Allow to specify the relevant threat model when running a query
Is your feature request related to a problem? Please describe.
The codeql CLI interface offers the option to specify a threat model by e.g. using the --threat-model local flag.
However, as far as I'm aware, there is no such feature in the IDE itself to configure the threat model.
Describe the solution you'd like
Either:
- add a dropdown when running a query using CodeQL: Run Query on Selected Database where the user has to select the threat model every time they run a query
- add a global config option to the plugin (could be problematic when different languages potentially support different threat models)
- add a new CodeQL: Run Query on Selected Database with Threat Model option.
- add a "Set Threat Model" for database command.
Describe alternatives you've considered
Run the query on the db using codeql database analyze yada yada yada --threat-model local.
However, looking at the result in SARIF isn't as nice as looking at the result of the CodeQL extension directly in the IDE.
Hi @intrigus-lgtm. Thank you for this feature request. Resolving this through the extension is not a current product priority, but one way to achieve this would be to use a CodeQL configuration file and set the threat model setting there. Is this an acceptable workaround for you?
Hi @charisk this is not really an acceptable workaround. AFAIK, the CodeQL configuration file is global and cannot apply to individual databases.
Understood. We will track this feature request for future consideration.