mike-goodwin / owasp-threat-dragon-desktop

An installable desktop variant of OWASP Threat Dragon
Apache License 2.0

Printing / Save PDF #58

Closed ghost closed 5 years ago

ghost commented 5 years ago

Latest version on github cloned. Created a new model and added components. Added threats. Closed model. Opened so I could get to the Report feature. Save PDF generated the pdf, but it is missing the threat information. I checked to include mitigated threats as well. I have a mix of mitigated and open; however, none of them showed up in the generated PDF.

mike-goodwin commented 5 years ago

Can I just check, did you also get the current owasp-threat-dragon-core package (v0.6.0)? All of the report generation code is centralised in that so it can be reused across the web and desktop apps. The desktop shell just provides the interaction with the Electron print/save dialogs.

If you have the up-to-date core package, would it be possible to share the model file so I can reproduce locally?

mike-goodwin commented 5 years ago

Also, could you tell me what OS you are on? I don't have access to a Mac at the moment so it is not tested on OSX (which is why the updated version has not been released yet).

ghost commented 5 years ago

I grabbed the core and tried to build on mac but get an error with 'rework-npm' not being a command so it fails on the bundle-css build, but this would make sense as to why the report does not include all the contents expected. I'm running Mac OS Mojave latest.

ghost commented 5 years ago

```
12 verbose stack Error: owasp-threat-dragon-core@0.6.0 bundle-css:rework-npm ./src/content/app.css -o ./src/content/threatdragon-core.css
12 verbose stack spawn ENOENT
12 verbose stack at ChildProcess.<anonymous> (/usr/local/lib/node_modules/npm/node_modules/npm-lifecycle/lib/spawn.js:48:18)
12 verbose stack at ChildProcess.emit (events.js:203:13)
12 verbose stack at maybeClose (internal/child_process.js:1021:16)
12 verbose stack at Process.ChildProcess._handle.onexit (internal/child_process.js:283:5)
13 verbose pkgid owasp-threat-dragon-core@0.6.0
14 verbose cwd /Users/dev/Repos/owasp-threat-dragon-core
15 verbose Darwin 18.6.0
16 verbose argv "/usr/local/Cellar/node/12.6.0/bin/node" "/usr/local/bin/npm" "run" "bundle-css"
17 verbose node v12.6.0
18 verbose npm v6.9.0
19 error file sh
20 error code ELIFECYCLE
21 error errno ENOENT
22 error syscall spawn
23 error owasp-threat-dragon-core@0.6.0 bundle-css:rework-npm ./src/content/app.css -o ./src/content/threatdragon-core.css
23 error spawn ENOENT
24 error Failed at the owasp-threat-dragon-core@0.6.0 bundle-css script.
24 error This is probably not a problem with npm. There is likely additional logging output above.
25 verbose exit [ 1, true ]
```

mike-goodwin commented 5 years ago

Thank you for the detail. So did you install all the dependencies and dev dependencies? In particular, is rework-npm-cli installed? I'm going to find it hard to reproduce and fix this until I get my hands on a Mac...

ghost commented 5 years ago

I had to install rework-npm-cli, and then tried to generate the report again and it only shows the diagram but nothing about the threats. I did observe the following error:

```
objc[86806]: Class FIFinderSyncExtensionHost is implemented in both /System/Library/PrivateFrameworks/FinderKit.framework/Versions/A/FinderKit (0x7fff9ea473d8) and /System/Library/PrivateFrameworks/FileProvider.framework/OverrideBundles/FinderSyncCollaborationFileProviderOverride.bundle/Contents/MacOS/FinderSyncCollaborationFileProviderOverride (0x113fe4f50). One of the two will be used. Which one is undefined.
```

The core build was a success after the proper npm package was installed.

I created a new model and attached the .json output here, and I also included the pdf which shows what is printed.

JSON:

```json
{ "summary": { "title": "Test", "owner": "Test", "description": "Testing a system that never stood a chance with password authentication for SSH over key based authentication." },
  "detail": { "contributors": [],
    "diagrams": [ { "title": "Web Servers", "thumbnail": "./public/content/images/thumbnail.jpg", "id": 0, "$$hashKey": "object:82",
      "diagramJson": { "cells": [
        { "type": "tm.Actor", "size": { "width": 160, "height": 80 }, "position": { "x": 417, "y": 13 }, "angle": 0, "id": "cd41381b-2449-4938-a3fa-8d7515a31365", "z": 1, "hasOpenThreats": false, "attrs": { ".element-shape": { "class": "element-shape hasNoOpenThreats isInScope" }, "text": { "text": "Web User" }, ".element-text": { "class": "element-text hasNoOpenThreats isInScope" } } },
        { "type": "tm.Process", "size": { "width": 100, "height": 100 }, "position": { "x": 443, "y": 136 }, "angle": 0, "id": "dae6d3f5-147f-4511-b973-10c019ceb9ca", "z": 2, "hasOpenThreats": false, "threats": [ { "status": "Mitigated", "severity": "High", "title": "HTTP in Use", "type": "Tampering", "description": "HTTP Traffic is allowed, anyone on the outside can spy on the traffic.", "mitigation": "HTTP was removed and HTTPS was enforced.", "$$hashKey": "object:193" } ], "attrs": { ".element-shape": { "class": "element-shape hasNoOpenThreats isInScope" }, "text": { "text": "Authentication" }, ".element-text": { "class": "element-text hasNoOpenThreats isInScope" } } },
        { "type": "tm.Flow", "smooth": true, "source": { "id": "cd41381b-2449-4938-a3fa-8d7515a31365" }, "target": { "id": "dae6d3f5-147f-4511-b973-10c019ceb9ca" }, "vertices": [], "id": "e01b7f85-e65e-4943-8b91-e69c5456d2b5", "labels": [ { "position": 0.5, "attrs": { "text": { "text": "Auth", "font-weight": "400", "font-size": "small" } } } ], "z": 3, "hasOpenThreats": false, "isEncrypted": true, "isPublicNetwork": true, "protocol": "HTTPS", "attrs": { ".marker-target": { "class": "marker-target hasNoOpenThreats isInScope" }, ".connection": { "class": "connection hasNoOpenThreats isInScope" } } },
        { "type": "tm.Store", "size": { "width": 160, "height": 80 }, "position": { "x": 233, "y": 306 }, "angle": 0, "id": "5bf08601-4058-4fda-a400-c984e00aa3e6", "z": 4, "hasOpenThreats": false, "storesCredentials": true, "isEncrypted": true, "attrs": { ".element-shape": { "class": "element-shape hasNoOpenThreats isInScope" }, "text": { "text": "Database PSQL" }, ".element-text": { "class": "element-text hasNoOpenThreats isInScope" } } },
        { "type": "tm.Flow", "smooth": true, "source": { "id": "dae6d3f5-147f-4511-b973-10c019ceb9ca" }, "target": { "id": "5bf08601-4058-4fda-a400-c984e00aa3e6" }, "vertices": [], "id": "1e59efdf-4816-41a0-b2db-9b3e8b17271b", "labels": [ { "position": 0.5, "attrs": { "text": { "text": "Data Layer", "font-weight": "400", "font-size": "small" } } } ], "z": 5, "hasOpenThreats": false, "protocol": "TCP", "isEncrypted": true, "attrs": { ".marker-target": { "class": "marker-target hasNoOpenThreats isInScope" }, ".connection": { "class": "connection hasNoOpenThreats isInScope" } } },
        { "type": "tm.Actor", "size": { "width": 160, "height": 80 }, "position": { "x": 602, "y": 14 }, "angle": 0, "id": "4722c360-961a-4f1c-abee-2a514baf2484", "z": 6, "hasOpenThreats": true, "threats": [ { "status": "Open", "severity": "High", "title": "SSH Password Based Authentication", "type": "Tampering", "description": "Weak passwords are easily brute forced.", "mitigation": "Use keybased authentication to improce security, also use a VPN.", "$$hashKey": "object:187" } ], "attrs": { ".element-shape": { "class": "element-shape hasOpenThreats isInScope" }, "text": { "text": "Developer" }, ".element-text": { "class": "element-text hasOpenThreats isInScope" } } },
        { "type": "tm.Flow", "smooth": true, "source": { "id": "4722c360-961a-4f1c-abee-2a514baf2484" }, "target": { "id": "5bf08601-4058-4fda-a400-c984e00aa3e6" }, "vertices": [ { "x": 559, "y": 293 } ], "id": "4bef64c6-62a1-4683-8183-558a9f8e0479", "labels": [ { "position": 0.5, "attrs": { "text": { "text": "SSH Traffic", "font-weight": "400", "font-size": "small" } } } ], "z": 7, "hasOpenThreats": false, "protocol": "SSH", "isEncrypted": true, "isPublicNetwork": true, "attrs": { ".marker-target": { "class": "marker-target hasNoOpenThreats isInScope" }, ".connection": { "class": "connection hasNoOpenThreats isInScope" } } }
      ] },
      "size": { "height": 590, "width": 912 } } ],
    "reviewer": "Test" } }
```

test.pdf

ghost commented 5 years ago

Apologies, not sure why the code isn't formatted nicely!

mike-goodwin commented 5 years ago

OK. Using your model, I see what is happening. The isOutOfScope property on the model elements is not defined which means the filter on the report template filters them out of both the out-of-scope section and the in-scope section. I think the problem is in the custom JointJS shape definitions - the property should always be defined, so I will look into that. The only problem with that is any model with elements that don't have the property defined (like yours) will still not work, so I will also have to modify the report template filters to handle the case where the property is missing entirely.

I was going to suggest a clunky workaround to fix it for your model to save you waiting for a fix (in the diagram editor, click each model element to out-of-scope and then in-scope again). But this causes ANOTHER bug in the report where the element titles don't display. Closing and re-opening the file does seem to fix it, so it is a workaround, but not a nice one.
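The failure mode described in the comment above, as an added illustration that is not Threat Dragon's own report code: a strict in-scope / out-of-scope split on `isOutOfScope` drops any element where the property is simply missing, so the element and its threats appear in neither report section, while a tolerant filter that treats "not explicitly true" as in scope keeps them. The model shape mirrors the JSON posted in this issue, but the data, the helper names (`strictPartition`, `tolerantPartition`, `collectThreats`, `reportSummary`) and the `showMitigated` flag standing in for the report's "include mitigated threats" option are all constructed for this example.

```javascript
// Added example, not Threat Dragon's code. Constructed model in the same
// shape as the issue's JSON: some elements lack isOutOfScope entirely.
const sampleModel = {
  detail: {
    diagrams: [{
      title: "Web Servers",
      diagramJson: {
        cells: [
          // isOutOfScope missing on the next two elements (as in the reporter's model)
          { type: "tm.Actor", id: "a1", attrs: { text: { text: "Web User" } } },
          { type: "tm.Process", id: "p1", attrs: { text: { text: "Authentication" } },
            threats: [{ status: "Mitigated", severity: "High", title: "HTTP in Use", type: "Tampering" }] },
          // isOutOfScope explicitly set on these two
          { type: "tm.Actor", id: "a2", isOutOfScope: false, attrs: { text: { text: "Developer" } },
            threats: [{ status: "Open", severity: "High", title: "SSH Password Based Authentication", type: "Tampering" }] },
          { type: "tm.Store", id: "s1", isOutOfScope: true, attrs: { text: { text: "Legacy Cache" } } },
          // a flow is an edge, not an element, and carries no scope flag here
          { type: "tm.Flow", id: "f1", source: { id: "a1" }, target: { id: "p1" } }
        ]
      }
    }]
  }
};

// Elements are the non-flow cells of a diagram.
function elementsOf(diagram) {
  return diagram.diagramJson.cells.filter(c => c.type !== "tm.Flow");
}

// Strict split: an element whose isOutOfScope is undefined matches
// neither predicate and silently vanishes from the report.
function strictPartition(elements) {
  return {
    inScope: elements.filter(e => e.isOutOfScope === false),
    outOfScope: elements.filter(e => e.isOutOfScope === true)
  };
}

// Tolerant split: only an explicit true means out of scope; a missing
// property defaults to in scope, so every element lands in one section.
function tolerantPartition(elements) {
  return {
    inScope: elements.filter(e => e.isOutOfScope !== true),
    outOfScope: elements.filter(e => e.isOutOfScope === true)
  };
}

// Flatten the threats of the given elements into report rows; the
// showMitigated flag plays the role of the report's mitigated-threats checkbox.
function collectThreats(elements, showMitigated) {
  const rows = [];
  for (const e of elements) {
    for (const t of e.threats || []) {
      if (!showMitigated && t.status === "Mitigated") continue;
      rows.push({ element: e.attrs.text.text, title: t.title, status: t.status, severity: t.severity });
    }
  }
  return rows;
}

// Build the report sections with a chosen partition strategy and count
// how many elements fell through the cracks.
function reportSummary(model, showMitigated, partition) {
  const elements = model.detail.diagrams.flatMap(elementsOf);
  const { inScope, outOfScope } = partition(elements);
  return {
    inScope: inScope.map(e => e.attrs.text.text),
    outOfScope: outOfScope.map(e => e.attrs.text.text),
    dropped: elements.length - inScope.length - outOfScope.length,
    threats: collectThreats(inScope, showMitigated)
  };
}

console.log("strict:  ", JSON.stringify(reportSummary(sampleModel, true, strictPartition)));
console.log("tolerant:", JSON.stringify(reportSummary(sampleModel, true, tolerantPartition)));
```

With the strict filter two of the four elements (the ones with no `isOutOfScope`) are reported in neither section, and the mitigated HTTP threat on "Authentication" disappears with them, which matches the empty threat list the reporter saw. The tolerant filter keeps all four and lists both threats; flipping `showMitigated` to `false` then leaves only the open SSH threat.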

mike-goodwin commented 5 years ago

This is fixed in PR #59

All the changes were made in owasp-threat-dragon-core at v0.6.1 so if you want to try it out you will need the latest core package (it is published on npm). The only change to the desktop code was to upgrade the package versions - core and desktop both bumped to 0.6.1.

Thanks for raising it and for the detailed info.

p.s. It is only tested on Windows since I don't have access to a Mac currently