Hello everyone, i have some problems to configure the schema. i get a message from intelij that the schema could not be downloaded due to a 403 error. Besides that i am not sure how to import the schema.json to the Threagile schema in the Youtube video. Is there a detailed description? Many thanks in advance

Currently I tried to use threagile and created a model form the stub. When I try to execute threagile on that model I get the following error:

Parsing model: /app/work/threagile-model.yaml 2020/11/13 09:59:42 Unknown 'machine' of technical asset: Unknown 'machine' of technical asset:

I have a few technical assets in my model, so it would be handy to get the line number of the model file in the error message.

Are you building on Win?

go: downloading github.com/Threagile/threagile v0.0.0-20201115181100-9a846523ea83
go: github.com/Threagile/threagile upgrade => v0.0.0-20201115181100-9a846523ea83
go get: github.com/Threagile/[email protected]: parsing go.mod:
	module declares its path as: github.com/threagile/threagile
	        but was required as: github.com/Threagile/threagile

This PR adds the missing encryption types output from the -list-types CLI option. It fixes issue #2 .

New Output

I opted to put the encryption output higher up in the -list-types output (below Criticality) to make it ordered more alphabetically (without touching the other outputs). This should make it easier for others to find when scanning the list.

$ go build main.go
$ ./main -list-types

  _____ _                          _ _
 |_   _| |__  _ __ ___  __ _  __ _(_) | ___
   | | | '_ \| '__/ _ \/ _` |/ _` | | |/ _ \
   | | | | | | | |  __/ (_| | (_| | | |  __/
   |_| |_| |_|_|  \___|\__,_|\__, |_|_|\___|
                             |___/
Threagile - Agile Threat Modeling


Documentation: https://threagile.io
Docker Images: https://hub.docker.com/r/threagile
Sourcecode: https://github.com/threagile
License: Open-Source (MIT License)
Version: 1.0.0 ()


The following types are available (can be extended for custom rules):

  Quantity: [very-few few many very-many]

  Confidentiality: [public internal restricted confidential strictly-confidential]

  Criticality (for integrity and availability): [archive operational important critical mission-critical]

  Encryption: [none transparent data-with-symmetric-shared-key data-with-asymmetric-shared-key data-with-enduser-individual-key]

  Technical Asset Type: [external-entity process datastore]

  Technical Asset Size: [system service application component]

  Authorization: [none technical-user enduser-identity-propagation]

  Authentication: [none credentials session-id token client-certificate two-factor externalized]

  Usage: [business devops]

  Data Format: [json xml serialization file csv]

  Protocol: [unknown-protocol http https ws wss reverse-proxy-web-protocol reverse-proxy-web-protocol-encrypted mqtt jdbc jdbc-encrypted odbc odbc-encrypted sql-access-protocol sql-access-protocol-encrypted nosql-access-protocol nosql-access-protocol-encrypted binary binary-encrypted text text-encrypted ssh ssh-tunnel smtp smtp-encrypted pop3 pop3-encrypted imap imap-encrypted ftp ftps sftp scp ldap ldaps jms nfs smb smb-encrypted local-file-access nrpe xmpp iiop iiop-encrypted jrmp jrmp-encrypted in-process-library-call container-spawning]

  Technical Asset Technology: [unknown-technology client-system browser desktop mobile-app devops-client web-server web-application application-server database file-server local-file-system erp cms web-service-rest web-service-soap ejb search-index search-engine service-registry reverse-proxy load-balancer build-pipeline sourcecode-repository artifact-registry code-inspection-platform monitoring ldap-server container-platform batch-processing event-listener identity-provider identity-store-ldap identity-store-database tool cli task function gateway iot-device message-queue stream-processing service-mesh data-lake big-data-platform report-engine ai mail-server vault hsm waf ids ips scheduler mainframe block-storage library]

  Technical Asset Machine: [physical virtual container serverless]

  Trust Boundary Type: [network-on-prem network-dedicated-hoster network-virtual-lan network-cloud-provider network-cloud-security-group network-policy-namespace-isolation execution-environment]

  Data Loss Probability: [improbable possible probable]

  Risk Severity: [low medium elevated high critical]

  Risk Exploitation Likelihood: [unlikely likely very-likely frequent]

  Risk Exploitation Impact: [low medium high very-high]

  Risk Function: [business-side architecture development operations]

  Risk Status: [unchecked in-discussion accepted in-progress mitigated false-positive]

  STRIDE: [spoofing tampering repudiation information-disclosure denial-of-service elevation-of-privilege]

Overview

This fixes a simple typo in the impact analysis string of the Missing Cloud Hardening risk category, resulting in a typo in the generated PDF report.

