### Quick Start: Clone and Install Source: https://github.com/owasp/threat-dragon/blob/main/docs/development/contributing.md Clones the Threat Dragon repository from GitHub and installs the necessary Node.js dependencies using npm. ```bash git clone git@github.com:OWASP/threat-dragon.git cd threat-dragon npm install ``` -------------------------------- ### Run Web Application (Windows) Source: https://github.com/owasp/threat-dragon/blob/main/docs/install/web.md Starts the front-end and back-end servers separately for the Threat Dragon web application on Windows. ```bash npm run dev:server npm run dev:vue ``` -------------------------------- ### Install Node.js using NVM (Linux) Source: https://github.com/owasp/threat-dragon/blob/main/docs/development/development.md Installs Node.js version 20.14.0 using Node Version Manager (nvm) on Linux systems. This is a prerequisite for running the Threat Dragon development server. ```bash # Download and install nvm curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash # follow the on-screen instructions, usually just restart the terminal # then use nvm to select the correct version of node, eg 20.14.0 nvm install 20.14.0 nvm use 20.14.0 node --version ``` -------------------------------- ### Run Web Application (Linux/MacOS) Source: https://github.com/owasp/threat-dragon/blob/main/docs/install/web.md Starts the Node.js web server for the Threat Dragon application on Linux and macOS. ```bash npm start ``` -------------------------------- ### Install and Serve Threat Dragon Docs Locally Source: https://github.com/owasp/threat-dragon/blob/main/docs/README.md Commands to install dependencies and serve the Threat Dragon documentation site locally using Jekyll. Requires Ruby and Bundler to be installed. ```bash npm add --location=global bundle bundle update bundle exec jekyll serve ``` -------------------------------- ### Docker Build and Run Source: https://github.com/owasp/threat-dragon/blob/main/docs/development/development.md Commands to build a Docker image for OWASP Threat Dragon and run a container. This includes setting up environment variables and port mapping. ```bash docker build -t owasp-threat-dragon:dev . docker run -it --rm -p 8080:3000 -v $(pwd)/.env:/app/.env owasp-threat-dragon:dev ``` -------------------------------- ### Windows Download Warning Workaround Source: https://github.com/owasp/threat-dragon/wiki/FAQs Details how to handle the 'OWASP-Threat-Dragon-Setup isn't commonly downloaded' warning on Windows. It guides users to click 'show more', 'Keep anyway', and then proceed with the installation. ```markdown Click on the 'show more' and agree to keep the file. You will have to agree again 'Keep anyway' before Windows accepts that you really want to keep the file. You can then double click on the download to install Threat Dragon. ``` -------------------------------- ### Quick Start: Run Tests Source: https://github.com/owasp/threat-dragon/blob/main/docs/development/contributing.md Commands to start the application and run various test suites for the Threat Dragon project. ```bash npm start npm test npm run test:vue ``` -------------------------------- ### Install Node.js using NVM (macOS) Source: https://github.com/owasp/threat-dragon/blob/main/docs/development/development.md Installs Node.js version 20.12.2 using Node Version Manager (nvm) on macOS systems. This is a prerequisite for running the Threat Dragon development server. ```bash brew install nvm nvm install 20.12.2 nvm use 20.12.2 node --version ``` -------------------------------- ### Build and Run Threat Dragon Desktop from Source Source: https://github.com/owasp/threat-dragon/blob/main/docs/install/desktop.md Instructions for cloning the Threat Dragon repository, installing dependencies using npm, and running the desktop application in development mode or building an installer. This method allows access to the latest code updates. ```bash git clone https://github.com/owasp/threat-dragon cd threat-dragon npm install ``` ```bash npm run start:desktop ``` ```bash npm run build:desktop ``` -------------------------------- ### OWASP Threat Dragon Desktop CLI Commands Source: https://github.com/owasp/threat-dragon/wiki/FAQs Provides examples of using the command-line interface (CLI) for OWASP Threat Dragon desktop versions 1.6.x. Shows how to get help and export a threat model to PDF. ```bash OWASP-Threat-Dragon --help ``` ```bash OWASP-Threat-Dragon --pdf ./threat-model.json --verbose ``` ```bash OWASP-Threat-Dragon.exe --pdf .