I am creating a threat model and am in the middle of creation; now I need to clean out all the stuff I forgot. During this journey I encountered some crashes (see #65). Now I have one I cannot easily fix myself:
I added (in pkg/security/risks/builtin/server-side-request-forgery-rule.go)
// report an error if no trust boundary is found; this does not fix the crash but at least I know where to fix stuff
if input.TrustBoundaries[technicalAsset.GetTrustBoundaryId(input)] == nil {
    _, _ = fmt.Fprintf(os.Stderr, "missing trust boundary for technical asset: %q\n", technicalAsset.Id)
}
before:
// adjust for cloud-based special risks
// (the lookup returns nil when the asset is in no trust boundary, and .Type then panics)
if impact == types.LowImpact && input.TrustBoundaries[technicalAsset.GetTrustBoundaryId(input)].Type.IsWithinCloud() {
    impact = types.MediumImpact
}
This does not fix the crash, but at least I got a hint about what I need to fix.
I think the bug is somewhere else: there should be some kind of sanitize method after the parse that checks for the existence of technical assets inside of trust boundaries, and even more if there are more dependencies. Or the createRisk methods need a way to report an error.
Technical assets may or may not be inside trust boundaries, so the code should handle it gracefully. A recent change I made changed internal structures to pointers, which is why you likely now see crashes where before it just gave you an empty struct. This change was made so that other items can cross-reference items without having to copy them.
I am happy to help fix the issue you are having. If you need help resolving the issue, please provide a threat model I can use to reproduce the issue.
I fixed it inside my threat model by adding the print line, then seeing what's missing and then fixing it in the YAML. But at least in my opinion the threagile tool should already include such error handling. It would be more helpful if such an error appeared, for example, in a pipeline rather than some strange segmentation fault.
I am not very fluent in Go, so "seeing" which variables are pointers is not in my skill set. Otherwise I would have suggested doing it the C++ way: check each pointer and report an error if it's not valid.
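The two fixes discussed in this thread, a post-parse validation pass that reports dangling references as readable messages and a nil-safe version of the rule's cloud adjustment, sketched as an added example. This is not threagile's code: the types (Model, TrustBoundary, TechnicalAsset), the method names (Validate, TrustBoundaryOf, AdjustForCloud) and the IsWithinCloud stand-in are simplified assumptions, and the sample model is constructed to contain one asset in a cloud boundary, one asset in no boundary, and one boundary that lists an asset that does not exist.

```go
package main

import (
	"fmt"
	"os"
	"sort"
)

// Hypothetical, simplified stand-ins for the parsed model; not threagile's real types.
type Impact int

const (
	LowImpact Impact = iota
	MediumImpact
)

type TrustBoundaryType int

const (
	NetworkOnPrem TrustBoundaryType = iota
	NetworkCloudProvider
)

// IsWithinCloud stands in for the check the rule calls on the boundary type.
func (t TrustBoundaryType) IsWithinCloud() bool { return t == NetworkCloudProvider }

type TechnicalAsset struct{ Id string }

type TrustBoundary struct {
	Id                    string
	Type                  TrustBoundaryType
	TechnicalAssetsInside []string // asset IDs as listed in the YAML
}

type Model struct {
	TechnicalAssets map[string]*TechnicalAsset
	TrustBoundaries map[string]*TrustBoundary
}

// TrustBoundaryOf returns the boundary listing the asset as inside it, or nil
// when the asset sits outside every boundary (which the model allows).
func (m *Model) TrustBoundaryOf(assetId string) *TrustBoundary {
	for _, tb := range m.TrustBoundaries {
		for _, inside := range tb.TechnicalAssetsInside {
			if inside == assetId {
				return tb
			}
		}
	}
	return nil
}

// Validate is the post-parse sanity pass: every dangling asset reference is
// collected as a readable message instead of surfacing later as a nil-pointer
// panic inside a risk rule.
func (m *Model) Validate() []string {
	var problems []string
	for _, tb := range m.TrustBoundaries {
		for _, id := range tb.TechnicalAssetsInside {
			if _, ok := m.TechnicalAssets[id]; !ok {
				problems = append(problems,
					fmt.Sprintf("trust boundary %q lists unknown technical asset %q", tb.Id, id))
			}
		}
	}
	sort.Strings(problems) // map iteration order is random; keep output stable
	return problems
}

// AdjustForCloud is a nil-safe form of the rule's cloud adjustment: an asset
// outside any boundary keeps its impact rather than dereferencing nil.
func AdjustForCloud(m *Model, asset *TechnicalAsset, impact Impact) Impact {
	tb := m.TrustBoundaryOf(asset.Id)
	if tb == nil {
		return impact
	}
	if impact == LowImpact && tb.Type.IsWithinCloud() {
		return MediumImpact
	}
	return impact
}

// SampleModel is constructed input: a cloud boundary holding web-app, an asset
// (batch) outside every boundary, and a boundary referencing a missing asset.
func SampleModel() *Model {
	return &Model{
		TechnicalAssets: map[string]*TechnicalAsset{"web-app": {Id: "web-app"}, "batch": {Id: "batch"}},
		TrustBoundaries: map[string]*TrustBoundary{
			"cloud-vpc": {Id: "cloud-vpc", Type: NetworkCloudProvider, TechnicalAssetsInside: []string{"web-app"}},
			"dmz":       {Id: "dmz", Type: NetworkOnPrem, TechnicalAssetsInside: []string{"gateway"}},
		},
	}
}

func main() {
	m := SampleModel()
	if problems := m.Validate(); len(problems) > 0 {
		fmt.Fprintln(os.Stderr, "model errors:", problems)
		os.Exit(1) // readable failure for a pipeline, not a segmentation fault
	}
	fmt.Println(AdjustForCloud(m, m.TechnicalAssets["web-app"], LowImpact))
}
```

Running Validate once, right after parsing, is what turns the YAML mistake into an exit code and a message naming the boundary and the missing asset; the rules themselves then only need the nil check in AdjustForCloud, because an asset in no boundary is a legal model, not an error.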