Merge branch 'main' into add-missing-predicate-to-mad-generation

Author: MathiasVP

actions/ql/integration-tests/query-suite/actions-code-quality.qls.expected

@@ -0,0 +1 @@
+

actions/ql/integration-tests/query-suite/actions-code-scanning.qls.expected

@@ -0,0 +1,17 @@
+ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
+ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
+ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
+ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
+ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
+ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
+ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
+ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
+ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
+ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
+ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql

actions/ql/integration-tests/query-suite/actions-security-and-quality.qls.expected

@@ -0,0 +1,33 @@
+ql/actions/ql/src/Debug/SyntaxError.ql
+ql/actions/ql/src/Models/CompositeActionsSinks.ql
+ql/actions/ql/src/Models/CompositeActionsSources.ql
+ql/actions/ql/src/Models/CompositeActionsSummaries.ql
+ql/actions/ql/src/Models/ReusableWorkflowsSinks.ql
+ql/actions/ql/src/Models/ReusableWorkflowsSources.ql
+ql/actions/ql/src/Models/ReusableWorkflowsSummaries.ql
+ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
+ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
+ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql
+ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
+ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
+ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
+ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
+ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
+ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
+ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
+ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
+ql/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.ql
+ql/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql
+ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
+ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
+ql/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
+ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
+ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
+ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql
+ql/actions/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql

actions/ql/integration-tests/query-suite/actions-security-extended.qls.expected

@@ -0,0 +1,23 @@
+ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
+ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
+ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql
+ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
+ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
+ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
+ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
+ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
+ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
+ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
+ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
+ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
+ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
+ql/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
+ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
+ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
+ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql

actions/ql/integration-tests/query-suite/not_included_in_qls.expected

@@ -0,0 +1,11 @@
+ql/actions/ql/src/Debug/partial.ql
+ql/actions/ql/src/experimental/Security/CWE-074/OutputClobberingHigh.ql
+ql/actions/ql/src/experimental/Security/CWE-078/CommandInjectionCritical.ql
+ql/actions/ql/src/experimental/Security/CWE-078/CommandInjectionMedium.ql
+ql/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionCritical.ql
+ql/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionMedium.ql
+ql/actions/ql/src/experimental/Security/CWE-200/SecretExfiltration.ql
+ql/actions/ql/src/experimental/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql
+ql/actions/ql/src/experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql
+ql/actions/ql/src/experimental/Security/CWE-829/UnversionedImmutableAction.ql
+ql/actions/ql/src/experimental/Security/CWE-918/RequestForgery.ql

actions/ql/integration-tests/query-suite/test.py

@@ -0,0 +1,14 @@
+import runs_on
+import pytest
+from query_suites import *
+
+well_known_query_suites = ['actions-code-quality.qls', 'actions-security-and-quality.qls', 'actions-security-extended.qls', 'actions-code-scanning.qls']
+
+@runs_on.posix
+@pytest.mark.parametrize("query_suite", well_known_query_suites)
+def test(codeql, actions, check_query_suite, query_suite):
+    check_query_suite(query_suite)
+
+@runs_on.posix
+def test_not_included_queries(codeql, actions, check_queries_not_included):
+    check_queries_not_included('actions', well_known_query_suites)

actions/ql/src/Models/ReusableWorkflowsSinks.ql

@@ -5,7 +5,7 @@
  * @problem.severity warning
  * @security-severity 9.3
  * @precision high
- * @id actions/reusable-wokflow-sinks
+ * @id actions/reusable-workflow-sinks
  * @tags actions
  *       model-generator
  *       external/cwe/cwe-020

actions/ql/src/change-notes/2025-04-24-model-generator-queries.md

@@ -0,0 +1,14 @@
+### Breaking Changes
+
+* The following queries have been removed from the `security-and-quality` suite.
+  They are not intended to produce user-facing
+  alerts describing vulnerabilities.
+  Any existing alerts for these queries will be closed automatically.
+  * `actions/composite-action-sinks`
+  * `actions/composite-action-sources`
+  * `actions/composite-action-summaries`
+  * `actions/reusable-workflow-sinks`
+    (renamed from `actions/reusable-wokflow-sinks`)
+  * `actions/reusable-workflow-sources`
+  * `actions/reusable-workflow-summaries`
+  

cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql

@@ -179,6 +179,7 @@ predicate overflows(MulExpr me, Type t) {
 
 from MulExpr me, Type t1, Type t2
 where
+  not any(Compilation c).buildModeNone() and
   t1 = me.getType().getUnderlyingType() and
   t2 = me.getConversion().getType().getUnderlyingType() and
   t1.getSize() < t2.getSize() and

cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql

@@ -154,6 +154,7 @@ int sizeof_IntType() { exists(IntType it | result = it.getSize()) }
 
 from FormattingFunctionCall ffc, int n, Expr arg, Type expected, Type actual
 where
+  not any(Compilation c).buildModeNone() and
   (
     formattingFunctionCallExpectedType(ffc, n, expected) and
     formattingFunctionCallActualType(ffc, n, arg, actual) and