├── .java-version ├── src ├── main │ ├── resources │ │ ├── version │ │ ├── report-templates │ │ │ ├── html │ │ │ │ ├── threat-model-report-entry-separator │ │ │ │ ├── threat-model-report-footer │ │ │ │ └── threat-model-report-entry │ │ │ └── json │ │ │ │ ├── threat-model-report-entry-separator │ │ │ │ ├── threat-model-report-footer │ │ │ │ ├── threat-model-report-header │ │ │ │ └── threat-model-report-entry │ │ └── help-info │ └── java │ │ └── com │ │ └── github │ │ └── rusakovichma │ │ └── tictaac │ │ ├── provider │ │ ├── reader │ │ │ ├── MitigationsFilter.java │ │ │ ├── ThreatModelFilter.java │ │ │ ├── Reader.java │ │ │ ├── ExternalReader.java │ │ │ ├── ClassPathReader.java │ │ │ └── UnifiedReader.java │ │ ├── model │ │ │ ├── ThreatModelProvider.java │ │ │ └── StandardThreatModelProvider.java │ │ ├── rules │ │ │ ├── ThreatRulesProvider.java │ │ │ └── StandardThreatRulesProvider.java │ │ └── mitigation │ │ │ ├── MitigationLibraryProvider.java │ │ │ ├── Mitigator.java │ │ │ ├── DullMitigator.java │ │ │ └── StandardMitigationProvider.java │ │ ├── correction │ │ ├── Guesser.java │ │ ├── Corrector.java │ │ ├── ElementNameCorrector.java │ │ ├── ProcessGuesser.java │ │ ├── DatabaseGuesser.java │ │ ├── ProxyServerGuesser.java │ │ ├── ExternalServiceGuesser.java │ │ ├── WebserverGuesser.java │ │ ├── InternalServiceGuesser.java │ │ ├── InteractorGuesser.java │ │ ├── DataFlowTitleCorrector.java │ │ ├── ElementGuesser.java │ │ └── UniversalElementGuesser.java │ │ ├── engine │ │ ├── el │ │ │ ├── parser │ │ │ │ ├── ParseException.java │ │ │ │ ├── ExternalContext.java │ │ │ │ ├── ExpressionPreProcessor.java │ │ │ │ ├── ExpressionParser.java │ │ │ │ ├── EvaluationTemplate.java │ │ │ │ ├── DefaultEvaluationTemplate.java │ │ │ │ ├── SimpleExternalContext.java │ │ │ │ ├── ExpressionSegregator.java │ │ │ │ ├── ExpressionEntitySeparator.java │ │ │ │ └── StringHashReplacer.java │ │ │ ├── expression │ │ │ │ ├── Expression.java │ │ │ │ ├── ValueComparable.java │ │ │ │ ├── 
ParametrableExpression.java │ │ │ │ ├── ContextAware.java │ │ │ │ ├── ExpressionAware.java │ │ │ │ ├── AbstractExpression.java │ │ │ │ ├── EqualsExpression.java │ │ │ │ ├── OrExpression.java │ │ │ │ ├── AndExpression.java │ │ │ │ ├── ParamComparableExpression.java │ │ │ │ ├── CompoundExpression.java │ │ │ │ ├── ParamEqualsExpression.java │ │ │ │ ├── ParamContainExpression.java │ │ │ │ └── ParamWithinExpression.java │ │ │ ├── EvaluationContext.java │ │ │ └── DefaultEvaluationContext.java │ │ ├── ThreatEngine.java │ │ └── EngineContext.java │ │ ├── mapper │ │ ├── ModelMapper.java │ │ ├── ThreatModelMapper.java │ │ ├── ThreatsLibraryMapper.java │ │ ├── MitigationsLibraryMapper.java │ │ └── ThreatRuleMapper.java │ │ ├── validation │ │ ├── Validator.java │ │ ├── Required.java │ │ ├── RequiresAtLeast.java │ │ ├── ValidationErrors.java │ │ └── ValidationException.java │ │ ├── reporter │ │ ├── chart │ │ │ ├── ChartPlotter.java │ │ │ └── XChartPlotter.java │ │ ├── dfd │ │ │ └── DataFlowRender.java │ │ ├── ReportFormat.java │ │ ├── ThreatsReporter.java │ │ ├── ReportHeader.java │ │ ├── FileStreamThreatsReporter.java │ │ └── analytics │ │ │ └── ThreatAnalytics.java │ │ ├── model │ │ ├── threatmodel │ │ │ ├── dataflow │ │ │ │ ├── Encryption.java │ │ │ │ ├── Authorization.java │ │ │ │ ├── AccountManagement.java │ │ │ │ └── AuthenticationMethod.java │ │ │ ├── asset │ │ │ │ └── AssetSensitivity.java │ │ │ ├── annotation │ │ │ │ ├── Id.java │ │ │ │ ├── Exclude.java │ │ │ │ ├── FlowSource.java │ │ │ │ ├── FlowTarget.java │ │ │ │ ├── RootCollection.java │ │ │ │ ├── Ref.java │ │ │ │ └── DefaultValue.java │ │ │ ├── element │ │ │ │ └── ElementType.java │ │ │ ├── boundary │ │ │ │ └── BoundaryCategory.java │ │ │ ├── Asset.java │ │ │ └── Boundary.java │ │ ├── ThreatSeverity.java │ │ ├── mitigation │ │ │ ├── MitigationStatus.java │ │ │ ├── ThreatRef.java │ │ │ └── MitigationsLibrary.java │ │ ├── exception │ │ │ └── QualityGateFailed.java │ │ ├── ThreatCategory.java │ │ ├── ThreatRisk.java 
│ │ ├── ThreatsCollection.java │ │ ├── ThreatsLibrary.java │ │ ├── risk │ │ │ └── RiskFactor.java │ │ └── OwaspCategory.java │ │ ├── parser │ │ ├── NodeParser.java │ │ └── model │ │ │ ├── NodeTree.java │ │ │ └── NodeHelper.java │ │ ├── risk │ │ └── RiskCalculationStrategy.java │ │ └── util │ │ ├── InputStreamUtil.java │ │ ├── ResourceUtil.java │ │ ├── ImageUtils.java │ │ └── ClassUtil.java └── test │ ├── resources │ ├── threat-model-minimized-validation-test.yml │ ├── mitigations-for-tests.yml │ ├── threat-model-validation-test.yml │ ├── threats-provider-test.yml │ ├── threats-provider-engine-context-test.yml │ ├── threat-model-test.yml │ ├── threat-model-engine-context-test.yml │ ├── data-flow-render-test.yml │ └── threat-model-test-with-comments.yml │ └── java │ └── com │ └── github │ └── rusakovichma │ └── tictaac │ ├── provider │ ├── reader │ │ └── ThreatModelFilterTest.java │ └── mitigation │ │ └── StandardMitigationProviderTest.java │ ├── parser │ ├── model │ │ ├── NodeHelperTest.java │ │ └── NodeTypeTest.java │ └── impl │ │ └── NodeTreeParserTest.java │ ├── util │ ├── ReflectionUtilTest.java │ ├── StringUtilsTest.java │ └── FileUtilTest.java │ ├── risk │ └── PlainMatrixRiskStrategyTest.java │ ├── correction │ └── UniversalElementGuesserTest.java │ ├── reporter │ ├── dfd │ │ └── GraphvizDataFlowRenderTest.java │ └── StreamThreatsReporterTest.java │ ├── mapper │ ├── ThreatsLibraryMapperTest.java │ └── ThreatModelMapperTest.java │ ├── validation │ └── ValidatorImplTest.java │ └── engine │ └── StandardEngineContextTest.java ├── etc ├── tic-taac-logo.png ├── tic-taac-logo-40per.png └── threat-modeling-report-example.png ├── .gitignore ├── RELEASE_NOTES.md ├── NOTICE.txt ├── SECURITY.md ├── CONTRIBUTORS ├── .github └── workflows │ ├── ci.yml │ └── tests.yml ├── expl ├── mitigations.yml ├── simpest-threat-model.yml └── intermediate-threat-model.yml ├── push-docker.sh ├── cicd └── Jenkinsfile └── Dockerfile /.java-version: 
-------------------------------------------------------------------------------- 1 | 11 -------------------------------------------------------------------------------- /src/main/resources/version: -------------------------------------------------------------------------------- 1 | Version: 1.3.0 -------------------------------------------------------------------------------- /src/main/resources/report-templates/html/threat-model-report-entry-separator: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /src/main/resources/report-templates/json/threat-model-report-entry-separator: -------------------------------------------------------------------------------- 1 | , -------------------------------------------------------------------------------- /src/main/resources/report-templates/json/threat-model-report-footer: -------------------------------------------------------------------------------- 1 | ] 2 | } -------------------------------------------------------------------------------- /src/main/resources/report-templates/html/threat-model-report-footer: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /etc/tic-taac-logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rusakovichma/TicTaaC/HEAD/etc/tic-taac-logo.png -------------------------------------------------------------------------------- /etc/tic-taac-logo-40per.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rusakovichma/TicTaaC/HEAD/etc/tic-taac-logo-40per.png -------------------------------------------------------------------------------- /etc/threat-modeling-report-example.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/rusakovichma/TicTaaC/HEAD/etc/threat-modeling-report-example.png -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Maven 2 | target/ 3 | 4 | # Eclipse 5 | .classpath 6 | .project 7 | .settings 8 | 9 | .idea 10 | *.iml 11 | 12 | # Sonar 13 | .sonar -------------------------------------------------------------------------------- /src/main/resources/report-templates/json/threat-model-report-header: -------------------------------------------------------------------------------- 1 | { 2 | "threat-model-name": "%s", 3 | "version": "%s", 4 | "date": "%s", 5 | "threats":[ -------------------------------------------------------------------------------- /RELEASE_NOTES.md: -------------------------------------------------------------------------------- 1 | # Release Notes 2 | 3 | ## [Version 1.2.3](https://github.com/rusakovichma/TicTaaC/releases/tag/1.2.3) (2022-07-03) 4 | 5 | **Changes** 6 | 7 | - Bug fixes. 8 | - Multiple Threat Modeling files support and files scan ([see #1](https://github.com/rusakovichma/TicTaaC/issues/1)). 
-------------------------------------------------------------------------------- /src/test/resources/threat-model-minimized-validation-test.yml: -------------------------------------------------------------------------------- 1 | name: Threat Model Name 2 | version: 0.0.1 3 | assets: 4 | elements: 5 | - legitimate-user 6 | type: interactor 7 | - web-server 8 | type: web-server 9 | boundaries: 10 | data-flows: 11 | - legitimate-user -> web-server -------------------------------------------------------------------------------- /src/main/resources/report-templates/html/threat-model-report-entry: -------------------------------------------------------------------------------- 1 | 2 |  %s  3 | %s 4 | Risk: %s      

Attack Vector: %s 5 | STRIDE: %s

OWASP: %s 6 | %s 7 | %s 8 |  %s  9 | -------------------------------------------------------------------------------- /src/main/resources/report-templates/json/threat-model-report-entry: -------------------------------------------------------------------------------- 1 | { 2 | "id": "%s", 3 | "title": "%s", 4 | "risk": "%s", 5 | "attack-vector": "%s", 6 | "categories": "%s", 7 | "owasp-categories": "%s", 8 | "description": "%s", 9 | "remediation": "%s", 10 | "status": "%s" 11 | } -------------------------------------------------------------------------------- /NOTICE.txt: -------------------------------------------------------------------------------- 1 | tic-taac 2 | 3 | Copyright (c) 2021-2022 Mikhail Rusakovich. All Rights Reserved. 4 | 5 | The licenses for the software listed below can be found in the META-INF/licenses/[dependency name]. 6 | 7 | This product includes software developed by knowm.org (https://knowm.org/open-source/xchart/). 8 | 9 | This product uses Microsoft STRIDE methodology and OWASP Top 10 for threats classification: see https://en.wikipedia.org/wiki/STRIDE_(security) and https://owasp.org/Top10/ -------------------------------------------------------------------------------- /src/test/java/com/github/rusakovichma/tictaac/provider/reader/ThreatModelFilterTest.java: -------------------------------------------------------------------------------- 1 | package com.github.rusakovichma.tictaac.provider.reader; 2 | 3 | import org.junit.jupiter.api.Test; 4 | 5 | import java.io.File; 6 | 7 | import static org.junit.jupiter.api.Assertions.*; 8 | 9 | class ThreatModelFilterTest { 10 | 11 | @Test 12 | void accept() { 13 | File dir = new File("src/test/resources"); 14 | File[] modelFiles = dir.listFiles(new ThreatModelFilter()); 15 | 16 | assertTrue(modelFiles.length == 6); 17 | } 18 | } -------------------------------------------------------------------------------- /src/test/resources/mitigations-for-tests.yml: 
-------------------------------------------------------------------------------- 1 | name: Threats mitigations for the application 2 | version: 0.1.1 3 | 4 | mitigated: # some comment 2 5 | - 7eefda5b73808a488729397937fbaf552f380887 6 | comment: already mitigated 7 | - 98sdfasgd097dfgsdfg9987s00876dfa98df6998 8 | - 64778600asdda09sdfa6s8d8a0s0d9f9as7df7f9 9 | 10 | accepted: 11 | 12 | avoided: 13 | - 15789asd0a7s7d8fa7sd5fa0sd0f6asd9f6asd9f 14 | - 6d6d6ss9ss0d8f6f5gg44h4h3j3hg66ff7fff88f 15 | 16 | transferred: 17 | 18 | notApplicable: 19 | - 34dfsdf788as6da98sd689ad76a98s76da98s6d8 20 | 21 | -------------------------------------------------------------------------------- /src/test/resources/threat-model-validation-test.yml: -------------------------------------------------------------------------------- 1 | name: Threat Model Name 2 | version: 1.0.1 3 | assets: 4 | - personal-data 5 | elements: 6 | - legitimate-user 7 | produced-assets: 8 | - personal-data 9 | - proxy-server 10 | - web-server 11 | - database 12 | stored-assets: 13 | - personal-data 14 | boundaries: 15 | - internet 16 | elements: 17 | - legitimate-user 18 | data-flows: 19 | - legitimate-user -> proxy-server 20 | title: Users Request 21 | - proxy-server -> web-server 22 | - web-server -> database 23 | title: Database query -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | # Security Policy 2 | 3 | ## Reporting a Vulnerability 4 | 5 | If a security vulnerability is identified in TicTaaC please 6 | open an [issue](https://github.com/rusakovichma/TicTaaC/issues/new/choose) 7 | and/or submit a PR to resolve the identified vulnerability. 8 | 9 | The team is very responsive to reported vulnerabilities - reported issues must be resolved in 30 days or less. 10 | 11 | Note - there are several vulnerable test dependencies and test resources. 
These are never executed or included in a release; these vulnerable resources are present so that the functionality of TicTaaC can be tested. -------------------------------------------------------------------------------- /src/main/java/com/github/rusakovichma/tictaac/provider/reader/MitigationsFilter.java: -------------------------------------------------------------------------------- 1 | package com.github.rusakovichma.tictaac.provider.reader; 2 | 3 | import com.github.rusakovichma.tictaac.util.FileUtil; 4 | 5 | import java.io.File; 6 | import java.io.FileFilter; 7 | 8 | public class MitigationsFilter implements FileFilter { 9 | 10 | @Override 11 | public boolean accept(File mitigationsFile) { 12 | if (!mitigationsFile.getName().toLowerCase().endsWith(".yml")) { 13 | return false; 14 | } 15 | return FileUtil.findString(mitigationsFile, "mitigated:"); 16 | } 17 | 18 | } 19 | -------------------------------------------------------------------------------- /CONTRIBUTORS: -------------------------------------------------------------------------------- 1 | TicTaaC is developed by Rusakovich M. and the open-source community. 2 | 3 | We thank all of our contributors 4 | 5 | For the detailed history of contributions of a given file, try 6 | 7 | git blame file 8 | 9 | To see line-by-line credits and to see the change log even across renames and rewrites, try 10 | 11 | git log --follow file 12 | 13 | Copyright is held by the original contributor according to the versioning history; see NOTICE. 
14 | 15 | The following list of authors was automatically generated from the project's git repo with the command: 16 | 17 | git log --format='%aN' | sort -u 18 | 19 | Mikhail Rusakovich -------------------------------------------------------------------------------- /src/main/java/com/github/rusakovichma/tictaac/provider/reader/ThreatModelFilter.java: -------------------------------------------------------------------------------- 1 | package com.github.rusakovichma.tictaac.provider.reader; 2 | 3 | import com.github.rusakovichma.tictaac.util.FileUtil; 4 | 5 | import java.io.File; 6 | import java.io.FileFilter; 7 | 8 | public class ThreatModelFilter implements FileFilter { 9 | 10 | @Override 11 | public boolean accept(File modelFile) { 12 | if (!modelFile.getName().toLowerCase().endsWith(".yml")) { 13 | return false; 14 | } 15 | return FileUtil.findString(modelFile, "elements:") 16 | && FileUtil.findString(modelFile, "data-flows:"); 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /src/test/java/com/github/rusakovichma/tictaac/parser/model/NodeHelperTest.java: -------------------------------------------------------------------------------- 1 | package com.github.rusakovichma.tictaac.parser.model; 2 | 3 | import org.junit.jupiter.api.Test; 4 | 5 | import static org.junit.jupiter.api.Assertions.*; 6 | 7 | class NodeHelperTest { 8 | 9 | @Test 10 | void getFlowSource() { 11 | String source = NodeHelper.getFlowEntity("- interactor -> proxy-server", true); 12 | assertTrue(source.equals("interactor")); 13 | } 14 | 15 | @Test 16 | void getFlowTarget() { 17 | String source = NodeHelper.getFlowEntity("- interactor -> proxy-server", false); 18 | assertTrue(source.equals("proxy-server")); 19 | } 20 | } -------------------------------------------------------------------------------- /src/test/java/com/github/rusakovichma/tictaac/util/ReflectionUtilTest.java: 
-------------------------------------------------------------------------------- 1 | package com.github.rusakovichma.tictaac.util; 2 | 3 | import com.github.rusakovichma.tictaac.model.threatmodel.Asset; 4 | import com.github.rusakovichma.tictaac.model.threatmodel.asset.AssetSensitivity; 5 | import org.junit.jupiter.api.Test; 6 | 7 | import java.util.Map; 8 | 9 | import static org.junit.jupiter.api.Assertions.*; 10 | 11 | class ReflectionUtilTest { 12 | 13 | @Test 14 | void getFields() { 15 | Asset asset1 = new Asset(); 16 | asset1.setId("asset 1"); 17 | asset1.setSensitivity(AssetSensitivity.sensitive); 18 | 19 | Map fields = ReflectionUtil.getFields(asset1, "asset"); 20 | assertTrue(fields.size() == 3); 21 | } 22 | } -------------------------------------------------------------------------------- /src/test/resources/threats-provider-test.yml: -------------------------------------------------------------------------------- 1 | name: Threats rules set for test 2 | version: 0.1.1 3 | 4 | rules: # some comment 2 5 | - threat-number-one 6 | title: Threat title 1 # some comment 1 7 | severity: High 8 | categories: spoofing, tampering 9 | expression: source.type == database or target.type == database 10 | description: threat description 1 11 | remediation: threat 1 remediation practices 12 | # just a comment 13 | - threat-number-two 14 | title: Threat title 2 15 | severity: Medium 16 | categories: information-disclosure 17 | expression: flow crosses demilitarized-zone 18 | exclude: flow.inScope == false 19 | description: threat description 2 20 | remediation: threat 2 remediation practices 21 | # just a comment 2 -------------------------------------------------------------------------------- /.github/workflows/ci.yml: -------------------------------------------------------------------------------- 1 | # This workflow will build a Java project with Maven, and cache/restore any dependencies to improve the workflow execution time 2 | # For more information see: 
https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-maven 3 | 4 | name: CI 5 | 6 | on: 7 | push: 8 | branches: [ "master" ] 9 | pull_request: 10 | branches: [ "master" ] 11 | 12 | jobs: 13 | build: 14 | 15 | runs-on: ubuntu-latest 16 | 17 | steps: 18 | - uses: actions/checkout@v3 19 | - name: Set up JDK 11 20 | uses: actions/setup-java@v3 21 | with: 22 | java-version: '11' 23 | distribution: 'temurin' 24 | cache: maven 25 | - name: Build with Maven 26 | run: mvn -B package --file pom.xml 27 | -------------------------------------------------------------------------------- /src/test/java/com/github/rusakovichma/tictaac/util/StringUtilsTest.java: -------------------------------------------------------------------------------- 1 | package com.github.rusakovichma.tictaac.util; 2 | 3 | import org.junit.jupiter.api.Test; 4 | 5 | import static org.junit.jupiter.api.Assertions.assertTrue; 6 | 7 | 8 | class StringUtilsTest { 9 | 10 | @Test 11 | void getStartingIndentLengthTest() throws Exception { 12 | int startingIndent = StringUtils.getStartingIndentLength("\t\tsensitivity: non-sensitive"); 13 | assertTrue(startingIndent == 8); 14 | 15 | startingIndent = StringUtils.getStartingIndentLength(" \tsensitivity: non-sensitive"); 16 | assertTrue(startingIndent == 5); 17 | 18 | startingIndent = StringUtils.getStartingIndentLength("elements:"); 19 | assertTrue(startingIndent == 0); 20 | } 21 | } -------------------------------------------------------------------------------- /expl/mitigations.yml: -------------------------------------------------------------------------------- 1 | name: Threats mitigations for the application 2 | version: 0.1.1 3 | 4 | mitigated: # Threats ID with Mitigated status 5 | - 7eefda5b73808a488729397937fbaf552f380887 6 | comment: already mitigated #Some details of the mitigation 7 | - 98sdfasgd097dfgsdfg9987s00876dfa98df6998 8 | - 64778600asdda09sdfa6s8d8a0s0d9f9as7df7f9 9 | 10 | accepted: # Threats with accepted 
risk status 11 | 12 | avoided: 13 | - 15789asd0a7s7d8fa7sd5fa0sd0f6asd9f6asd9f 14 | - 6d6d6ss9ss0d8f6f5gg44h4h3j3hg66ff7fff88f 15 | 16 | transferred: # Threats with transferred responsibility to different teams, vendors or any other parties 17 | 18 | notApplicable: # False-Positive Threats or threats that is not applicable due to some architecture aspects or business requirements 19 | - 34dfsdf788as6da98sd689ad76a98s76da98s6d8 20 | 21 | -------------------------------------------------------------------------------- /.github/workflows/tests.yml: -------------------------------------------------------------------------------- 1 | name: Testing 2 | 3 | on: 4 | push: 5 | workflow_dispatch: 6 | 7 | jobs: 8 | build: 9 | 10 | runs-on: ubuntu-latest 11 | 12 | steps: 13 | - name: Checkout 14 | uses: actions/checkout@v1 15 | 16 | - name: Set up JDK 1.11 17 | uses: actions/setup-java@v2 18 | with: 19 | java-version: '11' 20 | distribution: 'adopt' 21 | 22 | - name: Build 23 | run: mvn --batch-mode -DskipTests package 24 | 25 | - name: Test 26 | run: mvn --batch-mode -Dmaven.test.failure.ignore=true test 27 | 28 | - name: Report 29 | uses: dorny/test-reporter@v1 30 | if: always() 31 | with: 32 | name: Maven Tests 33 | path: target/surefire-reports/*.xml 34 | reporter: java-junit 35 | fail-on-error: true 36 | -------------------------------------------------------------------------------- /src/test/resources/threats-provider-engine-context-test.yml: -------------------------------------------------------------------------------- 1 | name: Threats rules set for test 2 | version: 0.1.1 3 | 4 | rules: # some comment 2 5 | - threat-number-one 6 | title: Threat title 1 # some comment 1 7 | severity: High 8 | categories: spoofing, tampering 9 | expression: target.type == database 10 | description: threat description 1 for {target.name} 11 | remediation: threat 1 remediation practices 12 | # just a comment 13 | - threat-number-two 14 | title: Threat title 2 15 | severity: Medium 16 | 
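categories: information-disclosure 17 | expression: (source within global-network) and (target within demilitarized-zone) 18 | exclude: flow.inScope == false 19 | description: threat description 2 for {flow.name} with source of {source.name} and target - {target.name} 20 | remediation: threat 2 remediation practices 21 | # just a comment 2 -------------------------------------------------------------------------------- /push-docker.sh: --------------------------------------------------------------------------------
#!/bin/bash -e

# Pushes the already-built rusakovichma/tic-taac images (versioned tag and
# "latest") to the registry. Refuses to publish SNAPSHOT builds and checks that
# both local images exist before pushing anything.

IMAGE="rusakovichma/tic-taac"

# Read the project version straight from pom.xml via the exec plugin.
VERSION=$(mvn -q \
    -Dexec.executable="echo" \
    -Dexec.args='${project.version}' \
    --non-recursive \
    org.codehaus.mojo:exec-maven-plugin:1.3.1:exec)

if [[ -z "$VERSION" ]]; then
    echo "Could not determine the project version from pom.xml"
    exit 1
fi

if [[ "$VERSION" = *"SNAPSHOT"* ]]; then
    echo "Do not publish a snapshot version of tic-taac"
    exit 1
fi

# The existence check must be the condition of the `if` itself: under `bash -e`
# a failing `docker inspect` on its own line aborts the script before a later
# `$?` test can run, so the "does not exist" message would never be printed.
for tag in "$VERSION" latest; do
    if ! docker inspect --type=image "$IMAGE:$tag" > /dev/null 2>&1; then
        echo "docker image $IMAGE:$tag does not exist - run build_docker.sh first"
        exit 1
    fi
done

docker push "$IMAGE:$VERSION"
docker push "$IMAGE:latest"
-------------------------------------------------------------------------------- /src/main/java/com/github/rusakovichma/tictaac/correction/Guesser.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of TicTaaC. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 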
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved. 17 | */ 18 | package com.github.rusakovichma.tictaac.correction; 19 | 20 | public interface Guesser extends Corrector { 21 | 22 | } 23 | -------------------------------------------------------------------------------- /src/main/java/com/github/rusakovichma/tictaac/engine/el/parser/ParseException.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of TicTaaC. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved. 
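17 | */ 18 | package com.github.rusakovichma.tictaac.engine.el.parser; 19 | 20 |
/**
 * Unchecked exception raised by the expression-language parser when input cannot be parsed.
 *
 * <p>The message and cause constructors let the thrower say which expression or token
 * failed, instead of surfacing a bare exception with no context; the no-arg constructor is
 * kept so existing {@code new ParseException()} call sites keep compiling.
 */
public class ParseException extends RuntimeException {

    /** Creates an exception without a detail message. */
    public ParseException() {
        super();
    }

    /**
     * Creates an exception with a detail message.
     *
     * @param message description of the parse failure (should name the offending input)
     */
    public ParseException(String message) {
        super(message);
    }

    /**
     * Creates an exception with a detail message and the underlying cause.
     *
     * @param message description of the parse failure
     * @param cause   the lower-level exception that triggered the failure; retained so the
     *                original stack trace is not lost
     */
    public ParseException(String message, Throwable cause) {
        super(message, cause);
    }
}
-------------------------------------------------------------------------------- /src/main/java/com/github/rusakovichma/tictaac/mapper/ModelMapper.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of TicTaaC. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved. 17 | */ 18 | package com.github.rusakovichma.tictaac.mapper; 19 | 20 |
/**
 * Produces a model object of type {@code M}.
 *
 * <p>The type parameter declaration was lost in this rendering ({@code M} is used but never
 * declared); it is restored here so the interface compiles.
 *
 * @param <M> the type of model built by this mapper
 */
public interface ModelMapper<M> {

    /**
     * Builds and returns the model.
     *
     * @return the mapped model; whether {@code null} may be returned is implementation-specific
     */
    M getModel();
}
-------------------------------------------------------------------------------- /src/main/java/com/github/rusakovichma/tictaac/correction/Corrector.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of TicTaaC. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 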
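6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved. 17 | */ 18 | package com.github.rusakovichma.tictaac.correction; 19 | 20 |
/**
 * Attempts to correct an object of type {@code T}.
 *
 * <p>The type parameter declaration was lost in this rendering ({@code T} is used but never
 * declared); it is restored here so the interface compiles.
 *
 * @param <T> the type of object this corrector can handle
 */
public interface Corrector<T> {

    /**
     * Tries to correct the given object.
     *
     * @param t the object to correct; whether it is mutated in place is up to the implementation
     * @return {@code true}/{@code false} as defined by the implementation (presumably whether a
     *         correction was applied - confirm against the implementing classes)
     */
    boolean tryToCorrect(T t);
}
-------------------------------------------------------------------------------- /src/main/java/com/github/rusakovichma/tictaac/validation/Validator.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of TicTaaC. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved. 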
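17 | */ 18 | package com.github.rusakovichma.tictaac.validation; 19 | 20 |
/**
 * Validates a model object.
 *
 * <p>The method returns nothing, so implementations are expected to report problems by
 * throwing rather than by a return value; the exception type is implementation-defined.
 */
public interface Validator {

    /**
     * Validates the given model.
     *
     * @param model the object to validate
     */
    void validate(Object model);
}
-------------------------------------------------------------------------------- /src/main/java/com/github/rusakovichma/tictaac/engine/el/expression/Expression.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of TicTaaC. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved. 17 | */ 18 | package com.github.rusakovichma.tictaac.engine.el.expression; 19 | 20 |
/**
 * An expression that evaluates to a value of type {@code V}.
 *
 * <p>The type parameter declaration was lost in this rendering ({@code V} is used but never
 * declared); it is restored here so the interface compiles.
 *
 * @param <V> the type of the evaluation result
 */
public interface Expression<V> {

    /**
     * Returns the result of evaluating this expression.
     *
     * @return the evaluation result
     */
    V getEvaluationResult();
}
-------------------------------------------------------------------------------- /src/main/java/com/github/rusakovichma/tictaac/engine/el/parser/ExternalContext.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of TicTaaC. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 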
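6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved. 17 | */ 18 | package com.github.rusakovichma.tictaac.engine.el.parser; 19 | 20 |
/**
 * Supplies named parameter values to the expression parser from outside the expression.
 *
 * <p>The {@code <P>} type parameter was swallowed by the rendering (it was read as an HTML
 * paragraph tag, which is why the declaration was split across lines); it is restored here
 * so the interface compiles.
 *
 * @param <P> the type of parameter values handed back
 */
public interface ExternalContext<P> {

    /**
     * Looks up a parameter by name.
     *
     * @param parameterName the name as used in the expression
     * @return the parameter value; behaviour for an unknown name is implementation-defined
     */
    P getParameter(String parameterName);
}
-------------------------------------------------------------------------------- /src/main/java/com/github/rusakovichma/tictaac/engine/el/expression/ValueComparable.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of TicTaaC. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved. 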
 */
package com.github.rusakovichma.tictaac.engine.el.expression;

/**
 * An expression that can be handed the operand its evaluation result is compared against.
 * NOTE(review): the type parameter behind {@code V} appears to have been stripped by the
 * page extraction; the declaration is presumably generic in {@code V} — confirm in the repo.
 */
public interface ValueComparable {

    /**
     * Sets the value this expression compares against when it is evaluated.
     *
     * @param value the comparison operand
     */
    public void setValueToCompare(V value);

}
--------------------------------------------------------------------------------
/cicd/Jenkinsfile:
--------------------------------------------------------------------------------
// Runs the TicTaaC threat-model scan inside the project's Docker image and marks the
// build unstable when the tool exits non-zero.
pipeline {
    agent any

    stages {
        stage("threat modeling") {
            agent {
                docker {
                    // NOTE(review): a floating ":latest" tag makes the stage non-reproducible and
                    // pulls whatever the registry currently serves; pinning the image by digest
                    // is the usual supply-chain fix.
                    image "rusakovichma/tic-taac:latest"
                    // NOTE(review): --user 0 runs the scanner as root inside the container. The
                    // threat-model volume is read-only, but /report is writable; a non-root UID
                    // that can write /report would be the least-privilege choice. --entrypoint ""
                    // clears the image entrypoint so the script below is run via the sh step.
                    args '''\
                    --user 0 \
                    --volume ${WORKSPACE}/threat-model:/threat-model:ro \
                    --volume ${WORKSPACE}/report:/report:rw \
                    --entrypoint ""
                    '''
                    reuseNode true
                }
            }
            steps {
                script {
                    // returnStatus: true keeps a non-zero exit from failing the build outright;
                    // the status is inspected below instead.
                    // NOTE(review): "&>" is a bash-ism; if the sh step runs under /bin/sh (dash),
                    // "mkdir -p report &>/dev/null" parses as backgrounding mkdir plus an empty
                    // redirect rather than silencing it — ">/dev/null 2>&1" is the portable form.
                    // Also, "report" is created relative to the container's working directory while
                    // the output is written to the mounted /report; presumably the same directory —
                    // confirm.
                    def result = sh label: "tic-taac", returnStatus: true,
                            script: """\
                            mkdir -p report &>/dev/null
                            /usr/share/tic-taac/bin/tic-taac.sh \
                            --failOnThreatRisk High \
                            --threatModel /threat-model/threat-model.yml \
                            --mitigations /threat-model/whitelisting.yml \
                            --outFormat html \
                            --out /report
                            """
                    // NOTE(review): every non-zero status — including a tool crash or a missing
                    // input file — is reported as "Unmitigated Threats found". If the tool uses a
                    // distinct exit code for the quality-gate failure, checking for that code and
                    // failing the build on anything else would keep tool errors from being
                    // mistaken for findings.
                    if (result > 0) {
                        unstable(message: "Unmitigated Threats found")
                    }
                }
            }
        }
    }
}
--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/engine/el/expression/ParametrableExpression.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved. 17 | */ 18 | package com.github.rusakovichma.tictaac.engine.el.expression; 19 | 20 | public interface ParametrableExpression

{

    /**
     * Supplies the parameter value this expression is evaluated against.
     * NOTE(review): {@code P} reads as a type parameter whose declaration was lost in
     * extraction; presumably the interface is generic in {@code P} — confirm in the repo.
     *
     * @param value the parameter to bind
     */
    public void setParameter(P value);

}
--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/engine/el/parser/ExpressionPreProcessor.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved.
 */
package com.github.rusakovichma.tictaac.engine.el.parser;

/**
 * A textual rewrite step applied to a rule expression before it is parsed.
 * What the rewrite does (normalisation, placeholder substitution, ...) is defined by
 * the implementation, not here.
 */
public interface ExpressionPreProcessor {

    /**
     * Rewrites the raw expression text.
     *
     * @param expression the expression source as read from the rules file
     * @return the rewritten expression that is handed to the parser
     */
    public String preProcess(String expression);
}

--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/reporter/chart/ChartPlotter.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved. 17 | */ 18 | package com.github.rusakovichma.tictaac.reporter.chart; 19 | 20 | public interface ChartPlotter { 21 | 22 | public void addSeries(String name, int value); 23 | 24 | public byte[] getImageBytes(); 25 | 26 | } 27 | -------------------------------------------------------------------------------- /src/test/java/com/github/rusakovichma/tictaac/provider/mitigation/StandardMitigationProviderTest.java: -------------------------------------------------------------------------------- 1 | package com.github.rusakovichma.tictaac.provider.mitigation; 2 | 3 | import com.github.rusakovichma.tictaac.model.mitigation.MitigationsLibrary; 4 | import org.junit.jupiter.api.Test; 5 | 6 | import static org.junit.jupiter.api.Assertions.*; 7 | 8 | class StandardMitigationProviderTest { 9 | 10 | @Test 11 | void getMitigations() { 12 | String path = "src/test/resources/mitigations-for-tests.yml"; 13 | 14 | StandardMitigationProvider provider = new StandardMitigationProvider(path); 15 | MitigationsLibrary library = provider.getMitigations(); 16 | assertTrue(library != null); 17 | 18 | assertTrue(library.getMitigated().size() == 3); 19 | assertTrue(library.getAvoided().size() == 2); 20 | 21 | assertTrue(library.getMitigated().get(0).getComment().equals("already mitigated")); 22 | 23 | assertTrue(library.getNotApplicable().size() == 1); 24 | } 25 | } -------------------------------------------------------------------------------- /src/main/java/com/github/rusakovichma/tictaac/provider/reader/Reader.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of TicTaaC. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved. 17 | */ 18 | package com.github.rusakovichma.tictaac.provider.reader; 19 | 20 | import com.github.rusakovichma.tictaac.parser.model.NodeTree; 21 | 22 | public interface Reader { 23 | 24 | public NodeTree read(String path); 25 | 26 | } 27 | -------------------------------------------------------------------------------- /src/test/java/com/github/rusakovichma/tictaac/parser/model/NodeTypeTest.java: -------------------------------------------------------------------------------- 1 | package com.github.rusakovichma.tictaac.parser.model; 2 | 3 | import org.junit.jupiter.api.Test; 4 | 5 | import static org.junit.jupiter.api.Assertions.*; 6 | 7 | class NodeTypeTest { 8 | 9 | @Test 10 | void getTypeTest() { 11 | assertTrue(NodeType.getType("\t- personal-data") == NodeType.element); 12 | assertTrue(NodeType.getType("\t-personal-data") == NodeType.element); 13 | 14 | assertTrue(NodeType.getType("\t- proxy-server -> web-server") == NodeType.flow); 15 | assertTrue(NodeType.getType("\t-proxy-server->web-server") == NodeType.flow); 16 | 17 | assertTrue(NodeType.getType("\t\taccount-management: external-sso") == NodeType.property); 18 | assertTrue(NodeType.getType("\t\taccount-management:external-sso") == NodeType.property); 19 | 20 | assertTrue(NodeType.getType(" dfgsd s dfgs dfgs") == NodeType.unknown); 21 | assertTrue(NodeType.getType(null) == NodeType.unknown); 22 | } 23 | } -------------------------------------------------------------------------------- 
/src/main/java/com/github/rusakovichma/tictaac/engine/el/expression/ContextAware.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of TicTaaC. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved. 17 | */ 18 | package com.github.rusakovichma.tictaac.engine.el.expression; 19 | 20 | public interface ContextAware { 21 | 22 | public void setContextParam(Object contextObject); 23 | 24 | public String getContextParamName(); 25 | 26 | } 27 | -------------------------------------------------------------------------------- /src/main/java/com/github/rusakovichma/tictaac/provider/model/ThreatModelProvider.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of TicTaaC. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved. 17 | */ 18 | package com.github.rusakovichma.tictaac.provider.model; 19 | 20 | import com.github.rusakovichma.tictaac.model.ThreatModel; 21 | 22 | public interface ThreatModelProvider { 23 | 24 | public ThreatModel getModel(); 25 | 26 | } 27 | -------------------------------------------------------------------------------- /expl/simpest-threat-model.yml: -------------------------------------------------------------------------------- 1 | name: Simplest Data Flow for Threat Modeling 2 | version: 1.0.0 3 | assets: #We know nothing about application's data 4 | elements: #Here we describe the main elements of the data flow 5 | - user-browser #Application's User 6 | - application-web-server #Web application's server 7 | - database #Application's Database 8 | boundaries: #Here we define the data flow diagram boundaries and the context 9 | - internet #Users connect to the application from the Internet 10 | elements: 11 | - user-browser # Reference to the user element 12 | - amazon-vpc #Our application in Amazon VPC, for example 13 | elements: #Application's components references. In VPC we have... 14 | - application-web-server #Web-server element ... 15 | - database # ... and the database 16 | data-flows: #Section for the flows between the elements 17 | - user-browser -> application-web-server #User's Browser connects to the application flow 18 | - application-web-server -> database #The application connects to the database to fetch data -------------------------------------------------------------------------------- /src/main/java/com/github/rusakovichma/tictaac/engine/el/expression/ExpressionAware.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of TicTaaC. 
3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved. 17 | */ 18 | package com.github.rusakovichma.tictaac.engine.el.expression; 19 | 20 | public interface ExpressionAware { 21 | 22 | public void setExprOne(Expression exprOne); 23 | 24 | public void setExprAnother(Expression exprAnother); 25 | 26 | } 27 | -------------------------------------------------------------------------------- /src/main/java/com/github/rusakovichma/tictaac/provider/rules/ThreatRulesProvider.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of TicTaaC. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved. 
17 | */ 18 | package com.github.rusakovichma.tictaac.provider.rules; 19 | 20 | import com.github.rusakovichma.tictaac.model.ThreatsLibrary; 21 | 22 | public interface ThreatRulesProvider { 23 | 24 | public ThreatsLibrary getThreatsLibrary(); 25 | 26 | } 27 | -------------------------------------------------------------------------------- /src/test/java/com/github/rusakovichma/tictaac/risk/PlainMatrixRiskStrategyTest.java: -------------------------------------------------------------------------------- 1 | package com.github.rusakovichma.tictaac.risk; 2 | 3 | import com.github.rusakovichma.tictaac.model.ThreatRisk; 4 | import com.github.rusakovichma.tictaac.model.ThreatSeverity; 5 | import com.github.rusakovichma.tictaac.model.threatmodel.boundary.BoundaryCategory; 6 | import org.junit.jupiter.api.Test; 7 | 8 | import static org.junit.jupiter.api.Assertions.*; 9 | 10 | class PlainMatrixRiskStrategyTest { 11 | 12 | @Test 13 | void calc() { 14 | PlainMatrixRiskStrategy strategy = new PlainMatrixRiskStrategy(); 15 | 16 | ThreatRisk risk = strategy.calc(ThreatSeverity.Medium, BoundaryCategory.corporateNetwork); 17 | assertTrue(risk == ThreatRisk.Medium); 18 | 19 | risk = strategy.calc(ThreatSeverity.Low, BoundaryCategory.globalNetwork); 20 | assertTrue(risk == ThreatRisk.Medium); 21 | 22 | risk = strategy.calc(ThreatSeverity.Low, BoundaryCategory.undefined); 23 | assertTrue(risk == ThreatRisk.Undefined); 24 | } 25 | } -------------------------------------------------------------------------------- /src/main/java/com/github/rusakovichma/tictaac/engine/el/parser/ExpressionParser.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of TicTaaC. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved. 17 | */ 18 | package com.github.rusakovichma.tictaac.engine.el.parser; 19 | 20 | import com.github.rusakovichma.tictaac.engine.el.expression.Expression; 21 | 22 | public interface ExpressionParser { 23 | 24 | public Expression parse(String expression); 25 | 26 | } 27 | -------------------------------------------------------------------------------- /src/main/java/com/github/rusakovichma/tictaac/model/threatmodel/dataflow/Encryption.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of TicTaaC. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved. 
 */
package com.github.rusakovichma.tictaac.model.threatmodel.dataflow;

/**
 * Whether a data flow is encrypted in transit, as declared in the threat-model file.
 * {@link #undefined} is the value for flows that do not state it.
 */
public enum Encryption {
    no,
    yes,
    undefined;

    /**
     * Returns the bare constant name. This matches {@code Enum.toString()}'s default;
     * it is presumably made explicit so the value written to reports/YAML stays the
     * constant name even if the default ever changed — confirm.
     */
    @Override
    public String toString() {
        return this.name();
    }
}
--------------------------------------------------------------------------------
/src/test/java/com/github/rusakovichma/tictaac/correction/UniversalElementGuesserTest.java:
--------------------------------------------------------------------------------
package com.github.rusakovichma.tictaac.correction;

import com.github.rusakovichma.tictaac.model.threatmodel.Element;
import com.github.rusakovichma.tictaac.model.threatmodel.element.ElementType;
import org.junit.jupiter.api.Test;

import static org.junit.jupiter.api.Assertions.*;

/**
 * Checks that {@link UniversalElementGuesser} fills in an element's type from its id
 * and leaves the type untouched when there is nothing to go on.
 */
class UniversalElementGuesserTest {

    /** An id containing "gateway" is classified as a proxy server (the keyword list lives in the guesser). */
    @Test
    void guess() {
        Element element = new Element();
        element.setId("some-gateway-to-guess");

        UniversalElementGuesser guesser = new UniversalElementGuesser();
        guesser.tryToCorrect(element);

        assertTrue(element.getType() == ElementType.proxyServer);
    }

    /** An element with no id must not be given a type (null id must not throw either). */
    @Test
    void guessNull() {
        Element element = new Element();

        UniversalElementGuesser guesser = new UniversalElementGuesser();
        guesser.tryToCorrect(element);

        assertTrue(element.getType() == null);
    }
}
--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/engine/el/parser/EvaluationTemplate.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved. 17 | */ 18 | package com.github.rusakovichma.tictaac.engine.el.parser; 19 | 20 | public interface EvaluationTemplate { 21 | 22 | public static final String DELIMITER = " "; 23 | 24 | public String getEvaluationStart(); 25 | 26 | public String getEvaluationEnd(); 27 | 28 | } 29 | -------------------------------------------------------------------------------- /src/main/java/com/github/rusakovichma/tictaac/provider/mitigation/MitigationLibraryProvider.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of TicTaaC. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved. 
17 | */ 18 | package com.github.rusakovichma.tictaac.provider.mitigation; 19 | 20 | import com.github.rusakovichma.tictaac.model.mitigation.MitigationsLibrary; 21 | 22 | public interface MitigationLibraryProvider { 23 | 24 | public MitigationsLibrary getMitigations(); 25 | 26 | } 27 | -------------------------------------------------------------------------------- /src/main/java/com/github/rusakovichma/tictaac/provider/mitigation/Mitigator.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of TicTaaC. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved. 17 | */ 18 | package com.github.rusakovichma.tictaac.provider.mitigation; 19 | 20 | import com.github.rusakovichma.tictaac.model.Threat; 21 | 22 | import java.util.Collection; 23 | 24 | public interface Mitigator { 25 | 26 | public void setMitigationStrategy(Collection threats); 27 | 28 | } 29 | -------------------------------------------------------------------------------- /src/main/java/com/github/rusakovichma/tictaac/model/threatmodel/dataflow/Authorization.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of TicTaaC. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved. 17 | */ 18 | package com.github.rusakovichma.tictaac.model.threatmodel.dataflow; 19 | 20 | public enum Authorization { 21 | read, 22 | readWrite, 23 | admin, 24 | undefined; 25 | 26 | @Override 27 | public String toString() { 28 | return this.name(); 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /src/main/java/com/github/rusakovichma/tictaac/reporter/dfd/DataFlowRender.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of TicTaaC. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved. 
17 | */ 18 | package com.github.rusakovichma.tictaac.reporter.dfd; 19 | 20 | import com.github.rusakovichma.tictaac.model.ThreatModel; 21 | 22 | import java.io.IOException; 23 | 24 | public interface DataFlowRender { 25 | 26 | public byte[] createDataFlow(ThreatModel threatModel) throws IOException; 27 | 28 | } 29 | -------------------------------------------------------------------------------- /src/main/java/com/github/rusakovichma/tictaac/engine/ThreatEngine.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of TicTaaC. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved. 17 | */ 18 | package com.github.rusakovichma.tictaac.engine; 19 | 20 | import com.github.rusakovichma.tictaac.model.ThreatModel; 21 | import com.github.rusakovichma.tictaac.model.ThreatsCollection; 22 | 23 | public interface ThreatEngine { 24 | 25 | public ThreatsCollection generateThreats(ThreatModel threatModel); 26 | 27 | } 28 | -------------------------------------------------------------------------------- /src/main/java/com/github/rusakovichma/tictaac/parser/NodeParser.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of TicTaaC. 
3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved. 17 | */ 18 | package com.github.rusakovichma.tictaac.parser; 19 | 20 | import com.github.rusakovichma.tictaac.parser.model.NodeTree; 21 | 22 | import java.io.IOException; 23 | import java.io.InputStream; 24 | 25 | public interface NodeParser { 26 | 27 | public NodeTree getNodeTree(InputStream inputStream) throws IOException; 28 | 29 | } 30 | -------------------------------------------------------------------------------- /src/main/java/com/github/rusakovichma/tictaac/model/threatmodel/dataflow/AccountManagement.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of TicTaaC. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved. 
17 | */ 18 | package com.github.rusakovichma.tictaac.model.threatmodel.dataflow; 19 | 20 | public enum AccountManagement { 21 | externalSso, 22 | localAccount, 23 | activeDirectory, 24 | undefined; 25 | 26 | @Override 27 | public String toString() { 28 | return this.name(); 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /src/test/java/com/github/rusakovichma/tictaac/parser/impl/NodeTreeParserTest.java: -------------------------------------------------------------------------------- 1 | package com.github.rusakovichma.tictaac.parser.impl; 2 | 3 | import com.github.rusakovichma.tictaac.parser.model.NodeTree; 4 | import com.github.rusakovichma.tictaac.util.FileUtil; 5 | import org.junit.jupiter.api.Test; 6 | 7 | import java.io.IOException; 8 | import java.io.InputStream; 9 | 10 | import static org.junit.jupiter.api.Assertions.*; 11 | 12 | class NodeTreeParserTest { 13 | 14 | @Test 15 | void getNodeTreeTest() throws IOException { 16 | InputStream fileInputStream = FileUtil.fileToInputStream("src/test/resources/threat-model-test.yml"); 17 | 18 | NodeTree tree = new NodeTreeParser().getNodeTree(fileInputStream); 19 | assertTrue(tree.size() == 83); 20 | } 21 | 22 | @Test 23 | void getNodeTreeWithCommentsTest() throws IOException { 24 | InputStream fileInputStream = FileUtil.fileToInputStream("src/test/resources/threat-model-test-with-comments.yml"); 25 | 26 | NodeTree tree = new NodeTreeParser().getNodeTree(fileInputStream); 27 | assertTrue(tree.size() == 85); 28 | } 29 | } -------------------------------------------------------------------------------- /src/main/java/com/github/rusakovichma/tictaac/model/threatmodel/asset/AssetSensitivity.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of TicTaaC. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved. 17 | */ 18 | package com.github.rusakovichma.tictaac.model.threatmodel.asset; 19 | 20 | public enum AssetSensitivity { 21 | sensitive, 22 | nonSensitive, 23 | pii, 24 | health, 25 | paymentCard, 26 | undefined; 27 | 28 | @Override 29 | public String toString() { 30 | return this.name(); 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /src/main/java/com/github/rusakovichma/tictaac/provider/mitigation/DullMitigator.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of TicTaaC. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved. 
*/
package com.github.rusakovichma.tictaac.provider.mitigation;

import com.github.rusakovichma.tictaac.model.Threat;

import java.util.Collection;

/**
 * A {@link Mitigator} that assigns no mitigation strategy at all: the
 * threats handed to it are left exactly as received. Callers should expect
 * every threat to remain unmitigated after this mitigator has run.
 */
public class DullMitigator implements Mitigator {

    /**
     * Intentionally a no-op.
     *
     * @param threats threats to process; never read or modified. The raw
     *                {@code Collection} type mirrors the {@link Mitigator}
     *                contract; judging by the import it presumably holds
     *                {@link Threat} instances — confirm against the interface.
     */
    @Override
    public void setMitigationStrategy(Collection threats) {
        // deliberately empty: no mitigation status is ever set here
    }
}

--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/engine/el/EvaluationContext.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved.
 */
package com.github.rusakovichma.tictaac.engine.el;

import com.github.rusakovichma.tictaac.engine.el.expression.Expression;

/**
 * Store of expression results produced during one evaluation run, keyed by
 * the {@link Expression} that produced them.
 */
public interface EvaluationContext {

    /**
     * Returns the result previously stored for {@code expression}.
     * What is returned when nothing was stored is left to the implementation.
     *
     * @param expression the expression whose result is wanted
     * @return the stored result
     */
    Object getEvaluationResult(Expression expression);

    /**
     * Records {@code result} as the outcome of evaluating {@code expression}.
     *
     * @param expression the evaluated expression
     * @param result     its value
     */
    void addEvaluationResult(Expression expression, Object result);

}

--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/validation/Required.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
*
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved.
 */
package com.github.rusakovichma.tictaac.validation;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

/**
 * Marks a model field that must carry a value. Retained at runtime so the
 * validation package can discover it reflectively; this annotation itself
 * performs no check.
 */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.FIELD)
public @interface Required {
}

--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/model/threatmodel/annotation/Id.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2022 Mikhail Rusakovich.
All Rights Reserved.
 */
package com.github.rusakovichma.tictaac.model.threatmodel.annotation;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

/**
 * Marks the field holding a model object's identifier (for example the
 * {@code id} field of {@code ThreatRef}). Runtime-retained so mappers can
 * locate the identifier field reflectively.
 */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.FIELD)
public @interface Id {
}

--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/engine/el/parser/DefaultEvaluationTemplate.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved.
*/
package com.github.rusakovichma.tictaac.engine.el.parser;

/**
 * Default delimiters that mark an embedded expression inside a template:
 * an expression starts with {@code $${} and ends with {@code }}.
 */
public class DefaultEvaluationTemplate implements EvaluationTemplate {

    /** Opening delimiter of an embedded expression. */
    private static final String START_MARKER = "$${";

    /** Closing delimiter of an embedded expression. */
    private static final String END_MARKER = "}";

    /** @return the opening delimiter, {@code $${} */
    @Override
    public String getEvaluationStart() {
        return START_MARKER;
    }

    /** @return the closing delimiter, {@code }} */
    @Override
    public String getEvaluationEnd() {
        return END_MARKER;
    }
}

--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/model/threatmodel/element/ElementType.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved.
*/
package com.github.rusakovichma.tictaac.model.threatmodel.element;

/**
 * Kind of element that can appear in a data-flow diagram. Unlike the other
 * model enums there is no {@code undefined} member: every element must be
 * one of these seven types.
 */
public enum ElementType {
    interactor,
    proxyServer,
    webServer,
    database,
    externalService,
    internalService,
    process;

    /** Prints the constant exactly as declared (identical to {@link #name()}). */
    @Override
    public String toString() {
        return name();
    }
}

--------------------------------------------------------------------------------
/expl/intermediate-threat-model.yml:
--------------------------------------------------------------------------------
name: Intermediate Data Flow for Threat Modeling
version: 1.0.1
assets:
  - credit-card #Application's data asset
    sensitivity: sensitive #Values: sensitive, non-sensitive
elements:
  - legitimate-user
    produced-assets: #An element may have: produced-assets, consumed-assets, processed-assets, stored-assets lists
      - credit-card
  - proxy-server
    processed-assets:
      - credit-card
  - web-server
    processed-assets:
      - credit-card
  - database
    stored-assets:
      - credit-card
boundaries:
  - dmz
    elements:
      - proxy-server
  - internal-network
    elements:
      - web-server
      - database
  - internet
    elements:
      - legitimate-user
data-flows:
  - legitimate-user -> proxy-server
    transferred-assets: #In this option we define the asset references passed through the data flow
      - credit-card
  - proxy-server -> web-server
    transferred-assets:
      - credit-card
  - web-server -> database
    transferred-assets:
      - credit-card
--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/model/threatmodel/annotation/Exclude.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
*
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved.
 */
package com.github.rusakovichma.tictaac.model.threatmodel.annotation;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

/**
 * Marks a model field that is to be skipped by reflective processing.
 * Which processing honours it (mapping, validation, reporting) is decided
 * by the consumer of the annotation, not here.
 */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.FIELD)
public @interface Exclude {
}

--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/model/threatmodel/annotation/FlowSource.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
*
 * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved.
 */
package com.github.rusakovichma.tictaac.model.threatmodel.annotation;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

/**
 * Marks the field of a data-flow object that refers to the element the
 * flow originates from (the left-hand side of an {@code a -> b} entry in
 * the model file). Counterpart of {@link FlowTarget}.
 */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.FIELD)
public @interface FlowSource {
}

--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/model/threatmodel/annotation/FlowTarget.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved.
*/
package com.github.rusakovichma.tictaac.model.threatmodel.annotation;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

/**
 * Marks the field of a data-flow object that refers to the element the
 * flow is directed at (the right-hand side of an {@code a -> b} entry in
 * the model file). Counterpart of {@link FlowSource}.
 */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.FIELD)
public @interface FlowTarget {
}

--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/model/threatmodel/annotation/RootCollection.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved.
*/
package com.github.rusakovichma.tictaac.model.threatmodel.annotation;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

/**
 * Marks a top-level collection of the threat model (such as its assets or
 * elements) that other fields may point into by name; {@code Ref} carries
 * the name of the collection a reference resolves against.
 */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.FIELD)
public @interface RootCollection {
}

--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/validation/RequiresAtLeast.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved.
*/
package com.github.rusakovichma.tictaac.validation;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

/**
 * Declares the minimum number of entries a collection-valued model field
 * must hold. The check itself lives in the validation package; this type
 * only carries the threshold.
 */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.FIELD)
public @interface RequiresAtLeast {

    /**
     * Minimum element count. The default of {@code -1} means no threshold
     * was given; how a negative value is treated is up to the validator.
     */
    int elements() default -1;
}

--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/engine/EngineContext.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved.
*/
package com.github.rusakovichma.tictaac.engine;

import com.github.rusakovichma.tictaac.model.Threat;
import com.github.rusakovichma.tictaac.model.ThreatModel;
import com.github.rusakovichma.tictaac.model.ThreatRule;

import java.util.Collection;

/**
 * Package-private entry point of the rule engine: runs a set of rules
 * against a threat model and returns the threats that were raised.
 * Both collections are raw types; the imports suggest the input holds
 * {@link ThreatRule}s and the output {@link Threat}s — confirm with the
 * implementation before relying on it.
 */
interface EngineContext {

    /**
     * Evaluates {@code rules} against {@code threatModel}.
     *
     * @param threatModel the model under analysis
     * @param rules       the rules to apply
     * @return the threats produced by the rules that matched
     */
    Collection eval(ThreatModel threatModel, Collection rules);

}

--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/reporter/ReportFormat.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved.
*/
package com.github.rusakovichma.tictaac.reporter;

/**
 * Output formats a threat report can be written in.
 */
public enum ReportFormat {
    json,
    html;

    /**
     * Resolves a format from its name, ignoring case ({@code "JSON"} and
     * {@code "json"} both give {@link #json}).
     *
     * @param str the requested format name; may be {@code null}
     * @return the matching constant, or {@code null} when {@code str} is
     *         {@code null} or names no known format — callers that take the
     *         name from user input must handle the {@code null} case rather
     *         than dereference the result
     */
    public static ReportFormat fromString(String str) {
        if (str == null) {
            // equalsIgnoreCase(null) is false for every constant, so the
            // loop below could never match; returning early makes that explicit
            return null;
        }
        for (ReportFormat candidate : values()) {
            if (candidate.name().equalsIgnoreCase(str)) {
                return candidate;
            }
        }
        return null;
    }
}

--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/risk/RiskCalculationStrategy.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved.
*/
package com.github.rusakovichma.tictaac.risk;

import com.github.rusakovichma.tictaac.model.ThreatRisk;
import com.github.rusakovichma.tictaac.model.ThreatSeverity;
import com.github.rusakovichma.tictaac.model.threatmodel.boundary.BoundaryCategory;

/**
 * Strategy that derives a threat's risk from two inputs: how severe its
 * impact is and which boundary category the attack comes through. Keeping
 * it behind an interface lets the risk matrix be swapped without touching
 * the engine.
 */
public interface RiskCalculationStrategy {

    /**
     * Computes the risk rating.
     *
     * @param impact       severity of the threat's impact
     * @param attackVector boundary category the attack originates from
     * @return the resulting risk
     */
    ThreatRisk calc(ThreatSeverity impact, BoundaryCategory attackVector);
}

--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/model/threatmodel/annotation/Ref.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved.
*/
package com.github.rusakovichma.tictaac.model.threatmodel.annotation;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

/**
 * Marks a field whose value is a by-name reference into one of the model's
 * root collections rather than an inline object.
 */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.FIELD)
public @interface Ref {

    /**
     * Name of the root collection the reference is resolved against.
     * Defaults to the empty string, whose meaning is left to the mapper.
     */
    String rootCollection() default "";
}

--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/model/threatmodel/annotation/DefaultValue.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved.
*/
package com.github.rusakovichma.tictaac.model.threatmodel.annotation;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

/**
 * Supplies the textual default a model field takes when the model file
 * does not set it. How the string is converted to the field's type is the
 * mapper's business.
 */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.FIELD)
public @interface DefaultValue {

    /** The default, as it would be written in the model file; empty by default. */
    String value() default "";
}

--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/reporter/ThreatsReporter.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved.
*/
package com.github.rusakovichma.tictaac.reporter;

import com.github.rusakovichma.tictaac.model.Threat;
import com.github.rusakovichma.tictaac.model.ThreatModel;

import java.io.IOException;
import java.util.Collection;

/**
 * Writes the outcome of a threat-modelling run to some destination
 * (file, stream, ...). The {@code threats} collection is a raw type; by
 * the import it presumably holds {@link Threat} instances.
 */
public interface ThreatsReporter {

    /**
     * Publishes the report.
     *
     * @param header      metadata placed at the top of the report
     * @param threatModel the model the threats were derived from
     * @param threats     the threats to report
     * @throws IOException if the report cannot be written
     */
    void publish(ReportHeader header, ThreatModel threatModel, Collection threats)
            throws IOException;

}

--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/model/ThreatSeverity.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved.
*/
package com.github.rusakovichma.tictaac.model;

/**
 * Severity of a threat, with an explicit numeric order so that severities
 * can be compared without relying on {@link #ordinal()}. {@code Undefined}
 * deliberately orders below {@code Low}.
 */
public enum ThreatSeverity {
    Low(0),
    Medium(1),
    High(2),
    Undefined(-1);

    /** Rank used for comparisons; higher means more severe, -1 means unknown. */
    private final int order;

    ThreatSeverity(int order) {
        this.order = order;
    }

    /** @return the comparison rank of this severity */
    public int getOrder() {
        return order;
    }

    /** Prints the constant exactly as declared (identical to {@link #name()}). */
    @Override
    public String toString() {
        return name();
    }
}

--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/model/threatmodel/dataflow/AuthenticationMethod.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved.
*/
package com.github.rusakovichma.tictaac.model.threatmodel.dataflow;

/**
 * Authentication mechanism a data flow declares. The list mixes methods of
 * very different strength ({@code anonymous}, {@code basic} and
 * {@code ntlm} next to {@code certificate} and {@code kerberos}); which of
 * them a rule treats as weak is decided in the rule library, not here.
 * {@code undefined} is used when the model does not say.
 */
public enum AuthenticationMethod {
    anonymous,
    credentials,
    basic,
    digest,
    openid,
    ldap,
    ntlm,
    kerberos,
    certificate,
    saml,
    bearer,
    s3,
    radius,
    undefined;

    /** Prints the constant exactly as declared (identical to {@link #name()}). */
    @Override
    public String toString() {
        return name();
    }
}

--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/correction/ElementNameCorrector.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved.
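*/
package com.github.rusakovichma.tictaac.correction;

import com.github.rusakovichma.tictaac.model.threatmodel.Element;

/**
 * Fills in a missing element name from the element's identifier so that
 * every element has something to display.
 */
public class ElementNameCorrector implements Corrector {

    /**
     * Sets the name to the id when the name is {@code null} or blank.
     *
     * @param element the element to fix up; mutated in place
     * @return {@code true} if the name was replaced, {@code false} if it was
     *         already present. Note: when the id is itself {@code null} the
     *         name is set to {@code null} and {@code true} is still returned —
     *         the id's presence is assumed to be validated elsewhere.
     */
    @Override
    public boolean tryToCorrect(Element element) {
        String name = element.getName();
        if (name == null || name.trim().isEmpty()) {
            element.setName(element.getId());
            return true;
        }
        return false;
    }
}

--------------------------------------------------------------------------------
/src/test/java/com/github/rusakovichma/tictaac/reporter/dfd/GraphvizDataFlowRenderTest.java:
--------------------------------------------------------------------------------
package com.github.rusakovichma.tictaac.reporter.dfd;

import com.github.rusakovichma.tictaac.mapper.ThreatModelMapper;
import com.github.rusakovichma.tictaac.model.ThreatModel;
import com.github.rusakovichma.tictaac.parser.impl.NodeTreeParser;
import com.github.rusakovichma.tictaac.parser.model.NodeTree;
import com.github.rusakovichma.tictaac.util.FileUtil;
import com.github.rusakovichma.tictaac.util.ImageUtils;
import org.junit.jupiter.api.Test;

import java.io.IOException;
import java.io.InputStream;

import static org.junit.jupiter.api.Assertions.*;

/**
 * Smoke test: rendering the sample model through Graphviz must produce a
 * non-empty image.
 */
class GraphvizDataFlowRenderTest {

    /**
     * Parses the fixture at {@code path} into a {@link ThreatModel}. The
     * stream is closed in every case; the original test leaked it.
     */
    private static ThreatModel loadModel(String path) throws IOException {
        try (InputStream in = FileUtil.fileToInputStream(path)) {
            NodeTree tree = new NodeTreeParser().getNodeTree(in);
            return new ThreatModelMapper(tree).getModel();
        }
    }

    @Test
    void createDataFlow() throws IOException {
        ThreatModel threatModel = loadModel("src/test/resources/data-flow-render-test.yml");

        GraphvizDataFlowRender render = new GraphvizDataFlowRender();

        // only the presence of output is checked; the image bytes themselves
        // depend on the Graphviz build and are not compared
        assertTrue(render.createDataFlow(threatModel).length > 0);
    }
}
--------------------------------------------------------------------------------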
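/src/main/java/com/github/rusakovichma/tictaac/validation/ValidationErrors.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved.
 */
package com.github.rusakovichma.tictaac.validation;

import java.util.ArrayList;
import java.util.List;
import java.util.stream.Collectors;

/**
 * Accumulates validation messages for one model. The raw {@code List} of
 * the original has been typed as {@code List<String>}: the summary joins
 * the entries as text, so nothing else could ever have been stored safely.
 */
class ValidationErrors {

    /** Messages in the order they were added; exposed mutable on purpose. */
    private final List<String> errors = new ArrayList<>();

    /**
     * Returns the live list so callers can append messages to it.
     *
     * @return the backing list, never {@code null}
     */
    public List<String> getErrors() {
        return errors;
    }

    /**
     * Joins all messages with the platform line separator.
     *
     * @return one message per line; the empty string when there are none
     */
    public String getSummary() {
        return String.join(System.lineSeparator(), errors);
    }
}

--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/mapper/ThreatModelMapper.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.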
* You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved.
 */
package com.github.rusakovichma.tictaac.mapper;

import com.github.rusakovichma.tictaac.model.ThreatModel;
import com.github.rusakovichma.tictaac.parser.model.NodeTree;

/**
 * Builds a {@link ThreatModel} from a parsed {@link NodeTree}. All of the
 * mapping logic lives in {@code AbstractModelMapper#mapModel}; this class
 * only chooses the target type.
 */
public class ThreatModelMapper extends AbstractModelMapper {

    /**
     * @param nodeTree the parsed model file to map from
     */
    public ThreatModelMapper(NodeTree nodeTree) {
        super(nodeTree);
    }

    /**
     * Creates an empty {@link ThreatModel} and populates it from the tree.
     *
     * @return a freshly mapped model; a new instance on every call
     */
    @Override
    public ThreatModel getModel() {
        final ThreatModel model = new ThreatModel();
        mapModel(model);
        return model;
    }
}

--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/model/mitigation/MitigationStatus.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2022 Mikhail Rusakovich.
/**
 * Disposition of a threat as recorded in the mitigation library.
 *
 * <p>Each constant carries a human-readable label for reports
 * ({@link #getDescription()}); the label is display text only and differs from
 * {@code name()} for the two multi-word statuses.
 */
public enum MitigationStatus {
    Mitigated("Mitigated"),
    Accepted("Accepted"),
    Transferred("Transferred"),
    Avoided("Avoided"),
    NotApplicable("Not Applicable"),
    NotMitigated("Not Mitigated");

    private final String label;

    MitigationStatus(String label) {
        this.label = label;
    }

    /**
     * @return the display label, e.g. {@code "Not Applicable"} for {@link #NotApplicable}
     */
    public String getDescription() {
        return label;
    }
}
/**
 * Reference from a mitigation entry to a threat, by threat id, with an optional
 * free-text comment.
 *
 * <p>Plain mutable bean with a no-arg constructor and setters; {@code id} carries the
 * project's {@code @Id} annotation so the mapping layer can treat it as the key
 * (presumably — the annotation's handling lives outside this class).
 */
public class ThreatRef {

    @Id
    private String id;
    private String comment;

    /** @return the referenced threat id, or {@code null} if never set */
    public String getId() {
        return this.id;
    }

    public void setId(String id) {
        this.id = id;
    }

    /** @return the free-text comment attached to this reference, or {@code null} */
    public String getComment() {
        return this.comment;
    }

    public void setComment(String comment) {
        this.comment = comment;
    }
}
/**
 * Mapper that materialises a {@link ThreatsLibrary} from a parsed {@link NodeTree}.
 *
 * <p>Mirrors {@code ThreatModelMapper}: the generic mapping lives in
 * {@code AbstractModelMapper#mapModel}; only the target type is chosen here.
 */
public class ThreatsLibraryMapper extends AbstractModelMapper {

    /**
     * @param nodeTree parsed threats-library document to map from
     */
    public ThreatsLibraryMapper(NodeTree nodeTree) {
        super(nodeTree);
    }

    /**
     * Creates a fresh {@link ThreatsLibrary} and lets the base mapper populate it.
     *
     * @return the populated library; a new instance on every call
     */
    @Override
    public ThreatsLibrary getModel() {
        final ThreatsLibrary target = new ThreatsLibrary();
        mapModel(target);
        return target;
    }
}
/**
 * Guesses that an element is a {@link ElementType#process} when its name carries one
 * of the {@link #SIGNS} markers.
 *
 * <p>Heuristic only: how the markers are matched (presumably against element names) is
 * decided by the {@code ElementGuesser} base class, not here. Since the guessed type
 * drives which threats are considered, a guess is worth confirming in the model.
 */
public class ProcessGuesser extends ElementGuesser {

    /** Name fragments that designate a process-like element. */
    private static final List<String> SIGNS =
            Arrays.asList("process", "desktop-application", "scheduler");

    @Override
    ElementType getGuessedType() {
        return ElementType.process;
    }

    @Override
    List<String> getDesignatingString() {
        return SIGNS;
    }
}
/**
 * Base class for expressions that publish their value into an {@link EvaluationContext}.
 *
 * <p>The context passed to the constructor is the one {@link #getEvaluationResult()}
 * interprets against and reads back from. Subclasses implement
 * {@link #interpret(EvaluationContext)} and record their outcome with
 * {@code context.addEvaluationResult(this, value)}.
 */
public abstract class AbstractExpression implements Expression {

    /** Context this expression is bound to for the lifetime of the object. */
    protected final EvaluationContext context;

    public AbstractExpression(EvaluationContext context) {
        this.context = context;
    }

    /**
     * Evaluates this expression and publishes its value into {@code context}.
     *
     * @param context context to evaluate against and to publish the result into
     */
    public abstract void interpret(EvaluationContext context);

    /**
     * Interprets against the bound context and returns whatever was recorded there for
     * this expression.
     *
     * @return the recorded value; typically {@code null} if {@code interpret} stored nothing
     */
    @Override
    public Object getEvaluationResult() {
        interpret(this.context);
        final Object recorded = this.context.getEvaluationResult(this);
        return recorded;
    }

}
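/**
 * Immutable header metadata for a generated report: a name, a version string and the
 * generation timestamp.
 *
 * <p>{@link Date} is mutable, so the constructor stores a private copy and
 * {@link #getDate()} hands out a fresh copy each time; neither the caller's original
 * nor a returned value can alter the header afterwards (the original class stored and
 * returned the caller's instance directly). A {@code null} date is accepted and comes
 * back as {@code null}, as before.
 */
public class ReportHeader {

    private final String name;
    private final String version;
    private final Date date;

    /**
     * @param name    report name
     * @param version version string shown in the report
     * @param date    generation timestamp; copied, may be {@code null}
     */
    public ReportHeader(String name, String version, Date date) {
        this.name = name;
        this.version = version;
        this.date = copyOf(date);
    }

    public String getName() {
        return name;
    }

    public String getVersion() {
        return version;
    }

    /** @return a defensive copy of the timestamp, or {@code null} if none was given */
    public Date getDate() {
        return copyOf(date);
    }

    // Date has no immutable counterpart in this API; copying by epoch millis keeps the
    // stored instance unreachable from callers.
    private static Date copyOf(Date source) {
        return source == null ? null : new Date(source.getTime());
    }
}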
/**
 * Mapper that materialises a {@link MitigationsLibrary} from a parsed {@link NodeTree}.
 *
 * <p>Same shape as the other mappers: {@code AbstractModelMapper#mapModel} does the
 * work, this class only supplies the target instance.
 */
public class MitigationsLibraryMapper extends AbstractModelMapper {

    /**
     * @param nodeTree parsed mitigations document to map from
     */
    public MitigationsLibraryMapper(NodeTree nodeTree) {
        super(nodeTree);
    }

    /**
     * Creates a fresh {@link MitigationsLibrary} and lets the base mapper populate it.
     *
     * @return the populated library; a new instance on every call
     */
    @Override
    public MitigationsLibrary getModel() {
        final MitigationsLibrary target = new MitigationsLibrary();
        mapModel(target);
        return target;
    }

}
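/**
 * Small stream helpers. Not instantiable.
 */
public class InputStreamUtil {

    private InputStreamUtil() {
    }

    /**
     * Feeds every line of {@code inputStream} to {@code lineStringConsumer}, in order and
     * without line terminators.
     *
     * <p>Bytes are decoded as UTF-8 explicitly. The previous version used the platform
     * default charset, so the same model or rules file could decode differently from one
     * machine (or CI image) to the next; pinning the charset makes results reproducible.
     * Model and rule files are assumed to be UTF-8 — TODO confirm against the bundled
     * resources.
     *
     * <p>Ownership of {@code inputStream} stays with the caller: nothing here closes it.
     * (The old try-with-resources on the {@code lines()} stream closed nothing either —
     * closing that stream does not close the underlying reader.)
     *
     * @param inputStream        bytes to read, consumed to end
     * @param lineStringConsumer invoked once per line
     * @throws java.io.UncheckedIOException if reading fails
     */
    public static void readLineByLine(InputStream inputStream, Consumer<String> lineStringConsumer) {
        BufferedReader reader = new BufferedReader(
                new InputStreamReader(inputStream, java.nio.charset.StandardCharsets.UTF_8));
        reader.lines().forEach(lineStringConsumer);
    }

}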
/**
 * Guesses that an element is a {@link ElementType#database} when its name carries one
 * of the {@link #SIGNS} markers (generic storage words and common database products).
 *
 * <p>Heuristic only: the matching itself (presumably against element names) is done by
 * the {@code ElementGuesser} base class. Since the guessed type drives which threats
 * are considered, a guess is worth confirming in the model.
 */
public class DatabaseGuesser extends ElementGuesser {

    /** Name fragments that designate a data store. */
    private static final List<String> SIGNS = Arrays.asList(
            "storage", "database", "data-base", "postgre",
            "sql", "oracle", "mongo", "redis", "memcached");

    @Override
    ElementType getGuessedType() {
        return ElementType.database;
    }

    @Override
    List<String> getDesignatingString() {
        return SIGNS;
    }
}
/**
 * In-memory {@link EvaluationContext}: a map from expression node to the value its
 * {@code interpret} recorded.
 *
 * <p>Expressions are the map keys, so lookups depend on their {@code equals} and
 * {@code hashCode} (identity unless an expression overrides them). Backed by a plain
 * {@link HashMap}, hence not thread-safe.
 */
public class DefaultEvaluationContext implements EvaluationContext {

    private final Map<Expression, Object> evaluationResults = new HashMap<>();

    /** @return the value recorded for {@code expression}, or {@code null} if none */
    @Override
    public Object getEvaluationResult(Expression expression) {
        return evaluationResults.get(expression);
    }

    /** Records {@code value} for {@code expression}, replacing any earlier value. */
    @Override
    public void addEvaluationResult(Expression expression, Object value) {
        evaluationResults.put(expression, value);
    }
}
/**
 * Guesses that an element is a {@link ElementType#proxyServer} when its name carries
 * one of the {@link #SIGNS} markers (proxies, load balancers, gateways and the usual
 * front-door servers).
 *
 * <p>Heuristic only: the matching itself (presumably against element names) is done by
 * the {@code ElementGuesser} base class. Since the guessed type drives which threats
 * are considered, a guess is worth confirming in the model.
 */
public class ProxyServerGuesser extends ElementGuesser {

    /** Name fragments that designate a reverse proxy / gateway tier. */
    private static final List<String> SIGNS = Arrays.asList(
            "proxyserver", "proxy-server", "load-balancer", "balancer",
            "nginx", "gateway", "apache-http");

    @Override
    ElementType getGuessedType() {
        return ElementType.proxyServer;
    }

    @Override
    List<String> getDesignatingString() {
        return SIGNS;
    }
}
/**
 * Raised when an analysed model does not pass the configured quality gate.
 *
 * <p>Unchecked on purpose: a failed gate is a terminal outcome of a run rather than a
 * condition callers handle inline. Every constructor simply delegates to the matching
 * {@link RuntimeException} constructor, so message, cause, suppression and stack-trace
 * semantics are the standard ones.
 */
public class QualityGateFailed extends RuntimeException {

    /** No message, no cause. */
    public QualityGateFailed() {
        super();
    }

    /** @param message detail message */
    public QualityGateFailed(String message) {
        super(message);
    }

    /**
     * @param message detail message
     * @param cause   underlying cause
     */
    public QualityGateFailed(String message, Throwable cause) {
        super(message, cause);
    }

    /** @param cause underlying cause; the message becomes {@code cause.toString()} */
    public QualityGateFailed(Throwable cause) {
        super(cause);
    }

    /**
     * Full control over suppression and stack-trace capture.
     *
     * @param message            detail message
     * @param cause              underlying cause
     * @param enableSuppression  whether {@code addSuppressed} is honoured
     * @param writableStackTrace whether a stack trace is captured
     */
    public QualityGateFailed(String message, Throwable cause, boolean enableSuppression, boolean writableStackTrace) {
        super(message, cause, enableSuppression, writableStackTrace);
    }
}
/**
 * STRIDE threat categories plus an {@link #Undefined} fallback.
 *
 * <p>{@link #toString()} returns the constant name, not the display text; use
 * {@link #getDescription()} for the human-readable form. The mixed casing of the
 * constants ({@code Undefined} versus the lower-case STRIDE names) is part of the
 * public API and is kept as is.
 */
public enum ThreatCategory {
    spoofing("Spoofing"),
    tampering("Tampering"),
    repudiation("Repudiation"),
    informationDisclosure("Information Disclosure"),
    denialOfService("Denial of Service"),
    elevationOfPrivilege("Elevation of Privilege"),
    Undefined("Undefined");

    private final String label;

    ThreatCategory(String label) {
        this.label = label;
    }

    /** @return the display label, e.g. {@code "Information Disclosure"} */
    public String getDescription() {
        return label;
    }

    /** @return the constant name (identifier form), not the display label */
    @Override
    public String toString() {
        return name();
    }
}
/**
 * Guesses that an element is an {@link ElementType#externalService} when its name
 * carries one of the {@link #SIGNS} markers.
 *
 * <p>Heuristic only: the matching itself (presumably against element names) is done by
 * the {@code ElementGuesser} base class. Misclassifying an external party as internal
 * (or vice versa) changes the trust assumptions applied to it, so a guess is worth
 * confirming in the model.
 */
public class ExternalServiceGuesser extends ElementGuesser {

    /** Name fragments that designate a third-party / external service. */
    private static final List<String> SIGNS = Arrays.asList(
            "external-service", "externalservice", "external-party",
            "external-third-party", "external-3rd-party");

    @Override
    ElementType getGuessedType() {
        return ElementType.externalService;
    }

    @Override
    List<String> getDesignatingString() {
        return SIGNS;
    }
}
/**
 * Guesses that an element is a {@link ElementType#webServer} when its name carries one
 * of the {@link #SIGNS} markers (generic back-end words and common servlet / app
 * servers).
 *
 * <p>Heuristic only: the matching itself (presumably against element names) is done by
 * the {@code ElementGuesser} base class. Note that short, common tokens such as
 * {@code "api"} will match many names; how ties between guessers are resolved lives
 * outside this class.
 */
public class WebserverGuesser extends ElementGuesser {

    /** Name fragments that designate an application / web server. */
    private static final List<String> SIGNS = Arrays.asList(
            "web-server", "webserver", "api", "back-end", "backend",
            "tomcat", "glassfish", "weblogic", "kestrel", "jetty");

    @Override
    ElementType getGuessedType() {
        return ElementType.webServer;
    }

    @Override
    List<String> getDesignatingString() {
        return SIGNS;
    }

}
/**
 * Guesses that an element is an {@link ElementType#internalService} when its name
 * carries one of the {@link #SIGNS} markers.
 *
 * <p>Heuristic only: the matching itself (presumably against element names) is done by
 * the {@code ElementGuesser} base class. Misclassifying an external party as internal
 * changes the trust assumptions applied to it, so a guess is worth confirming in the
 * model.
 */
public class InternalServiceGuesser extends ElementGuesser {

    /** Name fragments that designate an in-house service. */
    private static final List<String> SIGNS = Arrays.asList(
            "internal-service", "internalservice", "internal-party",
            "internal-third-party", "internal-3rd-party");

    @Override
    ElementType getGuessedType() {
        return ElementType.internalService;
    }

    @Override
    List<String> getDesignatingString() {
        return SIGNS;
    }

}
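/**
 * Binary equality expression: interprets both operands and records whether their
 * results are equal.
 *
 * <p>Bug fixed here: the original read {@code exprOne}'s result twice, so any
 * comparison of two non-null values evaluated to {@code true} regardless of the
 * right-hand operand. In a threat-rule engine that means a rule keyed on an equality
 * test could match every element (or, negated, none). The right-hand side now reads
 * {@code exprAnother}, as {@code AndExpression} and {@code OrExpression} already do.
 *
 * <p>Results are compared with {@link java.util.Objects#equals(Object, Object)}: two
 * missing ({@code null}) results are equal, a missing and a present one are not, and no
 * {@code NullPointerException} is thrown (the original dereferenced the left result).
 */
public class EqualsExpression extends CompoundExpression {

    public EqualsExpression(EvaluationContext context) {
        super(context);
    }

    /**
     * Interprets both operands, then stores the {@code Boolean} equality of their
     * recorded results under {@code this}.
     *
     * @param context context both operands are interpreted against and the result is published to
     */
    @Override
    public void interpret(EvaluationContext context) {
        exprOne.interpret(context);
        exprAnother.interpret(context);

        Object left = context.getEvaluationResult(exprOne);
        Object right = context.getEvaluationResult(exprAnother);

        context.addEvaluationResult(this, java.util.Objects.equals(left, right));
    }
}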
/**
 * Risk level of a threat, ordered {@code Low < Medium < High} through
 * {@link #getOrder()}; {@link #Undefined} (order {@code -1}) is the fallback for input
 * that names no known level.
 */
public enum ThreatRisk {
    Low(0),
    Medium(1),
    High(2),
    Undefined(-1);

    private final int rank;

    ThreatRisk(int rank) {
        this.rank = rank;
    }

    /** @return comparable rank: 0 for Low, 1 for Medium, 2 for High, -1 for Undefined */
    public int getOrder() {
        return rank;
    }

    /**
     * Case-insensitive lookup by constant name.
     *
     * @param str name to look up; {@code null} or an unknown name yields {@link #Undefined}
     * @return the matching constant, never {@code null}
     */
    public static ThreatRisk fromString(String str) {
        for (ThreatRisk candidate : values()) {
            if (!candidate.name().equalsIgnoreCase(str)) {
                continue;
            }
            return candidate;
        }
        return Undefined;
    }

    /** @return the constant name (identifier form), not a display label */
    @Override
    public String toString() {
        return name();
    }
}
/**
 * Logical OR over two boolean sub-expressions.
 *
 * <p>Both operands are interpreted before the result is combined — there is no
 * short-circuit, so the right operand's side effects happen even when the left is
 * already {@code true}. Each recorded result is cast to {@link Boolean} and unboxed; a
 * non-boolean or missing result fails with a {@code ClassCastException} or
 * {@code NullPointerException} respectively.
 */
public class OrExpression extends CompoundExpression {

    public OrExpression(EvaluationContext context) {
        super(context);
    }

    /**
     * Records {@code left || right} for this node after interpreting both sides.
     *
     * @param context context to interpret against and publish the result into
     */
    @Override
    public void interpret(EvaluationContext context) {
        exprOne.interpret(context);
        exprAnother.interpret(context);

        final boolean left = (Boolean) context.getEvaluationResult(exprOne);
        final boolean right = (Boolean) context.getEvaluationResult(exprAnother);
        final boolean either = left || right;

        context.addEvaluationResult(this, either);
    }
}
/**
 * Logical AND over two boolean sub-expressions.
 *
 * <p>Both operands are interpreted before the result is combined — there is no
 * short-circuit, so the right operand's side effects happen even when the left is
 * already {@code false}. Each recorded result is cast to {@link Boolean} and unboxed; a
 * non-boolean or missing result fails with a {@code ClassCastException} or
 * {@code NullPointerException} respectively.
 */
public class AndExpression extends CompoundExpression {

    public AndExpression(EvaluationContext context) {
        super(context);
    }

    /**
     * Records {@code left && right} for this node after interpreting both sides.
     *
     * @param context context to interpret against and publish the result into
     */
    @Override
    public void interpret(EvaluationContext context) {
        exprOne.interpret(context);
        exprAnother.interpret(context);

        final boolean left = (Boolean) context.getEvaluationResult(exprOne);
        final boolean right = (Boolean) context.getEvaluationResult(exprAnother);
        final boolean both = left && right;

        context.addEvaluationResult(this, both);
    }
}
/**
 * Map-backed {@link ExternalContext}: the named parameters an expression may read.
 *
 * <p>A plain {@link HashMap} underneath, so {@code null} names and values are allowed
 * and the instance is not thread-safe. {@link #getParameter(String)} returns
 * {@code null} for a name that was never bound.
 */
public class SimpleExternalContext implements ExternalContext {

    private final Map<String, Object> parameters = new HashMap<>();

    /** @return the value bound to {@code parameterName}, or {@code null} if unbound */
    @Override
    public Object getParameter(String parameterName) {
        return parameters.get(parameterName);
    }

    /** Binds {@code name} to {@code value}, replacing any earlier binding. */
    public void addParameter(String name, Object value) {
        parameters.put(name, value);
    }

    /** Copies every entry of {@code params} into this context; later entries win. */
    public void addParameters(Map<String, ?> params) {
        parameters.putAll(params);
    }

    /** Drops every binding. */
    public void clear() {
        parameters.clear();
    }
}
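*/
package com.github.rusakovichma.tictaac.provider.reader;

import com.github.rusakovichma.tictaac.parser.impl.NodeTreeParser;
import com.github.rusakovichma.tictaac.parser.model.NodeTree;
import com.github.rusakovichma.tictaac.util.FileUtil;

import java.io.IOException;
import java.io.InputStream;

/**
 * {@link Reader} for model files on the local file system.
 * <p>
 * The path is used as given — no normalisation and no base-directory check —
 * so it should only come from a trusted place (presumably the tool's own
 * command line or configuration; confirm at the call sites).
 */
class ExternalReader implements Reader {

    /**
     * Parses the file at {@code path} into a {@link NodeTree}.
     *
     * @param path file-system path of the model file
     * @return the parsed tree
     * @throws RuntimeException wrapping the {@link IOException} when the file
     *         cannot be opened or read; the path is part of the message and the
     *         original exception is kept as the cause
     */
    @Override
    public NodeTree read(String path) {
        // try-with-resources: the stream is closed even when the parser throws.
        try (InputStream in = FileUtil.fileToInputStream(path)) {
            return new NodeTreeParser().getNodeTree(in);
        } catch (IOException ex) {
            // The cause travels with the exception; printing the trace here as well
            // only duplicated it on stderr.
            throw new RuntimeException("Cannot init external file provider [" + path + "]", ex);
        }
    }
}

--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/correction/InteractorGuesser.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved.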
*/
package com.github.rusakovichma.tictaac.correction;

import com.github.rusakovichma.tictaac.model.threatmodel.element.ElementType;

import java.util.Arrays;
import java.util.List;

/**
 * Guesses that an untyped element is an {@link ElementType#interactor} when its
 * id contains one of a fixed set of signs: people, client devices, browsers and
 * threat agents.
 */
public class InteractorGuesser extends ElementGuesser {

    // Fixed-size list (Arrays.asList); ElementGuesser matches these case-insensitively.
    private static final List<String> SIGNS = Arrays.asList(
            "user", "human", "employee", "actor", "attacker",
            "mobile", "android", "ios", "phone",
            "threat-agent", "threatagent", "browser", "hacker");

    @Override
    ElementType getGuessedType() {
        return ElementType.interactor;
    }

    @Override
    List<String> getDesignatingString() {
        return SIGNS;
    }

}

--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/validation/ValidationException.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved.
*/
package com.github.rusakovichma.tictaac.validation;

/**
 * Unchecked exception raised when a model fails validation.
 * <p>
 * When constructed from {@link ValidationErrors}, the exception message is the
 * errors' {@code getSummary()} text, so it can be shown to the user as-is.
 * Constructors taking {@code errors} dereference it and therefore reject null.
 */
public class ValidationException extends RuntimeException {

    /** No message and no cause (a cause may still be attached later via initCause). */
    public ValidationException() {
        super();
    }

    /** Message = summary of {@code errors}; no cause. */
    public ValidationException(ValidationErrors errors) {
        super(errors.getSummary());
    }

    /** Message = summary of {@code errors}, with the given cause. */
    public ValidationException(ValidationErrors errors, Throwable cause) {
        super(errors.getSummary(), cause);
    }

    /** Message = {@code cause.toString()}, as defined by {@link RuntimeException#RuntimeException(Throwable)}. */
    public ValidationException(Throwable cause) {
        super(cause);
    }

    /** Full-control constructor mirroring the protected {@link RuntimeException} one. */
    public ValidationException(ValidationErrors errors, Throwable cause,
                               boolean enableSuppression, boolean writableStackTrace) {
        super(errors.getSummary(), cause, enableSuppression, writableStackTrace);
    }
}

--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/engine/el/parser/ExpressionSegregator.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved.
*/
package com.github.rusakovichma.tictaac.engine.el.parser;

/**
 * Pre-processor that brackets an expression with the template's start and end
 * markers, each separated from the expression by {@link EvaluationTemplate#DELIMITER}.
 * <p>
 * The expression text is inserted verbatim; nothing is escaped or validated here.
 */
public class ExpressionSegregator implements ExpressionPreProcessor {

    private final EvaluationTemplate evaluationTemplate;

    public ExpressionSegregator(EvaluationTemplate evaluationTemplate) {
        this.evaluationTemplate = evaluationTemplate;
    }

    /**
     * @param expression raw expression text
     * @return {@code start + DELIMITER + expression + DELIMITER + end}
     * @throws NullPointerException if the template's start marker is null
     */
    @Override
    public String preProcess(String expression) {
        StringBuilder wrapped = new StringBuilder(evaluationTemplate.getEvaluationStart());
        wrapped.append(EvaluationTemplate.DELIMITER).append(expression);
        wrapped.append(EvaluationTemplate.DELIMITER).append(evaluationTemplate.getEvaluationEnd());
        return wrapped.toString();
    }
}

--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/model/ThreatsCollection.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved.
*/
package com.github.rusakovichma.tictaac.model;

import java.util.Collection;

/**
 * Plain data holder for a named, versioned set of threats.
 * <p>
 * Mutable bean without validation: every property is {@code null} until set,
 * and the threats collection is stored by reference (no defensive copy).
 */
public class ThreatsCollection {

    private String name;
    private String version;

    // Element type is raw on this page; NOTE(review): presumably the model's threat entry type — confirm.
    private Collection threats;

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }

    public String getVersion() {
        return version;
    }

    public void setVersion(String version) {
        this.version = version;
    }

    public Collection getThreats() {
        return threats;
    }

    public void setThreats(Collection threats) {
        this.threats = threats;
    }
}

--------------------------------------------------------------------------------
/src/test/java/com/github/rusakovichma/tictaac/util/FileUtilTest.java:
--------------------------------------------------------------------------------
package com.github.rusakovichma.tictaac.util;

import com.github.rusakovichma.tictaac.provider.reader.ThreatModelFilter;
import org.junit.jupiter.api.Test;

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.function.Consumer;

import static org.junit.jupiter.api.Assertions.*;

class FileUtilTest {

    @Test
    void readLineByLine() throws IOException {
        Consumer<String> lineReader = string -> assertTrue(!string.isEmpty());
        FileUtil.readLineByLine("src/test/resources/threat-model-test.yml", lineReader);
    }

    @Test
    void extractFiles() throws IOException {
        List<String> paths = new ArrayList<>();

        paths.add("src/test/resources/threat-model-test.yml");
        paths.add("src/test/resources/");

        List threatModels = FileUtil.extractFiles(paths, new ThreatModelFilter());
        assertEquals(7, threatModels.size());
    }

    @Test
    void getFilenameWithoutExtensionFromPath() {
        String filename = FileUtil.getFilenameWithoutExtensionFromPath("src/test/resources/threat-model-test.yml");
        assertEquals("threat-model-test", filename);
    }

    @Test
    void getParentFolderFromFilePath() {
        String parent = FileUtil.getParentFolderFromFilePath("src/test/resources/threat-model-test.yml");
        assertEquals("src/test/resources/", parent);
    }
}
--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/model/threatmodel/boundary/BoundaryCategory.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved.
*/
package com.github.rusakovichma.tictaac.model.threatmodel.boundary;

/**
 * Trust-boundary categories of a threat model.
 * <p>
 * {@link #getOrder()} is the comparison key: larger values are further outside
 * (External Network = 3 … Local = 0), and {@link #undefined} sits below all of
 * them at -1. Compare by order, never by {@code ordinal()}, which only reflects
 * declaration position.
 */
public enum BoundaryCategory {
    globalNetwork(3, "External Network"),
    demilitarizedZone(2, "DMZ"),
    corporateNetwork(1, "Internal Network"),
    closedPerimeter(0, "Local"),
    undefined(-1, "Undefined");

    /** Exposure rank; larger means further from the protected core. */
    private final int order;
    /** Human-readable label used in output. */
    private final String description;

    BoundaryCategory(int order, String description) {
        this.order = order;
        this.description = description;
    }

    public int getOrder() {
        return order;
    }

    public String getDescription() {
        return description;
    }

    /**
     * The constant's name (same as the default {@code toString}); kept explicit,
     * presumably so rendered output matches the lowerCamelCase names used in
     * model files — confirm before removing.
     */
    @Override
    public String toString() {
        return name();
    }
}

--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/correction/DataFlowTitleCorrector.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved.
*/
package com.github.rusakovichma.tictaac.correction;

import com.github.rusakovichma.tictaac.model.threatmodel.DataFlow;

/**
 * Fills in a missing data-flow title from its endpoints, in the form
 * {@code "<source>" to "<target>" flow}, using each endpoint's name or — when
 * the name is absent — its id.
 */
public class DataFlowTitleCorrector implements Corrector {

    /**
     * @param flow flow to correct; its source and target must be set
     * @return {@code true} if a title was generated, {@code false} if the flow
     *         already had a non-blank title
     * @throws NullPointerException if {@code flow}, its source or its target is null
     */
    @Override
    public boolean tryToCorrect(DataFlow flow) {
        if (!isBlank(flow.getTitle())) {
            return false;
        }
        String source = labelOf(flow.getSource().getName(), flow.getSource().getId());
        String target = labelOf(flow.getTarget().getName(), flow.getTarget().getId());
        flow.setTitle(String.format("\"%s\" to \"%s\" flow", source, target));
        return true;
    }

    /** Null or whitespace-only counts as "no title". */
    private static boolean isBlank(String title) {
        return title == null || title.trim().isEmpty();
    }

    /** Prefers the element's name; falls back to its id when the name is null. */
    private static String labelOf(String name, String id) {
        return name != null ? name : id;
    }
}

--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/reporter/FileStreamThreatsReporter.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved.
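*/
package com.github.rusakovichma.tictaac.reporter;

import java.io.File;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.util.Objects;

/**
 * {@link StreamThreatsReporter} writing to {@code <reportOut>/<reportName>.<format>}.
 * <p>
 * The file is created (or truncated) when the reporter is constructed. The
 * target path is assembled from the arguments as given: {@code reportName} is
 * not sanitised, so a name containing path separators changes the directory the
 * report lands in — validate it at the call site if it does not come from the
 * tool's own configuration.
 */
public class FileStreamThreatsReporter extends StreamThreatsReporter {

    /**
     * @param reportOut    directory the report is written into (must not be null)
     * @param reportName   base file name without extension
     * @param reportFormat format; its enum name becomes the file extension
     * @throws FileNotFoundException if the file cannot be created (missing
     *         directory, no permission, path is a directory)
     * @throws NullPointerException  if {@code reportOut} or {@code reportFormat} is null
     */
    public FileStreamThreatsReporter(String reportOut, String reportName, ReportFormat reportFormat)
            throws FileNotFoundException {
        // File(parent, child) resolves like the former "parent + separator + child"
        // string, including the empty-parent case. requireNonNull keeps the previous
        // failure on a null directory instead of silently writing relative to the
        // working directory, which File(null, child) would do.
        super(new FileOutputStream(new File(
                        Objects.requireNonNull(reportOut, "reportOut"),
                        reportName + "." + reportFormat.name())),
                reportFormat);
    }
}

--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/util/ResourceUtil.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved.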
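*/
package com.github.rusakovichma.tictaac.util;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.UncheckedIOException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.stream.Collectors;


/**
 * Reads text resources (templates, help text) bundled on the class path.
 * <p>
 * Content is decoded as UTF-8 regardless of the platform default charset and
 * returned with lines joined by {@code "\n"}; a trailing newline in the
 * resource is not preserved.
 */
public class ResourceUtil {

    private ResourceUtil() {
    }

    /**
     * Reads a class-path resource by name, resolved relative to this class
     * (a leading {@code /} makes the name absolute, per {@link Class#getResource}).
     *
     * @param url resource name
     * @return the resource text
     * @throws IllegalStateException if the resource does not exist or cannot be read
     */
    public static String readResource(String url) {
        URL resource = ResourceUtil.class.getResource(url);
        return readResource(resource);
    }

    /**
     * Reads the whole text behind {@code resource}.
     *
     * @param resource location to read; {@code null} (an unresolved name) is
     *                 rejected with a clear message rather than a NullPointerException
     * @return the resource text
     * @throws IllegalStateException if the resource is null or reading fails;
     *         the underlying I/O exception is attached as the cause
     */
    public static String readResource(URL resource) {
        if (resource == null) {
            throw new IllegalStateException("Failed to read: resource not found (null URL)");
        }
        // Explicit UTF-8: pre-JDK 18 the one-arg InputStreamReader uses the platform charset.
        try (BufferedReader reader = new BufferedReader(
                new InputStreamReader(resource.openStream(), StandardCharsets.UTF_8))) {
            return reader.lines().collect(Collectors.joining("\n"));
        } catch (IOException | UncheckedIOException e) {
            // lines() reports read errors as UncheckedIOException; openStream() as IOException.
            throw new IllegalStateException("Failed to read: " + resource, e);
        }
    }

}

--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/model/ThreatsLibrary.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved.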
*/
package com.github.rusakovichma.tictaac.model;

import com.github.rusakovichma.tictaac.model.threatmodel.annotation.RootCollection;

import java.util.LinkedList;

/**
 * Plain data holder for a named, versioned library of threat rules.
 * <p>
 * Mutable bean without validation. {@code rules} carries {@link RootCollection}
 * (its meaning is defined by that annotation, not here) and is stored by
 * reference — no copy, no null check.
 */
public class ThreatsLibrary {

    private String name;
    private String version;
    // Element type is raw on this page; NOTE(review): presumably the library's rule type — confirm.
    @RootCollection
    private LinkedList rules;

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }

    public String getVersion() {
        return version;
    }

    public void setVersion(String version) {
        this.version = version;
    }

    public LinkedList getRules() {
        return rules;
    }

    public void setRules(LinkedList rules) {
        this.rules = rules;
    }
}

--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/engine/el/expression/ParamComparableExpression.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved.
*/
package com.github.rusakovichma.tictaac.engine.el.expression;

import com.github.rusakovichma.tictaac.engine.el.EvaluationContext;

/**
 * Base for expressions that compare a context parameter ({@code P}) against a
 * literal value ({@code V}); both are supplied through the setters after
 * construction and are {@code null} until then.
 *
 * @param <V> type of the value compared against
 * @param <P> type of the parameter reference
 */
abstract class ParamComparableExpression<V, P> extends AbstractExpression
        implements ValueComparable<V>, ParametrableExpression<P> {

    protected V valueToCompare;
    protected P parameter;

    public ParamComparableExpression(EvaluationContext context) {
        super(context);
    }

    public V getValueToCompare() {
        return valueToCompare;
    }

    @Override
    public void setValueToCompare(V valueToCompare) {
        this.valueToCompare = valueToCompare;
    }

    public P getParameter() {
        return parameter;
    }

    public void setParameter(P parameter) {
        this.parameter = parameter;
    }
}

--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/correction/ElementGuesser.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved.
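*/
package com.github.rusakovichma.tictaac.correction;

import com.github.rusakovichma.tictaac.model.threatmodel.Element;
import com.github.rusakovichma.tictaac.model.threatmodel.element.ElementType;

import java.util.List;
import java.util.Locale;

/**
 * Template for guessers that infer an element's type from substrings of its id.
 * <p>
 * Only elements with no type yet and a non-null id are touched; the first
 * matching sign wins. Matching is case-insensitive and locale-independent
 * ({@link Locale#ROOT}), so an id like {@code "IOS-App"} matches the sign
 * {@code "ios"} whatever the JVM's default locale is.
 */
abstract class ElementGuesser implements Guesser {

    /**
     * @param element candidate element
     * @return {@code true} if a type was assigned; {@code false} if the element
     *         already had a type, has no id, or matches none of the signs
     */
    public boolean tryToCorrect(Element element) {
        if (element.getType() != null || element.getId() == null) {
            return false;
        }
        // Lower-case once, with Locale.ROOT: the default locale's rules (e.g. the
        // Turkish dotless i for 'I') would otherwise make signs such as "ios" miss.
        String id = element.getId().toLowerCase(Locale.ROOT);
        for (String elementSign : getDesignatingString()) {
            if (id.contains(elementSign.toLowerCase(Locale.ROOT))) {
                element.setType(getGuessedType());
                return true;
            }
        }

        return false;
    }

    /** Type assigned when one of the designating strings matches. */
    abstract ElementType getGuessedType();

    /** Substrings (any case) whose presence in the id designates {@link #getGuessedType()}. */
    abstract List<String> getDesignatingString();

}

--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/parser/model/NodeTree.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved.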
*/
package com.github.rusakovichma.tictaac.parser.model;

import java.util.LinkedList;
import java.util.List;
import java.util.Optional;
import java.util.function.Predicate;
import java.util.stream.Collectors;

/**
 * A parsed model as a list of nodes, with predicate-based lookup.
 * <p>
 * NOTE(review): the generic type arguments of {@code LinkedList}, {@code List>},
 * {@code Optional} and {@code Predicate} were stripped by the rendering of this
 * page; restore them from the repository before compiling. The class extends
 * {@link LinkedList} directly, so it is mutable and exposes every list operation.
 */
public class NodeTree extends LinkedList {

    /**
     * Returns a new tree holding the nodes that satisfy every predicate, in
     * list order; an empty predicate list keeps all nodes (the reduce identity
     * is {@code x -> true}). The receiver is not modified.
     */
    public NodeTree filter(List> predicates) {
        return this.stream()
                .filter(predicates.stream().reduce(x -> true, Predicate::and))
                .collect(Collectors.toCollection(NodeTree::new));
    }

    /** First node (in list order) satisfying all predicates, if any. */
    public Optional filterNode(List> predicates) {
        return filter(predicates)
                .stream()
                .findFirst();
    }

    /** First node (in list order) satisfying the single predicate, if any. */
    public Optional filter(Predicate predicate) {
        return this.stream()
                .filter(predicate)
                .findFirst();
    }

}

--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/engine/el/expression/CompoundExpression.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved.
*/
package com.github.rusakovichma.tictaac.engine.el.expression;

import com.github.rusakovichma.tictaac.engine.el.EvaluationContext;

/**
 * Base for binary expressions (and/or): holds the two operands injected through
 * {@link ExpressionAware}.
 * <p>
 * Operands are kept as {@link AbstractExpression}; the setters cast, so any
 * other {@link Expression} implementation is rejected with a ClassCastException.
 * Both operands are {@code null} until set.
 */
abstract class CompoundExpression extends AbstractExpression implements ExpressionAware {

    protected AbstractExpression exprOne;
    protected AbstractExpression exprAnother;

    public CompoundExpression(EvaluationContext context) {
        super(context);
    }

    public Expression getExprOne() {
        return exprOne;
    }

    public Expression getExprAnother() {
        return exprAnother;
    }

    /** @throws ClassCastException if {@code exprOne} is not an {@link AbstractExpression} */
    @Override
    public void setExprOne(Expression exprOne) {
        this.exprOne = asAbstract(exprOne);
    }

    /** @throws ClassCastException if {@code exprAnother} is not an {@link AbstractExpression} */
    @Override
    public void setExprAnother(Expression exprAnother) {
        this.exprAnother = asAbstract(exprAnother);
    }

    private static AbstractExpression asAbstract(Expression expression) {
        return (AbstractExpression) expression;
    }

}

--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/provider/reader/ClassPathReader.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved.
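*/
package com.github.rusakovichma.tictaac.provider.reader;

import com.github.rusakovichma.tictaac.parser.impl.NodeTreeParser;
import com.github.rusakovichma.tictaac.parser.model.NodeTree;
import com.github.rusakovichma.tictaac.util.ResourceUtil;

import java.io.IOException;
import java.io.InputStream;
import java.net.URL;

/**
 * {@link Reader} for bundled resources addressed as {@code classpath:<name>}.
 * <p>
 * The name is resolved relative to {@link ResourceUtil}'s class (so a name
 * without a leading {@code /} is looked up in that class's package), matching
 * {@link ResourceUtil#readResource(String)}.
 */
class ClassPathReader implements Reader {

    private static final String PREFIX = "classpath:";

    /**
     * @param path resource name, optionally prefixed with {@code classpath:} in any letter case
     * @return the parsed tree
     * @throws RuntimeException if the resource does not exist or cannot be read;
     *         the message carries the path as given and the cause is attached
     */
    @Override
    public NodeTree read(String path) {
        // Case-insensitive prefix strip: UnifiedReader dispatches here on a
        // lower-cased comparison, so "CLASSPATH:x" must be accepted as well.
        String name = path;
        if (path.regionMatches(true, 0, PREFIX, 0, PREFIX.length())) {
            name = path.substring(PREFIX.length());
        }

        URL resource = ResourceUtil.class.getResource(name);
        if (resource == null) {
            // getResource() returns null for a missing resource; say so instead of
            // failing with a NullPointerException on openStream().
            throw new RuntimeException("Cannot init classpath file[" + path + "]: resource not found");
        }
        // try-with-resources: the stream is closed even when the parser throws.
        try (InputStream in = resource.openStream()) {
            return new NodeTreeParser().getNodeTree(in);
        } catch (IOException ex) {
            // The cause travels with the exception; no separate stack-trace print.
            throw new RuntimeException("Cannot init classpath file[" + path + "]", ex);
        }
    }
}

--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/util/ImageUtils.java:
--------------------------------------------------------------------------------
package com.github.rusakovichma.tictaac.util;

import javax.imageio.ImageIO;
import java.awt.image.BufferedImage;
import java.io.*;

/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved.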
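 */
/**
 * Byte-array / {@link BufferedImage} conversions on top of {@link ImageIO}.
 * <p>
 * ImageIO signals "no codec for this format/data" by returning {@code false}
 * or {@code null} rather than throwing; these helpers turn that into an
 * {@link IOException} so a failure can never yield an empty or null image silently.
 */
public class ImageUtils {

    /**
     * Encodes an image with the given ImageIO format name (e.g. {@code "png"}).
     *
     * @throws IOException if encoding fails, or if no writer is registered for
     *         {@code format} (previously this case returned an empty byte array)
     */
    public static byte[] toByteArray(BufferedImage bi, String format) throws IOException {
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        if (!ImageIO.write(bi, format, baos)) {
            throw new IOException("No ImageIO writer registered for format [" + format + "]");
        }
        return baos.toByteArray();
    }

    /**
     * Decodes image bytes with whichever ImageIO reader recognises them.
     *
     * @throws IOException if the bytes are not in a registered image format
     *         (ImageIO.read reports that with {@code null}) or decoding fails
     */
    public static BufferedImage toBufferedImage(byte[] bytes) throws IOException {
        BufferedImage image = ImageIO.read(new ByteArrayInputStream(bytes));
        if (image == null) {
            throw new IOException("Bytes are not a recognised image");
        }
        return image;
    }

    /**
     * Decodes {@code image} and writes it to {@code path} in {@code format}
     * (a re-encode, not a byte copy; the file is created or overwritten).
     *
     * @throws IOException if the bytes cannot be decoded, no writer exists for
     *         {@code format}, or the file cannot be written
     */
    public static void saveToFile(byte[] image, String format, String path) throws IOException {
        BufferedImage decoded = toBufferedImage(image);
        if (!ImageIO.write(decoded, format, new File(path))) {
            throw new IOException("No ImageIO writer registered for format [" + format + "]");
        }
    }
}

--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/provider/reader/UnifiedReader.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved.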
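*/
package com.github.rusakovichma.tictaac.provider.reader;

import com.github.rusakovichma.tictaac.parser.model.NodeTree;

import java.util.Collections;
import java.util.Locale;
import java.util.Map;

/**
 * Front door for reading a model: selects a concrete {@link Reader} from the
 * path's scheme prefix.
 * <ul>
 *   <li>{@code http:} / {@code https:} — {@code UrlReader}, which fetches the
 *       document from the given URL (what it does with {@code parameters} is
 *       not visible here);</li>
 *   <li>{@code classpath:} — {@link ClassPathReader};</li>
 *   <li>anything else — {@link ExternalReader}, a local file.</li>
 * </ul>
 * Scheme matching is case-insensitive and independent of the default locale.
 */
public class UnifiedReader implements Reader {

    // Passed to UrlReader unchanged; the other readers take no parameters.
    private final Map parameters;

    public UnifiedReader(Map parameters) {
        this.parameters = parameters;
    }

    public UnifiedReader() {
        this.parameters = Collections.emptyMap();
    }


    /**
     * @param path location of the model, optionally prefixed with a scheme
     * @return the tree produced by the selected reader
     * @throws IllegalArgumentException if {@code path} is null
     */
    @Override
    public NodeTree read(String path) {
        if (path == null) {
            throw new IllegalArgumentException("File path parameter cannot be null");
        }

        // Locale.ROOT: the prefixes are ASCII; the JVM's default locale must not affect the match.
        String lowerPath = path.toLowerCase(Locale.ROOT);
        if (lowerPath.startsWith("http:") || lowerPath.startsWith("https:")) {
            return new UrlReader(parameters).read(path);
        }

        if (lowerPath.startsWith("classpath:")) {
            return new ClassPathReader().read(path);
        }

        return new ExternalReader().read(path);
    }
}

--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/correction/UniversalElementGuesser.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved.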
*/
package com.github.rusakovichma.tictaac.correction;

import com.github.rusakovichma.tictaac.model.threatmodel.Element;

import java.util.ArrayList;
import java.util.Collection;

/**
 * Composite {@link Guesser}: runs the specific element guessers in a fixed
 * order and stops at the first one that corrects the element.
 * <p>
 * The order matters when an id matches more than one guesser's signs — the
 * earlier one (web server, then database, proxy, interactor, external service,
 * internal service, process) wins.
 */
public class UniversalElementGuesser implements Guesser {

    private final Collection<Guesser<Element>> guessers;

    public UniversalElementGuesser() {
        guessers = buildChain();
    }

    // Declaration order is the priority order.
    private static Collection<Guesser<Element>> buildChain() {
        Collection<Guesser<Element>> chain = new ArrayList<>();
        chain.add(new WebserverGuesser());
        chain.add(new DatabaseGuesser());
        chain.add(new ProxyServerGuesser());
        chain.add(new InteractorGuesser());
        chain.add(new ExternalServiceGuesser());
        chain.add(new InternalServiceGuesser());
        chain.add(new ProcessGuesser());
        return chain;
    }

    /**
     * @return {@code true} as soon as one guesser corrects the element,
     *         {@code false} if none does
     */
    @Override
    public boolean tryToCorrect(Element element) {
        for (Guesser<Element> guesser : guessers) {
            if (guesser.tryToCorrect(element)) {
                return true;
            }
        }
        return false;
    }
}

--------------------------------------------------------------------------------
/src/main/java/com/github/rusakovichma/tictaac/model/risk/RiskFactor.java:
--------------------------------------------------------------------------------
/*
 * This file is part of TicTaaC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved.
/**
 * Immutable (impact, attack vector) pair used as a risk lookup key. Equality and
 * hash code cover both enum fields, so instances are safe as map keys.
 */
public class RiskFactor {

    private final ThreatSeverity impact;
    private final BoundaryCategory attackVector;

    /**
     * @param impact       severity of the threat if realised
     * @param attackVector boundary category the attacker reaches the flow from
     */
    public RiskFactor(ThreatSeverity impact, BoundaryCategory attackVector) {
        this.impact = impact;
        this.attackVector = attackVector;
    }

    public ThreatSeverity getImpact() {
        return this.impact;
    }

    public BoundaryCategory getAttackVector() {
        return this.attackVector;
    }

    /** Same runtime class and both enum fields identical (enums compare by reference). */
    @Override
    public boolean equals(Object other) {
        if (other == this) {
            return true;
        }
        if (other == null || other.getClass() != this.getClass()) {
            return false;
        }
        RiskFactor that = (RiskFactor) other;
        return that.impact == this.impact && that.attackVector == this.attackVector;
    }

    @Override
    public int hashCode() {
        return Objects.hash(this.impact, this.attackVector);
    }
}
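/**
 * Reflection helpers used by the mappers to classify field types.
 */
public class ClassUtil {

    /** Boxed primitives (plus Void) that count as plain scalar types; read-only. */
    private static final Set<Class<?>> WRAPPER_TYPES = getWrapperTypes();

    private ClassUtil() {
    }

    /**
     * @return true when {@code cls} is {@code java.util.Collection} or a subtype of it
     * @throws NullPointerException for a null class
     */
    public static boolean isCollection(Class<?> cls) {
        return Collection.class.isAssignableFrom(cls);
    }

    /** @return true when {@code clazz} is one of the boxed primitive classes (or Void). */
    public static boolean isWrapperType(Class<?> clazz) {
        return WRAPPER_TYPES.contains(clazz);
    }

    private static Set<Class<?>> getWrapperTypes() {
        Set<Class<?>> ret = new HashSet<>();
        ret.add(Boolean.class);
        ret.add(Character.class);
        ret.add(Byte.class);
        ret.add(Short.class);
        ret.add(Integer.class);
        ret.add(Long.class);
        ret.add(Float.class);
        ret.add(Double.class);
        ret.add(Void.class);
        // wrapped so the shared constant cannot be mutated through a leaked reference
        return java.util.Collections.unmodifiableSet(ret);
    }

    /**
     * True for primitives, their boxes, and String — types a mapper can set directly
     * from a scalar node.
     *
     * NOTE(review): {@code cls.isAssignableFrom(String.class)} asks whether {@code cls}
     * is a supertype of String, so Object, CharSequence, Comparable and Serializable
     * also report as plain; {@code cls == String.class} is probably what was meant.
     * Left unchanged because the mappers' field handling may rely on the current
     * answer — confirm before tightening.
     *
     * @throws NullPointerException for a null class
     */
    public static boolean isPlainType(Class<?> cls) {
        return cls.isPrimitive() || isWrapperType(cls) || cls.isAssignableFrom(String.class);
    }

}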
33 | - database 34 | name: PostgreSQL 35 | type: database 36 | stored-assets: 37 | - personal-data 38 | - image-file 39 | - comments 40 | boundaries: 41 | - dmz 42 | category: demilitarized-zone 43 | elements: 44 | - proxy-server 45 | - internal-network 46 | category: closed-perimeter 47 | elements: 48 | - web-server 49 | - database 50 | - internet 51 | category: global-network 52 | elements: 53 | - legitimate-user 54 | data-flows: 55 | - legitimate-user -> proxy-server 56 | title: Users Request 57 | authentication-method: openid 58 | authorization: read-write 59 | account-management: external-sso 60 | encryption: yes 61 | transferred-assets: 62 | - personal-data 63 | - image-file 64 | - comments 65 | - proxy-server -> web-server 66 | title: Request to WebServer 67 | authentication-method: certificate 68 | authorization: read-write 69 | encryption: no 70 | transferred-assets: 71 | - personal-data 72 | - image-file 73 | - comments 74 | - web-server -> database 75 | title: Database query 76 | authentication-method: credentials 77 | authorization: admin 78 | encryption: yes 79 | account-management: local-account 80 | transferred-assets: 81 | - personal-data 82 | - image-file 83 | - comments -------------------------------------------------------------------------------- /src/main/java/com/github/rusakovichma/tictaac/engine/el/parser/ExpressionEntitySeparator.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of TicTaaC. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
/**
 * Pre-processing step that pads the structural tokens "(", ")" and "==" with
 * {@link EvaluationTemplate#DELIMITER} so a later split on the delimiter yields
 * them as separate entities.
 */
public class ExpressionEntitySeparator implements ExpressionPreProcessor {

    private static final String DELIM = EvaluationTemplate.DELIMITER;
    private static final String[] toSeparate = {"(", ")", "=="};

    /**
     * Surrounds every occurrence of {@code occur} in {@code exprBuilder} with DELIM,
     * mutating the builder in place.
     *
     * A leading DELIM is only inserted when the token starts at index 2 or later
     * ({@code offset - 1 > 0}), so a token at index 0 or 1 gets no leading delimiter.
     *
     * NOTE(review): the trailing insert position {@code index + occur.length() + 1}
     * assumes (a) DELIM is a single character and (b) a leading DELIM was inserted;
     * when the leading insert is skipped (index 0 or 1) the trailing DELIM lands one
     * character past the token. The same single-character assumption is baked into the
     * {@code 2 * DELIM.length() + 1} resume offset. Confirm DELIMITER's value and the
     * ordering of the other pre-processors before relying on this for expressions that
     * open with "(".
     */
    private void seclude(StringBuilder exprBuilder, String occur) {
        int index = exprBuilder.indexOf(occur);
        int offset = 0;

        while (index >= 0) {
            offset = index;

            if (offset - 1 > 0) {
                // insert(...) returns the same builder; the reassignment is a no-op
                exprBuilder = exprBuilder.insert(index, DELIM);
            }

            // trailing delimiter; +1 accounts for the leading DELIM inserted above
            exprBuilder.insert(index + occur.length() + 1, DELIM);
            // resume the search after the token and the two inserted delimiters
            index = exprBuilder.indexOf(occur, index + 2 * DELIM.length() + 1);
        }

    }

    /**
     * @param expression the raw rule expression
     * @return the expression with each structural token delimited; tokens are processed
     *         in the order of {@code toSeparate}
     */
    @Override
    public String preProcess(String expression) {
        StringBuilder exprBuilder = new StringBuilder(expression);

        for (int i = 0; i < toSeparate.length; i++) {
            String token = toSeparate[i];
            seclude(exprBuilder, token);
        }

        return exprBuilder.toString();
    }
}
26 | - web-server 27 | name: API Server 28 | type: web-server 29 | processed-assets: 30 | - personal-data 31 | - image-file 32 | - comments 33 | - database 34 | name: PostgreSQL 35 | type: database 36 | stored-assets: 37 | - personal-data 38 | - image-file 39 | - comments 40 | boundaries: 41 | - dmz 42 | category: demilitarized-zone 43 | elements: 44 | - proxy-server 45 | - internal-network 46 | category: closed-perimeter 47 | elements: 48 | - web-server 49 | - database 50 | - internet 51 | category: global-network 52 | elements: 53 | - legitimate-user 54 | data-flows: 55 | - legitimate-user -> proxy-server 56 | title: Users Request 57 | authentication-method: openid 58 | authorization: read-write 59 | account-management: external-sso 60 | encryption: yes 61 | transferred-assets: 62 | - personal-data 63 | - image-file 64 | - comments 65 | - proxy-server -> web-server 66 | title: Request to WebServer 67 | authentication-method: certificate 68 | authorization: read-write 69 | encryption: no 70 | transferred-assets: 71 | - personal-data 72 | - image-file 73 | - comments 74 | - web-server -> database 75 | title: Database query 76 | authentication-method: credentials 77 | authorization: admin 78 | encryption: no 79 | account-management: local-account 80 | transferred-assets: 81 | - personal-data 82 | - image-file 83 | - comments -------------------------------------------------------------------------------- /src/test/java/com/github/rusakovichma/tictaac/mapper/ThreatsLibraryMapperTest.java: -------------------------------------------------------------------------------- 1 | package com.github.rusakovichma.tictaac.mapper; 2 | 3 | import com.github.rusakovichma.tictaac.model.ThreatCategory; 4 | import com.github.rusakovichma.tictaac.model.ThreatSeverity; 5 | import com.github.rusakovichma.tictaac.model.ThreatsLibrary; 6 | import com.github.rusakovichma.tictaac.parser.impl.NodeTreeParser; 7 | import com.github.rusakovichma.tictaac.parser.model.NodeTree; 8 | import 
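class ThreatsLibraryMapperTest {

    private static final String FIXTURE = "src/test/resources/threats-provider-test.yml";

    /** Parses the fixture into a ThreatsLibrary, closing the file stream afterwards. */
    private static ThreatsLibrary loadFixture() throws Exception {
        try (InputStream fileInputStream = FileUtil.fileToInputStream(FIXTURE)) {
            NodeTree tree = new NodeTreeParser().getNodeTree(fileInputStream);
            return new ThreatsLibraryMapper(tree).getModel();
        }
    }

    /** Header fields and the two rules of the fixture map onto the model. */
    @Test
    void getModel() throws Exception {
        ThreatsLibrary threatsLibrary = loadFixture();

        // assertEquals (not assertTrue(a.equals(b))) so a failure reports both values
        assertEquals("Threats rules set for test", threatsLibrary.getName());
        assertEquals("0.1.1", threatsLibrary.getVersion());

        assertEquals(2, threatsLibrary.getRules().size());
        assertEquals(ThreatSeverity.High, threatsLibrary.getRules().get(0).getSeverity());
        assertSame(ThreatCategory.informationDisclosure,
                threatsLibrary.getRules().get(1).getCategories().toArray()[0]);
    }

    /** YAML comments must not leak into mapped string values. */
    @Test
    void checkOmitComments() throws Exception {
        ThreatsLibrary threatsLibrary = loadFixture();

        assertFalse(threatsLibrary.getRules().get(0).getTitle().contains("# some comment 1"));
    }

}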
name: User 14 | type: interactor 15 | produced-assets: 16 | - personal-data 17 | - image-file 18 | - comments 19 | - proxy-server 20 | name: Proxy Server 21 | type: proxy-server 22 | processed-assets: 23 | - personal-data 24 | - image-file 25 | - comments 26 | - web-server 27 | name: API Server 28 | type: web-server 29 | processed-assets: 30 | - personal-data 31 | - image-file 32 | - comments 33 | - database 34 | name: PostgreSQL 35 | type: database 36 | stored-assets: 37 | - personal-data 38 | - image-file 39 | - comments 40 | - external-service 41 | name: External service 42 | type: external-service 43 | boundaries: 44 | - dmz 45 | category: demilitarized-zone 46 | elements: 47 | - proxy-server 48 | - internal-network 49 | category: closed-perimeter 50 | elements: 51 | - web-server 52 | - database 53 | - internet 54 | category: global-network 55 | elements: 56 | - legitimate-user 57 | data-flows: 58 | - legitimate-user -> proxy-server 59 | title: Users Request 60 | authentication-method: openid 61 | authorization: read-write 62 | account-management: external-sso 63 | encryption: yes 64 | transferred-assets: 65 | - personal-data 66 | - image-file 67 | - comments 68 | - proxy-server -> web-server 69 | title: Request to WebServer 70 | authentication-method: certificate 71 | authorization: read-write 72 | encryption: no 73 | transferred-assets: 74 | - personal-data 75 | - image-file 76 | - comments 77 | - web-server -> database 78 | title: Database query 79 | authentication-method: credentials 80 | authorization: admin 81 | encryption: yes 82 | account-management: local-account 83 | transferred-assets: 84 | - personal-data 85 | - image-file 86 | - comments 87 | - web-server -> external-service -------------------------------------------------------------------------------- /src/test/resources/threat-model-test-with-comments.yml: -------------------------------------------------------------------------------- 1 | name: Threat Model Name 2 | version: 1.0.1 3 | assets: 
# comment 1 4 | - personal-data 5 | sensitivity: sensitive 6 | description: name, email 7 | - image-file 8 | sensitivity: sensitive # comment 2 9 | - comments 10 | sensitivity: non-sensitive 11 | # comment j 12 | elements: 13 | - legitimate-user 14 | name: User 15 | type: interactor 16 | produced-assets: 17 | - personal-data 18 | - image-file # comment 3 19 | - comments 20 | - proxy-server # comment 4 21 | name: Proxy Server # comment 2 22 | type: proxy-server 23 | processed-assets: 24 | - personal-data 25 | - image-file 26 | - comments 27 | - web-server 28 | name: API Server 29 | type: web-server 30 | in-scope: false 31 | processed-assets: 32 | - personal-data 33 | - image-file 34 | - comments 35 | # comment 5 36 | - database 37 | name: PostgreSQL 38 | type: database 39 | stored-assets: 40 | - personal-data 41 | - image-file 42 | - comments 43 | boundaries: # comment 6 44 | - dmz 45 | category: demilitarized-zone 46 | elements: # comment 7 47 | - proxy-server 48 | - internal-network 49 | category: closed-perimeter 50 | elements: 51 | - web-server 52 | - database 53 | - internet 54 | category: global-network # comment 8 55 | elements: 56 | - legitimate-user 57 | # comment x 58 | data-flows: 59 | - legitimate-user -> proxy-server 60 | title: Users Request 61 | authentication-method: openid 62 | authorization: read-write 63 | account-management: external-sso 64 | encryption: yes 65 | transferred-assets: 66 | - personal-data 67 | - image-file 68 | - comments 69 | - proxy-server -> web-server 70 | title: Request to WebServer 71 | authentication-method: certificate 72 | authorization: read-write 73 | encryption: no 74 | transferred-assets: 75 | - personal-data 76 | - image-file 77 | - comments 78 | - web-server -> database 79 | title: Database query 80 | authentication-method: credentials 81 | authorization: admin 82 | encryption: yes 83 | in-scope: false 84 | account-management: local-account 85 | transferred-assets: 86 | - personal-data 87 | - image-file 88 | - 
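FROM azul/zulu-openjdk-alpine:14 AS jlink

# Build a trimmed runtime holding only the modules the CLI needs.
# NOTE(review): JDK 14 is a non-LTS release that no longer receives security updates;
# moving both stages to a supported LTS image (17/21) is advisable, but re-check the
# module list and the deprecated --compress=2 flag against the newer jlink first.
RUN "$JAVA_HOME/bin/jlink" --compress=2 --module-path /opt/java/openjdk/jmods \
    --add-modules java.base,java.compiler,java.datatransfer,jdk.crypto.ec,java.desktop,java.instrument,java.logging,java.management,java.naming,java.rmi,java.security.sasl,java.xml,jdk.unsupported \
    --output /jlinked

FROM azul/zulu-openjdk-alpine:14

ARG VERSION
ARG UID=1000
ARG GID=1000

ENV user=tictaac
ENV JAVA_HOME=/opt/jdk

COPY --from=jlink /jlinked /opt/jdk/

# COPY rather than ADD: the archive is a local build artifact, and ADD's remote-URL /
# auto-extract semantics are neither wanted nor applicable (ADD does not unpack zip).
COPY target/tic-taac-${VERSION}-release.zip /

# --no-cache keeps the apk index out of the layer (the previous "apk update" left it
# behind); unzip is only needed at build time and is removed again.
RUN apk add --no-cache unzip fontconfig ttf-dejavu && \
    unzip tic-taac-${VERSION}-release.zip -d /usr/share/ && \
    rm tic-taac-${VERSION}-release.zip && \
    apk del unzip && \
    addgroup -S -g ${GID} ${user} && adduser -S -D -u ${UID} -G ${user} ${user} && \
    mkdir /usr/share/tic-taac/data && \
    chown -R ${user}:0 /usr/share/tic-taac && \
    chmod -R g=u /usr/share/tic-taac && \
    mkdir /report && \
    chown -R ${user}:0 /report && \
    chmod -R g=u /report && \
    chmod +x /usr/share/tic-taac/bin/tic-taac.sh

### remove any suid sgid - we don't need them
# "+6000" = any of setuid/setgid. GNU find documents this as /6000; the "+" form is the
# legacy spelling — verify the Alpine (BusyBox) find in the chosen base image accepts it.
RUN find / -perm +6000 -type f -exec chmod a-s {} \;
# Numeric UID (not the name) so a runtime policy can verify the container is non-root.
USER ${UID}

VOLUME ["/threat-model", "/report"]

WORKDIR /threat-model

CMD ["--help"]
ENTRYPOINT ["/usr/share/tic-taac/bin/tic-taac.sh"]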
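class ValidatorImplTest {

    /** Parses a YAML fixture into a ThreatModel, closing the file stream afterwards. */
    private static ThreatModel loadModel(String path) throws Exception {
        try (InputStream fileInputStream = FileUtil.fileToInputStream(path)) {
            NodeTree tree = new NodeTreeParser().getNodeTree(fileInputStream);
            return new ThreatModelMapper(tree).getModel();
        }
    }

    /** A model that breaks the validation rules must be rejected with ValidationException. */
    @Test
    void validateNotPassed() throws Exception {
        ThreatModel threatModel = loadModel("src/test/resources/threat-model-validation-test.yml");

        assertThrows(ValidationException.class, () -> {
            Validator validator = new ValidatorImpl();
            validator.validate(threatModel);
        });
    }

    /** The reference model validates without throwing. */
    @Test
    void validatePassed() throws Exception {
        ThreatModel threatModel = loadModel("src/test/resources/threat-model-test.yml");

        Validator validator = new ValidatorImpl();
        validator.validate(threatModel);
    }

    /** The smallest model the validator accepts validates without throwing. */
    @Test
    void validateMinimized() throws Exception {
        ThreatModel threatModel = loadModel("src/test/resources/threat-model-minimized-validation-test.yml");

        Validator validator = new ValidatorImpl();
        validator.validate(threatModel);
    }
}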
-------------------------------------------------------------------------------- /src/main/java/com/github/rusakovichma/tictaac/reporter/chart/XChartPlotter.java: -------------------------------------------------------------------------------- 1 | package com.github.rusakovichma.tictaac.reporter.chart; 2 | 3 | import org.knowm.xchart.BitmapEncoder; 4 | import org.knowm.xchart.PieChart; 5 | import org.knowm.xchart.PieChartBuilder; 6 | import org.knowm.xchart.style.PieStyler; 7 | /* 8 | * This file is part of TicTaaC. 9 | * 10 | * Licensed under the Apache License, Version 2.0 (the "License"); 11 | * you may not use this file except in compliance with the License. 12 | * You may obtain a copy of the License at 13 | * 14 | * http://www.apache.org/licenses/LICENSE-2.0 15 | * 16 | * Unless required by applicable law or agreed to in writing, software 17 | * distributed under the License is distributed on an "AS IS" BASIS, 18 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 19 | * See the License for the specific language governing permissions and 20 | * limitations under the License. 21 | * 22 | * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved. 
/**
 * {@code ChartPlotter} backed by an XChart pie chart of fixed size; series are
 * added by name and the chart is rendered to PNG bytes on demand.
 */
public class XChartPlotter implements ChartPlotter {

    private static final int WIDTH = 500;
    private static final int HEIGHT = 375;

    private final PieChart chart;

    /** @param title caption drawn above the pie */
    public XChartPlotter(String title) {
        this.chart = buildChart(title);
    }

    /** Builds the chart with the Matlab theme, percentage labels and a 10px slice border. */
    private static PieChart buildChart(String title) {
        PieChart pie = new PieChartBuilder()
                .width(WIDTH)
                .height(HEIGHT)
                .title(title)
                .theme(Styler.ChartTheme.Matlab)
                .build();

        PieStyler styler = pie.getStyler();
        styler.setLabelType(PieStyler.LabelType.Percentage);
        styler.setSliceBorderWidth(10);
        return pie;
    }

    @Override
    public void addSeries(String name, int value) {
        chart.addSeries(name, value);
    }

    /**
     * @return the chart encoded as PNG
     * @throws RuntimeException wrapping the encoder's IOException
     */
    @Override
    public byte[] getImageBytes() {
        byte[] png;
        try {
            png = BitmapEncoder.getBitmapBytes(chart, BitmapEncoder.BitmapFormat.PNG);
        } catch (IOException ex) {
            throw new RuntimeException(ex);
        }
        return png;
    }
}
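/**
 * {@code ==} over a model parameter and a rule literal. Enum parameters are compared
 * by name (after {@code NodeHelper.getConventionalName} normalisation of the literal),
 * booleans by parsing the literal, and literals that were replaced by a digest during
 * pre-processing are first restored from {@code stringsHashCache}.
 */
public class ParamEqualsExpression extends ParamComparableExpression {

    /** digest → original quoted literal, filled by the pre-processor (presumably StringHashReplacer). */
    private final Map<String, ?> stringsHashCache;

    public ParamEqualsExpression(EvaluationContext context, Map<String, ?> stringsHashCache) {
        super(context);
        this.stringsHashCache = stringsHashCache;
    }

    /**
     * Records {@code Objects.equals(parameter, literal)} in {@code context} after the
     * coercions described on the class. A null parameter no longer throws (the
     * original NPE'd on {@code param.getClass()}): null equals only null.
     */
    @Override
    public void interpret(EvaluationContext context) {
        Object param = getParameter();
        Object valueToCompare = getValueToCompare();

        if (param == null || valueToCompare == null) {
            context.addEvaluationResult(this, param == null && valueToCompare == null);
            return;
        }

        // instanceof Enum also covers constants with a body, whose getClass() is an
        // anonymous subclass and would fail the isEnum() test
        if (param instanceof Enum) {
            param = param.toString();
            valueToCompare = NodeHelper.getConventionalName(valueToCompare.toString());
        } else if (param instanceof Boolean) {
            valueToCompare = Boolean.valueOf(valueToCompare.toString());
        }

        if (valueToCompare != null && StringUtils.isDigest(valueToCompare.toString())) {
            // an unknown digest yields null here and therefore a false result
            valueToCompare = stringsHashCache.get(valueToCompare.toString());
        }

        context.addEvaluationResult(this, Objects.equals(param, valueToCompare));
    }

}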
/**
 * A piece of data the model protects. Identity is the {@code id} alone — two assets
 * with the same id are equal regardless of sensitivity or description.
 */
public class Asset {

    @Id
    private String id;
    /** Defaults to {@code undefined} until the model sets it. */
    private AssetSensitivity sensitivity = AssetSensitivity.undefined;
    private String description;

    public String getId() {
        return this.id;
    }

    public void setId(String id) {
        this.id = id;
    }

    public AssetSensitivity getSensitivity() {
        return this.sensitivity;
    }

    public void setSensitivity(AssetSensitivity sensitivity) {
        this.sensitivity = sensitivity;
    }

    public String getDescription() {
        return this.description;
    }

    public void setDescription(String description) {
        this.description = description;
    }

    /** Same runtime class and equal ids (both-null ids count as equal). */
    @Override
    public boolean equals(Object other) {
        if (other == this) {
            return true;
        }
        if (other == null || other.getClass() != this.getClass()) {
            return false;
        }
        Asset that = (Asset) other;
        return Objects.equals(this.id, that.id);
    }

    @Override
    public int hashCode() {
        return Objects.hash(this.id);
    }

    @Override
    public String toString() {
        StringBuilder text = new StringBuilder("Asset{");
        text.append("id='").append(this.id).append('}');
        return text.toString();
    }
}
/**
 * "parameter contains &lt;sensitivity&gt;": true when the parameter is a collection
 * holding at least one {@link Asset} whose sensitivity equals the rule literal
 * (normalised through {@code NodeHelper.getConventionalName}).
 *
 * No result is recorded when the literal is null, or when the parameter is null or
 * not a {@code Collection} — the context then sees an absent result rather than
 * {@code false} (NOTE(review): confirm the engine treats a missing result as "not
 * matched"). An unknown sensitivity name makes {@code Enum.valueOf} throw
 * {@code IllegalArgumentException}; a non-Asset element throws {@code ClassCastException}.
 */
public class ParamContainExpression extends ParamComparableExpression {

    public ParamContainExpression(EvaluationContext context) {
        super(context);
    }

    @Override
    public void interpret(EvaluationContext context) {
        Object lhs = getParameter();
        Object rhs = getValueToCompare();

        if (rhs == null) {
            return;
        }

        AssetSensitivity wanted = Enum.valueOf(AssetSensitivity.class,
                NodeHelper.getConventionalName(rhs.toString()));

        // a null lhs fails instanceof, matching the original null + isAssignableFrom guard
        if (!(lhs instanceof Collection)) {
            return;
        }

        context.addEvaluationResult(this, holdsSensitivity((Collection<?>) lhs, wanted));
    }

    /** Linear scan; each element is cast to Asset as the original enhanced-for did. */
    private static boolean holdsSensitivity(Collection<?> assets, AssetSensitivity wanted) {
        for (Object candidate : assets) {
            Asset asset = (Asset) candidate;
            if (asset.getSensitivity() == wanted) {
                return true;
            }
        }
        return false;
    }

}
ThreatModelMapper(tree); 39 | 40 | ThreatModel threatModel = mapper.getModel(); 41 | 42 | assertTrue("Threat Model Name".equals(threatModel.getName())); 43 | assertTrue("1.0.1".equals(threatModel.getVersion())); 44 | 45 | assertTrue(threatModel.getAssets().size() == 3); 46 | assertTrue(threatModel.getElements().size() == 4); 47 | assertFalse(threatModel.getElements().get(2).getInScope()); 48 | 49 | assertTrue(threatModel.getBoundaries().size() == 3); 50 | assertTrue(threatModel.getDataFlows().size() == 3); 51 | assertFalse(threatModel.getDataFlows().get(2).getInScope()); 52 | 53 | assertTrue(!threatModel.getElements().get(1).getName().contains("# comment 2")); 54 | } 55 | } -------------------------------------------------------------------------------- /src/main/java/com/github/rusakovichma/tictaac/provider/rules/StandardThreatRulesProvider.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of TicTaaC. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | * 16 | * Copyright (c) 2022 Mikhail Rusakovich. All Rights Reserved. 
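package com.github.rusakovichma.tictaac.provider.rules;

import com.github.rusakovichma.tictaac.mapper.ThreatsLibraryMapper;
import com.github.rusakovichma.tictaac.model.ThreatsLibrary;
import com.github.rusakovichma.tictaac.provider.reader.Reader;
import com.github.rusakovichma.tictaac.provider.reader.UnifiedReader;

import java.util.HashMap;
import java.util.Map;

/**
 * Loads the threats library (the threat-generating rules) from {@code threatRulesPath} through a
 * {@link UnifiedReader} and maps it to a {@link ThreatsLibrary}.
 *
 * <p>Credentials for a protected web resource are taken from the
 * {@code threatsLibraryAccessUsername} / {@code threatsLibraryAccessPassword} parameters and handed
 * to the reader under the generic {@code username} / {@code password} keys, as the threat-model and
 * mitigation providers do.
 */
public class StandardThreatRulesProvider implements ThreatRulesProvider {

    private static final String USERNAME_PARAM = "threatsLibraryAccessUsername";
    private static final String PASSWORD_PARAM = "threatsLibraryAccessPassword";

    private final String threatRulesPath;
    private final Reader reader;

    /**
     * Picks the reader credentials out of the caller-supplied parameters.
     *
     * <p>Fix: the lookup used to read from the freshly created (still empty) result map instead of
     * {@code params}, so credentials were always dropped. Blank values are still ignored; a
     * {@code null} map yields an empty result.
     *
     * @param params caller parameters (presumably the CLI options), may be {@code null}
     * @return a new map holding only {@code username} / {@code password} when present
     */
    private static Map<String, String> getAccessParams(Map<String, String> params) {
        Map<String, String> accessParams = new HashMap<>();
        if (params == null) {
            return accessParams;
        }
        copyIfPresent(params, USERNAME_PARAM, accessParams, "username");
        copyIfPresent(params, PASSWORD_PARAM, accessParams, "password");
        return accessParams;
    }

    /** Copies {@code from[key]} to {@code to[targetKey]} unless the value is null or blank. */
    private static void copyIfPresent(Map<String, String> from, String key,
                                      Map<String, String> to, String targetKey) {
        String value = from.get(key);
        if (value != null && !value.trim().isEmpty()) {
            to.put(targetKey, value);
        }
    }

    /**
     * @param threatRulesPath local path, web resource or classpath location of the rules file
     * @param params          caller parameters holding the optional access credentials
     */
    public StandardThreatRulesProvider(String threatRulesPath, Map<String, String> params) {
        this.threatRulesPath = threatRulesPath;
        // Fix: the raw parameter map was passed straight through, bypassing getAccessParams(),
        // so the reader never saw the username/password keys it is given by the other providers.
        this.reader = new UnifiedReader(getAccessParams(params));
    }

    /** Provider for a rules file that needs no credentials (local, classpath or public web). */
    public StandardThreatRulesProvider(String threatRulesPath) {
        this.threatRulesPath = threatRulesPath;
        this.reader = new UnifiedReader();
    }

    /** Reads and maps the library on every call; nothing is cached here. */
    @Override
    public ThreatsLibrary getThreatsLibrary() {
        return new ThreatsLibraryMapper(reader.read(threatRulesPath)).getModel();
    }
}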
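package com.github.rusakovichma.tictaac.mapper;

import com.github.rusakovichma.tictaac.model.Threat;
import com.github.rusakovichma.tictaac.model.ThreatRule;
import com.github.rusakovichma.tictaac.model.threatmodel.DataFlow;

import java.util.HashMap;
import java.util.Map;


/**
 * Builds a concrete {@link Threat} from a {@link ThreatRule} applied to a {@link DataFlow},
 * expanding the {@code {flow.name}}, {@code {source.name}} and {@code {target.name}} placeholders
 * in the rule's title, description and remediation.
 */
public class ThreatRuleMapper implements ModelMapper {

    private final ThreatRule rule;
    private final DataFlow flow;

    // placeholder text -> literal replacement value
    private final Map<String, String> entities = new HashMap<>();

    /** Fills the placeholder table from the flow title and the names of its end-points. */
    private void initEntities() {
        entities.put("{flow.name}", flow.getTitle());
        entities.put("{source.name}", flow.getSource().getName());
        entities.put("{target.name}", flow.getTarget().getName());
    }

    /**
     * Replaces every placeholder in {@code field} with its value.
     *
     * <p>Fix: the previous implementation used {@link String#replaceAll}, which interprets the
     * replacement as a regex replacement string; a flow title or element name containing {@code $}
     * or {@code \} (content that comes from the model file) threw or was mangled. Literal
     * {@link String#replace} is used instead, so placeholders are now matched verbatim. A
     * {@code null} field is returned unchanged and a {@code null} placeholder value expands to "".
     */
    private String solvePlaceholders(String field) {
        if (field == null) {
            return null;
        }
        String resolved = field;
        for (Map.Entry<String, String> entry : entities.entrySet()) {
            String value = entry.getValue() == null ? "" : entry.getValue();
            resolved = resolved.replace(entry.getKey(), value);
        }
        return resolved;
    }

    /**
     * @param rule the rule that matched
     * @param flow the data flow it matched against; its source and target must be resolved
     */
    public ThreatRuleMapper(ThreatRule rule, DataFlow flow) {
        this.rule = rule;
        this.flow = flow;
        initEntities();
    }

    /** Creates a new {@link Threat}; only the text fields are placeholder-expanded. */
    @Override
    public Threat getModel() {
        Threat threat = new Threat();

        threat.setTitle(solvePlaceholders(rule.getTitle()));
        threat.setCategories(rule.getCategories());
        threat.setOwasp(rule.getOwasp());
        threat.setDataFlow(flow);
        threat.setDescription(solvePlaceholders(rule.getDescription()));
        threat.setRemediation(solvePlaceholders(rule.getRemediation()));

        return threat;
    }

}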
17 | */ 18 | package com.github.rusakovichma.tictaac.model; 19 | 20 | public enum OwaspCategory { 21 | brokenAccessControl("A01:2021 - Broken Access Control", "Broken Access Control"), 22 | cryptographicFailures("A02:2021 - Cryptographic Failures", "Cryptographic Failures"), 23 | injection("A03:2021 - Injection", "Injection"), 24 | insecureDesign("A04:2021 - Insecure Design", "Insecure Design"), 25 | securityMisconfiguration("A05:2021 - Security Misconfiguration", "Security Misconfiguration"), 26 | vulnerableAndOutdatedComponents("A06:2021 - Vulnerable and Outdated Components", "Vulnerable and Outdated Components"), 27 | identificationAndAuthenticationFailures("A07:2021 - Identification and Authentication Failures", "Identification and Authentication Failures"), 28 | softwareAndDataIntegrityFailures("A08:2021 - Software and Data Integrity Failures", "Software and Data Integrity Failures"), 29 | securityLoggingAndMonitoringFailures("A09:2021 - Security Logging and Monitoring Failures", "Security Logging and Monitoring Failures"), 30 | serverSideRequestForgery("A10:2021 - Server-Side Request Forgery", "Server-Side Request Forgery"), 31 | undefined("Undefined", "Undefined"); 32 | 33 | private final String description; 34 | private final String shortDescription; 35 | 36 | OwaspCategory(String description, String shortDescription) { 37 | this.description = description; 38 | this.shortDescription = shortDescription; 39 | } 40 | 41 | public String getDescription() { 42 | return description; 43 | } 44 | 45 | public String getShortDescription() { 46 | return shortDescription; 47 | } 48 | 49 | @Override 50 | public String toString() { 51 | return this.name(); 52 | } 53 | } 54 | -------------------------------------------------------------------------------- /src/main/resources/help-info: -------------------------------------------------------------------------------- 1 | usage: TicTaaC Core [--help] 2 | [--threatModel ] [--out ] [--outFormat ][--mitigations ] 3 | 
[--failOnThreatRisk ] [--threatsLibrary ] 4 | [--threatsLibraryAccessUsername ] [--threatsLibraryAccessPassword ] 5 | 6 | TicTaaC (Threat-Modeling-as-a-Code in a Tick) solution may be used to identify threats 7 | related to an application architecture, design and development process. 8 | Core will automatically generate threats classified by Microsoft STRIDE and OWASP Top 10 9 | according to the provided data flow diagram file described in a special lightweight format. 10 | 11 | -h, --help Print this help message 12 | --threatModel (Mandatory) Data flow diagram file to process. 13 | --out (Optional) The folder to write report to. 14 | This defaults to the current directory. 15 | --outFormat (Optional) The report format (HTML, JSON). 16 | The default is HTML. 17 | --mitigations (Optional) The file with the mitigation 18 | strategy for the corresponding threats from 19 | the report. 20 | --failOnThreatRisk (Optional) Specifies if the build should be 21 | failed if a Threat Risk above a specified 22 | level is identified (Low, Medium, High). 23 | By default the build will never fail. 24 | --threatsLibrary (Optional) The path to the file with the rules 25 | containing threat-generating logic. It may be 26 | a path to a local file, a web-resource file path 27 | or a classpath. 28 | --threatsLibraryAccessUsername (Optional) If web-resource file with the rules 29 | protected with authorization, specify this 30 | parameter. 31 | --threatsLibraryAccessPassword (Optional) If web-resource file with the rules 32 | protected with authorization, specify this 33 | parameter. 34 | -v, --version Print the version information. -------------------------------------------------------------------------------- /src/main/java/com/github/rusakovichma/tictaac/model/mitigation/MitigationsLibrary.java: -------------------------------------------------------------------------------- 1 | /* 2 | * This file is part of TicTaaC. 
package com.github.rusakovichma.tictaac.model.mitigation;

import com.github.rusakovichma.tictaac.model.threatmodel.annotation.RootCollection;

import java.util.LinkedList;

/**
 * Mitigation strategy for a report: one list of threat references per mitigation outcome.
 * Each list is a {@link RootCollection}, presumably the hook the mapper uses to populate it.
 * {@code name} and {@code version} have no accessors here; they are likely set reflectively.
 *
 * <p>NOTE(review): the element type of the lists is not visible in this rendering
 * (generic type arguments appear stripped); kept as declared.
 */
public class MitigationsLibrary {

    private String name;
    private String version;

    /** Threats that have been mitigated. */
    @RootCollection
    private LinkedList mitigated;

    /** Threats whose risk was accepted. */
    @RootCollection
    private LinkedList accepted;

    /** Threats avoided by a design change. */
    @RootCollection
    private LinkedList avoided;

    /** Threats transferred to another party. */
    @RootCollection
    private LinkedList transferred;

    /** Threats judged not applicable. */
    @RootCollection
    private LinkedList notApplicable;

    public LinkedList getMitigated() {
        return mitigated;
    }

    public LinkedList getAccepted() {
        return accepted;
    }

    public LinkedList getAvoided() {
        return avoided;
    }

    public LinkedList getTransferred() {
        return transferred;
    }

    public LinkedList getNotApplicable() {
        return notApplicable;
    }

    public void setMitigated(LinkedList mitigated) {
        this.mitigated = mitigated;
    }

    public void setAccepted(LinkedList accepted) {
        this.accepted = accepted;
    }

    public void setAvoided(LinkedList avoided) {
        this.avoided = avoided;
    }

    public void setTransferred(LinkedList transferred) {
        this.transferred = transferred;
    }

    public void setNotApplicable(LinkedList notApplicable) {
        this.notApplicable = notApplicable;
    }
}
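package com.github.rusakovichma.tictaac.engine;

import com.github.rusakovichma.tictaac.mapper.ThreatModelMapper;
import com.github.rusakovichma.tictaac.mapper.ThreatsLibraryMapper;
import com.github.rusakovichma.tictaac.model.*;
import com.github.rusakovichma.tictaac.parser.impl.NodeTreeParser;
import com.github.rusakovichma.tictaac.parser.model.NodeTree;
import com.github.rusakovichma.tictaac.util.FileUtil;
import org.junit.jupiter.api.Test;

import java.io.InputStream;
import java.util.ArrayList;
import java.util.Collection;
import java.util.LinkedList;
import java.util.List;

import static org.junit.jupiter.api.Assertions.*;

/**
 * End-to-end check of {@link StandardEngineContext#eval}: a small threat model and rule set are
 * loaded from YAML fixtures and the produced threats (ids, risks, expanded descriptions) are pinned.
 */
class StandardEngineContextTest {

    /** Parses the fixture at {@code path}; the stream is closed afterwards (it was leaked before). */
    private static NodeTree parseFixture(String path) throws Exception {
        try (InputStream fileInputStream = FileUtil.fileToInputStream(path)) {
            return new NodeTreeParser().getNodeTree(fileInputStream);
        }
    }

    private ThreatModel getModel() throws Exception {
        return new ThreatModelMapper(
                parseFixture("src/test/resources/threat-model-engine-context-test.yml")).getModel();
    }

    private LinkedList getRules() throws Exception {
        return new ThreatsLibraryMapper(
                parseFixture("src/test/resources/threats-provider-engine-context-test.yml"))
                .getModel().getRules();
    }

    @Test
    void eval() throws Exception {
        ThreatModel model = getModel();
        LinkedList rules = getRules();

        StandardEngineContext engineContext = new StandardEngineContext();

        // assertEquals reports expected/actual on failure, unlike assertTrue(a.equals(b)).
        List<Threat> threats = new ArrayList<>(engineContext.eval(model, rules));
        assertEquals(2, threats.size());

        assertEquals("e1a127e52365395e8c13388ef9ec3c89b5605280", threats.get(0).getId());
        assertEquals(ThreatRisk.High, threats.get(0).getRisk());
        assertEquals("threat description 2 for Users Request with source of User and target - Proxy Server",
                threats.get(0).getDescription());

        assertEquals("bb83b0d3eb7b4cc8a344e4d552b017c59703930d", threats.get(1).getId());
        assertEquals(ThreatRisk.Low, threats.get(1).getRisk());
        assertEquals("threat description 1 for PostgreSQL", threats.get(1).getDescription());
    }
}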
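package com.github.rusakovichma.tictaac.engine.el.parser;

import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import static com.github.rusakovichma.tictaac.util.StringUtils.*;

/**
 * Expression pre-processor that swaps every single-quoted string literal in an expression for the
 * hex digest of its contents and records {@code digest -> original text} in the shared cache, so a
 * later stage can map the digest back to the literal.
 */
public class StringHashReplacer implements ExpressionPreProcessor {

    /** A {@code '...'} literal delimited by whitespace or the line edges; the delimiters are consumed. */
    private static final Pattern QUOTE_STRING_PATTERN = Pattern.compile("(?:^|\\s)'([^']*?)'(?:$|\\s)",
            Pattern.MULTILINE);

    private final Map<String, String> stringsHashCache;

    /** @param stringsHashCache shared, mutable cache the digests are written into */
    public StringHashReplacer(Map<String, String> stringsHashCache) {
        this.stringsHashCache = stringsHashCache;
    }

    /**
     * Hashes the literal's contents, caches the mapping and substitutes the digest for every
     * occurrence of the quoted literal in {@code expression}.
     *
     * <p>Fix: the literal was previously handed to {@link String#replaceAll} as a regular expression.
     * Literal text from a rules file containing regex metacharacters (e.g. {@code '('} or
     * {@code 'a+b'}) threw {@code PatternSyntaxException} or matched the wrong text. The
     * substitution is now done literally with {@link String#replace}.
     */
    private String replaceStringWithHash(String expression, String entityWithQuotes) {
        String entityWithoutQuotes = removeFirstAndLastChar(entityWithQuotes, '\'');
        String entityDigest = bytesToHex(digest(entityWithoutQuotes.getBytes(StandardCharsets.UTF_8)));

        stringsHashCache.put(entityDigest, entityWithoutQuotes);

        return expression.replace(entityWithQuotes, entityDigest);
    }

    /** Returns {@code expression} with every quoted literal replaced by its digest. */
    @Override
    public String preProcess(String expression) {
        String expressionWithHashes = expression;
        // Matching runs over the original text while replacement is applied to the accumulator,
        // so earlier substitutions cannot shift later matches.
        Matcher expMatcher = QUOTE_STRING_PATTERN.matcher(expression);
        while (expMatcher.find()) {
            expressionWithHashes = replaceStringWithHash(expressionWithHashes, expMatcher.group().trim());
        }
        return expressionWithHashes;
    }
}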
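package com.github.rusakovichma.tictaac.provider.model;

import com.github.rusakovichma.tictaac.mapper.ThreatModelMapper;
import com.github.rusakovichma.tictaac.model.ThreatModel;
import com.github.rusakovichma.tictaac.provider.reader.Reader;
import com.github.rusakovichma.tictaac.provider.reader.UnifiedReader;

import java.util.HashMap;
import java.util.Map;

/**
 * Loads the threat model (the data-flow diagram file) from {@code threatModelPath} through a
 * {@link UnifiedReader} and maps it to a {@link ThreatModel}.
 *
 * <p>Credentials for a protected web resource are taken from the {@code threatModelAccessUsername}
 * / {@code threatModelAccessPassword} parameters and handed to the reader under the generic
 * {@code username} / {@code password} keys.
 */
public class StandardThreatModelProvider implements ThreatModelProvider {

    private static final String USERNAME_PARAM = "threatModelAccessUsername";
    private static final String PASSWORD_PARAM = "threatModelAccessPassword";

    private final String threatModelPath;
    private final Reader reader;

    /**
     * Picks the reader credentials out of the caller-supplied parameters.
     *
     * <p>Fix: the lookup used to read from the freshly created (still empty) result map instead of
     * {@code params}, so the credentials were always dropped and a protected model could never be
     * fetched. Blank values are still ignored; a {@code null} map yields an empty result.
     *
     * @param params caller parameters (presumably the CLI options), may be {@code null}
     * @return a new map holding only {@code username} / {@code password} when present
     */
    private static Map<String, String> getAccessParams(Map<String, String> params) {
        Map<String, String> accessParams = new HashMap<>();
        if (params == null) {
            return accessParams;
        }
        copyIfPresent(params, USERNAME_PARAM, accessParams, "username");
        copyIfPresent(params, PASSWORD_PARAM, accessParams, "password");
        return accessParams;
    }

    /** Copies {@code from[key]} to {@code to[targetKey]} unless the value is null or blank. */
    private static void copyIfPresent(Map<String, String> from, String key,
                                      Map<String, String> to, String targetKey) {
        String value = from.get(key);
        if (value != null && !value.trim().isEmpty()) {
            to.put(targetKey, value);
        }
    }

    /**
     * @param threatModelPath local path, web resource or classpath location of the model file
     * @param params          caller parameters holding the optional access credentials
     */
    public StandardThreatModelProvider(String threatModelPath, Map<String, String> params) {
        this.threatModelPath = threatModelPath;
        this.reader = new UnifiedReader(getAccessParams(params));
    }

    /** Provider for a model file that needs no credentials. */
    public StandardThreatModelProvider(String threatModelPath) {
        this.threatModelPath = threatModelPath;
        this.reader = new UnifiedReader();
    }

    /** Reads and maps the model on every call; nothing is cached here. */
    @Override
    public ThreatModel getModel() {
        return new ThreatModelMapper(reader.read(threatModelPath)).getModel();
    }
}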
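package com.github.rusakovichma.tictaac.reporter;

import com.github.rusakovichma.tictaac.model.Threat;
import com.github.rusakovichma.tictaac.model.ThreatCategory;
import com.github.rusakovichma.tictaac.model.ThreatRisk;
import com.github.rusakovichma.tictaac.model.mitigation.MitigationStatus;
import org.junit.jupiter.api.Test;

import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.EnumSet;

import static org.junit.jupiter.api.Assertions.*;

/**
 * Smoke tests for {@link StreamThreatsReporter}: two hand-built threats are published in each
 * {@link ReportFormat} and the written stream must be non-empty.
 */
class StreamThreatsReporterTest {

    /** Two threats: one fully populated and accepted, one without risk and not mitigated. */
    private Collection<Threat> getThreats() {
        Collection<Threat> threats = new ArrayList<>();

        Threat threat1 = new Threat();
        threat1.setId("id1");
        threat1.setTitle("Threat 1");
        threat1.setRisk(ThreatRisk.High);
        threat1.setCategories(EnumSet.of(ThreatCategory.informationDisclosure));
        threat1.setDescription("description 1");
        threat1.setRemediation("remediation 1");
        threat1.setMitigationStatus(MitigationStatus.Accepted);
        threats.add(threat1);

        Threat threat2 = new Threat();
        threat2.setId("id2");
        threat2.setTitle("Threat 2");
        threat2.setCategories(EnumSet.of(ThreatCategory.denialOfService, ThreatCategory.tampering));
        threat2.setDescription("description 2");
        threat2.setRemediation("remediation 2");
        threat2.setMitigationStatus(MitigationStatus.NotMitigated);
        threats.add(threat2);

        return threats;
    }

    private ReportHeader getReportHeader() {
        return new ReportHeader(
                "Big Report header",
                "1.1.1",
                new Date());
    }

    /** Publishes the fixture threats in {@code format} and returns the decoded output. */
    private String publish(ReportFormat format) throws Exception {
        ByteArrayOutputStream stream = new ByteArrayOutputStream();
        StreamThreatsReporter reporter = new StreamThreatsReporter(stream, format);

        reporter.publish(getReportHeader(), null, getThreats());

        // Decode with an explicit charset; new String(byte[]) used the platform default.
        return new String(stream.toByteArray(), StandardCharsets.UTF_8);
    }

    @Test
    void publishJson() throws Exception {
        assertFalse(publish(ReportFormat.json).isEmpty());
    }

    @Test
    void publishHtml() throws Exception {
        assertFalse(publish(ReportFormat.html).isEmpty());
    }
}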
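package com.github.rusakovichma.tictaac.provider.mitigation;

import com.github.rusakovichma.tictaac.mapper.MitigationsLibraryMapper;
import com.github.rusakovichma.tictaac.model.mitigation.MitigationsLibrary;
import com.github.rusakovichma.tictaac.provider.reader.Reader;
import com.github.rusakovichma.tictaac.provider.reader.UnifiedReader;

import java.util.HashMap;
import java.util.Map;

/**
 * Loads the mitigation strategy file from {@code mitigationsLibraryPath} through a
 * {@link UnifiedReader} and maps it to a {@link MitigationsLibrary}.
 *
 * <p>Credentials for a protected web resource are taken from the {@code mitigationsAccessUsername}
 * / {@code mitigationsAccessPassword} parameters and handed to the reader under the generic
 * {@code username} / {@code password} keys.
 */
public class StandardMitigationProvider implements MitigationLibraryProvider {

    private static final String USERNAME_PARAM = "mitigationsAccessUsername";
    private static final String PASSWORD_PARAM = "mitigationsAccessPassword";

    private final String mitigationsLibraryPath;
    private final Reader reader;

    /**
     * Picks the reader credentials out of the caller-supplied parameters.
     *
     * <p>Fix: the lookup used to read from the freshly created (still empty) result map instead of
     * {@code params}, so the credentials were always dropped and a protected mitigations file could
     * never be fetched. Blank values are still ignored; a {@code null} map yields an empty result.
     *
     * @param params caller parameters (presumably the CLI options), may be {@code null}
     * @return a new map holding only {@code username} / {@code password} when present
     */
    private static Map<String, String> getAccessParams(Map<String, String> params) {
        Map<String, String> accessParams = new HashMap<>();
        if (params == null) {
            return accessParams;
        }
        copyIfPresent(params, USERNAME_PARAM, accessParams, "username");
        copyIfPresent(params, PASSWORD_PARAM, accessParams, "password");
        return accessParams;
    }

    /** Copies {@code from[key]} to {@code to[targetKey]} unless the value is null or blank. */
    private static void copyIfPresent(Map<String, String> from, String key,
                                      Map<String, String> to, String targetKey) {
        String value = from.get(key);
        if (value != null && !value.trim().isEmpty()) {
            to.put(targetKey, value);
        }
    }

    /**
     * @param mitigationsLibraryPath local path, web resource or classpath location of the file
     * @param params                 caller parameters holding the optional access credentials
     */
    public StandardMitigationProvider(String mitigationsLibraryPath, Map<String, String> params) {
        this.mitigationsLibraryPath = mitigationsLibraryPath;
        this.reader = new UnifiedReader(getAccessParams(params));
    }

    /** Provider for a mitigations file that needs no credentials. */
    public StandardMitigationProvider(String mitigationsLibraryPath) {
        this.mitigationsLibraryPath = mitigationsLibraryPath;
        this.reader = new UnifiedReader();
    }

    /** Reads and maps the library on every call; nothing is cached here. */
    @Override
    public MitigationsLibrary getMitigations() {
        return new MitigationsLibraryMapper(reader.read(mitigationsLibraryPath)).getModel();
    }
}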
package com.github.rusakovichma.tictaac.engine.el.expression;

import com.github.rusakovichma.tictaac.engine.el.EvaluationContext;
import com.github.rusakovichma.tictaac.model.threatmodel.Boundary;
import com.github.rusakovichma.tictaac.model.threatmodel.Element;
import com.github.rusakovichma.tictaac.model.threatmodel.boundary.BoundaryCategory;
import com.github.rusakovichma.tictaac.parser.model.NodeHelper;

import java.util.Collection;

/**
 * "within" comparison: true when the parameter (an {@link Element}) belongs to at least one
 * boundary whose category is named by the value to compare. The boundaries are injected through
 * {@link #setContextParam(Object)} under the {@code boundaries} context name.
 */
public class ParamWithinExpression extends ParamComparableExpression implements ContextAware {

    private Collection<Boundary> boundaries;

    public ParamWithinExpression(EvaluationContext context) {
        super(context);
    }

    /** Records a single boolean result for this expression in {@code context}. */
    @Override
    public void interpret(EvaluationContext context) {
        Object param = getParameter();
        Object valueToCompare = getValueToCompare();
        context.addEvaluationResult(this, isWithinBoundary(param, valueToCompare));
    }

    /**
     * @return true when some injected boundary of the requested category contains {@code param};
     *     false when there is no value to compare or no boundaries were injected
     */
    private boolean isWithinBoundary(Object param, Object valueToCompare) {
        if (valueToCompare == null) {
            return false;
        }
        // The rule's free-form category text is normalised to the enum constant name first;
        // Enum.valueOf throws IllegalArgumentException for an unknown category (unchanged).
        BoundaryCategory wanted = Enum.valueOf(BoundaryCategory.class,
                NodeHelper.getConventionalName(valueToCompare.toString()));
        if (boundaries == null) {
            return false;
        }
        Element element = (Element) param;
        for (Boundary boundary : boundaries) {
            if (boundary.getCategory() == wanted && boundary.getElements().contains(element)) {
                return true;
            }
        }
        return false;
    }

    /** Receives the model's boundary collection from the engine context. */
    @SuppressWarnings("unchecked") // the context hands over an untyped object; cast as before
    @Override
    public void setContextParam(Object contextObject) {
        this.boundaries = (Collection<Boundary>) contextObject;
    }

    @Override
    public String getContextParamName() {
        return "boundaries";
    }
}
package com.github.rusakovichma.tictaac.model.threatmodel;

import com.github.rusakovichma.tictaac.model.threatmodel.annotation.Id;
import com.github.rusakovichma.tictaac.model.threatmodel.annotation.Ref;
import com.github.rusakovichma.tictaac.model.threatmodel.boundary.BoundaryCategory;
import com.github.rusakovichma.tictaac.validation.Required;
import com.github.rusakovichma.tictaac.validation.RequiresAtLeast;

import java.util.LinkedList;
import java.util.Objects;

/**
 * A trust boundary of the threat model: a category plus the elements it encloses.
 * Identity is defined by {@code id} alone (see {@link #equals(Object)}).
 *
 * <p>NOTE(review): the element type of {@code elements} is not visible in this rendering
 * (generic type arguments appear stripped); kept as declared.
 */
public class Boundary {

    @Id
    private String id;
    /** Validated as mandatory; {@link #getCategoryOrder()} dereferences it. */
    @Required
    private BoundaryCategory category;
    /** Resolved by reference against the model's root {@code elements} collection. */
    @RequiresAtLeast(elements = 1)
    @Ref(rootCollection = "elements")
    private LinkedList elements;

    public String getId() {
        return id;
    }

    public void setId(String id) {
        this.id = id;
    }

    public BoundaryCategory getCategory() {
        return category;
    }

    public void setCategory(BoundaryCategory category) {
        this.category = category;
    }

    /** @return the ordering value of the category; throws NullPointerException if unset */
    public int getCategoryOrder() {
        return category.getOrder();
    }

    public LinkedList getElements() {
        return elements;
    }

    public void setElements(LinkedList elements) {
        this.elements = elements;
    }

    /** Two boundaries are equal when they are of the exact same class and share an id. */
    @Override
    public boolean equals(Object o) {
        if (this == o) {
            return true;
        }
        if (o == null || getClass() != o.getClass()) {
            return false;
        }
        Boundary other = (Boundary) o;
        return Objects.equals(this.id, other.id);
    }

    @Override
    public int hashCode() {
        return Objects.hash(id);
    }

    @Override
    public String toString() {
        return "Boundary{id='" + id + "'}";
    }
}
package com.github.rusakovichma.tictaac.reporter.analytics;

import com.github.rusakovichma.tictaac.model.OwaspCategory;
import com.github.rusakovichma.tictaac.model.ThreatCategory;
import com.github.rusakovichma.tictaac.model.mitigation.MitigationStatus;
import com.github.rusakovichma.tictaac.model.threatmodel.boundary.BoundaryCategory;

import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.atomic.AtomicInteger;

/**
 * Per-category threat counters for a report, one map per classification axis. Every constant of
 * each enum starts at zero, in declaration order; the getters expose the live, mutable maps so
 * callers can increment the counters in place.
 */
public class ThreatAnalytics {

    private final Map<OwaspCategory, AtomicInteger> byOwasp = zeroCounters(OwaspCategory.values());
    private final Map<ThreatCategory, AtomicInteger> byStride = zeroCounters(ThreatCategory.values());
    private final Map<BoundaryCategory, AtomicInteger> byAttackVector = zeroCounters(BoundaryCategory.values());
    private final Map<MitigationStatus, AtomicInteger> byStatus = zeroCounters(MitigationStatus.values());

    /** Builds an insertion-ordered map with a fresh zero counter for every key. */
    private static <E extends Enum<E>> Map<E, AtomicInteger> zeroCounters(E[] keys) {
        Map<E, AtomicInteger> counters = new LinkedHashMap<>();
        for (E key : keys) {
            counters.put(key, new AtomicInteger(0));
        }
        return counters;
    }

    public ThreatAnalytics() {
        // counters are initialised by the field initialisers above
    }

    public Map<OwaspCategory, AtomicInteger> getByOwasp() {
        return byOwasp;
    }

    public Map<ThreatCategory, AtomicInteger> getByStride() {
        return byStride;
    }

    public Map<BoundaryCategory, AtomicInteger> getByAttackVector() {
        return byAttackVector;
    }

    public Map<MitigationStatus, AtomicInteger> getByStatus() {
        return byStatus;
    }
}
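/**
 * Static helpers for interpreting the raw text of threat-model document nodes.
 *
 * <p>Utility class; not instantiable. Stateless and therefore safe to call from any thread.
 */
public class NodeHelper {

    /**
     * Matches a whole line naming a collection property: optional leading whitespace, an
     * identifier of {@code [a-zA-Z0-9_-]} characters and a trailing colon with nothing after it.
     * Anchored at both ends, so matching cost stays linear in the line length.
     */
    private static final Pattern COLLECTION_PROPERTY_PATTERN =
            Pattern.compile("^(\\t|\\s)*[a-zA-Z0-9_-]+:$");

    private NodeHelper() {
    }

    /**
     * Converts a raw property name to its camel-case conventional form.
     *
     * <p>Colons and spaces are dropped. A {@code -} or {@code _} is dropped as well and
     * upper-cases the next character that is kept, e.g. {@code "data-flows:"} becomes
     * {@code "dataFlows"}.
     *
     * @param rawName the raw name, must not be {@code null}
     * @return the conventional name; empty when {@code rawName} is empty
     * @throws NullPointerException if {@code rawName} is {@code null}
     */
    public static String getConventionalName(String rawName) {
        StringBuilder conventional = new StringBuilder(rawName.length());

        boolean upperCaseNext = false;
        for (char ch : rawName.toCharArray()) {
            if (ch == ':' || ch == ' ') {
                continue;
            }

            if (ch == '-' || ch == '_') {
                // The separator itself is dropped; the flag survives any skipped ':' or ' '.
                upperCaseNext = true;
                continue;
            }

            conventional.append(upperCaseNext ? Character.toUpperCase(ch) : ch);
            upperCaseNext = false;
        }
        return conventional.toString();
    }

    /**
     * Tells whether {@code content} is a collection-property line such as {@code "elements:"}.
     *
     * @param content the raw line, may be {@code null}
     * @return {@code true} when the trimmed line matches {@link #COLLECTION_PROPERTY_PATTERN};
     *         {@code false} for {@code null}
     */
    public static boolean isCollectionProperty(String content) {
        return content != null && COLLECTION_PROPERTY_PATTERN.matcher(content.trim()).find();
    }

    /**
     * Extracts the source or target element name from a flow node.
     *
     * @param flowContent the raw node text
     * @param source      {@code true} for the element before {@code ->}, {@code false} for the one after
     * @return the conventional element name, or {@code null} when {@code flowContent} is not a flow node
     */
    public static String getFlowEntity(String flowContent, boolean source) {
        final int sourceIndex = source ? 0 : 1;
        if (NodeType.getType(flowContent) == NodeType.flow) {
            // NOTE(review): assumes flow text classified by NodeType.getType always contains "->";
            // otherwise index 1 would throw ArrayIndexOutOfBoundsException — confirm against NodeType.
            return NodeType.element.getConventionalName(
                    NodeType.flow.getConventionalName(flowContent).split("->")[sourceIndex]
            );
        }
        return null;
    }

    /**
     * Extracts the target element name from a flow node.
     *
     * <p>Equivalent to {@code getFlowEntity(flowContent, false)}; kept as a separate method for
     * existing callers.
     *
     * @param flowContent the raw node text
     * @return the conventional target element name, or {@code null} when not a flow node
     */
    public static String getFlowTarget(String flowContent) {
        return getFlowEntity(flowContent, false);
    }

}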
