From 65b988ad36acd60f5b6e5c2daafc628e5181fddb Mon Sep 17 00:00:00 2001 From: Yevhen Zavhorodnii Date: Thu, 6 Jun 2024 20:28:43 +0100 Subject: [PATCH] Inline raa calculations --- Dockerfile | 4 -- Dockerfile.local | 4 -- Makefile | 8 --- README.md | 64 ++++++++++++------------ cmd/raa_dummy/main.go | 59 ---------------------- internal/threagile/flags.go | 2 - internal/threagile/root.go | 4 -- pkg/common/config.go | 5 -- pkg/common/consts.go | 2 - cmd/raa/main.go => pkg/model/raa.go | 76 ++--------------------------- pkg/model/read.go | 29 +---------- pkg/server/execute.go | 2 +- 12 files changed, 37 insertions(+), 222 deletions(-) delete mode 100644 cmd/raa_dummy/main.go rename cmd/raa/main.go => pkg/model/raa.go (80%) diff --git a/Dockerfile b/Dockerfile index bd52e7c9..1d951453 100644 --- a/Dockerfile +++ b/Dockerfile @@ -25,8 +25,6 @@ COPY --from=clone /app/threagile /app RUN go version RUN go test ./... -RUN GOOS=linux go build -ldflags="-X main.buildTimestamp=$(date '+%Y%m%d%H%M%S')" -o raa_calc cmd/raa/main.go -RUN GOOS=linux go build -ldflags="-X main.buildTimestamp=$(date '+%Y%m%d%H%M%S')" -o raa_dummy cmd/raa_dummy/main.go RUN GOOS=linux go build -ldflags="-X main.buildTimestamp=$(date '+%Y%m%d%H%M%S')" -o risk_demo_rule cmd/risk_demo/main.go RUN GOOS=linux go build -ldflags="-X main.buildTimestamp=$(date '+%Y%m%d%H%M%S')" -o threagile # add the -race parameter to go build call in order to instrument with race condition detector: https://blog.golang.org/race-detector @@ -61,8 +59,6 @@ RUN mkdir -p /app /data RUN chown -R 1000:1000 /app /data COPY --from=build --chown=1000:1000 /app/threagile /app/ -COPY --from=build --chown=1000:1000 /app/raa_calc /app/ -COPY --from=build --chown=1000:1000 /app/raa_dummy /app/ COPY --from=build --chown=1000:1000 /app/risk_demo_rule /app/ COPY --from=build --chown=1000:1000 /app/LICENSE.txt /app/ COPY --from=build --chown=1000:1000 /app/report/template/background.pdf /app/ diff --git a/Dockerfile.local b/Dockerfile.local index 6003a64c..667a3e1c 100644 --- a/Dockerfile.local +++ b/Dockerfile.local @@ -19,8 +19,6 @@ RUN go version RUN go test ./... # build binaries -RUN go build -ldflags="-X main.buildTimestamp=$(date '+%Y%m%d%H%M%S')" -o raa_calc cmd/raa/main.go -RUN go build -ldflags="-X main.buildTimestamp=$(date '+%Y%m%d%H%M%S')" -o raa_dummy cmd/raa_dummy/main.go RUN go build -ldflags="-X main.buildTimestamp=$(date '+%Y%m%d%H%M%S')" -o risk_demo_rule cmd/risk_demo/main.go RUN go build -ldflags="-X main.buildTimestamp=$(date '+%Y%m%d%H%M%S')" -o threagile cmd/threagile/main.go @@ -68,8 +66,6 @@ RUN chown -R threagile:threagile /app /data USER threagile COPY --from=build --chown=threagile:threagile /app/threagile /app/ -COPY --from=build --chown=threagile:threagile /app/raa_calc /app/ -COPY --from=build --chown=threagile:threagile /app/raa_dummy /app/ COPY --from=build --chown=threagile:threagile /app/risk_demo_rule /app/ COPY --from=build --chown=threagile:threagile /app/LICENSE.txt /app/ COPY --from=build --chown=threagile:threagile /app/report/template/background.pdf /app/ diff --git a/Makefile b/Makefile index de4c3428..13e3a7f4 100644 --- a/Makefile +++ b/Makefile @@ -10,8 +10,6 @@ ASSETS = \ pkg/security/types/technologies.yaml \ server BIN = \ - raa_calc \ - raa_dummy \ risk_demo_rule \ threagile @@ -66,12 +64,6 @@ gv: out/tmp/diagram.png out/tmp/diagram.png: out/tmp/diagram.gv dot -Tpng $< -o $@ -bin/raa_calc: cmd/raa/main.go - $(GO) build $(GOFLAGS) -o $@ $< - -bin/raa_dummy: cmd/raa_dummy/main.go - $(GO) build $(GOFLAGS) -o $@ $< - bin/risk_demo_rule: cmd/risk_demo/main.go $(GO) build $(GOFLAGS) -o $@ $< diff --git a/README.md b/README.md index a29acecc..ec197f1e 100644 --- a/README.md +++ b/README.md @@ -13,30 +13,30 @@ are checked against the architecture model. #### Execution via Docker Container The easiest way to execute Threagile on the commandline is via its Docker container: - - docker run --rm -it threagile/threagile --help - - _____ _ _ _ - |_ _| |__ _ __ ___ __ _ __ _(_) | ___ + + docker run --rm -it threagile/threagile --help + + _____ _ _ _ + |_ _| |__ _ __ ___ __ _ __ _(_) | ___ | | | '_ \| '__/ _ \/ _` |/ _` | | |/ _ \ | | | | | | | | __/ (_| | (_| | | | __/ |_| |_| |_|_| \___|\__,_|\__, |_|_|\___| - |___/ + |___/ Threagile - Agile Threat Modeling - - + + Documentation: https://threagile.io Docker Images: https://hub.docker.com/r/threagile/threagile Sourcecode: https://github.com/threagile License: Open-Source (MIT License) Version: 1.0.0 (20231104141112) - - + + Usage: threagile [options] - - + + Options: - + -background string background pdf file (default "background.pdf") -create-editing-support @@ -83,8 +83,6 @@ The easiest way to execute Threagile on the commandline is via its Docker contai print 3rd-party license information -print-license print license information - -raa-plugin string - RAA calculation plugin (.so shared object) file name (default "raa.so") -server int start a server (instead of commandline execution) on the given port -skip-risk-rules string @@ -93,30 +91,30 @@ The easiest way to execute Threagile on the commandline is via its Docker contai verbose output -version print version - - + + Examples: - - If you want to create an example model (via docker) as a starting point to learn about Threagile just run: + + If you want to create an example model (via docker) as a starting point to learn about Threagile just run: docker run --rm -it -v "$(pwd)":/app/work threagile/threagile -create-example-model -output /app/work - - If you want to create a minimal stub model (via docker) as a starting point for your own model just run: + + If you want to create a minimal stub model (via docker) as a starting point for your own model just run: docker run --rm -it -v "$(pwd)":/app/work threagile/threagile -create-stub-model -output /app/work - - If you want to execute Threagile on a model yaml file (via docker): + + If you want to execute Threagile on a model yaml file (via docker): docker run --rm -it -v "$(pwd)":/app/work threagile/threagile -verbose -model /app/work/threagile.yaml -output /app/work - - If you want to run Threagile as a server (REST API) on some port (here 8080): + + If you want to run Threagile as a server (REST API) on some port (here 8080): docker run --rm -it --shm-size=256m -p 8080:8080 --name threagile-server --mount 'type=volume,src=threagile-storage,dst=/data,readonly=false' threagile/threagile -server 8080 - - If you want to find out about the different enum values usable in the model yaml file: + + If you want to find out about the different enum values usable in the model yaml file: docker run --rm -it threagile/threagile -list-types - - If you want to use some nice editing help (syntax validation, autocompletion, and live templates) in your favourite IDE: + + If you want to use some nice editing help (syntax validation, autocompletion, and live templates) in your favourite IDE: docker run --rm -it -v "$(pwd)":/app/work threagile/threagile -create-editing-support -output /app/work - - If you want to list all available model macros (which are macros capable of reading a model yaml file, asking you questions in a wizard-style and then update the model yaml file accordingly): + + If you want to list all available model macros (which are macros capable of reading a model yaml file, asking you questions in a wizard-style and then update the model yaml file accordingly): docker run --rm -it