microsoft
diff --git a/‎Cargo.lock
Lines changed: 15 additions & 42 deletions b/‎Cargo.lock
Lines changed: 15 additions & 42 deletions
diff --git a/‎MODULE.bazel
Lines changed: 4 additions & 14 deletions b/‎MODULE.bazel
Lines changed: 4 additions & 14 deletions
diff --git a/‎actions/ql/lib/CHANGELOG.md
Lines changed: 6 additions & 0 deletions b/‎actions/ql/lib/CHANGELOG.md
Lines changed: 6 additions & 0 deletions
diff --git a/‎actions/ql/lib/change-notes/released/0.4.3.md
Lines changed: 5 additions & 0 deletions b/‎actions/ql/lib/change-notes/released/0.4.3.md
Lines changed: 5 additions & 0 deletions
diff --git a/‎actions/ql/lib/codeql-pack.release.yml
Lines changed: 1 addition & 1 deletion b/‎actions/ql/lib/codeql-pack.release.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎actions/ql/lib/codeql/actions/Bash.qll
Lines changed: 3 additions & 1 deletion b/‎actions/ql/lib/codeql/actions/Bash.qll
Lines changed: 3 additions & 1 deletion
diff --git a/‎actions/ql/lib/codeql/actions/config/Config.qll
Lines changed: 9 additions & 0 deletions b/‎actions/ql/lib/codeql/actions/config/Config.qll
Lines changed: 9 additions & 0 deletions
diff --git a/‎actions/ql/lib/codeql/actions/config/ConfigExtensions.qll
Lines changed: 5 additions & 0 deletions b/‎actions/ql/lib/codeql/actions/config/ConfigExtensions.qll
Lines changed: 5 additions & 0 deletions
diff --git a/‎actions/ql/lib/ext/config/trusted_actions_owner.yml
Lines changed: 8 additions & 0 deletions b/‎actions/ql/lib/ext/config/trusted_actions_owner.yml
Lines changed: 8 additions & 0 deletions
diff --git a/‎actions/ql/lib/qlpack.yml
Lines changed: 1 addition & 1 deletion b/‎actions/ql/lib/qlpack.yml
Lines changed: 1 addition & 1 deletion
@@ -14,7 +14,7 @@ local_path_override(
 
 # see https://registry.bazel.build/ for a list of available packages
 
-bazel_dep(name = "platforms", version = "0.0.10")
+bazel_dep(name = "platforms", version = "0.0.11")
 bazel_dep(name = "rules_go", version = "0.50.1")
 bazel_dep(name = "rules_pkg", version = "1.0.1")
 bazel_dep(name = "rules_nodejs", version = "6.2.0-codeql.1")
@@ -28,7 +28,7 @@ bazel_dep(name = "rules_kotlin", version = "2.0.0-codeql.1")
 bazel_dep(name = "gazelle", version = "0.40.0")
 bazel_dep(name = "rules_dotnet", version = "0.17.4")
 bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
-bazel_dep(name = "rules_rust", version = "0.52.2")
+bazel_dep(name = "rules_rust", version = "0.57.1")
 bazel_dep(name = "zstd", version = "1.5.5.bcr.1")
 
 bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
@@ -53,15 +53,6 @@ use_repo(rust, "rust_toolchains")
 
 register_toolchains("@rust_toolchains//:all")
 
-rust_host_tools = use_extension("@rules_rust//rust:extensions.bzl", "rust_host_tools")
-
-# Don't download a second toolchain as host toolchain, make sure this is the same version as above
-# The host toolchain is used for vendoring dependencies.
-rust_host_tools.host_tools(
-    edition = RUST_EDITION,
-    version = RUST_VERSION,
-)
-
 # deps for python extractor
 # keep in sync by running `misc/bazel/3rdparty/update_cargo_deps.sh`
 py_deps = use_extension("//misc/bazel/3rdparty:py_deps_extension.bzl", "p")
@@ -96,7 +87,6 @@ use_repo(
     "vendor__globset-0.4.15",
     "vendor__itertools-0.14.0",
     "vendor__lazy_static-1.5.0",
-    "vendor__log-0.4.22",
     "vendor__mustache-0.9.0",
     "vendor__num-traits-0.2.19",
     "vendor__num_cpus-1.16.0",
@@ -123,10 +113,10 @@ use_repo(
     "vendor__serde-1.0.217",
     "vendor__serde_json-1.0.135",
     "vendor__serde_with-3.12.0",
-    "vendor__stderrlog-0.6.0",
     "vendor__syn-2.0.96",
     "vendor__toml-0.8.19",
     "vendor__tracing-0.1.41",
+    "vendor__tracing-flame-0.2.0",
     "vendor__tracing-subscriber-0.3.19",
     "vendor__tree-sitter-0.24.6",
     "vendor__tree-sitter-embedded-template-0.23.2",
@@ -252,7 +242,7 @@ use_repo(
 )
 
