Merge pull request #18705 from github/dbartol/actions-suite-selectors

dbartol · web-flow · commit 0b2e307f9ae2 · 2025-02-07T14:06:00.000-05:00
Use default query selectors for Actions suites
diff --git a/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql b/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
@@ -2,9 +2,9 @@
  * @name PATH Enviroment Variable built from user-controlled sources
  * @description Building the PATH environment variable from user-controlled sources may alter the execution of following system commands
  * @kind path-problem
- * @problem.severity warning
+ * @problem.severity error
  * @security-severity 5.0
- * @precision high
+ * @precision medium
  * @id actions/envpath-injection/medium
  * @tags actions
  *       security
diff --git a/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql b/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
@@ -2,9 +2,9 @@
  * @name Enviroment Variable built from user-controlled sources
  * @description Building an environment variable from user-controlled sources may alter the execution of following system commands
  * @kind path-problem
- * @problem.severity warning
+ * @problem.severity error
  * @security-severity 5.0
- * @precision high
+ * @precision medium
  * @id actions/envvar-injection/medium
  * @tags actions
  *       security
diff --git a/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql b/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
@@ -3,11 +3,12 @@
  * @description Workflows should contain permissions to provide a clear understanding has permissions to run the workflow.
  * @kind problem
  * @security-severity 5.0
- * @problem.severity recommendation
+ * @problem.severity warning
  * @precision high
  * @id actions/missing-workflow-permissions
  * @tags actions
  *       maintainability
+ *       security
  *       external/cwe/cwe-275
  */
 
diff --git a/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql b/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
@@ -2,7 +2,8 @@
  * @name Excessive Secrets Exposure
  * @description All organization and repository secrets are passed to the workflow runner.
  * @kind problem
- * @problem.severity recommendation
+ * @precision high
+ * @problem.severity warning
  * @id actions/excessive-secrets-exposure
  * @tags actions
  *       security
diff --git a/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql b/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
@@ -2,8 +2,8 @@
  * @name Artifact poisoning
  * @description An attacker may be able to poison the workflow's artifacts and influence on consequent steps.
  * @kind path-problem
- * @problem.severity warning
- * @precision high
+ * @problem.severity error
+ * @precision medium
  * @security-severity 5.0
  * @id actions/artifact-poisoning/medium
  * @tags actions
diff --git a/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql b/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
@@ -3,8 +3,8 @@
  * @description Using a tag for a non-immutable Action that is not pinned to a commit can lead to executing an untrusted Action through a supply chain attack.
  * @kind problem
  * @security-severity 5.0
- * @problem.severity recommendation
- * @precision high
+ * @problem.severity warning
+ * @precision medium
  * @id actions/unpinned-tag
  * @tags security
  *       actions
diff --git a/actions/ql/src/change-notes/2025-02-06-curate-suites.md b/actions/ql/src/change-notes/2025-02-06-curate-suites.md
@@ -0,0 +1,20 @@
+---
+category: breaking
+---
+* The following queries have been removed from the `code-scanning` and `security-extended` suites.
+  Any existing alerts for these queries will be closed automatically.
+  * `actions/if-expression-always-true/critical`
+  * `actions/if-expression-always-true/high`
+  * `actions/unnecessary-use-of-advanced-config`
+  
+* The following query has been moved from the `code-scanning` suite to the `security-extended`
+  suite. Any existing alerts for this query will be closed automatically unless the analysis is
+  configured to use the `security-extended` suite.
+  * `actions/unpinned-tag`
+* The following queries have been added to the `security-extended` suite.
+  * `actions/unversioned-immutable-action`
+  * `actions/envpath-injection/medium`
+  * `actions/envvar-injection/medium`
+  * `actions/code-injection/medium`
+  * `actions/artifact-poisoning/medium`
+  * `actions/untrusted-checkout/medium`
diff --git a/actions/ql/src/codeql-suites/actions-code-scanning.qls b/actions/ql/src/codeql-suites/actions-code-scanning.qls
@@ -1,11 +1,4 @@
 - description: Standard Code Scanning queries for GitHub Actions
-- queries: '.'
-- include:
-    problem.severity: 
-      - error
-      - recommendation
-- exclude:
-    tags contain:
-      - experimental
-      - debug
-      - internal
+- queries: .
+- apply: code-scanning-selectors.yml
+  from: codeql/suite-helpers
diff --git a/actions/ql/src/codeql-suites/actions-security-extended.qls b/actions/ql/src/codeql-suites/actions-security-extended.qls
@@ -1,2 +1,4 @@
 - description: Security-extended queries for GitHub Actions
-- import: codeql-suites/actions-code-scanning.qls
+- queries: .
+- apply: security-extended-selectors.yml
+  from: codeql/suite-helpers
