diff --git a/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.md b/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.md index e06a9907bd14..5c6255466be5 100644 --- a/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.md +++ b/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.md @@ -285,7 +285,7 @@ If your codebase depends on a library or framework that is not recognized by the {% data reusables.code-scanning.beta-model-packs %} -{% ifversion codeql-threat-models-java %} +{% ifversion codeql-threat-models %} ### Using {% data variables.product.prodname_codeql %} model packs @@ -501,7 +501,7 @@ packs: {% endraw %} {% endif %} -{% ifversion codeql-threat-models-java %} +{% ifversion codeql-threat-models %} ### Extending {% data variables.product.prodname_codeql %} coverage with threat models diff --git a/content/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup.md b/content/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup.md index 74e9c5eeacb6..625066208ccd 100644 --- a/content/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup.md +++ b/content/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup.md 
@@ -15,8 +15,8 @@ topics: After running an initial analysis of your code with default setup, you may need to make changes to your configuration to better meet your code security needs. For existing configurations of default setup, you can edit{% ifversion code-scanning-without-workflow-310 %}: - Which languages default setup will analyze. -- {% endif %} The query suite run during analysis. For more information on the available query suites, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites)."{% ifversion codeql-threat-models-java %} -- The threat models (beta) to use for analysis. Your choice of threat model determines which sources of tainted data are treated as a risk to your application. During the beta, threat models are supported only by Java analysis. For more information about threat models, see "[Including local sources of tainted data in default setup](#including-local-sources-of-tainted-data-in-default-setup)." +- {% endif %} The query suite run during analysis. For more information on the available query suites, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites)."{% ifversion codeql-threat-models %} +- The threat models (beta) to use for analysis. Your choice of threat model determines which sources of tainted data are treated as a risk to your application. During the beta, threat models are supported only for analysis of {% data variables.code-scanning.code_scanning_threat_model_support %}. For more information about threat models, see "[Including local sources of tainted data in default setup](#including-local-sources-of-tainted-data-in-default-setup)." {% endif %} {% ifversion codeql-model-packs %} 
@@ -37,7 +37,7 @@ If you need to change any other aspects of your {% data variables.product.prodna 1. In the "{% data variables.product.prodname_codeql %} analysis" row of the "{% data variables.product.prodname_code_scanning_caps %}" section, select {% octicon "kebab-horizontal" aria-label="Menu" %}, then click {% octicon "gear" aria-hidden="true" %} **View {% data variables.product.prodname_codeql %} configuration**. 1. In the "{% data variables.product.prodname_codeql %} default configuration" window, click {% octicon "pencil" aria-hidden="true" %} **Edit**. 1. Optionally, in the "Languages" section, select or deselect languages for analysis. -1. Optionally, in the "Query suite" row of the "Scan settings" section, select a different query suite to run against your code.{% ifversion codeql-threat-models-java %} +1. Optionally, in the "Query suite" row of the "Scan settings" section, select a different query suite to run against your code.{% ifversion codeql-threat-models %} 1. (Beta) Optionally, in the "Threat model" row of the "Scan settings" section, select **Remote and local sources**. {% endif %} 1. To update your configuration, as well as run an initial analysis of your code with the new configuration, click **Save changes**. All future analyses will use your new configuration. 
@@ -64,7 +64,7 @@ If you need to change any other aspects of your {% data variables.product.prodna 1. Under "{% data variables.product.prodname_code_scanning_caps %}", in the "Protection rules" section, use the drop-down menu to define which alerts should cause a check failure. Choose one level for alerts of type "Security" and one level for all other alerts.{% else %} 1. Under "{% data variables.product.prodname_code_scanning_caps %}", to the right of "Check Failure", use the drop-down menu to select the level of severity you would like to cause a pull request check failure.{% endif %} -{% ifversion codeql-threat-models-java %} +{% ifversion codeql-threat-models %} ## Including local sources of tainted data in default setup diff --git a/content/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries.md b/content/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries.md index afaeeb50a972..11fb33207ebc 100644 --- a/content/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries.md +++ b/content/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries.md 
@@ -296,13 +296,13 @@ For more information, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advan For information about creating custom query suites, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-codeql-query-suites)." -{% ifversion codeql-cli-threat-models-java %} +{% ifversion codeql-cli-threat-models %} ### Including model packs to add potential sources of tainted data {% data reusables.code-scanning.beta-threat-models-cli %} -You can configure threat models in a {% data variables.product.prodname_code_scanning %} analysis. For more information, see "[Customizing library models for Java and Kotlin](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-java-and-kotlin)" in the {% data variables.product.prodname_codeql %} documentation. +You can configure threat models in a {% data variables.product.prodname_code_scanning %} analysis. For more information, see "[Threat models for Java and Kotlin](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-java-and-kotlin/#threat-models)" and "[Threat models for C#](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-csharp/#threat-models)" in the {% data variables.product.prodname_codeql %} documentation. ```shell $ codeql database analyze /codeql-dbs/my-company --format=sarif-latest \ diff --git a/data/features/codeql-cli-threat-models-java.yml b/data/features/codeql-cli-threat-models.yml similarity index 77% rename from data/features/codeql-cli-threat-models-java.yml rename to data/features/codeql-cli-threat-models.yml index e84844e20160..60b8e678630d 100644 --- a/data/features/codeql-cli-threat-models-java.yml +++ b/data/features/codeql-cli-threat-models.yml @@ -1,4 +1,4 @@ -# Reference: #12431. +# Reference: #12431 and #13323 # Documentation for CodeQL threat models for CodeQL CLI versions: fpt: '*' 
diff --git a/data/features/codeql-threat-models-java.yml b/data/features/codeql-threat-models.yml similarity index 74% rename from data/features/codeql-threat-models-java.yml rename to data/features/codeql-threat-models.yml index 000ec5acc597..272b93e56882 100644 --- a/data/features/codeql-threat-models-java.yml +++ b/data/features/codeql-threat-models.yml @@ -1,4 +1,4 @@ -# Reference: #12431. +# Reference: #12431 and #13323 # Documentation for CodeQL threat models versions: fpt: '*' diff --git a/data/reusables/code-scanning/beta-threat-models-cli.md b/data/reusables/code-scanning/beta-threat-models-cli.md index 70b0ac92ba06..610c80ec3056 100644 --- a/data/reusables/code-scanning/beta-threat-models-cli.md +++ b/data/reusables/code-scanning/beta-threat-models-cli.md @@ -1,8 +1,8 @@ -{% ifversion codeql-cli-threat-models-java %} +{% ifversion codeql-cli-threat-models %} {% note %} -**Note:** Threat models are currently in beta and subject to change. During the beta, threat models are supported only by Java analysis. +**Note:** Threat models are currently in beta and subject to change. During the beta, threat models are supported only by analysis for {% data variables.code-scanning.code_scanning_threat_model_support %}. {% endnote %} diff --git a/data/reusables/code-scanning/beta-threat-models.md b/data/reusables/code-scanning/beta-threat-models.md index f5d7dc2578b4..d3f4862ed7f7 100644 --- a/data/reusables/code-scanning/beta-threat-models.md +++ b/data/reusables/code-scanning/beta-threat-models.md @@ -1,8 +1,8 @@ -{% ifversion codeql-threat-models-java %} +{% ifversion codeql-threat-models %} {% note %} -**Note:** Threat models are currently in beta and subject to change. During the beta, threat models are supported only by Java analysis. +**Note:** Threat models are currently in beta and subject to change. During the beta, threat models are supported only by analysis for {% data variables.code-scanning.code_scanning_threat_model_support %}. {% endnote %} 
diff --git a/data/variables/code-scanning.yml b/data/variables/code-scanning.yml index 18c626152990..76766d1cc35a 100644 --- a/data/variables/code-scanning.yml +++ b/data/variables/code-scanning.yml @@ -14,3 +14,6 @@ compiled_languages: 'C/C++, C#, {% ifversion codeql-go-autobuild %} Go,{% endif # List of languages where the libraries support expansion using CodeQL model packs at the repository level. codeql_model_packs_support: 'Java/Kotlin and C#' + +# List of that allow threat models to be configurable for code scanning +code_scanning_threat_model_support: 'Java/Kotlin{% ifversion fpt or ghec or ghes > 3.12 %} and C#{% endif %}'
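Review bot: In the analyzing-your-code-with-codeql-queries.md hunk, the new "Threat models for C#" link is rendered unconditionally, while the `code_scanning_threat_model_support` variable introduced in this same patch only adds "and C#" for `fpt or ghec or ghes > 3.12`. Either wrap the C# link in the same `{% ifversion fpt or ghec or ghes > 3.12 %}...{% endif %}` condition, or note in the PR why the CLI page is intentionally not gated by GHES version.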
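Review bot: The rename of `codeql-cli-threat-models-java.yml` to `codeql-cli-threat-models.yml` (and likewise `codeql-threat-models-java.yml`) changes the feature name that every `{% ifversion %}` tag resolves; the hunks here update the references in four content files and two reusables, but please confirm with a repository-wide search that no other file (other reusables, release notes, the contributing-to-github-docs guides) still uses `codeql-threat-models-java` or `codeql-cli-threat-models-java`, since a stale reference would point at a feature that no longer exists.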
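Review bot: In the beta-threat-models-cli.md hunk the new note reads "supported only by analysis for {% data variables.code-scanning.code_scanning_threat_model_support %}", whereas the editing-your-configuration-of-default-setup.md hunk in this same patch uses "supported only for analysis of ...". Pick one phrasing for both; "supported only for analysis of" reads more naturally.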
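Review bot: The beta-threat-models.md hunk has the same "supported only by analysis for ..." wording as beta-threat-models-cli.md; apply the same phrasing fix here so the two reusables stay identical apart from their feature flag.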
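Review bot: In the data/variables/code-scanning.yml hunk the new comment is missing a word: "# List of that allow threat models to be configurable for code scanning" should read something like "# List of languages for which threat models are configurable in code scanning", matching the style of the `codeql_model_packs_support` comment above it. Separately, the hard-coded `ghes > 3.12` condition inside the variable value duplicates versioning that elsewhere in this patch lives in the `codeql-threat-models` feature files; consider gating the C# addition on a feature flag so the two cannot drift apart when the feature's `versions` change.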