classpath reader fix, report edit, embedded library edit, CLI scripts…

… add, notice file add

NOTICE.txt

@@ -0,0 +1,7 @@
+tic-taac
+
+Copyright (c) 2021-2022 Mikhail Rusakovich. All Rights Reserved.
+
+The licenses for the software listed below can be found in the META-INF/licenses/[dependency name].
+
+This product uses Microsoft STRIDE methodology for threats classification: https://en.wikipedia.org/wiki/STRIDE_(security)

cli/tic-taac.bat

@@ -0,0 +1,110 @@
+@REM
+@REM Copyright (c) 2021-2022 Mikhail Rusakovich.  All rights reserved.
+@REM
+@REM Licensed under the Apache License, Version 2.0 (the "License");
+@REM you may not use this file except in compliance with the License.
+@REM You may obtain a copy of the License at
+@REM
+@REM     http://www.apache.org/licenses/LICENSE-2.0
+@REM
+@REM Unless required by applicable law or agreed to in writing, software
+@REM distributed under the License is distributed on an "AS IS" BASIS,
+@REM WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+@REM See the License for the specific language governing permissions and
+@REM limitations under the License.
+@REM ----------------------------------------------------------------------------
+
+@echo off
+
+set ERROR_CODE=0
+
+:init
+@REM Decide how to startup depending on the version of windows
+
+@REM -- Win98ME
+if NOT "%OS%"=="Windows_NT" goto Win9xArg
+
+@REM set local scope for the variables with windows NT shell
+if "%OS%"=="Windows_NT" @setlocal
+
+@REM -- 4NT shell
+if "%eval[2+2]" == "4" goto 4NTArgs
+
+@REM -- Regular WinNT shell
+set CMD_LINE_ARGS=%*
+goto WinNTGetScriptDir
+
+@REM The 4NT Shell from jp software
+:4NTArgs
+set CMD_LINE_ARGS=%$
+goto WinNTGetScriptDir
+
+:Win9xArg
+@REM Slurp the command line arguments.  This loop allows for an unlimited number
+@REM of arguments (up to the command line limit, anyway).
+set CMD_LINE_ARGS=
+:Win9xApp
+if %1a==a goto Win9xGetScriptDir
+set CMD_LINE_ARGS=%CMD_LINE_ARGS% %1
+shift
+goto Win9xApp
+
+:Win9xGetScriptDir
+set SAVEDIR=%CD%
+%0\
+cd %0\..\..
+set BASEDIR=%CD%
+cd %SAVEDIR%
+set SAVE_DIR=
+goto repoSetup
+
+:WinNTGetScriptDir
+for %%i in ("%~dp0..") do set "BASEDIR=%%~fi"
+
+:repoSetup
+set REPO=
+
+
+if "%JAVACMD%"=="" set JAVACMD=java
+
+if "%REPO%"=="" set REPO=%BASEDIR%\lib
+
+set CLASSPATH="%BASEDIR%"\plugins\*;"%REPO%"\*
+
+set ENDORSED_DIR=
+if NOT "%ENDORSED_DIR%" == "" set CLASSPATH="%BASEDIR%"\%ENDORSED_DIR%\*;%CLASSPATH%
+
+if NOT "%CLASSPATH_PREFIX%" == "" set CLASSPATH=%CLASSPATH_PREFIX%;%CLASSPATH%
+
+@REM Reaching here means variables are defined and arguments have been captured
+:endInit
+
+%JAVACMD% %JAVA_OPTS%  -classpath %CLASSPATH% -Dapp.name="tic-taac" -Dapp.repo="%REPO%" -Dapp.home="%BASEDIR%" -Dbasedir="%BASEDIR%" com.github.rusakovichma.tictaac.Launcher %CMD_LINE_ARGS%
+if %ERRORLEVEL% NEQ 0 goto error
+goto end
+
+:error
+if "%OS%"=="Windows_NT" @endlocal
+set ERROR_CODE=%ERRORLEVEL%
+
+:end
+@REM set local scope for the variables with windows NT shell
+if "%OS%"=="Windows_NT" goto endNT
+
+@REM For old DOS remove the set variables from ENV - we assume they were not set
+@REM before we started - at least we don't leave any baggage around
+set CMD_LINE_ARGS=
+goto postExec
+
+:endNT
+@REM If error code is set to 1 then the endlocal was done already in :error.
+if %ERROR_CODE% EQU 0 @endlocal
+
+
+:postExec
+
+if "%FORCE_EXIT_ON_ERROR%" == "on" (
+  if %ERROR_CODE% NEQ 0 exit %ERROR_CODE%
+)
+
+exit /B %ERROR_CODE%

