Version 1.3 from OWASP

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,33 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: bug
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Environment:**
+ - Platform: [e.g. Desktop, WebApp]
+ - OS: [e.g. MacOS]
+ - Browser [e.g. chrome, safari]
+ - Version [e.g. 22]
+
+**Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,28 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Describe what problem your feature request solves**
+<!--
+A clear and concise description of what the problem is
+-->
+
+**Describe the solution you'd like**
+<!--
+A clear and concise description of what you want to happen.
+-->
+
+**Describe alternatives you've considered**
+<!--
+A clear and concise description of any alternative solutions or features you've considered.
+-->
+
+**Additional context**
+<!--
+Add any other context or screenshots about the feature request here.
+-->

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,34 @@
+<!--
+Please provide enough information so that others can review your pull request.
+If this is a bug fix, make sure your description includes "fixes #xxxx", or
+"closes #xxxx", where #xxxx is the issue number.
+The first three fields are mandatory:
+-->
+**- Summary**
+
+<!--
+Explain the motivation for making this change.
+What existing issue does the pull request solve?
+-->
+
+**- Tests**
+
+<!--
+Demonstrate the code is solid.
+Ensure the the code passes the `npm run-script pretest` and the `npm test` stages.
+-->
+
+**- Description for the changelog**
+
+<!--
+Write a short (one line) summary that describes the changes in this
+pull request for inclusion in the changelog:
+-->
+
+**- Any other info**
+
+<!--
+Thanks for submitting a pull request!
+Please make sure you've read and understood our contributing guidelines;
+https://github.com/OWASP/threat-dragon/blob/main/CONTRIBUTING.md
+-->

.travis.yml

@@ -1,30 +1,7 @@
 language: node_js
 node_js:
-  - "6.10"
+  - "14.6.0"
 before_script:
+  # add display environment for firefox
   - export DISPLAY=':99.0'
   - Xvfb :99 -screen 0 1024x768x24 > /dev/null 2>&1 &
-script: if [ ${COVERITY_SCAN_BRANCH} != 1 ]; then npm test ; fi
-after_success:
-  - npm run-script codecov
-
-env:
-  global:
-   # The next declaration is the encrypted COVERITY_SCAN_TOKEN, created
-   #   via the "travis encrypt" command using the project repo's public key
-   - secure: "dedGDBAcFlo9sVzERbwbgJC9NNF/wfkJBd8Zma7kZ3cW8OBvEJSvznBhhxiAL+c79LO9M8VxyVqrgAdhI5ih/E0xnu1Gom4pDoml3eiBGIPg1f7sqYNpf0u5toKG1WwORBYPFOD8OOD2BWH3/oI0CfpnnU5GPKxV5fG9yYx0dehLB+Bx4SYt+xPhWs5APocBah75/jDY8twX/6vX64S3xdLHb0ro979p1qKSZGWPk5GpH6QkBF/KSli0zEYkJfZZmbpo2PUbynX21Uf6R5Gv8W8NGUC/fkCJl82p9eJkKT8sGZHSegJ7+Sk3wc1NjdWcjyey7tlkCc/mM4zbZXdaey4k4YAvaqBX8FkdfHpgiZZemwlIW6g6p+Q+IVaobvhlY6r8O7oannGU+fJrdeVDv/ZmjXkHeZMdsX33x3C76KLRO9Pcl/ANGbUAPrxD39fdrGtIEUVb2yWc07aSu6qiucsVZ50n3nXbgsFNkykKZSBe3Vvtghhp+BmXZv3hEohjdb4Ce7+VAnn4SBIdT2n2q73iazWZGWNSliVAyGG4OlACndKLCsn7ip+0B16WUYHB53Sve6vgXKEBushJII0pFy6RbqROQUD2VaKNP/YOdWj1OyJR/r+k94Lmsh3eXhVkHt7+FpqwEFzla0jvati7Q0WFVoKvlrrYYzLbYzdqPRU="
-
-before_install:
-      - echo -n | openssl s_client -connect scan.coverity.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | sudo tee -a /etc/ssl/certs/ca-
-
-addons:
-  coverity_scan:
-    project:
-      name: "mike-goodwin/owasp-threat-dragon-core"
-      description: "Core file for OWASP Threat Dragon"
-    notification_email: [email protected]
-    build_command_prepend: ""
-    build_command:   "--no-command --fs-capture-search src"
-    branch_pattern: sast
-    packages:
-      - xvfb

