JS: Remove 'response' from default threat-models

I didn't want to put the configuration file in `semmle/javascript/frameworks/**/*.model.yml`, so created `ext/` as in other languages
2026-04-24 16:25:15 +02:00 · 2024-08-19 10:47:42 +02:00
parent 05dce8a0be
commit dbfbd2c00a
3 changed files with 9 additions and 1 deletions
--- a/javascript/ql/lib/ext/default-threat-models-fixup.model.yml
+++ b/javascript/ql/lib/ext/default-threat-models-fixup.model.yml
@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+    # Since responses are enabled by default in the shared threat-models configuration,
+    # we need to disable it here to keep existing behavior for the javascript analysis.
+      - ["response", false, -2147483647]
--- a/javascript/ql/lib/qlpack.yml
+++ b/javascript/ql/lib/qlpack.yml
@@ -18,4 +18,5 @@ dataExtensions:
  - semmle/javascript/frameworks/**/model.yml
  - semmle/javascript/frameworks/**/*.model.yml
  - semmle/javascript/security/domains/**/*.model.yml
+  - ext/*.model.yml
 warnOnImplicitThis: true