iriusrisk / OpenThreatModel

The Open Threat Modeling Format (OTM) defines a platform independent way to define the threat model of any system.

Adding optional representations to the dataflow type #20

Closed xntrik closed 1 year ago

xntrik commented 1 year ago

I noticed in the example JSON files that there are representations in the dataflow elements. But this isn't defined in the schema. This PR adds this to the schema.

I don't know if this requires a minor version semantic bump, but I added that in too - but happy for you folks to manage the versioning however you feel is appropriate.

Thanks!

daFont-iriusrisk commented 1 year ago

Hello again @xntrik

After consulting with the team, we think it would be very useful to understand why it is necessary for you to include this in the data flow. Could you give us an explanation?

Maybe we should rethink the purpose of this element and your need could provide us with valuable information.

xntrik commented 1 year ago

Hi @daFont-iriusrisk, the reason I raised this is because I've noticed that in the example files (see https://github.com/iriusrisk/OpenThreatModel/blob/586135378a64738dcebc8867642fc0d12207ac5c/EXAMPLE.json#L195) you include a null representation. I don't have any preferences for or against its inclusion - I was just hoping to ensure that the schema was thorough.

This popped up recently as I'm working through building a Golang package https://github.com/xntrik/go-otm (mainly just a struct representation of the OTM schema) for further use in hcltm https://github.com/xntrik/hcltm/issues/53

daFont-iriusrisk commented 1 year ago

Hello @xntrik,

You're right, it makes no sense to include representations in the dataflow object, so we will fix the schema.

I'll be back with some news.

Thank you for the advice and for your interest in creating software using OTM, we are very grateful 😃

daFont-iriusrisk commented 1 year ago

Hi @xntrik

I am going to close the PR because, as we discussed previously, we are not going to allow the use of the representations object inside the dataflows object.

Functionally it doesn't make sense, so we will work internally to make a change and restrict this behavior.

You can assume this for your development. Sorry for the inconvenience, and thank you for your time and dedication.

If you need anything you can contact us at any time.

Best regards.