Rollback

Revert the PR.

Testing

I generated a new PDF report using a threagile.yml file that contains a cloud trust boundary, and the typo is gone.

Summary

There is a typo in the PDF report when displaying the impact analysis "Missing Cloud Hardening" risk (page 8; Impact Analysis of X Remaining Risks in Y Categories).

Expected

If this risk is unmitigated, attackers might access cloud components in an unintended way.

Actual

If this risk is unmitigated, attackers might access cloud components in an unintended way and .

Root Cause

The hard-coded string used to define the risk category contains the typo, see here: https://github.com/Threagile/threagile/blob/dad51398ceca985c63a13340abe08d65d3e63369/risks/built-in/missing-cloud-hardening/missing-cloud-hardening-rule.go#L14

Issue

When running threagile -list-types, the output does not includes the list of accepted encryption types.

Type

Bug

Expected Results

$ docker run --rm threagile/threagile -list-types

  _____ _                          _ _
 |_   _| |__  _ __ ___  __ _  __ _(_) | ___
   | | | '_ \| '__/ _ \/ _` |/ _` | | |/ _ \
   | | | | | | | |  __/ (_| | (_| | | |  __/
   |_| |_| |_|_|  \___|\__,_|\__, |_|_|\___|
                             |___/
Threagile - Agile Threat Modeling


Documentation: https://threagile.io
Docker Images: https://hub.docker.com/r/threagile
Sourcecode: https://github.com/threagile
License: Open-Source (MIT License)
Version: 1.0.0 ()


The following types are available (can be extended for custom rules):

  Quantity: [very-few few many very-many]

  Confidentiality: [public internal restricted confidential strictly-confidential]

  Criticality (for integrity and availability): [archive operational important critical mission-critical]

  Technical Asset Type: [external-entity process datastore]

  Technical Asset Size: [system service application component]

  Authorization: [none technical-user enduser-identity-propagation]

  Authentication: [none credentials session-id token client-certificate two-factor externalized]

  Usage: [business devops]

  Data Format: [json xml serialization file csv]

  Protocol: [unknown-protocol http https ws wss reverse-proxy-web-protocol reverse-proxy-web-protocol-encrypted mqtt jdbc jdbc-encrypted odbc odbc-encrypted sql-access-protocol sql-access-protocol-encrypted nosql-access-protocol nosql-access-protocol-encrypted binary binary-encrypted text text-encrypted ssh ssh-tunnel smtp smtp-encrypted pop3 pop3-encrypted imap imap-encrypted ftp ftps sftp scp ldap ldaps jms nfs smb smb-encrypted local-file-access nrpe xmpp iiop iiop-encrypted jrmp jrmp-encrypted in-process-library-call container-spawning]

  Technical Asset Technology: [unknown-technology client-system browser desktop mobile-app devops-client web-server web-application application-server database file-server local-file-system erp cms web-service-rest web-service-soap ejb search-index search-engine service-registry reverse-proxy load-balancer build-pipeline sourcecode-repository artifact-registry code-inspection-platform monitoring ldap-server container-platform batch-processing event-listener identity-provider identity-store-ldap identity-store-database tool cli task function gateway iot-device message-queue stream-processing service-mesh data-lake big-data-platform report-engine ai mail-server vault hsm waf ids ips scheduler mainframe block-storage library]

  Technical Asset Machine: [physical virtual container serverless]

  Trust Boundary Type: [network-on-prem network-dedicated-hoster network-virtual-lan network-cloud-provider network-cloud-security-group network-policy-namespace-isolation execution-environment]

  Data Loss Probability: [improbable possible probable]

  Risk Severity: [low medium elevated high critical]

  Risk Exploitation Likelihood: [unlikely likely very-likely frequent]

  Risk Exploitation Impact: [low medium high very-high]

  Risk Function: [business-side architecture development operations]

  Risk Status: [unchecked in-discussion accepted in-progress mitigated false-positive]

  STRIDE: [spoofing tampering repudiation information-disclosure denial-of-service elevation-of-privilege]

  Encryption: [none transparent data-with-symmetric-shared-key data-with-asymmetric-shared-key data-with-enduser-individual-key]

