries
|
name: codeql-go-consistency-queries
|
||||||
version: 1.0.52-dev
|
version: 1.0.52
|
||||||
groups:
|
groups:
|
||||||
- go
|
- go
|
||||||
- queries
|
- queries
|
||||||
|
|||||||
@@ -1,3 +1,20 @@
|
|||||||
|
## 7.2.0
|
||||||
|
|
||||||
|
### Deprecated APIs
|
||||||
|
|
||||||
|
* `FuncTypeExpr.getResultDecl()` has been deprecated. Use `FuncTypeExpr.getResultDecl(int i)` instead.
|
||||||
|
|
||||||
|
### Minor Analysis Improvements
|
||||||
|
|
||||||
|
* Added models for the `log/slog` package (Go 1.21+). Its logging functions and
|
||||||
|
`*slog.Logger` methods (`Debug`/`Info`/`Warn`/`Error`, their `Context`
|
||||||
|
variants, and `Log`/`LogAttrs`) are now recognized as logging sinks, so the
|
||||||
|
`go/log-injection` and `go/clear-text-logging` queries cover code that logs
|
||||||
|
through `slog`.
|
||||||
|
* `DataFlow::ResultNode`s are no longer created for returned expressions in functions with named result parameters. In this case there are already result nodes corresponding to `IR::ReadResultInstruction`s at the end of the function body.
|
||||||
|
* `FuncTypeExpr.getNumResult()` now gets the number of result parameters. It previously got the number of result declarations, which is different when one result declaration declares more than one variable, as in `x, y int`. All uses of it expected the number of result parameters. Its QLDoc has been updated.
|
||||||
|
* More logging functions are now recognized as not returning or panicking.
|
||||||
|
|
||||||
## 7.1.2
|
## 7.1.2
|
||||||
|
|
||||||
No user-facing changes.
|
No user-facing changes.
|
||||||
|
|||||||
@@ -1,4 +0,0 @@
|
|||||||
---
|
|
||||||
category: minorAnalysis
|
|
||||||
---
|
|
||||||
* More logging functions are now recognized as not returning or panicking.
|
|
||||||
@@ -1,4 +0,0 @@
|
|||||||
---
|
|
||||||
category: deprecated
|
|
||||||
---
|
|
||||||
* `FuncTypeExpr.getResultDecl()` has been deprecated. Use `FuncTypeExpr.getResultDecl(int i)` instead.
|
|
||||||
@@ -1,4 +0,0 @@
|
|||||||
---
|
|
||||||
category: minorAnalysis
|
|
||||||
---
|
|
||||||
* `DataFlow::ResultNode`s are no longer created for returned expressions in functions with named result parameters. In this case there are already result nodes corresponding to `IR::ReadResultInstruction`s at the end of the function body.
|
|
||||||
@@ -1,4 +0,0 @@
|
|||||||
---
|
|
||||||
category: minorAnalysis
|
|
||||||
---
|
|
||||||
* `FuncTypeExpr.getNumResult()` now gets the number of result parameters. It previously got the number of result declarations, which is different when one result declaration declares more than one variable, as in `x, y int`. All uses of it expected the number of result parameters. Its QLDoc has been updated.
|
|
||||||
@@ -1,8 +0,0 @@
|
|||||||
---
|
|
||||||
category: minorAnalysis
|
|
||||||
---
|
|
||||||
* Added models for the `log/slog` package (Go 1.21+). Its logging functions and
|
|
||||||
`*slog.Logger` methods (`Debug`/`Info`/`Warn`/`Error`, their `Context`
|
|
||||||
variants, and `Log`/`LogAttrs`) are now recognized as logging sinks, so the
|
|
||||||
`go/log-injection` and `go/clear-text-logging` queries cover code that logs
|
|
||||||
through `slog`.
|
|
||||||
16
go/ql/lib/change-notes/released/7.2.0.md
Normal file
16
go/ql/lib/change-notes/released/7.2.0.md
Normal file
@@ -0,0 +1,16 @@
|
|||||||
|
## 7.2.0
|
||||||
|
|
||||||
|
### Deprecated APIs
|
||||||
|
|
||||||
|
* `FuncTypeExpr.getResultDecl()` has been deprecated. Use `FuncTypeExpr.getResultDecl(int i)` instead.
|
||||||
|
|
||||||
|
### Minor Analysis Improvements
|
||||||
|
|
||||||
|
* Added models for the `log/slog` package (Go 1.21+). Its logging functions and
|
||||||
|
`*slog.Logger` methods (`Debug`/`Info`/`Warn`/`Error`, their `Context`
|
||||||
|
variants, and `Log`/`LogAttrs`) are now recognized as logging sinks, so the
|
||||||
|
`go/log-injection` and `go/clear-text-logging` queries cover code that logs
|
||||||
|
through `slog`.
|
||||||
|
* `DataFlow::ResultNode`s are no longer created for returned expressions in functions with named result parameters. In this case there are already result nodes corresponding to `IR::ReadResultInstruction`s at the end of the function body.
