mirror of
https://github.com/github/codeql.git
synced 2026-05-26 17:11:24 +02:00
Compare commits
1 Commits
oscarsj/te
...
redsun82/f
| Author | SHA1 | Date | |
|---|---|---|---|
|
784906315e |
4
.bazelrc
4
.bazelrc
@@ -12,9 +12,6 @@ common --override_module=semmle_code=%workspace%/misc/bazel/semmle_code_stub
|
||||
|
||||
build --repo_env=CC=clang --repo_env=CXX=clang++
|
||||
|
||||
# print test output, like sembuild does.
|
||||
# Set to `errors` if this is too verbose.
|
||||
test --test_output all
|
||||
# we use transitions that break builds of `...`, so for `test` to work with that we need the following
|
||||
test --build_tests_only
|
||||
|
||||
@@ -37,6 +34,5 @@ build --java_language_version=17
|
||||
build --tool_java_language_version=17
|
||||
build --tool_java_runtime_version=remotejdk_17
|
||||
build --java_runtime_version=remotejdk_17
|
||||
build --@rules_python//python/config_settings:python_version=3.12
|
||||
|
||||
try-import %workspace%/local.bazelrc
|
||||
|
||||
@@ -8,5 +8,3 @@ common --registry=https://bcr.bazel.build
|
||||
# its implementation packages without providing any code itself.
|
||||
# We either can depend on internal implementation details, or turn of strict deps.
|
||||
common --@rules_dotnet//dotnet/settings:strict_deps=false
|
||||
|
||||
build --@rules_python//python/config_settings:python_version=3.12
|
||||
|
||||
@@ -1 +1 @@
|
||||
8.1.1
|
||||
8.0.0
|
||||
|
||||
@@ -1,7 +0,0 @@
|
||||
FROM mcr.microsoft.com/devcontainers/base:ubuntu-24.04
|
||||
|
||||
USER root
|
||||
# Install needed packages according to https://codeql.github.com/docs/codeql-overview/system-requirements/
|
||||
# most come from the base image, but we need to install some additional ones
|
||||
RUN DEBIAN_FRONTEND=noninteractive apt update && apt install -y sudo man-db python3.12 npm unminimize
|
||||
RUN yes | unminimize
|
||||
@@ -1,4 +1,5 @@
|
||||
{
|
||||
"image": "mcr.microsoft.com/devcontainers/base:ubuntu-24.04",
|
||||
"extensions": [
|
||||
"rust-lang.rust-analyzer",
|
||||
"bungcip.better-toml",
|
||||
@@ -7,10 +8,6 @@
|
||||
"ms-vscode.test-adapter-converter",
|
||||
"slevesque.vscode-zipexplorer"
|
||||
],
|
||||
"build": {
|
||||
// Path is relative to the devcontainer.json file.
|
||||
"dockerfile": "Dockerfile.codespaces"
|
||||
},
|
||||
"settings": {
|
||||
"files.watcherExclude": {
|
||||
"**/target/**": true
|
||||
|
||||
4
.github/codeql/codeql-config.yml
vendored
4
.github/codeql/codeql-config.yml
vendored
@@ -4,13 +4,9 @@ queries:
|
||||
- uses: security-and-quality
|
||||
|
||||
paths-ignore:
|
||||
- '/actions/ql/test'
|
||||
- '/cpp/'
|
||||
- '/java/'
|
||||
- '/python/'
|
||||
- '/javascript/ql/test'
|
||||
- '/javascript/ql/integration-tests'
|
||||
- '/javascript/extractor/tests'
|
||||
- '/javascript/extractor/parser-tests'
|
||||
- '/javascript/ql/src/'
|
||||
- '/rust/ql'
|
||||
|
||||
2
.github/workflows/build-ripunzip.yml
vendored
2
.github/workflows/build-ripunzip.yml
vendored
@@ -17,7 +17,7 @@ jobs:
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
os: [ubuntu-22.04, macos-13, windows-2019]
|
||||
os: [ubuntu-20.04, macos-13, windows-2019]
|
||||
runs-on: ${{ matrix.os }}
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
34
.github/workflows/codegen.yml
vendored
34
.github/workflows/codegen.yml
vendored
@@ -1,34 +0,0 @@
|
||||
name: Codegen
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
paths:
|
||||
- "misc/bazel/**"
|
||||
- "misc/codegen/**"
|
||||
- "*.bazel*"
|
||||
- .github/workflows/codegen.yml
|
||||
- .pre-commit-config.yaml
|
||||
branches:
|
||||
- main
|
||||
- rc/*
|
||||
- codeql-cli-*
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
codegen:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/setup-python@v4
|
||||
with:
|
||||
python-version-file: 'misc/codegen/.python-version'
|
||||
- uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
|
||||
name: Check that python code is properly formatted
|
||||
with:
|
||||
extra_args: autopep8 --all-files
|
||||
- name: Run codegen tests
|
||||
shell: bash
|
||||
run: |
|
||||
bazel test //misc/codegen/...
|
||||
7
.github/workflows/codeql-analysis.yml
vendored
7
.github/workflows/codeql-analysis.yml
vendored
@@ -18,10 +18,6 @@ on:
|
||||
|
||||
jobs:
|
||||
CodeQL-Build:
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
language: ['actions', 'csharp']
|
||||
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
@@ -42,8 +38,9 @@ jobs:
|
||||
# Initializes the CodeQL tools for scanning.
|
||||
- name: Initialize CodeQL
|
||||
uses: github/codeql-action/init@main
|
||||
# Override language selection by uncommenting this and choosing your languages
|
||||
with:
|
||||
languages: ${{ matrix.language }}
|
||||
languages: csharp
|
||||
config-file: ./.github/codeql/codeql-config.yml
|
||||
|
||||
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
|
||||
|
||||
41
.github/workflows/first-responder-inbox.yml
vendored
Normal file
41
.github/workflows/first-responder-inbox.yml
vendored
Normal file
@@ -0,0 +1,41 @@
|
||||
name: Move first responder issues back to inbox
|
||||
|
||||
on:
|
||||
issue_comment:
|
||||
types: [created]
|
||||
env:
|
||||
PROJECT_ID: PVT_kwDNJr_OAFvZxw
|
||||
STATUS_FIELD_ID: PVTSSF_lADNJr_OAFvZx84Dq1CE
|
||||
INBOX_STATUS_ID: 8e29517d
|
||||
|
||||
# requires secrets.CODEQL_FIRST_RESPONDER_BOARD_TOKEN to have `repo`, `read:org` and `projects` scopes
|
||||
|
||||
jobs:
|
||||
inbox:
|
||||
if: ${{ !github.event.issue.pull_request && github.event.issue.state == 'open' && github.event.comment.user.login != 'github-actions' }}
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Dump environment
|
||||
run: env | sort
|
||||
shell: bash
|
||||
- name: Dump GitHub context
|
||||
run: echo "$GITHUB_CONTEXT"
|
||||
env:
|
||||
GITHUB_CONTEXT: ${{ toJSON(github) }}
|
||||
shell: bash
|
||||
- name: Get project item id
|
||||
uses: monry/actions-get-project-item-id@f43df35cd6ab6da4e2cf3b2806342767d440d157
|
||||
continue-on-error: true
|
||||
id: get-id
|
||||
with:
|
||||
github-token: ${{ secrets.CODEQL_FIRST_RESPONDER_BOARD_TOKEN }}
|
||||
project-id: ${{ env.PROJECT_ID }}
|
||||
issue-id: ${{ github.event.issue.node_id }}
|
||||
- name: Move to inbox
|
||||
if: steps.get-id.outputs.project-item-id
|
||||
shell: bash
|
||||
run: |
|
||||
gh project item-edit --project-id $PROJECT_ID --id $ITEM_ID --field-id $STATUS_FIELD_ID --single-select-option-id $INBOX_STATUS_ID
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.CODEQL_FIRST_RESPONDER_BOARD_TOKEN }}
|
||||
ITEM_ID: ${{ steps.get-id.outputs.project-item-id }}
|
||||
1
.github/workflows/go-tests-other-os.yml
vendored
1
.github/workflows/go-tests-other-os.yml
vendored
@@ -3,7 +3,6 @@ on:
|
||||
pull_request:
|
||||
paths:
|
||||
- "go/**"
|
||||
- "!go/documentation/**"
|
||||
- "!go/ql/**" # don't run other-os if only ql/ files changed
|
||||
- .github/workflows/go-tests-other-os.yml
|
||||
- .github/actions/**
|
||||
|
||||
22
.github/workflows/go-tests-rtjo.yml
vendored
22
.github/workflows/go-tests-rtjo.yml
vendored
@@ -1,22 +0,0 @@
|
||||
name: "Go: Run RTJO Tests"
|
||||
on:
|
||||
pull_request:
|
||||
types:
|
||||
- labeled
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
test-linux:
|
||||
if: "github.repository_owner == 'github' && github.event.label.name == 'Run: RTJO Language Tests'"
|
||||
name: RTJO Test Linux (Ubuntu)
