docs: verify threat models for completeness and fix silent gaps#1330
docs: verify threat models for completeness and fix silent gaps#1330spoorcc wants to merge 1 commit into
Conversation
|
Warning Review limit reached
Next review available in: 58 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (9)
WalkthroughThis PR renumbers Winget-related asset identifiers from A-09/A-10 to A-28/A-29 across the pytm threat model source files, generated threat model documentation, and control asset lists. It adds a new DFT-06 command-injection threat entry and DFT-34 credential-persistence threat, adds coverage validation logic ( ChangesThreat model updates
OSCAL compliance documentation update
Estimated code review effort: 2 (Simple) | ~15 minutes Sequence Diagram(s)sequenceDiagram
participant Generator as tm_render.py
participant Catalog as TM._threats
participant Validator as _validate_threat_coverage
participant Table as Rendered Threat Table
Generator->>Catalog: build threat catalog from TM._threats
Generator->>Validator: validate(findings, responses)
alt mismatch detected
Validator-->>Generator: raise ValueError
else coverage OK
Validator-->>Generator: pass
Generator->>Table: populate rows from findings (representative map)
Generator->>Table: insert _CatalogRow for responses without findings
end
Possibly related PRs
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@security/tm_render.py`:
- Around line 178-197: The early return in tm_render’s findings handling skips
_validate_threat_coverage() and prevents response-only rows from being rendered.
In the tm_render flow, move coverage validation before the empty-findings exit
and only return immediately when both tm.findings and responses are empty. Keep
the existing representative-building logic in tm_render so response threat IDs
not present in findings still get catalog-backed rows and unknown IDs still
trigger validation.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 709dfd35-5fa0-4670-9c26-7e6764cd5156
📒 Files selected for processing (9)
doc/explanation/security.rstdoc/explanation/threat_model_supply_chain.rstdoc/explanation/threat_model_usage.rstsecurity/README.mdsecurity/dfetch.component-definition.jsonsecurity/tm_controls_data.pysecurity/tm_render.pysecurity/tm_supply_chain.pysecurity/tm_usage.py
c4baf59 to
be98353
Compare
Cross-checking the threat catalog, responses, controls, and generated reports against each other and the codebase surfaced several gaps: - DFT-06 (command injection) and DFT-34 (long-lived stored credential) had documented responses and mitigating controls (C-006/C-007, C-015/C-017, C-042) but never appeared in any rendered threat table: DFT-06's condition no longer matches once parameterized subprocess input is modelled, and pytm's resolve() never evaluates threats against Data assets (it iterates TM._elements only). Render such responses from the threat catalog so every documented risk decision stays visible, and fail generation when a finding has no response or a response names an unknown threat ID. - Asset IDs A-09/A-10 meant different assets in the two models (Remote VCS Server / Archive HTTP Server in the usage model, Winget repo / WINGET_TOKEN PAT in the supply-chain model). Renumber the Winget assets to A-28/A-29 so every asset ID is unique across the doc set. - Gap control IDs C-018/C-019/C-020/C-035 cited by the usage model were defined nowhere; add an 'Identified Gaps' section to the security page so each reserved ID resolves to a description. - Fix the SBOM cross-reference in the usage model (A-04 -> A-03) and the stale OSCAL version (1.1.2 -> 1.2.2) in security.rst and security/README.md. - Regenerate both threat-model reports (also picks up the stale C-045/C-036 control-row ordering in the usage report).
be98353 to
c389926
Compare
Cross-checking the threat catalog, responses, controls, and generated
reports against each other and the codebase surfaced several gaps:
had documented responses and mitigating controls (C-006/C-007,
C-015/C-017, C-042) but never appeared in any rendered threat table:
DFT-06's condition no longer matches once parameterized subprocess
input is modelled, and pytm's resolve() never evaluates threats
against Data assets (it iterates TM._elements only). Render such
responses from the threat catalog so every documented risk decision
stays visible, and fail generation when a finding has no response or
a response names an unknown threat ID.
VCS Server / Archive HTTP Server in the usage model, Winget repo /
WINGET_TOKEN PAT in the supply-chain model). Renumber the Winget
assets to A-28/A-29 so every asset ID is unique across the doc set.
defined nowhere; add an 'Identified Gaps' section to the security
page so each reserved ID resolves to a description.
the stale OSCAL version (1.1.2 -> 1.2.2) in security.rst and
security/README.md.
C-045/C-036 control-row ordering in the usage report).
Summary by CodeRabbit
New Features
Bug Fixes
Documentation