Description
Issue Summary: I'm experiencing an issue where Threagile fails to recognize a communication link defined in technical_assets within the individual_risk_categories. Specifically, the communication link process-to-db is reported as missing in the risk category internal-fault-risk, even though it is correctly defined in the technical_assets.
Error message:
2024/10/22 00:24:58 missing referenced communication link at individual risk 'internal-fault-risk': process-to-db
threagile.yaml
threagile_version: "1.0"
title: "Test Threagile Model"
date: "2024-10-21"
author:
  name: "Jane Doe"
  homepage: "https://janedoe.example.com"
business_criticality: "critical"
tags_available:
  - "finance"
  - "user-data"
  - "compliance"
  - "confidential"
  - "backend"
  - "api"
  - "database"
  - "persistent-storage"
  - "internal"
  - "runtime"
  - "web"
data_assets:
  data-asset-db:
    id: "data-asset-db"
    description: "Primary database containing user financial data."
    usage: "business"
    tags:
      - "finance"
    origin: "internal"
    owner: "Database Team"
    quantity: "many"
    confidentiality: "confidential"
    integrity: "critical"
    availability: "critical"
    justification_cia_rating: "Essential for financial transactions and user trust."
technical_assets:
  process-server:
    id: "process-server"
    description: "Handles business logic and processes user transactions."
    type: "process"
    usage: "business"
    used_as_client_by_human: false
    out_of_scope: false
    size: "application"
    technology: "web-application"
    tags:
      - "backend"
      - "api"
    internet: false
    machine: "virtual"
    encryption: "data-with-symmetric-shared-key"
    owner: "DevOps Team"
    confidentiality: "confidential"
    integrity: "critical"
    availability: "important"
    multi_tenant: false
    redundant: true
    custom_developed_parts: true
    data_assets_processed:
      - "data-asset-db"
    data_assets_stored:
      - "data-asset-db"
    data_formats_accepted:
      - "json"
      - "xml"
    communication_links:
      process-to-db:
        target: "database-server"
        description: "Connects the process server to the main database."
        protocol: "jdbc"
        authentication: "credentials"
        authorization: "technical-user"
        vpn: true
        ip_filtered: true
        readonly: false
        usage: "business"
        data_assets_sent:
          - "data-asset-db"
        data_assets_received:
          - "data-asset-db"
  database-server:
    id: "database-server"
    description: "Stores and manages all financial user data."
    type: "datastore"
    usage: "business"
    used_as_client_by_human: false
    out_of_scope: false
    size: "system"
    technology: "database"
    tags:
      - "database"
      - "persistent-storage"
    internet: false
    machine: "virtual"
    encryption: "data-with-symmetric-shared-key"
    owner: "Database Team"
    confidentiality: "confidential"
    integrity: "critical"
    availability: "critical"
    multi_tenant: false
    redundant: true
    custom_developed_parts: false
    data_assets_processed:
      - "data-asset-db"
    data_assets_stored:
      - "data-asset-db"
    data_formats_accepted:
      - "json"
      - "xml"
    communication_links: {} # No outgoing communication links from the database server
shared_runtimes:
  shared-runtime-web:
    id: "shared-runtime-web"
    description: "Shared runtime environment for web applications."
    tags:
      - "runtime"
      - "web"
    technical_assets_running:
      - "process-server"
individual_risk_categories:
  internal-fault-risk:
    id: "internal-fault-risk"
    description: "Risk associated with the communication between process server and database server."
    impact: "High impact on data integrity and availability."
    asvs: "ASVS Level 2"
    cheat_sheet: "Use secure communication protocols and strong authentication mechanisms."
    action: "Implement encryption and robust authentication for all database connections."
    mitigation: "Use encrypted JDBC connections with strong credentials and regularly rotate them."
    check: "Regularly audit database access logs and monitor for unusual activities."
    function: "development"
    stride: "information-disclosure"
    detection_logic: "Monitor and alert on abnormal access patterns and failed login attempts."
    risk_assessment: "High likelihood of data breach due to sensitive financial data."
    false_positives: "Low"
    model_failure_possible_reason: false
    cwe: 200
    risks_identified:
      data_exposure:
        severity: "high"
        exploitation_likelihood: "likely"
        exploitation_impact: "high"
        data_breach_probability: "probable"
        data_breach_technical_assets:
          - "database-server"
        most_relevant_data_asset: "data-asset-db"
        most_relevant_technical_asset: "database-server"
        most_relevant_communication_link: "process-to-db"
        most_relevant_trust_boundary: "internal-network"
        most_relevant_shared_runtime: "shared-runtime-web"
trust_boundaries:
  internal-network:
    id: "internal-network"
    description: "Internal network trust boundary."
    type: "network-on-prem"
    tags:
      - "internal"
    technical_assets_inside:
      - "process-server"
      - "database-server"
    trust_boundaries_nested: []
risk_tracking:
  internal-fault-risk:
    status: "in-progress"
    justification: "Addressing the encryption and authentication vulnerabilities."
    ticket: "TICKET-1234"
    date: "2024-10-20"
    checked_by: "Security Team Lead"
Expected Behavior: Threagile should recognize the process-to-db communication link defined within technical_assets and associate it correctly with the internal-fault-risk in individual_risk_categories without any missing reference errors.
Actual Behavior: Despite the correct definition of process-to-db in technical_assets and proper referencing in individual_risk_categories, Threagile reports that the communication link is missing.
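A pre-flight reference check, added here as an illustration and not part of the issue or of Threagile's own code: it walks a minimal constructed copy of the model above and reports every most_relevant_communication_link that does not resolve, assuming Threagile's convention that a communication link's ID is `<source-asset-id>><link-key>` (the link key lowercased with non-alphanumerics collapsed to `-`). The link_id helper and the MODEL dict are constructed for this example; confirm the ID convention against the Threagile version in use.

```python
import re

# Constructed, minimal copy of the issue's threagile.yaml (only the keys
# this check needs); in practice load the real file with a YAML parser.
MODEL = {
    "technical_assets": {
        "process-server": {
            "communication_links": {
                "process-to-db": {"target": "database-server"},
            },
        },
        "database-server": {"communication_links": {}},
    },
    "individual_risk_categories": {
        "internal-fault-risk": {
            "risks_identified": {
                "data_exposure": {
                    "most_relevant_communication_link": "process-to-db",
                },
            },
        },
    },
}


def link_id(source_asset_id: str, link_key: str) -> str:
    """Assumed Threagile link ID: '<source asset id>>' + normalised link key."""
    norm = re.sub(r"[^a-z0-9]+", "-", link_key.lower()).strip("- ")
    return f"{source_asset_id}>{norm}"


def defined_link_ids(model: dict) -> dict:
    """Map every resolvable link ID to (source asset, link key)."""
    ids = {}
    for asset_id, asset in model.get("technical_assets", {}).items():
        for key in (asset.get("communication_links") or {}):
            ids[link_id(asset_id, key)] = (asset_id, key)
    return ids


def check_risk_links(model: dict) -> list:
    """One (category, risk, reference, suggested ID) tuple per unresolved reference."""
    ids = defined_link_ids(model)
    by_key = {key: full for full, (_, key) in ids.items()}  # bare key -> full ID
    findings = []
    for cat_id, cat in model.get("individual_risk_categories", {}).items():
        for risk_id, risk in (cat.get("risks_identified") or {}).items():
            ref = risk.get("most_relevant_communication_link")
            if ref and ref not in ids:
                findings.append((cat_id, risk_id, ref, by_key.get(ref)))
    return findings
```

Run against the constructed model, check_risk_links flags the bare reference "process-to-db" and suggests the fully qualified ID under which the link is registered; the same check can be run over any exported Threagile model before invoking the tool.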