mike-goodwin / owasp-threat-dragon Goto Github PK
View Code? Open in Web Editor NEWAn open source, online threat modelling tool from OWASP
Home Page: http://mike-goodwin.github.io/owasp-threat-dragon/
License: Apache License 2.0
owasp-threat-dragon's People
Contributors
Stargazers
Watchers
Forkers
ianoxley jeg1972 nagyistge ll2b brennantom gwena boriskac jgadsden darionalanya rhurlbut techiemac i0na-k ramusbucket alx75 tkuennen hoomanb1 petermosmans minkione hmilkovi aqualen pombredanne subashsn appsecco v1bh0r security-prince enascimento doduytrung ro9ueadmin slooppe dehydr8 drumhopper virajdave calebtonn smallscientist alfuananzo gjtaylor vickywane ramos-dev farinhap vidocapt kremonl sharmeelasg mrtnrdl gusabii naozibuhao wxyzz raimundojimenez redskysec dattachandan gravikumar123 3ur0c3nt5y peoplenet evilegend phillipssec dreganism lifer84 luisit0 fasere75 penneke kkalivar secusbot rbuchnajzer nalhirabi attesch suleymanpetek mn28866 sporiyano ellerbrock unsecureio boblone19 modulexcite sec-js prateeksingh103 stustison zombieraven brodieve rohankrishnamurthy heartsleep dcoulang aclbbc banzo strongboi yfc-daniel m-i-6 yungmichael startharik glcamillo amarjitghuman rockduan mimoo bonedaddy blackclaws kurtseifried mr-beerkiss noobprogrammer12 mr-h superf0sh mod01 hartl3y94 vinayasathyanarayanaowasp-threat-dragon's Issues
Auto save desktop version
Would be great to have all the changes autosaved everytime you make a modification to a diagram, add a threat..etc.
Improve the movement option - Enhancement request
Dear Owasp,
moving a data flow or trust boundary is very difficult. Could you improve the move option by selecting the whole arrow instead of moving first one end and then another end? Moving arrows should be a single operation like Actors, Stores and Processes.Also, add an option to select all the items inside the DFD for moving them down, up, left or right. Sometimes, you need to move down all the shapes, but selecting all items does not do the trick.
Thanks
Deleting the first model deletes them all!!
If you have several models defined and you delete the first one, ALL the models are deleted!
Link and reference OWASP cheat sheets
The OWASP project Cheat Sheets provides information on Threat Modeling :
https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html
along with other cheat sheets on various defense topics.
local model storage (for the webapp)
Would it be a lot of work to support local storage on the webapp like the electron client does?
This would be great for quick demos for audiences which are unwilling to allow write access to their github repositories, or do not have a github account.
Navigation (Usage Question)
Hi,
How do you navigate back to the high-level "Project View" from within a single diagram? I do this by re-opening the project JSON file.
(I apologize, this doesn't seem like the right forum. Where is the best place to make questions about Threat Dragon usage?)
Best,
Michael
Should be able to create a new diagram straight from the threat model summary
It's not obvious that you should add a diagram when creating a new threat model. Then when you've saved it you are left wondering what to do.
Undo - threat model diagram editor
Undo button or Ctrl-Z does not work in the threat model diagram editor.
Demo threat model
The system should have a demo threat model to help people get started. This could be coloured differently to make sure people can tell it apart from their own, real models.
Content on threatdragon.org
hello
considering the new home for downloads&code for threat-dragon is on https://github.com/OWASP/threat-dragon it would be helpful to update the relevant content on threatdragon.org (docs, github link,...).
Thanks,
Too many GitHub permissions required
When wanting to try TD, it asked me for the following GitHub permissions, which in my opinion are too much:
As a result, I personally didn't want to grant so much.
Maybe it is possible to ask for less and achieve what is needed?
Cheers!