|
||||
runs-on: ubuntu-latest-xl
|
||||
steps:
|
||||
- name: Check out code
|
||||
uses: actions/checkout@v4
|
||||
- name: Run tests
|
||||
uses: ./go/actions/test
|
||||
with:
|
||||
run-code-checks: true
|
||||
dynamic-join-order-mode: all
|
||||
2
.github/workflows/go-tests.yml
vendored
2
.github/workflows/go-tests.yml
vendored
@@ -3,7 +3,6 @@ on:
|
||||
push:
|
||||
paths:
|
||||
- "go/**"
|
||||
- "!go/documentation/**"
|
||||
- "shared/**"
|
||||
- .github/workflows/go-tests.yml
|
||||
- .github/actions/**
|
||||
@@ -14,7 +13,6 @@ on:
|
||||
pull_request:
|
||||
paths:
|
||||
- "go/**"
|
||||
- "!go/documentation/**"
|
||||
- "shared/**"
|
||||
- .github/workflows/go-tests.yml
|
||||
- .github/actions/**
|
||||
|
||||
40
.github/workflows/ruby-qltest-rtjo.yml
vendored
40
.github/workflows/ruby-qltest-rtjo.yml
vendored
@@ -1,40 +0,0 @@
|
||||
name: "Ruby: Run RTJO Language Tests"
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
types:
|
||||
- opened
|
||||
- synchronize
|
||||
- reopened
|
||||
- labeled
|
||||
|
||||
env:
|
||||
CARGO_TERM_COLOR: always
|
||||
|
||||
defaults:
|
||||
run:
|
||||
working-directory: ruby
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
qltest-rtjo:
|
||||
if: "github.repository_owner == 'github' && github.event.label.name == 'Run: RTJO Language Tests'"
|
||||
runs-on: ubuntu-latest-xl
|
||||
strategy:
|
||||
fail-fast: false
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: ./.github/actions/fetch-codeql
|
||||
- uses: ./ruby/actions/create-extractor-pack
|
||||
- name: Cache compilation cache
|
||||
id: query-cache
|
||||
uses: ./.github/actions/cache-query-compilation
|
||||
with:
|
||||
key: ruby-qltest
|
||||
- name: Run QL tests
|
||||
run: |
|
||||
codeql test run --dynamic-join-order-mode=all --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ github.token }}
|
||||
79
.github/workflows/swift.yml
vendored
79
.github/workflows/swift.yml
vendored
@@ -18,39 +18,45 @@ on:
|
||||
- main
|
||||
- rc/*
|
||||
- codeql-cli-*
|
||||
push:
|
||||
paths:
|
||||
- "swift/**"
|
||||
- "misc/bazel/**"
|
||||
- "misc/codegen/**"
|
||||
- "shared/**"
|
||||
- "*.bazel*"
|
||||
- .github/workflows/swift.yml
|
||||
- .github/actions/**
|
||||
- codeql-workspace.yml
|
||||
- .pre-commit-config.yaml
|
||||
- "!**/*.md"
|
||||
- "!**/*.qhelp"
|
||||
branches:
|
||||
- main
|
||||
- rc/*
|
||||
- codeql-cli-*
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
defaults:
|
||||
run:
|
||||
shell: bash
|
||||
working-directory: swift
|
||||
|
||||
jobs:
|
||||
build-and-test:
|
||||
# not using a matrix as you cannot depend on a specific job in a matrix, and we want to start linux checks
|
||||
# without waiting for the macOS build
|
||||
build-and-test-macos:
|
||||
if: github.repository_owner == 'github'
|
||||
strategy:
|
||||
matrix:
|
||||
runner: [ubuntu-latest, macos-13-xlarge]
|
||||
fail-fast: false
|
||||
runs-on: ${{ matrix.runner }}
|
||||
runs-on: macos-13-xlarge
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Setup (Linux)
|
||||
if: runner.os == 'Linux'
|
||||
run: |
|
||||
sudo apt-get update
|
||||
sudo apt-get install -y uuid-dev zlib1g-dev
|
||||
- name: Build Swift extractor
|
||||
shell: bash
|
||||
run: |
|
||||
bazel run :install
|
||||
- name: Run Swift tests
|
||||
shell: bash
|
||||
run: |
|
||||
bazel test ... --test_tag_filters=-override --test_output=errors
|
||||
- uses: ./swift/actions/build-and-test
|
||||
qltests-macos:
|
||||
if: ${{ github.repository_owner == 'github' && github.event_name == 'pull_request' }}
|
||||
needs: build-and-test-macos
|
||||
runs-on: macos-13-xlarge
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: ./swift/actions/run-ql-tests
|
||||
clang-format:
|
||||
if : ${{ github.event_name == 'pull_request' }}
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
@@ -59,9 +65,18 @@ jobs:
|
||||
with:
|
||||
extra_args: clang-format --all-files
|
||||
codegen:
|
||||
if : ${{ github.event_name == 'pull_request' }}
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: bazelbuild/setup-bazelisk@v2
|
||||
- uses: actions/setup-python@v4
|
||||
with:
|
||||
python-version-file: 'swift/.python-version'
|
||||
- uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
|
||||
name: Check that python code is properly formatted
|
||||
with:
|
||||
extra_args: autopep8 --all-files
|
||||
- uses: ./.github/actions/fetch-codeql
|
||||
- uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
|
||||
name: Check that QL generated code was checked in
|
||||
@@ -69,14 +84,22 @@ jobs:
|
||||
extra_args: swift-codegen --all-files
|
||||
- name: Generate C++ files
|
||||
run: |
|
||||
bazel run codegen -- --generate=trap,cpp --cpp-output=$PWD/generated-cpp-files
|
||||
bazel run //swift/codegen:codegen -- --generate=trap,cpp --cpp-output=$PWD/generated-cpp-files
|
||||
- uses: actions/upload-artifact@v4
|
||||
with:
|
||||
name: swift-generated-cpp-files
|
||||
path: generated-cpp-files/**
|
||||
check-no-override:
|
||||
database-upgrade-scripts:
|
||||
if : ${{ github.event_name == 'pull_request' }}
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Check that no override is present in load.bzl
|
||||
run: bazel test ... --test_tag_filters=override --test_output=errors
|
||||
- uses: ./.github/actions/fetch-codeql
|
||||
- uses: ./swift/actions/database-upgrade-scripts
|
||||
check-no-override:
|
||||
if : github.event_name == 'pull_request'
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- shell: bash
|
||||
run: bazel test //swift/... --test_tag_filters=override --test_output=errors
|
||||
|
||||
@@ -72,7 +72,7 @@ repos:
|
||||
|
||||
- id: rust-codegen
|
||||
name: Run Rust checked in code generation
|
||||
files: ^misc/codegen/|^rust/(prefix\.dbscheme|schema/|codegen/|.*/generated/|ql/lib/(rust\.dbscheme$|codeql/rust/elements)|\.generated.list|ast-generator/)
|
||||
files: ^misc/codegen/|^rust/(prefix\.dbscheme|schema/|codegen/|.*/generated/|ql/lib/(rust\.dbscheme$|codeql/rust/elements)|\.generated.list)
|
||||
language: system
|
||||
entry: bazel run //rust/codegen -- --quiet
|
||||
pass_filenames: false
|
||||
|
||||
10
.vscode/tasks.json
vendored
10
.vscode/tasks.json
vendored
@@ -50,11 +50,6 @@
|
||||
"${input:name}",
|
||||
"${input:categoryQuery}"
|
||||
],
|
||||
"options": {
|
||||
"env": {
|
||||
"EDITOR": "code -r",
|
||||
}
|
||||
},
|
||||
"presentation": {
|
||||
"reveal": "never",
|
||||
"close": true
|
||||
@@ -72,11 +67,6 @@
|
||||
"${input:name}",
|
||||
"${input:categoryLibrary}"
|
||||
],
|
||||
"options": {
|
||||
"env": {
|
||||
"EDITOR": "code -r"
|
||||
}
|
||||
},
|
||||
"presentation": {
|
||||
"reveal": "never",
|
||||
"close": true
|
||||
|
||||
@@ -14,9 +14,6 @@
|
||||
/java/ql/test-kotlin1/ @github/codeql-kotlin
|
||||
/java/ql/test-kotlin2/ @github/codeql-kotlin
|
||||
|
||||
# Experimental CodeQL cryptography
|
||||
**/experimental/quantum/ @github/ps-codeql
|
||||
|
||||
# CodeQL tools and associated docs
|
||||
/docs/codeql/codeql-cli/ @github/codeql-cli-reviewers
|
||||
/docs/codeql/codeql-for-visual-studio-code/ @github/codeql-vscode-reviewers
|
||||
|
||||
763
Cargo.lock
generated
763
Cargo.lock
generated
File diff suppressed because it is too large
Load Diff
2
LICENSE
2
LICENSE
@@ -1,6 +1,6 @@
|
||||
MIT License
|
||||
|
||||
Copyright (c) 2006-2025 GitHub, Inc.
|
||||
Copyright (c) 2006-2020 GitHub, Inc.