\threat-model.json --verbose ``` ```bash ./OWASP-Threat-Dragon-1.3.1.AppImage --pdf ./threat-model.json --verbose ``` -------------------------------- ### Example Threat Dragon Server Log Error Source: https://github.com/owasp/threat-dragon/blob/main/docs/configure/github.md An example of a server log entry indicating a failure to start due to a missing required environment variable, specifically ENCRYPTION_JWT_REFRESH_SIGNING_KEY. ```text 2023-12-16 08:08:18 ENCRYPTION_JWT_REFRESH_SIGNING_KEY is a required property, Threat Dragon server cannot start without it. Please see docs/development/environment.md for more information 2023-12-16 08:08:18 OWASP Threat Dragon failed to start ``` -------------------------------- ### Project Setup and Commands Source: https://github.com/owasp/threat-dragon/blob/main/td.server/README.md Provides essential commands for setting up the project, compiling for development and production, cleaning the distribution, running unit tests (including watch mode), and linting files. ```bash npm install npm run dev npm run build npm run clean npm run test:unit npm run test:unit -- --watch npm run lint ``` -------------------------------- ### Install from Source Code Source: https://github.com/owasp/threat-dragon/wiki/FAQs Instructions for installing OWASP Threat Dragon from source code using npm. It mentions potential network issues during package downloads and suggests using a VPN or checking network configurations. ```bash npm install ``` -------------------------------- ### Troubleshooting Log Example Source: https://github.com/owasp/threat-dragon/blob/main/docs/configure/google.md An example log output indicating a startup failure due to a missing required environment variable, specifically `ENCRYPTION_JWT_REFRESH_SIGNING_KEY`. This highlights the importance of correctly defining all necessary configuration parameters. ```text 2023-12-16 08:08:18 ENCRYPTION_JWT_REFRESH_SIGNING_KEY is a required property, Threat Dragon server cannot start without it. Please see docs/development/environment.md for more information 2023-12-16 08:08:18 OWASP Threat Dragon failed to start ``` -------------------------------- ### Windows Installer Command Source: https://github.com/owasp/threat-dragon/wiki/Home Demonstrates how to run the Windows installer silently with a specified installation directory. ```powershell .\OWASP-Threat-Dragon-Setup-1.6.1.exe /S /D=C:\\Test ``` -------------------------------- ### Encryption Keys Example Source: https://github.com/owasp/threat-dragon/blob/main/docs/configure/bitbucket.md Example of setting encryption-related environment variables for Threat Dragon. ```javascript process.env.ENCRYPTION_JWT_REFRESH_SIGNING_KEY = '00112233445566778899aabbccddeeff'; process.env.ENCRYPTION_JWT_SIGNING_KEY = 'deadbeef112233445566778899aabbcc'; process.env.ENCRYPTION_KEYS = JSON.stringify([{"isPrimary": true, "id": 0, "value": "0123456789abcdef0123456789abcdef"}]); ``` -------------------------------- ### Install and Run Threat Dragon via npm Source: https://github.com/owasp/threat-dragon/wiki/Home Provides commands to clone the Threat Dragon repository, install dependencies using npm, and run the application. ```bash git clone https://github.com/owasp/threat-dragon cd threat-dragon/td.desktop npm install ``` ```bash npm run start ``` ```bash npm run start:desktop ``` -------------------------------- ### Bitbucket Workspace and Scope Example Source: https://github.com/owasp/threat-dragon/blob/main/docs/configure/bitbucket.md Example of setting the BITBUCKET_WORKSPACE and BITBUCKET_SCOPE environment variables for Threat Dragon. ```javascript process.env.BITBUCKET_WORKSPACE = 'threat-dragon-test'; process.env.BITBUCKET_SCOPE = 'repository:write'; ``` -------------------------------- ### Threat Dragon Development Scripts Source: https://github.com/owasp/threat-dragon/blob/main/docs/development/development.md Common npm scripts for building, developing, and testing the OWASP Threat Dragon project. These scripts manage the server and Vue components. ```javascript npm build npm run dev npm run dev:vue npm run dev:server npm start npm run start:desktop npm run test:vue npm test ``` -------------------------------- ### Install Application Dependencies Source: https://github.com/owasp/threat-dragon/blob/main/docs/install/web.md Installs the necessary Node.js dependencies for the Threat Dragon web application using npm. ```bash npm install ``` -------------------------------- ### Minimal .env file example