Merge branch 'main' into redsun82/cargo-upgrade-2

Author: Paolo Tranquilli

.github/workflows/mad_modelDiff.yml

@@ -68,7 +68,7 @@ jobs:
             DATABASE=$2
             cd codeql-$QL_VARIANT
             SHORTNAME=`basename $DATABASE`
-            python java/ql/src/utils/modelgenerator/GenerateFlowModel.py --with-summaries --with-sinks $DATABASE $SHORTNAME/$QL_VARIANT
+            python misc/scripts/models-as-data/generate_mad.py --language java --with-summaries --with-sinks $DATABASE $SHORTNAME/$QL_VARIANT
             mkdir -p $MODELS/$SHORTNAME
             mv java/ql/lib/ext/generated/$SHORTNAME/$QL_VARIANT $MODELS/$SHORTNAME
             cd ..

CODEOWNERS

@@ -17,6 +17,7 @@
 
 # Experimental CodeQL cryptography
 **/experimental/quantum/ @github/ps-codeql
+/shared/quantum/ @github/ps-codeql
 
 # CodeQL tools and associated docs
 /docs/codeql/codeql-cli/ @github/codeql-cli-reviewers

MODULE.bazel

@@ -24,7 +24,7 @@ bazel_dep(name = "bazel_skylib", version = "1.7.1")
 bazel_dep(name = "abseil-cpp", version = "20240116.1", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
 bazel_dep(name = "fmt", version = "10.0.0")
-bazel_dep(name = "rules_kotlin", version = "2.0.0-codeql.1")
+bazel_dep(name = "rules_kotlin", version = "2.1.3-codeql.1")
 bazel_dep(name = "gazelle", version = "0.40.0")
 bazel_dep(name = "rules_dotnet", version = "0.17.4")
 bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
@@ -193,10 +193,6 @@ use_repo(
     kotlin_extractor_deps,
     "codeql_kotlin_defaults",
     "codeql_kotlin_embeddable",
-    "kotlin-compiler-1.5.0",
-    "kotlin-compiler-1.5.10",
-    "kotlin-compiler-1.5.20",
-    "kotlin-compiler-1.5.30",
     "kotlin-compiler-1.6.0",
     "kotlin-compiler-1.6.20",
     "kotlin-compiler-1.7.0",
@@ -208,10 +204,7 @@ use_repo(
     "kotlin-compiler-2.0.20-Beta2",
     "kotlin-compiler-2.1.0-Beta1",
     "kotlin-compiler-2.1.20-Beta1",
-    "kotlin-compiler-embeddable-1.5.0",
-    "kotlin-compiler-embeddable-1.5.10",
-    "kotlin-compiler-embeddable-1.5.20",
-    "kotlin-compiler-embeddable-1.5.30",
+    "kotlin-compiler-2.2.0-Beta1",
     "kotlin-compiler-embeddable-1.6.0",
     "kotlin-compiler-embeddable-1.6.20",
     "kotlin-compiler-embeddable-1.7.0",
@@ -223,10 +216,7 @@ use_repo(
     "kotlin-compiler-embeddable-2.0.20-Beta2",
     "kotlin-compiler-embeddable-2.1.0-Beta1",
     "kotlin-compiler-embeddable-2.1.20-Beta1",
-    "kotlin-stdlib-1.5.0",
-    "kotlin-stdlib-1.5.10",
-    "kotlin-stdlib-1.5.20",
-    "kotlin-stdlib-1.5.30",
+    "kotlin-compiler-embeddable-2.2.0-Beta1",
     "kotlin-stdlib-1.6.0",
     "kotlin-stdlib-1.6.20",
     "kotlin-stdlib-1.7.0",
@@ -238,6 +228,7 @@ use_repo(
     "kotlin-stdlib-2.0.20-Beta2",
     "kotlin-stdlib-2.1.0-Beta1",
     "kotlin-stdlib-2.1.20-Beta1",
+    "kotlin-stdlib-2.2.0-Beta1",
 )
 
 go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")

actions/ql/integration-tests/query-suite/actions-code-quality.qls.expected

@@ -0,0 +1 @@
+

actions/ql/integration-tests/query-suite/actions-code-scanning.qls.expected

@@ -0,0 +1,17 @@
+ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
+ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
+ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
+ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
+ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
+ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
+ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
+ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
+ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
+ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
+ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql

actions/ql/integration-tests/query-suite/actions-security-and-quality.qls.expected

@@ -0,0 +1,27 @@
+ql/actions/ql/src/Debug/SyntaxError.ql
+ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
+ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
+ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql
+ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
+ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
+ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
+ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
+ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
+ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
+ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
+ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
+ql/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.ql
+ql/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql
+ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
+ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
+ql/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
+ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
+ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
+ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql
+ql/actions/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql

actions/ql/integration-tests/query-suite/actions-security-extended.qls.expected

@@ -0,0 +1,23 @@
+ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
+ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
+ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql
+ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
+ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
+ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
+ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
+ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
+ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
+ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
+ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
+ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
+ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
+ql/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
+ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
+ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
+ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql

actions/ql/integration-tests/query-suite/not_included_in_qls.expected

@@ -0,0 +1,17 @@
+ql/actions/ql/src/Debug/partial.ql
+ql/actions/ql/src/Models/CompositeActionsSinks.ql
+ql/actions/ql/src/Models/CompositeActionsSources.ql
+ql/actions/ql/src/Models/CompositeActionsSummaries.ql
+ql/actions/ql/src/Models/ReusableWorkflowsSinks.ql
+ql/actions/ql/src/Models/ReusableWorkflowsSources.ql
+ql/actions/ql/src/Models/ReusableWorkflowsSummaries.ql
+ql/actions/ql/src/experimental/Security/CWE-074/OutputClobberingHigh.ql
+ql/actions/ql/src/experimental/Security/CWE-078/CommandInjectionCritical.ql
+ql/actions/ql/src/experimental/Security/CWE-078/CommandInjectionMedium.ql
+ql/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionCritical.ql
+ql/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionMedium.ql
+ql/actions/ql/src/experimental/Security/CWE-200/SecretExfiltration.ql
+ql/actions/ql/src/experimental/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql
+ql/actions/ql/src/experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql
+ql/actions/ql/src/experimental/Security/CWE-829/UnversionedImmutableAction.ql
+ql/actions/ql/src/experimental/Security/CWE-918/RequestForgery.ql

actions/ql/integration-tests/query-suite/test.py

@@ -0,0 +1,14 @@
+import runs_on
+import pytest
+from query_suites import *
+
+well_known_query_suites = ['actions-code-quality.qls', 'actions-security-and-quality.qls', 'actions-security-extended.qls', 'actions-code-scanning.qls']
+
+@runs_on.posix
+@pytest.mark.parametrize("query_suite", well_known_query_suites)
+def test(codeql, actions, check_query_suite, query_suite):
+    check_query_suite(query_suite)
+
+@runs_on.posix
+def test_not_included_queries(codeql, actions, check_queries_not_included):
+    check_queries_not_included('actions', well_known_query_suites)

actions/ql/lib/CHANGELOG.md

@@ -1,7 +1,17 @@
-## 0.4.7
+## 0.4.9
 
 No user-facing changes.
 
+## 0.4.8
+
+No user-facing changes.
+
+## 0.4.7
+
+### New Features
+
+* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.
+
 ## 0.4.6
 
 ### Bug Fixes