Java: Threat Models

java/ql/lib/ext/threatmodels/supported-threat-models.model.yml

@@ -0,0 +1,7 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/java-all
+      extensible: supportedThreatModels
+    data:
+      - ["default"] # The "default" threat model is always included.

java/ql/lib/ext/threatmodels/threat-model-grouping.model.yml

@@ -0,0 +1,23 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/java-all
+      extensible: threatModelGrouping
+    data:
+      # Default threat model
+      - ["remote", "default"]
+      - ["uri-path", "default"]
+
+      # Android threat models
+      - ["android-external-storage-dir", "android"]
+      - ["contentprovider", "android"]
+
+      # Remote threat models
+      - ["request", "remote"]
+      - ["response", "remote"]
+
+      # Local threat models
+      - ["database", "local"]
+      - ["cli", "local"]
+      - ["environment", "local"]
+      - ["file", "local"]

java/ql/lib/qlpack.yml

@@ -15,4 +15,5 @@ dataExtensions:
   - ext/*.model.yml
   - ext/generated/*.model.yml
   - ext/experimental/*.model.yml
+  - ext/threatmodels/*.model.yml
 warnOnImplicitThis: true

java/ql/lib/semmle/code/java/dataflow/ExternalFlowConfiguration.qll

@@ -0,0 +1,31 @@
+/**
+ * INTERNAL use only. This is an experimental API subject to change without notice.
+ *
+ * This module provides extensible predicates for configuring which kinds of MaD models
+ * are applicable to generic queries.
+ */
+
+private import ExternalFlowExtensions
+
+/**
+ * Holds if the specified kind of source model is supported for the current query.
+ */
+extensible private predicate supportedThreatModels(string kind);
+
+/**
+ * Holds if the specified kind of source model is containted within the specified group.
+ */
+extensible private predicate threatModelGrouping(string kind, string group);
+
+/**
+ * Gets the threat models that are direct descendants of the specified kind/group.
+ */
+private string getChildThreatModel(string group) { threatModelGrouping(result, group) }
+
+/**
+ * Holds if the source model kind `kind` is relevant for generic queries
+ * under the current threat model configuration.
+ */
+predicate sourceModelKindConfig(string kind) {
+  exists(string group | supportedThreatModels(group) and kind = getChildThreatModel*(group))
+}

java/ql/test/library-tests/dataflow/threat-models/Empty.java

@@ -0,0 +1 @@
+class Empty { }

java/ql/test/library-tests/dataflow/threat-models/threat-models1.expected

@@ -0,0 +1,5 @@
+| default |
+| remote |
+| request |
+| response |
+| uri-path |

java/ql/test/library-tests/dataflow/threat-models/threat-models1.ql

@@ -0,0 +1,5 @@
+import semmle.code.java.dataflow.ExternalFlowConfiguration as ExternalFlowConfiguration
+
+query predicate supportedThreatModels(string kind) {
+  ExternalFlowConfiguration::sourceModelKindConfig(kind)
+}

java/ql/test/library-tests/dataflow/threat-models/threat-models2.expected

@@ -0,0 +1,10 @@
+| cli |
+| database |
+| default |
+| environment |
+| file |
+| local |
+| remote |
+| request |
+| response |
+| uri-path |

java/ql/test/library-tests/dataflow/threat-models/threat-models2.ext.yml

@@ -0,0 +1,7 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/java-all
+      extensible: supportedThreatModels
+    data:
+      - ["local"] # Add the "local" group threat model.

java/ql/test/library-tests/dataflow/threat-models/threat-models2.ql

@@ -0,0 +1,5 @@
+import semmle.code.java.dataflow.ExternalFlowConfiguration as ExternalFlowConfiguration
+
+query predicate supportedThreatModels(string kind) {
+  ExternalFlowConfiguration::sourceModelKindConfig(kind)
+}