Java: Opt-in java/tainted-permissions-check to threat models. #16772

Merged

Contributor

@michaelnebel michaelnebel commented Jun 17, 2024

In this PR we opt-in the java/tainted-permissions-check to threat models.

Prior to this change, the query used both remote and local sources as input. Now the default is to use only remote sources (as this is the threat models default). However, it is possible to enable local (or other) sources by enabling the relevant threat model.

Using MRVA on java top-100 for this query we get

  • 1 result for remote flow sources.
  • 3 results for remote + local flow sources.

DCA looks good; there are no changes to performance or alerts.

It seems that this query doesn't produce an overwhelming number of results in general.
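The opt-in described above, as an added illustration that is not part of the PR or the CodeQL project: a code scanning configuration that keeps the new default (remote sources only) beside one that re-enables local sources for this query. The `threat-models` key, the `local` value and the `security-and-quality` suite reference are assumed to follow the CodeQL configuration-file format; verify them against the CodeQL documentation for the CLI version in use.

```yaml
# Added example (not from the PR): two CodeQL code scanning configurations.
#
# Configuration 1: the default after this change. Only the 'remote' threat
# model is active, so java/tainted-permissions-check reports permission
# checks built from remote sources only (1 MRVA result on java top-100,
# per the PR description).
name: "Tainted permissions: remote sources only (default)"
queries:
  - uses: security-and-quality   # assumed: a suite containing java/tainted-permissions-check
# No threat-models key: the threat models default (remote) applies.

---
# Configuration 2: opting local sources back in (3 MRVA results on java
# top-100, per the PR description). Enabling the 'local' threat model makes
# the local sources the query used before this change count as tainted again.
name: "Tainted permissions: remote + local sources"
queries:
  - uses: security-and-quality   # assumed, as above
threat-models:                   # assumed key name; check the CodeQL docs for your CLI version
  - local
```

The alert difference between the two runs (remote-only versus remote plus local) is the same opt-in the PR measures with MRVA; the second configuration is the one to use when local input to a permission check is considered untrusted.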

@michaelnebel michaelnebel changed the title Java: Opt-in Java/taintedpermissionthreatmodel to threat models. Java: Opt-in java/tainted-permissions-check to threat models. Jun 17, 2024
@michaelnebel michaelnebel marked this pull request as ready for review June 17, 2024 12:46
@michaelnebel michaelnebel requested a review from a team as a code owner June 17, 2024 12:46
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
@michaelnebel michaelnebel merged commit cd9d58f into github:main Jun 18, 2024
@michaelnebel michaelnebel deleted the java/taintedpermissionthreatmodel branch June 18, 2024 08:54