Collects meta-information about conducted threat modeling activities from Confluence wiki pages.
The OWASP Foundation community article Threat Modeling Process (Nov 2023) lists the following meta-information for a threat model:
Information identifying the threat model typically includes the following:
- Application Name: The name of the application examined.
- Application Version: The version of the application examined.
- Description: A high level description of the application.
- Document Owner: The owner of the threat modeling document.
- Participants: The participants involved in the threat modeling process for this application.
- Reviewer: The reviewer(s) of the threat model.
However, for the purpose of metric collection for DSOMM, we adjusted the required information to:
- Application Name: The name of the application examined.
- Team Name: The name of the team that owns/maintains the application.
- Title: The title summarizing the scope or question of the threat modeling.
- Date: The date when the threat modeling activity was conducted.
- Links: The list of links to the threat modeling document (main source) and to supplementary reference material like:
  - recorded drawings or pictures from physical/virtual whiteboards (e.g. Miro boards)
  - resulting tickets (e.g. JIRA issues)
See also:
- Sample threat modeling documentations
- Blog "Let's Talk About MedSec" (24 Apr 2022): Threat Modeling Knowledge Bases and Templates
- GitHub Repository from Izar Tarandach: izar/pytm : A Pythonic framework for threat modeling
Prerequisite: Python 3 must be installed.
Steps:
- Clone the repository source-code
- Make sure all required packages are installed
Example:
git clone https://github.com/devsecopsmaturitymodel/collector-confluence.git
cd collector-confluence
pip install -r requirements.txt
We recommend preparing a .env file and specifying the Confluence URL, account and credentials there.
Example file .env (with anonymized data):
CONFLUENCE_URL='https://example.atlassian.net/wiki' # change to your Confluence cloud URL
CONFLUENCE_LOGIN='username@example.com' # change to your account name/email
CONFLUENCE_PASSWORD='' # fill in your API token from your Atlassian profile
However, you can also set those environment variables separately.
If both the .env file and the environment variables are present, the environment variables take precedence.
Use a YAML file to configure the label for the Confluence search and the mapping from Confluence space to application/team.
The key-value pair space_mapping is required; search_label defaults to 'threat-modeling'.
See the example scraping_config.yaml:
space_mapping:
  MR:
    application_name: 'magic-records'
    team_name: 'magic-team'
  EK: { application_name: 'elastic-kube', team_name: 'elastic-kubernauts' }
  BED: { application_name: 'bed-beats' }
search_label: 'threat-modeling'
activity_name: 'Threat Modeling'
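Added example (not part of the collector's own code) showing how the .env precedence and the scraping_config.yaml rules described above can be checked before a run: environment variables override .env values, space_mapping is required, and search_label falls back to 'threat-modeling'. The sample .env text and the config dict are constructed here; the dict stands in for what a YAML loader would return from the example file, so the snippet runs without PyYAML.

```python
import re

# Constructed sample .env, mirroring the README's anonymized example (no real secret).
SAMPLE_DOTENV = """
CONFLUENCE_URL='https://example.atlassian.net/wiki' # change to your Confluence cloud URL
CONFLUENCE_LOGIN='username@example.com' # change to your account name/email
CONFLUENCE_PASSWORD='' # fill in your API token from your Atlassian profile
"""
# The example scraping_config.yaml as a YAML loader would return it (constructed inline
# as a dict so this runs without PyYAML); note that search_label is deliberately omitted.
SAMPLE_SCRAPING_CONFIG = {"activity_name": "Threat Modeling", "space_mapping": {
    "MR": {"application_name": "magic-records", "team_name": "magic-team"},
    "EK": {"application_name": "elastic-kube", "team_name": "elastic-kubernauts"},
    "BED": {"application_name": "bed-beats"}}}
CONFLUENCE_KEYS = ("CONFLUENCE_URL", "CONFLUENCE_LOGIN", "CONFLUENCE_PASSWORD")
# KEY='v' | KEY="v" | KEY=v, optionally followed by a '# comment' as in the README's .env.
_DOTENV_LINE = re.compile(
    r"""^\s*([A-Z_][A-Z0-9_]*)\s*=\s*(?:'([^']*)'|"([^"]*)"|([^#\s]*))\s*(?:#.*)?$""")

def parse_dotenv(text):
    """Parse .env text into a dict; blank and comment-only lines are skipped."""
    values = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _DOTENV_LINE.match(line)
        if m is None:
            raise ValueError(f"malformed .env line: {line!r}")
        key, single, double, bare = m.groups()
        values[key] = single if single is not None else double if double is not None else bare
    return values

def resolve_settings(dotenv, environ):
    """Merge .env values with the process environment; environment variables win."""
    merged = {k: environ.get(k, dotenv.get(k, "")) for k in CONFLUENCE_KEYS}
    if not all(merged.values()):
        raise ValueError("missing Confluence settings: " + ", ".join(k for k, v in merged.items() if not v))
    return merged

def load_scraping_config(raw):
    """space_mapping is required (each space needs an application_name); search_label has a default."""
    mapping = raw.get("space_mapping")
    if not isinstance(mapping, dict) or not mapping:
        raise ValueError("scraping config needs a non-empty 'space_mapping'")
    spaces = {}
    for space, entry in mapping.items():
        if not isinstance(entry, dict) or not entry.get("application_name"):
            raise ValueError(f"space {space!r} needs an application_name")
        spaces[space] = {"application_name": entry["application_name"],
                         "team_name": entry.get("team_name")}  # team_name is optional (see BED)
    return {"space_mapping": spaces, "activity_name": raw.get("activity_name"),
            "search_label": raw.get("search_label", "threat-modeling")}
```

Pass `os.environ` as the second argument of resolve_settings to reproduce the collector's "environment variables win" behaviour against a real .env file.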
The application is based on GitHub and easily adaptable for GitHub Enterprise.
Example file .env:
GIT_HUB_REPO='metricca-data'
GIT_HUB_OWNER='devsecopsmaturitymodel'
GIT_HUB_APP_ID=''
GIT_HUB_APP_PRIVATE_KEY_BASE64=''
# or
GIT_HUB_ACCESS_TOKEN='' # fine-grained
Run the CLI app with your prepared Scraping configuration YAML as argument (e.g. on Linux and macOS):
./confluence_collector.py example/scraping_config.yaml
To see the CLI help for more options (e.g. --out-path or --debug):
./confluence_collector.py --help
Help screen:
Usage: confluence_collector.py [OPTIONS] SCRAPING_CONFIG
╭─ Arguments ───────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ * scraping_config PATH [default: None] [required] │
╰───────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
╭─ Options ─────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ --out-path PATH [default: /tmp/collector-confluence] │
│ --debug --no-debug [default: debug] │
│ --help Show this message and exit. │
╰───────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
# Please cd into this directory and fill out .env
docker build -t wurstbrot/collector-confluence .
docker run --env-file .env --volume ./scraping_config.yaml:/app/scraping_config.yaml wurstbrot/collector-confluence
TODO: Kustomize