microsoft
diff --git a/‎.gitignore
Lines changed: 1 addition & 0 deletions b/‎.gitignore
Lines changed: 1 addition & 0 deletions
diff --git a/‎build-test-dbs.sh
Lines changed: 0 additions & 7 deletions b/‎build-test-dbs.sh
Lines changed: 0 additions & 7 deletions
diff --git a/‎codeql-workspace.yml
Lines changed: 2 additions & 1 deletion b/‎codeql-workspace.yml
Lines changed: 2 additions & 1 deletion
diff --git a/‎ql/lib/codeql/actions/Ast.qll
Lines changed: 6 additions & 1 deletion b/‎ql/lib/codeql/actions/Ast.qll
Lines changed: 6 additions & 1 deletion
diff --git a/‎ql/lib/codeql/actions/ast/internal/Actions.qll
Lines changed: 0 additions & 2 deletions b/‎ql/lib/codeql/actions/ast/internal/Actions.qll
Lines changed: 0 additions & 2 deletions
diff --git a/‎ql/lib/qlpack.yml
Lines changed: 0 additions & 1 deletion b/‎ql/lib/qlpack.yml
Lines changed: 0 additions & 1 deletion
diff --git a/‎ql/src/Security/CWE-020/CompositeActionSummaries.ql renamed to ‎ql/src/Security/CWE-020/CompositeActionsSummaries.ql b/‎ql/src/Security/CWE-020/CompositeActionSummaries.ql renamed to ‎ql/src/Security/CWE-020/CompositeActionsSummaries.ql
diff --git a/‎ql/src/Security/CWE-829/UnpinnedActionsTag.ql
Lines changed: 3 additions & 3 deletions b/‎ql/src/Security/CWE-829/UnpinnedActionsTag.ql
Lines changed: 3 additions & 3 deletions
diff --git a/‎ql/src/Security/CWE-094/UntrustedCheckout.md renamed to ‎ql/src/Security/CWE-829/UntrustedCheckout.md b/‎ql/src/Security/CWE-094/UntrustedCheckout.md renamed to ‎ql/src/Security/CWE-829/UntrustedCheckout.md
diff --git a/‎ql/src/Security/CWE-094/UntrustedCheckout.ql renamed to ‎ql/src/Security/CWE-829/UntrustedCheckout.ql
Lines changed: 1 addition & 1 deletion b/‎ql/src/Security/CWE-094/UntrustedCheckout.ql renamed to ‎ql/src/Security/CWE-829/UntrustedCheckout.ql
Lines changed: 1 addition & 1 deletion
@@ -2,3 +2,4 @@
 **/*.testproj
 ql/lib/.codeql/
 ql/src/.codeql/
+ql/test/.codeql/
@@ -1,3 +1,4 @@
 provide:
   - "**/ql/src/qlpack.yml"
-  - "**/ql/lib/qlpack.yml"
+  - "**/ql/lib/qlpack.yml"
+  - "**/ql/test/qlpack.yml"
@@ -270,7 +270,12 @@ class StepUsesExpr extends StepStmt, UsesExpr {
 
   override string getCallee() { result = uses.getGitHubRepository() }
 
-  override string getVersion() { result = uses.getVersion() }
+  override string getVersion() {
+    result = uses.getVersion()
+    or
+    not exists(uses.getVersion()) and
+    result = "main"
+  }
 
   override Expression getArgumentExpr(string key) {
     exists(Actions::With with |
 
@@ -6,7 +6,6 @@
 import codeql.actions.ast.internal.Yaml
 import codeql.files.FileSystem
 
-// ALVARO: Make it private
 /**
  * Libraries for modeling GitHub Actions workflow files written in YAML.
  * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions.
@@ -376,7 +375,6 @@ module Actions {
   }
 
   /**
-   * ALVARO
    * https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idneeds
    */
   class Needs extends YamlNode {
 
@@ -10,7 +10,6 @@ dependencies:
   codeql/dataflow: ^0.1.7
 dbscheme: yaml.dbscheme
 extractor: yaml
-tests: test
 groups:
   - yaml
 dataExtensions:
 
@@ -24,15 +24,15 @@ private predicate isTrustedOrg(string repo) {
 from StepUsesExpr uses, string repo, string version, WorkflowStmt workflow, string name
 where
   uses.getCallee() = repo and
-  uses.getVersion() = version and
   uses.getEnclosingWorkflowStmt() = workflow and
   (
     workflow.getName() = name
     or
     not exists(workflow.getName()) and workflow.getLocation().getFile().getBaseName() = name
   ) and
-  not isPinnedCommit(version) and
-  not isTrustedOrg(repo)
+  uses.getVersion() = version and
+  not isTrustedOrg(repo) and
+  not isPinnedCommit(version)
 select uses,
   "Unpinned 3rd party Action '" + name + "' step $@ uses '" + repo + "' with ref '" + version +
     "', not a pinned commit hash", uses, uses.toString()
@@ -10,7 +10,7 @@
  * @id actions/untrusted-checkout
  * @tags actions
  *       security
- *       external/cwe/cwe-094
+ *       external/cwe/cwe-829
  */
 
 import actions