Sync Main (autogenerated)

.github/workflows/codeql-analysis.yml

@@ -34,7 +34,7 @@ jobs:
     - name: Setup dotnet
       uses: actions/setup-dotnet@v4
       with:
-        dotnet-version: 9.0.100
+        dotnet-version: 9.0.300
 
     - name: Checkout repository
       uses: actions/checkout@v5

.github/workflows/csharp-qltest.yml

@@ -43,14 +43,14 @@ jobs:
       - name: Setup dotnet
         uses: actions/setup-dotnet@v4
         with:
-          dotnet-version: 9.0.100
+          dotnet-version: 9.0.300
       - name: Extractor unit tests
         run: |
           dotnet tool restore
-          dotnet test -p:RuntimeFrameworkVersion=9.0.0 extractor/Semmle.Util.Tests
-          dotnet test -p:RuntimeFrameworkVersion=9.0.0 extractor/Semmle.Extraction.Tests
-          dotnet test -p:RuntimeFrameworkVersion=9.0.0 autobuilder/Semmle.Autobuild.CSharp.Tests
-          dotnet test -p:RuntimeFrameworkVersion=9.0.0 autobuilder/Semmle.Autobuild.Cpp.Tests
+          dotnet test -p:RuntimeFrameworkVersion=9.0.5 extractor/Semmle.Util.Tests
+          dotnet test -p:RuntimeFrameworkVersion=9.0.5 extractor/Semmle.Extraction.Tests
+          dotnet test -p:RuntimeFrameworkVersion=9.0.5 autobuilder/Semmle.Autobuild.CSharp.Tests
+          dotnet test -p:RuntimeFrameworkVersion=9.0.5 autobuilder/Semmle.Autobuild.Cpp.Tests
         shell: bash
   stubgentest:
     runs-on: ubuntu-latest

.github/workflows/query-list.yml

@@ -31,7 +31,7 @@ jobs:
       with:
         python-version: 3.8
     - name: Download CodeQL CLI
-      # Look under the `codeql` directory, as this is where we checked out the `github/codeql` repo
+      # Look under the `codeql` directory, as this is where we checked out the `github/codeql` repo
       uses: ./codeql/.github/actions/fetch-codeql
     - name: Build code scanning query list
       run: |

MODULE.bazel

@@ -26,7 +26,7 @@ bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
 bazel_dep(name = "fmt", version = "10.0.0")
 bazel_dep(name = "rules_kotlin", version = "2.1.3-codeql.1")
 bazel_dep(name = "gazelle", version = "0.40.0")
-bazel_dep(name = "rules_dotnet", version = "0.17.4")
+bazel_dep(name = "rules_dotnet", version = "0.19.2-codeql.1")
 bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
 bazel_dep(name = "rules_rust", version = "0.63.0")
 bazel_dep(name = "zstd", version = "1.5.5.bcr.1")
@@ -172,7 +172,7 @@ http_archive(
 )
 
 dotnet = use_extension("@rules_dotnet//dotnet:extensions.bzl", "dotnet")
-dotnet.toolchain(dotnet_version = "9.0.100")
+dotnet.toolchain(dotnet_version = "9.0.300")
 use_repo(dotnet, "dotnet_toolchains")
 
 register_toolchains("@dotnet_toolchains//:all")

actions/extractor/codeql-extractor.yml

@@ -1,5 +1,4 @@
 name: "actions"
-aliases: []
 display_name: "GitHub Actions"
 version: 0.0.1
 column_kind: "utf16"
@@ -8,9 +7,11 @@ build_modes:
   - none
 default_queries:
   - codeql/actions-queries
-file_coverage_languages: []
+# Actions workflows are not reported separately by the GitHub API, so we can't
+# associate them with a specific language.
 github_api_languages: []
-scc_languages: []
+scc_languages:
+  - YAML
 file_types:
   - name: workflow
     display_name: GitHub Actions workflow files

actions/extractor/tools/baseline-config.json

@@ -0,0 +1,10 @@
+{
+    "paths": [
+        ".github/workflows/*.yml",
+        ".github/workflows/*.yaml",
+        ".github/reusable_workflows/**/*.yml",
+        ".github/reusable_workflows/**/*.yaml",
+        "**/action.yml",
+        "**/action.yaml"
+    ]
+}

actions/extractor/tools/configure-baseline.cmd

@@ -0,0 +1,2 @@
+@echo off
+type "%CODEQL_EXTRACTOR_ACTIONS_ROOT%\tools\baseline-config.json"

actions/extractor/tools/configure-baseline.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+cat "$CODEQL_EXTRACTOR_ACTIONS_ROOT/tools/baseline-config.json"

actions/ql/integration-tests/query-suite/actions-code-scanning.qls.expected

@@ -1,3 +1,4 @@
+ql/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
 ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
 ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
 ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql

actions/ql/integration-tests/query-suite/actions-security-and-quality.qls.expected

