Skip to content

docs: verify threat models for completeness and fix silent gaps#1330

Merged
ben-edna merged 1 commit into
mainfrom
claude/threat-models-security-docs-59i5v1
Jul 7, 2026
Merged

docs: verify threat models for completeness and fix silent gaps#1330
ben-edna merged 1 commit into
mainfrom
claude/threat-models-security-docs-59i5v1

Conversation

@spoorcc

@spoorcc spoorcc commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Cross-checking the threat catalog, responses, controls, and generated
reports against each other and the codebase surfaced several gaps:

  • DFT-06 (command injection) and DFT-34 (long-lived stored credential)
    had documented responses and mitigating controls (C-006/C-007,
    C-015/C-017, C-042) but never appeared in any rendered threat table:
    DFT-06's condition no longer matches once parameterized subprocess
    input is modelled, and pytm's resolve() never evaluates threats
    against Data assets (it iterates TM._elements only). Render such
    responses from the threat catalog so every documented risk decision
    stays visible, and fail generation when a finding has no response or
    a response names an unknown threat ID.
  • Asset IDs A-09/A-10 meant different assets in the two models (Remote
    VCS Server / Archive HTTP Server in the usage model, Winget repo /
    WINGET_TOKEN PAT in the supply-chain model). Renumber the Winget
    assets to A-28/A-29 so every asset ID is unique across the doc set.
  • Gap control IDs C-018/C-019/C-020/C-035 cited by the usage model were
    defined nowhere; add an 'Identified Gaps' section to the security
    page so each reserved ID resolves to a description.
  • Fix the SBOM cross-reference in the usage model (A-04 -> A-03) and
    the stale OSCAL version (1.1.2 -> 1.2.2) in security.rst and
    security/README.md.
  • Regenerate both threat-model reports (also picks up the stale
    C-045/C-036 control-row ordering in the usage report).

Summary by CodeRabbit

  • New Features

    • Security report generation now includes every documented risk decision, ensuring responded-to threats aren’t silently omitted.
  • Bug Fixes

    • Improved consistency of supply-chain security mappings by aligning updated Winget asset/credential identifiers across threat models, controls, and documentation.
    • Added stronger validation to detect mismatches between documented threats and rendered responses.
  • Documentation

    • Updated Security Model and CRA compliance materials to reflect the current OSCAL 1.2.2 references.
    • Refreshed threat/usage notes, including SBOM source cross-references and updated threat-to-control/linkage details.

@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 8d47b2f3-0e61-4339-9972-f84a9d6068d2

📥 Commits

Reviewing files that changed from the base of the PR and between c4baf59 and c389926.

📒 Files selected for processing (9)
  • doc/explanation/security.rst
  • doc/explanation/threat_model_supply_chain.rst
  • doc/explanation/threat_model_usage.rst
  • security/README.md
  • security/dfetch.component-definition.json
  • security/tm_controls_data.py
  • security/tm_render.py
  • security/tm_supply_chain.py
  • security/tm_usage.py

Walkthrough

This PR renumbers Winget-related asset identifiers across threat-model sources and generated documentation, adds threat coverage validation in the renderer, and updates OSCAL version references and component-definition metadata. It also adds a reserved-control-IDs section and new threat entries for command injection and credential persistence.

Changes

Threat model updates

Layer / File(s) Summary
Threat coverage validation and rendering logic
security/tm_render.py
Adds _CatalogRow and _validate_threat_coverage(), and updates threat-table rendering to validate response coverage and include catalog-only threats.
Winget asset ID renumbering in model data
security/tm_supply_chain.py, security/tm_controls_data.py, security/tm_usage.py
Renames Winget asset IDs from A-09/A-10 to A-28/A-29 across source data, control mappings, threat responses, SBOM references, and response targets.
Generated supply-chain threat model documentation
doc/explanation/threat_model_supply_chain.rst
Updates Winget diagrams, asset identification, dataflows, and threat entries to use A-28/A-29.
Generated usage threat model documentation
doc/explanation/threat_model_usage.rst
Updates the SBOM note, adds DFT-06, and repositions the C-045 control entry.

