Developer notes for OWASP Threat Dragon

Overview

This is a collection of notes used during development, most of which should be up to date; if not, then raise an issue. The recipes are for both Windows and Linux/MacOS; in general the npm and git commands are the same on all platforms, but some of the commands (e.g. cd ../..) need to be modified if running on a Windows platform.

Documentation

The documentation repo will update documentation at both threatdragon.github.io and docs.threatdragon.org websites.

Install and Run

Install and run web application

git clone --recursive git@github.com:OWASP/threat-dragon.git
cd threat-dragon
npm install
npm test
export GITHUB_CLIENT_ID=<the client id>
export GITHUB_CLIENT_SECRET=<the client secret>
export NODE_ENV=development
export SESSION_STORE=local
export SESSION_SIGNING_KEY=<32 char key>
export SESSION_ENCRYPTION_KEYS='[{"isPrimary": true, "id": 0, "value": "<32 char key>"}]'
npm start

Note that some environment variables need to be set up for the webapp to run. Once these are in place then use npm start to run the threat dragon server.

Navigate in a browser to http://localhost:3000/ to test the app. If there is an error such as 'Cannot GET /' then make sure the environment variables are set up correctly.
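A pre-flight check for the variables exported above, as an added example that is not part of the Threat Dragon repo. The function names are hypothetical, and it assumes a 32-character hex string is acceptable wherever the notes ask for a <32 char key>.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not from the Threat Dragon repo).

# 32 hex characters (128 bits) read from the kernel CSPRNG.
# Assumption: a hex string is acceptable where the notes ask for "<32 char key>".
td_gen_key() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -dc '0-9a-f'
}

# Wrap a key in the SESSION_ENCRYPTION_KEYS JSON shape shown in the notes.
td_encryption_keys() {
    printf '[{"isPrimary": true, "id": 0, "value": "%s"}]' "$1"
}

# Print one line per problem found; return non-zero if there were any.
td_check_env() {
    rc=0
    for name in GITHUB_CLIENT_ID GITHUB_CLIENT_SECRET NODE_ENV SESSION_STORE \
                SESSION_SIGNING_KEY SESSION_ENCRYPTION_KEYS; do
        eval "val=\${$name-}"
        case $val in
            '')        echo "$name is not set"; rc=1 ;;
            *'<'*'>'*) echo "$name still holds a <placeholder>"; rc=1 ;;
        esac
    done
    sig=${SESSION_SIGNING_KEY-}
    [ "${#sig}" -eq 32 ] || { echo "SESSION_SIGNING_KEY must be 32 characters"; rc=1; }
    # Pull the "value" field out of the JSON without needing jq.
    enc=$(printf '%s' "${SESSION_ENCRYPTION_KEYS-}" | sed -n 's/.*"value": *"\([^"]*\)".*/\1/p')
    [ "${#enc}" -eq 32 ] || { echo "encryption key value must be 32 characters"; rc=1; }
    case ${SESSION_ENCRYPTION_KEYS-} in
        *'"isPrimary": true'*|*'"isPrimary":true'*) ;;
        *) echo "SESSION_ENCRYPTION_KEYS has no primary key"; rc=1 ;;
    esac
    # Key separation: one key copied into both variables is a common shortcut.
    if [ -n "$enc" ] && [ "$enc" = "$sig" ]; then
        echo "signing and encryption keys should differ"; rc=1
    fi
    return $rc
}

# Usage, in the shell that will run the server:
#   export SESSION_SIGNING_KEY=$(td_gen_key)
#   export SESSION_ENCRYPTION_KEYS=$(td_encryption_keys "$(td_gen_key)")
#   td_check_env && npm start
```

Running td_check_env before npm start gives a named cause for a misconfigured environment instead of the bare 'Cannot GET /' seen in the browser.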

Install and run desktop application

Launch the electron-based desktop application using:

git clone git@github.com:OWASP/threat-dragon.git
cd threat-dragon/td.desktop
npm install
npm run build
npm test
npm start

After making changes to the code it is usually worth running npm run build before npm run start.

You can debug the changes using npm run debug, which prints debug messages to the console.

Run webapp in docker container

A Dockerfile is provided that can be used to create a docker image:

  • checkout the threat dragon source repo
  • from the root directory build the docker image using docker build -t owasp-threat-dragon:dev .
  • wait for the docker image to build
  • create a .env environment variable file using the example example.env as a template
  • run a docker container using docker run -it -p 3000:3000 -v $(pwd)/.env:/app/td.server/.env owasp-threat-dragon:dev
  • navigate in a browser to http://localhost:3000/
  • if there is an error in the browser such as 'Cannot GET /' then make sure .env file is correct

Release process

The steps used during the release process

Tag the release

  1. git clone git@github.com:OWASP/threat-dragon.git
  2. cd threat-dragon
  3. update version declaration, e.g. "version": "1.6.0", in package.json, td.desktop/package.json, td.site/package.json and td.server/package.json
  4. rebuild the applications using the new semver
  5. npm install
  6. npm run build
  7. npm test
  8. git commit -a -m"<some release message>"
  9. git push
  10. tag the release with appropriate subver git tag v1.6.0
  11. git push origin v1.6.0

Publish docker image

  1. once tagged the workflow pushes the docker image to docker hub
  2. check using docker pull threatdragon/owasp-threat-dragon:v1.6.0

Test the release

Test the release images as above, ideally on all of Windows, Linux and MacOS.

Ensure the Snap image is available via the official snapcraft distribution.

Go public

If all tests go well, then update the release notes for the draft release in the Threat Dragon release area and then mark the release as public.

Update the release notification on the OWASP releases page.

Finally, ensure Threat Dragon tweets the release on Twitter and announces it on the OWASP slack channels.

Legacy demo and dev websites

These public sites are updated from Mike Goodwin's original repo at github.com/mike-goodwin/owasp-threat-dragon, so long as all the pull request checks pass.

Threat Dragon: making threat models less threatening