This issue has been migrated from :
mike-goodwin/owasp-threat-dragon#23
and was opened by @dskrvk:

Bitbucket (which my team happens to use) is a fairly popular alternative to Github. Would be great to have an integration with that as well.

This issue has been migrated from :
mike-goodwin/owasp-threat-dragon-core#45
and was opened by @p- :

Like the title says: it would be cool if selection and move of multiple elements would be supported.
(If it is supported: I'm sorry I couldn't figure out how 😉 )

This issue has been migrated from:
mike-goodwin/owasp-threat-dragon-desktop#107

@thomaskonrad reports:
Exception thrown, but cannot copy it:
When I open a model, an exception Uncaught Exception: Error: Command failed: 4294967295. Also, I cannot copy the exception so that I could easily post it here. It says System.Net.WebException: The remote server returned an error (500) Internal Server Error

This issue has been migrated from :
mike-goodwin/owasp-threat-dragon#124
and was opened by @johocurtest :

It seems there is no ACL on the threat model file created in GitHub

Steps:

Login as User A using your GitHub account
Create a model
Share the link with User B
User B logins in to GitHub and opens model file from User A GitHub repo hyperlink
Result:
User B can change file from User A (no Read/Edit/Modify ACL)

This issue has been migrated from :
mike-goodwin/owasp-threat-dragon#50
and was opened by @securestep9 :

ability to import/export Microsoft TM7 format, SVG & PDF will make this tool far more mature and useful.

This issue has been migrated from:
mike-goodwin/owasp-threat-dragon-desktop#101

There is a branch for applying auto-updates using squirrel. It should be cross platform for Windows, MacOS and Linux.
File app/app.js has been modified to not use autoupdate via PR OWASP/threat-dragon-desktop#102 because it was causing problems, but this modification can be undone when autoupdate is working:

//electron autoupdate
//Note: autoupdate has been disabled until this issue has been satisfied:
//      https://github.com/mike-goodwin/owasp-threat-dragon-desktop/issues/101
// app.run(['common', 'dialogs', 'electron', 'VERSION', require('./app/config.autoupdate')]);

This issue has been migrated from :
mike-goodwin/owasp-threat-dragon-core#117
and was opened by @fajabird :

We are assessing threat dragon for our threat modeling workshops and lately we started to extend it to privacy threats. We came accros the great LINDDUN framework that is very similar to STRIDE and also uses DFDs.

Therefor it would be great to have either LINDDUN categories in the threat engine or even a "custom" threat option where users can create a list of custom threat categories that are displayed in the drop-down.

When we put the assets and data flows into the diagram, we are allowed to set a few checkboxes. If we ask the application to generate threat suggestions, it does not take them into consideration, thus suggesting a "Tampering" threat to a data flow that has been marked as "encrypted" in one of its checkboxes.

This issue has been migrated from :
mike-goodwin/owasp-threat-dragon#116
and was opened by @NAlhirabi :

Hello Mike
I tried to deploy locally in MAC OSX, but it fails , when I run
npm start
Terminal shows following error:

[email protected] start /Users/nadaalhirabi/Documents/GitHub/owasp-threat-dragon
node server.js

{"name":"threatdragon","excludes":["req-headers","res-headers","res","req","short-body","body","response-hrtime","incoming","user-agent","response-time","http-version"],"hostname":"m006.cs.cf.ac.uk","pid":81568,"level":50,"security":true,"msg":"secure session cookie flag was false - should only happen in dev environments","time":"2019-11-11T14:07:32.065Z","v":0}
{"name":"threatdragon","hostname":"m006.cs.cf.ac.uk","pid":81568,"level":50,"msg":"owasp threat dragon failed to start up","time":"2019-11-11T14:07:32.067Z","v":0}
{"name":"threatdragon","hostname":"m006.cs.cf.ac.uk","pid":81568,"level":50,"msg":"Credentials must be provided when creating a service client.","time":"2019-11-11T14:07:32.067Z","v":0}
events.js:187
throw er; // Unhandled 'error' event
^

