github
diff --git a/‎actions/ql/lib/codeql/actions/dataflow/FlowSources.qll
Lines changed: 7 additions & 8 deletions b/‎actions/ql/lib/codeql/actions/dataflow/FlowSources.qll
Lines changed: 7 additions & 8 deletions
diff --git a/‎actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll
Lines changed: 2 additions & 4 deletions b/‎actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll
Lines changed: 2 additions & 4 deletions
diff --git a/‎actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
Lines changed: 15 additions & 15 deletions b/‎actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
Lines changed: 15 additions & 15 deletions
diff --git a/‎actions/ql/lib/codeql/actions/security/ControlChecks.qll
Lines changed: 1 addition & 4 deletions b/‎actions/ql/lib/codeql/actions/security/ControlChecks.qll
Lines changed: 1 addition & 4 deletions
diff --git a/‎actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll
Lines changed: 2 additions & 10 deletions b/‎actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll
Lines changed: 2 additions & 10 deletions
diff --git a/‎actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll
Lines changed: 2 additions & 6 deletions b/‎actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll
Lines changed: 2 additions & 6 deletions
diff --git a/‎actions/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll
Lines changed: 1 addition & 3 deletions b/‎actions/ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll
Lines changed: 1 addition & 3 deletions
diff --git a/‎cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticExpr.qll
Lines changed: 1 addition & 2 deletions b/‎cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticExpr.qll
Lines changed: 1 addition & 2 deletions
diff --git a/‎cpp/ql/src/Security/CWE/CWE-457/UninitializedVariables.qll
Lines changed: 17 additions & 16 deletions b/‎cpp/ql/src/Security/CWE/CWE-457/UninitializedVariables.qll
Lines changed: 17 additions & 16 deletions
diff --git a/‎cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
Lines changed: 7 additions & 6 deletions b/‎cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
Lines changed: 7 additions & 6 deletions
@@ -31,14 +31,14 @@ abstract class RemoteFlowSource extends SourceNode {
 class GitHubCtxSource extends RemoteFlowSource {
   string flag;
   string event;
-  GitHubExpression e;
 
   GitHubCtxSource() {
-    this.asExpr() = e and
-    // github.head_ref
-    e.getFieldName() = "head_ref" and
-    flag = "branch" and
-    (
+    exists(GitHubExpression e |
+      this.asExpr() = e and
+      // github.head_ref
+      e.getFieldName() = "head_ref" and
+      flag = "branch"
+    |
       event = e.getATriggerEvent().getName() and
       event = "pull_request_target"
       or
@@ -148,7 +148,6 @@ class GhCLICommandSource extends RemoteFlowSource, CommandSource {
 class GitHubEventPathSource extends RemoteFlowSource, CommandSource {
   string cmd;
   string flag;
-  string access_path;
   Run run;
 
   // Examples
@@ -163,7 +162,7 @@ class GitHubEventPathSource extends RemoteFlowSource, CommandSource {
     run.getScript().getACommand() = cmd and
     cmd.matches("jq%") and
     cmd.matches("%GITHUB_EVENT_PATH%") and
-    exists(string regexp |
+    exists(string regexp, string access_path |
       untrustedEventPropertiesDataModel(regexp, flag) and
       not flag = "json" and
       access_path = "github.event" + cmd.regexpCapture(".*\\s+([^\\s]+)\\s+.*", 1) and
 
@@ -19,7 +19,6 @@ abstract class ArgumentInjectionSink extends DataFlow::Node {
  */
 class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink {
   string command;
-  string argument;
 
   ArgumentInjectionFromEnvVarSink() {
     exists(Run run, string var |
@@ -28,7 +27,7 @@ class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink {
         exists(run.getInScopeEnvVarExpr(var)) or
         var = "GITHUB_HEAD_REF"
       ) and
-      run.getScript().getAnEnvReachingArgumentInjectionSink(var, command, argument)
+      run.getScript().getAnEnvReachingArgumentInjectionSink(var, command, _)
     )
   }
 