threagile/threagile -list-model-macros - - If you want to execute a certain model macro on the model yaml file (here the macro add-build-pipeline): + + If you want to execute a certain model macro on the model yaml file (here the macro add-build-pipeline): docker run --rm -it -v "$(pwd)":/app/work threagile/threagile -model /app/work/threagile.yaml -output /app/work -execute-model-macro add-build-pipeline diff --git a/cmd/raa_dummy/main.go b/cmd/raa_dummy/main.go deleted file mode 100644 index c43779a4..00000000 --- a/cmd/raa_dummy/main.go +++ /dev/null @@ -1,59 +0,0 @@ -package main - -import ( - "bufio" - "crypto/rand" - "encoding/json" - "fmt" - "github.com/threagile/threagile/pkg/security/types" - "io" - "math/big" - "os" - "time" -) - -// JUST A DUMMY TO HAVE AN ALTERNATIVE PLUGIN TO USE/TEST - -func main() { - reader := bufio.NewReader(os.Stdin) - - inData, outError := io.ReadAll(reader) - if outError != nil { - _, _ = fmt.Fprintf(os.Stderr, "failed to read model data from stdin\n") - os.Exit(-2) - } - - var input types.Model - inError := json.Unmarshal(inData, &input) - if inError != nil { - _, _ = fmt.Fprintf(os.Stderr, "failed to parse model: %v\n", inError) - os.Exit(-2) - } - - text := CalculateRAA(&input) - outData, marshalError := json.Marshal(input) - if marshalError != nil { - _, _ = fmt.Fprintf(os.Stderr, "failed to print model: %v\n", marshalError) - os.Exit(-2) - } - - _, _ = fmt.Fprint(os.Stdout, outData) - _, _ = fmt.Fprint(os.Stderr, text) - os.Exit(0) -} - -// used from run caller: - -func CalculateRAA(input *types.Model) string { - for techAssetID, techAsset := range input.TechnicalAssets { - nBig, randError := rand.Int(rand.Reader, big.NewInt(100)) - if randError != nil { - nBig.SetInt64(time.Now().UnixMilli()) - } - techAsset.RAA = float64(nBig.Int64()) - fmt.Println("Using dummy RAA random calculation (just to test the usage of other shared object files as plugins)") - input.TechnicalAssets[techAssetID] = techAsset - } - // return intro text (for reporting etc., can be short summary-like) - return "Just some dummy algorithm implementation for demo purposes of pluggability..." -} diff --git a/internal/threagile/flags.go b/internal/threagile/flags.go index 38c61166..0103e0c9 100644 --- a/internal/threagile/flags.go +++ b/internal/threagile/flags.go @@ -22,7 +22,6 @@ const ( serverPortFlagName = "server-port" inputFileFlagName = "model" - raaPluginFlagName = "raa-run" customRiskRulesPluginFlagName = "custom-risk-rules-plugin" diagramDpiFlagName = "diagram-dpi" @@ -49,7 +48,6 @@ type Flags struct { outputDirFlag string tempDirFlag string inputFileFlag string - raaPluginFlag string serverPortFlag int serverDirFlag string diff --git a/internal/threagile/root.go b/internal/threagile/root.go index 5d47a8e5..c985d2b3 100644 --- a/internal/threagile/root.go +++ b/internal/threagile/root.go @@ -63,7 +63,6 @@ func (what *Threagile) initRoot() *Threagile { what.rootCmd.PersistentFlags().StringVar(&what.flags.tempDirFlag, tempDirFlagName, defaultConfig.TempFolder, "temporary folder location") what.rootCmd.PersistentFlags().StringVar(&what.flags.inputFileFlag, inputFileFlagName, defaultConfig.InputFile, "input model yaml file") - what.rootCmd.PersistentFlags().StringVar(&what.flags.raaPluginFlag, raaPluginFlagName, defaultConfig.RAAPlugin, "RAA calculation run file name") what.rootCmd.PersistentFlags().BoolVarP(&what.flags.interactiveFlag, interactiveFlagName, interactiveFlagShorthand, defaultConfig.Interactive, "interactive mode") what.rootCmd.PersistentFlags().BoolVarP(&what.flags.verboseFlag, verboseFlagName, verboseFlagShorthand, defaultConfig.Verbose, "verbose output") @@ -256,9 +255,6 @@ func (what *Threagile) readConfig(cmd *cobra.Command, buildTimestamp