
Commit d59be76

committed
Merge remote-tracking branch 'origin/main' into redsun82/just2
2 parents 543c31f + f6fb613 commit d59be76


28 files changed

+253
-32
lines changed


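--- a/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
+++ b/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
@@ -26,10 +26,23 @@ string permissionsForJob(Job job) {
 "{" + concat(string permission | permission = jobNeedsPermission(job) | permission, ", ") + "}"
 }
 
+predicate jobHasPermissions(Job job) {
+exists(job.getPermissions())
+or
+exists(job.getEnclosingWorkflow().getPermissions())
+or
+// The workflow is reusable and cannot be triggered in any other way; check callers
+exists(ReusableWorkflow r | r = job.getEnclosingWorkflow() |
+not exists(Event e | e = r.getOn().getAnEvent() | e.getName() != "workflow_call") and
+forall(Job caller | caller = job.getEnclosingWorkflow().(ReusableWorkflow).getACaller() |
+jobHasPermissions(caller)
+)
+)
+}
+
 from Job job, string permissions
 where
-not exists(job.getPermissions()) and
-not exists(job.getEnclosingWorkflow().getPermissions()) and
+not jobHasPermissions(job) and
 // exists a trigger event that is not a workflow_call
 exists(Event e |
 e = job.getATriggerEvent() and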
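Review bot: In `jobHasPermissions`, the `forall` over `getACaller()` holds vacuously when the database contains no caller, so a workflow that is triggered only by `workflow_call` and is called solely from other repositories is treated as having permissions set. Whether that can hide a result depends on the trigger-event condition that continues below this hunk, so either add `exists(r.getACaller()) and` before the `forall`, or state the assumption in a QLDoc comment on the predicate, e.g. `/** Holds if the job, its workflow, or every caller found in the database (for a workflow_call-only workflow) sets permissions. */`. The `forall` can also range over `r.getACaller()` instead of repeating the cast `job.getEnclosingWorkflow().(ReusableWorkflow)`.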
Lines changed: 4 additions & 0 deletions
@@ -0,0 +1,4 @@
1+
---
2+
category: minorAnalysis
3+
---
4+
* The query `actions/missing-workflow-permissions` no longer produces false positive results on reusable workflows where all callers set permissions.
Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
on:
2+
workflow_call:
3+
4+
jobs:
5+
build:
6+
name: Build and test
7+
runs-on: ubuntu-latest
8+
steps:
9+
- uses: actions/deploy-pages
Lines changed: 11 additions & 0 deletions
@@ -0,0 +1,11 @@
1+
on:
2+
workflow_dispatch:
3+
4+
permissions:
5+
contents: read
6+
id-token: write
7+
pages: write
8+
9+
jobs:
10+
call-workflow:
11+
uses: ./.github/workflows/perms11.yml

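--- a/cpp/ql/integration-tests/query-suite/cpp-code-scanning.qls.expected
+++ b/cpp/ql/integration-tests/query-suite/cpp-code-scanning.qls.expected
@@ -7,10 +7,12 @@ ql/cpp/ql/src/Diagnostics/ExtractedFiles.ql
 ql/cpp/ql/src/Diagnostics/ExtractionWarnings.ql
 ql/cpp/ql/src/Diagnostics/FailedExtractorInvocations.ql
 ql/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
 ql/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql
 ql/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
 ql/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql
 ql/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql
+ql/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
 ql/cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql
 ql/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql
 ql/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql
@@ -28,6 +30,7 @@ ql/cpp/ql/src/Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql
 ql/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
 ql/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
 ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+ql/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
 ql/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
 ql/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
 ql/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql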

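--- a/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
+++ b/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
@@ -5,7 +5,7 @@
 * @kind problem
 * @problem.severity warning
 * @security-severity 8.1
-* @precision medium
+* @precision high
 * @id cpp/integer-multiplication-cast-to-long
 * @tags reliability
 * security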

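--- a/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
+++ b/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
@@ -5,7 +5,7 @@
 * @kind problem
 * @problem.severity error
 * @security-severity 7.5
-* @precision medium
+* @precision high
 * @id cpp/wrong-type-format-argument
 * @tags reliability
 * correctness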

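--- a/cpp/ql/src/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.qhelp
+++ b/cpp/ql/src/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.qhelp
@@ -14,6 +14,9 @@ function may behave unpredictably.</p>
 <p>This may indicate a misspelled function name, or that the required header containing
 the function declaration has not been included.</p>
 
+<p>Note: This query is not compatible with <code>build mode: none</code> databases, and produces
+no results on those databases.</p>
+
 </overview>
 <recommendation>
 <p>Provide an explicit declaration of the function before invoking it.</p>
@@ -26,4 +29,4 @@ the function declaration has not been included.</p>
 <references>
 <li>SEI CERT C Coding Standard: <a href="https://wiki.sei.cmu.edu/confluence/display/c/DCL31-C.+Declare+identifiers+before+using+them">DCL31-C. Declare identifiers before using them</a></li>
 </references>
-</qhelp>
+</qhelp>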

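--- a/cpp/ql/src/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.ql
+++ b/cpp/ql/src/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.ql
@@ -5,7 +5,7 @@
 * may lead to unpredictable behavior.
 * @kind problem
 * @problem.severity warning
-* @precision medium
+* @precision high
 * @id cpp/implicit-function-declaration
 * @tags correctness
 * maintainability
@@ -17,6 +17,11 @@ import TooFewArguments
 import TooManyArguments
 import semmle.code.cpp.commons.Exclusions
 
+/*
+* This query is not compatible with build mode: none databases, and produces
+* no results on those databases.
+*/
+
 predicate locInfo(Locatable e, File file, int line, int col) {
 e.getFile() = file and
 e.getLocation().getStartLine() = line and
@@ -39,6 +44,7 @@ predicate isCompiledAsC(File f) {
 from FunctionDeclarationEntry fdeIm, FunctionCall fc
 where
 isCompiledAsC(fdeIm.getFile()) and
+not any(Compilation c).buildModeNone() and
 not isFromMacroDefinition(fc) and
 fdeIm.isImplicit() and
 sameLocation(fdeIm, fc) and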
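Review bot: The added conjunct `not any(Compilation c).buildModeNone()` is not tied to `fdeIm` or `fc`, so a single build-mode-none compilation anywhere in the database suppresses every result of this query. The block comment that explains the incompatibility sits between the imports and `locInfo`, far from the condition. A short comment on the conjunct itself, such as `// database-wide: no results at all if any compilation used build mode none`, would keep the intent next to the code. If per-file suppression was intended instead, the condition would have to relate `c` to `fdeIm.getFile()`. The rest of the `where` clause continues outside the hunk.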

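--- a/cpp/ql/src/Likely Bugs/Underspecified Functions/MistypedFunctionArguments.qll
+++ b/cpp/ql/src/Likely Bugs/Underspecified Functions/MistypedFunctionArguments.qll
@@ -79,9 +79,7 @@ private predicate hasZeroParamDecl(Function f) {
 
 // True if this file (or header) was compiled as a C file
 private predicate isCompiledAsC(File f) {
-f.compiledAsC()
-or
-exists(File src | isCompiledAsC(src) | src.getAnIncludedFile() = f)
+exists(File src | src.compiledAsC() | src.getAnIncludedFile*() = f)
 }
 
 predicate mistypedFunctionArguments(FunctionCall fc, Function f, Parameter p) {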
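Review bot: `isCompiledAsC` is rewritten here with `getAnIncludedFile*()`, but `ImplicitFunctionDeclaration.ql` declares its own `predicate isCompiledAsC(File f)` (visible in that file's hunk header), and its body is not shown on this page. If that copy still uses the recursive form, the two definitions now differ in shape for the same meaning; sharing one non-private predicate would avoid the drift. The `//` comment above the predicate could also become QLDoc that names the transitive case, e.g. `/** Holds if f is compiled as C or is transitively included by a file compiled as C. */`.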
