Merge pull request #14582 from github/dbartol/threat-models-2

Java: Threat model implementation with priorities.
2026-04-28 10:15:14 +02:00 · 2023-10-27 09:33:53 -04:00
parent 4aed638066 e4276f7adb
commit b18a6d5e0b
21 changed files with 189 additions and 89 deletions
--- a/java/ql/lib/ext/threatmodels/supported-threat-models.model.yml
+++ b/java/ql/lib/ext/threatmodels/supported-threat-models.model.yml
@@ -1,7 +0,0 @@
-extensions:
-
-  - addsTo:
-      pack: codeql/java-all
-      extensible: supportedThreatModels
-    data:
-      - ["default"] # The "default" threat model is always included.
--- a/java/ql/lib/ext/threatmodels/threat-model-grouping.model.yml
+++ b/java/ql/lib/ext/threatmodels/threat-model-grouping.model.yml
@@ -1,22 +0,0 @@
-extensions:
-
-  - addsTo:
-      pack: codeql/java-all
-      extensible: threatModelGrouping
-    data:
-      # Default threat model
-      - ["remote", "default"]
-
-      # Remote threat models
-      - ["request", "remote"]
-      - ["response", "remote"]
-
-      # Local threat models
-      - ["database", "local"]
-      - ["commandargs", "local"]
-      - ["environment", "local"]
-      - ["file", "local"]
-
-      # Android threat models
-      - ["android-external-storage-dir", "android"]
-      - ["contentprovider", "android"]
--- a/java/ql/lib/qlpack.yml
+++ b/java/ql/lib/qlpack.yml
@@ -10,6 +10,7 @@ dependencies:
  codeql/mad: ${workspace}
  codeql/rangeanalysis: ${workspace}
  codeql/regex: ${workspace}
+  codeql/threat-models: ${workspace}
  codeql/tutorial: ${workspace}
  codeql/typetracking: ${workspace}
  codeql/util: ${workspace}
@@ -17,5 +18,4 @@ dataExtensions:
  - ext/*.model.yml
  - ext/generated/*.model.yml
  - ext/experimental/*.model.yml
-  - ext/threatmodels/*.model.yml
 warnOnImplicitThis: true
--- a/java/ql/lib/semmle/code/java/dataflow/ExternalFlowConfiguration.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/ExternalFlowConfiguration.qll
@@ -1,31 +0,0 @@
-/**
- * INTERNAL use only. This is an experimental API subject to change without notice.
- *
- * This module provides extensible predicates for configuring which kinds of MaD models
- * are applicable to generic queries.
- */
-
-private import ExternalFlowExtensions
-
-/**
- * Holds if the specified kind of source model is supported for the current query.
- */
-extensible private predicate supportedThreatModels(string kind);
-
-/**
- * Holds if the specified kind of source model is containted within the specified group.
- */
-extensible private predicate threatModelGrouping(string kind, string group);
-
-/**
- * Gets the threat models that are direct descendants of the specified kind/group.
- */
-private string getChildThreatModel(string group) { threatModelGrouping(result, group) }
-
-/**
- * Holds if the source model kind `kind` is relevant for generic queries
- * under the current threat model configuration.
- */
-predicate currentThreatModel(string kind) {
-  exists(string group | supportedThreatModels(group) and kind = getChildThreatModel*(group))
-}
--- a/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll
@@ -29,7 +29,7 @@ import semmle.code.java.frameworks.struts.StrutsActions
 import semmle.code.java.frameworks.Thrift
 import semmle.code.java.frameworks.javaee.jsf.JSFRenderer
 private import semmle.code.java.dataflow.ExternalFlow
-private import semmle.code.java.dataflow.ExternalFlowConfiguration
+private import codeql.threatmodels.ThreatModels

 /**
 * A data flow source.
@@ -47,10 +47,6 @@ abstract class SourceNode extends DataFlow::Node {
 */
 class ThreatModelFlowSource extends DataFlow::Node {
  ThreatModelFlowSource() {
-    // Expansive threat model.
-    currentThreatModel("all") and
-    (this instanceof SourceNode or sourceNode(this, _))
-    or
    exists(string kind |
      // Specific threat model.
      currentThreatModel(kind) and