/**
 * ########  ######## ##     ##  #######
 * ##     ## ##       ###   ### ##     ##
 * ##     ## ##       #### #### ##     ##
 * ##     ## ######   ## ### ## ##     ##
 * ##     ## ##       ##     ## ##     ##
 * ##     ## ##       ##     ## ##     ##
 * ########  ######## ##     ##  #######
 *
 * Write or edit JavaScript in this editor and annotate the code with ThreatSpec tags.
 *
 * See below for details.
 *
 * @alias threat @cwe_319_cleartext_transmission to cleartext transmission of data
 * @describe threat @cwe_319_cleartext_transmission as The software transmits sensitive or \
 *   security-critical data in cleartext in a communication channel that can be sniffed by \
 *   unauthorized actors
 *
 * @alias boundary @webapp to WebApp
 * @describe boundary @webapp as Customer facing web application
 *
 * @alias component @app to App
 * @describe component @app as Core application
 */
class Story {
  /**
   * Represents a book.
   * @constructor
   * @param {string} title - The title of the book.
   * @param {string} author - The author of the book.
   *
   * @mitigates @webapp:FileSystem against unauthorised access with strict file permissions (#122)
   * @exposes @webapp:App to XSS injection with insufficient input validation (#124,#133)
   * @transfers @cwe_319_cleartext_transmission to User:Browser with non-sensitive information (#125)
   * @accepts arbitrary file writes to @webapp:FileSystem with filename restrictions (#106)
   */
  Book(title, author) {
  }
}


Using the demo

Write or edit JavaScript in the editor on the left and annotate the code with ThreatSpec tags. Then run Parse & Report to generate the HTML report on the right. You can also view the intermediate JSON file.

Tag formats

  • @alias boundary|component|threat ID to NAME
  • @describe boundary|component|threat ID as DESCRIPTION
  • @mitigates BOUNDARY:COMPONENT against THREAT with MITIGATION [(REFERENCES)]
  • @exposes BOUNDARY:COMPONENT to THREAT with EXPOSURE [(REFERENCES)]
  • @transfers THREAT to BOUNDARY:COMPONENT with TRANSFER [(REFERENCES)]
  • @accepts THREAT to BOUNDARY:COMPONENT with ACCEPTANCE [(REFERENCES)]

The \ character can be used to split the DESCRIPTION, MITIGATION, EXPOSURE, TRANSFER and ACCEPTANCE values into multiple lines for readability. Multiple lines are joined together into a single value.

REFERENCES are optional and must be enclosed in ( ). Multiple REFERENCES are separated by commas, as in (#124,#133).

BOUNDARY, COMPONENT and THREAT can be either an alias ID declared with @alias (such as @webapp or @cwe_319_cleartext_transmission) or a plain name (such as User:Browser), as the sample code above shows.
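The tag formats above are regular enough to parse with a handful of patterns. The following is an added example written for this page, not ThreatSpec's own parser and not the code behind the Parse & Report button: it strips comment decoration from JavaScript source, joins lines continued with \, recognises the six tags, splits off the optional (REFERENCES), and resolves alias IDs to their display names. The function names, the shape of the returned object (which is not the demo's intermediate JSON) and the SAMPLE input are assumptions of the example.

```javascript
// Added example (not ThreatSpec's own parser): parse the six tag formats above
// out of JavaScript comments. The returned object shape, the function names and
// the SAMPLE input are assumptions made for this example.

// One pattern per tag. Text after "with" may end in an optional "(REFERENCES)".
const TAG_RE = {
  alias:     /^@alias\s+(boundary|component|threat)\s+(\S+)\s+to\s+(.+)$/,
  describe:  /^@describe\s+(boundary|component|threat)\s+(\S+)\s+as\s+(.+)$/,
  mitigates: /^@mitigates\s+(\S+?):(\S+)\s+against\s+(.+?)\s+with\s+(.+)$/,
  exposes:   /^@exposes\s+(\S+?):(\S+)\s+to\s+(.+?)\s+with\s+(.+)$/,
  transfers: /^@transfers\s+(.+?)\s+to\s+(\S+?):(\S+)\s+with\s+(.+)$/,
  accepts:   /^@accepts\s+(.+?)\s+to\s+(\S+?):(\S+)\s+with\s+(.+)$/,
};

// Strip comment decoration ("/**", " * ", "*/", "//"), keep lines that start
// with "@", and join a line ending in "\" with the line(s) that follow it.
function extractTagLines(source) {
  const lines = [];
  let pending = null;
  for (const raw of source.split(/\r?\n/)) {
    const line = raw.replace(/^\s*(?:\/\*\*?|\*\/|\*|\/\/)?\s*/, '').trim();
    const continues = line.endsWith('\\');
    const body = (continues ? line.slice(0, -1) : line).trim();
    if (pending !== null) {
      pending += ' ' + body;            // continuation of the previous tag
    } else if (body.startsWith('@')) {
      pending = body;                   // start of a new tag
    } else {
      continue;                         // code or plain comment text
    }
    if (!continues) {
      lines.push(pending);
      pending = null;
    }
  }
  if (pending !== null) lines.push(pending); // "\" on the last line: keep what we have
  return lines;
}

// "strict file permissions (#122,#133)" -> { value: "strict file permissions", refs: ["#122", "#133"] }
function splitRefs(text) {
  const m = text.match(/^(.*?)\s*\(([^()]*)\)\s*$/);
  if (!m) return { value: text.trim(), refs: [] };
  return { value: m[1].trim(), refs: m[2].split(',').map((r) => r.trim()).filter(Boolean) };
}

function parseThreatSpec(source) {
  const model = {
    aliases: { boundary: {}, component: {}, threat: {} },
    descriptions: { boundary: {}, component: {}, threat: {} },
    mitigates: [], exposes: [], transfers: [], accepts: [],
  };
  for (const line of extractTagLines(source)) {
    let m;
    if ((m = line.match(TAG_RE.alias))) {
      model.aliases[m[1]][m[2]] = m[3].trim();
    } else if ((m = line.match(TAG_RE.describe))) {
      model.descriptions[m[1]][m[2]] = m[3].trim();
    } else if ((m = line.match(TAG_RE.mitigates))) {
      model.mitigates.push({ boundary: m[1], component: m[2], threat: m[3], ...splitRefs(m[4]) });
    } else if ((m = line.match(TAG_RE.exposes))) {
      model.exposes.push({ boundary: m[1], component: m[2], threat: m[3], ...splitRefs(m[4]) });
    } else if ((m = line.match(TAG_RE.transfers))) {
      model.transfers.push({ threat: m[1], boundary: m[2], component: m[3], ...splitRefs(m[4]) });
    } else if ((m = line.match(TAG_RE.accepts))) {
      model.accepts.push({ threat: m[1], boundary: m[2], component: m[3], ...splitRefs(m[4]) });
    }
    // Other "@" lines (e.g. JSDoc @param) are not ThreatSpec tags and are ignored.
  }
  return model;
}

// Map an alias ID (e.g. "@webapp") to its display name; plain names pass through.
function resolve(model, kind, id) {
  return model.aliases[kind][id] || id;
}

// Constructed sample input, mirroring the annotations in the editor above.
const SAMPLE = [
  '/**',
  ' * @alias threat @cwe_319_cleartext_transmission to cleartext transmission of data',
  ' * @describe threat @cwe_319_cleartext_transmission as The software transmits sensitive or \\',
  ' *   security-critical data in cleartext in a communication channel that can be sniffed by \\',
  ' *   unauthorized actors',
  ' * @alias boundary @webapp to WebApp',
  ' */',
  'class Story {',
  '  /**',
  '   * @param {string} title - The title of the book.',
  '   * @mitigates @webapp:FileSystem against unauthorised access with strict file permissions (#122)',
  '   * @exposes @webapp:App to XSS injection with insufficient input validation (#124,#133)',
  '   * @transfers @cwe_319_cleartext_transmission to User:Browser with non-sensitive information (#125)',
  '   * @accepts arbitrary file writes to @webapp:FileSystem with filename restrictions (#106)',
  '   */',
  '  Book(title, author) {}',
  '}',
].join('\n');

const model = parseThreatSpec(SAMPLE);
console.log(JSON.stringify(model, null, 2));
console.log(resolve(model, 'boundary', model.mitigates[0].boundary)); // WebApp
```

Two details are worth checking in any tag parser. The \ continuation is processed before the tag patterns run, so a multi-line @describe is matched as one value, and a \ on the very last line is tolerated rather than dropping the tag. Lines that start with @ but match none of the six patterns (JSDoc @param, @constructor) are ignored rather than treated as errors, which matters because ThreatSpec tags live in the same comment blocks as ordinary documentation.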