Alternate threat model implementation #14582
This looks really nice @dbartol!
| /** | ||
| * Gets the `enabled` column of the highest-priority configuration row whose `kind` column includes | ||
| * the specified threat model kind. | ||
| */ | ||
| private boolean threatModelExplicitState(string kind) { | ||
| // Find the highest-oriority configuration row whose `kind` column includes the specified threat | ||
| // model kind. If such a row exists and its `enabled` column is `true`, then the threat model is | ||
| // enabled. | ||
| (knownThreatModel(kind) or kind = "<other>") and | ||
| result = | ||
| max(boolean enabled, int priority | | ||
| exists(string configuredKind | configuredKind = getParentThreatModel*(kind) | | ||
| threatModelConfiguration(configuredKind, enabled, priority) | ||
| ) | ||
| | | ||
| enabled order by priority | ||
| ) | ||
| } |
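Review bot: the comment inside `threatModelExplicitState` still describes a holds-style predicate ("If such a row exists and its `enabled` column is `true`, then the threat model is enabled"), but the predicate returns the `enabled` value of the winning row, which may be `false`; reword it to match the QLDoc above and fix the typo "highest-oriority". It would also help to state what is expected when two matching rows share a `priority` but differ in `enabled`, since `max(... | enabled order by priority)` ranks by `priority` alone.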
| /** | |
| * Gets the `enabled` column of the highest-priority configuration row whose `kind` column includes | |
| * the specified threat model kind. | |
| */ | |
| private boolean threatModelExplicitState(string kind) { | |
| // Find the highest-oriority configuration row whose `kind` column includes the specified threat | |
| // model kind. If such a row exists and its `enabled` column is `true`, then the threat model is | |
| // enabled. | |
| (knownThreatModel(kind) or kind = "<other>") and | |
| result = | |
| max(boolean enabled, int priority | | |
| exists(string configuredKind | configuredKind = getParentThreatModel*(kind) | | |
| threatModelConfiguration(configuredKind, enabled, priority) | |
| ) | |
| | | |
| enabled order by priority | |
| ) | |
| } | |
| /** | |
| * Holds if the `enabled` column is set to `true` of the highest-priority configuration row | |
| * whose `kind` column includes the specified threat model kind. | |
| */ | |
| private predicate threatModelEnabled(string kind) { | |
| // Find the highest-oriority configuration row whose `kind` column includes the specified threat | |
| // model kind. If such a row exists and its `enabled` column is `true`, then the threat model is | |
| // enabled. | |
| knownThreatModel(kind) and | |
| max(boolean enabled, int priority | | |
| exists(string configuredKind | configuredKind = getParentThreatModel*(kind) | | |
| threatModelConfiguration(configuredKind, enabled, priority) | |
| ) | |
| | | |
| enabled order by priority | |
| ) = true | |
| } |
| // Find the highest-oriority configuration row whose `kind` column includes the specified threat | ||
| // model kind. If such a row exists and its `enabled` column is `true`, then the threat model is | ||
| // enabled. | ||
| (knownThreatModel(kind) or kind = "<other>") and |
What does kind = <other> represent?
| */ | ||
| bindingset[kind] | ||
| predicate currentThreatModel(string kind) { | ||
| knownThreatModel(kind) and threatModelExplicitState(kind) = true |
| knownThreatModel(kind) and threatModelExplicitState(kind) = true | |
| knownThreatModel(kind) and threatModelEnabled(kind) |
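Review bot: in the second line of this suggestion, the leading `knownThreatModel(kind)` conjunct is redundant, because the suggested `threatModelEnabled(kind)` already starts with `knownThreatModel(kind) and`; `threatModelEnabled(kind)` alone would be enough for this disjunct. The `not knownThreatModel(kind)` disjunct that follows still needs its own check.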
| or | ||
| // For any threat model kind not mentioned in the configuration or grouping tables, its state of | ||
| // enablement is controlled only by the entries that specifiy the "all" kind. | ||
| not knownThreatModel(kind) and threatModelExplicitState("all") = true |
| not knownThreatModel(kind) and threatModelExplicitState("all") = true | |
| not knownThreatModel(kind) and threatModelEnabled("all") |
This is an alternate implementation of threat models that depends on a new CLI option (`--threat-model`) that generates a temporary extension pack to configure the supported threat models. Compare to #14548, which does not require a new CLI option.

This implementation has a few advantages over the other:

- `local` sources except `environment`).
- `all` threat model works as originally intended.

The downside is that we have to add a new configuration setting to half a dozen places.

Implementation details

`codeql database analyze` will accept a new `--threat-model` option that can be specified multiple times. Each instance of the option accepts a string argument with the name of a threat model, optionally preceded by `!`. Without a `!`, the option enables the specified threat model, or, if the specified model is a group, all of its descendants. With a `!`, the option disables the specified threat model or its descendants. The options are processed in order.

Before running the analysis, the CLI will generate a temporary extension pack that extends the `threatModelConfiguration` predicate with one row for each instance of the `--threat-model` option. The row will contain the following columns:

- `kind` - The name of the threat model, without any `!` prefix.
- `enabled` - A `boolean` value set to `false` if the argument had a `!` prefix, and `true`, otherwise.
- `priority` - An `int` value specifying the order in which the option was processed. The first instance gets priority `0`, the next gets priority `1`, and so on.

At evaluation time, the `codeql/threat-models` library processes the `threatModelConfiguration` table to determine which threat models are actually enabled.
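The resolution rule described above, modelled in Python as an added example (not code from this PR, the CodeQL CLI or the `codeql/threat-models` library). The grouping table and the names `PARENT`, `rows_from_options`, `ancestors`, `explicit_state` and `is_enabled` are constructed for illustration, and the model assumes no configuration rows other than those generated from the options.

```python
# Constructed grouping table (child -> parent). An assumption for illustration,
# not the real data shipped in codeql/threat-models.
PARENT = {"remote": "all", "local": "all", "environment": "local", "file": "local"}

def rows_from_options(options):
    """Map ordered --threat-model arguments to (kind, enabled, priority) rows."""
    rows = []
    for priority, arg in enumerate(options):
        enabled = not arg.startswith("!")
        rows.append((arg if enabled else arg[1:], enabled, priority))
    return rows

def ancestors(kind):
    """The kind itself plus every group above it (models getParentThreatModel*)."""
    chain = [kind]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain

def explicit_state(kind, rows):
    """`enabled` of the highest-priority row naming kind or an ancestor, else None."""
    scope = ancestors(kind)
    matching = [(priority, enabled) for k, enabled, priority in rows if k in scope]
    return max(matching)[1] if matching else None

def is_enabled(kind, rows):
    """Models currentThreatModel: unknown kinds follow only rows that name "all"."""
    known = kind in PARENT or kind in PARENT.values() or any(k == kind for k, _, _ in rows)
    return explicit_state(kind if known else "all", rows) is True

if __name__ == "__main__":
    # "custom" is a kind absent from both the grouping table and the options.
    for opts in (["local", "!environment"], ["!environment", "local"], ["all", "!local"]):
        rows = rows_from_options(opts)
        state = {k: is_enabled(k, rows) for k in ("remote", "file", "environment", "custom")}
        print(opts, state)
```

Swapping the order of `local` and `!environment` flips the result for `environment`, because the later option gets the higher priority.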