SyntaxError: Unexpected token U in JSON at position 0
Hi there. I am getting an error regarding the Github Oauth process and hoping for some assistance :)
The error seems to be related to the callback URL. My setting for the callback URL is http://:3000/oauth/github. My homepage URL is set to http://:3000.
My .env variables are set to the below:
GITHUB_CLIENT_ID=""
GITHUB_CLIENT_SECRET=""
SESSION_SIGNING_KEY="UIJL08ihIS7H3pkCnyc3cX6h6Rbbs0rp"
SESSION_STORE="local"
Error Message:
SyntaxError: Unexpected token U in JSON at position 0
at JSON.parse ()
at getPrimaryKey (/home/ubuntu/owasp/owasp-threat-dragon/td/helpers/encryption.helper.js:17:21)
at /home/ubuntu/owasp/owasp-threat-dragon/td/helpers/encryption.helper.js:60:19
at RandomBytes.ondone (/home/ubuntu/owasp/owasp-threat-dragon/td/helpers/encryption.helper.js:11:9)
npm ERR! Linux 4.15.0-1023-aws
npm ERR! argv "/usr/bin/node" "/usr/bin/npm" "start"
npm ERR! node v8.10.0
npm ERR! npm v3.5.2
npm ERR! code ELIFECYCLE
npm ERR! [email protected] start: node server.js
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the [email protected] start script 'node server.js'.
npm ERR! Make sure you have the latest version of node.js and npm installed.
npm ERR! If you do, this is most likely a problem with the owasp-threat-dragon package,
npm ERR! not with npm itself.
npm ERR! Tell the author that this fails on your system:
npm ERR! node server.js
npm ERR! You can get information on how to open an issue for this project with:
npm ERR! npm bugs owasp-threat-dragon
npm ERR! Or if that isn't available, you can get their info via:
npm ERR! npm owner ls owasp-threat-dragon
npm ERR! There is likely additional logging output above.
npm ERR! Please include the following file with any support request:
npm ERR! /home/ubuntu/owasp/owasp-threat-dragon/npm-debug.log
Threat Model-Access Level Controls Defined on the model file -Github
It seems there is no ACL on the threat model file created in GitHub
Steps:
- Login as User A using your GitHub account
- Create a model
- Share the link with User B
- User B logins in to GitHub and opens model file from User A GitHub repo hyperlink
Result:
User B can change file from User A (no Read/Edit/Modify ACL)
Update the threat Dragon Home Page
Recently owasp-threat-dragon starts supporting linux for Desktop but the home page still says Linux coming soon Please update it As soon as possible
Which browsers are suported?
Having issues to create a basic template any recommendation on which browser i can use?
Server script fails only when running on Linux
When running on debian linux, npm start exits with the following error :
$ npm start
> [email protected] start ./owasp-threat-dragon
> node server.js
./owasp-threat-dragon/server.js:1
#!/usr/bin/env node
^
SyntaxError: Invalid or unexpected token
Tested on MacOS and Windows and this does not fail => Linux only
Remove warnings
The warning on the main window is probably no longer needed, as we should make any data model changes backwardly compatible.
Warning! Threat Dragon is still in early development (it is an OWASP incubator project) so it might have some bugs and the data model could change without warning, leaving you unable to open your threat models.
This is in file td/public/app/welcome/welcome.html
Add visual indication for unmitigated threats
Elements in diagrams that have open (unmitigated) threats should have some kind of visual distinguishing mark - say a different colour, or line style. This will make is easy for users to see where they need to look when designing mitigations.
GIT integration to create Issue(s) with Application Repo (Enhancement)
Ability to create arbitrary GIT Issues in github.com or GHE from the GIT Url of the application/code you are Threat Modeling.
Error: Invalid key length at new Cipheriv (crypto.js:219:16)
Keep on getting this error after entering github credentials.
