Better handling of all threat model without too many binding sets

shared/threat-models-ext/README.md

@@ -1,7 +0,0 @@
-This directory contains an extension pack for each supported threat model. Each pack should have the
-same layout. To add a new threat model, just copy one of the existing packs, and update the following:
-
-- In `qlpack.yml`, update the `name` to `codeql/threat-$name`, where `$name` is the name of the threat model.
-- In `threat.model.yml`, change the single row of the `data` property to `- ["$name"]`
-
-If creating these by copying and pasting becomes a burder, we can always automate the process with a script.

shared/threat-models-ext/android/qlpack.yml

@@ -1,11 +0,0 @@
-name: codeql/threat-android
-version: 0.0.0-dev
-groups:
-  - shared
-  - threat-models
-library: true
-dataExtensions:
-  - "*.model.yml"
-extensionTargets:
-  codeql/threat-models: ${workspace}
-warnOnImplicitThis: true

shared/threat-models-ext/android/threat.model.yml

@@ -1,7 +0,0 @@
-extensions:
-
-  - addsTo:
-      pack: codeql/threat-models
-      extensible: supportedThreatModels
-    data:
-      - ["android"]

shared/threat-models-ext/local/qlpack.yml

@@ -1,11 +0,0 @@
-name: codeql/threat-local
-version: 0.0.0-dev
-groups:
-  - shared
-  - threat-models
-library: true
-dataExtensions:
-  - "*.model.yml"
-extensionTargets:
-  codeql/threat-models: ${workspace}
-warnOnImplicitThis: true

shared/threat-models-ext/local/threat.model.yml

@@ -1,7 +0,0 @@
-extensions:
-
-  - addsTo:
-      pack: codeql/threat-models
-      extensible: supportedThreatModels
-    data:
-      - ["local"]

shared/threat-models/codeql/threatmodels/ThreatModels.qll

@@ -28,11 +28,40 @@ extensible predicate threatModelConfiguration(string kind, boolean enable, int p
  */
 extensible private predicate threatModelGrouping(string kind, string group);
 
+/** Holds if the specified threat model kind is mentioned in either the configuration or grouping table. */
+private predicate knownThreatModel(string kind) {
+  threatModelConfiguration(kind, _, _) or
+  threatModelGrouping(kind, _) or
+  threatModelGrouping(_, kind) or
+  kind = "all"
+}
+
 /**
  * Gets the threat model group that directly contains the specified threat model.
  */
 private string getParentThreatModel(string child) {
   threatModelGrouping(child, result)
+  or
+  knownThreatModel(child) and child != "all" and result = "all"
+}
+
+/**
+ * Gets the `enabled` column of the highest-priority configuration row whose `kind` column includes
+ * the specified threat model kind.
+ */
+private boolean threatModelExplicitState(string kind) {
+  // Find the highest-oriority configuration row whose `kind` column includes the specified threat
+  // model kind. If such a row exists and its `enabled` column is `true`, then the threat model is
+  // enabled.
+  (knownThreatModel(kind) or kind = "<other>") and
+  result =
+    max(boolean enabled, int priority |
+      exists(string configuredKind | configuredKind = getParentThreatModel*(kind) |
+        threatModelConfiguration(configuredKind, enabled, priority)
+      )
+    |
+      enabled order by priority
+    )
 }
 
 /**
@@ -41,16 +70,9 @@ private string getParentThreatModel(string child) {
  */
 bindingset[kind]
 predicate currentThreatModel(string kind) {
-  // Find the highest-oriority configuration row whose `kind` column includes the specified threat
-  // model kind. If such a row exists and its `enabled` column is `true`, then the threat model is
-  // enabled.
-  max(boolean enabled, int priority |
-    exists(string configuredKind |
-      configuredKind = getParentThreatModel*(kind) or configuredKind = "all"
-    |
-      threatModelConfiguration(configuredKind, enabled, priority)
-    )
-  |
-    enabled order by priority
-  ) = true
+  knownThreatModel(kind) and threatModelExplicitState(kind) = true
+  or
+  // For any threat model kind not mentioned in the configuration or grouping tables, its state of
+  // enablement is controlled only by the entries that specifiy the "all" kind.
+  not knownThreatModel(kind) and threatModelExplicitState("all") = true
 }