|
||||||
|
* `FuncTypeExpr.getNumResult()` now gets the number of result parameters. It previously got the number of result declarations, which is different when one result declaration declares more than one variable, as in `x, y int`. All uses of it expected the number of result parameters. Its QLDoc has been updated.
|
||||||
|
* More logging functions are now recognized as not returning or panicking.
|
||||||
@@ -1,2 +1,2 @@
|
|||||||
---
|
---
|
||||||
lastReleaseVersion: 7.1.2
|
lastReleaseVersion: 7.2.0
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
name: codeql/go-all
|
name: codeql/go-all
|
||||||
version: 7.1.3-dev
|
version: 7.2.0
|
||||||
groups: go
|
groups: go
|
||||||
dbscheme: go.dbscheme
|
dbscheme: go.dbscheme
|
||||||
extractor: go
|
extractor: go
|
||||||
|
|||||||
@@ -1,3 +1,9 @@
|
|||||||
|
## 1.6.5
|
||||||
|
|
||||||
|
### Minor Analysis Improvements
|
||||||
|
|
||||||
|
* The query `go/unhandled-writable-file-close` ("Writable file handle closed without error handling") now produces fewer false positives. A deferred call to `Close` that is preceded on every execution path by a handled call to `Sync` on the same file handle is no longer flagged.
|
||||||
|
|
||||||
## 1.6.4
|
## 1.6.4
|
||||||
|
|
||||||
No user-facing changes.
|
No user-facing changes.
|
||||||
|
|||||||
@@ -1,4 +1,5 @@
|
|||||||
---
|
## 1.6.5
|
||||||
category: minorAnalysis
|
|
||||||
---
|
### Minor Analysis Improvements
|
||||||
|
|
||||||
* The query `go/unhandled-writable-file-close` ("Writable file handle closed without error handling") now produces fewer false positives. A deferred call to `Close` that is preceded on every execution path by a handled call to `Sync` on the same file handle is no longer flagged.
|
* The query `go/unhandled-writable-file-close` ("Writable file handle closed without error handling") now produces fewer false positives. A deferred call to `Close` that is preceded on every execution path by a handled call to `Sync` on the same file handle is no longer flagged.
|
||||||
@@ -1,2 +1,2 @@
|
|||||||
---
|
---
|
||||||
lastReleaseVersion: 1.6.4
|
lastReleaseVersion: 1.6.5
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
name: codeql/go-queries
|
name: codeql/go-queries
|
||||||
version: 1.6.5-dev
|
version: 1.6.5
|
||||||
groups:
|
groups:
|
||||||
- go
|
- go
|
||||||
- queries
|
- queries
|
||||||
|
|||||||
@@ -0,0 +1,10 @@
|
|||||||
|
<settings>
|
||||||
|
<mirrors>
|
||||||
|
<mirror>
|
||||||
|
<id>google-maven-central</id>
|
||||||
|
<name>GCS Maven Central mirror</name>
|
||||||
|
<url>https://maven-central.storage-download.googleapis.com/maven2/</url>
|
||||||
|
<mirrorOf>central</mirrorOf>
|
||||||
|
</mirror>
|
||||||
|
</mirrors>
|
||||||
|
</settings>
|
||||||
@@ -21,6 +21,7 @@ def test(codeql, java, cwd, check_diagnostics_java):
|
|||||||
_env={
|
_env={
|
||||||
"MAVEN_OPTS": maven_opts,
|
"MAVEN_OPTS": maven_opts,
|
||||||
"CODEQL_JAVA_EXTRACTOR_TRUST_STORE_PATH": str(certspath),
|
"CODEQL_JAVA_EXTRACTOR_TRUST_STORE_PATH": str(certspath),
|
||||||
|
"LGTM_INDEX_MAVEN_SETTINGS_FILE": os.path.join(os.path.dirname(os.path.realpath(__file__)), "settings.xml"),
|
||||||
},
|
},
|
||||||
)
|
)
|
||||||
finally:
|
finally:
|
||||||
|
|||||||
@@ -1,3 +1,5 @@
|
|||||||
|
https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.jar
|
||||||
|
https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
|
||||||
https://repo.jenkins-ci.org/releases/org/jenkins-ci/main/jenkins-war/2.249/jenkins-war-2.249.war
|
https://repo.jenkins-ci.org/releases/org/jenkins-ci/main/jenkins-war/2.249/jenkins-war-2.249.war
|
||||||
https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
|
https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
|
||||||
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
|
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
|
||||||
@@ -10,9 +12,7 @@ https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-example_2.11/0.1.2/r
|
|||||||
https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-java-example_2.11/0.1.2/rx-redis-java-example_2.11-0.1.2.jar
|
https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-java-example_2.11/0.1.2/rx-redis-java-example_2.11-0.1.2.jar
|
||||||
https://repo.maven.apache.org/maven2/io/github/scrollsyou/example-spring-boot-starter/1.0.0/example-spring-boot-starter-1.0.0.jar
|
https://repo.maven.apache.org/maven2/io/github/scrollsyou/example-spring-boot-starter/1.0.0/example-spring-boot-starter-1.0.0.jar
|
||||||
https://repo.maven.apache.org/maven2/io/streamnative/com/example/maven-central-template/server/3.0.0/server-3.0.0.jar