Error: Invalid key length
at new Cipheriv (crypto.js:219:16)
at Object.createCipheriv (crypto.js:619:10)
at encryptData
....
var crypto = require('crypto');
var inputEncoding = 'ascii';
var outputEncoding = 'base64';
var keyEncoding = 'ascii';
var algorithm = 'aes256';
these properties were unchanged. Not sure why this issue keeps on repeating.
using NodeJS 8.11.3 LTS version
draw.io and/or visio intergration
Hello,
This is more of a request than an issue. But is there anyways to open a visio file oran xml file from draw.io into this tool? If no, is it possible to have that added?
Add ability to work with Bitbucket
Threat Dragon currently supports Github, but does not support Bitbucket. It would be beneficial to add support for Bitbucket.
No pagination on github requests
The GitHub integration does not support pagination for cases where >30 items are returned
ERR: Threat Dragon received an invalid request from GitHub
Whenever I try login I get: "Threat Dragon received an invalid request from GitHub. Your internet connection may not be secure!". I'm able to use GitHub as OAuth provider with other sites.
I click login, get directed to GH for auth, succesfully approve use by TD and then get redirected with that error.
Add Gitlab integration
Is it possible to add Gitlab integration ?
Thanks.
LGTM alert
There is an alert from LGTM in td/public/app/threatmodels/github.js
22 function activate() {
23 common.activateController([load()], controllerId)
-- the function load does not return anything, yet the return value is used --
24 .then(function () { log('Activated GitHub Controller'); });
25 }
npm audit: 61 vulnerabilities found
$ npm audit
=== npm audit security report ===
# Run npm install --dev [email protected] to resolve 13 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ karma > socket.io > debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/534 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ karma > socket.io > engine.io > debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/534 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ karma > socket.io > socket.io-adapter > debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/534 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ karma > socket.io > socket.io-client > debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/534 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ karma > socket.io > socket.io-client > engine.io-client > │
│ │ debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/534 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ karma > socket.io > socket.io-adapter > socket.io-parser > │
│ │ debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/534 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ karma > socket.io > socket.io-client > socket.io-parser > │
│ │ debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/534 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ karma > socket.io > socket.io-parser > debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/534 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ karma > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/577 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ws │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ karma > socket.io > engine.io > ws │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/550 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ws │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ karma > socket.io > socket.io-client > engine.io-client > ws │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/550 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ parsejson │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ karma > socket.io > socket.io-client > engine.io-client > │
│ │ parsejson │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/528 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ karma > combine-lists > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/577 │
└───────────────┴──────────────────────────────────────────────────────────────┘
# Run npm install --dev [email protected] to resolve 4 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimatch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jasmine-node [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ jasmine-node > gaze > fileset > glob > minimatch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/118 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimatch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jasmine-node [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ jasmine-node > gaze > fileset > minimatch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/118 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimatch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jasmine-node [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ jasmine-node > gaze > minimatch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/118 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical │ Command Injection │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ growl │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jasmine-node [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ jasmine-node > jasmine-growl-reporter > growl │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/146 │
└───────────────┴──────────────────────────────────────────────────────────────┘
# Run npm install [email protected] to resolve 5 vulnerabilities
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ deep-extend │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ octonode │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ octonode > deep-extend │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/612 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ octonode │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ octonode > request > hawk > boom > hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/566 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ octonode │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ octonode > request > hawk > cryptiles > boom > hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/566 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ octonode │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ octonode > request > hawk > hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/566 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ octonode │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ octonode > request > hawk > sntp > hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/566 │
└───────────────┴──────────────────────────────────────────────────────────────┘
