feat: Adds Open Threat Modeling (OTM) support #787
- Enhances the web application interface to allow for the import and export of threat models in the OTM format.
- resolves OWASP#440
many thanks for this important feature, and looking at this now @mmcdonald4tw
Thanks @jgadsden, please let me know if you see anything that you would like for me to adjust.
Looking very good indeed, many thanks again @mmcdonald4tw
So I thought I would collect my thoughts on the use cases
The user can open a model in 3 ways:
The file is then converted if necessary to TD version 2.0 format from either OTM or TD version 1.x. There are also a couple of ways of opening a new model, but that is not relevant for our purposes.
So the user has deliberately selected either a TD or an OTM file, and does not actually care (too much) what the format is within Threat Dragon. The user does care (probably a lot) about what format the file is saved in. They may be disgruntled if they end up overwriting their OTM file in TD format and do not realise it until later, for example.
It would be nice to use OTM exclusively for TD from now on, but that would probably upset our existing users :)
Anyhow, the model is saved from 3 places:
So maybe the user should make the decision to store the model in TD or OTM format from the threat model edit window; where all the meta information is viewed and edited? And this decision is reused until the user changes their mind?
@mmcdonald4tw I will use the example file from the IriusRisk Open Threat Model repo
Thank you @jgadsden, a lot of great thoughts here. I would need to take a deeper look at the code again but it sounds like the design would be to add an additional field to the model meta data that stored the current file format. This file format field would be populated at the time a model is opened:
The current file format data could be displayed in the UI next to the other meta data but would maybe be a drop-down allowing it to be changed. Changing the file format field in an open model would just change the format in which the model is saved. The save function would look for this meta data field to determine if it should be saved out as TD or OTM. This would allow for only one, standard save button.
Have I understood your idea correctly? Is this something that you would like me to change within the current PR?
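The design discussed in the comments above (record the source format when a model is opened, let a drop-down change it, and have one save path honour it), as an added example that is not part of this pull request or of Threat Dragon's code. All function and field names are hypothetical; it assumes OTM files carry `otmVersion` and `project` keys and TD files carry `summary` and `detail`, that the format field is not written to disk, and the converters map only title and description.

```javascript
// Added example; all names are hypothetical, not Threat Dragon's code.
const FORMAT = Object.freeze({ TD: 'TD', OTM: 'OTM' });
// Constructed sample input, not the IriusRisk example file.
const SAMPLE_OTM = '{"otmVersion":"0.1.0","project":{"name":"Demo","id":"demo"}}';

// Assumption: OTM files carry "otmVersion" and "project";
// Threat Dragon files carry "summary" and "detail".
function detectFormat(doc) {
  if (doc === null || typeof doc !== 'object' || Array.isArray(doc)) {
    throw new TypeError('threat model must be a JSON object');
  }
  if (typeof doc.otmVersion === 'string' && doc.project) return FORMAT.OTM;
  if (doc.summary && doc.detail) return FORMAT.TD;
  throw new Error('unrecognised threat model format');
}

// Reduced converters: only title and description are mapped.
const fromOtm = (d) => ({
  summary: { title: d.project.name, description: d.project.description || '' },
  detail: { diagrams: [] },
});
const toOtm = (m) => ({
  otmVersion: '0.1.0', // constructed sample value
  project: {
    name: m.summary.title,
    id: m.summary.title.toLowerCase().replace(/\W+/g, '-'),
    description: m.summary.description || '',
  },
});

// Open: record the source format next to the other model metadata.
function openModel(text) {
  const doc = JSON.parse(text);
  const fileFormat = detectFormat(doc);
  const model = fileFormat === FORMAT.OTM ? fromOtm(doc) : doc;
  return { ...model, meta: { fileFormat } };
}

// The drop-down: changes only the format used by the next save.
function setFileFormat(model, fileFormat) {
  if (!Object.values(FORMAT).includes(fileFormat)) {
    throw new RangeError(`unknown file format: ${fileFormat}`);
  }
  return { ...model, meta: { ...model.meta, fileFormat } };
}

// Single save path: the recorded format decides the output.
function saveModel(model) {
  const { meta, ...body } = model;
  return JSON.stringify(meta.fileFormat === FORMAT.OTM ? toOtm(body) : body, null, 2);
}
```

An OTM file opened this way is written back as OTM unless the format is changed explicitly, which avoids the silent overwrite in TD format raised earlier in the thread.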
Hello @mmcdonald4tw, I agree with what you are suggesting - thanks for working out my convoluted thoughts :)
The OTM models would always have something like
But at some point they will think 'Hey, I would like to save as OTM now, rather than TD', and I like your suggestion of what buttons / drop down menu to put in place to allow them to do that
I can make pull requests to your branch mmcdonald4tw:otm-support if that helps
thanks @mmcdonald4tw for access to the repo, I will try out some suggestions this weekend
Sounds good @jgadsden, I am also available and may do some investigation/PoC coding around these ideas.
@mmcdonald4tw version 2.1.2 was released yesterday because of a problematic bug that needed to be fixed, but version 2.1.3 can be released next month with the OTM feature when it is ready
Hi @jgadsden, I took some time to walk through a few use cases in TD related to our discussion and wanted to share my thoughts.
Opening an existing model:
Creating a new model:
Saving a model:
I look forward to hearing your thoughts and continuing the discussion.
Hello @mmcdonald4tw you make 3 very good points and I agree
all good, merged, many thanks @mmcdonald4tw
I have tried every which way I can think of and the new version (2.1.3) simply will not open, save, import or export an OTM model. What am I missing? I've tried a local build, docker container and the desktop app. The app comes closest in that it actually has an export to OTM in the file menu but it is disabled. If I "open existing" and pass in the EXAMPLE.json from IriusRisk it still seems to try to parse it as a TD model.
The support of Open Threat Model is not functional with the release of Threat Dragon version 2.1.3
Summary:
This change resolves issue #440 by adding import and export capabilities for threat models in the Open Threat Model format. The feature specifically targets the web application's Open and Save functions and allows for the conversion between the Threat Dragon format and the OTM 2.0 format.
Description for the changelog:
Added Open and Save feature to the web application to support threat models in the Open Threat Model (OTM) format.
Other info:
Change required updates to existing unit test cases and a new test case was created to cover the OTM conversion methods.