Skip to content

Commit e07e00f

Browse files
committed
Threat models
1 parent 8e2d502 commit e07e00f

7 files changed

Lines changed: 2484 additions & 0 deletions

File tree

security/README.md

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,28 @@
1+
# Security
2+
3+
This folder contains the threat models.
4+
5+
The threat catalogue (`threats.json`, DFT-01 – DFT-30) was cross-referenced
6+
against the [SLSA v1.2 threats document](https://slsa.dev/spec/v1.2/threats).
7+
DFT-27 – DFT-30 were added from that review (SLSA D, E5/E6, M2).
8+
Existing entries DFT-05/07/11/17/18/19/25 gained SLSA cross-reference links.
9+
10+
They depend on features not yet in a pytm release; install a pinned commit
11+
until an official release is available:
12+
13+
`pip install git+https://github.com/OWASP/pytm.git@279ed14aa13ea8f0b989717812fd4626bfcddf3d`
14+
15+
To update the pin, verify the new commit in the upstream repository and replace
16+
the SHA above.
17+
18+
After this you can generate various reports using:
19+
20+
```bash
21+
python -m security.tm_supply_chain --report security/report_template.md > report.md
22+
python -m security.tm_supply_chain --dfd
23+
python -m security.tm_supply_chain --seq
24+
25+
python -m security.tm_usage --report security/report_template.md > report_usage.md
26+
python -m security.tm_usage --dfd
27+
python -m security.tm_usage --seq
28+
```

security/__init__.py

Whitespace-only changes.

security/report_template.md

Lines changed: 113 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,113 @@
1+
## System Description
2+
3+
{tm.description}
4+
5+
## Dataflow Diagram - Level 0 DFD
6+
7+
```dot
8+
{tm.dfd:call:}
9+
```
10+
11+
## Dataflows
12+
13+
Name|From|To |Data|Protocol|Port
14+
|:----:|:----:|:---:|:----:|:--------:|:----:|
15+
{dataflows:repeat:|{{item.display_name:call:}}|{{item.source.name}}|{{item.sink.name}}|{{item.data}}|{{item.protocol}}|{{item.dstPort}}|
16+
}
17+
18+
## Data Dictionary
19+
20+
{data:repeat:
21+
Name|{{item.name}}
22+
|:----|:----|
23+
Description|{{item.description}}|
24+
Classification|{{item.classification.name}}|
25+
Carried By|{{item.carriedBy:repeat:{{{{item.name}}}}<br>}}|
26+
Processed By|{{item.processedBy:repeat:{{{{item.name}}}}<br>}}|
27+
28+
}
29+
30+
## Actors
31+
32+
{actors:repeat:
33+
Name|{{item.name}}
34+
|:----|:----|
35+
Description|{{item.description}}|
36+
Is Admin|{{item.isAdmin}}|
37+
Finding Count|{{item:call:getFindingCount}}|
38+
39+
{{item:call:getInScopeFindings}}
40+
}
41+
42+
## Boundaries
43+
44+
{boundaries:repeat:
45+
Name|{{item.name}}
46+
|:----|:----|
47+
Description|{{item.description}}|
48+
In Scope|{{item.inScope}}|
49+
Immediate Parent|{{item.parents:if:{{item:call:getParentName}}}}{{item.parents:not:N/A, primary boundary}}|
50+
All Parents|{{item.parents:call:{{{{item.display_name:call:}}}}, }}|
51+
Classification|{{item.maxClassification}}|
52+
Finding Count|{{item:call:getFindingCount}}|
53+
54+
{{item:call:getInScopeFindings}}
55+
}
56+
57+
58+
## Assets
59+
60+
{assets:repeat:
61+
Name|{{item.name}}|
62+
|:----|:----|
63+
Description|{{item.description}}|
64+
In Scope|{{item.inScope}}|
65+
Type|{{item:call:getElementType}}|
66+
Finding Count|{{item:call:getFindingCount}}|
67+
68+
{{item:call:getInScopeFindings}}
69+
}
70+
71+
72+
## Data Flows
73+
74+
{dataflows:repeat:
75+
Name|{{item.name}}
76+
|:----|:----|
77+
Description|{{item.description}}|
78+
Sink|{{item.sink}}|
79+
Source|{{item.source}}|
80+
Is Response|{{item.isResponse}}|
81+
In Scope|{{item.inScope}}|
82+
Finding Count|{{item:call:getFindingCount}}|
83+
84+
{{item:call:getInScopeFindings}}
85+
}
86+
87+
88+
{tm.excluded_findings:if:
89+
# Excluded Threats
90+
}
91+
92+
{tm.excluded_findings:repeat:
93+
<details>
94+
<summary>
95+
{{item:call:getThreatId}} - {{item:call:getFindingDescription}}
96+
</summary>
97+
<p>
98+
<b>{{item:call:getThreatId}}</b> was excluded for
99+
<b>{{item:call:getFindingTarget}}</b>
100+
because of the assumption "{{item.assumption.name}}"
101+
</p>
102+
{{item.assumption.description:if:
103+
<h6>Assumption description</h6>
104+
<p>{{item.assumption.description}}</p>
105+
}}
106+
<h6>Severity</h6>
107+
<p>{{item:call:getFindingSeverity}}</p>
108+
<h6>Example Instances</h6>
109+
<p>{{item:call:getFindingExample}}</p>
110+
<h6>References</h6>
111+
<p>{{item:call:getFindingReferences}}</p>
112+
</details>
113+
}

0 commit comments

Comments
 (0)