Agile Threat Modeling Toolkit

Overview

Threagile

Threagile (see https://threagile.io for more details) is an open-source toolkit for agile threat modeling:

It lets you model an architecture and its assets in an agile fashion as a YAML file directly inside the IDE. When the Threagile toolkit is executed, all standard risk rules (and any custom rules that are present) are checked against the architecture model.

Execution via Docker Container

The easiest way to execute Threagile on the command line is via its Docker container:

docker run --rm -it threagile/threagile


  _____ _                          _ _      
 |_   _| |__  _ __ ___  __ _  __ _(_) | ___ 
   | | | '_ \| '__/ _ \/ _` |/ _` | | |/ _ \
   | | | | | | | |  __/ (_| | (_| | | |  __/
   |_| |_| |_|_|  \___|\__,_|\__, |_|_|\___|
                             |___/        
Threagile - Agile Threat Modeling


Documentation: https://threagile.io
Docker Images: https://hub.docker.com/r/threagile
Sourcecode: https://github.com/threagile
License: Open-Source (MIT License)    

Usage: threagile [options]


Options:

  -background string
        background pdf file (default "background.pdf")
  -create-editing-support
        just create some editing support stuff in the output directory
  -create-example-model
        just create an example model named threagile-example-model.yaml in the output directory
  -create-stub-model
        just create a minimal stub model named threagile-stub-model.yaml in the output directory
  -custom-risk-rules-plugins string
        comma-separated list of plugins (.so shared object) file names with custom risk rules to load
  -diagram-dpi int
        DPI used to render: maximum is 240 (default 120)
  -execute-model-macro string
        Execute model macro (by ID)
  -generate-data-asset-diagram
        generate data asset diagram (default true)
  -generate-data-flow-diagram
        generate data-flow diagram (default true)
  -generate-report-pdf
        generate report pdf, including diagrams (default true)
  -generate-risks-excel
        generate risks excel (default true)
  -generate-risks-json
        generate risks json (default true)
  -generate-stats-json
        generate stats json (default true)
  -generate-tags-excel
        generate tags excel (default true)
  -generate-technical-assets-json
        generate technical assets json (default true)
  -ignore-orphaned-risk-tracking
        ignore orphaned risk tracking (just log them) not matching a concrete risk
  -list-model-macros
        print model macros
  -list-risk-rules
        print risk rules
  -list-types
        print type information (enum values to be used in models)
  -model string
        input model yaml file (default "threagile.yaml")
  -output string
        output directory (default ".")
  -print-3rd-party-licenses
        print 3rd-party license information
  -print-license
        print license information
  -raa-plugin string
        RAA calculation plugin (.so shared object) file name (default "raa.so")
  -server int
        start a server (instead of commandline execution) on the given port
  -skip-risk-rules string
        comma-separated list of risk rules (by their ID) to skip
  -verbose
        verbose output
  -version
        print version


Examples:

If you want to create an example model (via docker) as a starting point to learn about Threagile just run: 
 docker run --rm -it -v "$(pwd)":/app/work threagile/threagile -create-example-model -output /app/work

If you want to create a minimal stub model (via docker) as a starting point for your own model just run: 
 docker run --rm -it -v "$(pwd)":/app/work threagile/threagile -create-stub-model -output /app/work

If you want to execute Threagile on a model yaml file (via docker): 
 docker run --rm -it -v "$(pwd)":/app/work threagile/threagile -verbose -model /app/work/threagile.yaml -output /app/work

If you want to run Threagile as a server (REST API) on some port (here 8080): 
 docker run --rm -it --shm-size=256m -p 8080:8080 --name threagile-server --mount 'type=volume,src=threagile-storage,dst=/data,readonly=false' threagile/threagile -server 8080

If you want to find out about the different enum values usable in the model yaml file: 
 docker run --rm -it threagile/threagile -list-types

If you want to use some nice editing help (syntax validation, autocompletion, and live templates) in your favourite IDE: 
 docker run --rm -it -v "$(pwd)":/app/work threagile/threagile -create-editing-support -output /app/work

If you want to list all available model macros (which are macros capable of reading a model yaml file, asking you questions in a wizard-style and then update the model yaml file accordingly): 
 docker run --rm -it threagile/threagile -list-model-macros

If you want to execute a certain model macro on the model yaml file (here the macro add-build-pipeline): 
 docker run --rm -it -v "$(pwd)":/app/work threagile/threagile -model /app/work/threagile.yaml -output /app/work -execute-model-macro add-build-pipeline
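
Added example (not part of the Threagile project): a small Go parser for the `Name: [value ...]` lines that `-list-types` prints, in the layout shown in the issue reports on this page, used to check a model value against the allowed enum values and to spot a type that is missing from the output. The function names and the sample excerpt are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample: a few lines in the layout printed by -list-types,
// copied from the output shown on this page (banner art omitted).
const sampleListTypes = `Threagile - Agile Threat Modeling

License: Open-Source (MIT License)
Version: 1.0.0 ()

The following types are available (can be extended for custom rules):

  Criticality (for integrity and availability): [archive operational important critical mission-critical]

  Encryption: [none transparent data-with-symmetric-shared-key data-with-asymmetric-shared-key data-with-enduser-individual-key]

  Technical Asset Machine: [physical virtual container serverless]

  Authentication: [none credentials session-id token client-certificate two-factor externalized]
`

// ParseListTypes maps each type name to its allowed values. Only lines of
// the form "Name: [v1 v2 ...]" are taken; banner and prose lines are skipped.
func ParseListTypes(out string) map[string][]string {
	types := make(map[string][]string)
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		sep := strings.Index(line, ": [")
		if sep <= 0 || !strings.HasSuffix(line, "]") {
			continue
		}
		types[line[:sep]] = strings.Fields(line[sep+3 : len(line)-1])
	}
	return types
}

// CheckValue returns nil if value is allowed for typeName. The error names
// the accepted values, or reports that the type itself is absent.
func CheckValue(types map[string][]string, typeName, value string) error {
	allowed, ok := types[typeName]
	if !ok {
		return fmt.Errorf("type %q not present in -list-types output", typeName)
	}
	for _, v := range allowed {
		if v == value {
			return nil
		}
	}
	return fmt.Errorf("%q is not a valid %s; allowed: %s",
		value, typeName, strings.Join(allowed, " "))
}

// MissingTypes returns the type names present in want but absent from got.
func MissingTypes(want, got map[string][]string) []string {
	var missing []string
	for name := range want {
		if _, ok := got[name]; !ok {
			missing = append(missing, name)
		}
	}
	sort.Strings(missing)
	return missing
}

func main() {
	types := ParseListTypes(sampleListTypes)
	// Values a model might carry for a technical asset (constructed).
	checks := [][2]string{
		{"Technical Asset Machine", "container"},
		{"Technical Asset Machine", "vm"},
		{"Encryption", "transparent"},
	}
	for _, c := range checks {
		if err := CheckValue(types, c[0], c[1]); err != nil {
			fmt.Println("FAIL:", err)
		} else {
			fmt.Printf("ok:   %s = %s\n", c[0], c[1])
		}
	}
	// Output that omits the Encryption line (constructed by editing the sample).
	older := ParseListTypes(strings.Replace(sampleListTypes, "  Encryption:", "  #", 1))
	fmt.Println("missing types:", MissingTypes(types, older))
}
```
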
Comments
  • Details for configuration the schema.json

    Hello everyone, I have some problems configuring the schema. I get a message from IntelliJ that the schema could not be downloaded due to a 403 error. Besides that, I am not sure how to import the schema.json to the Threagile schema in the YouTube video. Is there a detailed description? Many thanks in advance.

    documentation 
    opened by dawic-33 4
  • Feature Request: Show line number on error of model validation

    Currently I tried to use threagile and created a model from the stub. When I try to execute threagile on that model I get the following error:

    Parsing model: /app/work/threagile-model.yaml 2020/11/13 09:59:42 Unknown 'machine' of technical asset: Unknown 'machine' of technical asset:

    I have a few technical assets in my model, so it would be handy to get the line number of the model file in the error message.

    opened by mum-viadee 2
  • Go module build fails with upper/lower case problem

    Are you building on Win?

    go: downloading github.com/Threagile/threagile v0.0.0-20201115181100-9a846523ea83
    go: github.com/Threagile/threagile upgrade => v0.0.0-20201115181100-9a846523ea83
    go get: github.com/Threagile/threagile@v0.0.0-20201115181100-9a846523ea83: parsing go.mod:
    	module declares its path as: github.com/threagile/threagile
    	        but was required as: github.com/Threagile/threagile
    
    opened by fractalqb 1
  • Fixes #2: Adds encryption types list to -list-types CLI output

    This PR adds the missing encryption types output from the -list-types CLI option. It fixes issue #2.

    New Output

    I opted to put the encryption output higher up in the -list-types output (below Criticality) to make it ordered more alphabetically (without touching the other outputs). This should make it easier for others to find when scanning the list.

    $ go build main.go
    $ ./main -list-types
    
      _____ _                          _ _
     |_   _| |__  _ __ ___  __ _  __ _(_) | ___
       | | | '_ \| '__/ _ \/ _` |/ _` | | |/ _ \
       | | | | | | | |  __/ (_| | (_| | | |  __/
       |_| |_| |_|_|  \___|\__,_|\__, |_|_|\___|
                                 |___/
    Threagile - Agile Threat Modeling
    
    
    Documentation: https://threagile.io
    Docker Images: https://hub.docker.com/r/threagile
    Sourcecode: https://github.com/threagile
    License: Open-Source (MIT License)
    Version: 1.0.0 ()
    
    
    The following types are available (can be extended for custom rules):
    
      Quantity: [very-few few many very-many]
    
      Confidentiality: [public internal restricted confidential strictly-confidential]
    
      Criticality (for integrity and availability): [archive operational important critical mission-critical]
    
      Encryption: [none transparent data-with-symmetric-shared-key data-with-asymmetric-shared-key data-with-enduser-individual-key]
    
      Technical Asset Type: [external-entity process datastore]
    
      Technical Asset Size: [system service application component]
    
      Authorization: [none technical-user enduser-identity-propagation]
    
      Authentication: [none credentials session-id token client-certificate two-factor externalized]
    
      Usage: [business devops]
    
      Data Format: [json xml serialization file csv]
    
      Protocol: [unknown-protocol http https ws wss reverse-proxy-web-protocol reverse-proxy-web-protocol-encrypted mqtt jdbc jdbc-encrypted odbc odbc-encrypted sql-access-protocol sql-access-protocol-encrypted nosql-access-protocol nosql-access-protocol-encrypted binary binary-encrypted text text-encrypted ssh ssh-tunnel smtp smtp-encrypted pop3 pop3-encrypted imap imap-encrypted ftp ftps sftp scp ldap ldaps jms nfs smb smb-encrypted local-file-access nrpe xmpp iiop iiop-encrypted jrmp jrmp-encrypted in-process-library-call container-spawning]
    
      Technical Asset Technology: [unknown-technology client-system browser desktop mobile-app devops-client web-server web-application application-server database file-server local-file-system erp cms web-service-rest web-service-soap ejb search-index search-engine service-registry reverse-proxy load-balancer build-pipeline sourcecode-repository artifact-registry code-inspection-platform monitoring ldap-server container-platform batch-processing event-listener identity-provider identity-store-ldap identity-store-database tool cli task function gateway iot-device message-queue stream-processing service-mesh data-lake big-data-platform report-engine ai mail-server vault hsm waf ids ips scheduler mainframe block-storage library]
    
      Technical Asset Machine: [physical virtual container serverless]
    
      Trust Boundary Type: [network-on-prem network-dedicated-hoster network-virtual-lan network-cloud-provider network-cloud-security-group network-policy-namespace-isolation execution-environment]
    
      Data Loss Probability: [improbable possible probable]
    
      Risk Severity: [low medium elevated high critical]
    
      Risk Exploitation Likelihood: [unlikely likely very-likely frequent]
    
      Risk Exploitation Impact: [low medium high very-high]
    
      Risk Function: [business-side architecture development operations]
    
      Risk Status: [unchecked in-discussion accepted in-progress mitigated false-positive]
    
      STRIDE: [spoofing tampering repudiation information-disclosure denial-of-service elevation-of-privilege]
    
    opened by scottbrown 1
  • Fixes #5, a typo in the impact analysis of the cloud hardening risk.

    Overview

    This fixes a simple typo in the impact analysis string of the Missing Cloud Hardening risk category, resulting in a typo in the generated PDF report.

    Rollback

    Revert the PR.

    Testing

    I generated a new PDF report using a threagile.yml file that contains a cloud trust boundary, and the typo is gone.

    opened by scottbrown 0
  • Typo in Impact statement of cloud hardening risk

    Summary

    There is a typo in the PDF report when displaying the impact analysis "Missing Cloud Hardening" risk (page 8; Impact Analysis of X Remaining Risks in Y Categories).

    Expected

    If this risk is unmitigated, attackers might access cloud components in an unintended way.

    Actual

    If this risk is unmitigated, attackers might access cloud components in an unintended way and .

    Root Cause

    The hard-coded string used to define the risk category contains the typo, see here: https://github.com/Threagile/threagile/blob/dad51398ceca985c63a13340abe08d65d3e63369/risks/built-in/missing-cloud-hardening/missing-cloud-hardening-rule.go#L14

    opened by scottbrown 0
  • list-types CLI call does not output Encryption types

    Issue

    When running threagile -list-types, the output does not include the list of accepted encryption types.

    Type

    Bug

    Expected Results

    $ docker run --rm threagile/threagile -list-types
    
      _____ _                          _ _
     |_   _| |__  _ __ ___  __ _  __ _(_) | ___
       | | | '_ \| '__/ _ \/ _` |/ _` | | |/ _ \
       | | | | | | | |  __/ (_| | (_| | | |  __/
       |_| |_| |_|_|  \___|\__,_|\__, |_|_|\___|
                                 |___/
    Threagile - Agile Threat Modeling
    
    
    Documentation: https://threagile.io
    Docker Images: https://hub.docker.com/r/threagile
    Sourcecode: https://github.com/threagile
    License: Open-Source (MIT License)
    Version: 1.0.0 ()
    
    
    The following types are available (can be extended for custom rules):
    
      Quantity: [very-few few many very-many]
    
      Confidentiality: [public internal restricted confidential strictly-confidential]
    
      Criticality (for integrity and availability): [archive operational important critical mission-critical]
    
      Technical Asset Type: [external-entity process datastore]
    
      Technical Asset Size: [system service application component]
    
      Authorization: [none technical-user enduser-identity-propagation]
    
      Authentication: [none credentials session-id token client-certificate two-factor externalized]
    
      Usage: [business devops]
    
      Data Format: [json xml serialization file csv]
    
      Protocol: [unknown-protocol http https ws wss reverse-proxy-web-protocol reverse-proxy-web-protocol-encrypted mqtt jdbc jdbc-encrypted odbc odbc-encrypted sql-access-protocol sql-access-protocol-encrypted nosql-access-protocol nosql-access-protocol-encrypted binary binary-encrypted text text-encrypted ssh ssh-tunnel smtp smtp-encrypted pop3 pop3-encrypted imap imap-encrypted ftp ftps sftp scp ldap ldaps jms nfs smb smb-encrypted local-file-access nrpe xmpp iiop iiop-encrypted jrmp jrmp-encrypted in-process-library-call container-spawning]
    
      Technical Asset Technology: [unknown-technology client-system browser desktop mobile-app devops-client web-server web-application application-server database file-server local-file-system erp cms web-service-rest web-service-soap ejb search-index search-engine service-registry reverse-proxy load-balancer build-pipeline sourcecode-repository artifact-registry code-inspection-platform monitoring ldap-server container-platform batch-processing event-listener identity-provider identity-store-ldap identity-store-database tool cli task function gateway iot-device message-queue stream-processing service-mesh data-lake big-data-platform report-engine ai mail-server vault hsm waf ids ips scheduler mainframe block-storage library]
    
      Technical Asset Machine: [physical virtual container serverless]
    
      Trust Boundary Type: [network-on-prem network-dedicated-hoster network-virtual-lan network-cloud-provider network-cloud-security-group network-policy-namespace-isolation execution-environment]
    
      Data Loss Probability: [improbable possible probable]
    
      Risk Severity: [low medium elevated high critical]
    
      Risk Exploitation Likelihood: [unlikely likely very-likely frequent]
    
      Risk Exploitation Impact: [low medium high very-high]
    
      Risk Function: [business-side architecture development operations]
    
      Risk Status: [unchecked in-discussion accepted in-progress mitigated false-positive]
    
      STRIDE: [spoofing tampering repudiation information-disclosure denial-of-service elevation-of-privilege]
    
      Encryption: [none transparent data-with-symmetric-shared-key data-with-asymmetric-shared-key data-with-enduser-individual-key]
    

    Actual Results

    $ docker run --rm threagile/threagile -list-types
    
      _____ _                          _ _
     |_   _| |__  _ __ ___  __ _  __ _(_) | ___
       | | | '_ \| '__/ _ \/ _` |/ _` | | |/ _ \
       | | | | | | | |  __/ (_| | (_| | | |  __/
       |_| |_| |_|_|  \___|\__,_|\__, |_|_|\___|
                                 |___/
    Threagile - Agile Threat Modeling
    
    
    Documentation: https://threagile.io
    Docker Images: https://hub.docker.com/r/threagile
    Sourcecode: https://github.com/threagile
    License: Open-Source (MIT License)
    Version: 1.0.0 ()
    
    
    The following types are available (can be extended for custom rules):
    
      Quantity: [very-few few many very-many]
    
      Confidentiality: [public internal restricted confidential strictly-confidential]
    
      Criticality (for integrity and availability): [archive operational important critical mission-critical]
    
      Technical Asset Type: [external-entity process datastore]
    
      Technical Asset Size: [system service application component]
    
      Authorization: [none technical-user enduser-identity-propagation]
    
      Authentication: [none credentials session-id token client-certificate two-factor externalized]
    
      Usage: [business devops]
    
      Data Format: [json xml serialization file csv]
    
      Protocol: [unknown-protocol http https ws wss reverse-proxy-web-protocol reverse-proxy-web-protocol-encrypted mqtt jdbc jdbc-encrypted odbc odbc-encrypted sql-access-protocol sql-access-protocol-encrypted nosql-access-protocol nosql-access-protocol-encrypted binary binary-encrypted text text-encrypted ssh ssh-tunnel smtp smtp-encrypted pop3 pop3-encrypted imap imap-encrypted ftp ftps sftp scp ldap ldaps jms nfs smb smb-encrypted local-file-access nrpe xmpp iiop iiop-encrypted jrmp jrmp-encrypted in-process-library-call container-spawning]
    
      Technical Asset Technology: [unknown-technology client-system browser desktop mobile-app devops-client web-server web-application application-server database file-server local-file-system erp cms web-service-rest web-service-soap ejb search-index search-engine service-registry reverse-proxy load-balancer build-pipeline sourcecode-repository artifact-registry code-inspection-platform monitoring ldap-server container-platform batch-processing event-listener identity-provider identity-store-ldap identity-store-database tool cli task function gateway iot-device message-queue stream-processing service-mesh data-lake big-data-platform report-engine ai mail-server vault hsm waf ids ips scheduler mainframe block-storage library]
    
      Technical Asset Machine: [physical virtual container serverless]
    
      Trust Boundary Type: [network-on-prem network-dedicated-hoster network-virtual-lan network-cloud-provider network-cloud-security-group network-policy-namespace-isolation execution-environment]
    
      Data Loss Probability: [improbable possible probable]
    
      Risk Severity: [low medium elevated high critical]
    
      Risk Exploitation Likelihood: [unlikely likely very-likely frequent]
    
      Risk Exploitation Impact: [low medium high very-high]
    
      Risk Function: [business-side architecture development operations]
    
      Risk Status: [unchecked in-discussion accepted in-progress mitigated false-positive]
    
      STRIDE: [spoofing tampering repudiation information-disclosure denial-of-service elevation-of-privilege]
    
    opened by scottbrown 0
  • Add an option to pretty-format risks.json

    risks.json is a great way to visualize output changes in PRs (if Threagile output is stored in git).

    There should be an option to pretty-print that output for easier reviews.

    opened by crenshaw-dev 0
  • Error when building with Dockerfile.local

    I'm running into an interesting error. When I use the Dockerfile to build threagile, the application is running without any issues. However, if I clone the repo locally, then build it using the Dockerfile.local, I see the error {"error":"graph rendering call failed with error:fork/exec /app/render-data-flow-diagram.sh: no such file or directory"}

    Any ideas why that might be?

    opened by cory-chang 0
  • Add support for generating Open Threat Model (OTM)

    Hello. I'd like to be able to generate OTM from Threagile. For example, adding an option for --generate-otm would be ideal.

    The Open Threat Model format is still early in development, but its goals are to standardize how data from threat models are represented, providing interoperability between different systems and tools.

    Per the readme:

    OTM allows both humans and computers to understand what are the components of a system, how are they distributed, the security risks that could be exposed to attackers and the mitigations that could be implemented to avoid those vulnerabilities.

    OTM can be used to document your system and threat model, to keep you threat model aware of the changes that happens in the system and many other use cases.

    opened by stevespringett 0
  • idea open to discussion: CDK for building and maintaining big threat models

    The YAML file can grow very fast while you add more details to your threat model.

    It will be great to:

    • Add an import feature for having complementary YAML files that can be added to the main YAML file. YAML by default does not support imports.

    Or

    • Create a CDK to define our model as code.
    opened by klahnen 2
  • What's the use of size attribute for technical assets?

    Hi, I've been looking through the code and some attributes, like protocol, are used in functions that are in the logic for different risks. But for size of technical asset (system, service, application, component), I can't find them being used anywhere. I see them declared in different technical assets in the add-build-pipeline-macro.go and add-vault-macro.go but don't see them used in code or impact threats in any way? Any advice appreciated. Thanks!

    opened by chujiaoma 1