Source: https://github.com/owasp/threat-dragon/blob/main/docs/configure/configure.md An example of a minimal .env file for Threat Dragon configuration, including encryption keys and server settings. Real keys should be generated securely. ```text ENCRYPTION_KEYS='[{"isPrimary": true, "id": 0, "value": "11223344556677889900aabbccddeeff"}]' ENCRYPTION_JWT_SIGNING_KEY=asdfasdfasdf ENCRYPTION_JWT_REFRESH_SIGNING_KEY=fljasdlfkjadf NODE_ENV=development SERVER_API_PROTOCOL=http ``` -------------------------------- ### Install Node.js Dependencies Source: https://github.com/owasp/threat-dragon/blob/main/README.md After cloning the repository, this command installs all the necessary Node.js packages for both the back-end (td.server) and front-end (td.vue) applications from the project's top directory. ```bash npm install ``` -------------------------------- ### Server API Protocol Example Source: https://github.com/owasp/threat-dragon/blob/main/docs/configure/bitbucket.md Example of setting the SERVER_API_PROTOCOL environment variable to 'http' for Threat Dragon. ```javascript process.env.SERVER_API_PROTOCOL = 'http'; ``` -------------------------------- ### OWASP Threat Dragon Installation Files Source: https://github.com/owasp/threat-dragon/blob/main/.release-note-template.md Links to download OWASP Threat Dragon installers and checksums for various platforms. ```plaintext Web Application: .tar.gz: https://github.com/OWASP/threat-dragon/archive/refs/tags/v2.x.x.tar.gz .zip: https://github.com/OWASP/threat-dragon/archive/refs/tags/v2.x.x.zip Desktop Versions: Windows NSIS installer: https://github.com/OWASP/threat-dragon/releases/download/v2.x.x/Threat-Dragon-ng-Setup-2.x.x.exe Windows checksum: https://github.com/OWASP/threat-dragon/releases/download/v2.x.x/checksum.yml MacOS x86 installer: https://github.com/OWASP/threat-dragon/releases/download/v2.x.x/Threat-Dragon-ng-2.x.x.dmg MacOS x86 checksum: https://github.com/OWASP/threat-dragon/releases/download/v2.x.x/checksum-mac.yml MacOS ARM64 installer: https://github.com/OWASP/threat-dragon/releases/download/v2.x.x/Threat-Dragon-ng-2.x.x-arm64.dmg MacOS ARM64 checksum: https://github.com/OWASP/threat-dragon/releases/download/v2.x.x/checksum-mac-arm64.yml Linux AppImage: https://github.com/OWASP/threat-dragon/releases/download/v2.x.x/Threat-Dragon-ng-2.x.x.AppImage Linux checksum: https://github.com/OWASP/threat-dragon/releases/download/v2.x.x/checksum-linux.yml Debian package (AMD64): https://github.com/OWASP/threat-dragon/releases/download/v2.x.x/threat-dragon_2.x.x_amd64.deb Redhat package (x86_64): https://github.com/OWASP/threat-dragon/releases/download/v2.x.x/threat-dragon-2.x.x.x86_64.rpm Snapcraft: https://snapcraft.io/threat-dragon Software Bill of Materials (SBOMs): Server: https://github.com/OWASP/threat-dragon/releases/download/v2.x.x/sboms-server.zip Frontend/Desktop: https://github.com/OWASP/threat-dragon/releases/download/v2.x.x/sboms.zip ``` -------------------------------- ### Environment Error Example Source: https://github.com/owasp/threat-dragon/blob/main/docs/configure/configure.md An example of an error message indicating a missing required environment variable during Threat Dragon server startup. ```text ENCRYPTION_KEYS is a required property. Threat Dragon server cannot start without it. Refer to development/environment.md for more information ``` -------------------------------- ### Cloning and Building Docker Image Source: https://github.com/owasp/threat-dragon/blob/main/docs/install/docker.md Steps to clone the Threat Dragon GitHub repository and build a local Docker image. This is useful for testing changes to the application or documentation. ```bash git init git clone https://github.com/owasp/threat-dragon.git cd threat-dragon docker build -t owasp-threat-dragon:local . ``` -------------------------------- ### Node Environment Variable Example Source: https://github.com/owasp/threat-dragon/blob/main/docs/configure/bitbucket.md Example of setting the NODE_ENV environment variable to 'development' for Threat Dragon. ```javascript process.env.NODE_ENV = 'development'; ``` -------------------------------- ### GitLab Environment Variables Example Source: https://github.com/owasp/threat-dragon/blob/main/docs/configure/gitlab.md An example set of environment variables required for configuring GitLab access in Threat Dragon. These variables are used for authentication and integration with GitLab. ```text GITLAB_CLIENT_ID=00112233445566778899aabbccddeeff