
Bug: Missing Communication Link Reference in individual_risk_categories Despite Proper Definition in technical_assets #102

Closed
DavidCheuk opened this issue Oct 22, 2024 · 9 comments

Comments

@DavidCheuk

DavidCheuk commented Oct 22, 2024

Issue Summary: I'm experiencing an issue where Threagile fails to recognize a communication link defined in technical_assets within the individual_risk_categories. Specifically, the communication link process-to-db is reported as missing in the risk category internal-fault-risk, even though it is correctly defined in the technical_assets.

Error message:
2024/10/22 00:24:58 missing referenced communication link at individual risk 'internal-fault-risk': process-to-db

threagile.yaml

threagile_version: "1.0"
title: "Test Threagile Model"
date: "2024-10-21"
author:
  name: "Jane Doe"
  homepage: "https://janedoe.example.com"
business_criticality: "critical"
tags_available:
  - "finance"
  - "user-data"
  - "compliance"
  - "confidential"
  - "backend"
  - "api"
  - "database"
  - "persistent-storage"
  - "internal"
  - "runtime"
  - "web"
data_assets:
  data-asset-db:
    id: "data-asset-db"
    description: "Primary database containing user financial data."
    usage: "business"
    tags:
      - "finance"
    origin: "internal"
    owner: "Database Team"
    quantity: "many"
    confidentiality: "confidential"
    integrity: "critical"
    availability: "critical"
    justification_cia_rating: "Essential for financial transactions and user trust."

technical_assets:
  process-server:
    id: "process-server"
    description: "Handles business logic and processes user transactions."
    type: "process"
    usage: "business"
    used_as_client_by_human: false
    out_of_scope: false
    size: "application"
    technology: "web-application"
    tags:
      - "backend"
      - "api"
    internet: false
    machine: "virtual"
    encryption: "data-with-symmetric-shared-key"
    owner: "DevOps Team"
    confidentiality: "confidential"
    integrity: "critical"
    availability: "important"
    multi_tenant: false
    redundant: true
    custom_developed_parts: true
    data_assets_processed:
      - "data-asset-db"
    data_assets_stored:
      - "data-asset-db"
    data_formats_accepted:
      - "json"
      - "xml"
    communication_links:
      process-to-db:
        target: "database-server"
        description: "Connects the process server to the main database."
        protocol: "jdbc"
        authentication: "credentials"
        authorization: "technical-user"
        vpn: true
        ip_filtered: true
        readonly: false
        usage: "business"
        data_assets_sent:
          - "data-asset-db"
        data_assets_received:
          - "data-asset-db"

  database-server:
    id: "database-server"
    description: "Stores and manages all financial user data."
    type: "datastore"
    usage: "business"
    used_as_client_by_human: false
    out_of_scope: false
    size: "system"
    technology: "database"
    tags:
      - "database"
      - "persistent-storage"
    internet: false
    machine: "virtual"
    encryption: "data-with-symmetric-shared-key"
    owner: "Database Team"
    confidentiality: "confidential"
    integrity: "critical"
    availability: "critical"
    multi_tenant: false
    redundant: true
    custom_developed_parts: false
    data_assets_processed:
      - "data-asset-db"
    data_assets_stored:
      - "data-asset-db"
    data_formats_accepted:
      - "json"
      - "xml"
    communication_links: {}  # No outgoing communication links from the database server

shared_runtimes:
  shared-runtime-web:
    id: "shared-runtime-web"
    description: "Shared runtime environment for web applications."
    tags:
      - "runtime"
      - "web"
    technical_assets_running:
      - "process-server"

individual_risk_categories:
  internal-fault-risk:
    id: "internal-fault-risk"
    description: "Risk associated with the communication between process server and database server."
    impact: "High impact on data integrity and availability."
    asvs: "ASVS Level 2"
    cheat_sheet: "Use secure communication protocols and strong authentication mechanisms."
    action: "Implement encryption and robust authentication for all database connections."
    mitigation: "Use encrypted JDBC connections with strong credentials and regularly rotate them."
    check: "Regularly audit database access logs and monitor for unusual activities."
    function: "development"
    stride: "information-disclosure"
    detection_logic: "Monitor and alert on abnormal access patterns and failed login attempts."
    risk_assessment: "High likelihood of data breach due to sensitive financial data."
    false_positives: "Low"
    model_failure_possible_reason: false
    cwe: 200
    risks_identified:
      data_exposure:
        severity: "high"
        exploitation_likelihood: "likely"
        exploitation_impact: "high"
        data_breach_probability: "probable"
        data_breach_technical_assets:
          - "database-server"
        most_relevant_data_asset: "data-asset-db"
        most_relevant_technical_asset: "database-server"
        most_relevant_communication_link: "process-to-db"
        most_relevant_trust_boundary: "internal-network"
        most_relevant_shared_runtime: "shared-runtime-web"
trust_boundaries:
  internal-network:
    id: "internal-network"
    description: "Internal network trust boundary."
    type: "network-on-prem"
    tags:
      - "internal"
    technical_assets_inside:
      - "process-server"
      - "database-server"
    trust_boundaries_nested: []
risk_tracking:
  internal-fault-risk:
    status: "in-progress"
    justification: "Addressing the encryption and authentication vulnerabilities."
    ticket: "TICKET-1234"
    date: "2024-10-20"
    checked_by: "Security Team Lead"

Expected Behavior: Threagile should recognize the process-to-db communication link defined within technical_assets and associate it correctly with the internal-fault-risk in individual_risk_categories without any missing reference errors.

Actual Behavior: Despite the correct definition of process-to-db in technical_assets and proper referencing in individual_risk_categories, Threagile reports that the communication link is missing.
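To show what the quoted error is checking, here is an added Go example (not Threagile's own code) that runs the same kind of reference check over the ids from the model above: every most_relevant_* field of an individual risk category must resolve to an id defined elsewhere in the model. The struct and the ids are constructed here from the report's YAML; a real run would load them with a YAML parser.

```go
package main

import "fmt"

// Minimal cut of the model sections involved in the error above, constructed for
// this example; the field names mirror the YAML keys in the report.
type Risk struct {
	MostRelevantTechnicalAsset, MostRelevantCommunicationLink, MostRelevantTrustBoundary, MostRelevantSharedRuntime string
}

type Model struct {
	TechnicalAssets    map[string]bool
	CommunicationLinks map[string]bool // ids from technical_assets[*].communication_links
	TrustBoundaries    map[string]bool
	SharedRuntimes     map[string]bool
	IndividualRisks    map[string]map[string]Risk // category id -> risks_identified
}

// MissingReferences checks every most_relevant_* field of the individual risk
// categories against the sections defining those ids and returns one line per
// dangling reference, worded like the Threagile error quoted in the report.
// Within one risk the messages follow the check order below; across
// categories the order follows Go's random map iteration.
func MissingReferences(m Model) []string {
	var out []string
	check := func(kind, cat, id string, defined map[string]bool) {
		if id != "" && !defined[id] { // most_relevant_* fields are optional
			out = append(out, fmt.Sprintf("missing referenced %s at individual risk '%s': %s", kind, cat, id))
		}
	}
	for cat, risks := range m.IndividualRisks {
		for _, r := range risks {
			check("technical asset", cat, r.MostRelevantTechnicalAsset, m.TechnicalAssets)
			check("communication link", cat, r.MostRelevantCommunicationLink, m.CommunicationLinks)
			check("trust boundary", cat, r.MostRelevantTrustBoundary, m.TrustBoundaries)
			check("shared runtime", cat, r.MostRelevantSharedRuntime, m.SharedRuntimes)
		}
	}
	return out
}

// ReportModel is the model from the bug report, reduced to the ids that matter.
func ReportModel() Model {
	return Model{
		TechnicalAssets:    map[string]bool{"process-server": true, "database-server": true},
		CommunicationLinks: map[string]bool{"process-to-db": true},
		TrustBoundaries:    map[string]bool{"internal-network": true},
		SharedRuntimes:     map[string]bool{"shared-runtime-web": true},
		IndividualRisks: map[string]map[string]Risk{"internal-fault-risk": {"data_exposure": {
			"database-server", "process-to-db", "internal-network", "shared-runtime-web"}}},
	}
}
```

Run on the report's model, MissingReferences returns nothing, which is the result the reporter expected from Threagile; change process-to-db to an undefined link id and it returns exactly the message quoted in the report.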

@ezavgorodniy
Collaborator

Thanks for raising the issue.
I'd like to ask perhaps one question: which version of Threagile are you using?

I have just tried to run this from source code and it's working absolutely fine with me.

@DavidCheuk
Author

DavidCheuk commented Nov 7, 2024

I am using this Docker version; the issue happened on both Windows and Mac.

podman run --rm -it threagile/threagile --version
WARNING: image platform (linux/amd64) does not match the expected platform (linux/arm64)

Threagile - Agile Threat Modeling

Documentation: https://threagile.io
Docker Images: https://hub.docker.com/r/threagile/threagile
Sourcecode: https://github.com/threagile
License: Open-Source (MIT License)
Version: 1.0.0 (20240730113903)

@DavidCheuk
Author

I also tried to run it from the source code, but the risk defined in the "individual risk category" is missing from the reports. See #103.

@ezavgorodniy
Collaborator

Yeah, individual risks have been reworked to use something like this: https://github.com/Threagile/threagile/blob/master/pkg/risks/scripts/accidental-secret-leak.yaml

@joreiche may share a bit more about it

@DavidCheuk
Author

Oh, thanks for the info. As I am using individual risk categories (irc) heavily, I just want to clarify: do you mean irc will be reworked like the one in https://github.com/Threagile/threagile/blob/master/pkg/risks/scripts/accidental-secret-leak.yaml? If so, I need to temporarily separate those parts into another manual report until your work is done.

It would be better to announce this and turn off the individual risk category functionalities if that is the case. We are serious users of Threagile, and that would impact what we should invest time in. :p

Is there anything I can contribute? I can ping @joreiche.

@DavidCheuk
Author

DavidCheuk commented Nov 7, 2024

Thanks for making Threagile an even better tool! Good job!

@joreiche
Collaborator

joreiche commented Nov 8, 2024

@DavidCheuk In the upcoming version 1.0, the native-code custom risk modules have been reworked to enable cross-platform support. I apologize that there isn't any documentation for this yet. We haven't officially released 1.0 yet, one of the main reasons being the lack of documentation of the changes as well as insufficient testing of this functionality. I will try to give you the important bits here but please be aware that this is gathered ad-hoc and likely incomplete.

Please, see cmd/risk_demo/main.go for a working example of what your custom risk modules should look like. The main differences to the previous implementation (off the top of my head) are:

custom risk modules are now regular executables, not shared libraries
they need to read input data in YAML format (e.g. the model) via os.Stdin
they need to write model.CustomRiskCategory in YAML format to os.Stdout when called with command line flag -get-info
they need to write a slice of types.Risk items in YAML format to os.Stdout when called with command line flag -generate-risks
they should write any runtime error messages to os.Stderr (so Threagile can capture and log them)
I reviewed the example in cmd/risk_demo/main.go and noticed that it is actually not correctly implemented (it uses JSON instead of YAML, and it text-formats its output data instead of directly writing it to os.Stdout) at the moment. I will fix it and test it to make sure it works correctly. I will let you know when it is ready.

To Yevhen's point, there is also a script engine to allow writing risk modules. I expect to hook up this functionality into the custom risk modules as well but I don't think this has been done yet. Only the built-in risk modules are currently being loaded and executed using the script engine.

Eventually, native-code scripts (and RAA calculations) will be deprecated in favor of only supporting scripts in the future. We will definitely keep in mind your use case and the fact that you have a number of custom modules that would need to be converted. When we start deprecating support for native-code modules, I'll be happy to help you convert your modules to scripts.

@joreiche
Collaborator

joreiche commented Nov 8, 2024

@DavidCheuk I pushed the fixed risk demo module to branch script-explanations. Since that branch is very far behind master it will take me a while rebasing that branch and merging my changes to master. Please stay tuned :)

Once this branch has been merged, you should be able to run Threagile with a config file like this

threagile run --config config.json

with config.json looking like this

{
  "PluginFolder": "path_to_plugins",
  "RiskRulesPlugins": [
    "risk_demo"
  ]
}

@joreiche
Collaborator

The demo risk rule is now merged to master.