CODE_OF_CONDUCT.md

@@ -0,0 +1,76 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, sex characteristics, gender identity and expression,
+level of experience, education, socio-economic status, nationality, personal
+appearance, race, religion, or sexual identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+ advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+ address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+ professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at [email protected]. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see
+https://www.contributor-covenant.org/faq

CONTRIBUTING.md

@@ -0,0 +1,46 @@
+# Contributing to OWASP Threat Dragon
+Threat Dragon is a community project, and we are always delighted to welcome new contributors!
+
+There are several ways you can contribute:
+
+## Got a Question or Problem?
+If you have a question or problem relating to using Threat Dragon then the first thing to do is to check the
+[Frequently Asked Questions](https://owasp.org/www-project-threat-dragon/#div-faqs) tab on the [OWASP project page](https://owasp.org/www-project-threat-dragon/).
+Threat Dragon documentation is [available online](http://docs.threatdragon.org).
+
+If this does not help then ask one of the [leaders / collaborators](https://github.com/OWASP/www-project-threat-dragon/blob/master/leaders.md).
+
+## Found an Issue?
+If you have found a bug then raise an issue on the Threat Dragon 
+[core repo](https://github.com/OWASP/threat-dragon-core/issues/new?assignees=&labels=bug&template=bug_report.md&title=).
+
+It is worth checking to see if its [already been reported](https://github.com/OWASP/threat-dragon-core/issues),
+and including as much information as you can to help us diagnose your problem.
+
+## Found a Vulnerability?
+If you think you have found a vulnerability in Threat Dragon then please report it to our
+[leaders / collaborators](https://github.com/OWASP/www-project-threat-dragon/blob/master/leaders.md).
+
+We are always very grateful to researchers who report vulnerabilities responsibly and will be very happy
+to give any credit for the valuable assistance they provide.
+
+## Have a Feature Request?
+If you have a suggestion for new functionality then you can raise this request in an issue on the Threat Dragon
+[core repo](https://github.com/OWASP/threat-dragon-core/issues/new?assignees=&labels=enhancement&template=feature_request.md&title=).
+
+Again it is worth checking to see if its [already been reported](https://github.com/OWASP/threat-dragon-core/issues), 
+and include as much information as you can so that we can fully understand your requirements.
+
+## Coding
+There is always lots of coding to be done! Threat Dragon is split into 3 repos, all of which need contributions:
+* [TD webapp repo](https://github.com/OWASP/threat-dragon/issues)
+* [TD desktop app repo](https://github.com/OWASP/threat-dragon-desktop/issues)
+* [TD core repo](https://github.com/OWASP/threat-dragon-core/issues)
+
+There are some [Development Notes](dev-notes.md) that should help you to get started, as well as a template for the [Pull Requests](.github/PULL_REQUEST_TEMPLATE.md).
+
+### Improve Existing Threat Engine or Write New Ones
+The threat engines define how Threat Dragon can automatically suggest threats which could uncover vulnerabilities.
+
+We are always looking to improve [existing engine rules](src/services/threatengine.js)
+and add new ones, so this is a great place to start helping with the Threat Dragon code base.

