Java: Introduce a class of dataflow nodes for the threat modeling. #14257

Open: michaelnebel wants to merge 5 commits into main from java/threatmodelsources

michaelnebel (Contributor) commented Sep 19, 2023

In this PR we introduce a class of data flow nodes called ThreatModelFlowSource.
The idea is that these are the exact source nodes we are interested in under a given threat model.
For more background information see EDR.

With this implementation it will also be easy for a query to "opt-in" to threat models as defined by the ThreatModelFlowSource by updating the data flow configuration.

override predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }

With this change, we can convert most of the data flow related queries that are based on RemoteFlowSource to ThreatModelFlowSource as this (should) yield the same results as long as the default threat model is used (the default only contains remote).

@github-actions github-actions bot added the Java label Sep 19, 2023
@michaelnebel michaelnebel force-pushed the java/threatmodelsources branch 2 times, most recently from 9137397 to 52e8d6f, September 19, 2023 13:45
@michaelnebel michaelnebel force-pushed the java/threatmodelsources branch 2 times, most recently from ec83cbc to 3323f6c, September 28, 2023 08:29
@michaelnebel michaelnebel marked this pull request as ready for review September 28, 2023 10:59
@michaelnebel michaelnebel requested a review from a team as a code owner September 28, 2023 10:59
@michaelnebel michaelnebel added the no-change-note-required label (This PR does not need a change note) Sep 28, 2023

michaelnebel (Contributor, Author) commented:

DCA looks good!
