mirror of
https://github.com/github/codeql.git
synced 2026-05-26 17:11:24 +02:00
Compare commits
1 Commits
redsun82/r
...
ginsbach/E
| Author | SHA1 | Date | |
|---|---|---|---|
|
dff1424f55 |
1
.bazelrc
1
.bazelrc
@@ -37,6 +37,5 @@ build --java_language_version=17
|
||||
build --tool_java_language_version=17
|
||||
build --tool_java_runtime_version=remotejdk_17
|
||||
build --java_runtime_version=remotejdk_17
|
||||
build --@rules_python//python/config_settings:python_version=3.12
|
||||
|
||||
try-import %workspace%/local.bazelrc
|
||||
|
||||
@@ -8,5 +8,3 @@ common --registry=https://bcr.bazel.build
|
||||
# its implementation packages without providing any code itself.
|
||||
# We either can depend on internal implementation details, or turn of strict deps.
|
||||
common --@rules_dotnet//dotnet/settings:strict_deps=false
|
||||
|
||||
build --@rules_python//python/config_settings:python_version=3.12
|
||||
|
||||
@@ -1 +1 @@
|
||||
8.1.1
|
||||
8.0.0
|
||||
|
||||
6
.github/workflows/build-ripunzip.yml
vendored
6
.github/workflows/build-ripunzip.yml
vendored
@@ -6,18 +6,18 @@ on:
|
||||
ripunzip-version:
|
||||
description: "what reference to checktout from google/runzip"
|
||||
required: false
|
||||
default: v2.0.2
|
||||
default: v1.2.1
|
||||
openssl-version:
|
||||
description: "what reference to checkout from openssl/openssl for Linux"
|
||||
required: false
|
||||
default: openssl-3.5.0
|
||||
default: openssl-3.3.0
|
||||
|
||||
jobs:
|
||||
build:
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
os: [ubuntu-22.04, macos-13, windows-2022]
|
||||
os: [ubuntu-20.04, macos-13, windows-2019]
|
||||
runs-on: ${{ matrix.os }}
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
4
.github/workflows/csharp-qltest.yml
vendored
4
.github/workflows/csharp-qltest.yml
vendored
@@ -36,7 +36,7 @@ jobs:
|
||||
unit-tests:
|
||||
strategy:
|
||||
matrix:
|
||||
os: [ubuntu-latest, windows-latest]
|
||||
os: [ubuntu-latest, windows-2019]
|
||||
runs-on: ${{ matrix.os }}
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
@@ -66,6 +66,6 @@ jobs:
|
||||
# Update existing stubs in the repo with the freshly generated ones
|
||||
mv "$STUBS_PATH/output/stubs/_frameworks" ql/test/resources/stubs/
|
||||
git status
|
||||
codeql test run --threads=0 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries -- ql/test/library-tests/dataflow/flowsources/aspremote
|
||||
codeql test run --threads=0 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries -- ql/test/library-tests/dataflow/flowsources/aspremote
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ github.token }}
|
||||
|
||||
3
.github/workflows/go-tests-other-os.yml
vendored
3
.github/workflows/go-tests-other-os.yml
vendored
@@ -26,8 +26,9 @@ jobs:
|
||||
uses: ./go/actions/test
|
||||
|
||||
test-win:
|
||||
if: github.repository_owner == 'github'
|
||||
name: Test Windows
|
||||
runs-on: windows-latest
|
||||
runs-on: windows-latest-xl
|
||||
steps:
|
||||
- name: Check out code
|
||||
uses: actions/checkout@v4
|
||||
|
||||
22
.github/workflows/go-tests-rtjo.yml
vendored
22
.github/workflows/go-tests-rtjo.yml
vendored
@@ -1,22 +0,0 @@
|
||||
name: "Go: Run RTJO Tests"
|
||||
on:
|
||||
pull_request:
|
||||
types:
|
||||
- labeled
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
test-linux:
|
||||
if: "github.repository_owner == 'github' && github.event.label.name == 'Run: RTJO Language Tests'"
|
||||
name: RTJO Test Linux (Ubuntu)
|
||||
runs-on: ubuntu-latest-xl
|
||||
steps:
|
||||
- name: Check out code
|
||||
uses: actions/checkout@v4
|
||||
- name: Run tests
|
||||
uses: ./go/actions/test
|
||||
with:
|
||||
run-code-checks: true
|
||||
dynamic-join-order-mode: all
|
||||
2
.github/workflows/mad_modelDiff.yml
vendored
2
.github/workflows/mad_modelDiff.yml
vendored
@@ -68,7 +68,7 @@ jobs:
|
||||
DATABASE=$2
|
||||
cd codeql-$QL_VARIANT
|
||||
SHORTNAME=`basename $DATABASE`
|
||||
python misc/scripts/models-as-data/generate_mad.py --language java --with-summaries --with-sinks $DATABASE $SHORTNAME/$QL_VARIANT
|
||||
python java/ql/src/utils/modelgenerator/GenerateFlowModel.py --with-summaries --with-sinks $DATABASE $SHORTNAME/$QL_VARIANT
|
||||
mkdir -p $MODELS/$SHORTNAME
|
||||
mv java/ql/lib/ext/generated/$SHORTNAME/$QL_VARIANT $MODELS/$SHORTNAME
|
||||
cd ..
|
||||
|
||||
40
.github/workflows/ruby-qltest-rtjo.yml
vendored
40
.github/workflows/ruby-qltest-rtjo.yml
vendored
@@ -1,40 +0,0 @@
|
||||
name: "Ruby: Run RTJO Language Tests"
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
types:
|
||||
- opened
|
||||
- synchronize
|
||||
- reopened
|
||||
- labeled
|
||||
|
||||
env:
|
||||
CARGO_TERM_COLOR: always
|
||||
|
||||
defaults:
|
||||
run:
|
||||
working-directory: ruby
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
qltest-rtjo:
|
||||
if: "github.repository_owner == 'github' && github.event.label.name == 'Run: RTJO Language Tests'"
|
||||
runs-on: ubuntu-latest-xl
|
||||
strategy:
|
||||
fail-fast: false
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: ./.github/actions/fetch-codeql
|
||||
- uses: ./ruby/actions/create-extractor-pack
|
||||
- name: Cache compilation cache
|
||||
id: query-cache
|
||||
uses: ./.github/actions/cache-query-compilation
|
||||
with:
|
||||
key: ruby-qltest
|
||||
- name: Run QL tests
|
||||
run: |
|
||||
codeql test run --dynamic-join-order-mode=all --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ github.token }}
|
||||
2
.github/workflows/ruby-qltest.yml
vendored
2
.github/workflows/ruby-qltest.yml
vendored
@@ -68,6 +68,6 @@ jobs:
|
||||
key: ruby-qltest
|
||||
- name: Run QL tests
|
||||
run: |
|
||||
codeql test run --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
|
||||
codeql test run --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ github.token }}
|
||||
|
||||
2
.github/workflows/swift.yml
vendored
2
.github/workflows/swift.yml
vendored
@@ -32,7 +32,7 @@ jobs:
|
||||
if: github.repository_owner == 'github'
|
||||
strategy:
|
||||
matrix:
|
||||
runner: [ubuntu-latest, macos-15-xlarge]
|
||||