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
|
||||
141
MODULE.bazel
141
MODULE.bazel
@@ -14,7 +14,7 @@ local_path_override(
|
||||
|
||||
# see https://registry.bazel.build/ for a list of available packages
|
||||
|
||||
bazel_dep(name = "platforms", version = "0.0.11")
|
||||
bazel_dep(name = "platforms", version = "0.0.10")
|
||||
bazel_dep(name = "rules_go", version = "0.50.1")
|
||||
bazel_dep(name = "rules_pkg", version = "1.0.1")
|
||||
bazel_dep(name = "rules_nodejs", version = "6.2.0-codeql.1")
|
||||
@@ -28,16 +28,16 @@ bazel_dep(name = "rules_kotlin", version = "2.0.0-codeql.1")
|
||||
bazel_dep(name = "gazelle", version = "0.40.0")
|
||||
bazel_dep(name = "rules_dotnet", version = "0.17.4")
|
||||
bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
|
||||
bazel_dep(name = "rules_rust", version = "0.58.0")
|
||||
bazel_dep(name = "rules_rust", version = "0.52.2")
|
||||
bazel_dep(name = "zstd", version = "1.5.5.bcr.1")
|
||||
|
||||
bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
|
||||
|
||||
# Keep edition and version approximately in sync with internal repo.
|
||||
# the versions there are canonical, the versions here are used for CI in github/codeql, as well as for the vendoring of dependencies.
|
||||
RUST_EDITION = "2024"
|
||||
RUST_EDITION = "2021"
|
||||
|
||||
RUST_VERSION = "1.85.0"
|
||||
RUST_VERSION = "1.82.0"
|
||||
|
||||
rust = use_extension("@rules_rust//rust:extensions.bzl", "rust")
|
||||
rust.toolchain(
|
||||
@@ -53,17 +53,29 @@ use_repo(rust, "rust_toolchains")
|
||||
|
||||
register_toolchains("@rust_toolchains//:all")
|
||||
|
||||
rust_host_tools = use_extension("@rules_rust//rust:extensions.bzl", "rust_host_tools")
|
||||
|
||||
# Don't download a second toolchain as host toolchain, make sure this is the same version as above
|
||||
# The host toolchain is used for vendoring dependencies.
|
||||
rust_host_tools.host_tools(
|
||||
edition = RUST_EDITION,
|
||||
version = RUST_VERSION,
|
||||
)
|
||||
|
||||
# deps for python extractor
|
||||
# keep in sync by running `misc/bazel/3rdparty/update_cargo_deps.sh`
|
||||
py_deps = use_extension("//misc/bazel/3rdparty:py_deps_extension.bzl", "p")
|
||||
use_repo(
|
||||
py_deps,
|
||||
"vendor_py__anyhow-1.0.95",
|
||||
"vendor_py__cc-1.2.14",
|
||||
"vendor_py__clap-4.5.30",
|
||||
"vendor_py__regex-1.11.1",
|
||||
"vendor_py__tree-sitter-0.20.4",
|
||||
"vendor_py__tree-sitter-graph-0.7.0",
|
||||
"vendor__anyhow-1.0.44",
|
||||
"vendor__cc-1.0.70",
|
||||
"vendor__clap-2.33.3",
|
||||
"vendor__regex-1.5.5",
|
||||
"vendor__smallvec-1.6.1",
|
||||
"vendor__string-interner-0.12.2",
|
||||
"vendor__thiserror-1.0.29",
|
||||
"vendor__tree-sitter-0.20.4",
|
||||
"vendor__tree-sitter-graph-0.7.0",
|
||||
)
|
||||
|
||||
# deps for ruby+rust
|
||||
@@ -71,59 +83,58 @@ use_repo(
|
||||
tree_sitter_extractors_deps = use_extension("//misc/bazel/3rdparty:tree_sitter_extractors_extension.bzl", "r")
|
||||
use_repo(
|
||||
tree_sitter_extractors_deps,
|
||||
"vendor_ts__anyhow-1.0.97",
|
||||
"vendor_ts__argfile-0.2.1",
|
||||
"vendor_ts__chalk-ir-0.100.0",
|
||||
"vendor_ts__chrono-0.4.40",
|
||||
"vendor_ts__clap-4.5.32",
|
||||
"vendor_ts__dunce-1.0.5",
|
||||
"vendor_ts__either-1.15.0",
|
||||
"vendor_ts__encoding-0.2.33",
|
||||
"vendor_ts__figment-0.10.19",
|
||||
"vendor_ts__flate2-1.1.0",
|
||||
"vendor_ts__glob-0.3.2",
|
||||
"vendor_ts__globset-0.4.15",
|
||||
"vendor_ts__itertools-0.14.0",
|
||||
"vendor_ts__lazy_static-1.5.0",
|
||||
"vendor_ts__mustache-0.9.0",
|
||||
"vendor_ts__num-traits-0.2.19",
|
||||
"vendor_ts__num_cpus-1.16.0",
|
||||
"vendor_ts__proc-macro2-1.0.94",
|
||||
"vendor_ts__quote-1.0.40",
|
||||
"vendor_ts__ra_ap_base_db-0.0.270",
|
||||
"vendor_ts__ra_ap_cfg-0.0.270",
|
||||
"vendor_ts__ra_ap_hir-0.0.270",
|
||||
"vendor_ts__ra_ap_hir_def-0.0.270",
|
||||
"vendor_ts__ra_ap_hir_expand-0.0.270",
|
||||
"vendor_ts__ra_ap_hir_ty-0.0.270",
|
||||
"vendor_ts__ra_ap_ide_db-0.0.270",
|
||||
"vendor_ts__ra_ap_intern-0.0.270",
|
||||
"vendor_ts__ra_ap_load-cargo-0.0.270",
|
||||
"vendor_ts__ra_ap_parser-0.0.270",
|
||||
"vendor_ts__ra_ap_paths-0.0.270",
|
||||
"vendor_ts__ra_ap_project_model-0.0.270",
|
||||
"vendor_ts__ra_ap_span-0.0.270",
|
||||
"vendor_ts__ra_ap_stdx-0.0.270",
|
||||
"vendor_ts__ra_ap_syntax-0.0.270",
|
||||
"vendor_ts__ra_ap_vfs-0.0.270",
|
||||
"vendor_ts__rand-0.9.0",
|
||||
"vendor_ts__rayon-1.10.0",
|
||||
"vendor_ts__regex-1.11.1",
|
||||
"vendor_ts__serde-1.0.219",
|
||||
"vendor_ts__serde_json-1.0.140",
|
||||
"vendor_ts__serde_with-3.12.0",
|
||||
"vendor_ts__syn-2.0.100",
|
||||
"vendor_ts__toml-0.8.20",
|
||||
"vendor_ts__tracing-0.1.41",
|
||||
"vendor_ts__tracing-flame-0.2.0",
|
||||
"vendor_ts__tracing-subscriber-0.3.19",
|
||||
"vendor_ts__tree-sitter-0.24.6",
|
||||
"vendor_ts__tree-sitter-embedded-template-0.23.2",
|
||||
"vendor_ts__tree-sitter-json-0.24.8",
|
||||
"vendor_ts__tree-sitter-ql-0.23.1",
|
||||
"vendor_ts__tree-sitter-ruby-0.23.1",
|
||||
"vendor_ts__triomphe-0.1.14",
|
||||
"vendor_ts__ungrammar-1.16.1",
|
||||
"vendor__anyhow-1.0.95",
|
||||
"vendor__argfile-0.2.1",
|
||||
"vendor__chrono-0.4.39",
|
||||
"vendor__clap-4.5.26",
|
||||
"vendor__dunce-1.0.5",
|
||||
"vendor__either-1.13.0",
|
||||
"vendor__encoding-0.2.33",
|
||||
"vendor__figment-0.10.19",
|
||||
"vendor__flate2-1.0.35",
|
||||
"vendor__glob-0.3.2",
|
||||
"vendor__globset-0.4.15",
|
||||
"vendor__itertools-0.14.0",
|
||||
"vendor__lazy_static-1.5.0",
|
||||
"vendor__log-0.4.22",
|
||||
"vendor__mustache-0.9.0",
|
||||
"vendor__num-traits-0.2.19",
|
||||
"vendor__num_cpus-1.16.0",
|
||||
"vendor__proc-macro2-1.0.93",
|
||||
"vendor__quote-1.0.38",
|
||||
"vendor__ra_ap_base_db-0.0.258",
|
||||
"vendor__ra_ap_cfg-0.0.258",
|
||||
"vendor__ra_ap_hir-0.0.258",
|
||||
"vendor__ra_ap_hir_def-0.0.258",
|
||||
"vendor__ra_ap_hir_expand-0.0.258",
|
||||
"vendor__ra_ap_ide_db-0.0.258",
|
||||
"vendor__ra_ap_intern-0.0.258",
|
||||
"vendor__ra_ap_load-cargo-0.0.258",
|
||||
"vendor__ra_ap_parser-0.0.258",
|
||||
