Convert trusted actions list to data extension

felickz · felickz · commit 22e7b9a825f3 · 2025-01-07T15:35:12.000-05:00
diff --git a/actions/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll b/actions/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll
@@ -9,6 +9,12 @@ class UnversionedImmutableAction extends UsesStep {
   }
 }
 
+// The following predicate is extended in data extensions under actions/ql/lib/codeql/actions/security/owner/
+// and can be extended with custom model packs as necessary.
+
+/** Holds for actions owner defined in data extensions */
+extensible predicate trustedActionsOwner(string owner);
+
 bindingset[version]
 predicate isSemVer(string version) {
   // https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string with optional v prefix
diff --git a/actions/ql/lib/codeql/actions/security/owner/trusted/trusted_actions_owner.model.yml b/actions/ql/lib/codeql/actions/security/owner/trusted/trusted_actions_owner.model.yml
@@ -0,0 +1,8 @@
+extensions:
+  - addsTo: 
+      pack: codeql/actions-all
+      extensible: trustedActionsOwner
+    data:      
+      - ["actions"]
+      - ["github"]
+      - ["advanced-security"]
diff --git a/actions/ql/lib/qlpack.yml b/actions/ql/lib/qlpack.yml
@@ -14,3 +14,4 @@ dataExtensions:
   - ext/manual/*.model.yml
   - ext/generated/**/*.model.yml
   - ext/config/*.yml
+  - codeql/actions/security/owner/**/*.model.yml
diff --git a/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql b/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
@@ -17,24 +17,25 @@ import codeql.actions.security.UseOfUnversionedImmutableAction
 bindingset[version]
 private predicate isPinnedCommit(string version) { version.regexpMatch("^[A-Fa-f0-9]{40}$") }
 
-bindingset[repo]
-private predicate isTrustedOrg(string repo) {
-  repo.matches(["actions", "github", "advanced-security"] + "/%")
+bindingset[nwo]
+private predicate isTrustedOwner(string nwo) {  
+  // Gets the segment before the first '/' in the name with owner(nwo) string 
+  trustedActionsOwner(nwo.substring(0, nwo.indexOf("/")))
 }
 
-from UsesStep uses, string repo, string version, Workflow workflow, string name
+from UsesStep uses, string nwo, string version, Workflow workflow, string name
 where
-  uses.getCallee() = repo and
+  uses.getCallee() = nwo and
   uses.getEnclosingWorkflow() = workflow and
   (
     workflow.getName() = name
     or
     not exists(workflow.getName()) and workflow.getLocation().getFile().getBaseName() = name
   ) and
   uses.getVersion() = version and
-  not isTrustedOrg(repo) and
+  not isTrustedOwner(nwo) and
   not isPinnedCommit(version) and
-  not isImmutableAction(uses, repo)
+  not isImmutableAction(uses, nwo)
 select uses.getCalleeNode(),
-  "Unpinned 3rd party Action '" + name + "' step $@ uses '" + repo + "' with ref '" + version +
+  "Unpinned 3rd party Action '" + name + "' step $@ uses '" + nwo + "' with ref '" + version +
     "', not a pinned commit hash", uses, uses.toString()

Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,12 @@ class UnversionedImmutableAction extends UsesStep {`
`9`	`9`	`}`
`10`	`10`	`}`
`11`	`11`
	`12`	`+// The following predicate is extended in data extensions under actions/ql/lib/codeql/actions/security/owner/`
	`13`	`+// and can be extended with custom model packs as necessary.`
	`14`	`+`
	`15`	`+/** Holds for actions owner defined in data extensions */`
	`16`	`+extensible predicate trustedActionsOwner(string owner);`
	`17`	`+`
`12`	`18`	`bindingset[version]`
`13`	`19`	`predicate isSemVer(string version) {`
`14`	`20`	`// https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string with optional v prefix`