Updated MaDs with certainty 5

Updated MaDs with certainty 4
Add MaDs for Apache Avro
2026-06-05 21:47:10 +02:00 · 2026-05-12 15:51:04 +02:00 · 2026-05-12 15:49:37 +02:00 · 2026-05-12 15:35:15 +02:00 · 2026-05-12 15:35:15 +02:00
9 changed files with 91 additions and 0 deletions
--- a/java/ql/lib/ext/generated/llmgenerator/org.apache.avro.file.model.yml
+++ b/java/ql/lib/ext/generated/llmgenerator/org.apache.avro.file.model.yml
@@ -0,0 +1,14 @@
+# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT.
+# Generated from https://github.com/apache/avro.git#892d6997dcb65627560b04bd76c5a3dd97666cdf by codeql-mads-via-llm
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["org.apache.avro.file", "DataFileReader", True, "openReader", "(File,DatumReader)", "", "Argument[0]", "path-injection", "ai-generated"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sourceModel
+    data:
+      - ["org.apache.avro.file", "DataFileReader12", True, "next", "(Object)", "", "ReturnValue", "file", "ai-generated"]
+      - ["org.apache.avro.file", "DataFileStream", True, "next", "(Object)", "", "ReturnValue", "file", "ai-generated"]
--- a/java/ql/lib/ext/generated/llmgenerator/org.apache.avro.generic.model.yml
+++ b/java/ql/lib/ext/generated/llmgenerator/org.apache.avro.generic.model.yml
@@ -0,0 +1,9 @@
+# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT.
+# Generated from https://github.com/apache/avro.git#892d6997dcb65627560b04bd76c5a3dd97666cdf by codeql-mads-via-llm
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["org.apache.avro.generic", "GenericDatumReader", True, "read", "(Object,Decoder)", "", "Argument[1]", "unsafe-deserialization", "ai-generated"]
+      - ["org.apache.avro.generic", "GenericDatumReader", True, "read", "(Object,Schema,ResolvingDecoder)", "", "Argument[2]", "unsafe-deserialization", "ai-generated"]
--- a/java/ql/lib/ext/generated/llmgenerator/org.apache.avro.io.model.yml
+++ b/java/ql/lib/ext/generated/llmgenerator/org.apache.avro.io.model.yml
@@ -0,0 +1,8 @@
+# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT.
+# Generated from https://github.com/apache/avro.git#d3072c20b9e38a9c0ceb11009eadfb2a8e420583 by codeql-mads-via-llm
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["org.apache.avro.io", "DatumReader", True, "read", "(Object,Decoder)", "", "Argument[1]", "unsafe-deserialization", "ai-generated"]
--- a/java/ql/lib/ext/generated/llmgenerator/org.apache.avro.message.model.yml
+++ b/java/ql/lib/ext/generated/llmgenerator/org.apache.avro.message.model.yml
@@ -0,0 +1,19 @@
+# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT.
+# Generated from https://github.com/apache/avro.git#892d6997dcb65627560b04bd76c5a3dd97666cdf by codeql-mads-via-llm
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["org.apache.avro.message", "MessageDecoder", True, "decode", "(ByteBuffer)", "", "Argument[0]", "unsafe-deserialization", "ai-generated"]
+      - ["org.apache.avro.message", "MessageDecoder", True, "decode", "(ByteBuffer,Object)", "", "Argument[0]", "unsafe-deserialization", "ai-generated"]
+      - ["org.apache.avro.message", "MessageDecoder", True, "decode", "(InputStream)", "", "Argument[0]", "unsafe-deserialization", "ai-generated"]
+      - ["org.apache.avro.message", "MessageDecoder", True, "decode", "(InputStream,Object)", "", "Argument[0]", "unsafe-deserialization", "ai-generated"]
+      - ["org.apache.avro.message", "MessageDecoder", True, "decode", "(byte[])", "", "Argument[0]", "unsafe-deserialization", "ai-generated"]
+      - ["org.apache.avro.message", "MessageDecoder", True, "decode", "(byte[],Object)", "", "Argument[0]", "unsafe-deserialization", "ai-generated"]
+      - ["org.apache.avro.message", "MessageDecoder$BaseDecoder", True, "decode", "(ByteBuffer)", "", "Argument[0]", "unsafe-deserialization", "ai-generated"]
+      - ["org.apache.avro.message", "MessageDecoder$BaseDecoder", True, "decode", "(ByteBuffer,Object)", "", "Argument[0]", "unsafe-deserialization", "ai-generated"]
+      - ["org.apache.avro.message", "MessageDecoder$BaseDecoder", True, "decode", "(InputStream)", "", "Argument[0]", "unsafe-deserialization", "ai-generated"]
+      - ["org.apache.avro.message", "MessageDecoder$BaseDecoder", True, "decode", "(byte[])", "", "Argument[0]", "unsafe-deserialization", "ai-generated"]
+      - ["org.apache.avro.message", "MessageDecoder$BaseDecoder", True, "decode", "(byte[],Object)", "", "Argument[0]", "unsafe-deserialization", "ai-generated"]
+      - ["org.apache.avro.message", "RawMessageDecoder", True, "decode", "(InputStream,Object)", "", "Argument[0]", "unsafe-deserialization", "ai-generated"]
--- a/java/ql/lib/ext/generated/llmgenerator/org.apache.avro.model.yml
+++ b/java/ql/lib/ext/generated/llmgenerator/org.apache.avro.model.yml
@@ -0,0 +1,16 @@
+# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT.