GITLAB_CLIENT_SECRET=gloas-deadbeef0123456789abcdefdeadbeef GITLAB_SCOPE=read_user read_repository write_repository profile read_api api GITLAB_REDIRECT_URI=http://threat-dragon-instance/api/oauth/return GITLAB_HOST=http://gitlab-instance ``` -------------------------------- ### Clone Latest Source Code Source: https://github.com/owasp/threat-dragon/blob/main/docs/install/web.md Clones the latest version of the Threat Dragon source code from the GitHub repository. ```bash git init git clone https://github.com/owasp/threat-dragon.git cd threat-dragon ``` -------------------------------- ### Running Threat Dragon Application Source: https://github.com/owasp/threat-dragon/blob/main/README.md Commands to start the Threat Dragon application. For Windows development, run the front-end and back-end separately. For Linux/macOS, use a single command. Access the application via a browser. ```bash npm run dev:server npm run dev:vue # or npm start # Access at http://localhost:8080/ ``` -------------------------------- ### Minimal DotEnv Configuration Example Source: https://github.com/owasp/threat-dragon/blob/main/docs/development/environment.md An example of a minimal .env file used for configuring the Threat Dragon web application. It includes essential variables like NODE_ENV, encryption keys, and server protocol. Note that actual keys should be generated securely. ```text NODE_ENV=development ENCRYPTION_KEYS='[{"isPrimary": true, "id": 0, "value": "0123456789abcdef0123456789abcdef"}]' ENCRYPTION_JWT_SIGNING_KEY=deadbeef112233445566778899aabbcc ENCRYPTION_JWT_REFRESH_SIGNING_KEY=00112233445566778899aabbccddeeff SERVER_API_PROTOCOL='http' ``` -------------------------------- ### Windows Installer Code Signing Source: https://github.com/owasp/threat-dragon/blob/main/release-process.md Steps to sign a Windows installer using a certificate, including generating a P12 file, converting to Base64, and using signtool for signing. It also covers generating checksums and updating release files. ```bash openssl pkcs12 -export -in WINDOWS_OSS_CERT.pem -nokeys -out WINDOWS_OSS_CERT.p12 -passout pass: openssl pkcs12 -info -in WINDOWS_OSS_CERT.p12 -passin pass: base64 -i WINDOWS_OSS_CERT.p12 -o WINDOWS_OSS_CERT.p12.b64 ``` ```powershell signtool sign /sha1 "" /tr http://time.certum.pl /td sha256 /fd sha256 /v "Threat-Dragon-ng-Setup-2.4.1.exe" ``` ```bash sha512sum Threat-Dragon-ng-Setup-2.4.1.exe > checksum.yml openssl dgst -binary -sha512 Threat-Dragon-ng-Setup-2.4.1.exe | openssl base64 -A ``` -------------------------------- ### Project Setup and Commands Source: https://github.com/owasp/threat-dragon/blob/main/td.vue/README.md Provides essential npm commands for setting up, building, testing, and linting the OWASP Threat Dragon project. Includes commands for development, production builds, desktop application builds, and continuous testing. ```bash npm install npm run serve npm run build npm run electron:build npm run electron:serve npm run clean npm test npm run test:unit -- --watch npm run test:e2e npm run lint ``` -------------------------------- ### macOS Application Signing Check Source: https://github.com/owasp/threat-dragon/blob/main/docs/development/development.md Command to check the notarization status of the macOS application bundle for Threat Dragon. ```bash spctl --assess -vv --type install /Applications/Threat-Dragon-ng.app ``` -------------------------------- ### Threat Dragon Docker Environment Variables Source: https://github.com/owasp/threat-dragon/blob/main/docs/install/docker.md Example of how to set the LOG_LEVEL environment variable within the .env file to increase logging for debugging purposes. ```text LOG_LEVEL=debug ``` -------------------------------- ### Running OWASP Threat Dragon from Command Line Source: https://github.com/owasp/threat-dragon/wiki/FAQs Demonstrates how to execute the OWASP Threat Dragon desktop application from the command line on different operating systems. Includes examples for Windows, macOS, Linux, and AppImage. ```bash OWASP-Threat-Dragon.exe ``` ```bash OWASP-Threat-Dragon ``` ```bash ./OWASP-Threat-Dragon-1.3.1.AppImage ``` -------------------------------- ### Curl Request to Backend API Source: https://github.com/owasp/threat-dragon/blob/main/docs/testing/testing.md Example of using curl to make a GET request to the backend API for retrieving organization data. It specifies the protocol, host, port, endpoint, and sets the Accept header to application/json. ```bash curl -v http://localhost:3000/api/threatmodel/organisation \ -H "Accept: application/json" ``` -------------------------------- ### Debugging Threat Dragon Docker Container Source: https://github.com/owasp/threat-dragon/blob/main/docs/install/docker.md Command to run the Threat Dragon Docker container in interactive mode for debugging, allowing console output to be viewed directly. Also shows example console output with increased logging. ```bash docker run -it -p 8080:3000 -v $(pwd)/.env:/app/.env owasp-threat-dragon:local ``` -------------------------------- ### Run Web App Version Source: https://github.com/owasp/threat-dragon/wiki/FAQs Provides instructions on how to run the web application version of Threat Dragon to work around a printing issue on Linux. This involves starting the application using a specific npm command. ```bash npm start ``` -------------------------------- ### Building and Running Threat Dragon from Local Docker Build Source: https://github.com/owasp/threat-dragon/blob/main/README.md Commands to build a local Docker image for Threat Dragon and then run it. This involves building the image with a tag and then starting a container, mounting the .env file. Supports both Linux/macOS and Windows. ```bash docker build -t owasp-threat-dragon:dev . docker run -it --rm -p 8080:3000 -v $(pwd)/.env:/app/.env owasp-threat-dragon:dev # or if using Windows: docker run -it --rm -p 8080:3000 -v %CD%/.env:/app/.env owasp-threat-dragon:dev # Access at http://localhost:8080/ ``` -------------------------------- ### Stopping Threat Dragon Application Source: https://github.com/owasp/threat-dragon/blob/main/README.md Instructions for stopping the Threat Dragon application. If started with 'npm start', use 'npm stop'. Otherwise, manually stop the server and front-end processes. ```bash npm stop # or manually break out of server and front-end processes ``` -------------------------------- ### Running Threat Dragon with Docker Source: https://github.com/owasp/threat-dragon/blob/main/docs/configure/local.md Demonstrates how to pull the OWASP Threat Dragon Docker image and run it with the necessary environment variables and port mapping for local access. Includes a command for M1 Macs. ```dockerfile docker pull owasp/threat-dragon:stable docker pull --platform linux/x86_64 owasp/threat-dragon:stable docker run -it --rm \ -p 8080:3000 \ -e ENCRYPTION_JWT_REFRESH_SIGNING_KEY='00112233445566778899aabbccddeeff' \ -e ENCRYPTION_JWT_SIGNING_KEY='deadbeef112233445566778899aabbcc' \ -e ENCRYPTION_KEYS='[{"isPrimary": true, "id": 0, "value": "0123456789abcdef0123456789abcdef"}]' \ -e NODE_ENV='development' \ -e SERVER_API_PROTOCOL='http' \ owasp/threat-dragon:stable ``` -------------------------------- ### Install Vue CLI and Run E2E Tests Source: https://github.com/owasp/threat-dragon/blob/main/docs/testing/e2e.md Installs the Vue CLI globally if not found and then executes the end-to-end tests using npm. This command opens the Cypress runner for interactive test selection. ```bash npm install -g @vue/cli cd td.vue npm install npm run test:e2e ``` -------------------------------- ### Threat Dragon .env File Configuration Source: https://github.com/owasp/threat-dragon/blob/main/docs/configure/github.md Example content for a .env file used to configure the Threat Dragon server, including GitHub credentials and encryption keys. Highlights that quotation marks are only needed for complex values like JSON strings. ```text GITHUB_CLIENT_ID=deadbeef0123456789ab GITHUB_CLIENT_SECRET=deadbeef0123456789abcdef01234567deadbeef ENCRYPTION_JWT_REFRESH_SIGNING_KEY=00112233445566778899aabbccddeeff ENCRYPTION_JWT_SIGNING_KEY=deadbeef112233445566778899aabbcc' ENCRYPTION_KEYS='[{"isPrimary": true, "id": 0, "value": "0123456789abcdef0123456789abcdef"}]' NODE_ENV=development SERVER_API_PROTOCOL=http ``` -------------------------------- ### Set Environment Variable (Windows) Source: https://github.com/owasp/threat-dragon/blob/main/docs/configure/configure.md Example of how to set an environment variable from the command prompt on Windows systems. ```bash set GITHUB_CLIENT_ID=deadbeef0123456789ab ``` -------------------------------- ### Snapcraft Credential Management Source: https://github.com/owasp/threat-dragon/blob/main/release-process.md Commands to manage Snapcraft login credentials. This includes logging in and exporting credentials, which are necessary for publishing updates to the Snapcraft store. ```bash snapcraft login snapcraft export-login --snaps threat-dragon --channels edge,latest,stable - ```