Feature/lab2

.github/pull_request_template.md

@@ -0,0 +1,21 @@
+# Goal
+
+<!-- Describe the objective of this PR -->
+
+## Changes
+
+<!-- List the key changes made -->
+
+## Testing
+
+<!-- Describe how you tested the changes -->
+
+## Artifacts & Screenshots
+
+<!-- Include screenshots, test results, or other relevant artifacts -->
+
+---
+
+- [ ] Clear, descriptive PR title
+- [ ] Documentation updated if needed
+- [ ] No secrets or large temporary files included

labs/lab2.md

@@ -1,142 +1,151 @@
-# Lab 2 — Threat Modeling (Threat Dragon + Threagile)
+# Lab 2 — Threat Modeling with Threagile
 
 ![difficulty](https://img.shields.io/badge/difficulty-beginner–intermediate-yellow)
-![topic](https://img.shields.io/badge/topic-Threat%20Modeling%20%26%20Security%20Requirements-blue)
+![topic](https://img.shields.io/badge/topic-Threat%20Modeling%20(Threagile)-blue)
 ![points](https://img.shields.io/badge/points-10-orange)
 
-> **Goal:** Model the **OWASP Juice Shop `bkimminich/juice-shop:19.0.0`** deployment, identify top risks, and produce both a **diagram-first** and an **automation-first** threat model.  
-> **Deliverable:** A PR from `feature/lab2` with a Threat Dragon model + Threagile outputs and a short risk summary.
+> **Goal:** Model the **OWASP Juice Shop `bkimminich/juice-shop:19.0.0`** deployment and generate an **automation-first** threat model with Threagile.  
+> **Deliverable:** A PR from `feature/lab2` with Threagile outputs and a short risk summary.
 
 ---
 
 ## Overview
 
 In this lab you will practice:
 
-* Building a **data flow diagram (DFD)** and capturing threats with **OWASP Threat Dragon** (supports STRIDE and auto-suggests threats via a rule engine).
-* Creating an **as-code** model with **Threagile** to automatically generate a **risk report + diagrams** from YAML (great for CI).
+* Creating an **as-code** model with **Threagile** and automatically generating a **risk report + diagrams** from YAML (great for CI).
+* Making a small, security-relevant model change and demonstrating how it **changes the risk set**.
 
 > Keep using the Juice Shop from Lab 1 (`:19.0.0`).
 
 ---
 
 ## Tasks
 
-### Task 1 — Threagile model & automated report (2 pts)
+### Task 1 — Threagile model & automated report (6 pts)
 
 **Objective:** Use the provided Threagile model to generate a PDF report + diagrams and document the results in `labs/submission2.md`.
 
-1. **Use the provided YAML**
+1) **Use the provided YAML**
 
 - `labs/lab2/threagile-model.yaml` is provided. Do not restructure it for this task.
-- You may make a small change for the “Delta Run” step (e.g., switch one link to HTTPS).
 
-2. **Generate outputs (risks + diagrams + PDF)**
+2) **Generate outputs (risks + diagrams + PDF)**
 
-Run Threagile against the model and write all artifacts into `lab2`:
+Create output folders and run Threagile:
 
-  ```bash
-  docker run --rm -it -v "$(pwd)":/app/work threagile/threagile \
-    -verbose \
-    -model /app/work/labs/labs/lab2/threagile-model.yaml \
-    -output /app/work/labs/lab2 \
-    -generate-risks-excel=false \
-    -generate-tags-excel=false
-  ```
+```bash
+mkdir -p labs/lab2/baseline labs/lab2/secure
+docker run --rm -v "$(pwd)":/app/work threagile/threagile \
+  -model /app/work/labs/lab2/threagile-model.yaml \
+  -output /app/work/labs/lab2/baseline \
+  -generate-risks-excel=false -generate-tags-excel=false
+```
 
-What you get in `labs/lab2/`:
+What you get in `labs/lab2/baseline/`:
 
-- `report.pdf` — full PDF report (includes diagrams) generated by default.
-- Diagrams: data-flow & data-asset diagrams (PNG).
-- Risk outputs: `risks.json` and also `stats.json`, `technical-assets.json`.
+* `report.pdf` — full PDF report (includes diagrams)
+* Diagrams: data-flow & data-asset diagrams (PNG)
+* Risk exports: `risks.json`, plus `stats.json`, `technical-assets.json`
 
 3. **Create `labs/submission2.md`**
 
-Include the following sections:
+Include:
 
