Skip to content

Commit 0ef4c6f

Browse files
committed
Merge branch 'main' into okerr
2 parents 8bcfd00 + 9458f07 commit 0ef4c6f

File tree

643 files changed

+20498
-7110
lines changed

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

643 files changed

+20498
-7110
lines changed

.bazelrc

+3
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,9 @@ common --override_module=semmle_code=%workspace%/misc/bazel/semmle_code_stub
1212

1313
build --repo_env=CC=clang --repo_env=CXX=clang++
1414

15+
# print test output, like sembuild does.
16+
# Set to `errors` if this is too verbose.
17+
test --test_output all
1518
# we use transitions that break builds of `...`, so for `test` to work with that we need the following
1619
test --build_tests_only
1720

.github/workflows/go-tests-other-os.yml

+1
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,7 @@ on:
33
pull_request:
44
paths:
55
- "go/**"
6+
- "!go/documentation/**"
67
- "!go/ql/**" # don't run other-os if only ql/ files changed
78
- .github/workflows/go-tests-other-os.yml
89
- .github/actions/**

.github/workflows/go-tests.yml

+2
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,7 @@ on:
33
push:
44
paths:
55
- "go/**"
6+
- "!go/documentation/**"
67
- "shared/**"
78
- .github/workflows/go-tests.yml
89
- .github/actions/**
@@ -13,6 +14,7 @@ on:
1314
pull_request:
1415
paths:
1516
- "go/**"
17+
- "!go/documentation/**"
1618
- "shared/**"
1719
- .github/workflows/go-tests.yml
1820
- .github/actions/**

Cargo.lock

+15-42
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

LICENSE

+1-1
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
MIT License
22

3-
Copyright (c) 2006-2020 GitHub, Inc.
3+
Copyright (c) 2006-2025 GitHub, Inc.
44

55
Permission is hereby granted, free of charge, to any person obtaining a copy
66
of this software and associated documentation files (the "Software"), to deal

MODULE.bazel

+7-11
Original file line numberDiff line numberDiff line change
@@ -58,15 +58,12 @@ register_toolchains("@rust_toolchains//:all")
5858
py_deps = use_extension("//misc/bazel/3rdparty:py_deps_extension.bzl", "p")
5959
use_repo(
6060
py_deps,
61-
"vendor__anyhow-1.0.44",
62-
"vendor__cc-1.0.70",
63-
"vendor__clap-2.33.3",
64-
"vendor__regex-1.5.5",
65-
"vendor__smallvec-1.6.1",
66-
"vendor__string-interner-0.12.2",
67-
"vendor__thiserror-1.0.29",
68-
"vendor__tree-sitter-0.20.4",
69-
"vendor__tree-sitter-graph-0.7.0",
61+
"vendor_py__anyhow-1.0.95",
62+
"vendor_py__cc-1.2.14",
63+
"vendor_py__clap-4.5.30",
64+
"vendor_py__regex-1.11.1",
65+
"vendor_py__tree-sitter-0.20.4",
66+
"vendor_py__tree-sitter-graph-0.7.0",
7067
)
7168

7269
# deps for ruby+rust
@@ -87,7 +84,6 @@ use_repo(
8784
"vendor__globset-0.4.15",
8885
"vendor__itertools-0.14.0",
8986
"vendor__lazy_static-1.5.0",
90-
"vendor__log-0.4.22",
9187
"vendor__mustache-0.9.0",
9288
"vendor__num-traits-0.2.19",
9389
"vendor__num_cpus-1.16.0",
@@ -114,10 +110,10 @@ use_repo(
114110
"vendor__serde-1.0.217",
115111
"vendor__serde_json-1.0.135",
116112
"vendor__serde_with-3.12.0",
117-
"vendor__stderrlog-0.6.0",
118113
"vendor__syn-2.0.96",
119114
"vendor__toml-0.8.19",
120115
"vendor__tracing-0.1.41",
116+
"vendor__tracing-flame-0.2.0",
121117
"vendor__tracing-subscriber-0.3.19",
122118
"vendor__tree-sitter-0.24.6",
123119
"vendor__tree-sitter-embedded-template-0.23.2",