OSCAL compliance documentation update

Layer / File(s) Summary
OSCAL version and component-definition metadata
doc/explanation/security.rst, security/README.md, security/dfetch.component-definition.json
Updates OSCAL references from 1.1.2 to 1.2.2 and adjusts component-definition metadata and software version fields.
Reserved control IDs gaps section
doc/explanation/security.rst
Adds a new section listing reserved control IDs C-018, C-019, C-020, and C-035.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Sequence Diagram(s)

sequenceDiagram
  participant TM as TM._threats
  participant Render as _render_threat_rows
  participant Validate as _validate_threat_coverage
  participant Output as Rendered Table

  Render->>TM: build threat catalog
  Render->>Validate: validate(findings, responses)
  Validate-->>Render: raise ValueError or pass
  Render->>Output: render findings and catalog-only threats
Loading

Possibly related PRs

  • dfetch-org/dfetch#1182: Introduced the threat-model source modules and control/asset wiring that this PR updates.
  • dfetch-org/dfetch#1205: Added the RST report/template pipeline that consumes the threat-model rendering changes in this PR.
  • dfetch-org/dfetch#1263: Previously updated Winget-related asset IDs and threat/control wiring that this PR renumbers and extends.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main documentation changes: validating threat-model completeness and filling previously silent gaps.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/threat-models-security-docs-59i5v1

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@security/tm_render.py`:
- Around line 178-197: The early return in tm_render’s findings handling skips
_validate_threat_coverage() and prevents response-only rows from being rendered.
In the tm_render flow, move coverage validation before the empty-findings exit
and only return immediately when both tm.findings and responses are empty. Keep
the existing representative-building logic in tm_render so response threat IDs
not present in findings still get catalog-backed rows and unknown IDs still
trigger validation.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 709dfd35-5fa0-4670-9c26-7e6764cd5156

📥 Commits

Reviewing files that changed from the base of the PR and between 8c8a595 and c4baf59.

📒 Files selected for processing (9)
  • doc/explanation/security.rst
  • doc/explanation/threat_model_supply_chain.rst
  • doc/explanation/threat_model_usage.rst
  • security/README.md
  • security/dfetch.component-definition.json
  • security/tm_controls_data.py
  • security/tm_render.py
  • security/tm_supply_chain.py
  • security/tm_usage.py

Comment thread security/tm_render.py
@spoorcc spoorcc force-pushed the claude/threat-models-security-docs-59i5v1 branch from c4baf59 to be98353 Compare July 6, 2026 19:25
Cross-checking the threat catalog, responses, controls, and generated
reports against each other and the codebase surfaced several gaps:

- DFT-06 (command injection) and DFT-34 (long-lived stored credential)
  had documented responses and mitigating controls (C-006/C-007,
  C-015/C-017, C-042) but never appeared in any rendered threat table:
  DFT-06's condition no longer matches once parameterized subprocess
  input is modelled, and pytm's resolve() never evaluates threats
  against Data assets (it iterates TM._elements only). Render such
  responses from the threat catalog so every documented risk decision
  stays visible, and fail generation when a finding has no response or
  a response names an unknown threat ID.
- Asset IDs A-09/A-10 meant different assets in the two models (Remote
  VCS Server / Archive HTTP Server in the usage model, Winget repo /
  WINGET_TOKEN PAT in the supply-chain model). Renumber the Winget
  assets to A-28/A-29 so every asset ID is unique across the doc set.
- Gap control IDs C-018/C-019/C-020/C-035 cited by the usage model were
  defined nowhere; add an 'Identified Gaps' section to the security
  page so each reserved ID resolves to a description.
- Fix the SBOM cross-reference in the usage model (A-04 -> A-03) and
  the stale OSCAL version (1.1.2 -> 1.2.2) in security.rst and
  security/README.md.
- Regenerate both threat-model reports (also picks up the stale
  C-045/C-036 control-row ordering in the usage report).
@spoorcc spoorcc force-pushed the claude/threat-models-security-docs-59i5v1 branch from be98353 to c389926 Compare July 6, 2026 19:26
@spoorcc

spoorcc commented Jul 7, 2026

Copy link
Copy Markdown
Contributor Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@ben-edna ben-edna merged commit 68899b3 into main Jul 7, 2026
35 checks passed
@ben-edna ben-edna deleted the claude/threat-models-security-docs-59i5v1 branch July 7, 2026 04:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants