Fix imports and simplify security library

Copilot · felickz · Copilot · commit fac99448ffba · 2025-09-05T16:37:26.000Z
Co-authored-by: felickz &lt;1760475+felickz@users.noreply.github.com&gt;
diff --git a/ql/lib/codeql/bicep/Frameworks.qll b/ql/lib/codeql/bicep/Frameworks.qll
@@ -4,6 +4,7 @@ import frameworks.Microsoft.Containers
 import frameworks.Microsoft.Dashboards
 import frameworks.Microsoft.General
 import frameworks.Microsoft.AKS
+import frameworks.Microsoft.Authorization
 import frameworks.Microsoft.Profiles
 import frameworks.Microsoft.Network
 import frameworks.Microsoft.Storage
diff --git a/ql/lib/codeql/bicep/security/OverlyPermissiveAccessControl.qll b/ql/lib/codeql/bicep/security/OverlyPermissiveAccessControl.qll
@@ -6,60 +6,9 @@
  */
 
 private import bicep
-private import codeql.bicep.dataflow.DataFlow
 private import codeql.bicep.frameworks.Microsoft.Authorization
 
 module OverlyPermissiveAccessControl {
-  /** A data flow source for overly permissive access control vulnerabilities. */
-  abstract class Source extends DataFlow::Node { }
-
-  /** A data flow sink for overly permissive access control vulnerabilities. */
-  abstract class Sink extends DataFlow::Node { }
-
-  /** A sanitizer for overly permissive access control vulnerabilities. */
-  abstract class Sanitizer extends DataFlow::Node { }
-
-  /**
-   * A role assignment resource that grants privileged roles at broad scopes.
-   */
-  private class OverlyPermissiveRoleAssignment extends Source {
-    Authorization::RoleAssignmentResource roleAssignment;
-
-    OverlyPermissiveRoleAssignment() {
-      this.asExpr() = roleAssignment.getResourceDeclaration() and
-      roleAssignment.isOverlyPermissive()
-    }
-
-    /**
-     * Gets the role assignment resource.
-     */
-    Authorization::RoleAssignmentResource getRoleAssignment() { result = roleAssignment }
-
-    /**
-     * Gets a description of why this role assignment is overly permissive.
-     */
-    string getDescription() {
-      exists(string role, string scope |
-        (
-          roleAssignment.getRoleDefinitionId() = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635" and
-          role = "Owner"
-          or
-          roleAssignment.getRoleDefinitionId() = "b24988ac-6180-42a0-ab88-20f7382dd24c" and
-          role = "Contributor"
-          or
-          roleAssignment.getRoleDefinitionId() = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9" and
-          role = "User Access Administrator"
-        ) and
-        (
-          roleAssignment.isSubscriptionScoped() and scope = "subscription"
-          or
-          roleAssignment.isResourceGroupScoped() and scope = "resource group"
-        ) and
-        result = role + " role assigned at " + scope + " scope"
-      )
-    }
-  }
-
   /**
    * Predicate to identify role assignments with overly broad scope.
    */
@@ -80,4 +29,28 @@ module OverlyPermissiveAccessControl {
   predicate isOverlyPermissive(Authorization::RoleAssignmentResource roleAssignment) {
     roleAssignment.isOverlyPermissive()
   }
+
+  /**
+   * Gets a description of why a role assignment is overly permissive.
+   */
+  string getPermissiveDescription(Authorization::RoleAssignmentResource roleAssignment) {
+    exists(string role, string scope |
+      (
+        roleAssignment.getRoleDefinitionId() = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635" and
+        role = "Owner"
+        or
+        roleAssignment.getRoleDefinitionId() = "b24988ac-6180-42a0-ab88-20f7382dd24c" and
+        role = "Contributor"
+        or
+        roleAssignment.getRoleDefinitionId() = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9" and
+        role = "User Access Administrator"
+      ) and
+      (
+        roleAssignment.isSubscriptionScoped() and scope = "subscription"
+        or
+        roleAssignment.isResourceGroupScoped() and scope = "resource group"
+      ) and
+      result = role + " role assigned at " + scope + " scope"
+    )
+  }
 }