Actual Results

```bash
$ docker run --rm threagile/threagile -list-types

  _____ _                          _ _
 |_   _| |__  _ __ ___  __ _  __ _(_) | ___
   | | | '_ \| '__/ _ \/ _` |/ _` | | |/ _ \
   | | | | | | | |  __/ (_| | (_| | | |  __/
   |_| |_| |_|_|  \___|\__,_|\__, |_|_|\___|
                             |___/
Threagile - Agile Threat Modeling


Documentation: https://threagile.io
Docker Images: https://hub.docker.com/r/threagile
Sourcecode: https://github.com/threagile
License: Open-Source (MIT License)
Version: 1.0.0 ()


The following types are available (can be extended for custom rules):

  Quantity: [very-few few many very-many]

  Confidentiality: [public internal restricted confidential strictly-confidential]

  Criticality (for integrity and availability): [archive operational important critical mission-critical]

  Technical Asset Type: [external-entity process datastore]

  Technical Asset Size: [system service application component]

  Authorization: [none technical-user enduser-identity-propagation]

  Authentication: [none credentials session-id token client-certificate two-factor externalized]

  Usage: [business devops]

  Data Format: [json xml serialization file csv]

  Protocol: [unknown-protocol http https ws wss reverse-proxy-web-protocol reverse-proxy-web-protocol-encrypted mqtt jdbc jdbc-encrypted odbc odbc-encrypted sql-access-protocol sql-access-protocol-encrypted nosql-access-protocol nosql-access-protocol-encrypted binary binary-encrypted text text-encrypted ssh ssh-tunnel smtp smtp-encrypted pop3 pop3-encrypted imap imap-encrypted ftp ftps sftp scp ldap ldaps jms nfs smb smb-encrypted local-file-access nrpe xmpp iiop iiop-encrypted jrmp jrmp-encrypted in-process-library-call container-spawning]

  Technical Asset Technology: [unknown-technology client-system browser desktop mobile-app devops-client web-server web-application application-server database file-server local-file-system erp cms web-service-rest web-service-soap ejb search-index search-engine service-registry reverse-proxy load-balancer build-pipeline sourcecode-repository artifact-registry code-inspection-platform monitoring ldap-server container-platform batch-processing event-listener identity-provider identity-store-ldap identity-store-database tool cli task function gateway iot-device message-queue stream-processing service-mesh data-lake big-data-platform report-engine ai mail-server vault hsm waf ids ips scheduler mainframe block-storage library]

  Technical Asset Machine: [physical virtual container serverless]

  Trust Boundary Type: [network-on-prem network-dedicated-hoster network-virtual-lan network-cloud-provider network-cloud-security-group network-policy-namespace-isolation execution-environment]

  Data Loss Probability: [improbable possible probable]

  Risk Severity: [low medium elevated high critical]

  Risk Exploitation Likelihood: [unlikely likely very-likely frequent]

  Risk Exploitation Impact: [low medium high very-high]

  Risk Function: [business-side architecture development operations]

  Risk Status: [unchecked in-discussion accepted in-progress mitigated false-positive]

  STRIDE: [spoofing tampering repudiation information-disclosure denial-of-service elevation-of-privilege]

risks.json is a great way to visualize output changes in PRs (if Threagile output is stored in git).

There should be an option to pretty-print that output for easier reviews.

I'm running into an interesting error. When I use the Dockerfile to build threagile, the application is running without any issues. However, if I clone the repo locally, then build it using the Dockerfile.local, I see the error {"error":"graph rendering call failed with error:fork/exec /app/render-data-flow-diagram.sh: no such file or directory"}

Any ideas why that might be?

Hello. I'd like to be able to generate OTM from Threagile. For example, adding an option for --generate-otm would be ideal.

The Open Threat Model format is still early in development, but its goals are to standardize how data from threat models are represented, providing interoperability between different systems and tools.

Per the readme:

OTM allows both humans and computers to understand what are the components of a system, how are they distributed, the security risks that could be exposed to attackers and the mitigations that could be implemented to avoid those vulnerabilities.

OTM can be used to document your system and threat model, to keep you threat model aware of the changes that happens in the system and many other use cases.

The YAML file can grow very fast when while you add more details to your threat model.

It will be great to:

• Add an import feature for having complementary YAML files that can be added to the main YAML file. YAML by default does not support imports.

Or

• Create a CDK to define our model as code.

Hi, I've been looking through the code and some attributes, like protocol, are used in functions that are in the logic for different risks. But for size of technical asset (system, service, application, component), I can't find them being used anywhere. I see them declared in different technical assets in the add-build-pipeline-macro.go and add-vault-macro.go but don't see them used in code or impact threats in anyway? Any advice appreciated. Thanks!