Bump qlpack versions

Alvaro Muñoz · Alvaro Muñoz · commit 844b6e014bb6 · 2024-05-31T19:04:32.000+02:00
diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll
@@ -818,8 +818,9 @@ class JobImpl extends AstNodeImpl, TJobNode {
   }
 
   private predicate hasPrivilegedTrigger() {
-    // the Job is triggered by an event other than `pull_request`
+    // the Job is triggered by an event other than `pull_request`, `push`, or `workflow_call`
     count(this.getATriggerEvent()) = 1 and
+    not this.getATriggerEvent().getName() = "push" and
     not this.getATriggerEvent().getName() = "pull_request" and
     not this.getATriggerEvent().getName() = "workflow_call"
     or
@@ -832,8 +833,11 @@ class JobImpl extends AstNodeImpl, TJobNode {
       not exists(this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller())
     )
     or
-    // the Workflow has multiple triggers so at least one is not "pull_request"
-    count(this.getATriggerEvent()) > 1
+    // the Job is triggered by an event other than `push`, `pull_request`, or `workflow_call`
+    exists(string event |
+      this.getATriggerEvent().getName() = event and
+      not event = ["push", "pull_request", "workflow_call"]
+    )
   }
 
   /** Gets the trigger event that starts this workflow. */
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
@@ -2,7 +2,7 @@
 library: true
 warnOnImplicitThis: true
 name: githubsecuritylab/actions-all
-version: 0.0.31
+version: 0.0.32
 dependencies:
   codeql/util: ^0.2.0
   codeql/yaml: ^0.1.2
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
@@ -1,7 +1,7 @@
 ---
 library: false
 name: githubsecuritylab/actions-queries
-version: 0.0.31
+version: 0.0.32
 groups:
   - actions
   - queries
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
@@ -1,7 +1,5 @@
 | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/dependabot1.yml:39:9:43:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/level0.yml:99:9:103:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/level0.yml:125:9:129:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected
@@ -0,0 +1,2 @@
+| .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
+| .github/workflows/dependabot1.yml:39:9:43:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+\| .github/workflows/dependabot1.yml:15:9:19:6 \| Uses Step \| Potential unsafe checkout of untrusted pull request on privileged workflow. \|`
	`2`	`+\| .github/workflows/dependabot1.yml:39:9:43:6 \| Uses Step \| Potential unsafe checkout of untrusted pull request on privileged workflow. \|`