Better handling of all threat model without too many binding sets

github · Oct 24, 2023 · 33f10d8 · 33f10d8
1 parent 5fd56ce
commit 33f10d8
Show file tree

Hide file tree

Showing 6 changed files with 33 additions and 54 deletions.
diff --git a/shared/threat-models-ext/README.md b/shared/threat-models-ext/README.md
diff --git a/shared/threat-models-ext/android/qlpack.yml b/shared/threat-models-ext/android/qlpack.yml
diff --git a/shared/threat-models-ext/android/threat.model.yml b/shared/threat-models-ext/android/threat.model.yml
diff --git a/shared/threat-models-ext/local/qlpack.yml b/shared/threat-models-ext/local/qlpack.yml
diff --git a/shared/threat-models-ext/local/threat.model.yml b/shared/threat-models-ext/local/threat.model.yml
diff --git a/shared/threat-models/codeql/threatmodels/ThreatModels.qll b/shared/threat-models/codeql/threatmodels/ThreatModels.qll
@@ -28,29 +28,51 @@ extensible predicate threatModelConfiguration(string kind, boolean enable, int p
  */
 extensible private predicate threatModelGrouping(string kind, string group);
 
+/** Holds if the specified threat model kind is mentioned in either the configuration or grouping table. */
+private predicate knownThreatModel(string kind) {
+  threatModelConfiguration(kind, _, _) or
+  threatModelGrouping(kind, _) or
+  threatModelGrouping(_, kind) or
+  kind = "all"
+}
+
 /**
  * Gets the threat model group that directly contains the specified threat model.
  */
 private string getParentThreatModel(string child) {
   threatModelGrouping(child, result)
+  or
+  knownThreatModel(child) and child != "all" and result = "all"
 }
 
 /**
- * Holds if the source model kind `kind` is relevant for generic queries
- * under the current threat model configuration.
+ * Gets the `enabled` column of the highest-priority configuration row whose `kind` column includes
+ * the specified threat model kind.
  */
-bindingset[kind]
-predicate currentThreatModel(string kind) {
+private boolean threatModelExplicitState(string kind) {
   // Find the highest-oriority configuration row whose `kind` column includes the specified threat
   // model kind. If such a row exists and its `enabled` column is `true`, then the threat model is
   // enabled.
-  max(boolean enabled, int priority |
-    exists(string configuredKind |
-      configuredKind = getParentThreatModel*(kind) or configuredKind = "all"
+  (knownThreatModel(kind) or kind = "<other>") and
+  result =
+    max(boolean enabled, int priority |
+      exists(string configuredKind | configuredKind = getParentThreatModel*(kind) |
+        threatModelConfiguration(configuredKind, enabled, priority)
+      )
     |
-      threatModelConfiguration(configuredKind, enabled, priority)
+      enabled order by priority
     )
-  |
-    enabled order by priority
-  ) = true
+}
+
+/**
+ * Holds if the source model kind `kind` is relevant for generic queries
+ * under the current threat model configuration.
+ */
+bindingset[kind]
+predicate currentThreatModel(string kind) {
+  knownThreatModel(kind) and threatModelExplicitState(kind) = true
+  or
+  // For any threat model kind not mentioned in the configuration or grouping tables, its state of
+  // enablement is controlled only by the entries that specifiy the "all" kind.
+  not knownThreatModel(kind) and threatModelExplicitState("all") = true
 }