JS: Add meta query for reporting threat model sources

javascript/ql/src/meta/alerts/TaintSources.ql

@@ -11,6 +11,6 @@
 import javascript
 import meta.internal.TaintMetrics
 
-from DataFlow::Node node
-where node = relevantTaintSource()
+from ThreatModelSource node
+where node = relevantTaintSource() and node.getThreatModel() = "remote"
 select node, getTaintSourceName(node)

javascript/ql/src/meta/alerts/ThreatModelSources.ql

@@ -0,0 +1,19 @@
+/**
+ * @name Threat model sources
+ * @description Sources of possibly untrusted input that can be configured via threat models.
+ * @kind problem
+ * @problem.severity recommendation
+ * @id js/meta/alerts/threat-model-sources
+ * @tags meta
+ * @precision very-low
+ */
+
+import javascript
+import meta.internal.TaintMetrics
+
+from ThreatModelSource node, string threatModel
+where
+  node = relevantTaintSource() and
+  threatModel = node.getThreatModel() and
+  threatModel != "remote" // "remote" is reported by TaintSources.ql
+select node, getTaintSourceName(node) + " (\"" + threatModel + "\" threat model)"