mermaid-js / mermaid

Generation of diagrams like flowcharts or sequence diagrams from text in a similar manner as markdown
https://mermaid.js.org
MIT License

Threat modelling #5895

Open ReneLombard opened 2 months ago

ReneLombard commented 2 months ago

Proposal

Introduce support for creating threat modeling diagrams using Mermaid.js. Threat modeling is a critical process in cybersecurity, enabling architects, developers, and security professionals to identify, analyze, and document potential threats in a system's design. Integrating threat modeling diagrams will expand Mermaid.js's capabilities, allowing users to visualize threat landscapes directly in their documentation.

Key Features:

Nodes and Components:

Support for different types of components commonly found in threat modeling, such as:
Processes: Represented as circles or ovals.
Data Stores: Represented as open-ended rectangles.
External Entities/Actors: Represented as regular rectangles.
Data Flows: Arrows indicating data transfer between components.

Threat Indicators:

Allow the annotation of potential threats directly on the diagram using specific markers/icons (e.g., a warning triangle) to indicate threat categories such as Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege (STRIDE model).

Data Flow Lines:

Support for different line styles (solid, dashed, etc.) to represent different types of data flows, like secure vs. insecure communication.

Security Boundaries:

Ability to draw security boundaries (represented as dashed or bold lines/boxes) to highlight trust zones and separation between different security levels.

Labels and Descriptions:

Support for adding detailed labels and descriptions to each component, data flow, and threat indicator to provide context and information about identified risks.

Customizable Colors and Icons:

Allow customization of colors and icons for each element to match organizational threat modeling standards.

For more information, please see the following requirements: OWASP Threat Modelling

Use Cases

Screenshots

Basic Diagram

Syntax

```
threatModel
  actor User
  process "Web Application" as WebApp
  dataStore "Database" as DB
  dataFlow "User Request" from User to WebApp
  dataFlow "Data Fetch" from WebApp to DB
  boundary "Trust Boundary" {
    WebApp
    DB
  }
  threat "SQL Injection" on dataFlow "Data Fetch"
```
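As an added example (not code from this issue or from Mermaid itself), the following JavaScript parses the syntax proposed above into a model, checks that every flow and threat refers to something that was declared, and lists the data flows that cross a trust boundary, which is where STRIDE threats are normally attached. The grammar is an assumption read off the sample; nothing here is an implemented Mermaid diagram type.

```javascript
// Constructed sample in the syntax proposed in this issue (hypothetical grammar).
const SAMPLE = `threatModel
  actor User
  process "Web Application" as WebApp
  dataStore "Database" as DB
  dataFlow "User Request" from User to WebApp
  dataFlow "Data Fetch" from WebApp to DB
  boundary "Trust Boundary" {
    WebApp
    DB
  }
  threat "SQL Injection" on dataFlow "Data Fetch"`;

// Parse the text line by line into nodes, flows, boundaries and threats.
function parseThreatModel(text) {
  const model = { nodes: {}, flows: [], boundaries: [], threats: [], errors: [] };
  let open = null; // boundary block currently being filled
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    let m;
    if (!line || line === 'threatModel') continue;
    if (open) { if (line === '}') open = null; else open.members.push(line); continue; }
    if ((m = /^actor (\w+)$/.exec(line))) model.nodes[m[1]] = { type: 'actor', label: m[1] };
    else if ((m = /^(process|dataStore) "([^"]*)" as (\w+)$/.exec(line))) model.nodes[m[3]] = { type: m[1], label: m[2] };
    else if ((m = /^dataFlow "([^"]*)" from (\w+) to (\w+)$/.exec(line))) model.flows.push({ label: m[1], from: m[2], to: m[3] });
    else if ((m = /^boundary "([^"]*)" \{$/.exec(line))) { open = { label: m[1], members: [] }; model.boundaries.push(open); }
    else if ((m = /^threat "([^"]*)" on dataFlow "([^"]*)"$/.exec(line))) model.threats.push({ label: m[1], flow: m[2] });
    else model.errors.push(`unrecognised line: ${line}`);
  }
  return model;
}

// Flows whose endpoints are in different trust zones (null = outside every boundary).
function boundaryCrossings(model) {
  const zone = (id) => { const b = model.boundaries.find((x) => x.members.includes(id)); return b ? b.label : null; };
  return model.flows.filter((f) => zone(f.from) !== zone(f.to)).map((f) => f.label);
}

// Consistency checks: flows must reference declared nodes, threats must reference declared flows.
function validate(model) {
  const problems = [...model.errors];
  for (const f of model.flows) {
    for (const end of [f.from, f.to]) if (!model.nodes[end]) problems.push(`flow "${f.label}" references unknown node ${end}`);
  }
  for (const t of model.threats) {
    if (!model.flows.some((f) => f.label === t.flow)) problems.push(`threat "${t.label}" references unknown flow "${t.flow}"`);
  }
  return problems;
}
```

Running it on the sample reports no problems and a single boundary crossing, "User Request", since User sits outside the trust boundary while WebApp and DB are inside it.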

Implementation

None

fguisso commented 1 month ago

I really want this feature. Is there a starting point to implement that? I can implement it but I need some guide to start.

@ReneLombard did you see that? It's not perfect but I'm using it sometimes.

I need something like this: image