Error: listen EADDRINUSE: address already in use :::3000
at Server.setupListenHandle [as _listen2] (net.js:1300:14)
at listenInCluster (net.js:1348:12)
at Server.listen (net.js:1436:7)
at Function.listen (/Users/nadaalhirabi/Documents/GitHub/owasp-threat-dragon/node_modules/express/lib/application.js:618:24)
at Object. (/Users/nadaalhirabi/Documents/GitHub/owasp-threat-dragon/server.js:7:18)
at Module._compile (internal/modules/cjs/loader.js:956:30)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:973:10)
at Module.load (internal/modules/cjs/loader.js:812:32)
at Function.Module._load (internal/modules/cjs/loader.js:724:14)
at Function.Module.runMain (internal/modules/cjs/loader.js:1025:10)
Emitted 'error' event on Server instance at:
at emitErrorNT (net.js:1327:8)
at processTicksAndRejections (internal/process/task_queues.js:80:21) {
code: 'EADDRINUSE',
errno: 'EADDRINUSE',
syscall: 'listen',
address: '::',
port: 3000
}
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! [email protected] start: node server.js
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the [email protected] start script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.

npm ERR! A complete log of this run can be found in:
npm ERR! /Users/nadaalhirabi/.npm/_logs/2019-11-11T14_07_32_140Z-debug.log
m006:owasp-threat-dragon nadaalhirabi$

————

This is the variables in bash_profile

GITHUB_CLIENT_ID=XXXXXX
GITHUB_CLIENT_SECRET=XXXXXX
SESSION_SIGNING_KEY=XXXXX (note it is the Personal access tokens in Github)
SESSION_STORE=local
AZURE_STORAGE_CONNECTION_STRING
NODE_ENV=development

This issue has been migrated from :
mike-goodwin/owasp-threat-dragon#126
and was opened by @Trolldemorted :

Would it be a lot of work to support local storage on the webapp like the electron client does?

This would be great for quick demos for audiences which are unwilling to allow write access to their github repositories, or do not have a github account.

This issue has been migrated from :
mike-goodwin/owasp-threat-dragon#150
and was opened by @gbiagomba :

Hello,

This is more of a request than an issue. But is there anyways to open a visio file oran xml file from draw.io into this tool? If no, is it possible to have that added?

This issue has been migrated from :
mike-goodwin/owasp-threat-dragon#68
and was opened by @subashsn :

We've added Gitlab as a provider along with Github for Threat Dragon. Currently it's functional, but the test cases are failing due to ES6 syntax and changes done to accomodate multiple providers; Github and Gitlab. Can we relax this?

If this is okay, I'd be happy to raise a pull request that adds Gitlab integration for Threat Dragon. Thanks

@thomaskonrad reports:
The fact that I have to edit the model to add a diagram: That seems counter-intuitive to me. I'd put the diagrams into the edit view of the model, and only put metadata into the edit dialog.

@thomaskonrad reports:
I cannot drag whole trust boundaries: When I point at a trust boundary, the cursor indicates that I can drag and drop the whole boundary, but instead, a new point is added to the curve, which I then drag. I could not find out a way to move a whole trust boundary at once.

This issue has been migrated from :
mike-goodwin/owasp-threat-dragon#74
and was opened by @anirbanctts :

Keep on getting this error after entering github credentials.
Error: Invalid key length
at new Cipheriv (crypto.js:219:16)
at Object.createCipheriv (crypto.js:619:10)
at encryptData
....

var crypto = require('crypto');
var inputEncoding = 'ascii';
var outputEncoding = 'base64';
var keyEncoding = 'ascii';
var algorithm = 'aes256';

these properties were unchanged. Not sure why this issue keeps on repeating.
using NodeJS 8.11.3 LTS version

@thomaskonrad reports:
Data Flow arrows are misaligned: The arrows seem to point towards the direct line between two objects, instead of the direction of the very last part of the curve. That makes it misaligned when it's curved.

