JS: Add view-component-input threat model

[asgerf]

We sometimes get requests from users to treat React props, Vue props, or Angular inputs as taint sources. Such inputs are not true taint sources however, and tend to generate many false positives in practice if used as taint sources. These inputs are akin to function parameters in that they just hold whatever values are passed in at the component's instantiation site.

As a middle ground, this PR adds a new threat model kind called view-component-input. When enabled, React props, Vue props, and Angular2 inputs are seen as taint sources.

Also adds a new meta-query to report changes to threat model sources other than remote.

Evaluations:

• Evaluation with threat model turned on shows 14k new taint sources and 283 new alerts. I haven't found any TPs in the new alerts.
• Evaluation of just the type-restricting commit shows a couple of sources of type boolean or number gets filtered out.

Copilot reviewed 16 out of 34 changed files in this pull request and generated no comments.

Files not reviewed (18)

• docs/codeql/reusables/threat-model-description.rst: Language not supported
• javascript/ql/lib/semmle/javascript/Concepts.qll: Language not supported
• javascript/ql/lib/semmle/javascript/ViewComponentInput.qll: Language not supported
• javascript/ql/lib/semmle/javascript/frameworks/Angular2.qll: Language not supported
• javascript/ql/lib/semmle/javascript/frameworks/React.qll: Language not supported
• javascript/ql/lib/semmle/javascript/frameworks/Vue.qll: Language not supported
• javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionCustomizations.qll: Language not supported
• javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsCustomizations.qll: Language not supported
• javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll: Language not supported
• javascript/ql/lib/semmle/javascript/security/dataflow/RegExpInjectionCustomizations.qll: Language not supported
• javascript/ql/lib/semmle/javascript/security/dataflow/RemoteFlowSources.qll: Language not supported
• javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll: Language not supported
• javascript/ql/lib/semmle/javascript/security/dataflow/ResourceExhaustionCustomizations.qll: Language not supported
• javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll: Language not supported
• javascript/ql/src/meta/alerts/TaintSources.ql: Language not supported
• javascript/ql/src/meta/alerts/ThreatModelSources.ql: Language not supported
• javascript/ql/src/meta/internal/TaintMetrics.qll: Language not supported
• javascript/ql/test/library-tests/frameworks/Angular2/test.expected: Language not supported

Tip: Copilot only keeps its highest confidence comments to reduce noise and keep you focused. Learn more