README.md

@@ -1,11 +1,14 @@
+Note that this repository has been migrated from Mike Goodwin's [original](https://github.com/mike-goodwin/owasp-threat-dragon-core) , which has the issues and pull requests from June 2016 up to June 2020.
+
 <p align="center">
-  <img src="http://mike-goodwin.github.io/owasp-threat-dragon/content/images/threatdragon_logo_image.svg" width="200" alt="Threat Dragon Logo"/>
+  <img src="https://raw.githubusercontent.com/owasp/threat-dragon-desktop/main/content/images/threatdragon_logo_image.svg" width="200" alt="Threat Dragon Logo"/>
 </p>
 
-[![Build Status](https://travis-ci.org/mike-goodwin/owasp-threat-dragon-core.svg?branch=master)](https://travis-ci.org/mike-goodwin/owasp-threat-dragon-core) [![codecov.io](http://codecov.io/github/mike-goodwin/owasp-threat-dragon-core/coverage.svg?branch=master)](http://codecov.io/github/mike-goodwin/owasp-threat-drago-core?branch=master) [![Code Climate](https://codeclimate.com/github/mike-goodwin/owasp-threat-dragon-core/badges/gpa.svg)](https://codeclimate.com/github/mike-goodwin/owasp-threat-dragon-core)
-[![GitHub license](https://img.shields.io/github/license/mike-goodwin/owasp-threat-dragon-core.svg)](LICENSE.txt)
-[![Dependency Status](https://dependencyci.com/github/mike-goodwin/owasp-threat-dragon-core/badge)](https://dependencyci.com/github/mike-goodwin/owasp-threat-dragon-core)
-[![Known Vulnerabilities](https://snyk.io/test/github/mike-goodwin/owasp-threat-dragon-core/badge.svg)](https://snyk.io/test/github/mike-goodwin/owasp-threat-dragon-core)
+[![Build Status](https://travis-ci.org/owasp/threat-dragon-core.svg?branch=main)](https://travis-ci.org/owasp/threat-dragon-core)
+[![codecov.io](http://codecov.io/github/owasp/threat-dragon-core/coverage.svg?branch=main)](http://codecov.io/github/owasp/threat-dragon-core?branch=main)
+[![GitHub license](https://img.shields.io/github/license/owasp/threat-dragon-core.svg)](LICENSE.txt)
+[![Known Vulnerabilities](https://snyk.io/test/github/owasp/threat-dragon-core/badge.svg)](https://snyk.io/test/github/owasp/threat-dragon-core)
+[![Language grade: JavaScript](https://img.shields.io/lgtm/grade/javascript/g/OWASP/threat-dragon-core.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/OWASP/threat-dragon-core/context:javascript)
 
 # [OWASP](https://www.owasp.org) Threat Dragon #
 
@@ -15,18 +18,22 @@ The focus of the project is on great UX, a powerful rule engine and integration
 
 The application comes in two variants:
 
-1. [**A web application**](https://github.com/mike-goodwin/owasp-threat-dragon): For the web application, models files
+1. [**A web application**](https://github.com/owasp/threat-dragon): For the web application, models files
 are stored in GitHub (other storage will become available). We are currently maintaining
 [a working protoype](https://threatdragon.org) in synch with the master code branch.
 
-2. [**A desktop application**](https://github.com/mike-goodwin/owasp-threat-dragon-desktop): This is based on
+2. [**A desktop application**](https://github.com/owasp/threat-dragon-desktop): This is based on
 [Electron](https://electron.atom.io/). There are installers available for both Windows and Mac OSX, as well as
 rpm and debian packages for Linux. For this variant models are stored on the local filesystem.
 
 [End user help](http://docs.threatdragon.org/) is available for both variants.
 
 This repository contains the core files and modules that are shared between both the web and desktop variant.
 
+## Code of Conduct ##
+
+We ask that everyone who contributes to the Threat Dragon project follow the [Code of Conduct](CODE_OF_CONDUCT.md).
+
 # Installing and building #
 
 Clone the repo and run
@@ -55,80 +62,17 @@ Both of these can be run together using
 
 # Contributing #
 
-PRs, feature requests, bug reports and feedback of any kind are very welcome. We are trying to keep the test coverage
-relatively high, so please try to include tests in any PRs and make PRs on the development branch.
+Pull requests, feature requests, bug reports and feedback of any kind are very welcome, please refer to the page for [contributors](CONTRIBUTING.md). 
 
+We are trying to keep the test coverage relatively high, so please try to include tests in any PRs and make PRs on the development branch.
+There are some [developer notes](dev-notes.md) to help get started.
 