runner: [ubuntu-latest, macos-13-xlarge]
|
||||
fail-fast: false
|
||||
runs-on: ${{ matrix.runner }}
|
||||
steps:
|
||||
|
||||
5
.gitignore
vendored
5
.gitignore
vendored
@@ -62,7 +62,6 @@ node_modules/
|
||||
|
||||
# Temporary folders for working with generated models
|
||||
.model-temp
|
||||
/mad-generation-build
|
||||
|
||||
# bazel-built in-tree extractor packs
|
||||
/*/extractor-pack
|
||||
@@ -72,7 +71,3 @@ node_modules/
|
||||
|
||||
# cargo build directory
|
||||
/target
|
||||
|
||||
# some upgrade/downgrade checks create these files
|
||||
**/upgrades/*/*.dbscheme.stats
|
||||
**/downgrades/*/*.dbscheme.stats
|
||||
|
||||
@@ -72,7 +72,7 @@ repos:
|
||||
|
||||
- id: rust-codegen
|
||||
name: Run Rust checked in code generation
|
||||
files: ^misc/codegen/|^rust/(prefix\.dbscheme|schema/|codegen/|.*/generated/|ql/lib/(rust\.dbscheme$|codeql/rust/elements)|\.generated.list|ast-generator/)
|
||||
files: ^misc/codegen/|^rust/(prefix\.dbscheme|schema/|codegen/|.*/generated/|ql/lib/(rust\.dbscheme$|codeql/rust/elements)|\.generated.list)
|
||||
language: system
|
||||
entry: bazel run //rust/codegen -- --quiet
|
||||
pass_filenames: false
|
||||
|
||||
@@ -8,17 +8,12 @@
|
||||
/javascript/ @github/codeql-javascript
|
||||
/python/ @github/codeql-python
|
||||
/ruby/ @github/codeql-ruby
|
||||
/rust/ @github/codeql-rust
|
||||
/swift/ @github/codeql-swift
|
||||
/misc/codegen/ @github/codeql-swift
|
||||
/java/kotlin-extractor/ @github/codeql-kotlin
|
||||
/java/ql/test-kotlin1/ @github/codeql-kotlin
|
||||
/java/ql/test-kotlin2/ @github/codeql-kotlin
|
||||
|
||||
# Experimental CodeQL cryptography
|
||||
**/experimental/**/quantum/ @github/ps-codeql
|
||||
/shared/quantum/ @github/ps-codeql
|
||||
|
||||
# CodeQL tools and associated docs
|
||||
/docs/codeql/codeql-cli/ @github/codeql-cli-reviewers
|
||||
/docs/codeql/codeql-for-visual-studio-code/ @github/codeql-vscode-reviewers
|
||||
@@ -43,7 +38,6 @@ MODULE.bazel @github/codeql-ci-reviewers
|
||||
/.github/workflows/go-* @github/codeql-go
|
||||
/.github/workflows/ql-for-ql-* @github/codeql-ql-for-ql-reviewers
|
||||
/.github/workflows/ruby-* @github/codeql-ruby
|
||||
/.github/workflows/rust.yml @github/codeql-rust
|
||||
/.github/workflows/swift.yml @github/codeql-swift
|
||||
|
||||
# Misc
|
||||
|
||||
648
Cargo.lock
generated
648
Cargo.lock
generated
File diff suppressed because it is too large
Load Diff
@@ -10,9 +10,8 @@ members = [
|
||||
"rust/ast-generator",
|
||||
"rust/autobuild",
|
||||
]
|
||||
exclude = ["mad-generation-build"]
|
||||
|
||||
[patch.crates-io]
|
||||
# patch for build script bug preventing bazel build
|
||||
# see https://github.com/rust-lang/rustc_apfloat/pull/17
|
||||
rustc_apfloat = { git = "https://github.com/redsun82/rustc_apfloat.git", rev = "32968f16ef1b082243f9bf43a3fbd65c381b3e27" }
|
||||
rustc_apfloat = { git = "https://github.com/redsun82/rustc_apfloat.git", rev = "096d585100636bc2e9f09d7eefec38c5b334d47b" }
|
||||
|
||||
72
MODULE.bazel
72
MODULE.bazel
@@ -24,7 +24,7 @@ bazel_dep(name = "bazel_skylib", version = "1.7.1")
|
||||
bazel_dep(name = "abseil-cpp", version = "20240116.1", repo_name = "absl")
|
||||
bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
|
||||
bazel_dep(name = "fmt", version = "10.0.0")
|
||||
bazel_dep(name = "rules_kotlin", version = "2.1.3-codeql.1")
|
||||
bazel_dep(name = "rules_kotlin", version = "2.0.0-codeql.1")
|
||||
bazel_dep(name = "gazelle", version = "0.40.0")
|
||||
bazel_dep(name = "rules_dotnet", version = "0.17.4")
|
||||
bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
|
||||
@@ -71,13 +71,13 @@ use_repo(
|
||||
tree_sitter_extractors_deps = use_extension("//misc/bazel/3rdparty:tree_sitter_extractors_extension.bzl", "r")
|
||||
use_repo(
|
||||
tree_sitter_extractors_deps,
|
||||
"vendor_ts__anyhow-1.0.97",
|
||||
"vendor_ts__anyhow-1.0.96",
|
||||
"vendor_ts__argfile-0.2.1",
|
||||
"vendor_ts__chalk-ir-0.100.0",
|
||||
"vendor_ts__chrono-0.4.40",
|
||||
"vendor_ts__clap-4.5.35",
|
||||
"vendor_ts__chalk-ir-0.99.0",
|
||||
"vendor_ts__chrono-0.4.39",
|
||||
"vendor_ts__clap-4.5.31",
|
||||
"vendor_ts__dunce-1.0.5",
|
||||
"vendor_ts__either-1.15.0",
|
||||
"vendor_ts__either-1.14.0",
|
||||
"vendor_ts__encoding-0.2.33",
|
||||
"vendor_ts__figment-0.10.19",
|
||||
"vendor_ts__flate2-1.1.0",
|
||||
@@ -88,31 +88,31 @@ use_repo(
|
||||
"vendor_ts__mustache-0.9.0",
|
||||
"vendor_ts__num-traits-0.2.19",
|
||||
"vendor_ts__num_cpus-1.16.0",
|
||||
"vendor_ts__proc-macro2-1.0.94",
|
||||
"vendor_ts__quote-1.0.40",
|
||||
"vendor_ts__ra_ap_base_db-0.0.273",
|
||||
"vendor_ts__ra_ap_cfg-0.0.273",
|
||||
"vendor_ts__ra_ap_hir-0.0.273",
|
||||
"vendor_ts__ra_ap_hir_def-0.0.273",
|
||||
"vendor_ts__ra_ap_hir_expand-0.0.273",
|
||||
"vendor_ts__ra_ap_hir_ty-0.0.273",
|
||||
"vendor_ts__ra_ap_ide_db-0.0.273",
|
||||
"vendor_ts__ra_ap_intern-0.0.273",
|
||||
"vendor_ts__ra_ap_load-cargo-0.0.273",
|
||||
"vendor_ts__ra_ap_parser-0.0.273",
|
||||
"vendor_ts__ra_ap_paths-0.0.273",
|
||||
"vendor_ts__ra_ap_project_model-0.0.273",
|
||||
"vendor_ts__ra_ap_span-0.0.273",
|
||||
"vendor_ts__ra_ap_stdx-0.0.273",
|
||||
"vendor_ts__ra_ap_syntax-0.0.273",
|
||||
"vendor_ts__ra_ap_vfs-0.0.273",
|
||||
"vendor_ts__proc-macro2-1.0.93",
|
||||
"vendor_ts__quote-1.0.38",
|
||||
"vendor_ts__ra_ap_base_db-0.0.266",
|
||||
"vendor_ts__ra_ap_cfg-0.0.266",
|
||||
"vendor_ts__ra_ap_hir-0.0.266",
|
||||
"vendor_ts__ra_ap_hir_def-0.0.266",
|
||||
"vendor_ts__ra_ap_hir_expand-0.0.266",
|
||||
"vendor_ts__ra_ap_hir_ty-0.0.266",
|
||||
"vendor_ts__ra_ap_ide_db-0.0.266",
|
||||
"vendor_ts__ra_ap_intern-0.0.266",
|
||||
"vendor_ts__ra_ap_load-cargo-0.0.266",
|
||||
"vendor_ts__ra_ap_parser-0.0.266",
|
||||
"vendor_ts__ra_ap_paths-0.0.266",
|
||||
"vendor_ts__ra_ap_project_model-0.0.266",
|
||||
"vendor_ts__ra_ap_span-0.0.266",
|
||||
"vendor_ts__ra_ap_stdx-0.0.266",
|
||||
"vendor_ts__ra_ap_syntax-0.0.266",
|
||||
"vendor_ts__ra_ap_vfs-0.0.266",
|
||||
"vendor_ts__rand-0.9.0",
|
||||
"vendor_ts__rayon-1.10.0",
|
||||
"vendor_ts__regex-1.11.1",
|
||||
