-
-
Notifications
You must be signed in to change notification settings - Fork 260
FAQs
- Why do the earlier releases come from Mike Goodwin's repo, not the OWASP repo?
- Why do I get 'Apple cannot check it for malicious software' errors after installing on MacOS?
- Why do I get 'developer can not be verified' errors after installing on MacOS?
- Can I run Threat Dragon from a command line?
- Is there a command line interface for Threat Dragon?
- What browsers can be used for Threat Dragon
- Hold on...isn't this the same as Mozilla's SeaSponge
For more than 4 years Mike hosted Threat Dragon on his github area, and in mid-2020 he felt that the time was right for it to migrate to the OWASP organisation github space. This was done through June and July 2020 and with version 1.3 (released September 2020) the migration is complete. The demo threat model is still sourced from Mike's github area, which gives continuity to the origins of Threat Dragon.
From version 1.4.0 onwards the MacOS images are code signed, but they are not notarised. We are working on this but until that happens you will probably get a pop-up dialog box declaring '“OWASP-Threat-Dragon” can’t be opened because Apple cannot check it for malicious software'
To resolve this (and you only need to do this once):
- On the error pop-up dialog box click on 'Show in Finder'
- From Finder, right click on 'OWASP-Threat-Dragon' and select 'Open'
- A pop-up dialog will display, select 'Open' and Threat Dragon will run
- this needs to be done just once, on the first run, and then MacOS remembers the decision
Before release 1.4.0 the Threat Dragon .dmg files were not code signed, so when running for the first time an error message will probably be shown in a pop-up window. This is along the lines of 'OWASP Threat Dragon cannot be opened because the developer cannot be verified' or '“OWASP ZAP” cannot be opened because the developer cannot be verified, macOS cannot verify that this app is free from malware'.
To resolve this:
- close the error message popup
- from the MacOS 'Apple', top left of display, go to "System Preferences" > "Security & Privacy"
- at the bottom of the dialog, see message saying that "OWASP-Threat-Dragon" was blocked. Next to it, click "Open anyway"
- the initial error message will pop up again, but this time have the option to click "Open" to run Threat Dragon despite the warning
- click 'Open' and Threat Dragon now runs OK
- this only has to be done once, after this Threat Dragon can be run as normal
Threat Dragon is now saved as an exception to your security settings, and you can run it in the future by double-clicking it just as you can any registered app.
With the desktop version of Threat Dragon installed, and if the executable is in the environment path, then it can be run from the command line.
For example on Windows:
OWASP-Threat-Dragon.exe
or on MacOS and Linux:
OWASP-Threat-Dragon
AppImage does not need installation, so after downloading version 1.3.1 for example:
./OWASP-Threat-Dragon-1.3.1.AppImage
With the desktop version of Threat Dragon installed there is a command line interface which can be used if the executable is in the environment path. For example run this command to get help :
OWASP-Threat-Dragon --help
And to export a given threat model file to pdf :
OWASP-Threat-Dragon --pdf ./threat-model.json --verbose
or on Windows:
OWASP-Threat-Dragon.exe --pdf .\threat-model.json --verbose
or using AppImage (using version 1.3.1 for example):
./OWASP-Threat-Dragon-1.3.1.AppImage --pdf ./threat-model.json --verbose
Note that the path to the JSON file needs to be resolvable, so use the full path or the './' if the file is in the working directory.
Threat Dragon has been tested on these browsers, and for sure it will work on more than these:
| Platform | Browser | Tested |
|---|---|---|
| Windows | Edge | Microsoft Edge 38 for Windows 10 |
| Windows | IE | Internet Explorer 11 for Windows 10 |
| Windows | Chrome | Windows 10 |
| Windows | Firefox | Windows 10 |
| Linux | Abrowser | Mozilla 68.0.2 for Trisquel / Gnu Linux trisquel 8.0 |
| MacOS | Firefox | Firefox 73.0.1 for macOS version 10.15 |
| MacOS | Safari | Safari 13.0.2 for macOS 10.15 |
| MacOS | Chrome | Google Chrome 80.0 for macOS 10.15 |
Hold on...isn't this the same as Mozilla's SeaSponge?
As Mike was working on prototyping this, mostly as a way of getting himself properly up to speed with javascript, he found out about SeaSponge via the OWASP leaders mailing list. SeaSponge has a lot in common with this project and Mike based his implementation of the threat model file download feature on theirs. Maybe they could be merged in the future? Who knows?