"vendor__ra_ap_paths-0.0.258",
|
||||
"vendor__ra_ap_project_model-0.0.258",
|
||||
"vendor__ra_ap_span-0.0.258",
|
||||
"vendor__ra_ap_stdx-0.0.258",
|
||||
"vendor__ra_ap_syntax-0.0.258",
|
||||
"vendor__ra_ap_vfs-0.0.258",
|
||||
"vendor__rand-0.8.5",
|
||||
"vendor__rayon-1.10.0",
|
||||
"vendor__regex-1.11.1",
|
||||
"vendor__serde-1.0.217",
|
||||
"vendor__serde_json-1.0.135",
|
||||
"vendor__serde_with-3.12.0",
|
||||
"vendor__stderrlog-0.6.0",
|
||||
"vendor__syn-2.0.96",
|
||||
"vendor__toml-0.8.19",
|
||||
"vendor__tracing-0.1.41",
|
||||
"vendor__tracing-subscriber-0.3.19",
|
||||
"vendor__tree-sitter-0.24.6",
|
||||
"vendor__tree-sitter-embedded-template-0.23.2",
|
||||
"vendor__tree-sitter-json-0.24.8",
|
||||
"vendor__tree-sitter-ql-0.23.1",
|
||||
"vendor__tree-sitter-ruby-0.23.1",
|
||||
"vendor__triomphe-0.1.14",
|
||||
"vendor__ungrammar-1.16.1",
|
||||
)
|
||||
|
||||
http_archive = use_repo_rule("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
|
||||
@@ -155,7 +166,7 @@ use_repo(csharp_main_extension, "paket.main")
|
||||
pip = use_extension("@rules_python//python/extensions:pip.bzl", "pip")
|
||||
pip.parse(
|
||||
hub_name = "codegen_deps",
|
||||
python_version = "3.12",
|
||||
python_version = "3.11",
|
||||
requirements_lock = "//misc/codegen:requirements_lock.txt",
|
||||
)
|
||||
use_repo(pip, "codegen_deps")
|
||||
@@ -241,7 +252,7 @@ use_repo(
|
||||
)
|
||||
|
||||
go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
|
||||
go_sdk.download(version = "1.24.0")
|
||||
go_sdk.download(version = "1.23.1")
|
||||
|
||||
go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
|
||||
go_deps.from_file(go_mod = "//go/extractor:go.mod")
|
||||
|
||||
@@ -4,9 +4,7 @@ codeql_pkg_files(
|
||||
name = "extractor",
|
||||
srcs = [
|
||||
"codeql-extractor.yml",
|
||||
"//:LICENSE",
|
||||
],
|
||||
exes = glob(["tools/**"]),
|
||||
] + glob(["tools/**"]),
|
||||
strip_prefix = strip_prefix.from_pkg(),
|
||||
visibility = ["//actions:__pkg__"],
|
||||
)
|
||||
|
||||
@@ -1,34 +1,27 @@
|
||||
# Note: We're adding the `reusable_workflows` subdirectories to proactively
|
||||
# record workflows that were called cross-repo, check them out locally,
|
||||
# and enable an interprocedural analysis across the workflow files.
|
||||
# These workflows follow the convention `.github/reusable_workflows/<nwo>/*.ya?ml`
|
||||
$DefaultPathFilters = @(
|
||||
'exclude:**/*',
|
||||
'include:.github/workflows/*.yml',
|
||||
'include:.github/workflows/*.yaml',
|
||||
'include:.github/reusable_workflows/**/*.yml',
|
||||
'include:.github/reusable_workflows/**/*.yaml',
|
||||
'include:**/action.yml',
|
||||
'include:**/action.yaml'
|
||||
)
|
||||
|
||||
if ($null -ne $env:LGTM_INDEX_FILTERS) {
|
||||
Write-Output 'LGTM_INDEX_FILTERS set. Using the default filters together with the user-provided filters, and passing through to the JavaScript extractor.'
|
||||
# Begin with the default path inclusions only,
|
||||
# followed by the user-provided filters.
|
||||
# If the user provided `paths`, those patterns override the default inclusions
|
||||
# (because `LGTM_INDEX_FILTERS` will begin with `exclude:**/*`).
|
||||
# If the user provided `paths-ignore`, those patterns are excluded.
|
||||
$PathFilters = ($DefaultPathFilters -join "`n") + "`n" + $env:LGTM_INDEX_FILTERS
|
||||
$env:LGTM_INDEX_FILTERS = $PathFilters
|
||||
if (($null -ne $env:LGTM_INDEX_INCLUDE) -or ($null -ne $env:LGTM_INDEX_EXCLUDE) -or ($null -ne $env:LGTM_INDEX_FILTERS)) {
|
||||
Write-Output 'Path filters set. Passing them through to the JavaScript extractor.'
|
||||
} else {
|
||||
Write-Output 'LGTM_INDEX_FILTERS not set. Using the default filters, and passing through to the JavaScript extractor.'
|
||||
Write-Output 'No path filters set. Using the default filters.'
|
||||
# Note: We're adding the `reusable_workflows` subdirectories to proactively
|
||||
# record workflows that were called cross-repo, check them out locally,
|
||||
# and enable an interprocedural analysis across the workflow files.
|
||||
# These workflows follow the convention `.github/reusable_workflows/<nwo>/*.ya?ml`
|
||||
$DefaultPathFilters = @(
|
||||
'exclude:**/*',
|
||||
'include:.github/workflows/*.yml',
|
||||
'include:.github/workflows/*.yaml',
|
||||
'include:.github/reusable_workflows/**/*.yml',
|
||||
'include:.github/reusable_workflows/**/*.yaml',
|
||||
'include:**/action.yml',
|
||||
'include:**/action.yaml'
|
||||
)
|
||||
|
||||
$env:LGTM_INDEX_FILTERS = $DefaultPathFilters -join "`n"
|
||||
}
|
||||
|
||||
# Find the JavaScript extractor directory via `codeql resolve extractor`.
|
||||
$CodeQL = Join-Path $env:CODEQL_DIST 'codeql.exe'
|
||||
$env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT = &"$CodeQL" resolve extractor --language javascript
|
||||
$env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT = &$CodeQL resolve extractor --language javascript
|
||||
if ($LASTEXITCODE -ne 0) {
|
||||
throw 'Failed to resolve JavaScript extractor.'
|
||||
}
|
||||
@@ -47,7 +40,7 @@ $env:CODEQL_EXTRACTOR_JAVASCRIPT_SOURCE_ARCHIVE_DIR = $env:CODEQL_EXTRACTOR_ACTI
|
||||
$env:CODEQL_EXTRACTOR_JAVASCRIPT_TRAP_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_TRAP_DIR
|
||||
$env:CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE = $env:CODEQL_EXTRACTOR_ACTIONS_WIP_DATABASE
|
||||
|
||||
&"$JavaScriptAutoBuild"
|
||||
&$JavaScriptAutoBuild
|
||||
if ($LASTEXITCODE -ne 0) {
|
||||
throw "JavaScript autobuilder failed."
|
||||
}
|
||||
|
||||
@@ -1,4 +1,3 @@
|
||||
@echo off
|
||||
rem All of the work is done in the PowerShell script
|
||||
echo "Running PowerShell script at '%~dp0autobuild-impl.ps1'"
|
||||
powershell.exe -File "%~dp0autobuild-impl.ps1"
|
||||
powershell.exe %~dp0autobuild-impl.ps1
|
||||
|
||||
@@ -17,28 +17,16 @@ include:**/action.yaml
|
||||
END
|
||||
)
|
||||
|
||||
if [ -n "${LGTM_INDEX_FILTERS:-}" ]; then
|
||||
echo "LGTM_INDEX_FILTERS set. Using the default filters together with the user-provided filters, and passing through to the JavaScript extractor."