@@ -44,13 +43,12 @@ class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink {
  */
 class ArgumentInjectionFromCommandSink extends ArgumentInjectionSink {
   string command;
-  string argument;
 
   ArgumentInjectionFromCommandSink() {
     exists(CommandSource source, Run run |
       run = source.getEnclosingRun() and
       this.asExpr() = run.getScript() and
-      run.getScript().getACmdReachingArgumentInjectionSink(source.getCommand(), command, argument)
+      run.getScript().getACmdReachingArgumentInjectionSink(source.getCommand(), command, _)
     )
   }
 
 
@@ -125,8 +125,6 @@ class LegitLabsDownloadArtifactActionStep extends UntrustedArtifactDownloadStep,
 }
 
 class ActionsGitHubScriptDownloadStep extends UntrustedArtifactDownloadStep, UsesStep {
-  string script;
-
   ActionsGitHubScriptDownloadStep() {
     // eg:
     // - uses: actions/github-script@v6
@@ -149,12 +147,14 @@ class ActionsGitHubScriptDownloadStep extends UntrustedArtifactDownloadStep, Use
     //      var fs = require('fs');
     //      fs.writeFileSync('${{github.workspace}}/test-results.zip', Buffer.from(download.data));
     this.getCallee() = "actions/github-script" and
-    this.getArgument("script") = script and
-    script.matches("%listWorkflowRunArtifacts(%") and
-    script.matches("%downloadArtifact(%") and
-    script.matches("%writeFileSync(%") and
-    // Filter out artifacts that were created by pull-request.
-    not script.matches("%exclude_pull_requests: true%")
+    exists(string script |
+      this.getArgument("script") = script and
+      script.matches("%listWorkflowRunArtifacts(%") and
+      script.matches("%downloadArtifact(%") and
+      script.matches("%writeFileSync(%") and
+      // Filter out artifacts that were created by pull-request.
+      not script.matches("%exclude_pull_requests: true%")
+    )
   }
 
   override string getPath() {
@@ -259,15 +259,15 @@ class DirectArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run {
 
 class ArtifactPoisoningSink extends DataFlow::Node {
   UntrustedArtifactDownloadStep download;
-  PoisonableStep poisonable;
 
   ArtifactPoisoningSink() {
-    download.getAFollowingStep() = poisonable and
-    // excluding artifacts downloaded to the temporary directory
-    not download.getPath().regexpMatch("^/tmp.*") and
-    not download.getPath().regexpMatch("^\\$\\{\\{\\s*runner\\.temp\\s*}}.*") and
-    not download.getPath().regexpMatch("^\\$RUNNER_TEMP.*") and
-    (
+    exists(PoisonableStep poisonable |
+      download.getAFollowingStep() = poisonable and
+      // excluding artifacts downloaded to the temporary directory
+      not download.getPath().regexpMatch("^/tmp.*") and
+      not download.getPath().regexpMatch("^\\$\\{\\{\\s*runner\\.temp\\s*}}.*") and
+      not download.getPath().regexpMatch("^\\$RUNNER_TEMP.*")
+    |
       poisonable.(Run).getScript() = this.asExpr() and
       (
         // Check if the poisonable step is a local script execution step
 
@@ -159,11 +159,8 @@ abstract class CommentVsHeadDateCheck extends ControlCheck {
 
 /* Specific implementations of control checks */
 class LabelIfCheck extends LabelCheck instanceof If {
-  string condition;
-
   LabelIfCheck() {
-    condition = normalizeExpr(this.getCondition()) and
-    (
+    exists(string condition | condition = normalizeExpr(this.getCondition()) |
       // eg: contains(github.event.pull_request.labels.*.name, 'safe to test')
       condition.regexpMatch(".*(^|[^!])contains\\(\\s*github\\.event\\.pull_request\\.labels\\b.*")
       or
 
