No description
  • Clojure 96%
  • Python 2.9%
  • Dockerfile 0.7%
  • Shell 0.4%
Find a file
2026-06-29 08:33:03 +00:00
doc update doc 2026-06-18 17:04:37 +02:00
infrastructure bump version to: 3.1.1-SNAPSHOT 2026-06-26 18:52:47 +02:00
report fix: make report folder able for report generation 2026-01-30 15:16:45 +01:00
src feat/downstream-api-improvement (#5) 2026-06-26 16:52:03 +00:00
.gitignore ignore 2026-01-30 15:18:08 +01:00
.gitlab-ci.yml ci: use new build container 2026-01-23 13:24:08 +01:00
build.py rename 2026-02-27 11:13:40 +01:00
LICENSE initial 2025-10-13 09:41:33 +02:00
project.clj bump version to: 3.1.1-SNAPSHOT 2026-06-26 18:52:47 +02:00
README.md Update README.md 2026-06-29 08:33:03 +00:00

dda-tara

Clojars Project pipeline status

DeltaChat chat over e-mail | M meissa@social.meissa-gmbh.de | Blog | Website

Rational

First of all: Kudos for the real cool idea implemented in https://github.com/Threagile/threagile

Threagile provides a very DevOps way to do Threat Analysis and Risk Assessment. But threagile also has room for improvement. For this reason we reimplemented & enhanced.

Declare id only once

dda-tara uses the threagile model as foundation. But there where some sanitation to make live easier:

Use key as id:

data_assets:
    star-count:
        description: stars belonging to an repository & given by local and distant users
        usage: business

will result in

data_assets:
    star-count:
        id: "star-count"
        description: stars belonging to an repository & given by local and distant users
        usage: business

Enhanced include & yaml 1.2 support

threagile supports include. But with yaml 1.2 we need an improved include support to distinguishe clearlay wether include is just a text include or a merge operation. includes-as-text just includes the file as text, aliases are preserved.

Given a file well-known-attack-tree-lib/injection.yaml

sql-injection: &sql-injection
  title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  stride: ElevationOfPrivilege
  cwe: 89

You can use the include and refer to declared anchors.

includes-as-text:
  - well-known-attack-tree-lib/injection.yaml

attacks_used:
  sql-injection: 
    <<: *sql-injection
    description: >
      Experienced hacker sends a Like Activity containing an actor url pointing to an 
      evil forgejo instance. Our repository server sends an `get Person Actor` 
      request to this instance and gets a person having sth. like `; drop database;` 
      in its name. If our server tries to create a new user out of this person, the db 
      might be dropped.
    score: 
      Damage: 99
      AffectedUsers: 99

include or includes-to-merge will do a deep merge on all listed yamls.

Given a files to-be-included-deep1.yaml and to-be-included-deep2.yaml with

key: 
  this-was-included1: {}
key: 
  this-was-included2: {}

can be used as

includes-to-merge:
  - to-be-included1.yaml
  - to-be-included2.yaml

key-below: []

and will result in:

key:
  this-was-included1: {}
  this-was-included2: {}

key-below: []

collect common attacks

We think, collected domain knowledge is the real value of a tool. We provide an attack trees in well-known-attack-tree-lib. You can find commonly used attack trees in src/main/resources.

This common knowledge is part of this library.

cli first

We think it is important to be able to provide a binary cli tool ready to use. For this reason our tool generates adoc & dot sources. This sources can be converted by any adoc generator set to pdf & html.

Adapt to your Product TARA in your own Application

It is intended to collect all the common knowledge in this library and to adjust to your product in a application by its own. Find an example application here: https://repo.prod.meissa.de/meissa/forgejo-tara

Reference

application

To build your own application you can use the predefinde application main function.

