Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Expose Actor and Asset lists in report template #150

Merged
merged 3 commits into from
Apr 7, 2021
Merged

Expose Actor and Asset lists in report template #150

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
5ef3067
Expose list with only Assets to report template
nozmore-vera Apr 2, 2021
3b0662b
Updated json output test data to include asset list
nozmore-vera Apr 2, 2021
3e85351
Added global _actors list, exposed 'actors' to report template and up…
nozmore-vera Apr 6, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions pytm/pytm.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -609,6 +609,8 @@ class TM:

_flows = []
_elements = []
_actors = []
_assets = []
_threats = []
_boundaries = []
_data = []
Expand Down Expand Up @@ -645,6 +647,8 @@ def __init__(self, name, **kwargs):
def reset(cls):
cls._flows = []
cls._elements = []
cls._actors = []
cls._assets = []
cls._threats = []
cls._boundaries = []
cls._data = []
Expand Down Expand Up @@ -869,6 +873,8 @@ def report(self, template_path):
"threats": TM._threats,
"findings": self.findings,
"elements": TM._elements,
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder should we replace _elements with _assets. It's easy to combine both lists and it'll be more explicit. The word elements is ambiguous anyway. @nozmore @izar WDYT?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't have a strong opinion either way as for the existence of _elements in the code. Obviously I agree with using assets since I raised the PR : ) I would probably go a step further and remove elements from json output and as mentioned add an Actor list so that objects are only referenced once. You could hold off on that for a major version to avoid breaking changes or do so now but add a bool flag on TM to remove elements and maintain existing functionality.

"assets": TM._assets,
"actors": TM._actors,
"boundaries": TM._boundaries,
"data": TM._data,
}
Expand Down Expand Up @@ -1237,6 +1243,9 @@ class Asset(Element):
OS = varString("")
providesIntegrity = varBool(False)

def __init__(self, name, **kwargs):
super().__init__(name, **kwargs)
TM._assets.append(self)

class Lambda(Asset):
"""A lambda function running in a Function-as-a-Service (FaaS) environment"""
Expand Down Expand Up @@ -1404,6 +1413,7 @@ class Actor(Element):

def __init__(self, name, **kwargs):
super().__init__(name, **kwargs)
TM._actors.append(self)