# Run npm install [email protected] to resolve 4 vulnerabilities
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ codecov │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ codecov > request > hawk > boom > hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/566 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ codecov │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ codecov > request > hawk > cryptiles > boom > hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/566 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ codecov │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ codecov > request > hawk > hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/566 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ codecov │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ codecov > request > hawk > sntp > hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/566 │
└───────────────┴──────────────────────────────────────────────────────────────┘
# Run npm install [email protected] to resolve 1 vulnerability
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/577 │
└───────────────┴──────────────────────────────────────────────────────────────┘
# Run npm install [email protected] to resolve 1 vulnerability
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma-browserify │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ karma-browserify > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/577 │
└───────────────┴──────────────────────────────────────────────────────────────┘
# Run npm install [email protected] to resolve 1 vulnerability
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma-coverage │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ karma-coverage > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/577 │
└───────────────┴──────────────────────────────────────────────────────────────┘
# Run npm update request --depth 3 to resolve 8 vulnerabilities
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma-phantomjs-launcher │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ karma-phantomjs-launcher > phantomjs-prebuilt > request > │
│ │ hawk > boom > hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/566 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma-phantomjs-launcher │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ karma-phantomjs-launcher > phantomjs-prebuilt > request > │
│ │ hawk > cryptiles > boom > hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/566 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma-phantomjs-launcher │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ karma-phantomjs-launcher > phantomjs-prebuilt > request > │
│ │ hawk > hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/566 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma-phantomjs-launcher │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ karma-phantomjs-launcher > phantomjs-prebuilt > request > │
│ │ hawk > sntp > hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/566 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ phantomjs-prebuilt │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ phantomjs-prebuilt > request > hawk > boom > hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/566 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ phantomjs-prebuilt │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ phantomjs-prebuilt > request > hawk > cryptiles > boom > │
│ │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/566 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ phantomjs-prebuilt │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ phantomjs-prebuilt > request > hawk > hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/566 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ phantomjs-prebuilt │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ phantomjs-prebuilt > request > hawk > sntp > hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/566 │
└───────────────┴──────────────────────────────────────────────────────────────┘
# Run npm update lodash --depth 5 to resolve 6 vulnerabilities
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ owasp-threat-dragon-core │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ owasp-threat-dragon-core > snyk > inquirer > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/577 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ owasp-threat-dragon-core │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ owasp-threat-dragon-core > snyk > snyk-go-plugin > graphlib │
│ │ > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/577 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ snyk │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ snyk > inquirer > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/577 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ snyk │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ snyk > snyk-go-plugin > graphlib > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/577 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma-ie-launcher │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ karma-ie-launcher > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/577 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma-phantomjs-launcher │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ karma-phantomjs-launcher > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/577 │
└───────────────┴──────────────────────────────────────────────────────────────┘
# Run npm update minimatch --depth 5 to resolve 1 vulnerability
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimatch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma-threshold-reporter [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ karma-threshold-reporter > istanbul > fileset > glob > │
│ │ minimatch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/118 │
└───────────────┴──────────────────────────────────────────────────────────────┘
# Run npm update uglify-js --depth 3 to resolve 1 vulnerability
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ uglify-js │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm-html2js │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ npm-html2js > jade > uglify-js │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/48 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ > 4.2.0 < 5.0.0 || >= 5.0.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ connect-azuretables │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ connect-azuretables > azure-storage > request > hawk > boom │
│ │ > hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/566 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ > 4.2.0 < 5.0.0 || >= 5.0.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ connect-azuretables │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ connect-azuretables > azure-storage > request > hawk > │