(ns dda.forgejo-threats.application
  (:gen-class)
  (:require
   [my-project.dda-threats.application :as app]
   [my-project.domain.rule :as ru]))

(defn -main [& cmd-args]
  (app/main "dda-threats"
      []
      ru/example-technical-asset-related-rule-fkts
      cmd-args))

To handle the general technical assets threats, you can iterate all the technical assets declared with the technical-asset-related-threats hook. You can declare a sequence of functions which are handed over to application.

Technical assets hook function should be declared as follows. The function should either return nil or a threat recognized. Example:

(ns my-project.domain.rule
  (:require
   [orchestra.core :refer [defn-spec]]
   [dda.dda-threats.domain.rule.model :as m]
   [dda.dda-threats.domain.scored-attack-tree :as sat]
   [dda.dda-threats.domain.threagile :as ta]))

(def example-technical-asset-related-rule-fkts
  [user-input-data-assets])

(defn-spec user-input-data-assets ::m/threat
  [technical-asset ::ta/technical-asset
   threagile ::ta/threagile
   attacks ::sat/attacks]
  (let [processed-asset-set (:data_assets_processed technical-asset)
        assets-under-threat (ta/data-asset-filtered
                             processed-asset-set
                             (fn [x] (some #(= "user-input" %) (:tags x)))
                             threagile)
        first-asset (first assets-under-threat)]
    (when (not-empty assets-under-threat)
      {:id (str "silent-typo-squatting: " (:id technical-asset))
       :data-asset first-asset
       :attack (get-in attacks [:attacks_used :silent-typo-squatting])})))

To handle the communication related threats, you can iterate all the communications assets declared with the communication-related-threats hook. You can declare a sequence of functions which are handed over to application.

As the threagile model allows to declare two directions, communications are handed over normalized to this function.

Communication related hook function should be declared as follows. The function should either return nil or a threat recognized. Example:

(ns my-project.domain.rule
  (:require
   [orchestra.core :refer [defn-spec]]
   [dda.dda-threats.domain.rule.model :as m]
   [dda.dda-threats.domain.scored-attack-tree :as sat]
   [dda.dda-threats.domain.threagile :as ta]))

(def example-communication-related-rule-fkts
  [incoming-data-assets])

(defn-spec incoming-data-assets ::m/threat
  [source ::ta/technical-asset
   target ::ta/technical-asset
   link ::ta/link
   assets-affected ::m/data-asset-ids
   threagile ::ta/threagile
   attacks ::sat/attacks]
  (let [persistent-asset-set (set (:data_assets_stored target))
        assets-under-threat (ta/data-asset-filtered
                             assets-affected
                             (fn [x] (contains? persistent-asset-set (:id x)))
                             threagile)]
    (when (not-empty assets-under-threat)
      {:id (str "sql-injection: " (:id source) " -> " (:id target))
       :data-assets assets-under-threat
       :link link
       :attack (get-in attacks [:attacks_used :sql-injection])})))

data-asset-filtered

Get data-assets filtered by e.g. tags:

(def processed-asset-set (:data_assets_processed technical-asset))

(ta/data-asset-filtered processed-asset-set
                        (fn [x] (some #(= "user-input" %) (:tags x)))
                         threagile)

cross-boundary?

Test whether the technical assets are cross boundary.

(def source { ... technical-asset ...})
(def target { ... technical-asset ...})

is-cross-boundary? (ta/cross-boundary?
                    source target threagile)

Video

movie.mp4

Generate Pdf Report

Generate report from test outputs:

podman run -v ./report:/documents \
    domaindrivenarchitecture/asciidoctor-mermaid -r asciidoctor-pdf -b pdf report.adoc

Development & mirrors

Development happens at: https://repo.prod.meissa.de/meissa/dda-tara

Mirrors are:

For more details about our repository model see: https://repo.prod.meissa.de/meissa/federate-your-repos

License

Copyright © 2023-2026 meissa GmbH Licensed under the Apache License, Version 2.0 (the "License") Pls. find licenses of our subcomponents here