diff --git a/actions/ql/lib/codeql/actions/Cfg.qll b/actions/ql/lib/codeql/actions/Cfg.qll
index df7acf4e1c05..8ccc8de1d445 100644
--- a/actions/ql/lib/codeql/actions/Cfg.qll
+++ b/actions/ql/lib/codeql/actions/Cfg.qll
@@ -4,4 +4,3 @@ private import codeql.actions.controlflow.internal.Cfg as CfgInternal
 import CfgInternal::Completion
 import CfgInternal::CfgScope
 import CfgInternal::CfgImpl
-
diff --git a/actions/ql/lib/codeql/actions/Consistency.ql b/actions/ql/lib/codeql/actions/Consistency.ql
index fa3a2bc9e5ce..a799ffce3a3a 100644
--- a/actions/ql/lib/codeql/actions/Consistency.ql
+++ b/actions/ql/lib/codeql/actions/Consistency.ql
@@ -1,3 +1 @@
 import DataFlow::DataFlow::Consistency
-
-
diff --git a/actions/ql/lib/codeql/actions/Violations Of Best Practices/DefaultableCodeQLInitiatlizeActionQuery.qll b/actions/ql/lib/codeql/actions/Violations Of Best Practices/DefaultableCodeQLInitiatlizeActionQuery.qll
index ddec858aa62e..9bd9bd34dd44 100644
--- a/actions/ql/lib/codeql/actions/Violations Of Best Practices/DefaultableCodeQLInitiatlizeActionQuery.qll
+++ b/actions/ql/lib/codeql/actions/Violations Of Best Practices/DefaultableCodeQLInitiatlizeActionQuery.qll
@@ -7,9 +7,7 @@ private import actions
 * uses: github/codeql-action/init@v2
 * with:
 * languages: ruby, javascript
- *
 */
-
 class DefaultableCodeQLInitiatlizeActionQuery extends UsesStep {
 DefaultableCodeQLInitiatlizeActionQuery() {
 this.getCallee() = "github/codeql-action/init" and
@@ -17,7 +15,7 @@ class DefaultableCodeQLInitiatlizeActionQuery extends UsesStep {
 }
 }
 
-/**
+/**
 * Holds if the with: part of the workflow step contains any arguments for with: other than "languages".
 * e.g.
 * - name: Initialize CodeQL
@@ -25,12 +23,10 @@ class DefaultableCodeQLInitiatlizeActionQuery extends UsesStep {
 * with:
 * languages: ${{ matrix.language }}
 * config-file: ./.github/codeql/${{ matrix.language }}/codeql-config.yml
- *
 */
-
 predicate customizedWorkflowStep(UsesStep codeQLInitStep) {
 exists(string arg |
 exists(codeQLInitStep.getArgument(arg)) and
 arg != "languages"
 )
-}
\ No newline at end of file
+}
diff --git a/actions/ql/lib/codeql/actions/config/Config.qll b/actions/ql/lib/codeql/actions/config/Config.qll
index 20c6fae92731..265d4bd820f8 100644
--- a/actions/ql/lib/codeql/actions/config/Config.qll
+++ b/actions/ql/lib/codeql/actions/config/Config.qll
@@ -124,11 +124,7 @@ predicate vulnerableActionsDataModel(
 * Fields:
 * - action: action name
 */
-predicate immutableActionsDataModel(
- string action
-) {
- Extensions::immutableActionsDataModel(action)
-}
+predicate immutableActionsDataModel(string action) { Extensions::immutableActionsDataModel(action) }
 
 /**
 * MaD models for untrusted git commands
diff --git a/actions/ql/lib/codeql/actions/config/ConfigExtensions.qll b/actions/ql/lib/codeql/actions/config/ConfigExtensions.qll
index 7ed1d546dbac..99ad7eb8df1b 100644
--- a/actions/ql/lib/codeql/actions/config/ConfigExtensions.qll
+++ b/actions/ql/lib/codeql/actions/config/ConfigExtensions.qll
@@ -61,9 +61,7 @@ extensible predicate vulnerableActionsDataModel(
 /**
 * Holds for actions that are known to be immutable.
 */
-extensible predicate immutableActionsDataModel(
- string action
-);
+extensible predicate immutableActionsDataModel(string action);
 
 /**
 * Holds for git commands that may introduce untrusted data when called on an attacker controlled branch.
diff --git a/actions/ql/lib/codeql/actions/ideContextual/IDEContextual.qll b/actions/ql/lib/codeql/actions/ideContextual/IDEContextual.qll
index 90ce11764b58..0e58b1d878be 100644
--- a/actions/ql/lib/codeql/actions/ideContextual/IDEContextual.qll
+++ b/actions/ql/lib/codeql/actions/ideContextual/IDEContextual.qll
@@ -16,4 +16,4 @@ File getFileBySourceArchiveName(string name) {
 // We can handle 2 and 3 together by unconditionally adding a leading slash
 // before replacing double slashes.
 name = ("/" + result.getAbsolutePath().replaceAll(":", "_")).replaceAll("//", "/")
-}
\ No newline at end of file
+}
diff --git a/actions/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll b/actions/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll
index bd14b6749206..ef258fce2e5c 100644
--- a/actions/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll
+++ b/actions/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll
@@ -12,15 +12,14 @@ class UnversionedImmutableAction extends UsesStep {
 bindingset[version]
 predicate isSemVer(string version) {
 // https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string with optional v prefix
- version.regexpMatch("^v?(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$")
-
+ version
+ .regexpMatch("^v?(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$") or
 // or N or N.x or N.N.x with optional v prefix
- or version.regexpMatch("^v?[1-9]\\d*$")
- or version.regexpMatch("^v?[1-9]\\d*\\.(x|0|([1-9]\\d*))$")
- or version.regexpMatch("^v?[1-9]\\d*\\.(0|([1-9]\\d*))\\.(x|0|([1-9]\\d*))$")
-
+ version.regexpMatch("^v?[1-9]\\d*$") or
+ version.regexpMatch("^v?[1-9]\\d*\\.(x|0|([1-9]\\d*))$") or
+ version.regexpMatch("^v?[1-9]\\d*\\.(0|([1-9]\\d*))\\.(x|0|([1-9]\\d*))$") or
 // or latest which will work
- or version = "latest"
+ version = "latest"
 }
 
 predicate isImmutableAction(UsesStep actionStep, string actionName) {
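Review bot: `isSemVer` in UseOfUnversionedImmutableAction.qll holds for more than SemVer strings, and nothing at the declaration says so: besides the semver.org pattern it accepts bare `N`, `N.x`, `N.N.x` and the literal `latest`, which read as floating references rather than one fixed release. A QLDoc comment above `bindingset[version]` would make that contract explicit, for example `/** Holds if version is a SemVer string or a partial version (N, N.x, N.N.x), each with an optional v prefix, or is "latest". */`. The predicate presumably decides which `uses:` references the CWE-829 query leaves unflagged (the `UnversionedImmutableAction` class body is outside this hunk), so the comment should also say why the floating forms count as acceptable there; the existing `// or latest which will work` does not explain it.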
diff --git a/actions/ql/lib/ide-contextual-queries/printAst.ql b/actions/ql/lib/ide-contextual-queries/printAst.ql
index 9effce3721f5..450f4446e361 100644
--- a/actions/ql/lib/ide-contextual-queries/printAst.ql
+++ b/actions/ql/lib/ide-contextual-queries/printAst.ql
@@ -26,4 +26,3 @@ class Cfg extends PrintAstConfiguration {
 n.getLocation().getFile() = getFileBySourceArchiveName(selectedSourceFile())
 }
 }
-
diff --git a/actions/ql/lib/ide-contextual-queries/printCfg.ql b/actions/ql/lib/ide-contextual-queries/printCfg.ql
index d4a90f87f923..4f4d76f5f13c 100644
--- a/actions/ql/lib/ide-contextual-queries/printCfg.ql
+++ b/actions/ql/lib/ide-contextual-queries/printCfg.ql
@@ -7,47 +7,47 @@
 * @tags ide-contextual-queries/print-cfg
 */
 
- private import codeql.actions.Cfg
- private import codeql.actions.Cfg::TestOutput
- private import codeql.actions.ideContextual.IDEContextual
- private import codeql.Locations
-
- /**
- * Gets the source file to generate a CFG from.
- */
- external string selectedSourceFile();
-
- external string selectedSourceLine();
-
- external string selectedSourceColumn();
-
- bindingset[file, line, column]
- private CfgScope smallestEnclosingScope(File file, int line, int column) {
- result =
- min(Location loc, CfgScope scope |
- loc = scope.getLocation() and
- (
- loc.getStartLine() < line
- or
- loc.getStartLine() = line and loc.getStartColumn() <= column
- ) and
- (
- loc.getEndLine() > line
- or
- loc.getEndLine() = line and loc.getEndColumn() >= column
- ) and
- loc.getFile() = file
- |
- scope
- order by
- loc.getStartLine() desc, loc.getStartColumn() desc, loc.getEndLine(), loc.getEndColumn()
- )
- }
-
- class MyRelevantNode extends RelevantNode {
- MyRelevantNode() {
- this.getScope() =
- smallestEnclosingScope(getFileBySourceArchiveName(selectedSourceFile()),
- selectedSourceLine().toInt(), selectedSourceColumn().toInt())
- }
- }
+private import codeql.actions.Cfg
+private import codeql.actions.Cfg::TestOutput
+private import codeql.actions.ideContextual.IDEContextual
+private import codeql.Locations
+
+/**
+ * Gets the source file to generate a CFG from.
+ */
+external string selectedSourceFile();
+
+external string selectedSourceLine();
+
+external string selectedSourceColumn();
+
+bindingset[file, line, column]
+private CfgScope smallestEnclosingScope(File file, int line, int column) {
+ result =
+ min(Location loc, CfgScope scope |
+ loc = scope.getLocation() and
+ (
+ loc.getStartLine() < line
+ or
+ loc.getStartLine() = line and loc.getStartColumn() <= column
+ ) and
+ (
+ loc.getEndLine() > line
+ or
+ loc.getEndLine() = line and loc.getEndColumn() >= column
+ ) and
+ loc.getFile() = file
+ |
+ scope
+ order by
+ loc.getStartLine() desc, loc.getStartColumn() desc, loc.getEndLine(), loc.getEndColumn()
+ )
+}
+
+class MyRelevantNode extends RelevantNode {
+ MyRelevantNode() {
+ this.getScope() =
+ smallestEnclosingScope(getFileBySourceArchiveName(selectedSourceFile()),
+ selectedSourceLine().toInt(), selectedSourceColumn().toInt())
+ }
+}
diff --git a/actions/ql/src/Security/CWE-829/UnversionedImmutableAction.ql b/actions/ql/src/Security/CWE-829/UnversionedImmutableAction.ql
index 0bc571ad4734..ac8cc249318e 100644
--- a/actions/ql/src/Security/CWE-829/UnversionedImmutableAction.ql
+++ b/actions/ql/src/Security/CWE-829/UnversionedImmutableAction.ql
@@ -14,6 +14,5 @@ import actions
 import codeql.actions.security.UseOfUnversionedImmutableAction
 
 from UnversionedImmutableAction step
-select step,
- "The workflow is using an eligible immutable action ($@) without semantic versioning", step,
- step.getCallee()
\ No newline at end of file
+select step, "The workflow is using an eligible immutable action ($@) without semantic versioning",
+ step, step.getCallee()
diff --git a/actions/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql b/actions/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql
index c2259473b9cd..dc65fab292b3 100644
--- a/actions/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql
+++ b/actions/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql
@@ -12,4 +12,4 @@
 import codeql.actions.Violations_Of_Best_Practices.DefaultableCodeQLInitiatlizeActionQuery
 
 from DefaultableCodeQLInitiatlizeActionQuery action
-select action, "CodeQL Action could use default setup instead of advanced configuration."
\ No newline at end of file
+select action, "CodeQL Action could use default setup instead of advanced configuration."