@@ -1,4 +1,5 @@
 ql/actions/ql/src/Debug/SyntaxError.ql
+ql/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
 ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
 ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
 ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql

actions/ql/integration-tests/query-suite/actions-security-extended.qls.expected

@@ -1,3 +1,4 @@
+ql/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
 ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
 ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
 ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql

actions/ql/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.4.17
+
+No user-facing changes.
+
 ## 0.4.16
 
 No user-facing changes.

actions/ql/lib/change-notes/released/0.4.17.md

@@ -0,0 +1,3 @@
+## 0.4.17
+
+No user-facing changes.

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.16
+lastReleaseVersion: 0.4.17

actions/ql/lib/codeql/Locations.qll

@@ -70,8 +70,8 @@ class Location extends TLocation, TBaseLocation {
 
   /**
    * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
+   * The location spans column `sc` of line `sl` to
+   * column `ec` of line `el` in file `p`.
    * For more information, see
    * [Providing locations in CodeQL queries](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
    */

actions/ql/lib/codeql/actions/Ast.qll

@@ -261,7 +261,7 @@ class If extends AstNode instanceof IfImpl {
 }
 
 /**
- * An Environemnt node representing a deployment environment.
+ * An Environment node representing a deployment environment.
  */
 class Environment extends AstNode instanceof EnvironmentImpl {
   string getName() { result = super.getName() }

actions/ql/lib/codeql/actions/ast/internal/Ast.qll

@@ -125,12 +125,11 @@ abstract class AstNodeImpl extends TAstNode {
    * Gets the enclosing Step.
    */
   StepImpl getEnclosingStep() {
-    if this instanceof StepImpl
-    then result = this
-    else
-      if this instanceof ScalarValueImpl
-      then result.getAChildNode*() = this.getParentNode()
-      else none()
+    this instanceof StepImpl and
+    result = this
+    or
+    this instanceof ScalarValueImpl and
+    result.getAChildNode*() = this.getParentNode()
   }
 
   /**
@@ -1416,9 +1415,8 @@ class ExternalJobImpl extends JobImpl, UsesImpl {
   override string getVersion() {
     exists(YamlString name |
       n.lookup("uses") = name and
-      if not name.getValue().matches("\\.%")
-      then result = name.getValue().regexpCapture(repoUsesParser(), 4)
-      else none()
+      not name.getValue().matches("\\.%") and
+      result = name.getValue().regexpCapture(repoUsesParser(), 4)
     )
   }
 }

actions/ql/lib/codeql/actions/controlflow/BasicBlocks.qll

@@ -286,7 +286,7 @@ private module Cached {
   /**
    * Holds if `cfn` is the `i`th node in basic block `bb`.
    *
-   * In other words, `i` is the shortest distance from a node `bb`
+   * In other words, `i` is the shortest distance from a node `bbStart`
    * that starts a basic block to `cfn` along the `intraBBSucc` relation.
    */
   cached

actions/ql/lib/codeql/actions/controlflow/internal/Cfg.qll

@@ -3,6 +3,8 @@ private import codeql.controlflow.Cfg as CfgShared
 private import codeql.Locations
 
 module Completion {
+  import codeql.controlflow.SuccessorType
+
   private newtype TCompletion =
     TSimpleCompletion() or
     TBooleanCompletion(boolean b) { b in [false, true] } or
@@ -25,7 +27,7 @@ module Completion {
 
     override predicate isValidFor(AstNode e) { not any(Completion c).isValidForSpecific(e) }
 
-    override NormalSuccessor getAMatchingSuccessorType() { any() }
+    override DirectSuccessor getAMatchingSuccessorType() { any() }
   }
 
   class BooleanCompletion extends NormalCompletion, TBooleanCompletion {
@@ -49,34 +51,6 @@ module Completion {
 
     override ReturnSuccessor getAMatchingSuccessorType() { any() }
   }
-
-  cached
-  private newtype TSuccessorType =
-    TNormalSuccessor() or
-    TBooleanSuccessor(boolean b) { b in [false, true] } or
-    TReturnSuccessor()
-
-  class SuccessorType extends TSuccessorType {
-    string toString() { none() }
-  }
-
-  class NormalSuccessor extends SuccessorType, TNormalSuccessor {
-    override string toString() { result = "successor" }
-  }
-
-  class BooleanSuccessor extends SuccessorType, TBooleanSuccessor {
-    boolean value;
-
-    BooleanSuccessor() { this = TBooleanSuccessor(value) }
-
-    override string toString() { result = value.toString() }
-
-    boolean getValue() { result = value }
-  }
-
-  class ReturnSuccessor extends SuccessorType, TReturnSuccessor {
-    override string toString() { result = "return" }
-  }
 }
 
 module CfgScope {
@@ -127,14 +101,8 @@ private module Implementation implements CfgShared::InputSig<Location> {
     last(scope.(CompositeAction), e, c)
   }
 
