Describe the bug:
It is not obvious how to enter a threat model in. As an example threat model, I attached an excerpt of the threat model from TS 103 701 V1.1.1. (well, I tried to attach it)
(Note: full version available at: https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/01.01.01_60/ts_103701v010101p.pdf (threat model starts on page 131))
(Note: I've attempted to attach an excerpt of the threat model, but GitHub has given no feedback on whether it actually worked or not; you may need to get it from the above link)
So for example, as you can see in Table D.1, Attacker characterization, we have "Description" and "Baseline Attacker Potential" fields for
Elapsed time for identification and exploitation
Expertise
Knowledge of the DUT (design and operation)
Opportunity
Equipment required for exploitation
But it is not obvious how one can enter the threat model in. I assume that humans would be "actors", and we can create an "actor" and change its name to "attacker", then add a new threat for (of) the attacker, but the only options for type are "Repudiation" and "Spoofing", and the only real field about the threat seems to be Description.
One could cut and paste the entire D.2 section into the Description field of the threat of that actor, but this does not feel right, as Threat Dragon is supposed to be a threat modeling system, not a word processor.
Expected behaviour:
Be able to figure out how to enter the threat model in by clicking around
Environment:
The screen looks reasonably similar to the screen in your video, so I'm guessing it's running as expected (except for possibly that the "suggest threats" button seems to be missing for mine), so all environments
Version: v2.2.0
Platform: Desktop App
OS: Linux
Browser: ps -aux reports that chromium is running in the background via systemd, so maybe it launched chromium through systemd?
Confirmed: clicking Help->Documentation does nothing visually, but it does add more chromium processes in the background. (If it's trying to get the documentation from the internet then it won't be able to, as I'm not planning to run downloaded code on a system with internet access :)
To Reproduce:
Start with no threat dragon knowledge, then start threat dragon. Load the example. Then try to click on things to construct the mentioned threat model in threat dragon.
Any additional context, screenshots, etc:
One possibility is that it might be related to: #220 ?
(i.e. it's possible the templates not being there is what's causing the confusion, depending on what would have been in the templates)
Another possibility that I see is that you're going to come back with something like "Threat Dragon is only supposed to allow you to solve a specific type of threat model".
I saw that you were hoping to have "great UX" eventually, so I wrote this in a way that you can get the perspective of what it's like for someone looking at Threat Dragon for the very first time. (which each person only gets one chance to do)
FOLLOWUP:
I don't see the difference between File->New model and Samples->Version 2 New Model (I skipped Samples->Version 2 New Model because it sounded like it was no different than
I eventually found the answer to "only showing Spoofing and Repudiation" was to do File->New model with a "generic" type diagram.
I would recommend providing several samples (instead of just one) of situations as diverse as possible.
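As an added illustration (not code from the issue or from the Threat Dragon project) of how the Table D.1 attacker characterization could be carried in Threat Dragon's single free-text Description field without turning it into prose: each D.1 row is written as one "Field: value" line, so the profile can be parsed back out of the model file. The JSON layout below is assumed from the Threat Dragon 2.x demo model, not verified from this issue, and the rating values are constructed samples, not figures from TS 103 701.

```python
import json
import uuid

# Field names are the five D.1 rows quoted in the issue; the values are
# constructed sample ratings, NOT taken from TS 103 701.
ATTACKER_PROFILE = {
    "Elapsed time for identification and exploitation": "sample: weeks",
    "Expertise": "sample: proficient",
    "Knowledge of the DUT (design and operation)": "sample: public info only",
    "Opportunity": "sample: physical access for a few hours",
    "Equipment required for exploitation": "sample: standard lab equipment",
}

def profile_to_description(profile):
    """Serialise the D.1 rows as one 'Field: value' line each."""
    return "\n".join(f"{k}: {v}" for k, v in profile.items())

def description_to_profile(description):
    """Inverse of profile_to_description; ignores lines that are not D.1 rows."""
    out = {}
    for line in description.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in ATTACKER_PROFILE:
            out[key.strip()] = value.strip()
    return out

def build_model(title, profile):
    """Assumed Threat Dragon 2.x file layout (modelled on its demo JSON, an
    assumption): one 'Generic' diagram with one actor carrying one threat."""
    threat = {
        "id": str(uuid.uuid4()), "number": 1, "title": "Attacker characterization",
        "status": "Open", "severity": "High", "type": "Spoofing",
        "description": profile_to_description(profile), "mitigation": "",
        "modelType": "Generic", "new": False, "score": "",
    }
    actor = {
        "id": str(uuid.uuid4()), "shape": "actor", "visible": True, "zIndex": 1,
        "position": {"x": 50, "y": 50}, "size": {"width": 160, "height": 80},
        "attrs": {"text": {"text": "Attacker"}},
        "data": {"type": "tm.Actor", "name": "Attacker", "description": "",
                 "outOfScope": False, "reasonOutOfScope": "",
                 "providesAuthentication": False, "hasOpenThreats": True,
                 "threats": [threat]},
    }
    return {"version": "2.2.0",
            "summary": {"title": title, "owner": "", "description": "", "id": 0},
            "detail": {"contributors": [], "reviewer": "", "diagramTop": 1, "threatTop": 1,
                       "diagrams": [{"id": 0, "title": "Attacker model", "diagramType": "Generic",
                                     "version": "2.2.0", "cells": [actor]}]}}

if __name__ == "__main__":
    print(json.dumps(build_model("TS 103 701 excerpt (constructed)", ATTACKER_PROFILE), indent=2))
```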
Thanks @ddevz, this seems to be mostly documentation issues? We welcome any contributions to the documentation, which is provided in the repo: OWASP/www-project-threat-dragon
We can try and sort some of the issues out in the next release version 2.4, if not earlier, but we are all unpaid volunteers doing this in our spare time - so no guarantees :)
Thanks @ddevz, this seems to be mostly documentation issues?
Maybe? I still don't know how one would enter it in, so I don't know yet. More precisely, I don't know how one would fit it into your data model.
I guess the first question i should ask is this: Is the threat model at https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/01.01.01_60/ts_103701v010101p.pdf (starting page 131) a threat model that Threat Dragon is intended to be able to handle, or is that threat model "out of scope" for Threat Dragon? If the intention of Threat Dragon is to be able to handle threat models of that nature, I can try to make some kind of proposal for how one might be able to enter it.
We can try and sort some of the issues out in the next release version 2.4, if not earlier,
Well, first we need to nail down if the problem is that the data model does not fit that threat model, or if the problem is my understanding of how to use Threat Dragon :)
but we are all unpaid volunteers doing this in our spare time - so no guarantees :)
No problem. It would be great to be able to have a standard application that everyone uses for these types of things.