Use extension packs for threat models

2025-12-16 16:53:25 +01:00 · 2023-10-19 17:07:26 -04:00
parent da44b13fd4
commit bd7de83aab
13 changed files with 50 additions and 12 deletions
--- a/codeql-workspace.yml
+++ b/codeql-workspace.yml
@@ -6,7 +6,7 @@ provide:
  - "*/ql/consistency-queries/qlpack.yml"
  - "*/ql/automodel/src/qlpack.yml"
  - "*/ql/automodel/test/qlpack.yml"
-  - "shared/*/qlpack.yml"
+  - "shared/**/qlpack.yml"
  - "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml"
  - "go/ql/config/legacy-support/qlpack.yml"
  - "go/build/codeql-extractor-go/codeql-extractor.yml"
--- a/java/ql/lib/qlpack.yml
+++ b/java/ql/lib/qlpack.yml
@@ -9,6 +9,7 @@ dependencies:
  codeql/dataflow: ${workspace}
  codeql/mad: ${workspace}
  codeql/regex: ${workspace}
+  codeql/threat-models: ${workspace}
  codeql/tutorial: ${workspace}
  codeql/typetracking: ${workspace}
  codeql/util: ${workspace}
@@ -16,5 +17,4 @@ dataExtensions:
  - ext/*.model.yml
  - ext/generated/*.model.yml
  - ext/experimental/*.model.yml
-  - ext/threatmodels/*.model.yml
 warnOnImplicitThis: true
--- a/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll
@@ -29,7 +29,7 @@ import semmle.code.java.frameworks.struts.StrutsActions
 import semmle.code.java.frameworks.Thrift
 import semmle.code.java.frameworks.javaee.jsf.JSFRenderer
 private import semmle.code.java.dataflow.ExternalFlow
-private import semmle.code.java.dataflow.ExternalFlowConfiguration
+private import codeql.threatmodels.ThreatModels

 /**
 * A data flow source.
--- a/java/ql/test/library-tests/dataflow/threat-models/threat-models1.ql
+++ b/java/ql/test/library-tests/dataflow/threat-models/threat-models1.ql
@@ -1,5 +1,5 @@
-import semmle.code.java.dataflow.ExternalFlowConfiguration as ExternalFlowConfiguration
+import codeql.threatmodels.ThreatModels as ThreatModels

 query predicate supportedThreatModels(string kind) {
-  ExternalFlowConfiguration::currentThreatModel(kind)
+  ThreatModels::currentThreatModel(kind)
 }
--- a/java/ql/test/library-tests/dataflow/threat-models/threat-models2.ql
+++ b/java/ql/test/library-tests/dataflow/threat-models/threat-models2.ql
@@ -1,5 +1,5 @@
-import semmle.code.java.dataflow.ExternalFlowConfiguration as ExternalFlowConfiguration
+import codeql.threatmodels.ThreatModels as ThreatModels

 query predicate supportedThreatModels(string kind) {
-  ExternalFlowConfiguration::currentThreatModel(kind)
+  ThreatModels::currentThreatModel(kind)
 }
--- a/shared/threat-models-ext/android/qlpack.yml
+++ b/shared/threat-models-ext/android/qlpack.yml
@@ -0,0 +1,10 @@
+name: codeql/threat-android
+version: 0.0.0-dev
+groups:
+  - shared
+  - threat-models
+library: true
+dataExtensions:
+  - "*.model.yml"
+extensionTargets:
+  codeql/threat-models: ${workspace}
--- a/shared/threat-models-ext/android/threat.model.yml
+++ b/shared/threat-models-ext/android/threat.model.yml
@@ -0,0 +1,7 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: supportedThreatModels
+    data:
+      - ["android"]
--- a/shared/threat-models-ext/local/qlpack.yml
+++ b/shared/threat-models-ext/local/qlpack.yml
@@ -0,0 +1,10 @@
+name: codeql/threat-local
+version: 0.0.0-dev
+groups:
+  - shared
+  - threat-models
+library: true
+dataExtensions:
+  - "*.model.yml"
+extensionTargets:
+  codeql/threat-models: ${workspace}
--- a/shared/threat-models-ext/local/threat.model.yml
+++ b/shared/threat-models-ext/local/threat.model.yml
@@ -0,0 +1,7 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: supportedThreatModels
+    data:
+      - ["local"]
--- a/java/ql/lib/semmle/code/java/dataflow/ExternalFlowConfiguration.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/ExternalFlowConfiguration.qll
@@ -5,12 +5,10 @@
 * are applicable to generic queries.
 */

-private import ExternalFlowExtensions
-
 /**
 * Holds if the specified kind of source model is supported for the current query.
 */
-extensible private predicate supportedThreatModels(string kind);
+extensible predicate supportedThreatModels(string kind);

 /**
 * Holds if the specified kind of source model is containted within the specified group.
--- a/java/ql/lib/ext/threatmodels/supported-threat-models.model.yml
+++ b/java/ql/lib/ext/threatmodels/supported-threat-models.model.yml
@@ -1,7 +1,7 @@
 extensions:

  - addsTo:
-      pack: codeql/java-all
+      pack: codeql/threat-models
      extensible: supportedThreatModels
    data:
      - ["default"] # The "default" threat model is always included.
--- a/java/ql/lib/ext/threatmodels/threat-model-grouping.model.yml
+++ b/java/ql/lib/ext/threatmodels/threat-model-grouping.model.yml
@@ -1,7 +1,7 @@
 extensions:

  - addsTo:
-      pack: codeql/java-all
+      pack: codeql/threat-models
      extensible: threatModelGrouping
    data:
      # Default threat model
--- a/shared/threat-models/qlpack.yml
+++ b/shared/threat-models/qlpack.yml
@@ -0,0 +1,6 @@
+name: codeql/threat-models
+version: 0.0.0-dev
+library: true
+groups: shared
+dataExtensions:
+  - ext/*.model.yml