-  predicate successorTypeIsSimple(SuccessorType t) { t instanceof NormalSuccessor }
-
-  predicate successorTypeIsCondition(SuccessorType t) { t instanceof BooleanSuccessor }
-
   SuccessorType getAMatchingSuccessorType(Completion c) { result = c.getAMatchingSuccessorType() }
 
-  predicate isAbnormalExitType(SuccessorType t) { none() }
-
   int idOfAstNode(AstNode node) { none() }
 
   int idOfCfgScope(CfgScope scope) { none() }

actions/ql/lib/codeql/actions/dataflow/ExternalFlow.qll

@@ -63,10 +63,10 @@ predicate madSource(DataFlow::Node source, string kind, string fieldName) {
     (
       if fieldName.trim().matches("env.%")
       then source.asExpr() = uses.getInScopeEnvVarExpr(fieldName.trim().replaceAll("env.", ""))
-      else
-        if fieldName.trim().matches("output.%")
-        then source.asExpr() = uses
-        else none()
+      else (
+        fieldName.trim().matches("output.%") and
+        source.asExpr() = uses
+      )
     )
   )
 }

actions/ql/lib/codeql/actions/dataflow/FlowSources.qll

@@ -31,14 +31,14 @@ abstract class RemoteFlowSource extends SourceNode {
 class GitHubCtxSource extends RemoteFlowSource {
   string flag;
   string event;
-  GitHubExpression e;
 
   GitHubCtxSource() {
-    this.asExpr() = e and
-    // github.head_ref
-    e.getFieldName() = "head_ref" and
-    flag = "branch" and
-    (
+    exists(GitHubExpression e |
+      this.asExpr() = e and
+      // github.head_ref
+      e.getFieldName() = "head_ref" and
+      flag = "branch"
+    |
       event = e.getATriggerEvent().getName() and
       event = "pull_request_target"
       or
@@ -148,7 +148,6 @@ class GhCLICommandSource extends RemoteFlowSource, CommandSource {
 class GitHubEventPathSource extends RemoteFlowSource, CommandSource {
   string cmd;
   string flag;
-  string access_path;
   Run run;
 
   // Examples
@@ -163,7 +162,7 @@ class GitHubEventPathSource extends RemoteFlowSource, CommandSource {
     run.getScript().getACommand() = cmd and
     cmd.matches("jq%") and
     cmd.matches("%GITHUB_EVENT_PATH%") and
-    exists(string regexp |
+    exists(string regexp, string access_path |
       untrustedEventPropertiesDataModel(regexp, flag) and
       not flag = "json" and
       access_path = "github.event" + cmd.regexpCapture(".*\\s+([^\\s]+)\\s+.*", 1) and

actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll

@@ -19,7 +19,6 @@ abstract class ArgumentInjectionSink extends DataFlow::Node {
  */
 class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink {
   string command;
-  string argument;
 
   ArgumentInjectionFromEnvVarSink() {
     exists(Run run, string var |
@@ -28,7 +27,7 @@ class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink {
         exists(run.getInScopeEnvVarExpr(var)) or
         var = "GITHUB_HEAD_REF"
       ) and
-      run.getScript().getAnEnvReachingArgumentInjectionSink(var, command, argument)
+      run.getScript().getAnEnvReachingArgumentInjectionSink(var, command, _)
     )
   }
 
@@ -44,13 +43,12 @@ class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink {
  */
 class ArgumentInjectionFromCommandSink extends ArgumentInjectionSink {
   string command;
-  string argument;
 
   ArgumentInjectionFromCommandSink() {
     exists(CommandSource source, Run run |
       run = source.getEnclosingRun() and
       this.asExpr() = run.getScript() and
-      run.getScript().getACmdReachingArgumentInjectionSink(source.getCommand(), command, argument)
+      run.getScript().getACmdReachingArgumentInjectionSink(source.getCommand(), command, _)
     )
   }