Merge branch 'main' into rust-update-stdlib-models

Author: paldepind

actions/ql/lib/CHANGELOG.md

@@ -4,7 +4,9 @@ No user-facing changes.
 
 ## 0.4.7
 
-No user-facing changes.
+### New Features
+
+* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.
 
 ## 0.4.6
 

actions/ql/lib/change-notes/released/0.4.7.md

@@ -1,3 +1,5 @@
 ## 0.4.7
 
-No user-facing changes.
+### New Features
+
+* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.

actions/ql/src/CHANGELOG.md

@@ -20,6 +20,10 @@
 
 ## 0.5.4
 
+### New Features
+
+* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.
+
 ### Bug Fixes
 
 * Alerts produced by the query `actions/missing-workflow-permissions` now include a minimal set of recommended permissions in the alert message, based on well-known actions seen within the workflow file.

actions/ql/src/change-notes/released/0.5.4.md

@@ -1,5 +1,9 @@
 ## 0.5.4
 
+### New Features
+
+* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.
+
 ### Bug Fixes
 
 * Alerts produced by the query `actions/missing-workflow-permissions` now include a minimal set of recommended permissions in the alert message, based on well-known actions seen within the workflow file.

actions/ql/src/codeql-suites/actions-code-quality.qls

@@ -1 +1,3 @@
-[]
+- queries: .
+- apply: code-quality-selectors.yml
+  from: codeql/suite-helpers

cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql

@@ -44,6 +44,10 @@ module CastToPointerArithFlowConfig implements DataFlow::StateConfigSig {
     ) and
     getFullyConvertedType(node) = state
   }
+
+  predicate isBarrierIn(DataFlow::Node node) { isSource(node, _) }
+
+  predicate isBarrierOut(DataFlow::Node node) { isSink(node, _) }
 }
 
 /**

cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql

@@ -8,7 +8,7 @@
  * @security-severity 7.8
  * @precision high
  * @tags security
- *       external/cwe/cwe-14
+ *       external/cwe/cwe-014
  */
 
 import cpp

cpp/ql/src/Security/CWE/CWE-020/CountUntrustedDataToExternalAPI.ql

@@ -5,7 +5,7 @@
  *              to it.
  * @id cpp/count-untrusted-data-external-api
  * @kind table
- * @tags security external/cwe/cwe-20
+ * @tags security external/cwe/cwe-020
  */
 
 import cpp

cpp/ql/src/Security/CWE/CWE-020/IRCountUntrustedDataToExternalAPI.ql

@@ -5,7 +5,7 @@
  *              to it.
  * @id cpp/count-untrusted-data-external-api-ir
  * @kind table
- * @tags security external/cwe/cwe-20
+ * @tags security external/cwe/cwe-020
  */
 
 import cpp

cpp/ql/src/Security/CWE/CWE-020/IRUntrustedDataToExternalAPI.ql

@@ -6,7 +6,7 @@
  * @precision low
  * @problem.severity error
  * @security-severity 7.8
- * @tags security external/cwe/cwe-20
+ * @tags security external/cwe/cwe-020
  */
 
 import cpp

cpp/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql

@@ -6,7 +6,7 @@
  * @precision low
  * @problem.severity error
  * @security-severity 7.8
- * @tags security external/cwe/cwe-20
+ * @tags security external/cwe/cwe-020
  */
 
 import cpp

cpp/ql/src/change-notes/2025-05-01-cwe-tag-changed.md

@@ -0,0 +1,9 @@
+---
+category: queryMetadata
+---
+* The tag `external/cwe/cwe-14` has been removed from `cpp/memset-may-be-deleted` and the tag `external/cwe/cwe-014` has been added.
+* The tag `external/cwe/cwe-20` has been removed from `cpp/count-untrusted-data-external-api` and the tag `external/cwe/cwe-020` has been added.
+* The tag `external/cwe/cwe-20` has been removed from `cpp/count-untrusted-data-external-api-ir` and the tag `external/cwe/cwe-020` has been added.
+* The tag `external/cwe/cwe-20` has been removed from `cpp/untrusted-data-to-external-api-ir` and the tag `external/cwe/cwe-020` has been added.
+* The tag `external/cwe/cwe-20` has been removed from `cpp/untrusted-data-to-external-api` and the tag `external/cwe/cwe-020` has been added.
+* The tag `external/cwe/cwe-20` has been removed from `cpp/late-check-of-function-argument` and the tag `external/cwe/cwe-020` has been added.

cpp/ql/src/codeql-suites/cpp-code-quality.qls

@@ -1 +1,3 @@
-[]
+- queries: .
+- apply: code-quality-selectors.yml
+  from: codeql/suite-helpers

cpp/ql/src/experimental/Security/CWE/CWE-020/LateCheckOfFunctionArgument.ql

@@ -10,7 +10,7 @@
  * @tags correctness
  *       security
  *       experimental
- *       external/cwe/cwe-20
+ *       external/cwe/cwe-020
  */
 
 import cpp

cpp/ql/src/utils/modelgenerator/CaptureContentSummaryModels.ql

@@ -7,6 +7,7 @@
  */
 
 import internal.CaptureModels
+import SummaryModels
 
 from DataFlowSummaryTargetApi api, string flow
 where flow = ContentSensitive::captureFlow(api, _)

cpp/ql/src/utils/modelgenerator/CaptureNeutralModels.ql

@@ -7,6 +7,7 @@
  */
 
 import internal.CaptureModels
+import SummaryModels
 
 from DataFlowSummaryTargetApi api, string noflow
 where noflow = captureNeutral(api)

cpp/ql/src/utils/modelgenerator/CaptureSinkModels.ql

@@ -7,8 +7,8 @@
  */
 
 import internal.CaptureModels
-import Heuristic
+import SinkModels
 
 from DataFlowSinkTargetApi api, string sink
-where sink = captureSink(api)
+where sink = Heuristic::captureSink(api)
 select sink order by sink

cpp/ql/src/utils/modelgenerator/CaptureSourceModels.ql

@@ -7,8 +7,8 @@
  */
 
 import internal.CaptureModels
-import Heuristic
+import SourceModels
 
 from DataFlowSourceTargetApi api, string source
-where source = captureSource(api)
+where source = Heuristic::captureSource(api)
 select source order by source

cpp/ql/src/utils/modelgenerator/CaptureSummaryModels.ql

@@ -7,6 +7,7 @@
  */
 
 import internal.CaptureModels
+import SummaryModels
 
 from DataFlowSummaryTargetApi api, string flow
 where flow = captureFlow(api, _)