actions/extractor/BUILD.bazel

+1
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,7 @@ codeql_pkg_files(
44
name = "extractor",
55
srcs = [
66
"codeql-extractor.yml",
7+
"//:LICENSE",
78
] + glob(["tools/**"]),
89
strip_prefix = strip_prefix.from_pkg(),
910
visibility = ["//actions:__pkg__"],

actions/ql/lib/CHANGELOG.md

+6
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,9 @@
1+
## 0.4.3
2+
3+
### New Features
4+
5+
* The "Unpinned tag for a non-immutable Action in workflow" query (`actions/unpinned-tag`) now supports expanding the trusted action owner list using data extensions (`extensible: trustedActionsOwnerDataModel`). If you trust an Action publisher, you can include the owner name/organization in a model pack to add it to the allow list for this query. This addition will prevent security alerts when using unpinned tags for Actions published by that owner. For more information on creating a model pack, see [Creating a CodeQL Model Pack](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack).
6+
17
## 0.4.2
28

39
### Bug Fixes
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,5 @@
1-
---
2-
category: feature
3-
---
4-
* The "Unpinned tag for a non-immutable Action in workflow" query (`actions/unpinned-tag`) now supports expanding the trusted action owner list using data extensions (`extensible: trustedActionsOwnerDataModel`). If you trust an Action publisher, you can include the owner name/organization in a model pack to add it to the allow list for this query. This addition will prevent security alerts when using unpinned tags for Actions published by that owner. For more information on creating a model pack, see [Creating a CodeQL Model Pack](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack).
1+
## 0.4.3
2+
3+
### New Features
4+
5+
* The "Unpinned tag for a non-immutable Action in workflow" query (`actions/unpinned-tag`) now supports expanding the trusted action owner list using data extensions (`extensible: trustedActionsOwnerDataModel`). If you trust an Action publisher, you can include the owner name/organization in a model pack to add it to the allow list for this query. This addition will prevent security alerts when using unpinned tags for Actions published by that owner. For more information on creating a model pack, see [Creating a CodeQL Model Pack](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack).
+1-1
Original file line numberDiff line numberDiff line change
@@ -1,2 +1,2 @@
11
---
2-
lastReleaseVersion: 0.4.2
2+
lastReleaseVersion: 0.4.3

actions/ql/lib/qlpack.yml

+1-1
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
name: codeql/actions-all
2-
version: 0.4.3-dev
2+
version: 0.4.4-dev
33
library: true
44
warnOnImplicitThis: true
55
dependencies:

actions/ql/src/CHANGELOG.md

+26
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,29 @@
1+
## 0.5.0
2+
3+
### Breaking Changes
4+
5+
* The following queries have been removed from the `code-scanning` and `security-extended` suites.
6+
Any existing alerts for these queries will be closed automatically.
7+
* `actions/if-expression-always-true/critical`
8+
* `actions/if-expression-always-true/high`
9+
* `actions/unnecessary-use-of-advanced-config`
10+
11+
* The following query has been moved from the `code-scanning` suite to the `security-extended`
12+
suite. Any existing alerts for this query will be closed automatically unless the analysis is
13+
configured to use the `security-extended` suite.
14+
* `actions/unpinned-tag`
15+
* The following queries have been added to the `security-extended` suite.
16+
* `actions/unversioned-immutable-action`
17+
* `actions/envpath-injection/medium`
18+
* `actions/envvar-injection/medium`
19+
* `actions/code-injection/medium`
20+
* `actions/artifact-poisoning/medium`
21+
* `actions/untrusted-checkout/medium`
22+
23+
### Minor Analysis Improvements
24+
25+
* Fixed false positives in the query `actions/unpinned-tag` (CWE-829), which will no longer flag uses of Docker-based GitHub actions pinned by the container's SHA256 digest.
26+
127
## 0.4.2
228