|
||||
# Begin with the default path inclusions only,
|
||||
# followed by the user-provided filters.
|
||||
# If the user provided `paths`, those patterns override the default inclusions
|
||||
# (because `LGTM_INDEX_FILTERS` will begin with `exclude:**/*`).
|
||||
# If the user provided `paths-ignore`, those patterns are excluded.
|
||||
PATH_FILTERS="$(cat << END
|
||||
${DEFAULT_PATH_FILTERS}
|
||||
${LGTM_INDEX_FILTERS}
|
||||
END
|
||||
)"
|
||||
LGTM_INDEX_FILTERS="${PATH_FILTERS}"
|
||||
export LGTM_INDEX_FILTERS
|
||||
if [ -n "${LGTM_INDEX_INCLUDE:-}" ] || [ -n "${LGTM_INDEX_EXCLUDE:-}" ] || [ -n "${LGTM_INDEX_FILTERS:-}" ] ; then
|
||||
echo "Path filters set. Passing them through to the JavaScript extractor."
|
||||
else
|
||||
echo "LGTM_INDEX_FILTERS not set. Using the default filters, and passing through to the JavaScript extractor."
|
||||
echo "No path filters set. Using the default filters."
|
||||
LGTM_INDEX_FILTERS="${DEFAULT_PATH_FILTERS}"
|
||||
export LGTM_INDEX_FILTERS
|
||||
fi
|
||||
|
||||
# Find the JavaScript extractor directory via `codeql resolve extractor`.
|
||||
CODEQL_EXTRACTOR_JAVASCRIPT_ROOT="$("${CODEQL_DIST}/codeql" resolve extractor --language javascript)"
|
||||
CODEQL_EXTRACTOR_JAVASCRIPT_ROOT="$($CODEQL_DIST/codeql resolve extractor --language javascript)"
|
||||
export CODEQL_EXTRACTOR_JAVASCRIPT_ROOT
|
||||
|
||||
echo "Found JavaScript extractor at '${CODEQL_EXTRACTOR_JAVASCRIPT_ROOT}'."
|
||||
@@ -54,4 +42,4 @@ env CODEQL_EXTRACTOR_JAVASCRIPT_DIAGNOSTIC_DIR="${CODEQL_EXTRACTOR_ACTIONS_DIAGN
|
||||
CODEQL_EXTRACTOR_JAVASCRIPT_SOURCE_ARCHIVE_DIR="${CODEQL_EXTRACTOR_ACTIONS_SOURCE_ARCHIVE_DIR}" \
|
||||
CODEQL_EXTRACTOR_JAVASCRIPT_TRAP_DIR="${CODEQL_EXTRACTOR_ACTIONS_TRAP_DIR}" \
|
||||
CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE="${CODEQL_EXTRACTOR_ACTIONS_WIP_DATABASE}" \
|
||||
"${JAVASCRIPT_AUTO_BUILD}"
|
||||
${JAVASCRIPT_AUTO_BUILD}
|
||||
|
||||
@@ -1,28 +0,0 @@
|
||||
extensions:
|
||||
- addsTo:
|
||||
pack: codeql/actions-all
|
||||
extensible: immutableActionsDataModel
|
||||
data:
|
||||
- ["actions/checkout"]
|
||||
- ["actions/cache"]
|
||||
- ["actions/setup-node"]
|
||||
- ["actions/upload-artifact"]
|
||||
- ["actions/setup-python"]
|
||||
- ["actions/download-artifact"]
|
||||
- ["actions/github-script"]
|
||||
- ["actions/setup-java"]
|
||||
- ["actions/setup-go"]
|
||||
- ["actions/upload-pages-artifact"]
|
||||
- ["actions/deploy-pages"]
|
||||
- ["actions/setup-dotnet"]
|
||||
- ["actions/stale"]
|
||||
- ["actions/labeler"]
|
||||
- ["actions/create-github-app-token"]
|
||||
- ["actions/configure-pages"]
|
||||
- ["github/codeql-action/analyze"]
|
||||
- ["github/codeql-action/autobuild"]
|
||||
- ["github/codeql-action/init"]
|
||||
- ["github/codeql-action/resolve-environment"]
|
||||
- ["github/codeql-action/start-proxy"]
|
||||
- ["github/codeql-action/upload-sarif"]
|
||||
- ["octokit/request-action"]
|
||||
@@ -1,14 +0,0 @@
|
||||
# Model pack containing the list of known immutable actions. The Immutable Actions feature is not
|
||||
# yet released, so this pack will only be used within GitHub. Once the feature is available to
|
||||
# customers, we will move the contents of this pack back into the standard library pack.
|
||||
name: codeql/immutable-actions-list
|
||||
version: 0.0.1-dev
|
||||
library: true
|
||||
warnOnImplicitThis: true
|
||||
extensionTargets:
|
||||
# We expect to need this model pack even after GA of Actions analysis, so make it compatible with
|
||||
# all future prereleases plus 1.x.x. We should be able to remove this back before we need to
|
||||
# bump the major version to 2.
|
||||
codeql/actions-all: ">=0.4.3 <2.0.0"
|
||||
dataExtensions:
|
||||
- ext/**/*.yml
|
||||
@@ -1,5 +0,0 @@
|
||||
import actions
|
||||
|
||||
from AstNode n
|
||||
where n instanceof Workflow or n instanceof CompositeAction
|
||||
select n
|
||||
@@ -1,6 +0,0 @@
|
||||
| src/.github/action.yaml:1:1:11:32 | name: ' ... action' |
|
||||
| src/.github/actions/action-name/action.yml:1:1:11:32 | name: ' ... action' |
|
||||
| src/.github/workflows/workflow.yml:1:1:12:33 | name: A workflow |
|
||||
| src/action.yml:1:1:11:32 | name: ' ... action' |
|
||||
| src/excluded/action.yml:1:1:11:32 | name: ' ... action' |
|
||||
| src/included/action.yml:1:1:11:32 | name: ' ... action' |
|
||||
@@ -1,2 +0,0 @@
|
||||
| src/included/action.yml:1:1:11:32 | name: ' ... action' |
|
||||
| src/included/unreachable-workflow.yml:1:1:12:33 | name: A ... orkflow |
|
||||
@@ -1,5 +0,0 @@
|
||||
| src/.github/action.yaml:1:1:11:32 | name: ' ... action' |
|
||||
| src/.github/actions/action-name/action.yml:1:1:11:32 | name: ' ... action' |
|
||||
| src/.github/workflows/workflow.yml:1:1:12:33 | name: A workflow |
|
||||
| src/action.yml:1:1:11:32 | name: ' ... action' |
|
||||
| src/included/action.yml:1:1:11:32 | name: ' ... action' |
|
||||
@@ -1,2 +0,0 @@
|
||||
| src/included/action.yml:1:1:11:32 | name: ' ... action' |
|
||||
| src/included/unreachable-workflow.yml:1:1:12:33 | name: A ... orkflow |
|
||||
@@ -1,5 +0,0 @@
|
||||
import actions
|
||||
|
||||
from AstNode n
|
||||
where n instanceof Workflow or n instanceof CompositeAction
|
||||
select n
|
||||
@@ -1,4 +0,0 @@
|
||||
paths:
|
||||
- 'included'
|
||||
paths-ignore:
|
||||
- 'excluded'
|
||||
@@ -1,2 +0,0 @@
|
||||
paths-ignore:
|
||||
- 'excluded'
|
||||
@@ -1,2 +0,0 @@
|
||||
paths:
|
||||
- 'included'
|
||||
@@ -1,6 +0,0 @@
|
||||
src/.github/action.yaml
|
||||
src/.github/actions/action-name/action.yml
|
||||
src/.github/workflows/workflow.yml
|
||||
src/action.yml
|
||||
src/excluded/action.yml
|
||||
src/included/action.yml
|
||||
@@ -1,3 +0,0 @@
|
||||
src/included/action.yml
|
||||
src/included/not-an-action.yml
|
||||
src/included/unreachable-workflow.yml
|
||||
@@ -1,5 +0,0 @@
|
||||
src/.github/action.yaml
|
||||
src/.github/actions/action-name/action.yml
|
||||
src/.github/workflows/workflow.yml
|
||||
src/action.yml
|
||||
src/included/action.yml
|
||||
@@ -1,3 +0,0 @@
|
||||
src/included/action.yml
|
||||
src/included/not-an-action.yml
|
||||
src/included/unreachable-workflow.yml
|
||||
@@ -1,11 +0,0 @@
|
||||
name: 'A composite action'
|
||||
description: 'Do something'
|
||||
runs:
|
||||
using: "composite"
|
||||
steps:
|
||||
- name: Print
|
||||
run: echo "Hello world"
|
||||
shell: bash
|
||||
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
@@ -1,11 +0,0 @@
|
||||
name: 'A composite action'
|
||||
description: 'Do something'
|
||||
runs:
|
||||
using: "composite"
|
||||
steps:
|
||||
- name: Print
|
||||
run: echo "Hello world"
|
||||
shell: bash
|
||||
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
@@ -1,12 +0,0 @@
|
||||
name: An unreachable workflow
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
|
||||
jobs:
|
||||
job:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -1,12 +0,0 @@
|
||||
name: A workflow
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
|
||||
jobs:
|
||||
job:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -1,11 +0,0 @@
|
||||
name: 'A composite action'
