Generalize the definition of a known sink:

If the list of reasons includes positive indicators with maximal confidence for this class, it's a known sink for the class.

This negates the need for each query config to define the isKnownSink predicate individually.

Author: tiferet

javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/ATMConfig.qll

@@ -6,6 +6,7 @@
 
 private import javascript as JS
 import EndpointTypes
+import ClassificationReasons
 
 /**
  * EXPERIMENTAL. This API may change in the future.
@@ -44,7 +45,14 @@ abstract class AtmConfig extends string {
    *
    * Holds if `sink` is a known sink of flow.
    */
-  predicate isKnownSink(JS::DataFlow::Node sink) { none() }
+  predicate isKnownSink(JS::DataFlow::Node sink) {
+    // If the list of reasons includes positive indicators with maximal confidence for this class, it's a known sink for
+    // the class.
+    exists(ClassificationReason reason |
+      reason.getEndpoints(sink) and
+      reason.getImplications(this.getASinkEndpointType(), true, 1.0)
+    )
+  }
 
   /**
    * EXPERIMENTAL. This API may change in the future.

javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/NosqlInjectionATM.qll

@@ -93,8 +93,6 @@ class NosqlInjectionAtmConfig extends AtmConfig {
     source instanceof NosqlInjection::Source or TaintedObject::isSource(source, _)
   }
 
-  override predicate isKnownSink(DataFlow::Node sink) { sink instanceof NosqlInjection::Sink }
-
   override predicate isEffectiveSink(DataFlow::Node sinkCandidate) {
     not exists(SinkEndpointFilter::getAReasonSinkExcluded(sinkCandidate))
   }

javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/SqlInjectionATM.qll

@@ -65,8 +65,6 @@ class SqlInjectionAtmConfig extends AtmConfig {
 
   override predicate isKnownSource(DataFlow::Node source) { source instanceof SqlInjection::Source }
 
-  override predicate isKnownSink(DataFlow::Node sink) { sink instanceof SqlInjection::Sink }
-
   override predicate isEffectiveSink(DataFlow::Node sinkCandidate) {
     not exists(SinkEndpointFilter::getAReasonSinkExcluded(sinkCandidate))
   }

javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/TaintedPathATM.qll

@@ -64,8 +64,6 @@ class TaintedPathAtmConfig extends AtmConfig {
 
   override predicate isKnownSource(DataFlow::Node source) { source instanceof TaintedPath::Source }
 
-  override predicate isKnownSink(DataFlow::Node sink) { sink instanceof TaintedPath::Sink }
-
   override predicate isEffectiveSink(DataFlow::Node sinkCandidate) {
     not exists(SinkEndpointFilter::getAReasonSinkExcluded(sinkCandidate))
   }

javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/XssATM.qll

@@ -65,8 +65,6 @@ class DomBasedXssAtmConfig extends AtmConfig {
 
   override predicate isKnownSource(DataFlow::Node source) { source instanceof DomBasedXss::Source }
 
-  override predicate isKnownSink(DataFlow::Node sink) { sink instanceof DomBasedXss::Sink }
-
   override predicate isEffectiveSink(DataFlow::Node sinkCandidate) {
     not exists(SinkEndpointFilter::getAReasonSinkExcluded(sinkCandidate))
   }