-- Top 5 Risks (from `labs/lab2/risks.json`): create a table with columns — Severity, Category, Asset, Likelihood, Impact.
-  - Ranking: Sort risks by these weights to pick the Top 5:
-    - Severity order: critical (5) > elevated (4) > high (3) > medium (2) > low (1)
-    - Likelihood order: very-likely (4) > likely (3) > possible (2) > unlikely (1)
-    - Impact order: high (3) > medium (2) > low (1)
-    - Composite score = Severity*100 + Likelihood*10 + Impact. Sort descending; use score to break ties.
-  - Practical way:
-    - Manual read: open `labs/lab2/risks.json`, scan fields `severity`, `exploitation_likelihood`, `exploitation_impact`, `category`, `most_relevant_technical_asset`, apply the weights above, and pick the top 5.
-- **Delta Run**: change one thing in the YAML (e.g., set Reverse Proxy → App link to HTTPS), re-run, and paste a before/after of the relevant counts (e.g., unencrypted-communication dropped). Add a one-sentence reason why.
+* **Top 5 Risks** (from `labs/lab2/baseline/risks.json`): table with — Severity, Category, Asset, Likelihood, Impact.
 
-4. **Deliverables**
+  * Ranking: Sort by these weights:
 
-Commit/push:
+    * Severity: critical (5) > elevated (4) > high (3) > medium (2) > low (1)
+    * Likelihood: very-likely (4) > likely (3) > possible (2) > unlikely (1)
+    * Impact: high (3) > medium (2) > low (1)
+    * **Composite score** = `Severity*100 + Likelihood*10 + Impact` (sort desc; use to break ties)
 
-- `labs/lab2/threagile-model.yaml`
-- `labs/lab2/*diagram*.png` (at least the data-flow diagram)
-- `labs/submission2.md` (the write-up described above)
+> Practical: open `labs/lab2/baseline/risks.json`, scan fields `severity`, `exploitation_likelihood`, `exploitation_impact`, `category`, `most_relevant_technical_asset`, and pick the Top 5 using the weights.
 
-5. **Quality checklist (pass/fail hints)**
+---
 
-- Report opens and diagrams render.
-- Top 5 risks table present and legible; ties broken sensibly.
-- Stats snapshot included (from `stats.json`).
-- Clear overlap/difference vs Threat Dragon.
-- Delta Run shows before/after evidence and a short explanation.
+### Task 2 — HTTPS Variant & Risk Diff (4 pts)
 
-> Resources: Threagile site (auto risk rules, diagrams, CI-friendly), CLI usage (Docker examples), sample outputs. ([threagile.io][3], [GitHub][6], [juanvvc.github.io][4])
----
+**Objective:** Create a secure variant of the model and show how risk categories change.
+
+* Secure communications
+* Unencrypted asset
+
+1. **Create a secure variant YAML**
 
-### Task 2 — Threat Dragon Web Model (4 pts)
+Copy the baseline model and make exactly these edits:
 
-**Objective:** Create a diagram-based threat model of your local Juice Shop setup using the web UI at `threatdragon.com`, and extract the top 5 risks.
+* **User Browser → communication_links → Direct to App (no proxy)**: set `protocol: https`
+* **Reverse Proxy → communication_links**: set `protocol: https`
+* **Persistent Storage**: set `encryption: transparent` (to represent disk-level encryption)
 
-1. **Use the Threat Dragon web UI**
-   - Go to `threatdragon.com` → New Model (GitHub login required).
-   - Select a repo/branch where models are stored (optional).
-   - Provide metadata: title = “Juice Shop Lab”, owner = your GitHub handle.
-   - Add a diagram: place trust boundaries, actors, components, and flows.
-   - Assign STRIDE categories to each element/flow (via the properties pane).
-   - Run the rule engine and review auto-generated threats.
-   - Triage: keep, edit, or drop threats. Add mitigation notes (e.g., TLS via proxy, authz on sensitive routes, rate limiting).
+Save as: `labs/lab2/threagile-model.secure.yaml`.
 