 go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
-go_sdk.download(version = "1.23.1")
+go_sdk.download(version = "1.24.0")
 
 go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
 go_deps.from_file(go_mod = "//go/extractor:go.mod")
 
@@ -1,3 +1,9 @@
+## 0.4.3
+
+### New Features
+
+* The "Unpinned tag for a non-immutable Action in workflow" query (`actions/unpinned-tag`) now supports expanding the trusted action owner list using data extensions (`extensible: trustedActionsOwnerDataModel`). If you trust an Action publisher, you can include the owner name/organization in a model pack to add it to the allow list for this query. This addition will prevent security alerts when using unpinned tags for Actions published by that owner. For more information on creating a model pack, see [Creating a CodeQL Model Pack](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack).
+
 ## 0.4.2
 
 ### Bug Fixes
 
@@ -0,0 +1,5 @@
+## 0.4.3
+
+### New Features
+
+* The "Unpinned tag for a non-immutable Action in workflow" query (`actions/unpinned-tag`) now supports expanding the trusted action owner list using data extensions (`extensible: trustedActionsOwnerDataModel`). If you trust an Action publisher, you can include the owner name/organization in a model pack to add it to the allow list for this query. This addition will prevent security alerts when using unpinned tags for Actions published by that owner. For more information on creating a model pack, see [Creating a CodeQL Model Pack](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack).
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.2
+lastReleaseVersion: 0.4.3
@@ -81,7 +81,9 @@ class BashShellScript extends ShellScript {
           "qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" +
             quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
       )
-    )
+    ) and
+    // Only do this for strings that might otherwise disrupt subsequent parsing
+    quotedStr.regexpMatch("[\"'].*[$\n\r'\"" + Bash::separator() + "].*[\"']")
   }
 
   private predicate rankedQuotedStringReplacements(int i, string old, string new) {
 
@@ -126,6 +126,15 @@ predicate vulnerableActionsDataModel(
  */
 predicate immutableActionsDataModel(string action) { Extensions::immutableActionsDataModel(action) }
 
+/**
+ * MaD models for trusted actions owners
+ * Fields:
+ *    - owner: owner name
+ */
+predicate trustedActionsOwnerDataModel(string owner) {
+  Extensions::trustedActionsOwnerDataModel(owner)
+}
+
 /**
  * MaD models for untrusted git commands
  * Fields:
 
@@ -63,6 +63,11 @@ extensible predicate vulnerableActionsDataModel(
  */
 extensible predicate immutableActionsDataModel(string action);
 
+/**
+ * Holds for trusted Actions owners.
+ */
+extensible predicate trustedActionsOwnerDataModel(string owner);
+
 /**
  * Holds for git commands that may introduce untrusted data when called on an attacker controlled branch.
  */
 
@@ -0,0 +1,8 @@
+extensions:
+  - addsTo: 
+      pack: codeql/actions-all
+      extensible: trustedActionsOwnerDataModel
+    data:      
+      - ["actions"]
+      - ["github"]
+      - ["advanced-security"]
@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.2
+version: 0.4.3
 library: true
 warnOnImplicitThis: true
 dependencies:
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`	`1`	`---`
`2`		`-lastReleaseVersion: 0.4.2`
	`2`	`+lastReleaseVersion: 0.4.3`
Original file line number	Diff line number	Diff line change
`@@ -81,7 +81,9 @@ class BashShellScript extends ShellScript {`
`81`	`81`	`"qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" +`
`82`	`82`	`quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")`
`83`	`83`	`)`
`84`		`- )`
	`84`	`+ ) and`
	`85`	`+ // Only do this for strings that might otherwise disrupt subsequent parsing`
	`86`	`+ quotedStr.regexpMatch("[\"'].[$\n\r'\"" + Bash::separator() + "].[\"']")`
`85`	`87`	`}`
`86`	`88`
`87`	`89`	`private predicate rankedQuotedStringReplacements(int i, string old, string new) {`