 # Vulnerability disclosure #
 
 If you find a vulnerability in this project please let us know ASAP and we will fix it as a priority.
-For secure disclosure, please email [email protected] using the following PGP key:
-
-```-----BEGIN PGP PUBLIC KEY BLOCK-----
-Version: FlowCrypt 5.1.8 Gmail Encryption flowcrypt.com
-Comment: Seamlessly send, receive and search encrypted email
-
-xsFNBFpiJ5sBEAC6AhZh14eYwGQJZaUPAapquUYeEJjBEpoR8CyKLTkDVOwP
-fyPRQ9ca9Fe1D9X/XohmvxJPscftmQo+b+FJYjB3hes1mGD0X0XszY/fzAkY
-XNOxSSowKPbysmTA5JpLjTBUW8c7lSFBD1h8xcYOoE3HVeMEP5ni3hw4i+et
-cjlcS6LsmtbyOgkLjwcZEiw5DLJEtnVzTNTaUAIeoh1nZ6w1QVOFdLw7ccAG
-On/PF0hVqQk8K6VQ/Bm8iCq3/MSZa24OBvh+PIPw+EAYC/hxQuC+zxgV57gC
-71quF89/uuNL875YBAMSmMKOTf/0Nh3deP0P7shaRLqs8OtqmanUCW4PY1d3
-eYaDNA5YkaPfAOjeomy+xcLhnDSjh6ibs6wQH3frX8i5N7z9Pzxf9g7dHd+z
-uXIWqvfmTqh/Qnki37gQS8B5otHiwX/rVr0O6lnl1TecPUripreRzwarswG4
-pWPLY9uSoN118kMs4stwj64P5KWsDhLXZRsAqCjmgOgq34y0VSkmhXvqWL6h
-oyavTbFn01f27ZzhHUBM4M0yZ7XDq69VoMEd5oZBveUq1hcjT3+fwARbiHDZ
-0RtgZ0Aac6ntDIgaN2z4IsRSt4pk/WglV72Mo3v4b5IfikxeaxbgvFpUDEoq
-BniKWEhQ7Ygo28ou4nwbIhzq9Pkde/RMHZ2WTQARAQABzSVNaWtlIEdvb2R3
-aW4gPG1pa2UuZ29vZHdpbkBvd2FzcC5vcmc+wsF1BBABCAApBQJaYiefBgsJ
-BwgDAgkQMBf67EDz6zMEFQgKAgMWAgECGQECGwMCHgEAALN7D/48eZWQmWKS
-LOHuRHjFi/ED4x5dF3Og2xCbTEN4ZMJZCtQjqHqLdMdVMjZZgDwmfNKMlSwL
-LJf0YyrKbNmp+7XUSr6JEsWwMaFxVmKkepAyphVL036YJifdKmIwVhwY8D2T
-fG6ijmbya4SLyufkGmzbYChNXDD5mHqe73gt4Mv2EMgW2sIehLk+WNGFtY/V
-weLlEzaZk61v/IOgh2P2mw2TyA2cGV18QVbxvoudANXfkOoy5akIn31sPPom
-BbCNr3RZRsHxeFvRJTQ3GX7ECFEbhzmWUAlwpGBvzNgyc4295TuEJFwcvlaG
-FcCwcyUZ90A+YzwWJ5dvpdRMNpjEyNEBYcjW4twcm8PJgJG6Mw4Va8QzV1l9
-hYb3EB0ZgS+G5boRr9qut8V0QxyKjIS+MRzJ9ZMGq4S6At42xyCGRb/Qj2m2
-kZZNqJeSLcJETfmxZw36Zql0CIdrAHZvMJNzoZ7vpMAQ+Elv9fvHeJ6MFLvV
-CcrVqBH22Kk3A7MmPfncVf5XlM9SJsHUIySMjepTbs4LgVHoQXQpku0VudLw
-wSZT79WItQ6liAr/57yhseXBfj0PNqdG4KJ7/u1WIAP7ggVd32m8stp6X2MS
