Version: 1.0.0

Risks and Vulnerabilities Tab have longer loading times which gets more significant when there are many risks and vulnerabilities being loaded

Version: 1.0.1-alpha01

Currently, the tooltip is displayed when hovering over each entry of an column rather than the header itself

In 1.0.0-alpha03:

When copying some normal text from a textbox in the Infopath version of the tool, and it is pasted back into the tool, the background color of the text instead of being default, becomes another background color.

Steps to reproduce:

1. In MS Infopath tool write some text in Project description textbox and copy it to the clipboard
2. Paste the copied text into the Project Description textbox of the ISRA Web app, the background color will be wrong.

Version to be tested: 1.0.0-alpha02

On Risks screen, enter some text in order will make the risk screen become abnormal.

Steps to reproduce:

1. On filter search box, enter "a" + ENTER
2. enter "z" + ENTER
3. delete the text manually and ENTER
4. expect all rows in table, Risk description, Risk evaluation, Risk mitigation, and Risk management can be seen

Actual result:
Only can see the table, others cannot be seen, until click the "X" button on the filter search box

Version to be tested: 1.0.0-alpha02

Estimated Cost (md) is expected to be number and it is greater than or equal to 0 (zero).
Because man days (md) cannot be negative value, it should not have + or - sign too.

Version to be tested: 1.1.0-alpha02

In Supporting assets, under list of supporting assets, Network Security Level drop down missing value "3".
Compare to the ISRA which is opened by using InfoPath, it has -2, -1, 1, 2, 3
But in the ISRA app, it only has -2, -1, 1, 2

Version: 1.0.1-alpha01

It should be "THALES GROUP CONFIDENTIAL" instead of "CONFIDENTIAL"

Version to be tested: 1.0.0-alpha02

Steps to reproduce

1. Opening an existing ISRA xml which has file attached on Project Descriptive Document
2. Navigate to Project Context, get error message pop up "Invalid Project Descriptive Document"
3. Click on the attachment link and click Remove
4. Save as to a json file
5. Close this app and open the json file which is saved on step 4
6. Navigate to Project Context, and attach a file in Project Descriptive Document
7. Navigate to Welcome tab and then navigate back to Project Context again
8. Expect to see the file is attached correctly in Project Descriptive Document, but no file is attached and get error message pop up "Invalid Project Descriptive Document"

Version: 1.0.1-alpha01

Date is in YYYY-MM-DD format and hence the column should not be as big as Description

Version: 1.0.1-alpha01

Issue description:
In the risks tab, for security controls implementation, estimated cost (md) accepts a negative number or just a negative sign character.

Expected behavior:
Normally it should not be possible to set negative numbers, as it is impossible.

Version: 1.0.0-alpha03
Platform: win64

Example based on Risks ID (same issue observed on Supporting Asset IDs, not tested on others).

How to reproduce:

• Delete Risk with max ID.
• Save the file and close it.
• Open the file
• Add a new Risk: the deleted ID is reused.

This is a behavior change from previous tool, in which IDs are unique even across sessions, to avoid ambiguous ID values between different assessment iteration. Be able to have different Risks with same ID in different assessment version may lead to ambiguous risk tracking in products.

Version: 1.0.0
Platform: win64

When multiple instances of the SRATool are concurrently run, the performance becomes extremely slow on each of the instances.

How to reproduce:

1. Start one instance of the SRATool and load a risk assessment file.
2. Start a second instance of the SRATool and load a risk assessment file
3. Performance will be very bad in each instance when changing tabs for example

Version 1.0.0 3813418

Platform: win64

When importing XML or JSON data with large files stored as base 64 strings or uploading large files to the application,
JSON validation will fail due to stack overflow as the string is too large for the regex function used in the AJV package's validate function

How to reproduce:

1. Upload Case

• Upload any large files at Project Descriptive Document in the Project Context Tab (Rich text fields would work also but the uploaded image needs to be about 2MB)
• An invalid attachment error would pop up

2. Opening XML Case

• Open any XML generated by ISRA containing large attachments in the application
• An invalid xml file error would pop up and the file cannot be opened

Version to be tested: 1.0.0-alpha02

Threat Agent dropdown value has typo "Operationnal Employee" in both ISRA xml and ISRA tool.
It should be "Operational Employee"

When loading a very complex Risk assessment recalculating and repopulating the data in each tab may take some time but its not clear that the backend is processing data. It may be interesting to popup a "processing/waiting" dialog box or other visual clue if after a certain amount of time has been reached and the backend has not responded yet. Other proposals are also good.

