Java: Introduce a class of dataflow nodes for the threat modeling.#14257

Merged
michaelnebel merged 6 commits into github:main from michaelnebel:java/threatmodelsources
Oct 3, 2023

@michaelnebel michaelnebel commented Sep 19, 2023

In this PR we introduce a class of data flow nodes called ThreatModelFlowSource.
The idea is that these are the exact source nodes we are interested in under a given threat model.
For more background information see EDR.

With this implementation it will also be easy for a query to "opt-in" to threat models as defined by the ThreatModelFlowSource by updating the data flow configuration.

override predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }

With this change, we can convert most of the data flow related queries that are based on RemoteFlowSource to ThreatModelFlowSource as this (should) yield the same results as long as the default threat model is used (the default only contains remote).
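
Added example, not part of the PR or of the CodeQL repository: a complete path query that opts in to threat models through `ThreatModelFlowSource`, written with the module-based `DataFlow::ConfigSig` API rather than the `override` form quoted above. The query name and id and the choice of `Runtime.exec` as the sink are assumptions made for illustration.

```ql
/**
 * @name Command line built from a threat-model source (illustrative)
 * @description Added example: reports data that flows from any source enabled
 *              by the active threat model into the first argument of Runtime.exec.
 * @kind path-problem
 * @problem.severity error
 * @id java/example/threat-model-exec
 */

import java
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.dataflow.TaintTracking

module ExecConfig implements DataFlow::ConfigSig {
  // Opt in to threat models: with the default threat model (remote only)
  // this selects the same nodes as RemoteFlowSource.
  predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }

  // Assumed sink for this example: the command argument of java.lang.Runtime.exec.
  predicate isSink(DataFlow::Node sink) {
    exists(Call c |
      c.getCallee().hasQualifiedName("java.lang", "Runtime", "exec") and
      sink.asExpr() = c.getArgument(0)
    )
  }
}

module ExecFlow = TaintTracking::Global<ExecConfig>;

import ExecFlow::PathGraph

from ExecFlow::PathNode source, ExecFlow::PathNode sink
where ExecFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "Command line depends on $@.", source.getNode(),
  "a source enabled by the threat model"
```

Because the source set is defined by the threat model configuration and not by the query, the same query reports additional paths when more threat models are enabled, with no change to `isSource`.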

@github-actions github-actions Bot added the Java label Sep 19, 2023
Comment thread java/ql/lib/semmle/code/java/dataflow/FlowSources.qll Fixed
@michaelnebel michaelnebel force-pushed the java/threatmodelsources branch 2 times, most recently from 9137397 to 52e8d6f Compare September 19, 2023 13:45
@michaelnebel michaelnebel force-pushed the java/threatmodelsources branch 3 times, most recently from 3323f6c to 512b386 Compare September 28, 2023 08:52
@michaelnebel michaelnebel marked this pull request as ready for review September 28, 2023 10:59
@michaelnebel michaelnebel requested a review from a team as a code owner September 28, 2023 10:59
@michaelnebel michaelnebel added the no-change-note-required This PR does not need a change note label Sep 28, 2023
@michaelnebel

DCA looks good!

Comment thread java/ql/lib/semmle/code/java/dataflow/FlowSources.qll Outdated
@michaelnebel michaelnebel force-pushed the java/threatmodelsources branch 3 times, most recently from 83b7c82 to 29f4731 Compare October 2, 2023 14:22
@michaelnebel michaelnebel force-pushed the java/threatmodelsources branch from 29f4731 to 5b949b1 Compare October 3, 2023 07:16
Comment thread java/ql/lib/semmle/code/java/dataflow/FlowSources.qll

@aschackmull aschackmull left a comment

I've not really looked through the tests and their output, but the QL LGTM now.

@michaelnebel

> I've not really looked through the tests and their output, but the QL LGTM now.

Thank you @aschackmull!

@michaelnebel michaelnebel merged commit 8224f17 into github:main Oct 3, 2023
@michaelnebel michaelnebel deleted the java/threatmodelsources branch October 3, 2023 14:10