"vendor_ts__serde-1.0.219",
|
||||
"vendor_ts__serde_json-1.0.140",
|
||||
"vendor_ts__serde-1.0.218",
|
||||
"vendor_ts__serde_json-1.0.139",
|
||||
"vendor_ts__serde_with-3.12.0",
|
||||
"vendor_ts__syn-2.0.100",
|
||||
"vendor_ts__syn-2.0.98",
|
||||
"vendor_ts__toml-0.8.20",
|
||||
"vendor_ts__tracing-0.1.41",
|
||||
"vendor_ts__tracing-flame-0.2.0",
|
||||
@@ -124,7 +124,6 @@ use_repo(
|
||||
"vendor_ts__tree-sitter-ruby-0.23.1",
|
||||
"vendor_ts__triomphe-0.1.14",
|
||||
"vendor_ts__ungrammar-1.16.1",
|
||||
"vendor_ts__zstd-0.13.3",
|
||||
)
|
||||
|
||||
http_archive = use_repo_rule("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
|
||||
@@ -156,7 +155,7 @@ use_repo(csharp_main_extension, "paket.main")
|
||||
pip = use_extension("@rules_python//python/extensions:pip.bzl", "pip")
|
||||
pip.parse(
|
||||
hub_name = "codegen_deps",
|
||||
python_version = "3.12",
|
||||
python_version = "3.11",
|
||||
requirements_lock = "//misc/codegen:requirements_lock.txt",
|
||||
)
|
||||
use_repo(pip, "codegen_deps")
|
||||
@@ -194,6 +193,10 @@ use_repo(
|
||||
kotlin_extractor_deps,
|
||||
"codeql_kotlin_defaults",
|
||||
"codeql_kotlin_embeddable",
|
||||
"kotlin-compiler-1.5.0",
|
||||
"kotlin-compiler-1.5.10",
|
||||
"kotlin-compiler-1.5.20",
|
||||
"kotlin-compiler-1.5.30",
|
||||
"kotlin-compiler-1.6.0",
|
||||
"kotlin-compiler-1.6.20",
|
||||
"kotlin-compiler-1.7.0",
|
||||
@@ -205,7 +208,10 @@ use_repo(
|
||||
"kotlin-compiler-2.0.20-Beta2",
|
||||
"kotlin-compiler-2.1.0-Beta1",
|
||||
"kotlin-compiler-2.1.20-Beta1",
|
||||
"kotlin-compiler-2.2.0-Beta1",
|
||||
"kotlin-compiler-embeddable-1.5.0",
|
||||
"kotlin-compiler-embeddable-1.5.10",
|
||||
"kotlin-compiler-embeddable-1.5.20",
|
||||
"kotlin-compiler-embeddable-1.5.30",
|
||||
"kotlin-compiler-embeddable-1.6.0",
|
||||
"kotlin-compiler-embeddable-1.6.20",
|
||||
"kotlin-compiler-embeddable-1.7.0",
|
||||
@@ -217,7 +223,10 @@ use_repo(
|
||||
"kotlin-compiler-embeddable-2.0.20-Beta2",
|
||||
"kotlin-compiler-embeddable-2.1.0-Beta1",
|
||||
"kotlin-compiler-embeddable-2.1.20-Beta1",
|
||||
"kotlin-compiler-embeddable-2.2.0-Beta1",
|
||||
"kotlin-stdlib-1.5.0",
|
||||
"kotlin-stdlib-1.5.10",
|
||||
"kotlin-stdlib-1.5.20",
|
||||
"kotlin-stdlib-1.5.30",
|
||||
"kotlin-stdlib-1.6.0",
|
||||
"kotlin-stdlib-1.6.20",
|
||||
"kotlin-stdlib-1.7.0",
|
||||
@@ -229,7 +238,6 @@ use_repo(
|
||||
"kotlin-stdlib-2.0.20-Beta2",
|
||||
"kotlin-stdlib-2.1.0-Beta1",
|
||||
"kotlin-stdlib-2.1.20-Beta1",
|
||||
"kotlin-stdlib-2.2.0-Beta1",
|
||||
)
|
||||
|
||||
go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
|
||||
|
||||
@@ -1,34 +1,27 @@
|
||||
# Note: We're adding the `reusable_workflows` subdirectories to proactively
|
||||
# record workflows that were called cross-repo, check them out locally,
|
||||
# and enable an interprocedural analysis across the workflow files.
|
||||
# These workflows follow the convention `.github/reusable_workflows/<nwo>/*.ya?ml`
|
||||
$DefaultPathFilters = @(
|
||||
'exclude:**/*',
|
||||
'include:.github/workflows/*.yml',
|
||||
'include:.github/workflows/*.yaml',
|
||||
'include:.github/reusable_workflows/**/*.yml',
|
||||
'include:.github/reusable_workflows/**/*.yaml',
|
||||
'include:**/action.yml',
|
||||
'include:**/action.yaml'
|
||||
)
|
||||
|
||||
if ($null -ne $env:LGTM_INDEX_FILTERS) {
|
||||
Write-Output 'LGTM_INDEX_FILTERS set. Using the default filters together with the user-provided filters, and passing through to the JavaScript extractor.'
|
||||
# Begin with the default path inclusions only,
|
||||
# followed by the user-provided filters.
|
||||
# If the user provided `paths`, those patterns override the default inclusions
|
||||
# (because `LGTM_INDEX_FILTERS` will begin with `exclude:**/*`).
|
||||
# If the user provided `paths-ignore`, those patterns are excluded.
|
||||
$PathFilters = ($DefaultPathFilters -join "`n") + "`n" + $env:LGTM_INDEX_FILTERS
|
||||
$env:LGTM_INDEX_FILTERS = $PathFilters
|
||||
if (($null -ne $env:LGTM_INDEX_INCLUDE) -or ($null -ne $env:LGTM_INDEX_EXCLUDE) -or ($null -ne $env:LGTM_INDEX_FILTERS)) {
|
||||
Write-Output 'Path filters set. Passing them through to the JavaScript extractor.'
|
||||
} else {
|
||||
Write-Output 'LGTM_INDEX_FILTERS not set. Using the default filters, and passing through to the JavaScript extractor.'
|
||||
Write-Output 'No path filters set. Using the default filters.'
|
||||
# Note: We're adding the `reusable_workflows` subdirectories to proactively
|
||||
# record workflows that were called cross-repo, check them out locally,
|
||||
# and enable an interprocedural analysis across the workflow files.
|
||||
# These workflows follow the convention `.github/reusable_workflows/<nwo>/*.ya?ml`
|
||||
$DefaultPathFilters = @(
|
||||
'exclude:**/*',
|
||||
'include:.github/workflows/*.yml',
|
||||
'include:.github/workflows/*.yaml',
|
||||
'include:.github/reusable_workflows/**/*.yml',
|
||||
'include:.github/reusable_workflows/**/*.yaml',
|
||||
'include:**/action.yml',
|
||||
'include:**/action.yaml'
|
||||
)
|
||||
|
||||
$env:LGTM_INDEX_FILTERS = $DefaultPathFilters -join "`n"
|
||||
}
|
||||
|
||||
# Find the JavaScript extractor directory via `codeql resolve extractor`.
|
||||
$CodeQL = Join-Path $env:CODEQL_DIST 'codeql.exe'
|
||||
$env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT = &"$CodeQL" resolve extractor --language javascript
|
||||
$env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT = &$CodeQL resolve extractor --language javascript
|
||||
if ($LASTEXITCODE -ne 0) {
|
||||
throw 'Failed to resolve JavaScript extractor.'
|
||||
}
|
||||
@@ -47,7 +40,7 @@ $env:CODEQL_EXTRACTOR_JAVASCRIPT_SOURCE_ARCHIVE_DIR = $env:CODEQL_EXTRACTOR_ACTI
|
||||
$env:CODEQL_EXTRACTOR_JAVASCRIPT_TRAP_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_TRAP_DIR
|
||||
$env:CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE = $env:CODEQL_EXTRACTOR_ACTIONS_WIP_DATABASE
|
||||
|
||||
&"$JavaScriptAutoBuild"
|
||||
&$JavaScriptAutoBuild
|
||||
if ($LASTEXITCODE -ne 0) {
|
||||
throw "JavaScript autobuilder failed."