The objective is for the user to know that processing is still going on and that the application has simply not crashed / finished. The threshold when this appears on the screen is if the processing for the tab has not completed in X seconds, then display the popup until the task is completed.

Requirements:

• The value X, in seconds, can be configured through the configuration file. A value of 0 means always displayed.

It seems that the name of the business asset space is very small compared to the other elements in the table on the Business asset tab. Would it be possible to slightly make the fonts smaller of the other columns for Asset Values so as to make more space for the asset name, so asset names becomes wider.

Use-case:
Imported a complex XML and switched from different tabs and when switching to project context tab, I get a dialog box with the following information: Invalid Attachment: Invalid Project Descriptive Document.

Version: 1.0.1-alpha01

Steps to reproduce:

1. Open ISRA xml which has vulnerability item which is linked to a supporting asset (checkbox is ticked)
2. Navigate the Vulnerability
3. click on the vulnerability item and scroll to supporting asset, check if the specific checkbox is ticked for the supporting asset

Actual result:
the checkbox is not ticked, but opening the same ISRA xml with InfoPath, the checkbox is ticked.

Version to be tested: 1.1.0-alpha02

The "AND" text position is incorrect when there are multiple items in the same attack path. It should be some kind like "item1 AND item2", but now is "item1 item2 AND"

Steps to reproduce:

1. On the attack path which only have 1 item, it is expected that don't have "AND" text.
2. Click on add button, 2nd item is added, it is expected to have "AND" text beside the 1st item.

Actual result
The "AND" text is beside the 2nd item.

Version: 1.0.1-alpha01

Steps to reproduce:

• Create an ISRA project and fill up the tracking date in YYYY-M-D format
• Save the ISRA project
• Import the ISRA project

Actual result:

• The import would fail due to wrong date format

Version: 1.0.0 0f30b88
Platform: win64

The application will close on its own in some instances when either file, edit or window menu was left opened while dialog box is active after responding to the same dialog box

How to reproduce:

• Trigger a dialog box (Eg. Save or print)
• Ignore the dialog box and click on file, edit, or window
• Respond to the dialog box, application will crash after this

Version: 1.0.0

Use-case:

We need to make sure that either the final PDF report or the ISRA itself can be digitally signed to indicate that is has been approved and finalized for a specific version and not modified after review.

Technical requirements:

• It should support signing with hardware tokens such as smartcards as well as standard signing keys such as PGP.
• If it is decided that digital signature is going to protect the actual risk data assessment file and not the PDF report:
  • When a data risk assessment file is opened if there is a digital signature:
    • It is verified to check for tampering and if tampered an error is shown in a dialog box, but data can still be viewed.
    • The digital signature should be displayed with who signed and date (in welcome page?), otherwise indicate not signed.
    • If data is modified then a dialog box indicating that signature will be lost, and it should be cleared and user can continue working on it (maybe do it on export)
  • There should be a menu option to 'export' (To be discussed) the risk data assessment file and this would prompt the actual signature.

Additional requirements

• Try to base digital signature on standard way for signing JSON files if they exist.

Version 1.0

When opening xml or json ISRA, the old classification is being displayed and saved, the config does not override it

Version 1.0.0

Project iteration is not updated accordingly in the ISRA Meta json data and it is inaccurately reflecting it in the Reports tab

1.0.0-alpha02:
When exporting the ISRA to a PDF, the page numbers and total page numbers should be added to the footer of each page. Position could be in center or other location in footer.

This is more a long term improvement:

Some auditors may require proof that the file has not been tampered, there should probably be a digital signature mechanism for the file to ensure that its not been modified when outside of the tool.

Supporting asset, risks and vulnerabilities add/delete buttons should be at bottom of table, not at beginning of table. This permits to make it easier to delete and add rows especially in very big tables. This is a UX improvement.

