Merge branch 'main' into nth

Author: geoffw0

.bazelrc

@@ -12,6 +12,9 @@ common --override_module=semmle_code=%workspace%/misc/bazel/semmle_code_stub
 
 build --repo_env=CC=clang --repo_env=CXX=clang++
 
+# print test output, like sembuild does.
+# Set to `errors` if this is too verbose.
+test --test_output all
 # we use transitions that break builds of `...`, so for `test` to work with that we need the following
 test --build_tests_only
 

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2006-2020 GitHub, Inc.
+Copyright (c) 2006-2025 GitHub, Inc.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

MODULE.bazel

@@ -58,15 +58,12 @@ register_toolchains("@rust_toolchains//:all")
 py_deps = use_extension("//misc/bazel/3rdparty:py_deps_extension.bzl", "p")
 use_repo(
     py_deps,
-    "vendor__anyhow-1.0.44",
-    "vendor__cc-1.0.70",
-    "vendor__clap-2.33.3",
-    "vendor__regex-1.5.5",
-    "vendor__smallvec-1.6.1",
-    "vendor__string-interner-0.12.2",
-    "vendor__thiserror-1.0.29",
-    "vendor__tree-sitter-0.20.4",
-    "vendor__tree-sitter-graph-0.7.0",
+    "vendor_py__anyhow-1.0.95",
+    "vendor_py__cc-1.2.14",
+    "vendor_py__clap-4.5.30",
+    "vendor_py__regex-1.11.1",
+    "vendor_py__tree-sitter-0.20.4",
+    "vendor_py__tree-sitter-graph-0.7.0",
 )
 
 # deps for ruby+rust

actions/extractor/BUILD.bazel

@@ -4,6 +4,7 @@ codeql_pkg_files(
     name = "extractor",
     srcs = [
         "codeql-extractor.yml",
+        "//:LICENSE",
     ] + glob(["tools/**"]),
     strip_prefix = strip_prefix.from_pkg(),
     visibility = ["//actions:__pkg__"],

actions/ql/lib/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 0.4.3
+
+### New Features
+
+* The "Unpinned tag for a non-immutable Action in workflow" query (`actions/unpinned-tag`) now supports expanding the trusted action owner list using data extensions (`extensible: trustedActionsOwnerDataModel`). If you trust an Action publisher, you can include the owner name/organization in a model pack to add it to the allow list for this query. This addition will prevent security alerts when using unpinned tags for Actions published by that owner. For more information on creating a model pack, see [Creating a CodeQL Model Pack](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack).
+
 ## 0.4.2
 
 ### Bug Fixes

actions/ql/lib/change-notes/2025-01-07-trusted-owner-ext.md renamed to actions/ql/lib/change-notes/released/0.4.3.md

@@ -1,4 +1,5 @@
----
-category: feature
----
-* The "Unpinned tag for a non-immutable Action in workflow" query (`actions/unpinned-tag`) now supports expanding the trusted action owner list using data extensions (`extensible: trustedActionsOwnerDataModel`). If you trust an Action publisher, you can include the owner name/organization in a model pack to add it to the allow list for this query. This addition will prevent security alerts when using unpinned tags for Actions published by that owner. For more information on creating a model pack, see [Creating a CodeQL Model Pack](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack).
+## 0.4.3
+
+### New Features
+
+* The "Unpinned tag for a non-immutable Action in workflow" query (`actions/unpinned-tag`) now supports expanding the trusted action owner list using data extensions (`extensible: trustedActionsOwnerDataModel`). If you trust an Action publisher, you can include the owner name/organization in a model pack to add it to the allow list for this query. This addition will prevent security alerts when using unpinned tags for Actions published by that owner. For more information on creating a model pack, see [Creating a CodeQL Model Pack](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack).

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.2
+lastReleaseVersion: 0.4.3

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.3-dev
+version: 0.4.4-dev
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,3 +1,29 @@
+## 0.5.0
+
+### Breaking Changes
+
+* The following queries have been removed from the `code-scanning` and `security-extended` suites.
+  Any existing alerts for these queries will be closed automatically.
+  * `actions/if-expression-always-true/critical`
+  * `actions/if-expression-always-true/high`
+  * `actions/unnecessary-use-of-advanced-config`
+  
+* The following query has been moved from the `code-scanning` suite to the `security-extended`
+  suite. Any existing alerts for this query will be closed automatically unless the analysis is
+  configured to use the `security-extended` suite.
+  * `actions/unpinned-tag`
+* The following queries have been added to the `security-extended` suite.
+  * `actions/unversioned-immutable-action`
+  * `actions/envpath-injection/medium`
+  * `actions/envvar-injection/medium`
+  * `actions/code-injection/medium`
+  * `actions/artifact-poisoning/medium`
+  * `actions/untrusted-checkout/medium`
+
+### Minor Analysis Improvements
+
+* Fixed false positives in the query `actions/unpinned-tag` (CWE-829), which will no longer flag uses of Docker-based GitHub actions pinned by the container's SHA256 digest.
+
 ## 0.4.2
 
