Skip to content

[JAVA] What is the ThreatModelFlowSource? #16351

Closed Answered by michaelnebel
jiezhuzzz asked this question in Q&A
Discussion options

You must be logged in to vote

The sources in ThreatModelFlowSource is defined as a combination of Models as Data and QL. Sources are "often" return values of a method (API) call.
An example:
In java.net.model.yml the following source model is defined:

["java.net", "Socket", False, "getInputStream", "()", "", "ReturnValue", "remote", "manual"]

This means that the return value of calling the method getInputStream (defined in the class Socket in the package java.net) is considered a remote source of input (which is included in the default threat model). Models as Data is documented here: https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-java-and-kotlin/

The dataflow library works by fi…

Replies: 1 comment 3 replies

Comment options

You must be logged in to vote
3 replies
@jiezhuzzz
Comment options

@michaelnebel
Comment options

Answer selected by jiezhuzzz
@jiezhuzzz
Comment options

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Category
Q&A
Labels
None yet
2 participants