diff --git a/ThreatDragonModels/example-open-threat-model.json b/ThreatDragonModels/example-open-threat-model.json
new file mode 100644
index 000000000..c479c79d2
--- /dev/null
+++ b/ThreatDragonModels/example-open-threat-model.json
@@ -0,0 +1,320 @@
+{
+ "otmVersion": "0.2.0",
+ "project": {
+ "name": "Test project",
+ "id": "test-project",
+ "description": "This is a test project for the OTM development",
+ "owner": "John Doe",
+ "ownerContact": "john.doe@example.com",
+ "attributes": {
+ "cmdbId": "MyApp123"
+ }
+ },
+ "representations": [
+ {
+ "name": "Architecture Diagram",
+ "id": "architecture-diagram",
+ "type": "diagram",
+ "size": {
+ "width": 1000,
+ "height": 1100
+ },
+ "attributes": null
+ },
+ {
+ "name": "Application Code",
+ "id": "application-code",
+ "type": "code",
+ "repository": {
+ "url": "https://github.com/my-project"
+ },
+ "attributes": null
+ }
+ ],
+ "assets": [
+ {
+ "name": "Credit Card Data",
+ "id": "cc-data",
+ "description": "Credit card numbers used for payments in the platform",
+ "risk": {
+ "confidentiality": 100,
+ "integrity": 100,
+ "availability": 100,
+ "riskComments": "We have decided that the values are a 100 for all values since this highly sensitive information"
+ },
+ "attributes": null
+ },
+ {
+ "name": "Public Info",
+ "id": "public-info",
+ "description": "Public information meant to be seen by any interested customer",
+ "risk": {
+ "confidentiality": 0,
+ "integrity": 100,
+ "availability": 50,
+ "riskComments": "Public information has no confidentiality at all but it is quite important for it to be available and to not be changed by attakers"
+ },
+ "attributes": null
+ }
+ ],
+ "components": [
+ {
+ "name": "Web Client",
+ "id": "web-client",
+ "description": "It represent a connection from the internet to our ecosystem",
+ "parent": {
+ "trustZone": "f0ba7722-39b6-4c81-8290-a30a248bb8d9"
+ },
+ "type": "web-client",
+ "tags": [
+ "external"
+ ],
+ "representations": [
+ {
+ "representation": "architecture-diagram",
+ "id": "web-client-box",
+ "position": {
+ "x": 100,
+ "y": 100
+ },
+ "size": {
+ "width": 50,
+ "height": 50
+ }
+ }
+ ],
+ "assets": null,
+ "threats": null,
+ "attributes": null
+ },
+ {
+ "name": "Web Service",
+ "id": "web-service",
+ "description": "Runs our web application",
+ "parent": {
+ "trustZone": "2ab4effa-40b7-4cd2-ba81-8247d29a6f2d"
+ },
+ "type": "web-service",
+ "tags": [
+ "tomcat"
+ ],
+ "representations": [
+ {
+ "representation": "architecture-diagram",
+ "id": "web-service-box",
+ "position": {
+ "x": 100,
+ "y": 100
+ },
+ "size": {
+ "width": 50,
+ "height": 50
+ }
+ }
+ ],
+ "assets": {
+ "processed": [
+ "cc-data",
+ "public-info"
+ ],
+ "stored": [
+ "public-info"
+ ]
+ },
+ "threats": [
+ {
+ "threat": "22724267-be7e-44c0-8b1f-d7d33e9a34ec",
+ "state": "exposed",
+ "mitigations": [
+ {
+ "mitigation": "fd6136f4-e2ff-11eb-ba80-0242ac130004",
+ "state": "implemented"
+ }
+ ]
+ }
+ ],
+ "attributes": null
+ },
+ {
+ "name": "Customer Database",
+ "id": "customer-database",
+ "description": "Postgres database",
+ "parent": {
+ "trustZone": "2ab4effa-40b7-4cd2-ba81-8247d29a6f2d"
+ },
+ "type": "database",
+ "tags": [
+ "postgres"
+ ],
+ "representations": [
+ {
+ "representation": "architecture-diagram",
+ "id": "box-for-postgress-DB",
+ "position": {
+ "x": 200,
+ "y": 100
+ },
+ "size": {
+ "width": 50,
+ "height": 50
+ }
+ }
+ ],
+ "attributes": null
+ },
+ {
+ "name": "Class CustomerDatabase",
+ "id": "class-customerdatabase",
+ "description": "Managages customer database",
+ "type": "code-class",
+ "parent": {
+ "trustZone": "2ab4effa-40b7-4cd2-ba81-8247d29a6f2d"
+ },
+ "representations": [
+ {
+ "representation": "application-code",
+ "id": "database class",
+ "package": "com.open.threat.model",
+ "file": "src/main/otm-file/OTMClass.java",
+ "line": 324,
+ "codeSnippet": "public void createOTM(String[] args) { Scanner reader = new Scanner(System.in); System.out.print(\"Enter a number: \"); int number = reader.nextInt() System.out.println(\"You entered: \" + number); }"
+ }
+ ],
+ "attributes": null
+ }
+ ],
+ "dataflows": [
+ {
+ "name": "Dataflow between webclient and webservice.",
+ "id": "webclient-to-webservice",
+ "bidirectional": true,
+ "source": "web-client",
+ "destination": "web-service",
+ "tags": null,
+ "assets": null,
+ "representations": null,
+ "threats": null,
+ "attributes": null
+ },
+ {
+ "name": "Dataflow between webservice and mongo.",
+ "id": "cc-store-in-db",
+ "bidirectional": true,
+ "source": "web-service",
+ "destination": "customer-database",
+ "tags": [
+ "tag1-df",
+ "tag2-df"
+ ],
+ "assets": [
+ "cc-data"
+ ],
+ "representations": null,
+ "threats": [
+ {
+ "threat": "22724267-be7e-44c0-8b1f-d7d33e9a34ec",
+ "state": "exposed",
+ "mitigations": [
+ {
+ "mitigation": "fd6136f4-e2ff-11eb-ba80-0242ac130004",
+ "state": "required"
+ }
+ ]
+ }
+ ],
+ "attributes": null
+ }
+ ],
+ "trustZones": [
+ {
+ "name": "Internet",
+ "id": "f0ba7722-39b6-4c81-8290-a30a248bb8d9",
+ "type": "internet",
+ "description": "This is the internet trust zone",
+ "risk": {
+ "trustRating": 20
+ },
+ "representations": [
+ {
+ "representation": "architecture-diagram",
+ "id": "internet-box-shape",
+ "position": {
+ "x": 600,
+ "y": 100
+ },
+ "size": {
+ "width": 100,
+ "height": 100
+ }
+ }
+ ],
+ "attributes": null
+ },
+ {
+ "name": "Private",
+ "id": "2ab4effa-40b7-4cd2-ba81-8247d29a6f2d",
+ "type": "private",
+ "description": "Private trustzone for protected components",
+ "risk": {
+ "trustRating": 100
+ },
+ "representations": [
+ {
+ "representation": "architecture-diagram",
+ "id": "private-box-shape",
+ "position": {
+ "x": 0,
+ "y": 0
+ },
+ "size": {
+ "width": 100,
+ "height": 100
+ }
+ }
+ ],
+ "attributes": null
+ }
+ ],
+ "threats": [
+ {
+ "name": "Threat 1",
+ "id": "22724267-be7e-44c0-8b1f-d7d33e9a34ec",
+ "description": "Description fo the threat number 1",
+ "categories": [
+ "Spoofing",
+ "Tampering"
+ ],
+ "cwes": [
+ "CWE-79",
+ "CWE-787"
+ ],
+ "risk": {
+ "likelihood": 50,
+ "likelihoodComment": "It is reasonable to think this might happen but it requires for the attaketr to have a deep cyprografy knowledge",
+ "impact": 100,
+ "impactComment": "If this threat becomes a rallity company will strruggle to keep customers and the monetory loss would jeopardise the whole company"
+ },
+ "attributes": null,
+ "tags": [
+ "sql",
+ "cwe-123"
+ ]
+ }
+ ],
+ "mitigations": [
+ {
+ "name": "This is the name of mitigation 1",
+ "id": "fd6136f4-e2ff-11eb-ba80-0242ac130004",
+ "description": "Description for mitigation 1",
+ "riskReduction": 50,
+ "attributes": null
+ },
+ {
+ "name": "Mitigation 2",
+ "id": "3b837730-e300-11eb-ba80-0242ac130004",
+ "description": "Description for mitigation 2",
+ "riskReduction": 100,
+ "attributes": null
+ }
+ ]
+}
diff --git a/package-lock.json b/package-lock.json
index bdbe2f375..8655bd2f8 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "threat-dragon",
- "version": "2.1.1",
+ "version": "2.1.2",
 "lockfileVersion": 3,
 "requires": true,
 "packages": {
 "": {
 "name": "threat-dragon",
- "version": "2.1.1",
+ "version": "2.1.2",
 "hasInstallScript": true,
 "license": "Apache-2.0",
 "devDependencies": {
diff --git a/package.json b/package.json
index 14c180c1a..61fa1ff95 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "threat-dragon",
- "version": "2.1.1",
+ "version": "2.1.2",
 "private": true,
 "scripts": {
 "audit": "npm-run-all -c audit:server audit:site",
diff --git a/release-process.md b/release-process.md
index 98823f58d..eb223a824 100644
--- a/release-process.md
+++ b/release-process.md
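Review bot: The second dataflow in the new example model is named "Dataflow between webservice and mongo." while its `destination` is `customer-database`, whose component is described as "Postgres database" and tagged "postgres"; if this file is used as a fixture for OTM import, that mismatch is carried straight into the imported model, so the line should read `"name": "Dataflow between webservice and postgres.",` or name the database generically. Several user-visible strings in the same hunk carry misspellings ("attakers", "attaketr", "cyprografy", "rallity", "strruggle", "monetory", "Managages", "postgress") and the `codeSnippet` Java text is missing the semicolon after `reader.nextInt()`, which is worth correcting since the example is what users see first. The Customer Database component also omits the `assets` and `threats` keys that the other components carry as `null`, so any consumer of this format must treat those keys as optional rather than assuming they are present. Finally, the representation id `"database class"` contains a space whereas every other id in the file is kebab-case; `"id": "database-class",` would keep ids consistent.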
@@ -4,40 +4,40 @@ The steps used during the release process 1. `git clone git@github.com:OWASP/threat-dragon.git` 2. `cd threat-dragon` -3. update version eg `"version": "2.1.1",`, in `package.json`, `td.site/package.json` and `td.server/package.json` +3. update version eg `"version": "2.1.2",`, in `package.json`, `td.site/package.json` and `td.server/package.json` 4. update `buildState` in `td.vue/package.json` away from `-demo`, usually '' 5. `npm install` 6. `npm run build` 7. `npm test` 8. `npm run test:vue` 9. `git add --all; git status` -10. `git commit -m"release version 2.1.1"` +10. `git commit -m"release version 2.1.2"` 11. `git push` -12. tag the release `git tag v2.1.1` -13. `git push origin v2.1.1` +12. tag the release `git tag v2.1.2` +13. `git push origin v2.1.2` The github release workflow then creates the draft release and the install images ### Publish docker image 1. once tagged, the github workflow pushes the docker image to docker hub -2. check using `docker pull threatdragon/owasp-threat-dragon:v2.1.1` +2. check using `docker pull threatdragon/owasp-threat-dragon:v2.1.2` 3. on MacOS M1 this command may need to be used: - `docker pull --platform linux/x86_64 threatdragon/owasp-threat-dragon:v2.1.1` + `docker pull --platform linux/x86_64 threatdragon/owasp-threat-dragon:v2.1.2` 4. Test using the command to run a detached container: - `docker run -d -p 8080:3000 -v $(pwd)/.env:/app/.env threatdragon/owasp-threat-dragon:v2.1.1` + `docker run -d -p 8080:3000 -v $(pwd)/.env:/app/.env threatdragon/owasp-threat-dragon:v2.1.2` 5. Ideally test this release on Windows, linux and MacOS using `http://localhost:8080/#/` If the image tests correctly, promote the docker image -from dockerhub `threatdragon/` to dockerhub `OWASP/threat-dragon/v2.1.1`. +from dockerhub `threatdragon/` to dockerhub `OWASP/threat-dragon/v2.1.2`. 
There is _no going back_ on this last step, so it is deliberately left as a manual task: ```text -docker pull --platform linux/x86_64 threatdragon/owasp-threat-dragon:v2.1.1 -docker tag threatdragon/owasp-threat-dragon:v2.1.1 owasp/threat-dragon:v2.1.1 -docker push owasp/threat-dragon:v2.1.1 -docker pull owasp/threat-dragon:v2.1.1 +docker pull --platform linux/x86_64 threatdragon/owasp-threat-dragon:v2.1.2 +docker tag threatdragon/owasp-threat-dragon:v2.1.2 owasp/threat-dragon:v2.1.2 +docker push owasp/threat-dragon:v2.1.2 +docker pull owasp/threat-dragon:v2.1.2 ``` ensure the tag now exists within the OWASP Docker hub: `https://hub.docker.com/r/owasp/threat-dragon/tags` @@ -46,7 +46,7 @@ ensure the tag now exists within the OWASP Docker hub: `https://hub.docker.com/r Update the release notes for the draft in the [Threat Dragon release area][area] using the release notes using markdown provided by `.release-note-template.md` as a template, -making sure to revise `2.x.x` to the correct version number such as `2.1.1` +making sure to revise `2.x.x` to the correct version number such as `2.1.2` Promote the release from draft to public once everything is in place diff --git a/td.server/package-lock.json b/td.server/package-lock.json index dde83f3cf..326af107d 100644 --- a/td.server/package-lock.json +++ b/td.server/package-lock.json @@ -1,17 +1,17 @@ { "name": "threat-dragon-server", - "version": "2.1.1", + "version": "2.1.2", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "threat-dragon-server", - "version": "2.1.1", + "version": "2.1.2", "license": "Apache-2.0", "dependencies": { "@babel/runtime": "^7.21.0", - "bitbucket": "^2.11.0", "axios": "^1.6.0", + "bitbucket": "^2.11.0", "dotenv": "^16.0.3", "express": "^4.18.2", "express-rate-limit": "^6.7.0", diff --git a/td.server/package.json b/td.server/package.json index 6050ad5be..3932b0a64 100644 --- a/td.server/package.json +++ b/td.server/package.json 
@@ -1,6 +1,6 @@
 {
 "name": "threat-dragon-server",
- "version": "2.1.1",
+ "version": "2.1.2",
 "private": true,
 "scripts": {
 "audit": "npm audit",
diff --git a/td.vue/package-lock.json b/td.vue/package-lock.json
index a764c9ef6..135762c16 100644
--- a/td.vue/package-lock.json
+++ b/td.vue/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "threat-dragon",
- "version": "2.1.1",
+ "version": "2.1.2",
 "lockfileVersion": 3,
 "requires": true,
 "packages": {
 "": {
 "name": "threat-dragon",
- "version": "2.1.1",
+ "version": "2.1.2",
 "license": "Apache-2.0",
 "dependencies": {
 "@antv/x6": "^1.34.14",
diff --git a/td.vue/package.json b/td.vue/package.json
index c0dec0de5..d642dfe29 100644
--- a/td.vue/package.json
+++ b/td.vue/package.json
@@ -1,7 +1,7 @@
 {
 "name": "threat-dragon",
 "productName": "Threat Dragon",
- "version": "2.1.1",
+ "version": "2.1.2",
 "private": true,
 "scripts": {
 "audit": "npm audit",