OWASP / threat-dragon

An open source threat modeling tool from OWASP
https://owasp.org/www-project-threat-dragon/
Apache License 2.0

Threat ID not consistently added to threats #299

Closed Gavitron closed 2 years ago

Gavitron commented 2 years ago

Hi, this might be addressed by the rewrite for 2.0, but I thought I'd ask just in case.

I noticed in the JSON output of TD that there was a threatID property, but only on some of the threats[], and not all of them. When I looked into why, I think it's because I created some threats in v1.40 but later upgraded to v1.55?

The code here seems to add the UUID to new threats: https://github.com/OWASP/threat-dragon/blob/ce18ce57898e232c37760a4414c6927e1f9637cf/td.desktop/core/diagrams/elementpropdirectives.js#L110

but maybe when editing an existing threat one needs to be generated, if none exists? https://github.com/OWASP/threat-dragon/blob/ce18ce57898e232c37760a4414c6927e1f9637cf/td.desktop/core/diagrams/elementpropdirectives.js#L127

(also, I think the use of threatId on line 138+ is a red herring, as that appears to be related to the id field of the parent cell, and not the threatId parameter of the individual threats[]. Am I wrong?)

jgadsden commented 2 years ago

Thanks for this @Gavitron - I have renamed variable threatId in 138+ so it does not cause confusion. Also I have created a pull request to add in the uuid threatId if none exists on editing the threat.

Excellent bug report, thanks again!
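
An added example, not part of the thread and not Threat Dragon's own code: a Node.js script that applies the rule discussed above (generate a UUID `threatId` only when a threat has none) to a model that is already saved, and reports ids that occur more than once. It assumes only that threats sit in arrays stored under a `threats` key; the function names `collectThreatLists` and `backfillThreatIds` and the sample model are constructed for illustration.

```javascript
// Added example: backfill missing threatId values in a parsed model.
const { randomUUID } = require('crypto');

// Walk any JSON value and collect every array stored under a "threats" key.
// The walk is generic, so no particular nesting of diagrams/cells is assumed.
function collectThreatLists(node, found = []) {
  if (Array.isArray(node)) {
    node.forEach((item) => collectThreatLists(item, found));
  } else if (node !== null && typeof node === 'object') {
    for (const [key, value] of Object.entries(node)) {
      if (key === 'threats' && Array.isArray(value)) found.push(value);
      collectThreatLists(value, found);
    }
  }
  return found;
}

// Give every threat without a usable threatId a fresh UUID; existing ids are kept.
function backfillThreatIds(model) {
  const seen = new Set();
  const report = { kept: 0, added: 0, duplicates: [] };
  for (const threats of collectThreatLists(model)) {
    for (const threat of threats) {
      if (threat === null || typeof threat !== 'object') continue;
      const id = threat.threatId;
      if (typeof id === 'string' && id.length > 0) {
        if (seen.has(id)) report.duplicates.push(id); // same id on two threats
        seen.add(id);
        report.kept += 1;
      } else {
        threat.threatId = randomUUID();
        seen.add(threat.threatId);
        report.added += 1;
      }
    }
  }
  return report;
}

// Constructed sample: one threat saved with an id, one saved without.
const sampleModel = {
  cells: [
    { id: 'cell-1', threats: [{ title: 'Spoofed login', threatId: 'a1b2c3d4-0000-4000-8000-000000000001' }] },
    { id: 'cell-2', threats: [{ title: 'Log tampering' }] },
  ],
};
console.log(backfillThreatIds(sampleModel), JSON.stringify(sampleModel, null, 2));
```

Running it a second time on the same model adds nothing, so ids that other tooling already references stay stable.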