+# Generated from https://github.com/apache/avro.git#892d6997dcb65627560b04bd76c5a3dd97666cdf by codeql-mads-via-llm
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["org.apache.avro", "Protocol", True, "parse", "(File)", "", "Argument[0]", "path-injection", "ai-generated"]
+      - ["org.apache.avro", "SchemaParser", True, "parse", "(Path,Charset)", "", "Argument[0]", "path-injection", "ai-generated"]
+      - ["org.apache.avro", "SchemaParser", True, "parse", "(URI,Charset)", "", "Argument[0]", "request-forgery", "ai-generated"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sourceModel
+    data:
+      - ["org.apache.avro", "Protocol", True, "parse", "(File)", "", "ReturnValue", "file", "ai-generated"]
+      - ["org.apache.avro", "SchemaParser", True, "parse", "(Path,Charset)", "", "ReturnValue", "file", "ai-generated"]
--- a/java/ql/lib/ext/generated/llmgenerator/org.apache.avro.reflect.model.yml
+++ b/java/ql/lib/ext/generated/llmgenerator/org.apache.avro.reflect.model.yml
@@ -0,0 +1,8 @@
+# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT.
+# Generated from https://github.com/apache/avro.git#892d6997dcb65627560b04bd76c5a3dd97666cdf by codeql-mads-via-llm
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["org.apache.avro.reflect", "ReflectDatumReader", True, "read", "(Object,Schema,ResolvingDecoder)", "", "Argument[2]", "unsafe-deserialization", "ai-generated"]
--- a/java/ql/lib/ext/generated/llmgenerator/org.apache.avro.specific.model.yml
+++ b/java/ql/lib/ext/generated/llmgenerator/org.apache.avro.specific.model.yml
@@ -0,0 +1,8 @@
+# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT.
+# Generated from https://github.com/apache/avro.git#892d6997dcb65627560b04bd76c5a3dd97666cdf by codeql-mads-via-llm
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["org.apache.avro.specific", "SpecificRecordBase", True, "readExternal", "(ObjectInput)", "", "Argument[0]", "unsafe-deserialization", "ai-generated"]
--- a/java/ql/lib/ext/generated/llmgenerator/org.apache.avro.util.model.yml
+++ b/java/ql/lib/ext/generated/llmgenerator/org.apache.avro.util.model.yml
@@ -0,0 +1,8 @@
+# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT.
+# Generated from https://github.com/apache/avro.git#d3072c20b9e38a9c0ceb11009eadfb2a8e420583 by codeql-mads-via-llm
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sourceModel
+    data:
+      - ["org.apache.avro.util", "RandomData", True, "main", "(String[])", "", "Argument[0]", "commandargs", "ai-generated"]
--- a/shared/threat-models/ext/supported-threat-models.model.yml
+++ b/shared/threat-models/ext/supported-threat-models.model.yml
@@ -4,3 +4,4 @@ extensions:
      extensible: threatModelConfiguration
    data:
      - ["default", true, -2147483648] # The "default" threat model is included by default
+      - ["local", true, 0]
Author	SHA1	Message	Date
Jack Nørskov Jørgensen	ea469966a5	Updated MaDs with certainty 5	2026-05-12 15:51:04 +02:00
Jack Nørskov Jørgensen	0249be2277	Updated MaDs with certainty 4	2026-05-12 15:49:37 +02:00
Jack Nørskov Jørgensen	8d22ee5508	Add MaDs for Apache Avro	2026-05-12 15:35:15 +02:00
Jack Nørskov Jørgensen	1d19b2f41f	Enable local threat-model by default	2026-05-12 15:35:15 +02:00