│ │ cryptiles > boom > hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/566 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ > 4.2.0 < 5.0.0 || >= 5.0.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ connect-azuretables │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ connect-azuretables > azure-storage > request > hawk > hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/566 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ > 4.2.0 < 5.0.0 || >= 5.0.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ connect-azuretables │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ connect-azuretables > azure-storage > request > hawk > sntp │
│ │ > hoek │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/566 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.17.5 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ owasp-threat-dragon-core │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ owasp-threat-dragon-core > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/577 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.17.5 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ owasp-threat-dragon-core │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ owasp-threat-dragon-core > jointjs > dagre > graphlib > │
│ │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/577 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.17.5 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ owasp-threat-dragon-core │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ owasp-threat-dragon-core > jointjs > dagre > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/577 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.17.5 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ owasp-threat-dragon-core │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ owasp-threat-dragon-core > jointjs > graphlib > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/577 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.17.5 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ owasp-threat-dragon-core │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ owasp-threat-dragon-core > jointjs > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/577 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.17.5 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jshint [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ jshint > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/577 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimatch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=3.0.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma-threshold-reporter [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ karma-threshold-reporter > istanbul > fileset > minimatch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/118 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimatch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=3.0.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm-html2js [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ npm-html2js > glob > minimatch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/118 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Incorrect Handling of Non-Boolean Comparisons During │
│ │ Minification │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ uglify-js │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >= 2.4.24 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm-html2js [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ npm-html2js > jade > transformers > uglify-js │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/39 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ uglify-js │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=2.6.0 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ owasp-threat-dragon-core │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ owasp-threat-dragon-core > nools > uglify-js │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/48 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ uglify-js │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=2.6.0 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm-html2js [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ npm-html2js > jade > transformers > uglify-js │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/48 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ mime │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >= 1.4.1 < 2.0.0 || >= 2.0.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ rework-npm-cli [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ rework-npm-cli > rework > mime │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/535 │
└───────────────┴──────────────────────────────────────────────────────────────┘
[!] 61 vulnerabilities found - Packages audited: 5299 (3549 dev, 342 optional)
Severity: 30 Low | 21 Moderate | 9 High | 1 CriticalLocal model storage
Would be great to be able to just create a model from scratch, managed locally, as opposed to something tied to a particular Github repo. This is for evaluation purposes, plus not everyone uses Github for source control.
Typo in Information Disclosure threat for data-flows
When applying the suggested threats for a data flow component, there is a typo:
"Generic informtion disclosure threat", which should read "Generic information disclosure threat". This is only for the data flow components, the other components are spelt correctly.
Improve the DFD printing
Dear OWASP,
I am using the latest version 1.3.1 on Mac. If the DFD is too big, the diagram is not correctly printed. The scroll bars appear but the diagram is not complete. Check the screenshot
Thanks
Update documentation for threat generation
The documentation at docs.threatdragon.org needs updating, specifically the use of STRIDE By Element by the 'Threat generation rules' section http://docs.threatdragon.org/#threat-generation
In addition we now have linux distributions so the opening description needs updating
User session timeout not handled
When the user session times out, the application will let the user continue to work on a diagram but the Save function does not operate.
The user will need to refresh the page which will prompt for GitHub authentication resulting in lost progress.
Steps to reproduce:
- Let browser idle or put device to sleep for a period of time
- Continue working in Threat Dragon
- Attempt to save progress.
Update login page
Changes that should be applied to the login page:
- The Linux desktop application is now available
- The OWASP project page is now https://owasp.org/www-project-threat-dragon/
Tighten security headers
github oauth: too much of requested permissions
To use the online version of application the GitHub's authentication is requested.
However a requested scope of permissions is quietly wide:
This application will be able to read and write all public repository data. This includes the following:
Code Issues Pull requests Wikis Settings Webhooks and services Deploy keys
I'm pretty sure it's enough to get an empty scope (see https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/): to read public account information. It's not clear about all other permissions.
Thank you!
