Update ql/src/Security/CWE-829/UnpinnedActionsTag.ql

KyFaSt · Alvaro Muñoz · web-flow · commit 5bf02e73ea2a · 2024-11-04T11:30:29.000-05:00
Co-authored-by: Alvaro Muñoz &lt;pwntester@github.com&gt;
diff --git a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
@@ -18,7 +18,7 @@ private predicate isPinnedCommit(string version) { version.regexpMatch("^[A-Fa-f
 
 bindingset[repo]
 private predicate isTrustedOrg(string repo) {
-  exists(string org | org in ["actions", "github", "advanced-security"] | repo.matches(org + "/%"))
+  repo.matches(["actions", "github", "advanced-security"] + "/%"))
 }
 
 from UsesStep uses, string repo, string version, Workflow workflow, string name

Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,7 @@ private predicate isPinnedCommit(string version) { version.regexpMatch("^[A-Fa-f`
`18`	`18`
`19`	`19`	`bindingset[repo]`
`20`	`20`	`private predicate isTrustedOrg(string repo) {`
`21`		`- exists(string org \| org in ["actions", "github", "advanced-security"] \| repo.matches(org + "/%"))`
	`21`	`+ repo.matches(["actions", "github", "advanced-security"] + "/%"))`
`22`	`22`	`}`
`23`	`23`
`24`	`24`	`from UsesStep uses, string repo, string version, Workflow workflow, string name`