Merge remote-tracking branch 'origin/main' into redsun82/just2

Author: redsun82

MODULE.bazel

@@ -27,7 +27,7 @@ bazel_dep(name = "abseil-cpp", version = "20260107.1", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
 bazel_dep(name = "fmt", version = "12.1.0-codeql.1")
 bazel_dep(name = "rules_kotlin", version = "2.2.2-codeql.1")
-bazel_dep(name = "gazelle", version = "0.47.0")
+bazel_dep(name = "gazelle", version = "0.50.0")
 bazel_dep(name = "rules_dotnet", version = "0.21.5-codeql.1")
 bazel_dep(name = "googletest", version = "1.17.0.bcr.2")
 bazel_dep(name = "rules_rust", version = "0.69.0")

actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql

@@ -20,6 +20,6 @@ from ArtifactPoisoningFlow::PathNode source, ArtifactPoisoningFlow::PathNode sin
 where
   ArtifactPoisoningFlow::flowPath(source, sink) and
   event = getRelevantEventInPrivilegedContext(sink.getNode())
-select sink.getNode(), source, sink,
-  "Potential artifact poisoning in $@, which may be controlled by an external user ($@).", sink,
-  sink.getNode().toString(), event, event.getName()
+select source.getNode(), source, sink,
+  "Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@).",
+  event, event.getName()

actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql

@@ -20,6 +20,5 @@ from ArtifactPoisoningFlow::PathNode source, ArtifactPoisoningFlow::PathNode sin
 where
   ArtifactPoisoningFlow::flowPath(source, sink) and
   inNonPrivilegedContext(sink.getNode().asExpr())
-select sink.getNode(), source, sink,
-  "Potential artifact poisoning in $@, which may be controlled by an external user.", sink,
-  sink.getNode().toString()
+select source.getNode(), source, sink,
+  "Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user."

actions/ql/src/change-notes/2026-04-02-alert-msg-poisoning.md

@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* Fixed alert messages in `actions/artifact-poisoning/critical` and `actions/artifact-poisoning/medium` as they previously included a redundant placeholder in the alert message that would on occasion contain a long block of yml that makes the alert difficult to understand. Also clarify the wording to make it clear that it is not the artifact that is being poisoned, but instead a potentially untrusted artifact that is consumed. Also change the alert location to be the source, to align more with other queries reporting an artifact (e.g. zipslip) which is more useful.

actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added a subclass `AutoconfConfigureTestFile` of `ConfigurationTestFile` that represents files created by GNU autoconf configure scripts to test the build configuration.

cpp/ql/lib/change-notes/2026-04-07-autoconf.md

@@ -42,3 +42,10 @@ class MesonPrivateTestFile extends ConfigurationTestFile {
     )
   }
 }
+
+/**
+ * A file created by a GNU autoconf configure script to test the system configuration.
+ */
+class AutoconfConfigureTestFile extends ConfigurationTestFile {
+  AutoconfConfigureTestFile() { this.getBaseName().regexpMatch("conftest[0-9]*\\.c(pp)?") }
+}

cpp/ql/lib/semmle/code/cpp/ConfigurationTestFile.qll

@@ -0,0 +1,2 @@
+| conftest.c.c:4:3:4:8 | call to strlen | This expression has no effect (because $@ has no external side effects). | conftest.h:3:8:3:13 | strlen | strlen |
+| conftest_abc.c:4:3:4:8 | call to strlen | This expression has no effect (because $@ has no external side effects). | conftest.h:3:8:3:13 | strlen | strlen |

cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/ExprHasNoEffect.expected

@@ -0,0 +1 @@
+Likely Bugs/Likely Typos/ExprHasNoEffect.ql

cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/ExprHasNoEffect.qlref

@@ -0,0 +1,6 @@
+#include "conftest.h"
+
+int main2() {
+  strlen(""); // GOOD: conftest files are ignored
+  return 0;
+}