Merge branch 'main' into cursor/fix-path-injection-codeql-05f4

Author: msukkari

.github/workflows/deploy-railway.yml

@@ -1,5 +1,7 @@
 name: Deploy to Railway
 
+permissions: {}
+
 on:
   workflow_run:
     workflows: ["Release Sourcebot (Development)"]

.github/workflows/trivy-vulnerability-triage.yml

@@ -341,7 +341,7 @@ jobs:
             fi
 
             EXTRACTED=$(echo "$BODY" | jq '[.[] | {
-              id: ("codeql:" + (.rule.id // "") + "#" + ((.number // 0) | tostring)),
+              id: ("codeql:" + (.rule.id // "")),
               number: .number,
               rule_id: (.rule.id // ""),
               rule_description: (.rule.description // ""),
@@ -394,15 +394,15 @@ jobs:
           claude_args: |
             --allowedTools Bash,Read,Write,Edit,Glob,Grep,WebSearch,WebFetch
             --model claude-sonnet-4-6
-            --json-schema '{"type":"object","properties":{"cves":{"type":"array","items":{"type":"object","properties":{"cveId":{"type":"string","description":"CVE ID, GHSA ID, or codeql:<rule-id>"},"severity":{"type":"string","enum":["CRITICAL","HIGH","MEDIUM","LOW"]},"source":{"type":"string","enum":["trivy","dependabot","codeql","trivy+dependabot"],"description":"Which scanner(s) reported this finding"},"title":{"type":"string","description":"Short summary for the Linear issue title"},"description":{"type":"string","description":"Markdown analysis: affected packages, direct vs transitive, remediation steps, and references"},"affectedPackage":{"type":"string"},"linearIssueExists":{"type":"boolean"}},"required":["cveId","severity","source","title","description","affectedPackage","linearIssueExists"]}}},"required":["cves"]}'
+            --json-schema '{"type":"object","properties":{"cves":{"type":"array","items":{"type":"object","properties":{"cveId":{"type":"string","description":"CVE ID, GHSA ID, or codeql:<rule-id>"},"severity":{"type":"string","enum":["CRITICAL","HIGH","MEDIUM","LOW"]},"source":{"type":"string","enum":["trivy","dependabot","codeql","trivy+dependabot"],"description":"Which scanner(s) reported this finding"},"title":{"type":"string","description":"Short summary for the Linear issue title"},"description":{"type":"string","description":"Markdown analysis: affected packages, direct vs transitive, remediation steps, and references"},"affectedPackage":{"type":"string"},"linearIssueExists":{"type":"boolean"},"linearIssueId":{"type":"string","description":"The Linear issue UUID if a matching issue was found, empty string otherwise"},"linearIssueClosed":{"type":"boolean","description":"True if the matching Linear issue is in a completed or canceled state"}},"required":["cveId","severity","source","title","description","affectedPackage","linearIssueExists","linearIssueId","linearIssueClosed"]}}},"required":["cves"]}'
           prompt: |
             You are a security engineer triaging vulnerabilities and security findings for the Sourcebot Docker image.
             You have three data sources to analyze. Each is a JSON array where every entry has a pre-computed
             `id` field for deterministic deduplication:
 
             1. **Trivy scan results** in `trivy-alerts.json` — each entry has `id` (CVE ID, e.g., `CVE-2024-1234`)
             2. **Dependabot alerts** in `dependabot-alerts.json` — each entry has `id` (CVE ID or GHSA ID)
-            3. **CodeQL alerts** in `codeql-alerts.json` — each entry has `id` (prefixed, e.g., `codeql:js/sql-injection#33`)
+            3. **CodeQL alerts** in `codeql-alerts.json` — each entry has `id` (prefixed, e.g., `codeql:js/sql-injection`). Multiple entries may share the same `id` (same rule, different locations).
 
             ## Your Task
 
@@ -419,19 +419,20 @@ jobs:
                - Include the affected package, severity, remediation steps, and whether it is direct or transitive.
 
