Delete CoreKnowledge.

All remaining functionality in `CoreKnowledge` is only being used in `EndpointCharacteristics`, so it can be moved there as a small set of helper predicates.

Author: tiferet

javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/CoreKnowledge.qll

@@ -7,10 +7,47 @@ private import semmle.javascript.security.dataflow.SqlInjectionCustomizations
 private import semmle.javascript.security.dataflow.DomBasedXssCustomizations
 private import semmle.javascript.security.dataflow.NosqlInjectionCustomizations
 private import semmle.javascript.security.dataflow.TaintedPathCustomizations
-private import CoreKnowledge as CoreKnowledge
 private import semmle.javascript.heuristics.SyntacticHeuristics as SyntacticHeuristics
 private import semmle.javascript.filters.ClassifyFiles as ClassifyFiles
 private import StandardEndpointFilters as StandardEndpointFilters
+private import semmle.javascript.security.dataflow.XxeCustomizations
+private import semmle.javascript.security.dataflow.RemotePropertyInjectionCustomizations
+private import semmle.javascript.security.dataflow.TypeConfusionThroughParameterTamperingCustomizations
+private import semmle.javascript.security.dataflow.ZipSlipCustomizations
+private import semmle.javascript.security.dataflow.TaintedPathCustomizations
+private import semmle.javascript.security.dataflow.CleartextLoggingCustomizations
+private import semmle.javascript.security.dataflow.XpathInjectionCustomizations
+private import semmle.javascript.security.dataflow.Xss::Shared as Xss
+private import semmle.javascript.security.dataflow.StackTraceExposureCustomizations
+private import semmle.javascript.security.dataflow.ClientSideUrlRedirectCustomizations
+private import semmle.javascript.security.dataflow.CodeInjectionCustomizations
+private import semmle.javascript.security.dataflow.RequestForgeryCustomizations
+private import semmle.javascript.security.dataflow.CorsMisconfigurationForCredentialsCustomizations
+private import semmle.javascript.security.dataflow.ShellCommandInjectionFromEnvironmentCustomizations
+private import semmle.javascript.security.dataflow.DifferentKindsComparisonBypassCustomizations
+private import semmle.javascript.security.dataflow.CommandInjectionCustomizations
+private import semmle.javascript.security.dataflow.PrototypePollutionCustomizations
+private import semmle.javascript.security.dataflow.UnvalidatedDynamicMethodCallCustomizations
+private import semmle.javascript.security.dataflow.TaintedFormatStringCustomizations
+private import semmle.javascript.security.dataflow.NosqlInjectionCustomizations
+private import semmle.javascript.security.dataflow.PostMessageStarCustomizations
+private import semmle.javascript.security.dataflow.RegExpInjectionCustomizations
+private import semmle.javascript.security.dataflow.SqlInjectionCustomizations
+private import semmle.javascript.security.dataflow.InsecureRandomnessCustomizations
+private import semmle.javascript.security.dataflow.XmlBombCustomizations
+private import semmle.javascript.security.dataflow.InsufficientPasswordHashCustomizations
+private import semmle.javascript.security.dataflow.HardcodedCredentialsCustomizations
+private import semmle.javascript.security.dataflow.FileAccessToHttpCustomizations
+private import semmle.javascript.security.dataflow.UnsafeDynamicMethodAccessCustomizations
+private import semmle.javascript.security.dataflow.UnsafeDeserializationCustomizations
+private import semmle.javascript.security.dataflow.HardcodedDataInterpretedAsCodeCustomizations
+private import semmle.javascript.security.dataflow.ServerSideUrlRedirectCustomizations
+private import semmle.javascript.security.dataflow.IndirectCommandInjectionCustomizations
+private import semmle.javascript.security.dataflow.ConditionalBypassCustomizations
+private import semmle.javascript.security.dataflow.HttpToFileAccessCustomizations
+private import semmle.javascript.security.dataflow.BrokenCryptoAlgorithmCustomizations
+private import semmle.javascript.security.dataflow.LoopBoundInjectionCustomizations
+private import semmle.javascript.security.dataflow.CleartextStorageCustomizations
 
 /**
  * A set of characteristics that a particular endpoint might have. This set of characteristics is used to make decisions
@@ -61,6 +98,63 @@ abstract class EndpointCharacteristic extends string {
   final float mediumConfidence() { result = 0.6 }
 }
 