|
https://repo.maven.apache.org/maven2/io/streamnative/com/example/maven-central-template/server/3.0.0/server-3.0.0.jar
|
||||||
https://repo.maven.apache.org/maven2/junit/junit/4.11/junit-4.11.jar
|
|
||||||
https://repo.maven.apache.org/maven2/no/nav/security/token-validation-ktor-demo/3.1.0/token-validation-ktor-demo-3.1.0.jar
|
https://repo.maven.apache.org/maven2/no/nav/security/token-validation-ktor-demo/3.1.0/token-validation-ktor-demo-3.1.0.jar
|
||||||
https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
|
|
||||||
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-fileupload/0.5.10/minijax-example-fileupload-0.5.10.jar
|
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-fileupload/0.5.10/minijax-example-fileupload-0.5.10.jar
|
||||||
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-inject/0.5.10/minijax-example-inject-0.5.10.jar
|
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-inject/0.5.10/minijax-example-inject-0.5.10.jar
|
||||||
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-json/0.5.10/minijax-example-json-0.5.10.jar
|
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-json/0.5.10/minijax-example-json-0.5.10.jar
|
||||||
|
|||||||
@@ -0,0 +1,10 @@
|
|||||||
|
<settings>
|
||||||
|
<mirrors>
|
||||||
|
<mirror>
|
||||||
|
<id>google-maven-central</id>
|
||||||
|
<name>GCS Maven Central mirror</name>
|
||||||
|
<url>https://maven-central.storage-download.googleapis.com/maven2/</url>
|
||||||
|
<mirrorOf>central</mirrorOf>
|
||||||
|
</mirror>
|
||||||
|
</mirrors>
|
||||||
|
</settings>
|
||||||
@@ -1,4 +1,5 @@
|
|||||||
pom.xml
|
pom.xml
|
||||||
|
settings.xml
|
||||||
src/main/java/com/example/App.java
|
src/main/java/com/example/App.java
|
||||||
src/main/resources/my-app.properties
|
src/main/resources/my-app.properties
|
||||||
src/main/resources/page.xml
|
src/main/resources/page.xml
|
||||||
|
|||||||
@@ -1,7 +1,10 @@
|
|||||||
|
import os
|
||||||
|
|
||||||
def test(codeql, java, check_diagnostics_java):
|
def test(codeql, java, check_diagnostics_java):
|
||||||
codeql.database.create(
|
codeql.database.create(
|
||||||
_env={
|
_env={
|
||||||
"CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS": "true",
|
"CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS": "true",
|
||||||
"CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS_CLASSPATH_FROM_BUILD_FILES": "true",
|
"CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS_CLASSPATH_FROM_BUILD_FILES": "true",
|
||||||
|
"LGTM_INDEX_MAVEN_SETTINGS_FILE": os.path.join(os.path.dirname(os.path.realpath(__file__)), "settings.xml"),
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
|
|||||||
@@ -1,3 +1,5 @@
|
|||||||
|
https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.jar
|
||||||
|
https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
|
||||||
https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
|
https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
|
||||||
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
|
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
|
||||||
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/example-project/1.5/example-project-1.5.jar
|
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/example-project/1.5/example-project-1.5.jar
|
||||||
@@ -9,9 +11,7 @@ https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-example_2.11/0.1.2/r
|
|||||||
https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-java-example_2.11/0.1.2/rx-redis-java-example_2.11-0.1.2.jar
|
https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-java-example_2.11/0.1.2/rx-redis-java-example_2.11-0.1.2.jar
|
||||||
https://repo.maven.apache.org/maven2/io/github/scrollsyou/example-spring-boot-starter/1.0.0/example-spring-boot-starter-1.0.0.jar
|
https://repo.maven.apache.org/maven2/io/github/scrollsyou/example-spring-boot-starter/1.0.0/example-spring-boot-starter-1.0.0.jar
|
||||||
https://repo.maven.apache.org/maven2/io/streamnative/com/example/maven-central-template/server/3.0.0/server-3.0.0.jar
|
https://repo.maven.apache.org/maven2/io/streamnative/com/example/maven-central-template/server/3.0.0/server-3.0.0.jar
|
||||||
https://repo.maven.apache.org/maven2/junit/junit/4.11/junit-4.11.jar
|
|
||||||
https://repo.maven.apache.org/maven2/no/nav/security/token-validation-ktor-demo/3.1.0/token-validation-ktor-demo-3.1.0.jar
|
https://repo.maven.apache.org/maven2/no/nav/security/token-validation-ktor-demo/3.1.0/token-validation-ktor-demo-3.1.0.jar
|
||||||
https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
