Closed jgadsden closed 8 months ago
hey @jgadsden! how can we get a generalized schema for threat models?
Hello @raghav1030, thanks for taking this on. The threat model schema is here: https://github.com/OWASP/www-project-threat-dragon/blob/main/assets/schemas/owasp.threat-dragon.schema.json
but it may be out of date, last worked on it late 2022
Hey @jgadsden, should I proceed with the schema you provided, or do we have an updated version?
the updates will be very minor, and probably won't stop the existing models from being loaded. I would go ahead with the existing schema and I can update it if necessary 👍🏾
If it helps, the suggested place to do this check is in ImportModel.vue:

```javascript
onImportClick(fileName) {
    let jsonModel;
    // check for JSON syntax errors, schema errors come later
    try {
        jsonModel = JSON.parse(this.tmJson);
    } catch (e) {
        this.$toast.error(this.$t('threatmodel.errors.invalidJson'));
        console.error(e);
        return;
    }
    // ToDo: need to catch invalid threat model schemas, possibly using npmjs.com/package/ajv
    // Identify if threat model is in OTM format and if so, convert OTM back to dragon format
    if (Object.hasOwn(jsonModel, 'otmVersion')) {
        jsonModel = openThreatModel.convertOTMtoTD(jsonModel);
    }
```
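A sketch of the two-stage check discussed in this thread (JSON syntax first, then structure), added here as an example and not Threat Dragon's own code. The thread proposes ajv with the full schema linked above; this block substitutes a small hand-written validator and a constructed, cut-down schema so that it runs without dependencies, and `SCHEMA`, `typeOf`, `validate` and `checkImport` are hypothetical names.

```javascript
// Two-stage import check: JSON syntax errors first, structural errors second.
// SCHEMA is a constructed, cut-down stand-in, NOT the real Threat Dragon schema.
const SCHEMA = {
  type: 'object',
  required: ['summary', 'detail'],
  properties: {
    summary: { type: 'object', required: ['title'], properties: { title: { type: 'string' } } },
    detail: { type: 'object', required: ['diagrams'], properties: {
      diagrams: { type: 'array', items: { type: 'object', required: ['title'] } } } }
  }
};

// JSON Schema type name of a parsed JSON value (null and arrays are not 'object').
const typeOf = (v) => (v === null ? 'null' : Array.isArray(v) ? 'array' : typeof v);

// Minimal validator for type/required/properties/items only (a stand-in for ajv).
// Returns a list of "path: problem" strings; an empty list means the value conforms.
function validate(schema, value, path = '$') {
  const errors = [];
  if (schema.type && typeOf(value) !== schema.type) {
    return [`${path}: expected ${schema.type}, got ${typeOf(value)}`];
  }
  for (const key of schema.required || []) {
    if (!Object.hasOwn(value, key)) errors.push(`${path}.${key}: missing required property`);
  }
  for (const [key, sub] of Object.entries(schema.properties || {})) {
    if (Object.hasOwn(value, key)) errors.push(...validate(sub, value[key], `${path}.${key}`));
  }
  if (schema.items && Array.isArray(value)) {
    value.forEach((item, i) => errors.push(...validate(schema.items, item, `${path}[${i}]`)));
  }
  return errors;
}

// Hypothetical helper following the order of checks in the onImportClick excerpt.
function checkImport(text) {
  let model;
  try {
    model = JSON.parse(text);
  } catch (e) {
    return { ok: false, stage: 'syntax', errors: [e.message] };
  }
  // Assumption: OTM files are converted to dragon format first, so they are not checked here.
  if (model !== null && typeof model === 'object' && Object.hasOwn(model, 'otmVersion')) {
    return { ok: true, stage: 'otm', errors: [] };
  }
  const errors = validate(SCHEMA, model);
  return { ok: errors.length === 0, stage: 'schema', errors };
}
```

Reporting the stage separately lets the UI show a different message for malformed JSON than for a well-formed file that is not a threat model.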
Describe what problem your feature request solves
It would be good to apply the Threat Dragon json schema to threat models when they are being opened. This could be an added check - at present we check for valid JSON, but we could also check for valid threat model contents
Describe the solution you'd like
When opening a threat model, apply ajv to check that it follows the schema
Additional context