|
||||
}
|
||||
|
||||
@@ -1,4 +1,3 @@
|
||||
@echo off
|
||||
rem All of the work is done in the PowerShell script
|
||||
echo "Running PowerShell script at '%~dp0autobuild-impl.ps1'"
|
||||
powershell.exe -File "%~dp0autobuild-impl.ps1"
|
||||
powershell.exe %~dp0autobuild-impl.ps1
|
||||
|
||||
@@ -17,28 +17,16 @@ include:**/action.yaml
|
||||
END
|
||||
)
|
||||
|
||||
if [ -n "${LGTM_INDEX_FILTERS:-}" ]; then
|
||||
echo "LGTM_INDEX_FILTERS set. Using the default filters together with the user-provided filters, and passing through to the JavaScript extractor."
|
||||
# Begin with the default path inclusions only,
|
||||
# followed by the user-provided filters.
|
||||
# If the user provided `paths`, those patterns override the default inclusions
|
||||
# (because `LGTM_INDEX_FILTERS` will begin with `exclude:**/*`).
|
||||
# If the user provided `paths-ignore`, those patterns are excluded.
|
||||
PATH_FILTERS="$(cat << END
|
||||
${DEFAULT_PATH_FILTERS}
|
||||
${LGTM_INDEX_FILTERS}
|
||||
END
|
||||
)"
|
||||
LGTM_INDEX_FILTERS="${PATH_FILTERS}"
|
||||
export LGTM_INDEX_FILTERS
|
||||
if [ -n "${LGTM_INDEX_INCLUDE:-}" ] || [ -n "${LGTM_INDEX_EXCLUDE:-}" ] || [ -n "${LGTM_INDEX_FILTERS:-}" ] ; then
|
||||
echo "Path filters set. Passing them through to the JavaScript extractor."
|
||||
else
|
||||
echo "LGTM_INDEX_FILTERS not set. Using the default filters, and passing through to the JavaScript extractor."
|
||||
echo "No path filters set. Using the default filters."
|
||||
LGTM_INDEX_FILTERS="${DEFAULT_PATH_FILTERS}"
|
||||
export LGTM_INDEX_FILTERS
|
||||
fi
|
||||
|
||||
# Find the JavaScript extractor directory via `codeql resolve extractor`.
|
||||
CODEQL_EXTRACTOR_JAVASCRIPT_ROOT="$("${CODEQL_DIST}/codeql" resolve extractor --language javascript)"
|
||||
CODEQL_EXTRACTOR_JAVASCRIPT_ROOT="$($CODEQL_DIST/codeql resolve extractor --language javascript)"
|
||||
export CODEQL_EXTRACTOR_JAVASCRIPT_ROOT
|
||||
|
||||
echo "Found JavaScript extractor at '${CODEQL_EXTRACTOR_JAVASCRIPT_ROOT}'."
|
||||
@@ -54,4 +42,4 @@ env CODEQL_EXTRACTOR_JAVASCRIPT_DIAGNOSTIC_DIR="${CODEQL_EXTRACTOR_ACTIONS_DIAGN
|
||||
CODEQL_EXTRACTOR_JAVASCRIPT_SOURCE_ARCHIVE_DIR="${CODEQL_EXTRACTOR_ACTIONS_SOURCE_ARCHIVE_DIR}" \
|
||||
CODEQL_EXTRACTOR_JAVASCRIPT_TRAP_DIR="${CODEQL_EXTRACTOR_ACTIONS_TRAP_DIR}" \
|
||||
CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE="${CODEQL_EXTRACTOR_ACTIONS_WIP_DATABASE}" \
|
||||
"${JAVASCRIPT_AUTO_BUILD}"
|
||||
${JAVASCRIPT_AUTO_BUILD}
|
||||
|
||||
@@ -1,5 +0,0 @@
|
||||
import actions
|
||||
|
||||
from AstNode n
|
||||
where n instanceof Workflow or n instanceof CompositeAction
|
||||
select n
|
||||
@@ -1,6 +0,0 @@
|
||||
| src/.github/action.yaml:1:1:11:32 | name: ' ... action' |
|
||||
| src/.github/actions/action-name/action.yml:1:1:11:32 | name: ' ... action' |
|
||||
| src/.github/workflows/workflow.yml:1:1:12:33 | name: A workflow |
|
||||
| src/action.yml:1:1:11:32 | name: ' ... action' |
|
||||
| src/excluded/action.yml:1:1:11:32 | name: ' ... action' |
|
||||
| src/included/action.yml:1:1:11:32 | name: ' ... action' |
|
||||
@@ -1,2 +0,0 @@
|
||||
| src/included/action.yml:1:1:11:32 | name: ' ... action' |
|
||||
| src/included/unreachable-workflow.yml:1:1:12:33 | name: A ... orkflow |
|
||||
@@ -1,5 +0,0 @@
|
||||
| src/.github/action.yaml:1:1:11:32 | name: ' ... action' |
|
||||
| src/.github/actions/action-name/action.yml:1:1:11:32 | name: ' ... action' |
|
||||
| src/.github/workflows/workflow.yml:1:1:12:33 | name: A workflow |
|
||||
| src/action.yml:1:1:11:32 | name: ' ... action' |
|
||||
| src/included/action.yml:1:1:11:32 | name: ' ... action' |
|
||||
@@ -1,2 +0,0 @@
|
||||
| src/included/action.yml:1:1:11:32 | name: ' ... action' |
|
||||
| src/included/unreachable-workflow.yml:1:1:12:33 | name: A ... orkflow |
|
||||
@@ -1,5 +0,0 @@
|
||||
import actions
|
||||
|
||||
from AstNode n
|
||||
where n instanceof Workflow or n instanceof CompositeAction
|
||||
select n
|
||||
@@ -1,4 +0,0 @@
|
||||
paths:
|
||||
- 'included'
|
||||
paths-ignore:
|
||||
- 'excluded'
|
||||
@@ -1,2 +0,0 @@
|
||||
paths-ignore:
|
||||
- 'excluded'
|
||||
@@ -1,2 +0,0 @@
|
||||
paths:
|
||||
- 'included'
|
||||
@@ -1,6 +0,0 @@
|
||||
src/.github/action.yaml
|
||||
src/.github/actions/action-name/action.yml
|
||||
src/.github/workflows/workflow.yml
|
||||
src/action.yml
|
||||
src/excluded/action.yml
|
||||
src/included/action.yml
|
||||
@@ -1,3 +0,0 @@
|
||||
src/included/action.yml
|
||||
src/included/not-an-action.yml
|
||||
src/included/unreachable-workflow.yml
|
||||
@@ -1,5 +0,0 @@
|
||||
src/.github/action.yaml
|
||||
src/.github/actions/action-name/action.yml
|
||||
src/.github/workflows/workflow.yml
|
||||
src/action.yml
|
||||
src/included/action.yml
|
||||
@@ -1,3 +0,0 @@
|
||||
src/included/action.yml
|
||||
src/included/not-an-action.yml
|
||||
src/included/unreachable-workflow.yml
|
||||
@@ -1,11 +0,0 @@
|
||||
name: 'A composite action'
|
||||
description: 'Do something'
|
||||
runs:
|
||||
using: "composite"
|
||||
steps:
|
||||
- name: Print
|
||||
run: echo "Hello world"
|
||||
shell: bash
|
||||
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
@@ -1,11 +0,0 @@
|
||||
name: 'A composite action'
|
||||
description: 'Do something'
|
||||
runs:
|
||||
using: "composite"
|
||||
steps:
|
||||
- name: Print
|
||||
run: echo "Hello world"
|
||||
shell: bash
|
||||
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
@@ -1,12 +0,0 @@
|
||||
name: An unreachable workflow
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
|
||||
jobs:
|
||||
job:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -1,12 +0,0 @@
|
||||
name: A workflow
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
|
||||
jobs:
|
||||
job:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -1,11 +0,0 @@
|
||||
name: 'A composite action'
|
||||
description: 'Do something'
|
||||
runs:
|
||||
using: "composite"
|
||||
steps:
|
||||
- name: Print
|
||||
run: echo "Hello world"
|
||||
shell: bash
|
||||
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
@@ -1,11 +0,0 @@
|
||||
name: 'A composite action'
|
||||
description: 'Do something'
|
||||
runs:
|
||||
using: "composite"
|
||||
steps:
|
||||
- name: Print
|
||||
run: echo "Hello world"
|
||||
shell: bash
|
||||
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
@@ -1,12 +0,0 @@
|
||||
name: An unreachable workflow
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
|
||||
jobs:
|
||||
job:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -1,11 +0,0 @@
|
||||
name: 'A composite action'
|
||||
description: 'Do something'
|
||||
runs:
|
||||
using: "composite"
|
||||
steps:
|
||||
- name: Print
|
||||
run: echo "Hello world"
|
||||
shell: bash
|
||||
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
@@ -1 +0,0 @@
|
||||
name: 'Not an action, just a YAML file'
|
||||
@@ -1,12 +0,0 @@
|
||||
name: An unreachable workflow
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
|
||||
jobs:
|
||||
job:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -1,12 +0,0 @@
|
||||
name: An unreachable workflow
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
|
||||
jobs:
|
||||
job:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
@@ -1,18 +0,0 @@
|
||||
import pytest
|
||||
|
||||
@pytest.mark.ql_test(expected=".default-filters.expected")
|
||||
def test_default_filters(codeql, actions, check_source_archive):
|
||||
check_source_archive.expected_suffix = ".default-filters.expected"
|
||||
codeql.database.create(source_root="src")
|
||||
|
||||
@pytest.mark.ql_test(expected=".paths-only.expected")
|
||||
def test_config_paths_only(codeql, actions):
|
||||
codeql.database.create(source_root="src", codescanning_config="codeql-config.paths-only.yml")
|
||||
|
||||
@pytest.mark.ql_test(expected=".paths-ignore-only.expected")
|
||||
def test_config_paths_ignore_only(codeql, actions):
|
||||
codeql.database.create(source_root="src", codescanning_config="codeql-config.paths-ignore-only.yml")
|
||||
|
||||
@pytest.mark.ql_test(expected=".paths-and-paths-ignore.expected")
|
||||
def test_config_paths_and_paths_ignore(codeql, actions):
|
||||
codeql.database.create(source_root="src", codescanning_config="codeql-config.paths-and-paths-ignore.yml")
