Filter endpoints by confidence

Select endpoints to score at inference time base purely on their confidence level, and not on whether they fit the historical definition of endpoint filters.
2026-04-30 11:15:13 +02:00 · 2022-11-23 10:46:27 -08:00
parent 1c9545e49a
commit 03b8e649f1
2 changed files with 13 additions and 10 deletions
--- a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/ATMConfig.qll
+++ b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/ATMConfig.qll
@@ -80,15 +80,18 @@ abstract class AtmConfig extends string {
    // characteristics that are specific to this sink type.
    // TODO: Experiment with excluding all endpoints that have a medium- or high-confidence characteristic that implies
    // they're not sinks for this sink type (or not sinks for any sink type), not just the EndpointFilterCharacteristics.
-    exists(EndpointCharacteristics::StandardEndpointFilterCharacteristic standardFilter |
-      standardFilter.getEndpoints(candidateSink) and
-      result = standardFilter
-    )
-    or
-    exists(EndpointCharacteristics::EndpointFilterCharacteristic specificFilter |
-      specificFilter.getEndpoints(candidateSink) and
-      specificFilter.getImplications(this.getASinkEndpointType(), false, _) and
-      result = specificFilter
+    exists(EndpointCharacteristics::EndpointCharacteristic filter, float confidence |
+      filter.getEndpoints(candidateSink) and
+      confidence >= filter.mediumConfidence() and
+      confidence < filter.highConfidence() and
+      (
+        // Exclude endpoints that have a characteristic that implies they're not sinks for _any_ sink type.
+        filter.getImplications(any(NegativeType negative), true, confidence)
+        or
+        // Exclude endpoints that have a characteristic that implies they're not sinks for _this particular_ sink type.
+        filter.getImplications(this.getASinkEndpointType(), false, confidence)
+      ) and
+      result = filter
    )
  }

--- a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointCharacteristics.qll
+++ b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointCharacteristics.qll
@@ -462,7 +462,7 @@ abstract class EndpointFilterCharacteristic extends EndpointCharacteristic {
 * An EndpointFilterCharacteristic that indicates that an endpoint is unlikely to be a sink of any type.
 * Replaces https://github.com/github/codeql/blob/387e57546bf7352f7c1cfe781daa1a3799b7063e/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/StandardEndpointFilters.qll#LL15C24-L15C24
 */
-abstract class StandardEndpointFilterCharacteristic extends EndpointFilterCharacteristic {
+abstract private class StandardEndpointFilterCharacteristic extends EndpointFilterCharacteristic {
  bindingset[this]
  StandardEndpointFilterCharacteristic() { any() }