Merge branch 'main' into v0_2_0

Author: GeekMasher

.github/CODEOWNERS

@@ -1,3 +1,3 @@
 # This project is maintained with love by:
 
-- @pwntester @geekmasher
+- @GitHubSecurityLab/codeql-community-packs-admin

.github/dependabot.yml

@@ -0,0 +1,18 @@
+version: 2
+updates:
+  # ---------- GitHub Actions ----------
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    reviewers:
+      - "GitHubSecurityLab/codeql-community-packs-admin"
+    target-branch: "main"
+    commit-message:
+      prefix: deps
+      prefix-development: chore
+    groups:
+      production-dependencies:
+        dependency-type: "production"
+      development-dependencies:
+        dependency-type: "development"

.github/workflows/ci.yml

@@ -6,7 +6,7 @@ on:
   workflow_dispatch:
 
 env:
-  CODEQL_CLI_VERSION: 2.19.3
+  CODEQL_CLI_VERSION: 2.20.1
 
 jobs:
   compile-and-test:
@@ -18,10 +18,10 @@ jobs:
         language: [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       # Conditionally run actions based on files modified by PR, feature branch or pushed commits
-      - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36
         id: changes
         with:
           filters: |
@@ -126,7 +126,7 @@ jobs:
     steps:
       - name: Check if compile-and-test job failed to complete, if so fail
         if: ${{ needs.compile-and-test.result == 'failure' }}
-        uses: actions/github-script@v3
+        uses: actions/github-script@v7
         with:
           script: |
             core.setFailed('Test run job failed')
@@ -161,11 +161,11 @@ jobs:
         language: [ 'csharp', 'java' ]
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           submodules: true
 
-      - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36
         id: changes
         with:
           filters: |
@@ -196,11 +196,11 @@ jobs:
         language: [ 'csharp', 'java' ]
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           submodules: true
 
-      - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36
         id: changes
         with:
           filters: |
@@ -226,9 +226,9 @@ jobs:
     needs: compile-and-test
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
-      - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36
         id: changes
         with:
           filters: |

.github/workflows/hotspots.yml

@@ -15,15 +15,15 @@ jobs:
       packages: write
     steps:
       - name: Checkout github/codeql
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           path: codeql
           repository: github/codeql
           token: ${{ secrets.GITHUB_TOKEN }}
           fetch-depth: 0
 
       - name: Checkout github/codeql-community-packs
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           path: codeql-community-packs
           repository: githubsecuritylab/codeql-community-packs

.github/workflows/publish.yml

@@ -20,7 +20,7 @@ jobs:
         language: ["cpp", "csharp", "go", "java", "javascript", "python", "ruby"] 
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Initialize CodeQL
         run: |
@@ -32,7 +32,7 @@ jobs:
 
       - name: "Check and publish codeql-LANG-queries (src) pack"
         env:
-          GITHUB_TOKEN: ${{ secrets.GHCR_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           PUBLISHED_VERSION=$(gh api /orgs/githubsecuritylab/packages/container/codeql-${{ matrix.language }}-queries/versions --jq '.[0].metadata.container.tags[0]')
           CURRENT_VERSION=$(grep version ${{ matrix.language }}/src/qlpack.yml | awk '{print $2}')
@@ -57,7 +57,7 @@ jobs:
         language: ["cpp", "csharp", "go", "java", "javascript", "python", "ruby"] 
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Initialize CodeQL
         run: |
@@ -69,7 +69,7 @@ jobs:
 
       - name: "Check and publish codeql-LANG-libs (lib) pack"
         env:
-          GITHUB_TOKEN: ${{ secrets.GHCR_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           PUBLISHED_VERSION=$(gh api /orgs/githubsecuritylab/packages/container/codeql-${{ matrix.language }}-libs/versions --jq '.[0].metadata.container.tags[0]')
           CURRENT_VERSION=$(grep version ${{ matrix.language }}/lib/qlpack.yml | awk '{print $2}')
@@ -84,13 +84,17 @@ jobs:
   extensions:
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+      packages: write
+
     strategy:
       fail-fast: false
       matrix:
         language: ["csharp", "java"]
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Initialize CodeQL
         run: |
@@ -102,7 +106,7 @@ jobs:
 
       - name: Check and publish codeql-LANG-extensions (ext) pack
         env:
-          GITHUB_TOKEN: ${{ secrets.GHCR_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           PUBLISHED_VERSION=$(gh api /orgs/githubsecuritylab/packages/container/codeql-${{ matrix.language }}-extensions/versions --jq '.[0].metadata.container.tags[0]')
           CURRENT_VERSION=$(grep version ${{ matrix.language }}/ext/qlpack.yml | awk '{print $2}')
@@ -117,13 +121,17 @@ jobs:
   library_sources_extensions:
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+      packages: write
+
     strategy:
       fail-fast: false
       matrix:
         language: ["csharp", "java"]
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Initialize CodeQL
         run: |
@@ -135,7 +143,7 @@ jobs:
 
       - name: Check and publish codeql-LANG-library-sources (ext-library-sources) pack
         env:
-          GITHUB_TOKEN: ${{ secrets.GHCR_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           PUBLISHED_VERSION=$(gh api /orgs/githubsecuritylab/packages/container/codeql-${{ matrix.language }}-library-sources/versions --jq '.[0].metadata.container.tags[0]')
           CURRENT_VERSION=$(grep version ${{ matrix.language }}/ext-library-sources/qlpack.yml | awk '{print $2}')