@thomaskonrad reports:
The protocol isn't shown in the Data Flow: There is no indicator which protocol is in use, or whether it's encrypted, although I can specify these properties.

The save button was only enabled after changes are made in the diagram, but this feature has been temporarily removed in issue mike-goodwin/owasp-threat-dragon-core#96 .
It has also been migrated from mike-goodwin/owasp-threat-dragon-core#97 :

The problem was that the save button was only enabled after an element is de-selected. This confused some users of Threat Dragon, so to avoid concern the save button is always enabled.

It is a good thing to disable the save button when no changes have been made, so this feature should be reinstated.

It would be good to be able to specify bidirectional data flows, as well as the existing single direction data flow, as it would make some diagrams look less busy and would not detract from the information in the threat model

@ZhangK123 raised an issue mike-goodwin/owasp-threat-dragon-core#121 :

I want to add some new funtions in my computer. The problem is how do you debug and run the core part in your comuter?
Is this core-part must run on the Web application?

It would be good to have developer notes so that it is easy to understand the structure and also easier to modify / debug the core code

This issue has been migrated from :
mike-goodwin/owasp-threat-dragon#119
and was opened by @rav94 :

The repository was listed only after I changed the repository permissions to the public mode. Think this would be an important option to have because you are providing the Github credentials expecting to view your private repos as well. Plus people would be reluctant to put their threat model diagrams in public.

The threat model PDF report generated by the tool is splitting the diagram across pages. For example, when a 1-page diagram occurs half-way down a page. To overcome this issue, the user could insert a page-break just before the diagram or manually ensure the diagram does not occur over a page break.

The OWASP project Cheat Sheets provides information on Threat Modeling :
https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html
along with other cheat sheets on various defense topics.

It would be good if these cheat sheets could be referenced by the threat engine

This issue has been migrated from :
mike-goodwin/owasp-threat-dragon#148
and was opened by @madchap :

When wanting to try TD, it asked me for the following GitHub permissions, which in my opinion are too much:

As a result, I personally didn't want to grant so much.

Maybe it is possible to ask for less and achieve what is needed?

Cheers!

The zoom feature was removed temporarily, issue mike-goodwin/owasp-threat-dragon-core#94 .
It has also been migrated from mike-goodwin/owasp-threat-dragon-core#95 :
This feature needs to be reinstated so that:

• when zooming in it is possible to scroll across the paper
• when zoomed out, the paper size is adjusted when dragging elements across the paper
• it is possible to pan across the whole diagram when zoomed in, see issue mike-goodwin/owasp-threat-dragon-core#72
• anchors on the elements are scaled correctly when zoomed in, see issue mike-goodwin/owasp-threat-dragon-core#73
• dead space can not be created by zooming in and adding elements, see issue mike-goodwin/owasp-threat-dragon-core#60

This repo has been migrated from Mike Goodwin user space, and needs the CI tasks to point to this repo rather than mike-goodwin repos

This issue has been migrated from :
mike-goodwin/owasp-threat-dragon#52
and was opened by @xolian :

Ability to create arbitrary GIT Issues in github.com or GHE from the GIT Url of the application/code you are Threat Modeling.

The TD webapp and desktop app now include different thumbnails for STRIDE/CIA/LINDDUN . It would be good if the radio buttons in the diagram for STRIDE, CIA and LINDDUN also changed the path to the appropriate thumbnail instead of using the generic one.

Version 1.3 release is expected August 2020 or so. It may contain :

• code signing
• updated threat engine
• integration with EoP Threat Modeling Card Deck (under CC-BY)

It will need the usual testing, versioning, etc

This issue has been migrated from :
mike-goodwin/owasp-threat-dragon#122
and was opened by @micheelengronne :

Is it possible to add Gitlab integration ?

Thanks.