string) *co if isFlagOverridden(flags, inputFileFlagName) { cfg.InputFile = cfg.CleanPath(what.flags.inputFileFlag) } - if isFlagOverridden(flags, raaPluginFlagName) { - cfg.RAAPlugin = what.flags.raaPluginFlag - } if isFlagOverridden(flags, customRiskRulesPluginFlagName) { cfg.RiskRulesPlugins = strings.Split(what.flags.customRiskRulesPluginFlag, ",") diff --git a/pkg/common/config.go b/pkg/common/config.go index 39320603..3ff6dc3c 100644 --- a/pkg/common/config.go +++ b/pkg/common/config.go @@ -37,7 +37,6 @@ type Config struct { TemplateFilename string TechnologyFilename string - RAAPlugin string RiskRulesPlugins []string SkipRiskRules []string ExecuteModelMacro string @@ -91,7 +90,6 @@ func (c *Config) Defaults(buildTimestamp string) *Config { TemplateFilename: TemplateFilename, TechnologyFilename: "", - RAAPlugin: RAAPluginName, RiskRulesPlugins: make([]string, 0), SkipRiskRules: make([]string, 0), ExecuteModelMacro: "", @@ -286,9 +284,6 @@ func (c *Config) Merge(config Config, values map[string]any) { case strings.ToLower("TechnologyFilename"): c.TechnologyFilename = config.TechnologyFilename - case strings.ToLower("RAAPlugin"): - c.RAAPlugin = config.RAAPlugin - case strings.ToLower("RiskRulesPlugins"): c.RiskRulesPlugins = config.RiskRulesPlugins diff --git a/pkg/common/consts.go b/pkg/common/consts.go index 65a35791..c5ca2cd0 100644 --- a/pkg/common/consts.go +++ b/pkg/common/consts.go @@ -24,8 +24,6 @@ const ( DataAssetDiagramFilenameDOT = "data-asset-diagram.gv" DataAssetDiagramFilenamePNG = "data-asset-diagram.png" - RAAPluginName = "raa_calc" - DefaultDiagramDPI = 100 DefaultGraphvizDPI = 120 MinGraphvizDPI = 20 diff --git a/cmd/raa/main.go b/pkg/model/raa.go similarity index 80% rename from cmd/raa/main.go rename to pkg/model/raa.go index e8f3e388..f249e1b6 100644 --- a/cmd/raa/main.go +++ b/pkg/model/raa.go @@ -1,81 +1,14 @@ -package main +package model import ( - "flag" - "fmt" - "gopkg.in/yaml.v3" - "io" - "os" "sort" "github.com/threagile/threagile/pkg/security/types" ) -// used from run caller: +func applyRAA(input *types.Model, progressReporter types.ProgressReporter) string { + progressReporter.Infof("Applying RAA calculation") -func main() { - inputFilename := flag.String("in", "", "input file") - outputFilename := flag.String("out", "", "output file") - flag.Parse() - - var data []byte - var inputError error - if len(*inputFilename) > 0 { - data, inputError = os.ReadFile(*inputFilename) - if inputError != nil { - _, _ = fmt.Fprintf(os.Stderr, "failed to read input file %q: %v\n", *inputFilename, inputError) - os.Exit(-2) - } - } else { - data, inputError = io.ReadAll(os.Stdin) - if inputError != nil { - _, _ = fmt.Fprintf(os.Stderr, "failed to read input from stdin: %v\n", inputError) - os.Exit(-2) - } - } - - // _ = os.WriteFile("raa_in.yaml", data, 0644) - - var input types.Model - parseError := yaml.Unmarshal(data, &input) - if parseError != nil { - _, _ = fmt.Fprintf(os.Stderr, "failed to parse model: %v\n", parseError) - os.Exit(-2) - } - - text := CalculateRAA(&input) - outData, marshalError := yaml.Marshal(input) - if marshalError != nil { - _, _ = fmt.Fprintf(os.Stderr, "failed to print model: %v\n", marshalError) - os.Exit(-2) - } - - // _ = os.WriteFile("raa_out.yaml", outData, 0644) - - var outputFile io.Writer = os.Stdout - if len(*outputFilename) > 0 { - file, outputError := os.Open(*outputFilename) - if outputError != nil { - _, _ = fmt.Fprintf(os.Stderr, "failed to open output file %q: %v\n", *outputFilename, outputError) - os.Exit(-2) - } - - defer closeFile(file) - outputFile = file - } - - _, _ = fmt.Fprint(outputFile, string(outData)) - _ = text - // _, _ = fmt.Fprint(os.Stderr, text) - - os.Exit(0) -} - -func