-
-
Notifications
You must be signed in to change notification settings - Fork 251
FAQs
- Where are the arrows that allow me to create dataflows?
- When is Threat Dragon's birthday? And does Threat Dragon have a theme tune?
- I get failures when installing from source code
- I get a failure when printing a report
- Why do I get 'OWASP-Threat-Dragon-Setup isn't commonly downloaded' warnings after downloading on Windows?
- Why do I get 'Apple cannot check it for malicious software' errors after installing on MacOS?
- Why do I get 'developer can not be verified' errors after installing on MacOS?
- Why do I get 'Permissions failure opening Mac desktop app' when installing from the zip file?
- Can I run Threat Dragon from a command line?
- Is there a command line interface for Threat Dragon?
- What browsers can be used for Threat Dragon
- Why do the earlier releases come from Mike Goodwin's repo, not the OWASP repo?
- Hold on...isn't this the same as Mozilla's SeaSponge
If you view youtube videos on TD you will see that all the diagram objects have arrows in the corener; clicking on these creates relationships / data flows between the diagram objects. We have now moved to Threat Dragon version 2.x which has a different way of adding the data flows, so now if you double click on the diagram component then it will start a data flow for you, or you can drag one across from the stencil pane on the left hand side.
Mike Goodwin is the originator, founder and leader of OWASP Threat Dragon. The first commit to the original threat dragon repository was made on 9th October 2015, so that is Threat Dragon's birthday. Cupcake has a birthday as well: DЯΣΛMƧVΣЯƧΣ uploaded the original artwork on 7th May 2012.
At the moment there is no Threat Dragon song ... but if you can compose one we would be most grateful.
The Threat Dragon source code can be downloaded from github, and installed using pnpm install.
If you are running off main branch then it really should install cleanly,
so if you get errors along the lines of Running postinstall script failed then some package downloads my be blocked by your network.
Try using a VPN, or find out if your router / network can allow the traffic.
We have some issues when printing from the desktop version of Threat Dragon for Linux.
This results in an error reported on the console: Crashing due to FD ownership violation, and is due to known bug in
Electron.
The work-around is to use the web app version of Threat Dragon, run command pnpm start, and then use a browser to access the application.
Why do I get 'OWASP-Threat-Dragon-Setup isn't commonly downloaded' warnings after downloading on Windows?
This is due to the way we sign the Windows images, choosing it to be verified by the community rather than going through a process with Microsoft. Eventually there will be enough downloads for it to become fully trusted ... until then we have to put up with this irritation on first install.
Click on the 'show more' and agree to keep the file. You will have to agree again 'Keep anyway' before Windows accepts that you really want to keep the file. You can then double click on the download to install Threat Dragon.
From version 1.4.0 onwards the MacOS images are code signed, but they are not notarised. We are working on this but until that happens you will probably get a pop-up dialog box declaring '“OWASP-Threat-Dragon” can’t be opened because Apple cannot check it for malicious software'
To resolve this (and you only need to do this once):
- On the error pop-up dialog box click on 'Show in Finder'
- From Finder, right click on 'OWASP-Threat-Dragon' and select 'Open'
- A pop-up dialog will display, select 'Open' and Threat Dragon will run
- this needs to be done just once, on the first run, and then MacOS remembers the decision
Before release 1.4.0 the Threat Dragon .dmg files were not code signed, so when running for the first time an error message will probably be shown in a pop-up window. This is along the lines of 'OWASP Threat Dragon cannot be opened because the developer cannot be verified' or '“OWASP Threat Dragon” cannot be opened because the developer cannot be verified, macOS cannot verify that this app is free from malware'.
To resolve this:
- close the error message popup
- from the MacOS 'Apple', top left of display, go to "System Preferences" > "Security & Privacy"
- at the bottom of the dialog, see message saying that "OWASP-Threat-Dragon" was blocked. Next to it, click "Open anyway"
- the initial error message will pop up again, but this time have the option to click "Open" to run Threat Dragon despite the warning
- click 'Open' and Threat Dragon now runs OK
- this only has to be done once, after this Threat Dragon can be run as normal
Threat Dragon is now saved as an exception to your security settings, and you can run it in the future by double-clicking it just as you can any registered app.
If you download and unpack the MacOS zip file from the downloads area, you may get the message "You do not have permission to open the application" when opening the unzipped application.
Your MacOS has a security policy that does not allow the zip archive to run directly, which is the case for the majority (but not all) MacOS these days. Try the .dmg installer from the Threat Dragon release area. This then should install directly without any need for a security exception.
With the desktop version of Threat Dragon installed, and if the executable is in the environment path, then it can be run from the command line.
For example on Windows:
OWASP-Threat-Dragon.exe
or on MacOS and Linux:
OWASP-Threat-Dragon
AppImage does not need installation, so after downloading version 1.3.1 for example:
./OWASP-Threat-Dragon-1.3.1.AppImage
With the desktop versions 1.6.x of Threat Dragon installed there is a command line interface which can be used if the executable is in the environment path. For example run this command to get help :
OWASP-Threat-Dragon --help
And to export a given threat model file to pdf :
OWASP-Threat-Dragon --pdf ./threat-model.json --verbose
or on Windows:
OWASP-Threat-Dragon.exe --pdf .\threat-model.json --verbose
or using AppImage (using version 1.3.1 for example):
./OWASP-Threat-Dragon-1.3.1.AppImage --pdf ./threat-model.json --verbose
Note that the path to the JSON file needs to be resolvable, so use the full path or the './' if the file is in the working directory.
Versions 2.x of Threat Dragon do not (yet) have a command line interface, but this is due to be added sometime in 2024.
Threat Dragon has been tested on these browsers, and for sure it will work on more than these:
| Platform | Browser | Tested |
|---|---|---|
| Windows | Edge | Microsoft Edge 38 for Windows 10 |
| Windows | IE | Internet Explorer 11 for Windows 10 |
| Windows | Chrome | Windows 10 |
| Windows | Firefox | Windows 10 |
| Linux | Abrowser | Mozilla 68.0.2 for Trisquel / Gnu Linux trisquel 8.0 |
| MacOS | Firefox | Firefox 73.0.1 for macOS version 10.15 |
| MacOS | Safari | Safari 13.0.2 for macOS 10.15 |
| MacOS | Chrome | Google Chrome 80.0 for macOS 10.15 |
For more than 4 years Mike hosted Threat Dragon on his github area, and in mid-2020 he felt that the time was right for it to migrate to the OWASP organisation github space. This was done through June and July 2020 and with version 1.3 (released September 2020) the migration was completed.
Hold on...isn't this the same as Mozilla's SeaSponge?
As Mike Goodwin was working on prototyping Threat Dragon, mostly as a way of getting himself properly up to speed with javascript, he found out about Mozilla SeaSponge via the OWASP leaders mailing list. SeaSponge has a lot in common with this project and Mike based his implementation of the threat model file download feature on theirs. Maybe they could be merged in the future? Who knows?