|
||||
description: 'Do something'
|
||||
runs:
|
||||
using: "composite"
|
||||
steps:
|
||||
- name: Print
|
||||
run: echo "Hello world"
|
||||
shell: bash
|
||||
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
@@ -1,11 +0,0 @@
|
||||
name: 'A composite action'
|
||||
description: 'Do something'
|
||||
runs:
|
||||
using: "composite"
|
||||
steps:
|
||||
- name: Print
|
||||
run: echo "Hello world"
|
||||
shell: bash
|
||||
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
@@ -1,12 +0,0 @@
|
||||
name: An unreachable workflow
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
|
||||
jobs:
|
||||
job:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -1,11 +0,0 @@
|
||||
name: 'A composite action'
|
||||
description: 'Do something'
|
||||
runs:
|
||||
using: "composite"
|
||||
steps:
|
||||
- name: Print
|
||||
run: echo "Hello world"
|
||||
shell: bash
|
||||
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
@@ -1 +0,0 @@
|
||||
name: 'Not an action, just a YAML file'
|
||||
@@ -1,12 +0,0 @@
|
||||
name: An unreachable workflow
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
|
||||
jobs:
|
||||
job:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -1,12 +0,0 @@
|
||||
name: An unreachable workflow
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
|
||||
jobs:
|
||||
job:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -1,18 +0,0 @@
|
||||
import pytest
|
||||
|
||||
@pytest.mark.ql_test(expected=".default-filters.expected")
|
||||
def test_default_filters(codeql, actions, check_source_archive):
|
||||
check_source_archive.expected_suffix = ".default-filters.expected"
|
||||
codeql.database.create(source_root="src")
|
||||
|
||||
@pytest.mark.ql_test(expected=".paths-only.expected")
|
||||
def test_config_paths_only(codeql, actions):
|
||||
codeql.database.create(source_root="src", codescanning_config="codeql-config.paths-only.yml")
|
||||
|
||||
@pytest.mark.ql_test(expected=".paths-ignore-only.expected")
|
||||
def test_config_paths_ignore_only(codeql, actions):
|
||||
codeql.database.create(source_root="src", codescanning_config="codeql-config.paths-ignore-only.yml")
|
||||
|
||||
@pytest.mark.ql_test(expected=".paths-and-paths-ignore.expected")
|
||||
def test_config_paths_and_paths_ignore(codeql, actions):
|
||||
codeql.database.create(source_root="src", codescanning_config="codeql-config.paths-and-paths-ignore.yml")
|
||||
@@ -1,24 +1,3 @@
|
||||
## 0.4.6
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* The query `actions/code-injection/medium` now produces alerts for injection
|
||||
vulnerabilities on `pull_request` events.
|
||||
|
||||
## 0.4.5
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.4.4
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.4.3
|
||||
|
||||
### New Features
|
||||
|
||||
* The "Unpinned tag for a non-immutable Action in workflow" query (`actions/unpinned-tag`) now supports expanding the trusted action owner list using data extensions (`extensible: trustedActionsOwnerDataModel`). If you trust an Action publisher, you can include the owner name/organization in a model pack to add it to the allow list for this query. This addition will prevent security alerts when using unpinned tags for Actions published by that owner. For more information on creating a model pack, see [Creating a CodeQL Model Pack](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack).
|
||||
|
||||
## 0.4.2
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
@@ -1,5 +0,0 @@
|
||||
## 0.4.3
|
||||
|
||||
### New Features
|
||||
|
||||
* The "Unpinned tag for a non-immutable Action in workflow" query (`actions/unpinned-tag`) now supports expanding the trusted action owner list using data extensions (`extensible: trustedActionsOwnerDataModel`). If you trust an Action publisher, you can include the owner name/organization in a model pack to add it to the allow list for this query. This addition will prevent security alerts when using unpinned tags for Actions published by that owner. For more information on creating a model pack, see [Creating a CodeQL Model Pack](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack).
|
||||
@@ -1,3 +0,0 @@
|
||||
## 0.4.4
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,3 +0,0 @@
|
||||
## 0.4.5
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,6 +0,0 @@
|
||||
## 0.4.6
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* The query `actions/code-injection/medium` now produces alerts for injection
|
||||
vulnerabilities on `pull_request` events.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.4.6
|
||||
lastReleaseVersion: 0.4.2
|
||||
|
||||
@@ -126,15 +126,6 @@ predicate vulnerableActionsDataModel(
|
||||
*/
|
||||
predicate immutableActionsDataModel(string action) { Extensions::immutableActionsDataModel(action) }
|
||||
|
||||
/**
|
||||
* MaD models for trusted actions owners
|
||||
* Fields:
|
||||
* - owner: owner name
|
||||
*/
|
||||
predicate trustedActionsOwnerDataModel(string owner) {
|
||||
Extensions::trustedActionsOwnerDataModel(owner)
|
||||
}
|
||||
|
||||
/**
|
||||
* MaD models for untrusted git commands
|
||||
* Fields:
|
||||
@@ -154,13 +145,3 @@ predicate untrustedGitCommandDataModel(string cmd_regex, string flag) {
|
||||
predicate untrustedGhCommandDataModel(string cmd_regex, string flag) {
|
||||
Extensions::untrustedGhCommandDataModel(cmd_regex, flag)
|
||||
}
|
||||
|
||||
/**
|
||||
* MaD models for permissions needed by actions
|
||||
* Fields:
|
||||
* - action: action name, e.g. `actions/checkout`
|
||||
* - permission: permission name, e.g. `contents: read`
|
||||
*/
|
||||
predicate actionsPermissionsDataModel(string action, string permission) {
|
||||
Extensions::actionsPermissionsDataModel(action, permission)
|
||||
}
|
||||
|
||||
@@ -63,11 +63,6 @@ extensible predicate vulnerableActionsDataModel(
|
||||
*/
|
||||
extensible predicate immutableActionsDataModel(string action);
|
||||
|
||||
/**
|
||||
* Holds for trusted Actions owners.
|
||||
*/
|
||||
extensible predicate trustedActionsOwnerDataModel(string owner);
|
||||
|
||||
/**
|
||||
* Holds for git commands that may introduce untrusted data when called on an attacker controlled branch.
|
||||
*/
|
||||
@@ -77,14 +72,3 @@ extensible predicate untrustedGitCommandDataModel(string cmd_regex, string flag)
|
||||
* Holds for gh commands that may introduce untrusted data
|
||||
*/
|
||||
extensible predicate untrustedGhCommandDataModel(string cmd_regex, string flag);
|
||||
|
||||
/**
|
||||
* Holds if `action` needs `permission` to run.
|
||||
* - 'action' is the name of the action without any version information.
|
||||
* E.g. for the action selector `actions/checkout@v2`, `action` is `actions/checkout`.
|
||||
* - `permission` is of the form `scope-name: read|write`, for example `contents: read`.
|
||||
* - see https://github.com/actions/checkout?tab=readme-ov-file#recommended-permissions
|
||||
* for an example of recommended permissions.
|
||||
* - see https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token for documentation of token permissions.
