
CodeQL threat models are configurable in order to enable/disable sources of taint in code scanning (Java) [beta] #810

Open
github-product-roadmap opened this issue Aug 9, 2023 · 1 comment
Labels: beta (Feature phase: Beta), code scanning (Feature: GitHub Code Scanning), codeql (Feature: GitHub CodeQL), GHES 3.13, github advanced security (Product SKU: GitHub Advanced Security), shipped

Comments

@github-product-roadmap (Collaborator)

Summary

New CodeQL threat model settings will allow security-minded users to configure additional local sources of taint to use in code scanning if required by their codebase. The first language to support this functionality in CodeQL will be Java.

Intended Outcome

No two codebases are the same and each has a different threat model, depending on how it has been designed and how it is deployed. For example, one codebase might only consider remote HTTP requests to be a potentially untrusted (tainted) source, whereas another might also consider local files to be a source of tainted user data. CodeQL can perform security analysis on all such codebases, but it needs to behave slightly differently in each case. If we fail to include types of taint source that are relevant to a codebase, then we may miss important results (false negatives). Conversely, if we include types of taint source that are irrelevant, then we may generate too many results (false positives).

How will it work?

With CodeQL threat model settings, code scanning users will be able to configure which types of tainted data to use in code scanning in the UI. CodeQL CLI users will be able to specify threat model settings on the command line.

@github github locked and limited conversation to collaborators Aug 9, 2023
@github-product-roadmap added the labels beta (Feature phase: Beta), code scanning (Feature: GitHub Code Scanning), codeql (Feature: GitHub CodeQL) and github advanced security (Product SKU: GitHub Advanced Security) on Aug 9, 2023
@ankneis (Collaborator)

ankneis commented Jan 11, 2024

@ankneis added the labels shipped and GHES 3.13 on Jan 11, 2024
Projects: Status: Q4 2023 – Oct-Dec
Development: No branches or pull requests
2 participants