feat(lib): Add Taint Tracking module and update Concepts

GeekMasher · GeekMasher · commit ac05a3e6bc7c · 2025-06-17T21:02:41.000+01:00
diff --git a/ql/lib/codeql/bicep/Concepts.qll b/ql/lib/codeql/bicep/Concepts.qll
@@ -1,5 +1,47 @@
 private import codeql.bicep.AST
 private import codeql.bicep.CFG
+private import codeql.bicep.DataFlow
+private import codeql.threatmodels.ThreatModels
+
+
+/**
+ * A data flow source for a specific threat-model.
+ *
+ * Extend this class to refine existing API models. If you want to model new APIs,
+ * extend `ThreatModelSource::Range` instead.
+ */
+final class ThreatModelSource = ThreatModelSource::Range;
+
+/**
+ * Provides a class for modeling new sources for specific threat-models.
+ */
+module ThreatModelSource {
+  /**
+   * A data flow source, for a specific threat-model.
+   */
+  abstract class Range extends DataFlow::Node {
+    /**
+     * Gets a string that represents the source kind with respect to threat modeling.
+     *
+     * See
+     * - https://github.com/github/codeql/blob/main/docs/codeql/reusables/threat-model-description.rst
+     * - https://github.com/github/codeql/blob/main/shared/threat-models/ext/threat-model-grouping.model.yml
+     */
+    abstract string getThreatModel();
+
+    /**
+     * Gets a string that describes the type of this threat-model source.
+     */
+    abstract string getSourceType();
+  }
+}
+
+/**
+ * A data flow source that is enabled in the current threat model configuration.
+ */
+class ActiveThreatModelSource extends ThreatModelSource {
+  ActiveThreatModelSource() { currentThreatModel(this.getThreatModel()) }
+}
 
 /**
  *  A Public Resource is a resource that is publicly accessible to the Internet.
diff --git a/ql/lib/codeql/bicep/TaintTracking.qll b/ql/lib/codeql/bicep/TaintTracking.qll
@@ -0,0 +1 @@
+import dataflow.TaintTracking