|
||||
*/
|
||||
extensible predicate actionsPermissionsDataModel(string action, string permission);
|
||||
|
||||
@@ -1,37 +0,0 @@
|
||||
extensions:
|
||||
- addsTo:
|
||||
pack: codeql/actions-all
|
||||
extensible: actionsPermissionsDataModel
|
||||
data:
|
||||
- ["actions/checkout", "contents: read"]
|
||||
- ["actions/setup-node", "contents: read"]
|
||||
- ["actions/setup-python", "contents: read"]
|
||||
- ["actions/setup-java", "contents: read"]
|
||||
- ["actions/setup-go", "contents: read"]
|
||||
- ["actions/setup-dotnet", "contents: read"]
|
||||
- ["actions/labeler", "contents: read"]
|
||||
- ["actions/labeler", "pull-requests: write"]
|
||||
- ["actions/attest", "id-token: write"]
|
||||
- ["actions/attest", "attestations: write"]
|
||||
# No permissions needed for actions/add-to-project
|
||||
- ["actions/dependency-review-action", "contents: read"]
|
||||
- ["actions/attest-sbom", "id-token: write"]
|
||||
- ["actions/attest-sbom", "attestations: write"]
|
||||
- ["actions/stale", "contents: write"]
|
||||
- ["actions/stale", "issues: write"]
|
||||
- ["actions/stale", "pull-requests: write"]
|
||||
- ["actions/attest-build-provenance", "id-token: write"]
|
||||
- ["actions/attest-build-provenance", "attestations: write"]
|
||||
- ["actions/jekyll-build-pages", "contents: read"]
|
||||
- ["actions/jekyll-build-pages", "pages: write"]
|
||||
- ["actions/jekyll-build-pages", "id-token: write"]
|
||||
- ["actions/publish-action", "contents: write"]
|
||||
- ["actions/versions-package-tools", "contents: read"]
|
||||
- ["actions/versions-package-tools", "actions: read"]
|
||||
- ["actions/reusable-workflows", "contents: read"]
|
||||
- ["actions/reusable-workflows", "actions: read"]
|
||||
# TODO: Add permissions for actions/download-artifact
|
||||
# TODO: Add permissions for actions/upload-artifact
|
||||
# TODO: Add permissions for actions/cache
|
||||
|
||||
|
||||
@@ -30,9 +30,6 @@ extensions:
|
||||
- ["pull_request_review_comment", "github.event.review"]
|
||||
- ["pull_request_review_comment", "github.head_ref"]
|
||||
- ["pull_request_review_comment", "github.event.changes"]
|
||||
- ["pull_request", "github.event.pull_request"]
|
||||
- ["pull_request", "github.head_ref"]
|
||||
- ["pull_request", "github.event.changes"]
|
||||
- ["pull_request_target", "github.event.pull_request"]
|
||||
- ["pull_request_target", "github.head_ref"]
|
||||
- ["pull_request_target", "github.event.changes"]
|
||||
|
||||
@@ -12,7 +12,6 @@ extensions:
|
||||
- ["pull_request_comment"]
|
||||
- ["pull_request_review"]
|
||||
- ["pull_request_review_comment"]
|
||||
- ["pull_request"]
|
||||
- ["pull_request_target"]
|
||||
- ["workflow_run"] # depending on branch filter
|
||||
- ["workflow_call"] # depending on caller
|
||||
|
||||
@@ -2,9 +2,21 @@ extensions:
|
||||
- addsTo:
|
||||
pack: codeql/actions-all
|
||||
extensible: immutableActionsDataModel
|
||||
# Since the Immutable Actions feature is not yet available to customers, we won't alert about
|
||||
# any unversioned immutable action references for now. Within GitHub, we'll include the
|
||||
# `codeql/immutable-actions-list` model pack, which will provide the necessary list of actions
|
||||
# for internal use. Once the feature is available to customers, we'll move that list back into
|
||||
# this file.
|
||||
data: []
|
||||
data:
|
||||
- ["actions/checkout"]
|
||||
- ["actions/cache"]
|
||||
- ["actions/setup-node"]
|
||||
- ["actions/upload-artifact"]
|
||||
- ["actions/setup-python"]
|
||||
- ["actions/download-artifact"]
|
||||
- ["actions/github-script"]
|
||||
- ["actions/setup-java"]
|
||||
- ["actions/setup-go"]
|
||||
- ["actions/upload-pages-artifact"]
|
||||
- ["actions/deploy-pages"]
|
||||
- ["actions/setup-dotnet"]
|
||||
- ["actions/stale"]
|
||||
- ["actions/labeler"]
|
||||
- ["actions/create-github-app-token"]
|
||||
- ["actions/configure-pages"]
|
||||
- ["octokit/request-action"]
|
||||
|
||||
@@ -1,8 +0,0 @@
|
||||
extensions:
|
||||
- addsTo:
|
||||
pack: codeql/actions-all
|
||||
extensible: trustedActionsOwnerDataModel
|
||||
data:
|
||||
- ["actions"]
|
||||
- ["github"]
|
||||
- ["advanced-security"]
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/actions-all
|
||||
version: 0.4.7-dev
|
||||
version: 0.4.3-dev
|
||||
library: true
|
||||
warnOnImplicitThis: true
|
||||
dependencies:
|
||||
|
||||
@@ -1,51 +1,3 @@
|
||||
## 0.5.3
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* Fixed typos in the query and alert titles for the queries
|
||||
`actions/envpath-injection/critical`, `actions/envpath-injection/medium`,
|
||||
`actions/envvar-injection/critical`, and `actions/envvar-injection/medium`.
|
||||
|
||||
## 0.5.2
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.5.1
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* The `actions/unversioned-immutable-action` query will no longer report any alerts, since the
|
||||
Immutable Actions feature is not yet available for customer use. The query has also been moved
|
||||
to the experimental folder and will not be used in code scanning unless it is explicitly added
|
||||
to a code scanning configuration. Once the Immutable Actions feature is available, the query will
|
||||
be updated to report alerts again.
|
||||
|
||||
## 0.5.0
|
||||
|
||||
### Breaking Changes
|
||||
|
||||
* The following queries have been removed from the `code-scanning` and `security-extended` suites.
|
||||
Any existing alerts for these queries will be closed automatically.
|
||||
* `actions/if-expression-always-true/critical`
|
||||
* `actions/if-expression-always-true/high`
|
||||
* `actions/unnecessary-use-of-advanced-config`
|
||||
|
||||
* The following query has been moved from the `code-scanning` suite to the `security-extended`
|
||||
suite. Any existing alerts for this query will be closed automatically unless the analysis is
|
||||
configured to use the `security-extended` suite.
|
||||
* `actions/unpinned-tag`
|
||||
* The following queries have been added to the `security-extended` suite.
|
||||
* `actions/unversioned-immutable-action`
|
||||
* `actions/envpath-injection/medium`
|
||||
* `actions/envvar-injection/medium`
|
||||
* `actions/code-injection/medium`
|
||||
* `actions/artifact-poisoning/medium`
|
||||
* `actions/untrusted-checkout/medium`
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Fixed false positives in the query `actions/unpinned-tag` (CWE-829), which will no longer flag uses of Docker-based GitHub actions pinned by the container's SHA256 digest.
|
||||
|
||||
## 0.4.2
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/**
|
||||
* @name PATH environment variable built from user-controlled sources
|
||||
* @name PATH Enviroment Variable built from user-controlled sources
|
||||
* @description Building the PATH environment variable from user-controlled sources may alter the execution of following system commands
|
||||
* @kind path-problem
|
||||
* @problem.severity error
|
||||
|
||||
@@ -1,10 +1,10 @@
|
||||
/**
|
||||
* @name PATH environment variable built from user-controlled sources
|
||||
* @name PATH Enviroment Variable built from user-controlled sources
|
||||
* @description Building the PATH environment variable from user-controlled sources may alter the execution of following system commands
|
||||
* @kind path-problem
|
||||
* @problem.severity error
|
||||
* @problem.severity warning
|
||||
* @security-severity 5.0
|
||||
* @precision medium
|
||||
* @precision high
|
||||
* @id actions/envpath-injection/medium
|
||||
* @tags actions
|
||||
* security
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/**
|
||||
* @name Environment variable built from user-controlled sources
|
||||
* @name Enviroment Variable built from user-controlled sources
|
||||
* @description Building an environment variable from user-controlled sources may alter the execution of following system commands
|
||||
* @kind path-problem
|
||||
* @problem.severity error
|
||||
|
||||
@@ -1,10 +1,10 @@
|
||||
/**
|
||||
* @name Environment variable built from user-controlled sources
|
||||
* @name Enviroment Variable built from user-controlled sources
|
||||
* @description Building an environment variable from user-controlled sources may alter the execution of following system commands
|
||||
* @kind path-problem
|
||||
* @problem.severity error
|
||||
* @problem.severity warning
|
||||
* @security-severity 5.0
|
||||
* @precision medium
|
||||
* @precision high
|
||||
* @id actions/envvar-injection/medium
|
||||
* @tags actions
|
||||
* security
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/**
|
||||
* @name Use of a known vulnerable action
|
||||
* @name Use of a known vulnerable action.
|
||||
* @description The workflow is using an action with known vulnerabilities.
|
||||
* @kind problem
|
||||
* @problem.severity error
|
||||
|
||||
@@ -3,30 +3,17 @@
|
||||
* @description Workflows should contain permissions to provide a clear understanding has permissions to run the workflow.