|
||||
@@ -1 +0,0 @@
|
||||
|
||||
@@ -1,17 +0,0 @@
|
||||
ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
|
||||
ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
|
||||
ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
|
||||
ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
|
||||
ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
|
||||
ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
|
||||
ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
|
||||
ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
|
||||
ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
|
||||
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
|
||||
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
|
||||
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
|
||||
ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
|
||||
ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
|
||||
ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
|
||||
ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
|
||||
ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
|
||||
@@ -1,27 +0,0 @@
|
||||
ql/actions/ql/src/Debug/SyntaxError.ql
|
||||
ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
|
||||
ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
|
||||
ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
|
||||
ql/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
|
||||
ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
|
||||
ql/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql
|
||||
ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
|
||||
ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
|
||||
ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
|
||||
ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
|
||||
ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
|
||||
ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
|
||||
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
|
||||
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
|
||||
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
|
||||
ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
|
||||
ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
|
||||
ql/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.ql
|
||||
ql/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql
|
||||
ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
|
||||
ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
|
||||
ql/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
|
||||
ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
|
||||
ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
|
||||
ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql
|
||||
ql/actions/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql
|
||||
@@ -1,23 +0,0 @@
|
||||
ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
|
||||
ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
|
||||
ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
|
||||
ql/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
|
||||
ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
|
||||
ql/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql
|
||||
ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
|
||||
ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
|
||||
ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
|
||||
ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
|
||||
ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
|
||||
ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
|
||||
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
|
||||
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
|
||||
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
|
||||
ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
|
||||
ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
|
||||
ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
|
||||
ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
|
||||
ql/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
|
||||
ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
|
||||
ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
|
||||
ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql
|
||||
@@ -1,17 +0,0 @@
|
||||
ql/actions/ql/src/Debug/partial.ql
|
||||
ql/actions/ql/src/Models/CompositeActionsSinks.ql
|
||||
ql/actions/ql/src/Models/CompositeActionsSources.ql
|
||||
ql/actions/ql/src/Models/CompositeActionsSummaries.ql
|
||||
ql/actions/ql/src/Models/ReusableWorkflowsSinks.ql
|
||||
ql/actions/ql/src/Models/ReusableWorkflowsSources.ql
|
||||
ql/actions/ql/src/Models/ReusableWorkflowsSummaries.ql
|
||||
ql/actions/ql/src/experimental/Security/CWE-074/OutputClobberingHigh.ql
|
||||
ql/actions/ql/src/experimental/Security/CWE-078/CommandInjectionCritical.ql
|
||||
ql/actions/ql/src/experimental/Security/CWE-078/CommandInjectionMedium.ql
|
||||
ql/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionCritical.ql
|
||||
ql/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionMedium.ql
|
||||
ql/actions/ql/src/experimental/Security/CWE-200/SecretExfiltration.ql
|
||||
ql/actions/ql/src/experimental/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql
|
||||
ql/actions/ql/src/experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql
|
||||
ql/actions/ql/src/experimental/Security/CWE-829/UnversionedImmutableAction.ql
|
||||
ql/actions/ql/src/experimental/Security/CWE-918/RequestForgery.ql
|
||||
@@ -1,14 +0,0 @@
|
||||
import runs_on
|
||||
import pytest
|
||||
from query_suites import *
|
||||
|
||||
well_known_query_suites = ['actions-code-quality.qls', 'actions-security-and-quality.qls', 'actions-security-extended.qls', 'actions-code-scanning.qls']
|
||||
|
||||
@runs_on.posix
|
||||
@pytest.mark.parametrize("query_suite", well_known_query_suites)
|
||||
def test(codeql, actions, check_query_suite, query_suite):
|
||||
check_query_suite(query_suite)
|
||||
|
||||
@runs_on.posix
|
||||
def test_not_included_queries(codeql, actions, check_queries_not_included):
|
||||
check_queries_not_included('actions', well_known_query_suites)
|
||||
@@ -1,24 +1,3 @@
|
||||
## 0.4.9
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.4.8
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.4.7
|
||||
|
||||
### New Features
|
||||
|
||||
* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.
|
||||
|
||||
## 0.4.6
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* The query `actions/code-injection/medium` now produces alerts for injection
|
||||
vulnerabilities on `pull_request` events.
|
||||
|
||||
## 0.4.5
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,6 +0,0 @@
|
||||
## 0.4.6
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* The query `actions/code-injection/medium` now produces alerts for injection
|
||||
vulnerabilities on `pull_request` events.
|
||||
@@ -1,5 +0,0 @@
|
||||
## 0.4.7
|
||||
|
||||
### New Features
|
||||
|
||||
* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.
|
||||
@@ -1,3 +0,0 @@
|
||||
## 0.4.8
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,3 +0,0 @@
|
||||
## 0.4.9
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.4.9
|
||||
lastReleaseVersion: 0.4.5
|
||||
|
||||
@@ -154,13 +154,3 @@ predicate untrustedGitCommandDataModel(string cmd_regex, string flag) {
|
||||
predicate untrustedGhCommandDataModel(string cmd_regex, string flag) {
|
||||
Extensions::untrustedGhCommandDataModel(cmd_regex, flag)
|
||||
}
|
||||
|
||||
/**
|
||||
* MaD models for permissions needed by actions
|
||||
* Fields:
|
||||
* - action: action name, e.g. `actions/checkout`
|
||||
* - permission: permission name, e.g. `contents: read`
|
||||
*/
|
||||
predicate actionsPermissionsDataModel(string action, string permission) {
|
||||
Extensions::actionsPermissionsDataModel(action, permission)
|
||||
}
|
||||
|
||||
@@ -77,14 +77,3 @@ extensible predicate untrustedGitCommandDataModel(string cmd_regex, string flag)
|
||||
* Holds for gh commands that may introduce untrusted data
|
||||
*/
|
||||
extensible predicate untrustedGhCommandDataModel(string cmd_regex, string flag);
|
||||
|
||||
/**
|
||||
* Holds if `action` needs `permission` to run.
