Merge branch 'main' into trim

Author: geoffw0

actions/ql/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.4.7
+
+No user-facing changes.
+
 ## 0.4.6
 
 ### Bug Fixes

actions/ql/lib/change-notes/released/0.4.7.md

@@ -0,0 +1,3 @@
+## 0.4.7
+
+No user-facing changes.

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.6
+lastReleaseVersion: 0.4.7

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.7-dev
+version: 0.4.8-dev
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 0.5.4
+
+### Bug Fixes
+
+* Alerts produced by the query `actions/missing-workflow-permissions` now include a minimal set of recommended permissions in the alert message, based on well-known actions seen within the workflow file.
+
 ## 0.5.3
 
 ### Bug Fixes

actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.md

@@ -109,7 +109,7 @@ An attacker could craft a malicious artifact that writes dangerous environment v
 
 ### Exploitation
 
-An attacker is be able to run arbitrary code by injecting environment variables such as `LD_PRELOAD`, `BASH_ENV`, etc.
+An attacker would be able to run arbitrary code by injecting environment variables such as `LD_PRELOAD`, `BASH_ENV`, etc.
 
 ## References
 

actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql

@@ -1,6 +1,6 @@
 /**
  * @name Workflow does not contain permissions
- * @description Workflows should contain permissions to provide a clear understanding has permissions to run the workflow.
+ * @description Workflows should contain explicit permissions to restrict the scope of the default GITHUB_TOKEN.
  * @kind problem
  * @security-severity 5.0
  * @problem.severity warning

actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql

@@ -3,6 +3,7 @@
  * @description All organization and repository secrets are passed to the workflow runner.
  * @kind problem
  * @precision high
+ * @security-severity 5.0
  * @problem.severity warning
  * @id actions/excessive-secrets-exposure
  * @tags actions

actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.md

@@ -2,11 +2,11 @@
 
 ## Description
 
-Secrets derived from other secrets are not know to the workflow runner and therefore not masked unless explicitly registered.
+Secrets derived from other secrets are not known to the workflow runner, and therefore are not masked unless explicitly registered.
 
 ## Recommendations
 
-Avoid defining non-plain secrets. For example, do not define a new secret containing a JSON object and then read properties out of it from the workflow since these read values will not be masked by the workflow runner.
+Avoid defining non-plain secrets. For example, do not define a new secret containing a JSON object and then read properties out of it from the workflow, since these read values will not be masked by the workflow runner.
 
 ## Examples
 

actions/ql/src/change-notes/2025-04-14-excessive-secrets-exposure-security-severity.md

@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* Assigned a `security-severity` to the query `actions/excessive-secrets-exposure`.