I tried to deploy locally in MAC OSX, but it fails
Hello Mike
I tried to deploy locally in MAC OSX, but it fails , when I run
npm start
Terminal shows following error:
[email protected] start /Users/nadaalhirabi/Documents/GitHub/owasp-threat-dragon
node server.js
{"name":"threatdragon","excludes":["req-headers","res-headers","res","req","short-body","body","response-hrtime","incoming","user-agent","response-time","http-version"],"hostname":"m006.cs.cf.ac.uk","pid":81568,"level":50,"security":true,"msg":"secure session cookie flag was false - should only happen in dev environments","time":"2019-11-11T14:07:32.065Z","v":0}
{"name":"threatdragon","hostname":"m006.cs.cf.ac.uk","pid":81568,"level":50,"msg":"owasp threat dragon failed to start up","time":"2019-11-11T14:07:32.067Z","v":0}
{"name":"threatdragon","hostname":"m006.cs.cf.ac.uk","pid":81568,"level":50,"msg":"Credentials must be provided when creating a service client.","time":"2019-11-11T14:07:32.067Z","v":0}
events.js:187
throw er; // Unhandled 'error' event
^
Error: listen EADDRINUSE: address already in use :::3000
at Server.setupListenHandle [as _listen2] (net.js:1300:14)
at listenInCluster (net.js:1348:12)
at Server.listen (net.js:1436:7)
at Function.listen (/Users/nadaalhirabi/Documents/GitHub/owasp-threat-dragon/node_modules/express/lib/application.js:618:24)
at Object. (/Users/nadaalhirabi/Documents/GitHub/owasp-threat-dragon/server.js:7:18)
at Module._compile (internal/modules/cjs/loader.js:956:30)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:973:10)
at Module.load (internal/modules/cjs/loader.js:812:32)
at Function.Module._load (internal/modules/cjs/loader.js:724:14)
at Function.Module.runMain (internal/modules/cjs/loader.js:1025:10)
Emitted 'error' event on Server instance at:
at emitErrorNT (net.js:1327:8)
at processTicksAndRejections (internal/process/task_queues.js:80:21) {
code: 'EADDRINUSE',
errno: 'EADDRINUSE',
syscall: 'listen',
address: '::',
port: 3000
}
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! [email protected] start: node server.js
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the [email protected] start script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.
npm ERR! A complete log of this run can be found in:
npm ERR! /Users/nadaalhirabi/.npm/_logs/2019-11-11T14_07_32_140Z-debug.log
m006:owasp-threat-dragon nadaalhirabi$
————
This is the variables in bash_profile
GITHUB_CLIENT_ID=XXXXXX
GITHUB_CLIENT_SECRET=XXXXXX
SESSION_SIGNING_KEY=XXXXX (note it is the Personal access tokens in Github)
SESSION_STORE=local
AZURE_STORAGE_CONNECTION_STRING
NODE_ENV=development
Private github repositories are not listed in Github repo selection step
The repository was listed only after I changed the repository permissions to the public mode. Think this would be an important option to have because you are providing the Github credentials expecting to view your private repos as well. Plus people would be reluctant to put their threat model diagrams in public.
Bitbucket auth
Bitbucket (which my team happens to use) is a fairly popular alternative to Github. Would be great to have an integration with that as well.
Ability to export diagram with detailed threats into pdf or visio document
Excellent tool. Would like the ability to export the diagram, especially from the windows app, as a pdf or visio diagram with full threat detail present and visible.
File - Save - threat model diagram
On some occasions, the File - Save option does not save the threat model diagram and any updates which were made to the diagram are lost. To overcome this issue, the diagram should be saved within the diagram editor before saving the file.
How to deploy it on local.[enviroment variables]
After i try to deploy for 3 days, i can't stall not deploy it on my computer. I don't know how to deploy enviroment variables.
