hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-27 01:35:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

update threat models section

Browse Source
This commit is contained in:
james
2023-12-01 11:19:00 +00:00
parent fe126c450b
commit 7f3ff7f9a5
1 changed files with 6 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
docs/codeql/codeql-language-guides/customizing-library-models-for-java-and-kotlin.rst
View File

@@ -299,32 +299,11 @@ Threat models
.. include:: ../reusables/beta-note-threat-models-java.rst
A threat model is a named class of dataflow sources that can be enabled or disabled independently. Threat models allow you to control the set of dataflow sources that you want to consider unsafe. Threat models are defined in a hierarchy. A threat model can have child threat models, so that enabling or disabling the parent threat model does the same for each of its children.
A threat model is a named class of dataflow sources that can be enabled or disabled independently. Threat models allow you to control the set of dataflow sources that you want to consider unsafe. For example, one codebase may only consider remote HTTP requests to be tainted, whereas another may also consider data from local files to be unsafe. You can use threat models to ensure that the relevant taint sources are used in a CodeQL analysis.
The ``default`` threat model is included by default. The ``default`` grouping only contains one child threat model, the ``remote`` threat model, which represents remote HTTP requests.
The ``kind`` property of the ``sourceModel`` determines which threat model a source is associated with. There are two main categories:
- ``remote`` which represents remote HTTP requests.
- ``local`` which represents data from local files (``file``), command-line arguments (``commandargs``), database reads (``database``), and environment variables(``environement``).
You can extend the CodeQL threat model to specify other sources of untrusted data. For example, if your codebase considers local files to be sources of tainted data, you can specify the ``local`` threat model to be used in CodeQL analysis.
The shared ``threat-models`` library pack exposes the following extensible predicates:
- ``threatModelConfiguration(string kind, boolean enabled, int priority)``. This is used to configure which threat models are enabled or disabled for the analysis.
- ``threatModelGrouping(string kind, string group)``. This is used to define the taxonomy of threat models as a parent-child hierarchy.
You can specify a threat model to use during analysis by adding a data extension YAML file named ``<test-name>.ext.yml`` in your test directory. In the YAML file, you can extend the ``threatModelConfiguration`` predicate.
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/threat-models
extensible: threatModelConfiguration
data:
- [local, true, 0]
- [environment, false, 1]
Each data row consists of three columns:
- The first value ``local`` is the name of the threat model to enable or disable.
- The second value ``true`` is a boolean that you can set to ``true`` to enable the named threat model, or ``false`` to disable it.
- The third value ``0`` is an integer specifying the order in which to process the row. Rows are processed in ascending order of priority.
When running a CodeQL analysis, the ``remote`` threat model is included by default. You can optionally include other threat models as appropriate when using the CodeQL CLI and in GitHub code scanning. For more information see TODO.