Go: Introduce Threat Modeling #16697
Conversation
Looks great! One question: what is the string from getSourceType() ever used for? There are some cases where it could be more precise/consistent, but then I didn't actually see its value being used for anything so I wasn't sure if that was important.
This might not be necessary for Go. In the C# library, this is used for some of the queries which give some extra information about the source in the alert message. For example: codeql/csharp/ql/src/Security Features/CWE-089/SqlInjection.ql, lines 19 to 24 in 24c9062.
I can remove the
I ran a poll amongst our colleagues and they unanimously voted for not introducing getSourceType. If you remove it in a separate commit then that commit can always be reverted if someone wants it in future. It sounds like they want to deprecate it and eventually remove it for Java as well.
@owen-mc sorry for the delay, but I have added the commit to remove
Initial implementation of threat modeling in Go. Based on #15359 which introduced the threat modeling in C#.

The terms in the `getSourceType` implementations might not be the best for each individual remote source.

Note: The Go library currently does not appear to have any local sources modeled, so this currently only handles remote flow sources.

Important: This does not change the queries and libraries to use `ThreatModelFlowSource`. This merely introduces the class and a few minor changes to the class hierarchy to make later changes easier. Changing queries to use `ThreatModelFlowSource` instead of `RemoteFlowSource` is tracked in #16709.