Version: 1.0.0

Use-case: I wish to pre-populate datasets for supporting vulnerabilities, risks or supporting assets for example which can be reused by other users. Today the only way to do this is to open an existing risk assessment data file, which is not very clean. Instead it would be interesting to have an import option that imports datasets from selected tabs into an existing risk assessment data file.

Exact steps for a possible use-case:

1. User create a new risk assessment and populates the welcome, project context and business assets fields.
2. User imports existing known supporting assets and vulnerabilities for this technology by opening the import menu item in File and selecting an existing JSON data file and then a dialog both appears permitting to select tabs to import: he selects supporting assets and vulnerabilities to be imported and all of these are imported into current JSON data file.

Some extra information that needs to be discussed for the design for each tab:

• Welcome tab should either not be able to be imported, or if imported, it should overwrite everything after a warning to user through a dialog box if data is already present and that it will be overwritten.
• Project tab should either not be able to be imported, or if imported, it should overwrite everything after a warning to user through a dialog box if data is already present and that it will be overwritten.
• Business assets tab: It should append to existing data but not append data that is equal to existing data.
• Supporting assets tab: It should append to existing supporting assets definition table and ignore the rest? Only append data that do not already exist
• Risks tab: It should append to existing risks, Only append risks that do not already exist
• Vulnerabilities tab: It should append to existing vulnerabilities, Only append vulnerabilities that do not already exist

The issue here is how to compare data for equality such as risks, vulnerabilities and supporting assets, do we need to create a special range of ID's that is reserved or create a UUID to define equality?

Revision to be tested : 3f8077a

Use case 1:

1. There is a risk which decision details is like

Transfer:
It is highly recommended for the application layer to protect all the xxx API that is used with anti hooking.

2. Navigate to ISRA Report tab and find the same risk
3. Expect to see the same decision text, but it is shown as

It is highly recommended for the application layer to protect all the XXX API Transfer:
that is used with anti hooking.

Use case 2:

1. There is a risk which decision details is like

Mitigation:
xxx will only delay attacker to understand the program flow and critical function.
Transfer:
It is highly recommended for the application layer to protect all the xxx that is used with anti hooking.

2. Navigate to ISRA Report tab and find the same risk
3. Expect to see the same decision text, but it is shown as

xxx will only delay attacker to understand the program flow Mitigation:
and critical function.
It is highly recommended for the application layer to protect all the xxx Transfer:
is used with anti hooking.

Version to be tested : 1.0.0-alpha02

There are some projects which ISRA xml for the 1st risk Id is empty Id
<my:riskId xsi:nil="true"></my:riskId>
Opening this kind of ISRA xml file will not show correctly.

Steps to reproduce:

1. Open ISRA xml which 1st risk is empty Id
2. Expect this xml is opened correctly, able to see all risks in this file.

Actual result:
Only see the 1st risk in table, others are not shown.

From master:

This issue may difficult to reproduce, when running the executable, i did print to PDF then switched to the PDF and opened it in windows and then came back to the SRA and could not switch tabs anymore, and no dialog box occurred. See attached image for more information. I am running Windows 10 with Electron Windows executable electron-v21.3.3-win32-x64

Only solution is to restart the application.

Version: 1.0.1-alpha01

Steps to reproduce:

• Go to Vulnerabilities tab and go to CVE Official CVSS Score
• Set the Score to 10 either manually or via the arrows
• Vulnerability Scoring would not update to 10 when CVSS Score reaches 10
• Reload the tab, CVSS Score will be at 9 instead of 10

From 1.0.0-alpha02:

Create an XML with some risks which are non-chronological, then import them in the new tool. They will be displayed in the original order, and not in chronological order, maybe it would be nice to sort them or in the header of the table to be able to sort them in chronological order.

When you have unsaved data and open a JSON file, it does not ask to save before opening the other file, so you may lose everything in case of inattention.

