diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index a7b9f477..1b89d525 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -1,12 +1,20 @@ -name: Build and Publish Windows CodeQL queries +name: Publish CodeQL Pack on: workflow_dispatch: inputs: - version: + codeql-version: description: 'CodeQL version to use' required: true type: string + release-type: + description: 'Publish as a pre-release' + required: false + type: choice + options: + - alpha + - beta + jobs: publish: runs-on: windows-latest @@ -26,7 +34,7 @@ jobs: - name: CodeQL Download run: - Invoke-WebRequest -Uri "https://github.com/github/codeql-cli-binaries/releases/download/v${{ github.event.inputs.version }}/codeql-win64.zip" -OutFile codeql-win64.zip; + Invoke-WebRequest -Uri "https://github.com/github/codeql-cli-binaries/releases/download/v${{ github.event.inputs.codeql-version }}/codeql-win64.zip" -OutFile codeql-win64.zip; Expand-Archive -Path codeql-win64.zip -DestinationPath .\codeql-zip -Force; Move-Item -Path .\codeql-zip\codeql -Destination .\codeql-cli\ @@ -40,5 +48,12 @@ jobs: shell: pwsh env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: - .\codeql-cli\codeql.cmd pack publish ./src; + run: | + if ("${{ github.event.inputs.release-type }}" -ne "") { + $version =( Select-String .\src\qlpack.yml -Pattern "version").line; + $new_ver = "$version-${{ github.event.inputs.release-type }}"; + (Get-Content .\src\qlpack.yml).Replace($version, $new_ver) | Set-Content .\src\qlpack.yml; + .\codeql-cli\codeql.cmd pack publish --allow-prerelease ./src; + } else { + .\codeql-cli\codeql.cmd pack publish ./src + } diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 00000000..dd92bd4e --- /dev/null +++ b/CHANGELOG.md 
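Review bot: The `release-type` choice offers only `alpha` and `beta`, so a run started from the dispatch form will, as far as I know, always carry one of them, because the form preselects the first option even with `required: false`. The stable `else` branch of the publish step later in this file would then be reachable only when the input is omitted by a non-UI dispatch. Consider an explicit first option such as `- stable` with `default: stable`, and have the publish step compare against that value instead of the empty string. The description `'Publish as a pre-release'` also reads like a yes/no toggle; `'Pre-release label to append (stable = none)'` would match the choice better.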
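Review bot: `${{ github.event.inputs.codeql-version }}` is expanded into the PowerShell text before the shell parses it, so whatever the dispatcher supplies becomes part of the script rather than data; the publish step later in this file does the same with `release-type`. Passing the value through the step environment keeps it a plain string: add `env:` with `CODEQL_VERSION: ${{ github.event.inputs.codeql-version }}` and build the URL from `$env:CODEQL_VERSION`, ideally after a format check such as `if ($env:CODEQL_VERSION -notmatch '^\d+\.\d+\.\d+$') { throw 'bad version' }`. The downloaded archive is also unpacked and later executed with `GITHUB_TOKEN` in scope without any hash comparison; a `Get-FileHash -Algorithm SHA256` check against an expected value recorded in the repository would close that gap.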
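Review bot: `Select-String .\src\qlpack.yml -Pattern "version"` matches every line that contains the word, not just the `version:` key, so a comment or another key mentioning it would make `$version` an array or the wrong line, and the `.Replace(...)` call would then fail or rewrite text other than the pack version. Anchoring the pattern and taking a single match is safer: `$version = (Select-String .\src\qlpack.yml -Pattern '^version:\s*\S+' | Select-Object -First 1).Line;`. A short comment above the block would also help, e.g. `# Append the pre-release label to the pack version in the checked-out copy only; nothing is committed back`.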
@@ -0,0 +1,12 @@ + +# Change Log +All notable changes to this project will be documented in this file. + +## [1.8.0] - 2025-07-17 + +### Added + - CHANGELOG.md +### Changed + - ExtendedDeprecatedApis.ql moved from recommended.qls to mustfix.qls +### Fixed + \ No newline at end of file diff --git a/config/codeql-config.yml b/config/codeql-config.yml index 2ec7940a..ecb3062f 100644 --- a/config/codeql-config.yml +++ b/config/codeql-config.yml @@ -2,8 +2,8 @@ name: "CodeQL config" disable-default-queries: true packs: - - microsoft/cpp-queries@0.0.2:codeql-suites/cpp-code-scanning.qls - - microsoft/windows-drivers@1.5.0-beta+5:windows-driver-suites/recommended.qls - - microsoft/windows-drivers@1.5.0-beta+5:drivers\general\queries\experimental\DriverIsolationZwViolation1\DriverIsolationZwViolation1.ql - - microsoft/windows-drivers@1.5.0-beta+5:drivers\general\queries\experimental\DriverIsolationZwViolation2\DriverIsolationZwViolation2.ql - - microsoft/windows-drivers@1.5.0-beta+5:drivers\general\queries\experimental\DriverIsolationRtlViolation\DriverIsolationRtlViolation.ql + - microsoft/cpp-queries@0.0.4:codeql-suites/cpp-code-scanning.qls + - microsoft/windows-drivers@1.x:windows-driver-suites/recommended.qls + - microsoft/windows-drivers@1.x:drivers\general\queries\experimental\DriverIsolationZwViolation1\DriverIsolationZwViolation1.ql + - microsoft/windows-drivers@1.x:drivers\general\queries\experimental\DriverIsolationZwViolation2\DriverIsolationZwViolation2.ql + - microsoft/windows-drivers@1.x:drivers\general\queries\experimental\DriverIsolationRtlViolation\DriverIsolationRtlViolation.ql diff --git a/src/drivers/general/queries/ExtendedDeprecatedApis/ExtendedDeprecatedApis.ql b/src/drivers/general/queries/ExtendedDeprecatedApis/ExtendedDeprecatedApis.ql index 63fd8fac..6a16a30a 100644 --- a/src/drivers/general/queries/ExtendedDeprecatedApis/ExtendedDeprecatedApis.ql +++ b/src/drivers/general/queries/ExtendedDeprecatedApis/ExtendedDeprecatedApis.ql 
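Review bot: Replacing the exact `microsoft/windows-drivers@1.5.0-beta+5` pin with `@1.x` means each analysis run resolves whatever 1.x pack is newest in the registry at that moment. Results stop being reproducible, and a newly published pack reaches consumers of this config without review, while `microsoft/cpp-queries@0.0.4` in the same list stays exactly pinned. If the floating range is intentional, a comment above the `packs:` entries saying so would help, e.g. `# windows-drivers floats on 1.x on purpose; pin an exact version for release or audit builds`. It is also worth confirming that `1.x` does not resolve to the `-alpha`/`-beta` builds that the publish workflow in this commit can now produce.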
@@ -493,4 +493,5 @@ class ExtendedDeprecatedCall extends Element { from ExtendedDeprecatedCall deprecatedCall where not deprecatedCall.getLocation().getFile().toString().matches("%Windows Kits%include%.h") +and not deprecatedCall.getLocation().getFile().toString().matches("%.tmh") // Exclude autogenerated WPP files select deprecatedCall, deprecatedCall.getMessage() diff --git a/src/qlpack.yml b/src/qlpack.yml index 0e4e2832..38debf75 100644 --- a/src/qlpack.yml +++ b/src/qlpack.yml @@ -2,7 +2,7 @@ # Licensed under the MIT license. name: microsoft/windows-drivers -version: 1.7.1 +version: 1.8.0 dependencies: codeql/cpp-all: ^4.2.0 microsoft/cpp-queries: ^0.0.4 diff --git a/src/windows-driver-suites/mustfix.qls b/src/windows-driver-suites/mustfix.qls index bb71ff33..4bb6cc3a 100644 --- a/src/windows-driver-suites/mustfix.qls +++ b/src/windows-driver-suites/mustfix.qls @@ -7,6 +7,7 @@ - include: query path: - drivers/general/queries/WdkDeprecatedApis/wdk-deprecated-api.ql + - drivers/general/queries/ExtendedDeprecatedApis/ExtendedDeprecatedApis.ql - microsoft/Security/CWE/CWE-704/WcharCharConversionLimited.ql - queries: . from: microsoft/cpp-queries diff --git a/src/windows-driver-suites/recommended.qls b/src/windows-driver-suites/recommended.qls index 93beaa10..0594bc83 100644 --- a/src/windows-driver-suites/recommended.qls +++ b/src/windows-driver-suites/recommended.qls @@ -12,7 +12,6 @@ - drivers/general/queries/DefaultPoolTag/DefaultPoolTag.ql - drivers/general/queries/DriverEntrySaveBuffer/DriverEntrySaveBuffer.ql - drivers/general/queries/ExaminedValue/ExaminedValue.ql - - drivers/general/queries/ExtendedDeprecatedApis/ExtendedDeprecatedApis.ql - drivers/general/queries/IRPStackEntryCopy/IRPStackEntryCopy.ql - drivers/general/queries/ImportantFunctionCallOptimizedOut/ImportantFunctionCallOptimizedOut.ql - drivers/general/queries/ImproperNotOperatorOnZero/ImproperNotOperatorOnZero.ql
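Review bot: The new `.tmh` exclusion decides by file name alone and, as far as I know, `matches` is case-sensitive. A file named `FOO.TMH` would still be reported, while any file that merely carries the `.tmh` extension is dropped from a query this commit promotes to the must-fix suite. Comparing the extension directly reads more clearly and handles case: `and not deprecatedCall.getLocation().getFile().getExtension().toLowerCase() = "tmh"`. The inline comment could also say why the exclusion is acceptable, e.g. `// WPP-generated trace headers (.tmh) are not hand-written, so findings there are not actionable`.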
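Review bot: Moving `ExtendedDeprecatedApis.ql` into `mustfix.qls` while `recommended.qls` drops it means a configuration that loads only the recommended suite stops running the query, unless `recommended.qls` also pulls in the must-fix queries somewhere outside these hunks. `config/codeql-config.yml` in this same commit references only `windows-driver-suites/recommended.qls`, so it is worth checking that the deprecated-API findings still appear there. The CHANGELOG entry could also note that consumers need the must-fix suite to keep this check.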