-dtxrKiBwGe96qdTb2wQidPtIgY/wxgvLFrgOQ9pgl1Q1X40f34wUkAzEAesE
-MLsprifq3gMUns7BTQRaYiebARAAj0vtQbpZlZRM3/AoPrlwvLUh8t7cs5Oo
-DtKoJJhQPfMfGbEPvdnfB/EXVIY+6DuW/q/RiIAXfDG57u5qBBM55JVAFr94
-030kGF9BAjBOriS93LFGrZDcvQrGY69HfIjiE3QiE8UvLUz1h8BBu6GXieyg
-BtJznNbeyJ17y18DdecVUihYIEBfsGyB9Mp4WeBWdIcxIHWraNXpBYh6cJAz
-cri09IigO/uw/Ru0j08BJTJs2x5lHKlkYCYXt045i9his8imJ4PMUldxwayc
-wrMyeujq4ur71punfIdfY2lhqPj1d1mQcEOoINNW9n+gxdT99XUc68NMA6uf
-O1az2bMpMZK7ZOr7+AKe/JTrD01duoCwZqoacWh6fWSt+Y+KaOPAeZ+86O80
-P3sziUvVfd4Zq1/tlDFDs6jF46fhPznUCPwVO9vhY/4jkTO0bxOKjDLtc+tX
-TnKKqfOm10kxNibM+rh0Z0tIb9PFJH45TJL5wykI3N5R25EafGn3OAq/mStr
-KzoR4PNgEMSpN/5QhOLP1/dQSC06Gs/e4yXxqg4mGEhMm15/D0Zu2E37ywrf
-F7ATf1R5xBAZ++Ac4wLoSGhjYRkcpjtf2ycHS15REw6MpVNZxX87+qs8JEAt
-SPEMn8l2pHkOjGYv+gi0095Obw6+eA8gSMry5w9X0Ee8Kfr0NXsAEQEAAcLB
-XwQYAQgAEwUCWmInoAkQMBf67EDz6zMCGwwAACEYEACPOAiw3YcYmcNouHMr
-U5zj45t5dlFAkeP8DbL3HG1QH1m0ntW0UGgFyxgy1uhoaVypWv7M3ERlH+Jl
-I9x06W6NzPSUgoslGJEZ7KIpJsQLzgu6LvSCyxwySPLwKd2qbkJ2HVSGsD6r
-K05ceZr+WRkDE9DcWHLcYQsPJfdndotx+PDWmF6kroSWqFA6X10fBQXGjVhi
-AdN/OqNsfkzJXXvcBtOq01HP9N/vdO9IXfg7WFum05aiDlxX4jojSywNj1OY
-96qYxNYc1ZDb08cGw+/51JE41GDK3K2/JNDSMpyt+wtSaHzmrzWJHYgeqB7l
-bKFqFv3FU9z7ay0rftVK1btuOAbitbuRTIh6jtixCkfJzUdXykLMHmEsL4Ow
-NPJDIp3O+mJ9vxem3n9Q7G0TdMyB7iTpYZiXAqnMZ0DdCHWHZnQC1jPRLShm
-AdRdqNBQDfCw4Ch+5saFr5NPedpOmppV/r2hHJUmmZeZLxBX8ERP1uMOt/bZ
-4pfSBVDB9Z6l9kY7n6oQzNNrOcof7O4gQOEQpug1jyBEOA2XnpIqLJMUoKWv
-b+wtoioZPk/sjiJSt6jpbyAVZOjbDhDT/49YwheWY4y7mQ7xAhcav3taAf/k
-FB8VXp235LPcYn5DzHsRbQSCI1AqGIiHBsDvoorfwa/8ccL3mlY8DxuE4ztt
-Odp+4g==
-=8d0U
------END PGP PUBLIC KEY BLOCK-----
-```
-
-If you are not a PGP user, you can easily send an encrypted email from https://flowcrypt.com/me/mikegoodwin
+For secure disclosure, please see the [security policy](SECURITY.md).
 
 # Project leader #
 
 Mike Goodwin ([email protected])
 
-## Main collaborator ##
-
-Jon Gadsden ([email protected])
-