cli/tic-taac.sh

@@ -0,0 +1,135 @@
+#!/usr/bin/env sh
+#
+# Copyright (c) 2021-2022 Mikhail Rusakovich.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------
+
+
+# resolve links - $0 may be a softlink
+PRG="$0"
+
+while [ -h "$PRG" ]; do
+  ls=`ls -ld "$PRG"`
+  link=`expr "$ls" : '.*-> \(.*\)$'`
+  if expr "$link" : '/.*' > /dev/null; then
+    PRG="$link"
+  else
+    PRG=`dirname "$PRG"`/"$link"
+  fi
+done
+
+PRGDIR=`dirname "$PRG"`
+BASEDIR=`cd "$PRGDIR/.." >/dev/null; pwd`
+
+# Reset the REPO variable. If you need to influence this use the environment setup file.
+REPO=
+
+
+# OS specific support.  $var _must_ be set to either true or false.
+cygwin=false;
+mingw=false;
+darwin=false;
+case "`uname`" in
+  CYGWIN*) cygwin=true ;;
+  MINGW*) mingw=true ;;
+  Darwin*) darwin=true
+           if [ -z "$JAVA_VERSION" ] ; then
+             JAVA_VERSION="CurrentJDK"
+           else
+             echo "Using Java version: $JAVA_VERSION"
+           fi
+		   if [ -z "$JAVA_HOME" ]; then
+		      if [ -x "/usr/libexec/java_home" ]; then
+			      JAVA_HOME=`/usr/libexec/java_home`
+			  else
+			      JAVA_HOME=/System/Library/Frameworks/JavaVM.framework/Versions/${JAVA_VERSION}/Home
+			  fi
+           fi       
+           ;;
+esac
+
+if [ -z "$JAVA_HOME" ] ; then
+  if [ -r /etc/gentoo-release ] ; then
+    JAVA_HOME=`java-config --jre-home`
+  fi
+fi
+
+# For Cygwin and MINGW, ensure paths are in UNIX format before anything is touched
+if $cygwin || $mingw; then
+  [ -n "$JAVA_HOME" ] && JAVA_HOME=`cygpath --unix "$JAVA_HOME"`
+  [ -n "$CLASSPATH" ] && CLASSPATH=`cygpath --path --unix "$CLASSPATH"`
+fi
+
+# If a specific java binary isn't specified search for the standard 'java' binary
+if [ -z "$JAVACMD" ] ; then
+  if [ -n "$JAVA_HOME"  ] ; then
+    if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
+      # IBM's JDK on AIX uses strange locations for the executables
+      JAVACMD="$JAVA_HOME/jre/sh/java"
+    else
+      JAVACMD="$JAVA_HOME/bin/java"
+    fi
+  else
+    JAVACMD=`which java`
+  fi
+fi
+
+if [ ! -x "$JAVACMD" ] ; then
+  echo "Error: JAVA_HOME is not defined correctly." 1>&2
+  echo "  We cannot execute $JAVACMD" 1>&2
+  exit 1
+fi
+
+if [ -z "$REPO" ]
+then
+  REPO="$BASEDIR"/lib
+fi
+
+CLASSPATH="$BASEDIR"/plugins/*:"$REPO"/*
+
+ENDORSED_DIR=
+if [ -n "$ENDORSED_DIR" ] ; then
+  CLASSPATH=$BASEDIR/$ENDORSED_DIR/*:$CLASSPATH
+fi
+
+if [ -n "$CLASSPATH_PREFIX" ] ; then
+  CLASSPATH=$CLASSPATH_PREFIX:$CLASSPATH
+fi
+
+# For Cygwin and Mingw, switch paths to Windows format before running java
+if $cygwin || $mingw; then
+  [ -n "$CLASSPATH" ] && CLASSPATH=`cygpath --path --windows "$CLASSPATH"`
+  [ -n "$JAVA_HOME" ] && JAVA_HOME=`cygpath --path --windows "$JAVA_HOME"`
+  [ -n "$HOME" ] && HOME=`cygpath --path --windows "$HOME"`
+  [ -n "$BASEDIR" ] && BASEDIR=`cygpath --path --windows "$BASEDIR"`
+  [ -n "$REPO" ] && REPO=`cygpath --path --windows "$REPO"`
+fi
+
+DEBUG=""
+for var in "$@"
+do
+if [ "$var" = "--debug" ]; then
+    DEBUG="-Xdebug -Xnoagent -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000"
+fi
+done
+
+exec "$JAVACMD" $JAVA_OPTS $DEBUG  \
+  -classpath "$CLASSPATH" \
+  -Dapp.name="tic-taac" \
+  -Dapp.pid="$$" \
+  -Dapp.repo="$REPO" \
+  -Dapp.home="$BASEDIR" \
+  -Dbasedir="$BASEDIR" \
+  com.github.rusakovichma.tictaac.Launcher \
+  "$@"

