Implement threat models as extension packs #14548
Open
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR allows users to configure the threat models for their analysis by representing each threat model as an extension pack that can be added to the analysis. For example, if a user wanted to enable the "local flow sources" threat model, they would run
codeql database analyze --extensionPack codeql/threat-local, or the Actions or VS Code equivalent. This avoids having to add a new configuration option in many different places.Implementation notes
I moved the existing
ExternalFlowConfiguration.qllfile from Java into its own library pack,codeql/threat-models. This pack is language-agnostic. Any language that wants to consume threat models will depend on this pack, and every threat model extension pack will target this pack for extension.For each of the high-level threat models currently supported, I added a new extension pack
codeql/threat-<name>, where<name>is the name of the threat model. This extension pack just adds a single row to thesupportedThreatModelspredicate fromcodeql/threat-models, specifying the name of the threat model.The threat model system in QL supports a hierarchy of threat models (for example, "files" and "environment" are both sub-threat-models of "local"). I haven't added extension packs for the low-level threat models yet, but we can add those later easily enough.