|
||||
* - 'action' is the name of the action without any version information.
|
||||
* E.g. for the action selector `actions/checkout@v2`, `action` is `actions/checkout`.
|
||||
* - `permission` is of the form `scope-name: read|write`, for example `contents: read`.
|
||||
* - see https://github.com/actions/checkout?tab=readme-ov-file#recommended-permissions
|
||||
* for an example of recommended permissions.
|
||||
* - see https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token for documentation of token permissions.
|
||||
*/
|
||||
extensible predicate actionsPermissionsDataModel(string action, string permission);
|
||||
|
||||
@@ -1,42 +0,0 @@
|
||||
extensions:
|
||||
- addsTo:
|
||||
pack: codeql/actions-all
|
||||
extensible: actionsPermissionsDataModel
|
||||
data:
|
||||
- ["actions/checkout", "contents: read"]
|
||||
- ["actions/setup-node", "contents: read"]
|
||||
- ["actions/setup-python", "contents: read"]
|
||||
- ["actions/setup-java", "contents: read"]
|
||||
- ["actions/setup-go", "contents: read"]
|
||||
- ["actions/setup-dotnet", "contents: read"]
|
||||
- ["actions/labeler", "contents: read"]
|
||||
- ["actions/labeler", "pull-requests: write"]
|
||||
- ["actions/attest", "id-token: write"]
|
||||
- ["actions/attest", "attestations: write"]
|
||||
# No permissions needed for actions/add-to-project
|
||||
- ["actions/dependency-review-action", "contents: read"]
|
||||
- ["actions/attest-sbom", "id-token: write"]
|
||||
- ["actions/attest-sbom", "attestations: write"]
|
||||
- ["actions/stale", "contents: write"]
|
||||
- ["actions/stale", "issues: write"]
|
||||
- ["actions/stale", "pull-requests: write"]
|
||||
- ["actions/attest-build-provenance", "id-token: write"]
|
||||
- ["actions/attest-build-provenance", "attestations: write"]
|
||||
- ["actions/deploy-pages", "pages: write"]
|
||||
- ["actions/deploy-pages", "id-token: write"]
|
||||
- ["actions/delete-package-versions", "packages: write"]
|
||||
- ["actions/jekyll-build-pages", "contents: read"]
|
||||
- ["actions/jekyll-build-pages", "pages: write"]
|
||||
- ["actions/jekyll-build-pages", "id-token: write"]
|
||||
- ["actions/publish-action", "contents: write"]
|
||||
- ["actions/versions-package-tools", "contents: read"]
|
||||
- ["actions/versions-package-tools", "actions: read"]
|
||||
- ["actions/reusable-workflows", "contents: read"]
|
||||
- ["actions/reusable-workflows", "actions: read"]
|
||||
- ["actions/ai-inference", "contents: read"]
|
||||
- ["actions/ai-inference", "models: read"]
|
||||
# TODO: Add permissions for actions/download-artifact
|
||||
# TODO: Add permissions for actions/upload-artifact
|
||||
# No permissions needed for actions/upload-pages-artifact
|
||||
# TODO: Add permissions for actions/cache
|
||||
# No permissions needed for actions/configure-pages
|
||||
@@ -30,9 +30,6 @@ extensions:
|
||||
- ["pull_request_review_comment", "github.event.review"]
|
||||
- ["pull_request_review_comment", "github.head_ref"]
|
||||
- ["pull_request_review_comment", "github.event.changes"]
|
||||
- ["pull_request", "github.event.pull_request"]
|
||||
- ["pull_request", "github.head_ref"]
|
||||
- ["pull_request", "github.event.changes"]
|
||||
- ["pull_request_target", "github.event.pull_request"]
|
||||
- ["pull_request_target", "github.head_ref"]
|
||||
- ["pull_request_target", "github.event.changes"]
|
||||
|
||||
@@ -12,7 +12,6 @@ extensions:
|
||||
- ["pull_request_comment"]
|
||||
- ["pull_request_review"]
|
||||
- ["pull_request_review_comment"]
|
||||
- ["pull_request"]
|
||||
- ["pull_request_target"]
|
||||
- ["workflow_run"] # depending on branch filter
|
||||
- ["workflow_call"] # depending on caller
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/actions-all
|
||||
version: 0.4.10-dev
|
||||
version: 0.4.6-dev
|
||||
library: true
|
||||
warnOnImplicitThis: true
|
||||
dependencies:
|
||||
|
||||
@@ -1,45 +1,3 @@
|
||||
## 0.6.1
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.6.0
|
||||
|
||||
### Breaking Changes
|
||||
|
||||
* The following queries have been removed from the `security-and-quality` suite.
|
||||
They are not intended to produce user-facing
|
||||
alerts describing vulnerabilities.
|
||||
Any existing alerts for these queries will be closed automatically.
|
||||
* `actions/composite-action-sinks`
|
||||
* `actions/composite-action-sources`
|
||||
* `actions/composite-action-summaries`
|
||||
* `actions/reusable-workflow-sinks`
|
||||
(renamed from `actions/reusable-wokflow-sinks`)
|
||||
* `actions/reusable-workflow-sources`
|
||||
* `actions/reusable-workflow-summaries`
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* Assigned a `security-severity` to the query `actions/excessive-secrets-exposure`.
|
||||
|
||||
## 0.5.4
|
||||
|
||||
### New Features
|
||||
|
||||
* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* Alerts produced by the query `actions/missing-workflow-permissions` now include a minimal set of recommended permissions in the alert message, based on well-known actions seen within the workflow file.
|
||||
|
||||
## 0.5.3
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* Fixed typos in the query and alert titles for the queries
|
||||
`actions/envpath-injection/critical`, `actions/envpath-injection/medium`,
|
||||
`actions/envvar-injection/critical`, and `actions/envvar-injection/medium`.
|
||||
|
||||
## 0.5.2
|
||||
|
||||
No user-facing changes.
|
||||
@@ -49,10 +7,9 @@ No user-facing changes.
|
||||
### Bug Fixes
|
||||
|
||||
* The `actions/unversioned-immutable-action` query will no longer report any alerts, since the
|
||||
Immutable Actions feature is not yet available for customer use. The query has also been moved
|
||||
to the experimental folder and will not be used in code scanning unless it is explicitly added
|
||||
to a code scanning configuration. Once the Immutable Actions feature is available, the query will
|
||||
be updated to report alerts again.
|
||||
Immutable Actions feature is not yet available for customer use. The query remains in the
|
||||
default Code Scanning suites for use internal to GitHub. Once the Immutable Actions feature is
|
||||
available, the query will be updated to report alerts again.
|
||||
|
||||
## 0.5.0
|
||||
|
||||
|
||||
@@ -5,7 +5,7 @@
|
||||
* @problem.severity warning
|
||||
* @security-severity 9.3
|
||||
* @precision high
|
||||
* @id actions/reusable-workflow-sinks
|
||||
* @id actions/reusable-wokflow-sinks
|
||||
* @tags actions
|
||||
* model-generator
|
||||
* external/cwe/cwe-020
|
||||
|
||||
@@ -109,7 +109,7 @@ An attacker could craft a malicious artifact that writes dangerous environment v
|
||||
|
||||
### Exploitation
|
||||
|
||||
An attacker would be able to run arbitrary code by injecting environment variables such as `LD_PRELOAD`, `BASH_ENV`, etc.
|
||||
An attacker is be able to run arbitrary code by injecting environment variables such as `LD_PRELOAD`, `BASH_ENV`, etc.
|
||||
|
||||
## References
|
||||
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/**
|
||||
* @name Use of a known vulnerable action
|
||||
* @name Use of a known vulnerable action.