@fkl-rt writes
Threat Dragon is built on AngularJS which is reaching EOL in June 2021, if I understand their announcements correctly ([1], [2]).
Are there any plans to switch to the newer (not-backwards compatible) Angular.io release or to any other framework?

[1] https://blog.angular.io/stable-angularjs-and-long-term-support-7e077635ee9c
[2] angular/angular.js#16895

@danwiltshire raised this issue in mike-goodwin/owasp-threat-dragon#152 :

When the user session times out, the application will let the user continue to work on a diagram but the Save function does not operate.

The user will need to refresh the page which will prompt for GitHub authentication resulting in lost progress.

Steps to reproduce:

Let browser idle or put device to sleep for a period of time
Continue working in Threat Dragon
Attempt to save progress.

I originally reported this in the wrong repo, so I'm re-reporting it here:

There is an XSS flaw in the app that can lead to RCE, its been confirmed on the OSX version of the application. I cant track the flaw down in the application code (although admittedly my JS/Electron skills are pretty low) so cant offer a PR or fix for it :(

I've sent details via the Flowcrypt form rather than post them here.

This repo has been migrated from Mike Goodwin user space, and needs the CI tasks to point to this repo rather than mike-goodwin repos

It would be good to have an alternative to the STRIDE categories for threats in TD, which has been discussed for LIDDUN OWASP/threat-dragon-core#16 . The most direct categorisation is Confidentiality Integrity Availability and Authenticity (CIAA), and it would be good to have these categories either alongside STRIDE or as an alternative to STRIDE

When running npm install there are warnings. These packages could be updated so that the warnings are reduced.

 npm install
npm WARN deprecated [email protected]: This module is no longer maintained, try this instead:
npm WARN deprecated   npm i nyc
npm WARN deprecated Visit https://istanbul.js.org/integrations for other alternatives.
npm WARN deprecated [email protected]: this package is now deprecated
npm WARN deprecated [email protected]: core-js@<3 is no longer maintained and not recommended for usage due to the number of issues. Please, upgrade your dependencies to the actual version of core-js@3.
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated [email protected]: CoffeeScript on NPM has moved to "coffeescript" (no hyphen)
npm WARN deprecated [email protected]: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN deprecated [email protected]: This module is no longer maintained, try this instead:
npm WARN deprecated   npm i nyc
npm WARN deprecated Visit https://istanbul.js.org/integrations for other alternatives.
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated [email protected]: Jade has been renamed to pug, please install the latest version of pug instead of jade
npm WARN deprecated [email protected]: This module moved to @hapi/hawk. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues.
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated [email protected]: Please update to at least constantinople 3.1.1
npm WARN deprecated [email protected]: Deprecated, use jstransformer
npm WARN deprecated [email protected]: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN deprecated [email protected]: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN deprecated [email protected]: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN deprecated [email protected]: This module moved to @hapi/sntp. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues.
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated [email protected]: Please use the native JSON object instead of JSON 3
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
...
npm WARN notsup Unsupported engine for [email protected]: wanted: {"node":"0.10 || 0.12 || 4 || 5 || 6 || 7 || 8"} (current: {"node":"13.2.0","npm":"6.14.2"})
npm WARN notsup Not compatible with your version of node/npm: [email protected]

This issue has been migrated from :
mike-goodwin/owasp-threat-dragon-core#118
and was opened by @jcoupal :

My company built a utility that helps us out a lot with Threat Modeling - we have a 2-way sync utility that pushes open (non-mitigated) vulnerabilities into a a named Jira Epic as a simpler way to build backlog for our dev team. Once closed in Jira, the items get marked as closed in TD.

threat-mvp-master.zip

It would be good to have a CONTRIBUTING.md file along the same lines as OWASP ZAP's at https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md

This issue has been migrated from :
mike-goodwin/owasp-threat-dragon-core#75
and was opened by @adamshostack :

The sample diagram has some elements (background worker, worker config, etc) which show in red. It's not clear what red means. (dashed lines seem to be used for both trust boundaries and Out of scope).