|
|
||||||
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-fileupload/0.5.10/minijax-example-fileupload-0.5.10.jar
|
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-fileupload/0.5.10/minijax-example-fileupload-0.5.10.jar
|
||||||
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-inject/0.5.10/minijax-example-inject-0.5.10.jar
|
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-inject/0.5.10/minijax-example-inject-0.5.10.jar
|
||||||
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-json/0.5.10/minijax-example-json-0.5.10.jar
|
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-json/0.5.10/minijax-example-json-0.5.10.jar
|
||||||
|
|||||||
@@ -1,6 +1,6 @@
|
|||||||
Downloaded from central: https://repo.maven.apache.org/maven2/junit/junit/4.11/junit-4.11.pom
|
Downloaded from central: https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.pom
|
||||||
Downloaded from central: https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.pom
|
Downloaded from central: https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.pom
|
||||||
Downloaded from central: https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-parent/1.3/hamcrest-parent-1.3.pom
|
Downloaded from central: https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-parent/1.3/hamcrest-parent-1.3.pom
|
||||||
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.18.6/jackson-annotations-2.18.6.jar
|
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.18.6/jackson-annotations-2.18.6.jar
|
||||||
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.18.6/jackson-annotations-2.18.6.pom
|
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.18.6/jackson-annotations-2.18.6.pom
|
||||||
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-core/2.18.6/jackson-core-2.18.6.jar
|
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-core/2.18.6/jackson-core-2.18.6.jar
|
||||||
|
|||||||
@@ -111,4 +111,30 @@
|
|||||||
</plugins>
|
</plugins>
|
||||||
</pluginManagement>
|
</pluginManagement>
|
||||||
</build>
|
</build>
|
||||||
|
|
||||||
|
<!-- Use the Google Cloud Storage mirror of Maven Central for better download speeds and reliability -->
|
||||||
|
<repositories>
|
||||||
|
<repository>
|
||||||
|
<id>central</id>
|
||||||
|
<url>https://maven-central.storage-download.googleapis.com/maven2/</url>
|
||||||
|
<snapshots>
|
||||||
|
<enabled>true</enabled>
|
||||||
|
</snapshots>
|
||||||
|
<releases>
|
||||||
|
<enabled>true</enabled>
|
||||||
|
</releases>
|
||||||
|
</repository>
|
||||||
|
</repositories>
|
||||||
|
<pluginRepositories>
|
||||||
|
<pluginRepository>
|
||||||
|
<id>central</id>
|
||||||
|
<url>https://maven-central.storage-download.googleapis.com/maven2/</url>
|
||||||
|
<snapshots>
|
||||||
|
<enabled>true</enabled>
|
||||||
|
</snapshots>
|
||||||
|
<releases>
|
||||||
|
<enabled>true</enabled>
|
||||||
|
</releases>
|
||||||
|
</pluginRepository>
|
||||||
|
</pluginRepositories>
|
||||||
</project>
|
</project>
|
||||||
@@ -1,3 +1,5 @@
|
|||||||
|
https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.jar
|
||||||
|
https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
|
||||||
https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
|
https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
|
||||||
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
|
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
|
||||||
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/example-project/1.5/example-project-1.5.jar
|
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/example-project/1.5/example-project-1.5.jar
|
||||||
@@ -22,5 +24,3 @@ https://repo.maven.apache.org/maven2/org/minijax/minijax-example-websocket/0.5.1
|
|||||||
https://repo.maven.apache.org/maven2/org/scalamock/scalamock-examples_2.10/3.6.0/scalamock-examples_2.10-3.6.0.jar
|
https://repo.maven.apache.org/maven2/org/scalamock/scalamock-examples_2.10/3.6.0/scalamock-examples_2.10-3.6.0.jar
|
||||||
https://repo.maven.apache.org/maven2/org/somda/sdc/glue-examples/4.0.0/glue-examples-4.0.0.jar
|
https://repo.maven.apache.org/maven2/org/somda/sdc/glue-examples/4.0.0/glue-examples-4.0.0.jar
|
||||||
https://repo.maven.apache.org/maven2/us/fatehi/schemacrawler-examplecode/16.20.2/schemacrawler-examplecode-16.20.2.jar
|
https://repo.maven.apache.org/maven2/us/fatehi/schemacrawler-examplecode/16.20.2/schemacrawler-examplecode-16.20.2.jar
|
||||||
https://repo1.maven.org/maven2/junit/junit/4.11/junit-4.11.jar
|
|
||||||
https://repo1.maven.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
|
|
||||||
