Merge branch 'main' into lessnoise

Author: geoffw0

CODEOWNERS

@@ -14,6 +14,9 @@
 /java/ql/test-kotlin1/ @github/codeql-kotlin
 /java/ql/test-kotlin2/ @github/codeql-kotlin
 
+# Experimental CodeQL cryptography
+**/experimental/quantum/ @github/ps-codeql
+
 # CodeQL tools and associated docs
 /docs/codeql/codeql-cli/ @github/codeql-cli-reviewers
 /docs/codeql/codeql-for-visual-studio-code/ @github/codeql-vscode-reviewers

actions/ql/lib/CHANGELOG.md

@@ -1,3 +1,10 @@
+## 0.4.6
+
+### Bug Fixes
+
+* The query `actions/code-injection/medium` now produces alerts for injection
+  vulnerabilities on `pull_request` events.
+
 ## 0.4.5
 
 No user-facing changes.

actions/ql/lib/change-notes/2025-03-20-code-injection-pr.md renamed to actions/ql/lib/change-notes/released/0.4.6.md

@@ -1,5 +1,6 @@
----
-category: fix
----
+## 0.4.6
+
+### Bug Fixes
+
 * The query `actions/code-injection/medium` now produces alerts for injection
-  vulnerabilities on `pull_request` events.
+  vulnerabilities on `pull_request` events.

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.5
+lastReleaseVersion: 0.4.6

actions/ql/lib/codeql/actions/config/Config.qll

@@ -154,3 +154,13 @@ predicate untrustedGitCommandDataModel(string cmd_regex, string flag) {
 predicate untrustedGhCommandDataModel(string cmd_regex, string flag) {
   Extensions::untrustedGhCommandDataModel(cmd_regex, flag)
 }
+
+/**
+ * MaD models for permissions needed by actions
+ * Fields:
+ *    - action: action name, e.g. `actions/checkout`
+ *    - permission: permission name, e.g. `contents: read`
+ */
+predicate actionsPermissionsDataModel(string action, string permission) {
+  Extensions::actionsPermissionsDataModel(action, permission)
+}

actions/ql/lib/codeql/actions/config/ConfigExtensions.qll

@@ -77,3 +77,14 @@ extensible predicate untrustedGitCommandDataModel(string cmd_regex, string flag)
  * Holds for gh commands that may introduce untrusted data
  */
 extensible predicate untrustedGhCommandDataModel(string cmd_regex, string flag);
+
+/**
+ * Holds if `action` needs `permission` to run.
+ * - 'action' is the name of the action without any version information.
+ *   E.g. for the action selector `actions/checkout@v2`, `action` is `actions/checkout`.
+ * - `permission` is of the form `scope-name: read|write`, for example `contents: read`.
+ * - see https://github.com/actions/checkout?tab=readme-ov-file#recommended-permissions
+ *   for an example of recommended permissions.
+ * - see https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token for documentation of token permissions.
+ */
+extensible predicate actionsPermissionsDataModel(string action, string permission);

actions/ql/lib/ext/config/actions_permissions.yml

@@ -0,0 +1,37 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: actionsPermissionsDataModel
+    data:
+      - ["actions/checkout", "contents: read"]
+      - ["actions/setup-node", "contents: read"]
+      - ["actions/setup-python", "contents: read"]
+      - ["actions/setup-java", "contents: read"]
+      - ["actions/setup-go", "contents: read"]
+      - ["actions/setup-dotnet", "contents: read"]
+      - ["actions/labeler", "contents: read"]
+      - ["actions/labeler", "pull-requests: write"]
+      - ["actions/attest", "id-token: write"]
+      - ["actions/attest", "attestations: write"]
+      # No permissions needed for actions/add-to-project
+      - ["actions/dependency-review-action", "contents: read"]
+      - ["actions/attest-sbom", "id-token: write"]
+      - ["actions/attest-sbom", "attestations: write"]
+      - ["actions/stale", "contents: write"]
+      - ["actions/stale", "issues: write"]
+      - ["actions/stale", "pull-requests: write"]
+      - ["actions/attest-build-provenance", "id-token: write"]
+      - ["actions/attest-build-provenance", "attestations: write"]
+      - ["actions/jekyll-build-pages", "contents: read"]
+      - ["actions/jekyll-build-pages", "pages: write"]
+      - ["actions/jekyll-build-pages", "id-token: write"]
+      - ["actions/publish-action", "contents: write"]
+      - ["actions/versions-package-tools", "contents: read"]      
+      - ["actions/versions-package-tools", "actions: read"]
+      - ["actions/reusable-workflows", "contents: read"]      
+      - ["actions/reusable-workflows", "actions: read"]
+      # TODO: Add permissions for actions/download-artifact
+      # TODO: Add permissions for actions/upload-artifact
+      # TODO: Add permissions for actions/cache
+
+      

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.6-dev
+version: 0.4.7-dev
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,3 +1,11 @@
+## 0.5.3
+
+### Bug Fixes
+
+* Fixed typos in the query and alert titles for the queries
+  `actions/envpath-injection/critical`, `actions/envpath-injection/medium`,
+  `actions/envvar-injection/critical`, and `actions/envvar-injection/medium`.
+
 ## 0.5.2
 
 No user-facing changes.
@@ -7,9 +15,10 @@ No user-facing changes.
 ### Bug Fixes
 
 * The `actions/unversioned-immutable-action` query will no longer report any alerts, since the
-  Immutable Actions feature is not yet available for customer use. The query remains in the
-  default Code Scanning suites for use internal to GitHub. Once the Immutable Actions feature is
-  available, the query will be updated to report alerts again.
+  Immutable Actions feature is not yet available for customer use. The query has also been moved
+  to the experimental folder and will not be used in code scanning unless it is explicitly added
+  to a code scanning configuration. Once the Immutable Actions feature is available, the query will
+  be updated to report alerts again.
 
 ## 0.5.0
 

actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql

@@ -1,5 +1,5 @@
 /**
- * @name Use of a known vulnerable action.
+ * @name Use of a known vulnerable action
  * @description The workflow is using an action with known vulnerabilities.
  * @kind problem
  * @problem.severity error