             4. For **CodeQL findings**:
-               - Each CodeQL alert is a **separate finding** — do NOT group alerts by rule ID. Two alerts with the
-                 same rule but different files/locations must be separate entries.
-               - Use the `id` field as `cveId` (e.g., `codeql:js/path-injection#18`).
+               - **Group all alerts with the same `id` (rule ID) into a single entry.** Multiple alerts for
+                 the same rule in different files/locations should produce ONE finding, not separate ones.
+               - Use the `id` field as `cveId` (e.g., `codeql:js/path-injection`).
                - Set `source` to `"codeql"`.
-               - Set `affectedPackage` to the file path from `location_path`.
+               - Set `affectedPackage` to a comma-separated list of affected file paths, or the primary one
+                 if there are many.
                - Normalize `security_severity_level` to uppercase (CRITICAL/HIGH/MEDIUM/LOW).
-               - The `description` should include:
+               - The `description` MUST include details for **every alert instance** in the group:
                  - The rule ID and what it detects
-                 - The exact file path and line number(s) from the alert
-                 - A link to the alert URL (`html_url`)
-                 - An explanation of the specific code at that location and why it's flagged
+                 - For **each** alert: the exact file path, line number(s), and a link to its alert URL (`html_url`)
+                 - For **each** alert: an explanation of the specific code at that location and why it's flagged
                  - Concrete remediation steps with code examples where possible
                  - A link to the CodeQL rule documentation
+                 - A summary count (e.g., "This rule was triggered in 3 locations:")
 
             5. For each finding, determine:
                - A short `title` suitable for a Linear issue title.
@@ -443,17 +444,19 @@ jobs:
 
             7. **Check Linear for existing issues** for each finding:
                - For each `cveId`, run a GraphQL query against the Linear API to search for issues
-                 whose title contains that ID.
-               - **Important**: Exclude cancelled issues so that previously cancelled/rejected findings
-                 can be re-created. Use a state type filter to only match active issues.
+                 whose title contains that ID. Search ALL issues regardless of state (open, completed, cancelled).
                - Use the following curl command pattern:
                  ```
                  curl -s -X POST https://api.linear.app/graphql \
                    -H "Content-Type: application/json" \
                    -H "Authorization: $LINEAR_API_KEY" \
-                   -d '{"query": "query { issues(filter: { team: { id: { eq: \"'$LINEAR_TEAM_ID'\" } }, title: { contains: \"<ID>\" }, state: { type: { nin: [\"canceled\"] } } }) { nodes { id title } } }"}'
+                   -d '{"query": "query { issues(filter: { team: { id: { eq: \"'$LINEAR_TEAM_ID'\" } }, title: { contains: \"<ID>\" } }) { nodes { id title state { type } } } }"}'
                  ```
                - Set `linearIssueExists` to `true` if any matching issue is found, `false` otherwise.
+               - If multiple issues match, prefer the one with an open state (i.e., state type is NOT `"completed"` or `"canceled"`).
+                 Only use a closed issue if no open issue exists for that finding.
+               - Set `linearIssueId` to the `id` (UUID) of the selected matching issue, or `""` if none found.
+               - Set `linearIssueClosed` to `true` if the selected issue's `state.type` is `"completed"` or `"canceled"`, `false` otherwise.
 
             8. Return the structured JSON with all findings in the `cves` array.
 
@@ -472,7 +475,7 @@ jobs:
           echo "| ID | Source | Severity | Package | Linear Status |" >> "$GITHUB_STEP_SUMMARY"
           echo "|----|--------|----------|---------|---------------|" >> "$GITHUB_STEP_SUMMARY"
 
-          echo "$STRUCTURED_OUTPUT" | jq -r '.cves[] | "| \(.cveId) | \(.source) | \(.severity) | \(.affectedPackage) | \(if .linearIssueExists then "Existing" else "New" end) |"' >> "$GITHUB_STEP_SUMMARY"
+          echo "$STRUCTURED_OUTPUT" | jq -r '.cves[] | "| \(.cveId) | \(.source) | \(.severity) | \(.affectedPackage) | \(if .linearIssueClosed then "Reopen" elif .linearIssueExists then "Existing" else "New" end) |"' >> "$GITHUB_STEP_SUMMARY"
 
           echo "" >> "$GITHUB_STEP_SUMMARY"
           echo "### Details" >> "$GITHUB_STEP_SUMMARY"
@@ -526,6 +529,7 @@ jobs:
 
           CREATED_COUNT=0
           SKIPPED_COUNT=0
+          REOPENED_COUNT=0
           FAILED_COUNT=0
 
           echo "## Linear Issue Creation" >> "$GITHUB_STEP_SUMMARY"
@@ -542,13 +546,49 @@ jobs:
             TITLE=$(echo "$cve" | jq -r '.title')
             DESCRIPTION=$(echo "$cve" | jq -r '.description')
             LINEAR_EXISTS=$(echo "$cve" | jq -r '.linearIssueExists')
+            LINEAR_ISSUE_ID=$(echo "$cve" | jq -r '.linearIssueId')
+            LINEAR_CLOSED=$(echo "$cve" | jq -r '.linearIssueClosed')
 