|
||||
* @kind problem
|
||||
* @security-severity 5.0
|
||||
* @problem.severity warning
|
||||
* @problem.severity recommendation
|
||||
* @precision high
|
||||
* @id actions/missing-workflow-permissions
|
||||
* @tags actions
|
||||
* maintainability
|
||||
* security
|
||||
* external/cwe/cwe-275
|
||||
*/
|
||||
|
||||
import actions
|
||||
|
||||
Step stepInJob(Job job) { result = job.(LocalJob).getAStep() }
|
||||
|
||||
string jobNeedsPermission(Job job) {
|
||||
actionsPermissionsDataModel(stepInJob(job).(UsesStep).getCallee(), result)
|
||||
}
|
||||
|
||||
/** Gets a suggestion for the minimal token permissions for `job`, as a JSON string. */
|
||||
string permissionsForJob(Job job) {
|
||||
result =
|
||||
"{" + concat(string permission | permission = jobNeedsPermission(job) | permission, ", ") + "}"
|
||||
}
|
||||
|
||||
from Job job, string permissions
|
||||
from Job job
|
||||
where
|
||||
not exists(job.getPermissions()) and
|
||||
not exists(job.getEnclosingWorkflow().getPermissions()) and
|
||||
@@ -34,8 +21,5 @@ where
|
||||
exists(Event e |
|
||||
e = job.getATriggerEvent() and
|
||||
not e.getName() = "workflow_call"
|
||||
) and
|
||||
permissions = permissionsForJob(job)
|
||||
select job,
|
||||
"Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: "
|
||||
+ permissions
|
||||
)
|
||||
select job, "Actions Job or Workflow does not set permissions"
|
||||
|
||||
@@ -2,8 +2,7 @@
|
||||
* @name Excessive Secrets Exposure
|
||||
* @description All organization and repository secrets are passed to the workflow runner.
|
||||
* @kind problem
|
||||
* @precision high
|
||||
* @problem.severity warning
|
||||
* @problem.severity recommendation
|
||||
* @id actions/excessive-secrets-exposure
|
||||
* @tags actions
|
||||
* security
|
||||
|
||||
@@ -43,7 +43,7 @@ jobs:
|
||||
The following example, correctly creates a temporary directory and extracts the contents of the artifact there before calling `cmd.sh`.
|
||||
|
||||
```yaml
|
||||
name: Secure Workflow
|
||||
name: Insecure Workflow
|
||||
|
||||
on:
|
||||
workflow_run:
|
||||
|
||||
@@ -43,7 +43,7 @@ jobs:
|
||||
The following example, correctly creates a temporary directory and extracts the contents of the artifact there before calling `cmd.sh`.
|
||||
|
||||
```yaml
|
||||
name: Secure Workflow
|
||||
name: Insecure Workflow
|
||||
|
||||
on:
|
||||
workflow_run:
|
||||
|
||||
@@ -2,8 +2,8 @@
|
||||
* @name Artifact poisoning
|
||||
* @description An attacker may be able to poison the workflow's artifacts and influence on consequent steps.
|
||||
* @kind path-problem
|
||||
* @problem.severity error
|
||||
* @precision medium
|
||||
* @problem.severity warning
|
||||
* @precision high
|
||||
* @security-severity 5.0
|
||||
* @id actions/artifact-poisoning/medium
|
||||
* @tags actions
|
||||
|
||||
@@ -24,4 +24,4 @@ Pinning an action to a full length commit SHA is currently the only way to use a
|
||||
|
||||
## References
|
||||
|
||||
- [Using third-party actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions)
|
||||
- [Using third-party actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions)
|
||||
|
||||
@@ -3,8 +3,8 @@
|
||||
* @description Using a tag for a non-immutable Action that is not pinned to a commit can lead to executing an untrusted Action through a supply chain attack.
|
||||
* @kind problem
|
||||
* @security-severity 5.0
|
||||
* @problem.severity warning
|
||||
* @precision medium
|
||||
* @problem.severity recommendation
|
||||
* @precision high
|
||||
* @id actions/unpinned-tag
|
||||
* @tags security
|
||||
* actions
|
||||
@@ -17,23 +17,14 @@ import codeql.actions.security.UseOfUnversionedImmutableAction
|
||||
bindingset[version]
|
||||
private predicate isPinnedCommit(string version) { version.regexpMatch("^[A-Fa-f0-9]{40}$") }
|
||||
|
||||
bindingset[nwo]
|
||||
private predicate isTrustedOwner(string nwo) {
|
||||
// Gets the segment before the first '/' in the name with owner(nwo) string
|
||||
trustedActionsOwnerDataModel(nwo.substring(0, nwo.indexOf("/")))
|
||||
bindingset[repo]
|
||||
private predicate isTrustedOrg(string repo) {
|
||||
repo.matches(["actions", "github", "advanced-security"] + "/%")
|
||||
}
|
||||
|
||||
bindingset[version]
|
||||
private predicate isPinnedContainer(string version) {
|
||||
version.regexpMatch("^sha256:[A-Fa-f0-9]{64}$")
|
||||
}
|
||||
|
||||
bindingset[nwo]
|
||||
private predicate isContainerImage(string nwo) { nwo.regexpMatch("^docker://.+") }
|
||||
|
||||
from UsesStep uses, string nwo, string version, Workflow workflow, string name
|
||||
from UsesStep uses, string repo, string version, Workflow workflow, string name
|
||||
where
|
||||
uses.getCallee() = nwo and
|
||||
uses.getCallee() = repo and
|
||||
uses.getEnclosingWorkflow() = workflow and
|
||||
(
|
||||
workflow.getName() = name
|
||||
@@ -41,9 +32,9 @@ where
|
||||
not exists(workflow.getName()) and workflow.getLocation().getFile().getBaseName() = name
|
||||
) and
|
||||
uses.getVersion() = version and
|
||||
not isTrustedOwner(nwo) and
|
||||
not (if isContainerImage(nwo) then isPinnedContainer(version) else isPinnedCommit(version)) and
|
||||
not isImmutableAction(uses, nwo)
|
||||
not isTrustedOrg(repo) and
|
||||
not isPinnedCommit(version) and
|
||||
not isImmutableAction(uses, repo)
|
||||
select uses.getCalleeNode(),
|
||||
"Unpinned 3rd party Action '" + name + "' step $@ uses '" + nwo + "' with ref '" + version +
|
||||
"Unpinned 3rd party Action '" + name + "' step $@ uses '" + repo + "' with ref '" + version +
|
||||
"', not a pinned commit hash", uses, uses.toString()
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/**
|
||||
* @name Checkout of untrusted code in a privileged context
|
||||
* @name Checkout of untrusted code in trusted context
|
||||
* @description Privileged workflows have read/write access to the base repository and access to secrets.
|
||||
* By explicitly checking out and running the build script from a fork the untrusted code is running in an environment
|
||||
* that is able to push to the base repository and to access secrets.
|
||||
|
||||
@@ -8,7 +8,6 @@
|
||||
* @tags security
|
||||
* actions
|
||||
* internal
|
||||
* experimental
|
||||
* external/cwe/cwe-829
|
||||
*/
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: fix
|
||||
---
|
||||
* Alerts produced by the query `actions/missing-workflow-permissions` now include a minimal set of recommended permissions in the alert message, based on well-known actions seen within the workflow file.
|
||||
@@ -1,25 +0,0 @@
|
||||
## 0.5.0
|
||||
|
||||
### Breaking Changes
|
||||
|
||||
* The following queries have been removed from the `code-scanning` and `security-extended` suites.
|
||||
Any existing alerts for these queries will be closed automatically.
|
||||
* `actions/if-expression-always-true/critical`
|
||||
* `actions/if-expression-always-true/high`
|
||||
* `actions/unnecessary-use-of-advanced-config`
|
||||
|
||||
* The following query has been moved from the `code-scanning` suite to the `security-extended`
|
||||
suite. Any existing alerts for this query will be closed automatically unless the analysis is
|
||||
configured to use the `security-extended` suite.
|
||||
* `actions/unpinned-tag`
|
||||
* The following queries have been added to the `security-extended` suite.
|
||||
* `actions/unversioned-immutable-action`
|
||||
* `actions/envpath-injection/medium`
|
||||
* `actions/envvar-injection/medium`
|
||||
* `actions/code-injection/medium`
|
||||
* `actions/artifact-poisoning/medium`
|
||||
* `actions/untrusted-checkout/medium`
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Fixed false positives in the query `actions/unpinned-tag` (CWE-829), which will no longer flag uses of Docker-based GitHub actions pinned by the container's SHA256 digest.
|
||||
@@ -1,9 +0,0 @@
|
||||
## 0.5.1
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* The `actions/unversioned-immutable-action` query will no longer report any alerts, since the
|
||||
Immutable Actions feature is not yet available for customer use. The query has also been moved
|
||||
to the experimental folder and will not be used in code scanning unless it is explicitly added
|
||||
to a code scanning configuration. Once the Immutable Actions feature is available, the query will
|
||||
be updated to report alerts again.
|
||||
@@ -1,3 +0,0 @@
|
||||
## 0.5.2
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,7 +0,0 @@
|
||||
## 0.5.3
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* Fixed typos in the query and alert titles for the queries
|
||||
`actions/envpath-injection/critical`, `actions/envpath-injection/medium`,
|
||||
`actions/envvar-injection/critical`, and `actions/envvar-injection/medium`.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.5.3
|
||||
lastReleaseVersion: 0.4.2
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user