Merge branch 'github:main' into main-1

Author: krishnprakash

.github/codeql/codeql-config.yml

@@ -8,5 +8,6 @@ paths-ignore:
   - '/java/'
   - '/python/'
   - '/javascript/ql/test'
+  - '/javascript/ql/integration-tests'
   - '/javascript/extractor/tests'
   - '/rust/ql'

.github/workflows/codeql-analysis.yml

@@ -18,6 +18,10 @@ on:
 
 jobs:
   CodeQL-Build:
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ['actions', 'csharp']
 
     runs-on: ubuntu-latest
 
@@ -38,9 +42,8 @@ jobs:
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
       uses: github/codeql-action/init@main
-      # Override language selection by uncommenting this and choosing your languages
       with:
-        languages: csharp
+        languages: ${{ matrix.language }}
         config-file: ./.github/codeql/codeql-config.yml
 
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).

Cargo.lock

@@ -73,6 +73,7 @@ use_repo(
     tree_sitter_extractors_deps,
     "vendor_ts__anyhow-1.0.96",
     "vendor_ts__argfile-0.2.1",
+    "vendor_ts__chalk-ir-0.99.0",
     "vendor_ts__chrono-0.4.39",
     "vendor_ts__clap-4.5.31",
     "vendor_ts__dunce-1.0.5",
@@ -94,6 +95,7 @@ use_repo(
     "vendor_ts__ra_ap_hir-0.0.266",
     "vendor_ts__ra_ap_hir_def-0.0.266",
     "vendor_ts__ra_ap_hir_expand-0.0.266",
+    "vendor_ts__ra_ap_hir_ty-0.0.266",
     "vendor_ts__ra_ap_ide_db-0.0.266",
     "vendor_ts__ra_ap_intern-0.0.266",
     "vendor_ts__ra_ap_load-cargo-0.0.266",

MODULE.bazel

@@ -43,7 +43,7 @@ jobs:
 The following example, correctly creates a temporary directory and extracts the contents of the artifact there before calling `cmd.sh`.
 
 ```yaml
-name: Insecure Workflow
+name: Secure Workflow
 
 on:
   workflow_run:

actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.md

@@ -43,7 +43,7 @@ jobs:
 The following example, correctly creates a temporary directory and extracts the contents of the artifact there before calling `cmd.sh`.
 
 ```yaml
-name: Insecure Workflow
+name: Secure Workflow
 
 on:
   workflow_run:

actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.md

@@ -1,2 +1,4 @@
 - description: Security-and-quality queries for GitHub Actions
-- import: codeql-suites/actions-security-extended.qls
+- queries: .
+- apply: security-and-quality-selectors.yml
+  from: codeql/suite-helpers

actions/ql/src/codeql-suites/actions-security-and-quality.qls

@@ -1,2 +1,4 @@
 - description: Extended and experimental security queries for GitHub Actions
-- import: codeql-suites/actions-code-scanning.qls
+- queries: .
+- apply: security-experimental-selectors.yml
+  from: codeql/suite-helpers

actions/ql/src/codeql-suites/actions-security-experimental.qls

@@ -8,3 +8,4 @@ extractor: actions
 defaultSuiteFile: codeql-suites/actions-code-scanning.qls
 dependencies:
   codeql/actions-all: ${workspace}
+  codeql/suite-helpers: ${workspace}

actions/ql/src/qlpack.yml

@@ -16,6 +16,7 @@
 import csharp
 import Dispose
 import semmle.code.csharp.frameworks.System
+import semmle.code.csharp.frameworks.system.threading.Tasks
 import semmle.code.csharp.commons.Disposal
 
 private class ReturnNode extends DataFlow::ExprNode {
@@ -24,15 +25,27 @@ private class ReturnNode extends DataFlow::ExprNode {
   }
 }
 
+private class Task extends Type {
+  Task() {
+    this instanceof SystemThreadingTasksTaskClass or
+    this instanceof SystemThreadingTasksTaskTClass
+  }
+}
+
 module DisposeCallOnLocalIDisposableConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node node) {
-    node.asExpr() =
-      any(LocalScopeDisposableCreation disposable |
-        // Only care about library types - user types often have spurious IDisposable declarations
-        disposable.getType().fromLibrary() and
-        // WebControls are usually disposed automatically
-        not disposable.getType() instanceof WebControl
-      )
+    exists(LocalScopeDisposableCreation disposable, Type t |
+      node.asExpr() = disposable and
+      t = disposable.getType()
+    |
+      // Only care about library types - user types often have spurious IDisposable declarations
+      t.fromLibrary() and
+      // WebControls are usually disposed automatically
+      not t instanceof WebControl and
+      // It is typically not nessesary to dispose tasks
+      // https://devblogs.microsoft.com/pfxteam/do-i-need-to-dispose-of-tasks/
+      not t instanceof Task
+    )
   }
 
   predicate isSink(DataFlow::Node node) {