 No user-facing changes.

actions/ql/src/change-notes/2025-02-14-docker-false-positives.md

@@ -1,6 +1,7 @@
----
-category: breaking
----
+## 0.5.0
+
+### Breaking Changes
+
 * The following queries have been removed from the `code-scanning` and `security-extended` suites.
   Any existing alerts for these queries will be closed automatically.
   * `actions/if-expression-always-true/critical`
@@ -18,3 +19,7 @@ category: breaking
   * `actions/code-injection/medium`
   * `actions/artifact-poisoning/medium`
   * `actions/untrusted-checkout/medium`
+
+### Minor Analysis Improvements
+
+* Fixed false positives in the query `actions/unpinned-tag` (CWE-829), which will no longer flag uses of Docker-based GitHub actions pinned by the container's SHA256 digest.

actions/ql/src/change-notes/2025-02-06-curate-suites.md renamed to actions/ql/src/change-notes/released/0.5.0.md

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.2
+lastReleaseVersion: 0.5.0

actions/ql/src/codeql-pack.release.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.4.3-dev
+version: 0.5.1-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

actions/ql/src/qlpack.yml

@@ -1,3 +1,7 @@
+## 4.0.1
+
+No user-facing changes.
+
 ## 4.0.0
 
 ### Breaking Changes

cpp/ql/lib/CHANGELOG.md

@@ -0,0 +1,3 @@
+## 4.0.1
+
+No user-facing changes.

cpp/ql/lib/change-notes/released/4.0.1.md

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 4.0.0
+lastReleaseVersion: 4.0.1

cpp/ql/lib/codeql-pack.release.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 4.0.1-dev
+version: 4.0.2-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/qlpack.yml

@@ -1,3 +1,7 @@
+## 1.3.4
+
+No user-facing changes.
+
 ## 1.3.3
 
 ### Minor Analysis Improvements

cpp/ql/src/CHANGELOG.md

@@ -49,11 +49,17 @@ predicate interestingConcatenation(DataFlow::Node incoming, DataFlow::Node outgo
     call.getTarget() = op and
     op.hasQualifiedName("std", "operator+") and
     op.getType().(UserType).hasQualifiedName("std", "basic_string") and
-    incoming.asIndirectArgument() = call.getArgument(1) and // left operand
+    incoming.asIndirectArgument() = call.getArgument(1) and // right operand
     call = outgoing.asInstruction().getUnconvertedResultExpression()
   )
 }
 
+/**
+ * A state will represent the most recent concatenation that occurred in the data flow.
+ *  - `TConcatState` if the concetenation has not yet occurred.
+ *  - `TExecState(incoming, outgoing)`, representing the concatenation of data from `incoming`
+ *    into result `outgoing`.
+ */
 newtype TState =
   TConcatState() or
   TExecState(DataFlow::Node incoming, DataFlow::Node outgoing) {
@@ -74,7 +80,9 @@ class ExecState extends TExecState {
 
   DataFlow::Node getOutgoingNode() { result = outgoing }
 
-  /** Holds if this is a possible `ExecState` for `sink`. */
+  /**
+   * Holds if this is a possible `ExecState` at `sink`, that is, if `outgoing` flows to `sink`.
+   */
   predicate isFeasibleForSink(DataFlow::Node sink) { ExecState::flow(outgoing, sink) }
 
   string toString() { result = "ExecState" }
@@ -110,6 +118,12 @@ module ExecStateConfig implements DataFlow::ConfigSig {
 
 module ExecState = TaintTracking::Global<ExecStateConfig>;
 
+/**
+ * A full `TaintTracking` configuration from source to concatenation to sink, using a flow
+ * state to remember the concatenation. It's important that we track flow to the sink even though
+ * as soon as we reach the concatenation we know it will get there (due to the check of
+ * `isFeasibleForSink`), because this way we get a complete flow path.
+ */
 module ExecTaintConfig implements DataFlow::StateConfigSig {
   class FlowState = TState;
 

cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql

@@ -0,0 +1,3 @@
+## 1.3.4
+
+No user-facing changes.

cpp/ql/src/change-notes/released/1.3.4.md

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.3.3
+lastReleaseVersion: 1.3.4

cpp/ql/src/codeql-pack.release.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.3.4-dev
+version: 1.3.5-dev
 groups:
   - cpp
   - queries