In the project context in the threat modeling there is this text and may not be known to users:

"the result of the TLOT assessment: if the TLOT is low it may not be necessary to use a threat modeling tool"

It is proposed to replace it by:
"the result of the Targeted level of trust assessment (as defined in ISO 27034): if the TLOT falls within a certain minimum threshold it may not be necessary to use a threat modeling tool." which is clearer and defines what is TLOT

@sebptt : In agreement with this?

When supporting assets have empty labels, they can still be selected in the vulnerabilities tab as well as in the table where they are linked with the business assets.

1. Create a supporting asset
   1a.. They are displayed and linked to vulnerabilities in the vulnerability tab.
   1b. They are displayed in the supporting assets when they must be linked to business assets

Version: 1.0.0-alpha03
Platform: win64

When importing a file from a previous format (XML), vulnerability scoring are displayed with 11 digits precision after comma.
We should limit to one digit precision after the comma.

The JSON Schema contains some data that should not be present or seems wrong:

From 1.0.0-alpha03:

• 'description' element should be renamed to 'classification' as it represents the security classification of the document. Also in our implementation it should contain our organization name at the beginning.
• appVersion: Should this not be hard-coded in the application? I am unsure this should probably be discussed
• what is the useNewDecode usage? It is found in 2 places in the Schema
• what is the isAutomaticRiskName usage?
• vulnerabilityCVE: Probably the default value should be a CVSS3.0 string, not a CVSS2.0 string, or it should simply be left empty.
• cveScore: Why is the default 4.37, should it not be 0?

Version: 1.0.1-alpha01

Description

When a risk is invalid, it should be displayed in red color so that third-parties understand that these risks are not correctly defined.

Version: 1.0.1-alpha01

Whenever the user switches across tabs, a loading dialog will pop-up and very quickly go away, which can be disruptive if the user has to switch across tabs frequently

Version: 1.0.1-alpha01

Steps to reproduce:

1. open an existing project ISRA xml file
2. navigate to Vulnerabilities
3. click on any item in the table
4. expect to get CVSS score to be same as opening the same file with same item by using InfoPath

Actual result:
The value of CVSS is 0

Version: 1.0.1-alpha01

Steps to reproduce:

• Go to any table in any tab and drag to adjust the last column to the left
• A grey area is shown

Version 1.0.0

UI elements and related code should not be placed in the backend and should be in the frontend instead

Remediation for Version 1.1:

• Shift all html element code in render-{tab name}.js to the respective html files in the tabs directory

Version: 1.0.0

Use-case:
Currently where there is a data validation error, the information displayed to the user does not lead to a very good user experience, as it does not indicate enough information to fix it.

This could be improved by adding more information.

Version 1.0.0 3813418

Platform: win64

The text fields for Project Context, Business Assets, Supporting Assets will become empty if the user clicks on the respective tab while it is reloading

How to reproduce:

• Key in some text in the rich text fields for any of the three tabs
• Click on the tab to reload and click on it again while it is reloading
• The text fields will become empty

Version: 1.0.0

Use-case:
We should be able to configure what type of files can be uploaded as attachments for the project description document and vulnerability description document

1.0.0-alpha02:

Each page of the exported PDF should include the classification label in the page footer for security reasons. The classification label is the configured text at bottom of each tab ... confidential {Project} .

Version: 1.0.0

Use-case:

We should be able to configure the User Interface elements without modifying the schema used to validate the JSON risk assessment data format. For example some typical elements that should be configurable by organizations are the following:

• Organization in Welcome tab
• Document classification label

Technical proposals

• The configuration data elements should be required for packaging? If not present a warning is displayed to user when packaging and default values are used. Default values for organization in welcome tab could be an edit box instead of a listbox. And for label, it would be CONFIDENTIAL {Project} like it is now.

Version: 1.0.1-alpha01

Steps to reproduce:

• Create a vulnerability with a long name such as "Replacement of the device"
• Create another vulnerability with a shorter name that is a substring of the first vulnerability such as "Replacement"
• In the attack path in the risks tab, select the vulnerability with the shorter name

Actual result:
The longer vulnerability name, "Replacement of the device" is being set instead.

Version 1.0.0 3813418

Platform: win64

After launching the app, launching subsequent instances of it would be significantly slower, the startup time takes about an average of 5 - 6 seconds