@@ -55,12 +55,8 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink {
  *          echo "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV
  */
 class EnvVarInjectionFromCommandSink extends EnvVarInjectionSink {
-  CommandSource inCommand;
-  string injectedVar;
-  string command;
-
   EnvVarInjectionFromCommandSink() {
-    exists(Run run |
+    exists(Run run, CommandSource inCommand, string injectedVar, string command |
       this.asExpr() = inCommand.getEnclosingRun().getScript() and
       run = inCommand.getEnclosingRun() and
       run.getScript().getACmdReachingGitHubEnvWrite(inCommand.getCommand(), injectedVar) and
@@ -86,12 +82,8 @@ class EnvVarInjectionFromCommandSink extends EnvVarInjectionSink {
  *      echo "FOO=$BODY" >> $GITHUB_ENV
  */
 class EnvVarInjectionFromEnvVarSink extends EnvVarInjectionSink {
-  string inVar;
-  string injectedVar;
-  string command;
-
   EnvVarInjectionFromEnvVarSink() {
-    exists(Run run |
+    exists(Run run, string inVar, string injectedVar, string command |
       run.getScript() = this.asExpr() and
       exists(run.getInScopeEnvVarExpr(inVar)) and
       run.getScript().getAnEnvReachingGitHubEnvWrite(inVar, injectedVar) and
 
@@ -99,18 +99,14 @@ class OutputClobberingFromEnvVarSink extends OutputClobberingSink {
  *          echo $BODY
  */
 class WorkflowCommandClobberingFromEnvVarSink extends OutputClobberingSink {
-  string clobbering_var;
-  string clobbered_value;
-
   WorkflowCommandClobberingFromEnvVarSink() {
-    exists(Run run, string workflow_cmd_stmt, string clobbering_stmt |
+    exists(Run run, string workflow_cmd_stmt, string clobbering_stmt, string clobbering_var |
       run.getScript() = this.asExpr() and
       run.getScript().getAStmt() = clobbering_stmt and
       clobbering_stmt.regexpMatch("echo\\s+(-e\\s+)?(\"|')?\\$(\\{)?" + clobbering_var + ".*") and
       exists(run.getInScopeEnvVarExpr(clobbering_var)) and
       run.getScript().getAStmt() = workflow_cmd_stmt and
-      clobbered_value =
-        trimQuotes(workflow_cmd_stmt.regexpCapture(".*::set-output\\s+name=.*::(.*)", 1))
+      exists(trimQuotes(workflow_cmd_stmt.regexpCapture(".*::set-output\\s+name=.*::(.*)", 1)))
     )
   }
 }
 
@@ -1,10 +1,8 @@
 import actions
 
 class UnversionedImmutableAction extends UsesStep {
-  string immutable_action;
-
   UnversionedImmutableAction() {
-    isImmutableAction(this, immutable_action) and
+    isImmutableAction(this, _) and
     not isSemVer(this.getVersion())
   }
 }
 
@@ -307,13 +307,12 @@ class SemStoreExpr extends SemUnaryExpr {
 }
 
 class SemConditionalExpr extends SemKnownExpr {
-  SemExpr condition;
   SemExpr trueResult;
   SemExpr falseResult;
 
   SemConditionalExpr() {
     opcode instanceof Opcode::Conditional and
-    Specific::conditionalExpr(this, type, condition, trueResult, falseResult)
+    Specific::conditionalExpr(this, type, any(SemExpr condition), trueResult, falseResult)
   }
 
   final SemExpr getBranchExpr(boolean branch) {
 
@@ -31,27 +31,28 @@ private predicate hasConditionalInitialization(
 class ConditionallyInitializedVariable extends LocalVariable {
   ConditionalInitializationCall call;
   ConditionalInitializationFunction f;
-  VariableAccess initAccess;
   Evidence e;
 