|
||||
* @description The workflow is using an action with known vulnerabilities.
|
||||
* @kind problem
|
||||
* @problem.severity error
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
/**
|
||||
* @name Workflow does not contain permissions
|
||||
* @description Workflows should contain explicit permissions to restrict the scope of the default GITHUB_TOKEN.
|
||||
* @description Workflows should contain permissions to provide a clear understanding has permissions to run the workflow.
|
||||
* @kind problem
|
||||
* @security-severity 5.0
|
||||
* @problem.severity warning
|
||||
@@ -14,19 +14,7 @@
|
||||
|
||||
import actions
|
||||
|
||||
Step stepInJob(Job job) { result = job.(LocalJob).getAStep() }
|
||||
|
||||
string jobNeedsPermission(Job job) {
|
||||
actionsPermissionsDataModel(stepInJob(job).(UsesStep).getCallee(), result)
|
||||
}
|
||||
|
||||
/** Gets a suggestion for the minimal token permissions for `job`, as a JSON string. */
|
||||
string permissionsForJob(Job job) {
|
||||
result =
|
||||
"{" + concat(string permission | permission = jobNeedsPermission(job) | permission, ", ") + "}"
|
||||
}
|
||||
|
||||
from Job job, string permissions
|
||||
from Job job
|
||||
where
|
||||
not exists(job.getPermissions()) and
|
||||
not exists(job.getEnclosingWorkflow().getPermissions()) and
|
||||
@@ -34,8 +22,5 @@ where
|
||||
exists(Event e |
|
||||
e = job.getATriggerEvent() and
|
||||
not e.getName() = "workflow_call"
|
||||
) and
|
||||
permissions = permissionsForJob(job)
|
||||
select job,
|
||||
"Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: "
|
||||
+ permissions
|
||||
)
|
||||
select job, "Actions Job or Workflow does not set permissions"
|
||||
|
||||
@@ -3,7 +3,6 @@
|
||||
* @description All organization and repository secrets are passed to the workflow runner.
|
||||
* @kind problem
|
||||
* @precision high
|
||||
* @security-severity 5.0
|
||||
* @problem.severity warning
|
||||
* @id actions/excessive-secrets-exposure
|
||||
* @tags actions
|
||||
|
||||
@@ -2,11 +2,11 @@
|
||||
|
||||
## Description
|
||||
|
||||
Secrets derived from other secrets are not known to the workflow runner, and therefore are not masked unless explicitly registered.
|
||||
Secrets derived from other secrets are not know to the workflow runner and therefore not masked unless explicitly registered.
|
||||
|
||||
## Recommendations
|
||||
|
||||
Avoid defining non-plain secrets. For example, do not define a new secret containing a JSON object and then read properties out of it from the workflow, since these read values will not be masked by the workflow runner.
|
||||
Avoid defining non-plain secrets. For example, do not define a new secret containing a JSON object and then read properties out of it from the workflow since these read values will not be masked by the workflow runner.
|
||||
|
||||
## Examples
|
||||
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/**
|
||||
* @name Checkout of untrusted code in a privileged context
|
||||
* @name Checkout of untrusted code in trusted context
|
||||
* @description Privileged workflows have read/write access to the base repository and access to secrets.
|
||||
* By explicitly checking out and running the build script from a fork the untrusted code is running in an environment
|
||||
* that is able to push to the base repository and to access secrets.
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
## 0.5.3
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
---
|
||||
category: fix
|
||||
---
|
||||
* Fixed typos in the query and alert titles for the queries
|
||||
`actions/envpath-injection/critical`, `actions/envpath-injection/medium`,
|
||||
`actions/envvar-injection/critical`, and `actions/envvar-injection/medium`.
|
||||
`actions/envvar-injection/critical`, and `actions/envvar-injection/medium`.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The query `actions/missing-workflow-permissions` is now aware of the minimal permissions needed for the actions `deploy-pages`, `delete-package-versions`, `ai-inference`. This should lead to better alert messages and better fix suggestions.
|
||||
@@ -1,9 +0,0 @@
|
||||
## 0.5.4
|
||||
|
||||
### New Features
|
||||
|
||||
* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* Alerts produced by the query `actions/missing-workflow-permissions` now include a minimal set of recommended permissions in the alert message, based on well-known actions seen within the workflow file.
|
||||
@@ -1,19 +0,0 @@
|
||||
## 0.6.0
|
||||
|
||||
### Breaking Changes
|
||||
|
||||
* The following queries have been removed from the `security-and-quality` suite.
|
||||
They are not intended to produce user-facing
|
||||
alerts describing vulnerabilities.
|
||||
Any existing alerts for these queries will be closed automatically.
|
||||
* `actions/composite-action-sinks`
|
||||
* `actions/composite-action-sources`
|
||||
* `actions/composite-action-summaries`
|
||||
* `actions/reusable-workflow-sinks`
|
||||
(renamed from `actions/reusable-wokflow-sinks`)
|
||||
* `actions/reusable-workflow-sources`
|
||||
* `actions/reusable-workflow-summaries`
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* Assigned a `security-severity` to the query `actions/excessive-secrets-exposure`.
|
||||
@@ -1,3 +0,0 @@
|
||||
## 0.6.1
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.6.1
|
||||
lastReleaseVersion: 0.5.2
|
||||
|
||||
1
actions/ql/src/codeql-suites/actions-ccr.qls
Normal file
1
actions/ql/src/codeql-suites/actions-ccr.qls
Normal file
@@ -0,0 +1 @@
|
||||
[]
|
||||
@@ -1,3 +0,0 @@
|
||||
- queries: .
|
||||
- apply: code-quality-selectors.yml
|
||||
from: codeql/suite-helpers
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/actions-queries
|
||||
version: 0.6.2-dev
|
||||
version: 0.5.3-dev
|
||||
library: false
|
||||
warnOnImplicitThis: true
|
||||
groups: [actions, queries]
|
||||
|
||||
@@ -400,7 +400,6 @@ nodes
|
||||
| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | semmle.label | github.event.issue.body |
|
||||
| .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | semmle.label | github.event.comment.body |
|
||||
| .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
|
||||
| .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
|
||||
| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
|
||||
| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
|
||||
| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label |
|
||||
@@ -630,7 +629,6 @@ nodes
|
||||
| .github/workflows/test19.yml:124:9:129:6 | Run Step: title3 [title] | semmle.label | Run Step: title3 [title] |
|
||||
| .github/workflows/test19.yml:125:14:128:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,author)\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,author)\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n |
|
||||
| .github/workflows/test19.yml:129:21:129:52 | steps.title3.outputs.title | semmle.label | steps.title3.outputs.title |
|
||||
| .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref |
|
||||
| .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
|
||||
| .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
|
||||
| .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
|
||||
|
||||
@@ -400,7 +400,6 @@ nodes
|
||||
| .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | semmle.label | github.event.issue.body |
|
||||
| .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | semmle.label | github.event.comment.body |
|
||||
| .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
|
||||
| .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
|
||||
| .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
|
||||
| .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
|
||||
| .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label |
|
||||
@@ -630,7 +629,6 @@ nodes
|
||||
| .github/workflows/test19.yml:124:9:129:6 | Run Step: title3 [title] | semmle.label | Run Step: title3 [title] |
|
||||
| .github/workflows/test19.yml:125:14:128:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,author)\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,author)\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n |
|
||||
| .github/workflows/test19.yml:129:21:129:52 | steps.title3.outputs.title | semmle.label | steps.title3.outputs.title |
|
||||
| .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref |
|
||||
| .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
|
||||
| .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
|
||||
| .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
|
||||
