FAQs

Threat dragon FAQs

• Failures when installing from source code
• Failure when printing a report
• Why do I get 'Apple cannot check it for malicious software' errors after installing on MacOS?
• Why do I get 'developer can not be verified' errors after installing on MacOS?
• Why do I get 'Permissions failure opening Mac desktop app' when installing from the zip file?
• Can I run Threat Dragon from a command line?
• Is there a command line interface for Threat Dragon?
• What browsers can be used for Threat Dragon
• Why do the earlier releases come from Mike Goodwin's repo, not the OWASP repo?
• Hold on...isn't this the same as Mozilla's SeaSponge

When is Threat Dragon's birthday? And does Threat Dragon have a theme tune?

Mike Goodwin is the originator, founder and leader of OWASP Threat Dragon. The first commit to the original threat dragon repository was made on 9th October 2015, so that is Threat Dragon's birthday. Cupcake has a birthday as well: DЯΣΛMƧVΣЯƧΣ uploaded the original artwork on 7th May 2012.

At the moment there is no Threat Dragon song ... but if you can compose one we would be most grateful.

Failures when installing from source code

The Threat Dragon source code can be downloaded from github, and installed using pnpm install. If you are running off main branch then it really should install cleanly, so if you get errors along the lines of Running postinstall script failed then some package downloads my be blocked by your network. Try using a VPN, or find out if your router / network can allow the traffic.

Failure when printing a report

We have some issues when printing from the desktop version of Threat Dragon for Linux. This results in an error reported on the console: Crashing due to FD ownership violation, and is due to known bug in Electron. The work-around is to use the web app version of Threat Dragon, run command pnpm start, and then use a browser to access the application.

Why do I get 'Apple cannot check it for malicious software' errors after installing on MacOS?

From version 1.4.0 onwards the MacOS images are code signed, but they are not notarised. We are working on this but until that happens you will probably get a pop-up dialog box declaring '“OWASP-Threat-Dragon” can’t be opened because Apple cannot check it for malicious software'

To resolve this (and you only need to do this once):

1. On the error pop-up dialog box click on 'Show in Finder'
2. From Finder, right click on 'OWASP-Threat-Dragon' and select 'Open'
3. A pop-up dialog will display, select 'Open' and Threat Dragon will run
4. this needs to be done just once, on the first run, and then MacOS remembers the decision

Why do I get 'developer can not be verified' errors after installing on MacOS?

Before release 1.4.0 the Threat Dragon .dmg files were not code signed, so when running for the first time an error message will probably be shown in a pop-up window. This is along the lines of 'OWASP Threat Dragon cannot be opened because the developer cannot be verified' or '“OWASP ZAP” cannot be opened because the developer cannot be verified, macOS cannot verify that this app is free from malware'.

To resolve this:

1. close the error message popup
2. from the MacOS 'Apple', top left of display, go to "System Preferences" > "Security & Privacy"
3. at the bottom of the dialog, see message saying that "OWASP-Threat-Dragon" was blocked. Next to it, click "Open anyway"
4. the initial error message will pop up again, but this time have the option to click "Open" to run Threat Dragon despite the warning
5. click 'Open' and Threat Dragon now runs OK
6. this only has to be done once, after this Threat Dragon can be run as normal

Threat Dragon is now saved as an exception to your security settings, and you can run it in the future by double-clicking it just as you can any registered app.

Why do I get 'Permissions failure opening Mac desktop app' when installing from the zip file?

If you download and unpack the MacOS zip file from the downloads area, you may get the message "You do not have permission to open the application" when opening the unzipped application.

Your MacOS has a security policy that does not allow the zip archive to run directly, which is the case for the majority (but not all) MacOS these days. Try the .dmg installer from the Threat Dragon release area. This then should install directly without any need for a security exception.

Can I run Threat Dragon Desktop from a command line?

With the desktop version of Threat Dragon installed, and if the executable is in the environment path, then it can be run from the command line.

For example on Windows:

OWASP-Threat-Dragon.exe

or on MacOS and Linux:

OWASP-Threat-Dragon

AppImage does not need installation, so after downloading version 1.3.1 for example:

./OWASP-Threat-Dragon-1.3.1.AppImage

Is there a command line interface for Threat Dragon Desktop?

With the desktop version of Threat Dragon installed there is a command line interface which can be used if the executable is in the environment path. For example run this command to get help :

OWASP-Threat-Dragon --help

And to export a given threat model file to pdf :

OWASP-Threat-Dragon --pdf ./threat-model.json --verbose

or on Windows:

OWASP-Threat-Dragon.exe --pdf .\threat-model.json --verbose

or using AppImage (using version 1.3.1 for example):

./OWASP-Threat-Dragon-1.3.1.AppImage --pdf ./threat-model.json --verbose

Note that the path to the JSON file needs to be resolvable, so use the full path or the './' if the file is in the working directory.

What browsers can be used for Threat Dragon?

Threat Dragon has been tested on these browsers, and for sure it will work on more than these:

Platform	Browser	Tested
Windows	Edge	Microsoft Edge 38 for Windows 10
Windows	IE	Internet Explorer 11 for Windows 10
Windows	Chrome	Windows 10
Windows	Firefox	Windows 10
Linux	Abrowser	Mozilla 68.0.2 for Trisquel / Gnu Linux trisquel 8.0
MacOS	Firefox	Firefox 73.0.1 for macOS version 10.15
MacOS	Safari	Safari 13.0.2 for macOS 10.15
MacOS	Chrome	Google Chrome 80.0 for macOS 10.15

Why do the earlier releases come from Mike Goodwin's repo, not the OWASP repo?

For more than 4 years Mike hosted Threat Dragon on his github area, and in mid-2020 he felt that the time was right for it to migrate to the OWASP organisation github space. This was done through June and July 2020 and with version 1.3 (released September 2020) the migration is complete. The demo threat model is still sourced from Mike's github area, which gives continuity to the origins of Threat Dragon.

Hold on...isn't this the same as Mozilla's SeaSponge?

As Mike Goodwin was working on prototyping Threat Dragon, mostly as a way of getting himself properly up to speed with javascript, he found out about Mozilla SeaSponge via the OWASP leaders mailing list. SeaSponge has a lot in common with this project and Mike based his implementation of the threat model file download feature on theirs. Maybe they could be merged in the future? Who knows?