.github/workflows/update-release.yml

@@ -23,10 +23,10 @@ jobs:
 
       - name: Get Token
         id: get_workflow_token
-        uses: peter-murray/workflow-application-token-action@8e4e6fbf6fcc8a272781d97597969d21b3812974 # v4.0.0
+        uses: actions/create-github-app-token@v1
         with:
-          application_id: ${{ secrets.SECLABS_APP_ID }}
-          application_private_key: ${{ secrets.SECLABS_APP_KEY }}
+          app-id: ${{ secrets.SECLABS_APP_ID }}
+          private-key: ${{ secrets.SECLABS_APP_KEY }}
 
       - name: "Patch Release Me"
         uses: 42ByteLabs/patch-release-me@1e802ecb51cf4c5869cb77563df59b2fbe6f584c # 0.4.1

cpp/lib/codeql-pack.lock.yml

@@ -2,23 +2,23 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/cpp-all:
-    version: 2.1.0
+    version: 3.1.0
   codeql/dataflow:
-    version: 1.1.5
+    version: 1.1.8
   codeql/mad:
-    version: 1.0.11
+    version: 1.0.14
   codeql/rangeanalysis:
-    version: 1.0.11
+    version: 1.0.14
   codeql/ssa:
-    version: 1.0.11
+    version: 1.0.14
   codeql/tutorial:
-    version: 1.0.11
+    version: 1.0.14
   codeql/typeflow:
-    version: 1.0.11
+    version: 1.0.14
   codeql/typetracking:
-    version: 1.0.11
+    version: 1.0.14
   codeql/util:
-    version: 1.0.11
+    version: 2.0.1
   codeql/xml:
-    version: 1.0.11
+    version: 1.0.14
 compiled: false

cpp/src/codeql-pack.lock.yml

@@ -2,27 +2,27 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/cpp-all:
-    version: 2.1.0
+    version: 3.1.0
   codeql/cpp-queries:
-    version: 1.2.6
+    version: 1.3.1
   codeql/dataflow:
-    version: 1.1.5
+    version: 1.1.8
   codeql/mad:
-    version: 1.0.11
+    version: 1.0.14
   codeql/rangeanalysis:
-    version: 1.0.11
+    version: 1.0.14
   codeql/ssa:
-    version: 1.0.11
+    version: 1.0.14
   codeql/suite-helpers:
-    version: 1.0.11
+    version: 1.0.14
   codeql/tutorial:
-    version: 1.0.11
+    version: 1.0.14
   codeql/typeflow:
-    version: 1.0.11
+    version: 1.0.14
   codeql/typetracking:
-    version: 1.0.11
+    version: 1.0.14
   codeql/util:
-    version: 1.0.11
+    version: 2.0.1
   codeql/xml:
-    version: 1.0.11
+    version: 1.0.14
 compiled: false

cpp/test/codeql-pack.lock.yml

@@ -2,27 +2,27 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/cpp-all:
-    version: 2.1.0
+    version: 3.1.0
   codeql/cpp-queries:
-    version: 1.2.6
+    version: 1.3.1
   codeql/dataflow:
-    version: 1.1.5
+    version: 1.1.8
   codeql/mad:
-    version: 1.0.11
+    version: 1.0.14
   codeql/rangeanalysis:
-    version: 1.0.11
+    version: 1.0.14
   codeql/ssa:
-    version: 1.0.11
+    version: 1.0.14
   codeql/suite-helpers:
-    version: 1.0.11
+    version: 1.0.14
   codeql/tutorial:
-    version: 1.0.11
+    version: 1.0.14
   codeql/typeflow:
-    version: 1.0.11
+    version: 1.0.14
   codeql/typetracking:
-    version: 1.0.11
+    version: 1.0.14
   codeql/util:
-    version: 1.0.11
+    version: 2.0.1
   codeql/xml:
-    version: 1.0.11
+    version: 1.0.14
 compiled: false

csharp/lib/codeql-pack.lock.yml

@@ -2,23 +2,23 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/controlflow:
-    version: 1.0.11
+    version: 1.0.14
   codeql/csharp-all:
-    version: 3.1.0
+    version: 4.0.1
   codeql/dataflow:
-    version: 1.1.5
+    version: 1.1.8
   codeql/mad:
-    version: 1.0.11
+    version: 1.0.14
   codeql/ssa:
-    version: 1.0.11
+    version: 1.0.14
   codeql/threat-models:
-    version: 1.0.11
+    version: 1.0.14
   codeql/tutorial:
-    version: 1.0.11
+    version: 1.0.14
   codeql/typetracking:
-    version: 1.0.11
+    version: 1.0.14
   codeql/util:
-    version: 1.0.11
+    version: 2.0.1
   codeql/xml:
-    version: 1.0.11
+    version: 1.0.14
 compiled: false

csharp/src/audit/explore/Dependencies.ql

@@ -9,7 +9,7 @@
 
 private import csharp
 private import semmle.code.csharp.dispatch.Dispatch
-private import Telemetry.ExternalApi
+private import semmle.code.csharp.telemetry.ExternalApi
 
 private predicate getRelevantUsages(string namespace, int usages) {
   usages =