|
|||||||
@@ -73,6 +73,6 @@ Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferst
|
|||||||
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/sonatype/oss/oss-parent/7/oss-parent-7.pom
|
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/sonatype/oss/oss-parent/7/oss-parent-7.pom
|
||||||
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/sonatype/oss/oss-parent/9/oss-parent-9.pom
|
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/sonatype/oss/oss-parent/9/oss-parent-9.pom
|
||||||
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/sonatype/spice/spice-parent/17/spice-parent-17.pom
|
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/sonatype/spice/spice-parent/17/spice-parent-17.pom
|
||||||
Downloaded from mirror-force-central: https://repo1.maven.org/maven2/junit/junit/4.11/junit-4.11.pom
|
Downloaded from google-maven-central: https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.pom
|
||||||
Downloaded from mirror-force-central: https://repo1.maven.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.pom
|
Downloaded from google-maven-central: https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.pom
|
||||||
Downloaded from mirror-force-central: https://repo1.maven.org/maven2/org/hamcrest/hamcrest-parent/1.3/hamcrest-parent-1.3.pom
|
Downloaded from google-maven-central: https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-parent/1.3/hamcrest-parent-1.3.pom
|
||||||
|
|||||||
@@ -111,4 +111,30 @@
|
|||||||
</plugins>
|
</plugins>
|
||||||
</pluginManagement>
|
</pluginManagement>
|
||||||
</build>
|
</build>
|
||||||
|
|
||||||
|
<!-- Use the Google Cloud Storage mirror of Maven Central for better download speeds and reliability -->
|
||||||
|
<repositories>
|
||||||
|
<repository>
|
||||||
|
<id>central</id>
|
||||||
|
<url>https://maven-central.storage-download.googleapis.com/maven2/</url>
|
||||||
|
<snapshots>
|
||||||
|
<enabled>true</enabled>
|
||||||
|
</snapshots>
|
||||||
|
<releases>
|
||||||
|
<enabled>true</enabled>
|
||||||
|
</releases>
|
||||||
|
</repository>
|
||||||
|
</repositories>
|
||||||
|
<pluginRepositories>
|
||||||
|
<pluginRepository>
|
||||||
|
<id>central</id>
|
||||||
|
<url>https://maven-central.storage-download.googleapis.com/maven2/</url>
|
||||||
|
<snapshots>
|
||||||
|
<enabled>true</enabled>
|
||||||
|
</snapshots>
|
||||||
|
<releases>
|
||||||
|
<enabled>true</enabled>
|
||||||
|
</releases>
|
||||||
|
</pluginRepository>
|
||||||
|
</pluginRepositories>
|
||||||
</project>
|
</project>
|
||||||
@@ -5,11 +5,11 @@
|
|||||||
|
|
||||||
<mirror>
|
<mirror>
|
||||||
|
|
||||||
<id>mirror-force-central</id>
|
<id>google-maven-central</id>
|
||||||
|
|
||||||
<name>Mirror Repository</name>
|
<name>GCS Maven Central mirror</name>
|
||||||
|
|
||||||
<url>https://repo1.maven.org/maven2</url>
|
<url>https://maven-central.storage-download.googleapis.com/maven2/</url>
|
||||||
|
|
||||||
<mirrorOf>*,!codeql-depgraph-plugin-repo</mirrorOf>
|
<mirrorOf>*,!codeql-depgraph-plugin-repo</mirrorOf>
|
||||||
|
|
||||||
|
|||||||
@@ -1,9 +1,9 @@
|
|||||||
<settings>
|
<settings>
|
||||||
<mirrors>
|
<mirrors>
|
||||||
<mirror>
|
<mirror>
|
||||||
<id>mirror-force-central</id>
|
<id>google-maven-central</id>
|
||||||
<name>Mirror Repository</name>
|
<name>GCS Maven Central mirror</name>
|
||||||
<url>https://repo1.maven.org/maven2</url>
|
<url>https://maven-central.storage-download.googleapis.com/maven2/</url>
|
||||||
<mirrorOf>*</mirrorOf>
|
<mirrorOf>*</mirrorOf>
|
||||||
</mirror>
|
</mirror>
|
||||||
</mirrors>
|
</mirrors>
|
||||||
|
|||||||
@@ -1,3 +1,6 @@
|
|||||||
|
https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.jar
|
||||||
|
https://maven-central.storage-download.googleapis.com/maven2/org/apache/commons/commons-lang3/3.14.0/commons-lang3-3.14.0.jar
|
||||||
|
https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
|
||||||
https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
|
https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
|
||||||
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
|
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
|
||||||
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/example-project/1.5/example-project-1.5.jar
|
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/example-project/1.5/example-project-1.5.jar
|
||||||
@@ -9,10 +12,7 @@ https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-example_2.11/0.1.2/r
|
|||||||
https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-java-example_2.11/0.1.2/rx-redis-java-example_2.11-0.1.2.jar
|