src/main/java/com/github/rusakovichma/tictaac/Launcher.java

@@ -79,7 +79,7 @@ private static ThreatEngine getThreatEngine(ThreatRulesProvider rulesProvider, M
     private static ThreatsReporter getThreatsReporter(Map<String, String> params) {
         String outPath = params.get("out");
         if (outPath == null || outPath.isEmpty()) {
-            throw new IllegalStateException("Report output path: '--out %output_report_rid%' parameter should be provided");
+            throw new IllegalStateException("Report output path: '--out %output_report_dir%' parameter should be provided");
         }
         ReportFormat outFormat = ReportFormat.fromString(params.get("outFormat"));
         if (outFormat == null) {

src/main/java/com/github/rusakovichma/tictaac/provider/reader/ClassPathReader.java

@@ -19,9 +19,10 @@
 
 import com.github.rusakovichma.tictaac.parser.impl.NodeTreeParser;
 import com.github.rusakovichma.tictaac.parser.model.NodeTree;
+import com.github.rusakovichma.tictaac.util.ResourceUtil;
 
 import java.io.IOException;
-import java.io.InputStream;
+import java.net.URL;
 
 class ClassPathReader implements Reader {
 
@@ -32,8 +33,8 @@ public NodeTree read(String path) {
                 path = path.replaceFirst("classpath:", "");
             }
 
-            InputStream inputStream = ClassLoader.class.getResourceAsStream(path);
-            return new NodeTreeParser().getNodeTree(inputStream);
+            URL resource = ResourceUtil.class.getResource(path);
+            return new NodeTreeParser().getNodeTree(resource.openStream());
         } catch (IOException ex) {
             ex.printStackTrace();
             throw new RuntimeException("Cannot init classpath file[" + path + "]", ex);

src/main/resources/report-templates/html/threat-model-report-entry

@@ -1,9 +1,9 @@
 <tr>
-    <td>%s</td>
-	<td>%s</td>
-	<td>%s</td>
+    <td>&nbsp;%s&nbsp;</td>
 	<td>%s</td>
+	<td>&nbsp;&nbsp;&nbsp;%s&nbsp;&nbsp;&nbsp;</td>
 	<td>%s</td>
 	<td>%s</td>
 	<td>%s</td>
+	<td>&nbsp;%s&nbsp;</td>
 </tr>

src/main/resources/threats-library/default-threats-library.yml

@@ -1,4 +1,12 @@
 name: Default Threats Library
 version: 1.0.0
 
-rules:
+rules:
+  - information-discosure-in-transit
+    title: Information Disclosure and Tampering in Transit for {flow.name}
+    severity: High
+    categories: information-disclosure, tampering
+    expression: flow.encryption == no
+    exclude: flow.inScope == false
+    description: In network eavesdropping attacks, hackers look for weak connections between clients and servers. By exploiting these weak connections, hackers intercept data packets traversing the network. Any network, web or email traffic, if not encrypted, can be read by the hacker.
+    remediation: Ensure strong TLS is configured for the {flow.name} connection

src/test/resources/threat-model-engine-context-test.yml

@@ -75,7 +75,7 @@ data-flows:
 		title: Database query
 		authentication-method: credentials
 		authorization: admin
-		encryption: yes
+		encryption: no
 		account-management: local-account
 		transferred-assets:
 			- personal-data