Actions: Removed a false positive injection sink model for theveracode/veracode-sca action.#21604
Actions: Removed a false positive injection sink model for theveracode/veracode-sca action.#21604XinyuZhangXvX wants to merge 1 commit intogithub:mainfrom
veracode/veracode-sca action.#21604Conversation
…input of veracode/veracode-sca.
There was a problem hiding this comment.
Pull request overview
Removes an Actions command-injection sink model that was producing false positives for veracode/veracode-sca’s skip-collectors input, and documents the change via a new change note.
Changes:
- Removed the
command-injectionsink model forveracode/veracode-scainput.skip-collectors. - Added a minor-analysis change note describing the false-positive reduction.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| actions/ql/lib/ext/manual/veracode_veracode-sca.model.yml | Updates the manual sink-model entries for veracode/veracode-sca by removing the skip-collectors sink. |
| actions/ql/src/change-notes/2026-03-27-veracode#veracode-sca.md | Adds a change note for the modeling adjustment (false-positive reduction). |
| - ["veracode/veracode-sca", "*", "input.url", "command-injection", "manual"] | ||
| - ["veracode/veracode-sca", "*", "input.path", "command-injection", "manual"] | ||
| - ["veracode/veracode-sca", "*", "input.skip-collectors", "command-injection", "manual"] | ||
| - ["veracode/veracode-sca", "*", "input.url", "command-injection", "manual"] |
There was a problem hiding this comment.
The actionsSinkModel data contains the input.url command-injection entry twice. This can lead to duplicate modeled sinks (and potentially duplicated results) and makes the model harder to maintain. Remove the duplicate row or replace it with the intended distinct input/kind if this was meant to cover something else.
| - ["veracode/veracode-sca", "*", "input.url", "command-injection", "manual"] |
| --- | ||
| category: minorAnalysis | ||
| --- | ||
| * Removed false positive injection sink models for the `skip-collectors` input of `veracode/veracode-sca`. No newline at end of file |
There was a problem hiding this comment.
The change note says "sink models" (plural), but this PR removes a single sink model entry (input.skip-collectors). Consider making this singular to keep the release note accurate.
| * Removed false positive injection sink models for the `skip-collectors` input of `veracode/veracode-sca`. | |
| * Removed a false positive injection sink model for the `skip-collectors` input of `veracode/veracode-sca`. |
Summary
Remove the command-injection sink model for the
skip-collectorsinput ofveracode/veracode-sca, as the input is sanitized before reaching the shell command.Data flow analysis
Reference: https://github.com/veracode/veracode-sca/blob/main/src/srcclr.ts
The
skip-collectorsinput flows through thecleanCollectors()function before being interpolated into a shell command.cleanCollectors()filters each value against a hardcoded allowlist of known collector names. Since the allowlist contains only safe, simple identifiers with no shell-special characters, attacker-controlled input cannot survive the filter. This makesskip-collectorsnot a viable command-injection sink, and the previous model produced false positives.