JS: Consolidate command-line argument modeling

Such that we can reuse the existing modeling, but have it globally
applied as a threat-model as well.

I Basically just moved the modeling. One important aspect is that this
changes is that the previously query-specific `argsParseStep` is now a
globally applied taint-step. This seems reasonable, if someone applied
the argument parsing to any user-controlled string, it seems correct to
propagate that taint for _any_ query.

javascript/ql/test/library-tests/threat-models/sources/sources.js

@@ -2,3 +2,43 @@ import 'dummy';
 
 var x = process.env['foo']; // $ threat-source=environment
 SINK(x); // $ hasFlow
+
+var y = process.argv[2]; // $ threat-source=commandargs
+SINK(y); // $ hasFlow
+
+
+// Accessing command line arguments using yargs
+// https://www.npmjs.com/package/yargs/v/17.7.2
+const yargs = require('yargs/yargs');
+const { hideBin } = require('yargs/helpers');
+const argv = yargs(hideBin(process.argv)).argv; // $ threat-source=commandargs
+
+SINK(argv.foo); // $ MISSING: hasFlow
+
+// older version
+// https://www.npmjs.com/package/yargs/v/7.1.2
+const yargsOld = require('yargs');
+const argvOld = yargsOld.argv; // $ threat-source=commandargs
+
+SINK(argvOld.foo); // $ hasFlow
+
+// Accessing command line arguments using yargs-parser
+const yargsParser = require('yargs-parser');
+const src = process.argv.slice(2); // $ threat-source=commandargs
+const parsedArgs = yargsParser(src);
+
+SINK(parsedArgs.foo); // $ hasFlow
+
+// Accessing command line arguments using minimist
+const minimist = require('minimist');
+const args = minimist(process.argv.slice(2)); // $ threat-source=commandargs
+
+SINK(args.foo); // $ hasFlow
+
+
+// Accessing command line arguments using commander
+const { Command } = require('commander'); // $ SPURIOUS: threat-source=commandargs
+const program = new Command();
+program.parse(process.argv); // $ threat-source=commandargs
+
+SINK(program.opts().foo); // $ hasFlow SPURIOUS: threat-source=commandargs