closeFile(file io.Closer) { - _ = file.Close() -} - -func CalculateRAA(input *types.Model) string { for techAssetID, techAsset := range input.TechnicalAssets { aa := calculateAttackerAttractiveness(input, techAsset) aa += calculatePivotingNeighbourEffectAdjustment(input, techAsset) @@ -92,10 +25,9 @@ func CalculateRAA(input *types.Model) string { "attacker-attractive technical assets:" } -var attackerAttractivenessMinimum, attackerAttractivenessMaximum, spread float64 = 0, 0, 0 - // set the concrete value in relation to the minimum and maximum of all func calculateRelativeAttackerAttractiveness(input *types.Model, attractiveness float64) float64 { + var attackerAttractivenessMinimum, attackerAttractivenessMaximum, spread float64 = 0, 0, 0 if attackerAttractivenessMinimum == 0 || attackerAttractivenessMaximum == 0 { attackerAttractivenessMinimum, attackerAttractivenessMaximum = 9223372036854775807, -9223372036854775808 // determine (only one time required) the min/max of all diff --git a/pkg/model/read.go b/pkg/model/read.go index bcc53867..8f654ca7 100644 --- a/pkg/model/read.go +++ b/pkg/model/read.go @@ -2,7 +2,6 @@ package model import ( "fmt" - "path/filepath" "strings" "github.com/threagile/threagile/pkg/common" @@ -43,15 +42,7 @@ func ReadAndAnalyzeModel(config *common.Config, progressReporter types.ProgressR return nil, fmt.Errorf("unable to parse model yaml: %v", parseError) } - /** - jsonData, _ := json.MarshalIndent(parsedModel, "", " ") - _ = os.WriteFile("parsed-model.json", jsonData, 0600) - - yamlData, _ := yaml.Marshal(parsedModel) - _ = os.WriteFile("parsed-model.yaml", yamlData, 0600) - /**/ - - introTextRAA := applyRAA(parsedModel, config.PluginFolder, config.RAAPlugin, progressReporter) + introTextRAA := applyRAA(parsedModel, progressReporter) applyRiskGeneration(parsedModel, builtinRiskRules.Merge(customRiskRules), config.SkipRiskRules, progressReporter) err := parsedModel.ApplyWildcardRiskTrackingEvaluation(config.IgnoreOrphanedRiskTracking, progressReporter) @@ -123,21 +114,3 @@ func applyRiskGeneration(parsedModel *types.Model, rules types.RiskRules, } } } - -func applyRAA(parsedModel *types.Model, binFolder, raaPlugin string, progressReporter types.ProgressReporter) string { - progressReporter.Infof("Applying RAA calculation: %v", raaPlugin) - - runner, loadError := new(runner).Load(filepath.Join(binFolder, raaPlugin)) - if loadError != nil { - progressReporter.Warnf("raa %q not loaded: %v\n", raaPlugin, loadError) - return "" - } - - runError := runner.Run(parsedModel, parsedModel) - if runError != nil { - progressReporter.Warnf("raa %q not applied: %v\n", raaPlugin, runError) - return "" - } - - return runner.ErrorOutput -} diff --git a/pkg/server/execute.go b/pkg/server/execute.go index d3c29d5c..cabd0ab4 100644 --- a/pkg/server/execute.go +++ b/pkg/server/execute.go @@ -179,7 +179,7 @@ func (s *server) doItViaRuntimeCall(modelFile string, outputDir string, dpi int) { // Remember to also add the same args to the exec based sub-process calls! var cmd *exec.Cmd - args := []string{"-model", modelFile, "-output", outputDir, "-execute-model-macro", s.config.ExecuteModelMacro, "-raa-run", s.config.RAAPlugin, "-custom-risk-rules-plugins", strings.Join(s.config.RiskRulesPlugins, ","), "-skip-risk-rules", strings.Join(s.config.SkipRiskRules, ","), "-diagram-dpi", strconv.Itoa(dpi)} + args := []string{"-model", modelFile, "-output", outputDir, "-execute-model-macro", s.config.ExecuteModelMacro, "-custom-risk-rules-plugins", strings.Join(s.config.RiskRulesPlugins, ","), "-skip-risk-rules", strings.Join(s.config.SkipRiskRules, ","), "-diagram-dpi", strconv.Itoa(dpi)} if s.config.Verbose { args = append(args, "-verbose") }