WIP. todo: modify help text in query to be helpful, write qlhelp file, find out how to not release to customers

Author: KyFaSt

ql/lib/codeql/actions/config/Config.qll

@@ -120,7 +120,7 @@ predicate vulnerableActionsDataModel(
 }
 
 /**
- * MaD models for vulnerable actions
+ * MaD models for immutable actions
  * Fields:
  *    - action: action name
  */

ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll

@@ -0,0 +1,11 @@
+import actions
+
+class UnversionedImmutableAction extends UsesStep {
+  string immutable_action;
+
+  UnversionedImmutableAction() {
+    immutableActionsDataModel(immutable_action) and
+    this.getCallee() = immutable_action and
+    not this.getVersion().regexpMatch("^(v)?[0-9]+(\\.[0-9]+)*(\\.[xX])?$")
+  }
+}

ql/src/Security/CWE-829/UnversionedImmutableAction.ql

@@ -2,7 +2,6 @@
  * @name Unversioned Immutable Action
  * @description Using an Immutable Action without a semantic version tag opts out of the protections of Immutable Action
  * @kind problem
- * @security-severity 5.0
  * @problem.severity recommendation
  * @precision high
  * @id actions/unversioned-immutable-action
@@ -12,27 +11,9 @@
  */
 
 import actions
+import codeql.actions.security.UseOfUnversionedImmutableAction
 
-bindingset[version]
-private predicate isSemanticVersioned(string version) { version.regexpMatch("^v[0-9]+(\\.[0-9]+)*(\\.[xX])?$") }
-
-bindingset[repo]
-private predicate isTrustedOrg(string repo) {
-  exists(string org | org in ["actions", "github", "advanced-security", "octokit"] | repo.matches(org + "/%"))
-}
-
-from UsesStep uses, string repo, string version, Workflow workflow, string name
-where
-  uses.getCallee() = repo and
-  uses.getEnclosingWorkflow() = workflow and
-  (
-    workflow.getName() = name
-    or
-    not exists(workflow.getName()) and workflow.getLocation().getFile().getBaseName() = name
-  ) and
-  uses.getVersion() = version and
-  not isTrustedOrg(repo) and
-  not isPinnedCommit(version)
-select uses.getCalleeNode(),
-  "Unpinned 3rd party Action '" + name + "' step $@ uses '" + repo + "' with ref '" + version +
-    "', not a pinned commit hash", uses, uses.toString()
+from UnversionedImmutableAction step
+select step,
+  "The workflow is using an immutable action ($@) without versinoning so it doesn't work", step,
+   step.getCallee()

ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml

@@ -4,7 +4,7 @@ runs:
   using: "composite"
   steps:
     - name: Checkout repo
-      uses: actions/checkout@v4
+      uses: actions/checkout@4
       with:
         ref: ${{ github.event.pull_request.head.sha }}
         fetch-depth: 2

ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected

@@ -0,0 +1,19 @@
+| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | actions/github-script |
+| .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | actions/github-script |
+| .github/workflows/artifactpoisoning91.yml:17:9:18:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/artifactpoisoning91.yml:17:9:18:6 | Uses Step | actions/checkout |
+| .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | actions/checkout |
+| .github/workflows/artifactpoisoning92.yml:17:9:18:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/artifactpoisoning92.yml:17:9:18:6 | Uses Step | actions/checkout |
+| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | actions/checkout |
+| .github/workflows/poc.yml:30:9:36:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/poc.yml:30:9:36:6 | Uses Step | actions/checkout |
+| .github/workflows/poc.yml:36:9:38:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/poc.yml:36:9:38:6 | Uses Step | actions/configure-pages |
+| .github/workflows/poc.yml:43:9:47:2 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/poc.yml:43:9:47:2 | Uses Step | actions/upload-pages-artifact |
+| .github/workflows/poc.yml:59:9:63:26 | Uses Step: deployment | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/poc.yml:59:9:63:26 | Uses Step: deployment | actions/deploy-pages |
+| .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | actions/checkout |
+| .github/workflows/test8.yml:20:9:26:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test8.yml:20:9:26:6 | Uses Step | actions/checkout |
+| .github/workflows/test9.yml:11:9:16:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test9.yml:11:9:16:6 | Uses Step | actions/checkout |
+| .github/workflows/test11.yml:84:7:90:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test11.yml:84:7:90:4 | Uses Step | actions/checkout |
+| .github/workflows/test12.yml:86:7:92:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test12.yml:86:7:92:4 | Uses Step | actions/checkout |
+| .github/workflows/test14.yml:101:7:105:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test14.yml:101:7:105:4 | Uses Step | actions/checkout |
+| .github/workflows/test14.yml:105:7:111:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test14.yml:105:7:111:4 | Uses Step | actions/checkout |
+| .github/workflows/test15.yml:60:7:65:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test15.yml:60:7:65:4 | Uses Step | actions/checkout |
+| .github/workflows/test15.yml:110:7:115:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test15.yml:110:7:115:4 | Uses Step | actions/checkout |

ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.qlref

@@ -0,0 +1 @@
+Security/CWE-829/UnversionedImmutableAction.ql