refactor: Create abstract class for known vulnerable actions

Alvaro Muñoz · Alvaro Muñoz · commit 483f6229ff5f · 2024-07-31T23:02:52.000+02:00
diff --git a/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql b/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
@@ -13,26 +13,37 @@
 
 import actions
 
+abstract class KnownVulnerableAction extends UsesStep {
+  abstract string getFixedVersion();
+}
+
+class ActionsDownloadArtifact extends KnownVulnerableAction {
+  ActionsDownloadArtifact() {
+    this.getCallee() = "actions/download-artifact" and
+    (
+      this.getVersion() =
+        [
+          "4.1.6", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.1", "4.1.0", "4.0.0", "3.0.2", "3.0.1",
+          "3.0.0", "3", "3-node20", "2.1.1", "2.1.0", "2.0.10", "2.0.9", "2.0.8", "2.0.7", "2.0.6",
+          "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0", "2", "1.0.0", "1", "1.0.0",
+        ]
+      or
+      this.getVersion()
+          .matches([
+                "9c19ed7f", "8caf195a", "c850b930", "87c55149", "eaceaf80", "6b208ae0", "f44cd7b4",
+                "7a1cd321", "9bc31d5c", "9782bd6a", "fb598a63", "9bc31d5c", "246d7188", "cbed621e",
+                "f023be2c", "3be87be1", "158ca71f", "4a7a7112", "f144d3c3", "f8e41fbf", "c3f5d00c",
+                "b3cedea9", "80d2d402", "381af06b", "1ac47ba4", "1de1dea8", "cbed621e", "18f0f591",
+                "18f0f591", "18f0f591",
+              ] + "%")
+    )
+  }
+
+  override string getFixedVersion() { result = "4.1.7" }
+}
+
 //  gh api /repos/actions/download-artifact/tags --jq 'map({name: .name, sha: .commit.sha})' --paginate
-from UsesStep step
-where
-  step.getCallee() = "actions/download-artifact" and
-  (
-    step.getVersion() =
-      [
-        "4.1.6", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.1", "4.1.0", "4.0.0", "3.0.2", "3.0.1",
-        "3.0.0", "3", "3-node20", "2.1.1", "2.1.0", "2.0.10", "2.0.9", "2.0.8", "2.0.7", "2.0.6",
-        "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0", "2", "1.0.0", "1", "1.0.0",
-      ]
-    or
-    step.getVersion()
-        .matches([
-              "9c19ed7f", "8caf195a", "c850b930", "87c55149", "eaceaf80", "6b208ae0", "f44cd7b4",
-              "7a1cd321", "9bc31d5c", "9782bd6a", "fb598a63", "9bc31d5c", "246d7188", "cbed621e",
-              "f023be2c", "3be87be1", "158ca71f", "4a7a7112", "f144d3c3", "f8e41fbf", "c3f5d00c",
-              "b3cedea9", "80d2d402", "381af06b", "1ac47ba4", "1de1dea8", "cbed621e", "18f0f591",
-              "18f0f591", "18f0f591",
-            ] + "%")
-  )
-select step, "The workflow is using a known vulnerable version ($@) of the $@ action.", step,
-  step.getVersion(), step, step.getCallee()
+from KnownVulnerableAction step
+select step,
+  "The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@", step,
+  step.getVersion(), step, step.getCallee(), step, step.getFixedVersion()
diff --git a/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.expected b/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.expected
@@ -1,9 +1,9 @@
-| .github/workflows/test1.yml:10:9:11:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:10:9:11:6 | Uses Step | 1 | .github/workflows/test1.yml:10:9:11:6 | Uses Step | actions/download-artifact |
-| .github/workflows/test1.yml:11:9:12:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:11:9:12:6 | Uses Step | 1.0.0 | .github/workflows/test1.yml:11:9:12:6 | Uses Step | actions/download-artifact |
-| .github/workflows/test1.yml:12:9:13:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:12:9:13:6 | Uses Step | 2 | .github/workflows/test1.yml:12:9:13:6 | Uses Step | actions/download-artifact |
-| .github/workflows/test1.yml:13:9:14:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:13:9:14:6 | Uses Step | 2.1.0 | .github/workflows/test1.yml:13:9:14:6 | Uses Step | actions/download-artifact |
-| .github/workflows/test1.yml:14:9:15:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:14:9:15:6 | Uses Step | 3 | .github/workflows/test1.yml:14:9:15:6 | Uses Step | actions/download-artifact |
-| .github/workflows/test1.yml:15:9:16:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:15:9:16:6 | Uses Step | 3.0.2 | .github/workflows/test1.yml:15:9:16:6 | Uses Step | actions/download-artifact |
-| .github/workflows/test1.yml:16:9:17:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:16:9:17:6 | Uses Step | 4.1.0 | .github/workflows/test1.yml:16:9:17:6 | Uses Step | actions/download-artifact |
-| .github/workflows/test1.yml:17:9:18:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:17:9:18:6 | Uses Step | 87c55149d96e628cc2ef7e6fc2aab372015aec85 | .github/workflows/test1.yml:17:9:18:6 | Uses Step | actions/download-artifact |
-| .github/workflows/test1.yml:18:9:19:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:18:9:19:6 | Uses Step | 9bc31d5ccc31df68ecc42ccf4149144866c47d8a | .github/workflows/test1.yml:18:9:19:6 | Uses Step | actions/download-artifact |
+| .github/workflows/test1.yml:10:9:11:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:10:9:11:6 | Uses Step | 1 | .github/workflows/test1.yml:10:9:11:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:10:9:11:6 | Uses Step | 4.1.7 |
+| .github/workflows/test1.yml:11:9:12:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:11:9:12:6 | Uses Step | 1.0.0 | .github/workflows/test1.yml:11:9:12:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:11:9:12:6 | Uses Step | 4.1.7 |
+| .github/workflows/test1.yml:12:9:13:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:12:9:13:6 | Uses Step | 2 | .github/workflows/test1.yml:12:9:13:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:12:9:13:6 | Uses Step | 4.1.7 |
+| .github/workflows/test1.yml:13:9:14:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:13:9:14:6 | Uses Step | 2.1.0 | .github/workflows/test1.yml:13:9:14:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:13:9:14:6 | Uses Step | 4.1.7 |
+| .github/workflows/test1.yml:14:9:15:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:14:9:15:6 | Uses Step | 3 | .github/workflows/test1.yml:14:9:15:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:14:9:15:6 | Uses Step | 4.1.7 |
+| .github/workflows/test1.yml:15:9:16:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:15:9:16:6 | Uses Step | 3.0.2 | .github/workflows/test1.yml:15:9:16:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:15:9:16:6 | Uses Step | 4.1.7 |
+| .github/workflows/test1.yml:16:9:17:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:16:9:17:6 | Uses Step | 4.1.0 | .github/workflows/test1.yml:16:9:17:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:16:9:17:6 | Uses Step | 4.1.7 |
+| .github/workflows/test1.yml:17:9:18:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:17:9:18:6 | Uses Step | 87c55149d96e628cc2ef7e6fc2aab372015aec85 | .github/workflows/test1.yml:17:9:18:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:17:9:18:6 | Uses Step | 4.1.7 |
+| .github/workflows/test1.yml:18:9:19:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:18:9:19:6 | Uses Step | 9bc31d5ccc31df68ecc42ccf4149144866c47d8a | .github/workflows/test1.yml:18:9:19:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:18:9:19:6 | Uses Step | 4.1.7 |
