Merge pull request #13149 from issyl0/add-code-scanning-workflow

.github/codeql/codeql-config.yml

@@ -0,0 +1,2 @@
+paths-ignore:
+  - Library/Homebrew/vendor/

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,31 @@
+name: "CodeQL"
+
+on:
+ push:
+   branches:
+     - master
+ pull_request:
+   branches:
+     - master
+
+jobs:
+ analyze:
+   name: Analyze
+   runs-on: ubuntu-latest
+   permissions:
+     actions: read
+     contents: read
+     security-events: write
+
+   steps:
+   - name: Checkout repository
+     uses: actions/checkout@v3
+
+   - name: Initialize CodeQL
+     uses: github/codeql-action/init@v2
+     with:
+       languages: ruby
+       config-file: ./.github/codeql/codeql-config.yml
+
+   - name: Perform CodeQL Analysis
+     uses: github/codeql-action/analyze@v2

Library/Homebrew/dev-cmd/bump-formula-pr.rb

@@ -383,13 +383,13 @@ module Homebrew
 
   def determine_mirror(url)
     case url
-    when %r{.*ftp.gnu.org/gnu.*}
+    when %r{.*ftp\.gnu\.org/gnu.*}
       url.sub "ftp.gnu.org/gnu", "ftpmirror.gnu.org"
-    when %r{.*download.savannah.gnu.org/*}
+    when %r{.*download\.savannah\.gnu\.org/*}
       url.sub "download.savannah.gnu.org", "download-mirror.savannah.gnu.org"
-    when %r{.*www.apache.org/dyn/closer.lua\?path=.*}
+    when %r{.*www\.apache\.org/dyn/closer\.lua\?path=.*}
       url.sub "www.apache.org/dyn/closer.lua?path=", "archive.apache.org/dist/"
-    when %r{.*mirrors.ocf.berkeley.edu/debian.*}
+    when %r{.*mirrors\.ocf\.berkeley\.edu/debian.*}
       url.sub "mirrors.ocf.berkeley.edu/debian", "mirrorservice.org/sites/ftp.debian.org/debian"
     end
   end

Library/Homebrew/download_strategy.rb

@@ -1404,18 +1404,18 @@ class DownloadStrategyDetector
     when %r{^https?://www\.apache\.org/dyn/closer\.cgi},
          %r{^https?://www\.apache\.org/dyn/closer\.lua}
       CurlApacheMirrorDownloadStrategy
-    when %r{^https?://(.+?\.)?googlecode\.com/svn},
+    when %r{^https?://([A-Za-z0-9\-.]+\.)?googlecode\.com/svn},
          %r{^https?://svn\.},
          %r{^svn://},
          %r{^svn\+http://},
          %r{^http://svn\.apache\.org/repos/},
-         %r{^https?://(.+?\.)?sourceforge\.net/svnroot/}
+         %r{^https?://([A-Za-z0-9\-.]+\.)?sourceforge\.net/svnroot/}
       SubversionDownloadStrategy
     when %r{^cvs://}
       CVSDownloadStrategy
     when %r{^hg://},
-         %r{^https?://(.+?\.)?googlecode\.com/hg},
+         %r{^https?://([A-Za-z0-9\-.]+\.)?googlecode\.com/hg},
-         %r{^https?://(.+?\.)?sourceforge\.net/hgweb/}
+         %r{^https?://([A-Za-z0-9\-.]+\.)?sourceforge\.net/hgweb/}
       MercurialDownloadStrategy
     when %r{^bzr://}
       BazaarDownloadStrategy

Library/Homebrew/rubocops/homepage.rb

@@ -70,12 +70,12 @@ module RuboCop
           when
                # Check for http:// GitHub homepage URLs, https:// is preferred.
                # Note: only check homepages that are repo pages, not *.github.com hosts
-               %r{^http://github.com/},
+               %r{^http://github\.com/},
                %r{^http://[^/]*\.github\.io/},
 
                # Savannah has full SSL/TLS support but no auto-redirect.
                # Doesn't apply to the download URLs, only the homepage.
-               %r{^http://savannah.nongnu.org/},
+               %r{^http://savannah\.nongnu\.org/},
 
                %r{^http://[^/]*\.sourceforge\.io/},
                # There's an auto-redirect here, but this mistake is incredibly common too.

Library/Homebrew/rubocops/urls.rb

@@ -21,7 +21,7 @@ module RuboCop
           end
 
           # GNU URLs; doesn't apply to mirrors
-          gnu_pattern = %r{^(?:https?|ftp)://ftpmirror.gnu.org/(.*)}
+          gnu_pattern = %r{^(?:https?|ftp)://ftpmirror\.gnu\.org/(.*)}
           audit_urls(urls, gnu_pattern) do |match, url|
             problem "Please use \"https://ftp.gnu.org/gnu/#{match[1]}\" instead of #{url}."
           end
@@ -177,7 +177,7 @@ module RuboCop
           end
 
           # Check for new-url Google Code download URLs, https:// is preferred
-          google_code_pattern = Regexp.union([%r{^http://.*\.googlecode\.com/files.*},
+          google_code_pattern = Regexp.union([%r{^http://[A-Za-z0-9\-.]*\.googlecode\.com/files.*},
                                               %r{^http://code\.google\.com/}])
           audit_urls(urls, google_code_pattern) do |_, url|
             problem "Please use https:// for #{url}"
@@ -267,13 +267,13 @@ module RuboCop
           urls += mirrors
 
           # Check pypi URLs
-          pypi_pattern = %r{^https?://pypi.python.org/}
+          pypi_pattern = %r{^https?://pypi\.python\.org/}
           audit_urls(urls, pypi_pattern) do |_, url|
             problem "use the `Source` url found on PyPI downloads page (`#{get_pypi_url(url)}`)"
           end
 
           # Require long files.pythonhosted.org URLs
-          pythonhosted_pattern = %r{^https?://files.pythonhosted.org/packages/source/}
+          pythonhosted_pattern = %r{^https?://files\.pythonhosted\.org/packages/source/}
           audit_urls(urls, pythonhosted_pattern) do |_, url|
             problem "use the `Source` url found on PyPI downloads page (`#{get_pypi_url(url)}`)"
           end