-            if [ "$LINEAR_EXISTS" = "true" ]; then
-              echo "Skipping $CVE_ID — Linear issue already exists."
+            if [ "$LINEAR_EXISTS" = "true" ] && [ "$LINEAR_CLOSED" = "false" ]; then
+              echo "Skipping $CVE_ID — Linear issue already exists and is open."
               SKIPPED_COUNT=$((SKIPPED_COUNT + 1))
               continue
             fi
 
+            if [ "$LINEAR_EXISTS" = "true" ] && [ "$LINEAR_CLOSED" = "true" ]; then
+              # Reopen the closed issue by setting its state back to Triage
+              if [ -z "$STATE_ID" ]; then
+                echo "::warning::Cannot reopen $CVE_ID — no Triage state found. Skipping."
+                SKIPPED_COUNT=$((SKIPPED_COUNT + 1))
+                continue
+              fi
+
+              REOPEN_MUTATION='mutation($issueId: String!, $stateId: String!) { issueUpdate(id: $issueId, input: { stateId: $stateId }) { success issue { id identifier url } } }'
+              REOPEN_VARIABLES=$(jq -n \
+                --arg issueId "$LINEAR_ISSUE_ID" \
+                --arg stateId "$STATE_ID" \
+                '{issueId: $issueId, stateId: $stateId}')
+              REOPEN_PAYLOAD=$(jq -n --arg query "$REOPEN_MUTATION" --argjson vars "$REOPEN_VARIABLES" '{query: $query, variables: $vars}')
+
+              REOPEN_RESPONSE=$(curl -s -X POST https://api.linear.app/graphql \
+                -H "Content-Type: application/json" \
+                -H "Authorization: $LINEAR_API_KEY" \
+                -d "$REOPEN_PAYLOAD")
+
+              REOPEN_URL=$(echo "$REOPEN_RESPONSE" | jq -r '.data.issueUpdate.issue.url // empty')
+              if [ -n "$REOPEN_URL" ]; then
+                echo "Reopened Linear issue for $CVE_ID: $REOPEN_URL"
+                echo "- Reopened [$CVE_ID]($REOPEN_URL) (moved back to Triage)" >> "$GITHUB_STEP_SUMMARY"
+                REOPENED_COUNT=$((REOPENED_COUNT + 1))
+              else
+                echo "::error::Failed to reopen Linear issue for $CVE_ID"
+                echo "$REOPEN_RESPONSE" | jq .
+                FAILED_COUNT=$((FAILED_COUNT + 1))
+              fi
+              continue
+            fi
+
+            # Create new issue
             PRIORITY=$(severity_to_priority "$SEVERITY")
             ISSUE_TITLE="[$REPOSITORY] $CVE_ID: $TITLE"
 
@@ -587,7 +627,7 @@ jobs:
           done < /tmp/cves.jsonl
 
           echo "" >> "$GITHUB_STEP_SUMMARY"
-          echo "**Summary:** Created $CREATED_COUNT issue(s), skipped $SKIPPED_COUNT existing issue(s), failed $FAILED_COUNT issue(s)." >> "$GITHUB_STEP_SUMMARY"
+          echo "**Summary:** Created $CREATED_COUNT issue(s), reopened $REOPENED_COUNT issue(s), skipped $SKIPPED_COUNT existing issue(s), failed $FAILED_COUNT issue(s)." >> "$GITHUB_STEP_SUMMARY"
 
           if [ "$FAILED_COUNT" -gt 0 ]; then
             echo "::error::Failed to create $FAILED_COUNT Linear issue(s)"

CHANGELOG.md

@@ -11,6 +11,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Fixed revision selection so the 64-revision cap prefers the newest matching branches and tags instead of pruning by ref-name order. [#1122](https://github.com/sourcebot-dev/sourcebot/pull/1122)
 - Fixed infinite pagination loop in Gitea/Forgejo when an API token can only see a subset of org repos (the `x-total-count` header reports org total while token returns fewer items). [#1130](https://github.com/sourcebot-dev/sourcebot/pull/1130)
 - Fixed path injection vulnerability (CodeQL js/path-injection) in review agent log writing by validating paths stay within the expected log directory. [#1134](https://github.com/sourcebot-dev/sourcebot/pull/1134)
+- Fixed CodeQL missing-workflow-permissions alert by adding explicit empty permissions to `deploy-railway.yml`. [#1132](https://github.com/sourcebot-dev/sourcebot/pull/1132)
 
 ## [4.16.11] - 2026-04-17