Docs: Threat-models supported in JS

Capturing - 7d3793e718 - e35c2b243a - e11bfc27bd
2025-12-17 01:03:14 +01:00 · 2024-10-29 11:32:41 +01:00
parent 84f6b89ced
commit 07bc1feb11
2 changed files with 9 additions and 2 deletions
--- a/docs/codeql/codeql-language-guides/customizing-library-models-for-javascript.rst
+++ b/docs/codeql/codeql-language-guides/customizing-library-models-for-javascript.rst
@@ -506,7 +506,7 @@ Kinds
 Source kinds
 ~~~~~~~~~~~~

- **remote**: A generic source of remote flow. Most taint-tracking queries will use such a source. Currently this is the only supported source kind.
+See documentation below for :ref:`Threat models <threat-models-javascript>`.

 Sink kinds
 ~~~~~~~~~~
@@ -529,3 +529,10 @@ Summary kinds

 - **taint**: A summary that propagates taint. This means the output is not necessarily equal to the input, but it was derived from the input in an unrestrictive way. An attacker who controls the input will have significant control over the output as well.
 - **value**: A summary that preserves the value of the input or creates a copy of the input such that all of its object properties are preserved.
+
+.. _threat-models-javascript:
+
+Threat models
+-------------
+
+.. include:: ../reusables/threat-model-description.rst
--- a/docs/codeql/reusables/beta-note-threat-models.rst
+++ b/docs/codeql/reusables/beta-note-threat-models.rst
@@ -2,4 +2,4 @@

    Note

-    Threat models are currently in beta and subject to change. During the beta, threat models are supported only by Java, C# and Python analysis.
+    Threat models are currently in beta and subject to change. During the beta, threat models are supported only by Java, C#, Python and JavaScript/TypeScript analysis.