https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-java-example_2.11/0.1.2/rx-redis-java-example_2.11-0.1.2.jar
|
||||||
https://repo.maven.apache.org/maven2/io/github/scrollsyou/example-spring-boot-starter/1.0.0/example-spring-boot-starter-1.0.0.jar
|
https://repo.maven.apache.org/maven2/io/github/scrollsyou/example-spring-boot-starter/1.0.0/example-spring-boot-starter-1.0.0.jar
|
||||||
https://repo.maven.apache.org/maven2/io/streamnative/com/example/maven-central-template/server/3.0.0/server-3.0.0.jar
|
https://repo.maven.apache.org/maven2/io/streamnative/com/example/maven-central-template/server/3.0.0/server-3.0.0.jar
|
||||||
https://repo.maven.apache.org/maven2/junit/junit/4.11/junit-4.11.jar
|
|
||||||
https://repo.maven.apache.org/maven2/no/nav/security/token-validation-ktor-demo/3.1.0/token-validation-ktor-demo-3.1.0.jar
|
https://repo.maven.apache.org/maven2/no/nav/security/token-validation-ktor-demo/3.1.0/token-validation-ktor-demo-3.1.0.jar
|
||||||
https://repo.maven.apache.org/maven2/org/apache/commons/commons-lang3/3.14.0/commons-lang3-3.14.0.jar
|
|
||||||
https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
|
|
||||||
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-fileupload/0.5.10/minijax-example-fileupload-0.5.10.jar
|
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-fileupload/0.5.10/minijax-example-fileupload-0.5.10.jar
|
||||||
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-inject/0.5.10/minijax-example-inject-0.5.10.jar
|
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-inject/0.5.10/minijax-example-inject-0.5.10.jar
|
||||||
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-json/0.5.10/minijax-example-json-0.5.10.jar
|
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-json/0.5.10/minijax-example-json-0.5.10.jar
|
||||||
|
|||||||
@@ -0,0 +1,10 @@
|
|||||||
|
<settings>
|
||||||
|
<mirrors>
|
||||||
|
<mirror>
|
||||||
|
<id>google-maven-central</id>
|
||||||
|
<name>GCS Maven Central mirror</name>
|
||||||
|
<url>https://maven-central.storage-download.googleapis.com/maven2/</url>
|
||||||
|
<mirrorOf>central</mirrorOf>
|
||||||
|
</mirror>
|
||||||
|
</mirrors>
|
||||||
|
</settings>
|
||||||
@@ -1,4 +1,5 @@
|
|||||||
pom.xml
|
pom.xml
|
||||||
|
settings.xml
|
||||||
submod1/pom.xml
|
submod1/pom.xml
|
||||||
submod1/src/main/java/com/example/App.java
|
submod1/src/main/java/com/example/App.java
|
||||||
submod1/src/main/resources/my-app.properties
|
submod1/src/main/resources/my-app.properties
|
||||||
|
|||||||
@@ -1,7 +1,10 @@
|
|||||||
|
import os
|
||||||
|
|
||||||
def test(codeql, java, check_diagnostics_java):
|
def test(codeql, java, check_diagnostics_java):
|
||||||
codeql.database.create(
|
codeql.database.create(
|
||||||
_env={
|
_env={
|
||||||
"CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS": "true",
|
"CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS": "true",
|
||||||
"CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS_CLASSPATH_FROM_BUILD_FILES": "true",
|
"CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS_CLASSPATH_FROM_BUILD_FILES": "true",
|
||||||
|
"LGTM_INDEX_MAVEN_SETTINGS_FILE": os.path.join(os.path.dirname(os.path.realpath(__file__)), "settings.xml"),
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
|
|||||||
@@ -0,0 +1,10 @@
|
|||||||
|
<settings>
|
||||||
|
<mirrors>
|
||||||
|
<mirror>
|
||||||
|
<id>google-maven-central</id>
|
||||||
|
<name>GCS Maven Central mirror</name>
|
||||||
|
<url>https://maven-central.storage-download.googleapis.com/maven2/</url>
|
||||||
|
<mirrorOf>central</mirrorOf>
|
||||||
|
</mirror>
|
||||||
|
</mirrors>
|
||||||
|
</settings>
|
||||||
@@ -1,5 +1,6 @@
|
|||||||
.mvn/wrapper/maven-wrapper.properties
|
.mvn/wrapper/maven-wrapper.properties
|
||||||
pom.xml
|
pom.xml
|
||||||
|
settings.xml
|
||||||
src/main/java/com/example/App.java
|
src/main/java/com/example/App.java
|
||||||
src/main/resources/my-app.properties
|
src/main/resources/my-app.properties
|
||||||
src/main/resources/page.xml
|
src/main/resources/page.xml
|
||||||
|
|||||||
@@ -1,6 +1,11 @@
|
|||||||
|
import os
|
||||||
|
|
||||||
def test(codeql, java, check_diagnostics_java):
|
def test(codeql, java, check_diagnostics_java):
|
||||||
# mvnw has been rigged to stall for a long time by trying to fetch from a black-hole IP. We should find the timeout logic fires and buildless aborts the Maven run quickly.
|
# mvnw has been rigged to stall for a long time by trying to fetch from a black-hole IP. We should find the timeout logic fires and buildless aborts the Maven run quickly.
