From dafc08feeb0239bd45b6abebfa4511fa1d288830 Mon Sep 17 00:00:00 2001 From: Izar Tarandach Date: Thu, 21 Mar 2024 08:04:55 -0400 Subject: [PATCH 1/3] updating versions --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 53ebb87..8511dd9 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -37,7 +37,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6 + uses: ossf/scorecard-action@v2.3.1 with: results_file: results.sarif results_format: sarif From f868ffd3f5be3c224e7a16e0b4e6885d00b98456 Mon Sep 17 00:00:00 2001 From: Izar Tarandach Date: Thu, 11 Apr 2024 12:07:42 -0400 Subject: [PATCH 2/3] first draft --- docs/reveal.md | 185 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 185 insertions(+) create mode 100644 docs/reveal.md diff --git a/docs/reveal.md b/docs/reveal.md new file mode 100644 index 0000000..4fb4c16 --- /dev/null +++ b/docs/reveal.md @@ -0,0 +1,185 @@ +# {tm.name} + +--- + +## System Description + +{tm.description} + +--- + +## Dataflow Diagram + +![](sample.png) + +--- + +## Dataflows + +---- + +{dataflows:repeat: + +- **name** : {{item.display_name:call:}} +- **from** : {{item.source.name}} +- **to** : {{item.sink.name}}:{{item.dstPort}} +- **data** : {{item.data}} +- **protocol** : {{item.protocol}} + +---- +} + +--- + +## Data Dictionary + +---- + +{data:repeat: + +- **name** : {{item.name}} +- **description** : {{item.description}} +- **classification** : {{item.classification.name}} +- **carried by** : {{item.carriedBy:repeat:{{{{item.name}}}}
}} +- **processed by** : {{item.processedBy:repeat:{{{{item.name}}}}
}} + +---- +} + + +--- + +## Actors + +---- + +{actors:repeat: +- **name** : {{item.name}} +- **description** : {{item.description}} +- **is Admin** : {{item.isAdmin}} +- **# of findings** : {{item:call:getFindingCount}} + +{{item.findings:not: +--- +}} + +{{item.findings:if: +---- +**Findings** + +---- + +{{item.findings:repeat: + {{{{item.id}}}} -- {{{{item.description}}}} + + - **Targeted Element** : {{{{item.target}}}} + - **Severity** : {{{{item.severity}}}} + - **References** : {{{{item.references}}}} + +---- + +}} +}} +} + +## Trust Boundaries + +---- + +{boundaries:repeat: +- **name** : {{item.name}} +- **description** : {{item.description}} +- **in scope** : {{item.inScope}} +- **immediate parent** : {{item.parents:if:{{item:call:getParentName}}}}{{item.parents:not:N/A, primary boundary}} +- **all parents** : {{item.parents:call:{{{{item.display_name:call:}}}}, }} +- **classification** : {{item.maxClassification}} +- **finding count** : {{item:call:getFindingCount}} + +{{item.findings:not: +--- +}} + +{{item.findings:if: +---- +**Findings** + +---- + +{{item.findings:repeat: + {{{{item.id}}}} - {{{{item.description}}}} + + - **Targeted Element** : {{{{item.target}}}} + - **Severity** : {{{{item.severity}}}} + - **References** : {{{{item.references}}}} +---- + +}} +}} +} + +## Assets + +{assets:repeat: + +- **name** : {{item.name}} +- **description** : {{item.description}} +- **in scope** : {{item.inScope}} +- **type** : {{item:call:getElementType}} +- **# of findings** : {{item:call:getFindingCount}} + +{{item.findings:not: +--- +}} + +{{item.findings:if: +---- +**Findings** + +---- + +{{item.findings:repeat: + {{{{item.id}}}} - {{{{item.description}}}} + + - **Targeted Element** : {{{{item.target}}}} + - **Severity** : {{{{item.severity}}}} + - **References** : {{{{item.references}}}} +---- + +}} +}} +} + +## Data Flows + +{dataflows:repeat: +Name|{{item.name}} +|:----|:----| +Description|{{item.description}}| +Sink|{{item.sink}}| +Source|{{item.source}}| +Is Response|{{item.isResponse}}| +In Scope|{{item.inScope}}| +Finding Count|{{item:call:getFindingCount}}| + +{{item.findings:not: +--- +}} + +{{item.findings:if: +---- +**Findings** + +---- + +{{item.findings:repeat: + {{{{item.id}}}} - {{{{item.description}}}} + + - **Targeted Element** : {{{{item.target}}}} + - **Severity** : {{{{item.severity}}}} + - **References** : {{{{item.references}}}} +---- + +}} +}} +} + From 129591510c2a3a879324f0f97d5e6dc23e7762ea Mon Sep 17 00:00:00 2001 From: Izar Tarandach Date: Fri, 12 Apr 2024 09:19:10 -0400 Subject: [PATCH 3/3] Update README.md with movie Demo-ing the reveal template. --- README.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/README.md b/README.md index a810f0c..0b7251a 100644 --- a/README.md +++ b/README.md @@ -365,6 +365,16 @@ the `target.input` and `target.output` attributes. For example, to match a threa servers with incoming traffic, use `any(target.inputs)`. A more advanced example, matching elements connecting to SQL datastores, would be `any(f.sink.oneOf(Datastore) and f.sink.isSQL for f in target.outputs)`. +## Making slides! + +Once a threat model is done and ready, the dreaded presentation stage comes in - and now pytm can help you there as well, with a template that expresses your threat model in slides, using the power of (RevealMD)[https://github.com/webpro/reveal-md]! Just use the template docs/revealjs.md and you will get some pretty slides, fully configurable, that you can present and share from your browser. + + + +https://github.com/izar/pytm/assets/368769/30218241-c7cc-4085-91e9-bbec2843f838 + + + ## Currently supported threats ```text