Initial implementation of models-as-data. Please use the backlinked issue for high-level discussion of the format itself.

The implementation is split in three files:

• Shared.qll is intended to be shared between languages (some day; currently only works for JS)
• Impl.qll is intended to contain the langauge-specific details.
• ModelsAsData.qll is the public interface from the rest of the library

Some predicates from Shared.qll must be usable from Impl.qll, but should not be public in the library, so ModelsAsData.qll acts as a gatekeeper toward the public API.

The API exposes two modules:

• ModelInput is used for contributing models
  • For example, subclass ModelInput::SinkModelCsv to add new sinks
• ModelOutput is used for accessing interpreted models in terms of API nodes
  • For example, use ModelOutput::getASinkNode("sql-injection") to get SQL injection sinks

In this PR I have ported Sequelize and Spanner, as initial validation.

Evaluation from a slightly earlier version.

• The new result is due to MaD always using API graphs whereas the old model used local flow for credentials.
• (The new taint sources were due to the inclusion of an rough Express MaD model in the earlier version. They only show up in the diff because getSourceType() returned a different string for those source, not because they were truly new)