@@ -708,7 +706,6 @@ subpaths
|
||||
| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} |
|
||||
| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} |
|
||||
| .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} |
|
||||
| .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | ${{ github.event.pull_request.body }} |
|
||||
| .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | ${{ github.event.commits[11].message }} |
|
||||
| .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | ${{ github.event.commits[11].author.email }} |
|
||||
| .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | ${{ github.event.commits[11].author.name }} |
|
||||
|
||||
@@ -1,10 +0,0 @@
|
||||
on:
|
||||
workflow_call:
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
build:
|
||||
name: Build and test
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/ai-inference
|
||||
@@ -1,13 +0,0 @@
|
||||
on:
|
||||
workflow_call:
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
build:
|
||||
name: Build and test
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- uses: actions/jekyll-build-pages
|
||||
|
||||
|
||||
@@ -1,10 +0,0 @@
|
||||
on:
|
||||
workflow_call:
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
build:
|
||||
name: Build and test
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/add-to-project@v2
|
||||
@@ -1,10 +0,0 @@
|
||||
on:
|
||||
workflow_call:
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
build:
|
||||
name: Build and test
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/deploy-pages
|
||||
@@ -1,10 +0,0 @@
|
||||
on:
|
||||
workflow_call:
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
build:
|
||||
name: Build and test
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/delete-package-versions
|
||||
@@ -1,8 +1,3 @@
|
||||
| .github/workflows/perms1.yml:6:5:9:32 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read} |
|
||||
| .github/workflows/perms2.yml:6:5:10:2 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read} |
|
||||
| .github/workflows/perms5.yml:7:5:10:32 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read} |
|
||||
| .github/workflows/perms6.yml:7:5:11:39 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read, id-token: write, pages: write} |
|
||||
| .github/workflows/perms7.yml:7:5:10:38 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {} |
|
||||
| .github/workflows/perms8.yml:7:5:10:33 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {id-token: write, pages: write} |
|
||||
| .github/workflows/perms9.yml:7:5:10:44 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {packages: write} |
|
||||
| .github/workflows/perms10.yml:7:5:10:33 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read, models: read} |
|
||||
| .github/workflows/perms1.yml:6:5:9:32 | Job: build | Actions Job or Workflow does not set permissions |
|
||||
| .github/workflows/perms2.yml:6:5:10:2 | Job: build | Actions Job or Workflow does not set permissions |
|
||||
| .github/workflows/perms5.yml:7:5:10:32 | Job: build | Actions Job or Workflow does not set permissions |
|
||||
|
||||
@@ -58,19 +58,7 @@ def file_checksum(filename):
|
||||
with open(filename, 'rb') as file_handle:
|
||||
return hashlib.sha1(file_handle.read()).hexdigest()
|
||||
|
||||
def accept_prefix(line1, line2):
|
||||
suffix = line2.removeprefix(line1)
|
||||
return not suffix or suffix.lstrip().startswith("//")
|
||||
|
||||
def equivalent_lines(lines1, lines2):
|
||||
if len(lines1) != len(lines2):
|
||||
return False
|
||||
for line1, line2 in zip(lines1, lines2):
|
||||
if not accept_prefix(line1, line2) and not accept_prefix(line2, line1):
|
||||
return False
|
||||
return True
|
||||
|
||||
def check_group(group_name, files, master_file_picker, emit_error, accept_prefix):
|
||||
def check_group(group_name, files, master_file_picker, emit_error):
|
||||
extant_files = [f for f in files if path.isfile(f)]
|
||||
if len(extant_files) == 0:
|
||||
emit_error(__file__, 0, "No files found from group '" + group_name + "'.")
|
||||
@@ -82,23 +70,11 @@ def check_group(group_name, files, master_file_picker, emit_error, accept_prefix
|
||||
return
|
||||
|
||||
checksums = {file_checksum(f) for f in extant_files}
|
||||
same_lengths = len(extant_files) == len(files)
|
||||
if len(checksums) == 1 and same_lengths:
|
||||
|
||||
if len(checksums) == 1 and len(extant_files) == len(files):
|
||||
# All files are present and identical.
|
||||
return
|
||||
|
||||
# In this case we also consider files indentical, if
|
||||
# (1) The group only containts two files.
|
||||
# (2) The lines of one file are the same as the lines of another file
|
||||
# modulo comments.
|
||||
if accept_prefix and same_lengths and len(extant_files) == 2:
|
||||
with open(extant_files[0], 'r') as f1:
|
||||
file1_lines = [l.strip('\n\r') for l in f1.readlines()]
|
||||
with open(extant_files[1], 'r') as f2:
|
||||
file2_lines = [l.strip('\n\r') for l in f2.readlines()]
|
||||
if equivalent_lines(file1_lines, file2_lines):
|
||||
return
|
||||
|
||||
master_file = master_file_picker(extant_files)
|
||||
if master_file is None:
|
||||
emit_error(__file__, 0,
|
||||
@@ -163,10 +139,9 @@ def sync_identical_files(emit_error):
|
||||
raise Exception("Bad command line or file not found")
|
||||
chdir_repo_root()
|
||||
load_if_exists('.', 'config/identical-files.json')
|
||||
for group_name, files in csharp_test_files().items():
|
||||
check_group(group_name, files, master_file_picker, emit_error, True)
|
||||
file_groups.update(csharp_test_files())
|
||||
for group_name, files in file_groups.items():
|
||||
check_group(group_name, files, master_file_picker, emit_error, False)
|
||||
check_group(group_name, files, master_file_picker, emit_error)
|
||||
|
||||
def main():
|
||||
sync_identical_files(emit_local_error)
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@@ -1,3 +0,0 @@
|
||||
description: Add a new predicate `isVla()` to the `ArrayType` class
|
||||
compatibility: full
|
||||
type_is_vla.rel: delete
|
||||
@@ -1,11 +0,0 @@
|
||||
class Expr extends @expr {
|
||||
string toString() { none() }
|
||||
}
|
||||
|
||||
class AggregateLiteral extends Expr, @aggregateliteral {
|
||||
override string toString() { none() }
|
||||
}
|
||||
|
||||
from AggregateLiteral aggregate, Expr initializer, int element_index, int position
|
||||
where aggregate_array_init(aggregate, initializer, element_index, position, _)
|
||||
select aggregate, initializer, element_index, position
|
||||
@@ -1,15 +0,0 @@
|
||||
class Expr extends @expr {
|
||||
string toString() { none() }
|
||||
}
|
||||
|
||||
class AggregateLiteral extends Expr, @aggregateliteral {
|
||||
override string toString() { none() }
|
||||
}
|
||||
|
||||
class MemberVariable extends @membervariable {
|
||||
string toString() { none() }
|
||||
}
|
||||
|
||||
from AggregateLiteral aggregate, Expr initializer, MemberVariable field, int position
|
||||
where aggregate_field_init(aggregate, initializer, field, position, _)
|
||||
select aggregate, initializer, field, position
|
||||
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@@ -1,4 +0,0 @@
|
||||
description: add `hasDesignator` predicate to `ArrayOrVectorAggregateLiteral` and `ClassAggregateLiteral`
|
||||
compatibility: backwards
|
||||
aggregate_array_init.rel: run aggregate_array_init.qlo
|
||||
aggregate_field_init.rel: run aggregate_field_init.qlo
|
||||
@@ -1,11 +0,0 @@
|
||||
class Type extends @type {
|
||||
string toString() { none() }
|
||||
}
|
||||
|
||||
class Expr extends @expr {
|
||||
string toString() { none() }
|
||||
}
|
||||
|
||||
from Type decltype, Expr expr, Type basetype, boolean parentheses
|
||||
where decltypes(decltype, expr, _, basetype, parentheses)
|
||||
select decltype, expr, basetype, parentheses
|
||||
@@ -1,19 +0,0 @@
|
||||
class Type extends @type {
|
||||
string toString() { none() }
|
||||
}
|
||||
|
||||
predicate derivedType(Type type, string name, int kind, Type type_id) {
|
||||
derivedtypes(type, name, kind, type_id)
|
||||
}
|
||||
|
||||
predicate typeTransformation(Type type, string name, int kind, Type type_id) {
|
||||
type_operators(type, _, _, type_id) and
|
||||
name = "" and
|
||||
kind = 3 // @type_with_specifiers
|
||||
}
|
||||
|
||||
from Type type, string name, int kind, Type type_id
|
||||
where
|
||||
derivedType(type, name, kind, type_id) or
|
||||
typeTransformation(type, name, kind, type_id)
|
||||
select type, name, kind, type_id
|
||||
File diff suppressed because it is too large
Load Diff
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user