class Process(Asset):
Expand Down
256 changes: 256 additions & 0 deletions tests/output.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,260 @@
{
"actors": [
{
"__class__": "Actor",
"authenticatesDestination": false,
"checksDestinationRevocation": false,
"data": [],
"description": "",
"findings": [],
"inBoundary": "Internet",
"inScope": true,
"inputs": [
"Show comments (*)"
],
"isAdmin": false,
"levels": [
0
],
"maxClassification": "Classification.UNKNOWN",
"name": "User",
"outputs": [
"User enters comments (*)"
],
"overrides": [],
"port": -1,
"protocol": "",
"providesIntegrity": false
}
],
"assets": [
{
"OS": "",
"__class__": "Server",
"authenticatesDestination": false,
"authenticatesSource": false,
"authenticationScheme": "",
"authorizesSource": false,
"checksDestinationRevocation": false,
"checksInputBounds": false,
"data": [],
"definesConnectionTimeout": false,
"description": "",
"disablesDTD": false,
"encodesHeaders": false,
"encodesOutput": false,
"findings": [],
"handlesResourceConsumption": false,
"handlesResources": false,
"hasAccessControl": false,
"implementsAuthenticationScheme": false,
"implementsCSRFToken": false,
"implementsNonce": false,
"implementsPOLP": false,
"implementsServerSideValidation": false,
"implementsStrictHTTPValidation": false,
"inBoundary": null,
"inScope": true,
"inputs": [
"User enters comments (*)",
"Retrieve comments"
],
"invokesScriptFilters": false,
"isEncrypted": false,
"isHardened": false,
"isResilient": false,
"levels": [
0
],
"maxClassification": "Classification.UNKNOWN",
"name": "Web Server",
"onAWS": false,
"outputs": [
"Insert query with comments",
"Call func",
"Show comments (*)"
],
"overrides": [],
"port": -1,
"protocol": "",
"providesConfidentiality": false,
"providesIntegrity": false,
"sanitizesInput": false,
"usesCache": false,
"usesCodeSigning": false,
"usesEncryptionAlgorithm": "",
"usesEnvironmentVariables": false,
"usesLatestTLSversion": false,
"usesSessionTokens": false,
"usesStrongSessionIdentifiers": false,
"usesVPN": false,
"usesXMLParser": false,
"validatesContentType": false,
"validatesHeaders": false,
"validatesInput": false
},
{
"OS": "",
"__class__": "Lambda",
"authenticatesDestination": false,
"authenticatesSource": false,
"authenticationScheme": "",
"authorizesSource": false,
"checksDestinationRevocation": false,
"checksInputBounds": false,
"data": [],
"definesConnectionTimeout": false,
"description": "",
"encodesOutput": false,
"environment": "",
"findings": [],
"handlesResourceConsumption": false,
"handlesResources": false,
"hasAccessControl": false,
"implementsAPI": false,
"implementsAuthenticationScheme": false,
"implementsNonce": false,
"inBoundary": null,
"inScope": true,
"inputs": [
"Call func"
],
"isEncrypted": false,
"isHardened": false,
"levels": [
0
],
"maxClassification": "Classification.UNKNOWN",
"name": "Lambda func",
"onAWS": true,
"outputs": [],
"overrides": [],
"port": -1,
"protocol": "",
"providesIntegrity": false,
"sanitizesInput": false,
"usesEnvironmentVariables": false,
"validatesInput": false
},
{
"OS": "",
"__class__": "Process",
"allowsClientSideScripting": false,
"authenticatesDestination": false,
"authenticatesSource": false,
"authenticationScheme": "",
"authorizesSource": false,
"checksDestinationRevocation": false,
"checksInputBounds": false,
"codeType": "Unmanaged",
"data": [],
"definesConnectionTimeout": false,
"description": "",
"disablesiFrames": false,
"encodesOutput": false,
"encryptsCookies": false,
"encryptsSessionData": false,
"environment": "",
"findings": [],
"handlesCrashes": false,
"handlesInterruptions": false,
"handlesResourceConsumption": false,
"handlesResources": false,
"hasAccessControl": false,
"implementsAPI": false,
"implementsAuthenticationScheme": false,
"implementsCSRFToken": false,
"implementsCommunicationProtocol": false,
"implementsNonce": false,
"implementsPOLP": false,
"inBoundary": null,
"inScope": true,
"inputs": [],
"isEncrypted": false,
"isHardened": false,
"isResilient": false,
"levels": [
0
],
"maxClassification": "Classification.UNKNOWN",
"name": "Task queue worker",
"onAWS": false,
"outputs": [
"Query for tasks"
],
"overrides": [],
"port": -1,
"protocol": "",
"providesConfidentiality": false,
"providesIntegrity": false,
"sanitizesInput": false,
"tracksExecutionFlow": false,
"usesEnvironmentVariables": false,
"usesMFA": false,
"usesParameterizedInput": false,
"usesSecureFunctions": false,
"usesStrongSessionIdentifiers": false,
"validatesInput": false,
"verifySessionIdentifiers": false
},
{
"OS": "",
"__class__": "Datastore",
"authenticatesDestination": false,
"authenticatesSource": false,
"authenticationScheme": "",
"authorizesSource": false,
"checksDestinationRevocation": false,
"checksInputBounds": false,
"data": [],
"definesConnectionTimeout": false,
"description": "",
"encodesOutput": false,
"findings": [],
"handlesInterruptions": false,
"handlesResourceConsumption": false,
"handlesResources": false,
"hasAccessControl": false,
"hasWriteAccess": false,
"implementsAuthenticationScheme": false,
"implementsNonce": false,
"implementsPOLP": false,
"inBoundary": "Server/DB",
"inScope": true,
"inputs": [
"Insert query with comments",
"Query for tasks"
],
"isEncrypted": false,
"isEncryptedAtRest": false,
"isHardened": false,
"isResilient": false,
"isSQL": true,
"isShared": false,
"levels": [
0
],
"maxClassification": "Classification.UNKNOWN",
"name": "SQL Database",
"onAWS": false,
"onRDS": false,
"outputs": [
"Retrieve comments"
],
"overrides": [],
"port": -1,
"protocol": "",
"providesConfidentiality": false,
"providesIntegrity": false,
"sanitizesInput": false,
"storesLogData": false,
"storesPII": false,
"storesSensitiveData": false,
"usesEncryptionAlgorithm": "",
"usesEnvironmentVariables": false,
"validatesInput": false
}
],
"boundaries": [
{
"description": "",
Expand Down