+/*
+ * Helper predicates.
+ */
+
+/**
+ * Holds if the node `n` is a known sink for the external API security query.
+ *
+ * This corresponds to known sinks from security queries whose sources include remote flow and
+ * DOM-based sources.
+ */
+private predicate isKnownExternalApiQuerySink(DataFlow::Node n) {
+  n instanceof Xxe::Sink or
+  n instanceof TaintedPath::Sink or
+  n instanceof XpathInjection::Sink or
+  n instanceof Xss::Sink or
+  n instanceof ClientSideUrlRedirect::Sink or
+  n instanceof CodeInjection::Sink or
+  n instanceof RequestForgery::Sink or
+  n instanceof CorsMisconfigurationForCredentials::Sink or
+  n instanceof CommandInjection::Sink or
+  n instanceof PrototypePollution::Sink or
+  n instanceof UnvalidatedDynamicMethodCall::Sink or
+  n instanceof TaintedFormatString::Sink or
+  n instanceof NosqlInjection::Sink or
+  n instanceof PostMessageStar::Sink or
+  n instanceof RegExpInjection::Sink or
+  n instanceof SqlInjection::Sink or
+  n instanceof XmlBomb::Sink or
+  n instanceof ZipSlip::Sink or
+  n instanceof UnsafeDeserialization::Sink or
+  n instanceof ServerSideUrlRedirect::Sink or
+  n instanceof CleartextStorage::Sink or
+  n instanceof HttpToFileAccess::Sink
+}
+
+/**
+ * Holds if the node `n` is a known sink in a modeled library.
+ */
+private predicate isKnownLibrarySink(DataFlow::Node n) {
+  isKnownExternalApiQuerySink(n) or
+  n instanceof CleartextLogging::Sink or
+  n instanceof StackTraceExposure::Sink or
+  n instanceof ShellCommandInjectionFromEnvironment::Sink or
+  n instanceof InsecureRandomness::Sink or
+  n instanceof FileAccessToHttp::Sink or
+  n instanceof IndirectCommandInjection::Sink
+}
+
+/**
+ * Holds if the node `n` is known as the predecessor in a modeled flow step.
+ */
+private predicate isKnownStepSrc(DataFlow::Node n) {
+  TaintTracking::sharedTaintStep(n, _) or
+  DataFlow::SharedFlowStep::step(n, _) or
+  DataFlow::SharedFlowStep::step(n, _, _, _)
+}
+
 /*
  * Characteristics that are indicative of a sink.
  * NOTE: Initially each sink type has only one characteristic, which is that it's a sink of this type in the standard
@@ -511,9 +605,9 @@ class IsArgumentToModeledFunctionCharacteristic extends StandardEndpointFilterCh
       invk.getAnArgument() = n and
       invk.getAnArgument() = known and
       (
-        CoreKnowledge::isKnownLibrarySink(known)
+        isKnownLibrarySink(known)
         or
-        CoreKnowledge::isKnownStepSrc(known)
+        isKnownStepSrc(known)
         or
         exists(OtherModeledArgumentCharacteristic characteristic |
           characteristic.getEndpoints(known)
@@ -616,10 +710,19 @@ private class DatabaseAccessCallHeuristicCharacteristic extends NosqlInjectionSi
 private class ModeledSinkCharacteristic extends NosqlInjectionSinkEndpointFilterCharacteristic {
   ModeledSinkCharacteristic() { this = "modeled sink" }
 
+  /**
+   * Holds if the node `n` is a known sink in a modeled library, or a sibling-argument of such a sink.
+   */
+  predicate isArgumentToKnownLibrarySinkFunction(DataFlow::Node n) {
+    exists(DataFlow::InvokeNode invk, DataFlow::Node known |
+      invk.getAnArgument() = n and invk.getAnArgument() = known and isKnownLibrarySink(known)
+    )
+  }
+
   override predicate getEndpoints(DataFlow::Node n) {
     exists(DataFlow::CallNode call | n = call.getAnArgument() |
       // Remove modeled sinks
-      CoreKnowledge::isArgumentToKnownLibrarySinkFunction(n)
+      isArgumentToKnownLibrarySinkFunction(n)
     )
   }
 }
@@ -630,7 +733,7 @@ private class PredecessorInModeledFlowStepCharacteristic extends NosqlInjectionS
   override predicate getEndpoints(DataFlow::Node n) {
     exists(DataFlow::CallNode call | n = call.getAnArgument() |
       // Remove common kinds of unlikely sinks
-      CoreKnowledge::isKnownStepSrc(n)
+      isKnownStepSrc(n)
     )
   }
 }

javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointCharacteristics.qll

@@ -8,7 +8,6 @@ import javascript
 private import semmle.javascript.heuristics.SyntacticHeuristics
 private import semmle.javascript.security.dataflow.NosqlInjectionCustomizations
 import AdaptiveThreatModeling
-private import CoreKnowledge as CoreKnowledge
 
 class NosqlInjectionAtmConfig extends AtmConfig {
   NosqlInjectionAtmConfig() { this = "NosqlInjectionATMConfig" }

javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/NosqlInjectionATM.qll

@@ -7,7 +7,6 @@
 import semmle.javascript.heuristics.SyntacticHeuristics
 import semmle.javascript.security.dataflow.SqlInjectionCustomizations
 import AdaptiveThreatModeling
-import CoreKnowledge as CoreKnowledge
 
 class SqlInjectionAtmConfig extends AtmConfig {
   SqlInjectionAtmConfig() { this = "SqlInjectionATMConfig" }

javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/SqlInjectionATM.qll

@@ -7,7 +7,6 @@
 import semmle.javascript.heuristics.SyntacticHeuristics
 import semmle.javascript.security.dataflow.TaintedPathCustomizations
 import AdaptiveThreatModeling
-import CoreKnowledge as CoreKnowledge
 
 class TaintedPathAtmConfig extends AtmConfig {
   TaintedPathAtmConfig() { this = "TaintedPathATMConfig" }

javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/TaintedPathATM.qll

@@ -7,7 +7,6 @@
 private import semmle.javascript.heuristics.SyntacticHeuristics
 private import semmle.javascript.security.dataflow.DomBasedXssCustomizations
 import AdaptiveThreatModeling
-import CoreKnowledge as CoreKnowledge
 
 class DomBasedXssAtmConfig extends AtmConfig {
   DomBasedXssAtmConfig() { this = "DomBasedXssATMConfig" }