After i seted these
process.env.SESSION_STORE = 'local';
process.env.NODE_ENV = development
it shows:
{"name":"threatdragon","hostname":"DESKTOP-5O3JJ6D","pid":17136,"level":50,"msg":"owasp threat dragon failed to start up","time":"2020-06-21T12:40:43.293Z","v":0}
{"name":"threatdragon","hostname":"DESKTOP-5O3JJ6D","pid":17136,"level":50,"msg":"OAuth2Strategy requires a clientID option","time":"2020-06-21T12:40:43.293Z","v":0}
Error: secret option required for sessions
at session (D:\CodeSpace\Final_project\node_modules\express-session\index.js:200:12)
at Layer.handle [as handle_request] (D:\CodeSpace\Final_project\node_modules\express\lib\router\layer.js:95:5)
at trim_prefix (D:\CodeSpace\Final_project\node_modules\express\lib\router\index.js:317:13)
at D:\CodeSpace\Final_project\node_modules\express\lib\router\index.js:284:7
at Function.process_params (D:\CodeSpace\Final_project\node_modules\express\lib\router\index.js:335:12)
at next (D:\CodeSpace\Final_project\node_modules\express\lib\router\index.js:275:10)
at csp (D:\CodeSpace\Final_project\node_modules\helmet-csp\dist\index.js:53:13)
at Layer.handle [as handle_request] (D:\CodeSpace\Final_project\node_modules\express\lib\router\layer.js:95:5)
at trim_prefix (D:\CodeSpace\Final_project\node_modules\express\lib\router\index.js:317:13)
at D:\CodeSpace\Final_project\node_modules\express\lib\router\index.js:284:7
Error when searching for model to import
When I was searching for a model to import, I chose to select a threat model from jeg1972/owasp-threat-dragon/master, unfortunately there wasn't a file to import from that location. but I received the following error message.
Threat model file in the web version
After the web version is up in our machine, where do we we upload the threat model JSON file based on which our code is to be scanned.
Fail to deploy in MAC OSX
Hi, I want to deploy locally in MAC OSX, but it fails , when I run
npm start
Terminal shows following error:
[email protected] start /Users/windycui/Desktop/windy/software/Threat_Dragon/owasp-threat-dragon
node server.js
{"name":"threatdragon","excludes":["req-headers","res-headers","res","req","short-body","body","response-hrtime","incoming","user-agent","response-time","http-version"],"hostname":"homedeMacBook-Pro.local","pid":1053,"level":50,"security":true,"msg":"secure session cookie flag was false - should only happen in dev environments","time":"2017-05-03T03:43:02.937Z","v":0}
{"name":"threatdragon","hostname":"homedeMacBook-Pro.local","pid":1053,"level":50,"msg":"owasp threat dragon failed to start up","time":"2017-05-03T03:43:02.941Z","v":0}
{"name":"threatdragon","hostname":"homedeMacBook-Pro.local","pid":1053,"level":50,"msg":"Credentials must be provided when creating a service client.","time":"2017-05-03T03:43:02.942Z","v":0}
Any idea ?
Are there any plans to add support for other SCM providers ?
Are there any plans afoot to add support for integration with other SCM providers like enterprise bitbucket etc? If not I could help with this?
feature request: ability to import/export Microsoft TM7, SVG & PDF
ability to import/export Microsoft TM7 format, SVG & PDF will make this tool far more mature and useful.
Request to relax test case requirements
We've added Gitlab as a provider along with Github for Threat Dragon. Currently it's functional, but the test cases are failing due to ES6 syntax and changes done to accomodate multiple providers; Github and Gitlab. Can we relax this?
If this is okay, I'd be happy to raise a pull request that adds Gitlab integration for Threat Dragon. Thanks
Adding the same model twice gives an error
Related to duplicate item in Angular repeater
Travis build is failing
The travis build is failing with
sh: 0: Can't open /etc/init.d/xvfb
The command "sh -e /etc/init.d/xvfb start" failed and exited with 127 during
so the file .travis.yml may need to be updated for this?
github authentication is not working on localhost
I have just cloned the master repo and setup the oauth in my git account as per given steps, Also i have setup env, client_id, client_secret etc as env variable. Have setup SESSION_STORE as local in env variable. Now when i click the login it is redirecting me to git authentication login page but post authentication i am again getting redirected back to login page of this application. Have tried setup the Authorization callback URL as 'http://localhost:3000', 'http://localhost:3000/new/threatmodel' and 'http://localhost:3000/#/' but none of the 3 is taking me to logged in page.
Though i am getting redirected back to the login page but the login action doesn't do any thing post redirection from github. Once i close the browser instance and then relaunch the browser then only the login action take me to authentication page of github but after login attempt same process repeats.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.