|
||||||
codeql.database.create(
|
codeql.database.create(
|
||||||
build_mode="none",
|
build_mode="none",
|
||||||
_env={"CODEQL_EXTRACTOR_JAVA_BUILDLESS_CHILD_PROCESS_IDLE_TIMEOUT": "5"},
|
_env={
|
||||||
|
"CODEQL_EXTRACTOR_JAVA_BUILDLESS_CHILD_PROCESS_IDLE_TIMEOUT": "5",
|
||||||
|
"LGTM_INDEX_MAVEN_SETTINGS_FILE": os.path.join(os.path.dirname(os.path.realpath(__file__)), "settings.xml"),
|
||||||
|
},
|
||||||
)
|
)
|
||||||
|
|||||||
@@ -0,0 +1,10 @@
|
|||||||
|
<settings>
|
||||||
|
<mirrors>
|
||||||
|
<mirror>
|
||||||
|
<id>google-maven-central</id>
|
||||||
|
<name>GCS Maven Central mirror</name>
|
||||||
|
<url>https://maven-central.storage-download.googleapis.com/maven2/</url>
|
||||||
|
<mirrorOf>central</mirrorOf>
|
||||||
|
</mirror>
|
||||||
|
</mirrors>
|
||||||
|
</settings>
|
||||||
@@ -1,4 +1,9 @@
|
|||||||
|
import os
|
||||||
|
|
||||||
def test(codeql, java, check_diagnostics_java):
|
def test(codeql, java, check_diagnostics_java):
|
||||||
codeql.database.create(
|
codeql.database.create(
|
||||||
build_mode="none",
|
build_mode="none",
|
||||||
|
_env={
|
||||||
|
"LGTM_INDEX_MAVEN_SETTINGS_FILE": os.path.join(os.path.dirname(os.path.realpath(__file__)), "settings.xml"),
|
||||||
|
}
|
||||||
)
|
)
|
||||||
|
|||||||
@@ -1,3 +1,5 @@
|
|||||||
|
https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.jar
|
||||||
|
https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
|
||||||
https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
|
https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
|
||||||
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
|
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
|
||||||
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/example-project/1.5/example-project-1.5.jar
|
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/example-project/1.5/example-project-1.5.jar
|
||||||
@@ -9,9 +11,7 @@ https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-example_2.11/0.1.2/r
|
|||||||
https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-java-example_2.11/0.1.2/rx-redis-java-example_2.11-0.1.2.jar
|
https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-java-example_2.11/0.1.2/rx-redis-java-example_2.11-0.1.2.jar
|
||||||
https://repo.maven.apache.org/maven2/io/github/scrollsyou/example-spring-boot-starter/1.0.0/example-spring-boot-starter-1.0.0.jar
|
https://repo.maven.apache.org/maven2/io/github/scrollsyou/example-spring-boot-starter/1.0.0/example-spring-boot-starter-1.0.0.jar
|
||||||
https://repo.maven.apache.org/maven2/io/streamnative/com/example/maven-central-template/server/3.0.0/server-3.0.0.jar
|
https://repo.maven.apache.org/maven2/io/streamnative/com/example/maven-central-template/server/3.0.0/server-3.0.0.jar
|
||||||
https://repo.maven.apache.org/maven2/junit/junit/4.11/junit-4.11.jar
|
|
||||||
https://repo.maven.apache.org/maven2/no/nav/security/token-validation-ktor-demo/3.1.0/token-validation-ktor-demo-3.1.0.jar
|
https://repo.maven.apache.org/maven2/no/nav/security/token-validation-ktor-demo/3.1.0/token-validation-ktor-demo-3.1.0.jar
|
||||||
https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
|
|
||||||
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-fileupload/0.5.10/minijax-example-fileupload-0.5.10.jar
|
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-fileupload/0.5.10/minijax-example-fileupload-0.5.10.jar
|
||||||
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-inject/0.5.10/minijax-example-inject-0.5.10.jar
|
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-inject/0.5.10/minijax-example-inject-0.5.10.jar
|
||||||
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-json/0.5.10/minijax-example-json-0.5.10.jar
|
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-json/0.5.10/minijax-example-json-0.5.10.jar
|
||||||
|
|||||||
@@ -1,6 +1,6 @@
|
|||||||
Downloaded from central: https://repo.maven.apache.org/maven2/junit/junit/4.11/junit-4.11.pom
|
Downloaded from central: https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.pom
|
||||||
Downloaded from central: https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.pom
|
Downloaded from central: https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.pom
|
||||||
Downloaded from central: https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-parent/1.3/hamcrest-parent-1.3.pom
|
Downloaded from central: https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-parent/1.3/hamcrest-parent-1.3.pom
|
||||||
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.18.6/jackson-annotations-2.18.6.jar
|
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.18.6/jackson-annotations-2.18.6.jar
|
||||||
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.18.6/jackson-annotations-2.18.6.pom
