Multi threat libs

[izar]

Adds capability to select which threat lib to use on the command line:

• nothing in the command line: uses the default library
• --threat-files foo.json : uses the threats in foo.json only
• --threat-files foo.json default : uses the threats in foo.json and the default ones

[raphaelahrens]

Why is the output a string and not a list of strings?

[izar]

that's what varStrings with only one value put out...

[raphaelahrens]

Is this a bug?

[izar]

in the immortal words of just about everybody..."works for me"!

[raphaelahrens]

Ok I had a quick look and the issue is that the default to_serializable is used.

pytm/pytm/pytm.py

Lines 2015 to 2018 in 9dc0f1f

	@singledispatch
	def to_serializable(val):
	"""Used by default."""
	return str(val)

This is just the same as

json.dumps(str(set(["./a.json"])))

The issue is created by

pytm/pytm/pytm.py

Line 2023 in 9dc0f1f

return serialize(obj, nested=True)

Because of this check for not nested in serialize().

pytm/pytm/pytm.py

Line 2064 in 9dc0f1f

not nested

pytm/pytm/pytm.py

Lines 2035 to 2070 in 9dc0f1f

	def serialize(obj, nested=False):
	"""Used if *obj* is an instance of TM, Element, Threat or Finding."""
	klass = obj.__class__
	result = {}
	if isinstance(obj, (Actor, Asset)):
	result["__class__"] = klass.__name__
	for i in dir(obj):
	if (
	i.startswith("__")
	or callable(getattr(klass, i, {}))
	or (
	isinstance(obj, TM)
	and i in ("_sf", "_duplicate_ignored_attrs", "_threats")
	)
	or (isinstance(obj, Element) and i in ("_is_drawn", "uuid"))
	or (isinstance(obj, Finding) and i == "element")
	):
	continue
	value = getattr(obj, i)
	if isinstance(obj, TM) and i == "_elements":
	value = [e for e in value if isinstance(e, (Actor, Asset))]
	if value is not None:
	if isinstance(value, (Element, Data)):
	value = value.name
	elif isinstance(obj, Threat) and i == "target":
	value = [v.__name__ for v in value]
	elif i in ("levels", "sourceFiles", "assumptions"):
	value = list(value)
	elif (
	not nested
	and not isinstance(value, str)
	and isinstance(value, Iterable)
	):
	value = [v.id if isinstance(v, Finding) else v.name for v in value]
	result[i.lstrip("_")] = value
	return result

This whole serialize function is a bit overloaded with special handling of member variables and might require a rewrite.
All the checks seem to be for specific classes which are all handle in the same function.
Also why is there the check for nested?
This is basically equivalent to checking if the class is TM.

A quick fix would be something like if instance(obj, TM) and i == "threatsFile" but oh boy that is not nice.

Should this be a new issue?

[izar]

sounds like something to be addressed. @nineinchnick , you there?

[colesmj]

There appears to be only 1 check for nested. If nested is true, the behavior seems to be potentially undefined (if the code reaches the not nested elif).

[raphaelahrens]

Yes. I started to rewrite the code see #268, but it is difficult to understand what the intention here was.
It seems that the default is result[i.lstrip("_")] = value and the cases above only change the value of value.
So setting nested = True means that value will not be touched, except it is a Element, Data, or Threat. Or the name of the member is in ("levels", "sourceFiles", "assumptions").

The last one seems to be a fix for a specific class.

[colesmj]

Are you adding --colormap in this PR also?

[izar]

it should be there already, it is an old one. It appears on the currently checked code on the master branch.

[izar]

oh this is the readme! let me fix that

[colesmj]

Why do extra work on line 791 to load the default when you can just do it here? You will always reach this line at least once, correct?

[izar]

i don't remember the details but there is a timing issue there. Something around things being used before loaded.

[colesmj]

There appears to be only 1 check for nested. If nested is true, the behavior seems to be potentially undefined (if the code reaches the not nested elif).

[colesmj]

Do you have a test for when the default is not included in threatsfile?

[izar]

Hm. No. Gotta do one, you're right.