329
No user-facing changes.

actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql

+9-1
Original file line numberDiff line numberDiff line change
@@ -23,6 +23,14 @@ private predicate isTrustedOwner(string nwo) {
2323
trustedActionsOwnerDataModel(nwo.substring(0, nwo.indexOf("/")))
2424
}
2525

26+
bindingset[version]
27+
private predicate isPinnedContainer(string version) {
28+
version.regexpMatch("^sha256:[A-Fa-f0-9]{64}$")
29+
}
30+
31+
bindingset[nwo]
32+
private predicate isContainerImage(string nwo) { nwo.regexpMatch("^docker://.+") }
33+
2634
from UsesStep uses, string nwo, string version, Workflow workflow, string name
2735
where
2836
uses.getCallee() = nwo and
@@ -34,7 +42,7 @@ where
3442
) and
3543
uses.getVersion() = version and
3644
not isTrustedOwner(nwo) and
37-
not isPinnedCommit(version) and
45+
not (if isContainerImage(nwo) then isPinnedContainer(version) else isPinnedCommit(version)) and
3846
not isImmutableAction(uses, nwo)
3947
select uses.getCalleeNode(),
4048
"Unpinned 3rd party Action '" + name + "' step $@ uses '" + nwo + "' with ref '" + version +

actions/ql/src/change-notes/2025-02-06-curate-suites.md renamed to actions/ql/src/change-notes/released/0.5.0.md

+8-3
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,7 @@
1-
---
2-
category: breaking
3-
---
1+
## 0.5.0
2+
3+
### Breaking Changes
4+
45
* The following queries have been removed from the `code-scanning` and `security-extended` suites.
56
Any existing alerts for these queries will be closed automatically.
67
* `actions/if-expression-always-true/critical`
@@ -18,3 +19,7 @@ category: breaking
1819
* `actions/code-injection/medium`
1920
* `actions/artifact-poisoning/medium`
2021
* `actions/untrusted-checkout/medium`
22+
23+
### Minor Analysis Improvements
24+
25+
* Fixed false positives in the query `actions/unpinned-tag` (CWE-829), which will no longer flag uses of Docker-based GitHub actions pinned by the container's SHA256 digest.
+1-1
Original file line numberDiff line numberDiff line change
@@ -1,2 +1,2 @@
11
---
2-
lastReleaseVersion: 0.4.2
2+
lastReleaseVersion: 0.5.0

actions/ql/src/qlpack.yml

+1-1
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
name: codeql/actions-queries
2-
version: 0.4.3-dev
2+
version: 0.5.1-dev
33
library: false
44
warnOnImplicitThis: true
55
groups: [actions, queries]

actions/ql/test/query-tests/Security/CWE-829/.github/workflows/unpinned_tags.yml

+2
Original file line numberDiff line numberDiff line change
@@ -9,3 +9,5 @@ jobs:
99
- uses: foo/bar
1010
- uses: foo/bar@v1
1111
- uses: foo/bar@25b062c917b0c75f8b47d8469aff6c94ffd89abb
12+
- uses: docker://foo/bar@latest
13+
- uses: docker://foo/bar@sha256:887a259a5a534f3c4f36cb02dca341673c6089431057242cdc931e9f133147e9

actions/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected

+1
Original file line numberDiff line numberDiff line change
@@ -32,3 +32,4 @@
3232
| .github/workflows/test17.yml:20:21:20:63 | sonarsource/sonarcloud-github-action@master | Unpinned 3rd party Action 'Sonar' step $@ uses 'sonarsource/sonarcloud-github-action' with ref 'master', not a pinned commit hash | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Uses Step |
3333
| .github/workflows/test18.yml:37:21:37:63 | sonarsource/sonarcloud-github-action@master | Unpinned 3rd party Action 'Sonar' step $@ uses 'sonarsource/sonarcloud-github-action' with ref 'master', not a pinned commit hash | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Uses Step |
3434
| .github/workflows/unpinned_tags.yml:10:13:10:22 | foo/bar@v1 | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref 'v1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Uses Step |
35+
| .github/workflows/unpinned_tags.yml:12:13:12:35 | docker://foo/bar@latest | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'docker://foo/bar' with ref 'latest', not a pinned commit hash | .github/workflows/unpinned_tags.yml:12:7:13:4 | Uses Step | Uses Step |

actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected

+3-1
Original file line numberDiff line numberDiff line change
@@ -299,7 +299,9 @@ edges
299299
| .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:25:9:33:6 | Run Step |
300300
| .github/workflows/test.yml:25:9:33:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step |
301301
| .github/workflows/unpinned_tags.yml:9:7:10:4 | Uses Step | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step |
302-
| .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | .github/workflows/unpinned_tags.yml:11:7:11:61 | Uses Step |
302+
| .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | .github/workflows/unpinned_tags.yml:11:7:12:4 | Uses Step |
303+
| .github/workflows/unpinned_tags.yml:11:7:12:4 | Uses Step | .github/workflows/unpinned_tags.yml:12:7:13:4 | Uses Step |
304+
| .github/workflows/unpinned_tags.yml:12:7:13:4 | Uses Step | .github/workflows/unpinned_tags.yml:13:7:13:101 | Uses Step |
303305
| .github/workflows/untrusted_checkout2.yml:7:9:14:6 | Run Step: pr_number | .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step |
304306
| .github/workflows/untrusted_checkout3.yml:11:9:12:6 | Uses Step | .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step |
305307
| .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step |

cpp/ql/lib/CHANGELOG.md

+4
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,7 @@
1+
## 4.0.1
2+
3+
No user-facing changes.
4+
15
## 4.0.0
26

37
### Breaking Changes
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,3 @@
1+
## 4.0.1
2+
3+
No user-facing changes.

cpp/ql/lib/codeql-pack.release.yml

+1-1
Original file line numberDiff line numberDiff line change
@@ -1,2 +1,2 @@
11
---
2-
lastReleaseVersion: 4.0.0
2+
lastReleaseVersion: 4.0.1

cpp/ql/lib/qlpack.yml

+1-1
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
name: codeql/cpp-all
2-
version: 4.0.1-dev
2+
version: 4.0.2-dev
33
groups: cpp
44
dbscheme: semmlecode.cpp.dbscheme
55
extractor: cpp

cpp/ql/lib/semmle/code/cpp/Location.qll

+4-1
Original file line numberDiff line numberDiff line change
@@ -75,7 +75,10 @@ class Location extends @location {
7575

7676
/** Holds if `this` comes on a line strictly before `l`. */
7777
pragma[inline]
78-
predicate isBefore(Location l) { this.isBefore(l, false) }
78+
predicate isBefore(Location l) {
79+
this.getFile() = l.getFile() and
80+
this.getEndLine() < l.getStartLine()
81+
}
7982

8083
/**
8184
* Holds if `this` comes strictly before `l`. The boolean `sameLine` is

cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll

+5-6
Original file line numberDiff line numberDiff line change
@@ -869,12 +869,11 @@ private predicate elementSpecMatchesSignature(
869869
bindingset[nameWithoutArgs]
870870
pragma[inline_late]
871871
private Class getClassAndNameImpl(Function method, string nameWithoutArgs) {
872-
exists(string memberName | result = method.getClassAndName(memberName) |
873-
nameWithoutArgs = "operator " + method.(ConversionOperator).getDestType()
874-
or
875-
not method instanceof ConversionOperator and
876-
memberName = nameWithoutArgs
877-
)
872+
result = method.getDeclaringType() and
873+
nameWithoutArgs = "operator " + method.(ConversionOperator).getDestType()
874+
or
875+
result = method.getClassAndName(nameWithoutArgs) and
876+
not method instanceof ConversionOperator
878877
}
879878

880879
/**

0 commit comments

Comments
 (0)