|
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.18.6/jackson-annotations-2.18.6.pom
|
||||||
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-core/2.18.6/jackson-core-2.18.6.jar
|
Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-core/2.18.6/jackson-core-2.18.6.jar
|
||||||
|
|||||||
@@ -111,4 +111,30 @@
|
|||||||
</plugins>
|
</plugins>
|
||||||
</pluginManagement>
|
</pluginManagement>
|
||||||
</build>
|
</build>
|
||||||
|
|
||||||
|
<!-- Use the Google Cloud Storage mirror of Maven Central for better download speeds and reliability -->
|
||||||
|
<repositories>
|
||||||
|
<repository>
|
||||||
|
<id>central</id>
|
||||||
|
<url>https://maven-central.storage-download.googleapis.com/maven2/</url>
|
||||||
|
<snapshots>
|
||||||
|
<enabled>true</enabled>
|
||||||
|
</snapshots>
|
||||||
|
<releases>
|
||||||
|
<enabled>true</enabled>
|
||||||
|
</releases>
|
||||||
|
</repository>
|
||||||
|
</repositories>
|
||||||
|
<pluginRepositories>
|
||||||
|
<pluginRepository>
|
||||||
|
<id>central</id>
|
||||||
|
<url>https://maven-central.storage-download.googleapis.com/maven2/</url>
|
||||||
|
<snapshots>
|
||||||
|
<enabled>true</enabled>
|
||||||
|
</snapshots>
|
||||||
|
<releases>
|
||||||
|
<enabled>true</enabled>
|
||||||
|
</releases>
|
||||||
|
</pluginRepository>
|
||||||
|
</pluginRepositories>
|
||||||
</project>
|
</project>
|
||||||
@@ -1,3 +1,5 @@
|
|||||||
|
https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.jar
|
||||||
|
https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
|
||||||
https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
|
https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
|
||||||
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
|
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
|
||||||
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/example-project/1.5/example-project-1.5.jar
|
https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/example-project/1.5/example-project-1.5.jar
|
||||||
@@ -9,9 +11,7 @@ https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-example_2.11/0.1.2/r
|
|||||||
https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-java-example_2.11/0.1.2/rx-redis-java-example_2.11-0.1.2.jar
|
https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-java-example_2.11/0.1.2/rx-redis-java-example_2.11-0.1.2.jar
|
||||||
https://repo.maven.apache.org/maven2/io/github/scrollsyou/example-spring-boot-starter/1.0.0/example-spring-boot-starter-1.0.0.jar
|
https://repo.maven.apache.org/maven2/io/github/scrollsyou/example-spring-boot-starter/1.0.0/example-spring-boot-starter-1.0.0.jar
|
||||||
https://repo.maven.apache.org/maven2/io/streamnative/com/example/maven-central-template/server/3.0.0/server-3.0.0.jar
|
https://repo.maven.apache.org/maven2/io/streamnative/com/example/maven-central-template/server/3.0.0/server-3.0.0.jar
|
||||||
https://repo.maven.apache.org/maven2/junit/junit/4.11/junit-4.11.jar
|
|
||||||
https://repo.maven.apache.org/maven2/no/nav/security/token-validation-ktor-demo/3.1.0/token-validation-ktor-demo-3.1.0.jar
|
https://repo.maven.apache.org/maven2/no/nav/security/token-validation-ktor-demo/3.1.0/token-validation-ktor-demo-3.1.0.jar
|
||||||
https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
|
|
||||||
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-fileupload/0.5.10/minijax-example-fileupload-0.5.10.jar
|
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-fileupload/0.5.10/minijax-example-fileupload-0.5.10.jar
|
||||||
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-inject/0.5.10/minijax-example-inject-0.5.10.jar
|
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-inject/0.5.10/minijax-example-inject-0.5.10.jar
|
||||||
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-json/0.5.10/minijax-example-json-0.5.10.jar
|
https://repo.maven.apache.org/maven2/org/minijax/minijax-example-json/0.5.10/minijax-example-json-0.5.10.jar
|
||||||
|
|||||||
@@ -0,0 +1,10 @@
|
|||||||
|
<settings>
|
||||||
|
<mirrors>
|
||||||
|
<mirror>
|
||||||
|
<id>google-maven-central</id>
|
||||||
|
<name>GCS Maven Central mirror</name>
|
||||||
|
<url>https://maven-central.storage-download.googleapis.com/maven2/</url>
|
||||||
|
<mirrorOf>central</mirrorOf>
|
||||||
|
</mirror>
|
||||||
|
</mirrors>
|
||||||
|
</settings>
|
||||||
@@ -1,4 +1,5 @@
|
|||||||
pom.xml
|
pom.xml
|
||||||
|
settings.xml
|
||||||
src/main/java/com/example/App.java
|
src/main/java/com/example/App.java
|
||||||
src/main/resources/my-app.properties
|
src/main/resources/my-app.properties
|
||||||
src/main/resources/page.xml
|
src/main/resources/page.xml
|
||||||
|
|||||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user