I suggest adding a key, but possibly alternately reducing use of color to address the threat of black & white printing.

This issue has been migrated from :
mike-goodwin/owasp-threat-dragon-core#58
and was opened by @securestep9 :

Undo command is missing in Edit - it makes life very difficult when you accidentally delete something by mistake (Redo is needed as well)

This issue has been migrated from :
mike-goodwin/owasp-threat-dragon-core#56
and was opened by @zeroXten :

STRIDE isn't used to categorise threats, but as an aid to discovering them, so some threats may feel naturally associated with more than one STRIDE type.

Version 1.3 release is expected August 2020 or so. It may contain :

• updated threat engine
• integration with EoP Threat Modeling Card Deck (under CC-BY)

It will need the usual testing, versioning, npm packaging, etc

There is an alert from LGTM in td/public/app/threatmodels/github.js

22 function activate() {
23     common.activateController([load()], controllerId)
 -- the function load does not return anything, yet the return value is used --
24             .then(function () { log('Activated GitHub Controller'); });
25 }

This issue has been migrated from :
mike-goodwin/owasp-threat-dragon-core#77
and was opened by @dschadt :

This is probably the wrong place to ask questions like this but I didn't find another place.

Severity can be rated in 3 levels. It looks very similar to TMT priority.
What exactly is the practical use of severity?
From a classical risk oriented approach a priority is similar to a resulting risk with different levels before and after mitigation. Before mitigation it helps to prioritize activities applying countermeasures.
Risk is defined as a product of impact and likelihood if you want to simplify. Impact in my opinion is simply characterized by sensitivity of the data processed in the data flow and broken SLA. Both are different (business) impacts to be referenced to the character of the STRIDE attack vector. The other dimension likelihood is just a guess how easy it is to materialize the threat.
If possible I try to setup likelihood and impact based on the companies risk definition and throw out the risk level as a result.
Using priority TMT had the "problem" that it was setup by guessing not having a basis with risk assessment. Therefore it produced no real value for me. I changed it to calculate risks in a spreadsheet instead of prioritizing within TMT.
It would be helpful to know what the reason is for implementing severity this way.

The OWASP project Cheat Sheets provides information on Threat Modeling :
https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html
along with other cheat sheets on various defense topics.

TD suggests STRIDE when adding threats to the data flow diagram, and one idea is that when one of STRIDE categories is suggested by TD, then the default description could have a link to the specific EoP suit (so for example if it is Repudiation then we could link to the EoP Repudiation suit).

This would need the EoP to be split out into the individual suits (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege), subject of adamshostack/eop#3

This issue has been migrated from :
mike-goodwin/owasp-threat-dragon#149
and was opened by @RobSkye :

Would be great to have all the changes autosaved everytime you make a modification to a diagram, add a threat..etc.

It would be good to increase the number of browsers we test against, at present it is:

• Chrome
• Firefox
• IE
• PhantomJS

Consider using Karma-detect-browsers: https://www.npmjs.com/package/karma-detect-browsers
to increase coverage to:

• Opera
• Safari
• Edge

This issue has been migrated from :
mike-goodwin/owasp-threat-dragon-core#74
and was opened by @adamshostack :

Arc trust boundaries are ambiguous. For example, in the sample diagram, one arc can be extended to split "background worker process", another can be extended to bisect "database."

Closed boundaries (such as boxes) are more clear, and should be the default shape.

This issue has been migrated from :
mike-goodwin/owasp-threat-dragon#72
and was opened by @fadeevab :

To use the online version of application the GitHub's authentication is requested.

However a requested scope of permissions is quietly wide:

This application will be able to read and write all public repository data. This includes the following:

Code
Issues
Pull requests
Wikis
Settings
Webhooks and services
Deploy keys

I'm pretty sure it's enough to get an empty scope (see https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/): to read public account information. It's not clear about all other permissions.

Thank you!