Use CodeQL threat model settings for Java (beta) to adapt CodeQL's code scanning analysis to detect the most relevant security vulnerabilities in your code.
No two codebases are the same and each is subject to different security risks and threats. Such risks and threats can be captured in a codebase's threat model which, in turn, depends on how the code has been designed and will be deployed. To understand the threat model you need to know what type of data is untrusted and poses a threat to the codebase. Additonally, you need to know how that unstrusted (or tainted) data interacts with the application. For example, one codebase might only consider data from remote network requests to be untrusted, whereas another might also consider data from local files to be tainted.
CodeQL can perform security analysis on all such codebases, but it needs to have the right context. It needs the threat model in order to behave slightly differently on different codebases. That way, CodeQL can include (or exclude) the appropriate sources of tainted data during its analysis, and flag up the most relevant security vulnerabilities to developers who work on the code.
CodeQL's default threat model works for the vast majority of codebases. It considers data from remote sources (such as HTTP requests) as tainted. Using new CodeQL threat model settings for Java, you can now optionally mark local sources of data as tainted. This includes data from local files, command-line arguments, environment variables, and databases. You can enable the local threat model option in code scanning to help security teams and developers uncover and fix more potential security vulnerabilities in their code.
CodeQL threat model settings can be configured in repositories running code scanning with CodeQL via default setup in the GitHub UI. Alternatively, you can specify it through advanced setup (in an Actions workflow file).
If your repository is running code scanning default setup on Java code, go to the Code security and analysis settings and click Edit configuration under Code scanning default setup. Here, you can change the threat model to Remote and local sources. For more information, see the documentation on including local sources of tainted data in default setup.
If your repository is running code scanning advanced setup on Java code, you can customize the CodeQL threat model by editing the code scanning workflow file. For more information, see the documentation on extending CodeQL coverage with threat models. If you run the CodeQL CLI on the command-line or in third party CI/CD, you can specify a
--threat-model when running a code scanning analysis. For more information see the CodeQL CLI documentation.
CodeQL threat model settings (beta) in code scanning default setup is available on GitHub.com for repositories containing Java code. It will be shipped in GitHub Enterprise Server 3.13.