Threat models

Author: spoorcc

pyproject.toml

@@ -157,6 +157,7 @@ disable = "logging-fstring-interpolation"
 min-similarity-lines = 10
 
 [tool.pylint.MASTER]
+ignored-modules = ["pytm"]
 ignore-paths = [
     "doc/_build/",
     "doc/_ext/sphinxcontrib_asciinema",

security/README.md

@@ -0,0 +1,23 @@
+# Security
+
+This folder contains the threat models.
+
+They depend on features not yet in a pytm release; install a pinned commit
+until an official release is available:
+
+`pip install git+https://github.com/OWASP/pytm.git@279ed14aa13ea8f0b989717812fd4626bfcddf3d`
+
+To update the pin, verify the new commit in the upstream repository and replace
+the SHA above.
+
+After this you can generate various reports using:
+
+```bash
+python -m security.tm_supply_chain --report security/report_template.md > report.md
+python -m security.tm_supply_chain --dfd
+python -m security.tm_supply_chain --seq
+
+python -m security.tm_usage --report security/report_template.md > report_usage.md
+python -m security.tm_usage --dfd
+python -m security.tm_usage --seq
+```

security/__init__.py

@@ -0,0 +1,114 @@
+## System Description
+
+{tm.description}
+
+## Dataflow Diagram - Level 0 DFD
+
+```dot
+{tm.dfd:call:}
+```
+
+## Dataflows
+
+Name|From|To |Data|Protocol|Port
+|:----:|:----:|:---:|:----:|:--------:|:----:|
+{dataflows:repeat:|{{item.display_name:call:}}|{{item.source.name}}|{{item.sink.name}}|{{item.data}}|{{item.protocol}}|{{item.dstPort}}|
+}
+
+## Data Dictionary
+
+{data:repeat:
+Name|{{item.name}}
+|:----|:----|
+Description|{{item.description}}|
+Classification|{{item.classification.name}}|
+Carried By|{{item.carriedBy:repeat:{{{{item.name}}}}<br>}}|
+Processed By|{{item.processedBy:repeat:{{{{item.name}}}}<br>}}|
+
+{{item:call:getInScopeFindings}}
+}
+
+## Actors
+
+{actors:repeat:
+Name|{{item.name}}
+|:----|:----|
+Description|{{item.description}}|
+Is Admin|{{item.isAdmin}}|
+Finding Count|{{item:call:getFindingCount}}|
+
+{{item:call:getInScopeFindings}}
+}
+
+## Boundaries
+
+{boundaries:repeat:
+Name|{{item.name}}
+|:----|:----|
+Description|{{item.description}}|
+In Scope|{{item.inScope}}|
+Immediate Parent|{{item.parents:if:{{item:call:getParentName}}}}{{item.parents:not:N/A, primary boundary}}|
+All Parents|{{item.parents:call:{{{{item.display_name:call:}}}}, }}|
+Classification|{{item.maxClassification}}|
+Finding Count|{{item:call:getFindingCount}}|
+
+{{item:call:getInScopeFindings}}
+}
+
+
+## Assets
+
+{assets:repeat:
+Name|{{item.name}}
+|:----|:----|
+Description|{{item.description}}|
+In Scope|{{item.inScope}}|
+Type|{{item:call:getElementType}}|
+Finding Count|{{item:call:getFindingCount}}|
+
+{{item:call:getInScopeFindings}}
+}
+
+
+## Data Flows
+
+{dataflows:repeat:
+Name|{{item.name}}
+|:----|:----|
+Description|{{item.description}}|
+Sink|{{item.sink}}|
+Source|{{item.source}}|
+Is Response|{{item.isResponse}}|
+In Scope|{{item.inScope}}|
+Finding Count|{{item:call:getFindingCount}}|
+
+{{item:call:getInScopeFindings}}
+}
+
+
+{tm.excluded_findings:if:
+# Excluded Threats
+}
+
+{tm.excluded_findings:repeat:
+<details>
+  <summary>
+    {{item:call:getThreatId}} - {{item:call:getFindingDescription}}
+  </summary>
+  <p>
+    <b>{{item:call:getThreatId}}</b> was excluded for
+    <b>{{item:call:getFindingTarget}}</b>
+    because of the assumption "{{item.assumption.name}}"
+  </p>
+  {{item.assumption.description:if:
+  <h6>Assumption description</h6>
+  <p>{{item.assumption.description}}</p>
+  }}
+  <h6>Severity</h6>
+  <p>{{item:call:getFindingSeverity}}</p>
+  <h6>Example Instances</h6>
+  <p>{{item:call:getFindingExample}}</p>
+  <h6>References</h6>
+  <p>{{item:call:getFindingReferences}}</p>
+</details>
+}