   ConditionallyInitializedVariable() {
     // Find a call that conditionally initializes this variable
-    hasConditionalInitialization(f, call, this, initAccess, e) and
-    // Ignore cases where the variable is assigned prior to the call
-    not reaches(this.getAnAssignedValue(), initAccess) and
-    // Ignore cases where the variable is assigned field-wise prior to the call.
-    not exists(FieldAccess fa |
-      exists(Assignment a |
-        fa = getAFieldAccess(this) and
-        a.getLValue() = fa
+    exists(VariableAccess initAccess |
+      hasConditionalInitialization(f, call, this, initAccess, e) and
+      // Ignore cases where the variable is assigned prior to the call
+      not reaches(this.getAnAssignedValue(), initAccess) and
+      // Ignore cases where the variable is assigned field-wise prior to the call.
+      not exists(FieldAccess fa |
+        exists(Assignment a |
+          fa = getAFieldAccess(this) and
+          a.getLValue() = fa
+        )
+      |
+        reaches(fa, initAccess)
+      ) and
+      // Ignore cases where the variable is assigned by a prior call to an initialization function
+      not exists(Call c |
+        this.getAnAccess() = getAnInitializedArgument(c).(AddressOfExpr).getOperand() and
+        reaches(c, initAccess)
       )
-    |
-      reaches(fa, initAccess)
-    ) and
-    // Ignore cases where the variable is assigned by a prior call to an initialization function
-    not exists(Call c |
-      this.getAnAccess() = getAnInitializedArgument(c).(AddressOfExpr).getOperand() and
-      reaches(c, initAccess)
     ) and
     /*
      * Static local variables with constant initializers do not have the initializer expr as part of
 
@@ -19,16 +19,17 @@ import cpp
  * Errors when using a variable declaration inside a loop.
  */
 class DangerousWhileLoop extends WhileStmt {
-  Expr exp;
   Declaration dl;
 
   DangerousWhileLoop() {
     this = dl.getParentScope().(BlockStmt).getParent*() and
-    exp = this.getCondition().getAChild*() and
-    not exp instanceof PointerFieldAccess and
-    not exp instanceof ValueFieldAccess and
-    exp.(VariableAccess).getTarget().getName() = dl.getName() and
-    not exp.getParent*() instanceof FunctionCall
+    exists(Expr exp |
+      exp = this.getCondition().getAChild*() and
+      not exp instanceof PointerFieldAccess and
+      not exp instanceof ValueFieldAccess and
+      exp.(VariableAccess).getTarget().getName() = dl.getName() and
+      not exp.getParent*() instanceof FunctionCall
+    )
   }
 
   Declaration getDeclaration() { result = dl }
Original file line number	Diff line number	Diff line change
`@@ -1,10 +1,8 @@`
`1`	`1`	`import actions`
`2`	`2`
`3`	`3`	`class UnversionedImmutableAction extends UsesStep {`
`4`		`- string immutable_action;`
`5`		`-`
`6`	`4`	`UnversionedImmutableAction() {`
`7`		`- isImmutableAction(this, immutable_action) and`
	`5`	`+ isImmutableAction(this, _) and`
`8`	`6`	`not isSemVer(this.getVersion())`
`9`	`7`	`}`
`10`	`8`	`}`
Original file line number	Diff line number	Diff line change
`@@ -307,13 +307,12 @@ class SemStoreExpr extends SemUnaryExpr {`
`307`	`307`	`}`
`308`	`308`
`309`	`309`	`class SemConditionalExpr extends SemKnownExpr {`
`310`		`- SemExpr condition;`
`311`	`310`	`SemExpr trueResult;`
`312`	`311`	`SemExpr falseResult;`
`313`	`312`
`314`	`313`	`SemConditionalExpr() {`
`315`	`314`	`opcode instanceof Opcode::Conditional and`
`316`		`- Specific::conditionalExpr(this, type, condition, trueResult, falseResult)`
	`315`	`+ Specific::conditionalExpr(this, type, any(SemExpr condition), trueResult, falseResult)`
`317`	`316`	`}`
`318`	`317`
`319`	`318`	`final SemExpr getBranchExpr(boolean branch) {`