-2. **Model the deployment (minimum elements)**
-   - **Actors:** User (Browser), Attacker (Internet)
-   - **Components:** Reverse Proxy (optional), Juice Shop Container (`:19.0.0`), Persistent Storage (e.g., container volume), Email/SMS provider (if configured)
-   - **Flows:**
-     - `HTTP 3000/tcp` Browser ↔ Juice Shop (or Browser ↔ Proxy ↔ Juice Shop)
-     - Outbound flows from Juice Shop (Email/SMS API, webhook, etc.)
-     - Persistent storage ↔ Juice Shop
-   - **Trust Boundaries:** Internet ⇢ Host; Host ⇢ Container Network
+2. **Run Threagile: secure variant**
 
-3. **Folder & files**
-   - Create in your repo:
-     - `labs/lab2/threat-dragon.json` — download/export the JSON model from the web UI.
-     - `labs/lab2/dfd.png` — export your diagram as PNG/SVG.
-     - `labs/lab2/THREATS.md` — markdown summary of your top risks.
+```bash
+docker run --rm -v "$(pwd)":/app/work threagile/threagile \
+  -model /app/work/labs/lab2/threagile-model.secure.yaml \
+  -output /app/work/labs/lab2/secure \
+  -generate-risks-excel=false -generate-tags-excel=false
+```
 
-4. **Write `labs/lab2/THREATS.md`**
-   - **Top 5 risks:** one-liners with STRIDE tags (e.g., “Injection [Tampering] — unsanitized input can corrupt DB”).
-   - Cross-check vs Threagile: 2 overlaps + 1 difference (one-liners).
+3. **Produce a Markdown delta table (Category: Baseline vs Secure vs Δ)**
 
-> Resources: Threat Dragon docs & project page (DFDs, STRIDE, rule engine, desktop/web options).
+Paste this **jq** command (works on jq 1.6+), then copy the output table into `labs/submission2.md`:
+
+```bash
+jq -n \
+  --slurpfile b labs/lab2/baseline/risks.json \
+  --slurpfile s labs/lab2/secure/risks.json '
+  def tally(x):
+    (x | group_by(.category) | map({ (.[0].category): length }) | add) // {};
+  (tally($b[0])) as $B |
+  (tally($s[0])) as $S |
+  (($B + $S) | keys | sort) as $cats |
+  [
+    "| Category | Baseline | Secure | Δ |",
+    "|---|---:|---:|---:|"
+  ] + (
+    $cats | map(
+      "| " + . + " | " +
+      (($B[.] // 0) | tostring) + " | " +
+      (($S[.] // 0) | tostring) + " | " +
+      (((($S[.] // 0) - ($B[.] // 0))) | tostring) + " |"
+    )
+  ) | .[]'
+```
+
+4. **Write a 2–4 line “Delta Run” explanation**
+
+* Change made:
+* Result (example):
+* Why:
 
 ---
 
-### Bonus — GitHub Social Interactions (optional)
+## Deliverables
 
-**Objective**: Explore GitHub’s social features and how they support collaboration.
+Commit/push:
 
-1. Star the course repository.  
-2. Follow your professor, TAs, and at least 3 classmates.
-3. In `labs/submission2.md`, add 1–2 sentences on why stars/follows matter in open source and team projects.
+* `labs/lab2/threagile-model.yaml` (baseline)
+* `labs/lab2/threagile-model.secure.yaml` (your secure variant)
+* `labs/lab2/baseline/*diagram*.png` (at least the data-flow diagram)
+* `labs/lab2/secure/*diagram*.png` (at least the data-flow diagram)
+* `labs/submission2.md` (Top 5 table + Delta table + short explanations)
 
 ---
 
-### Acceptance Criteria
+## Quality checklist (pass/fail hints)
+
+* Report opens and diagrams render in both **baseline** and **secure** runs.
+* Top 5 risks table present and legible; ties broken sensibly.
+* Category **Markdown delta table** included (baseline/secure/Δ).
+* Delta explanation is short and accurate (only the two intended changes).
+* Folder structure present: `labs/lab2/baseline/` and `labs/lab2/secure/`.
 
-* ✅ `labs/lab2/threat-dragon.json` exported and `labs/lab2/dfd.png` exported (diagram shows actors, Juice Shop container, flows, and trust boundaries).
-* ✅ `labs/lab2/THREATS.md` lists **Top 5** STRIDE-tagged risks.
-* ✅ `labs/lab2/threagile-model.yaml` models the same architecture at a reasonable fidelity.
-* ✅ `labs/lab2/*diagram*.png` includes at least the data-flow diagram.
-* ✅ `labs/submission2.md` includes: Artifacts list, Top 5 risks table, Stats snapshot, 2 overlaps + 1 difference Threagile vs Threat Dragon, and a Delta Run with before/after evidence.
-* ✅ PR from `feature/lab2` → `main` is open with artifacts attached/linked in the description.
+> Resources: Threagile site (auto risk rules, diagrams, CI-friendly), CLI usage (Docker examples), sample outputs. ([threagile.io][3], [GitHub][6], [juanvvc.github.io][4])
 
 ---
 
@@ -145,37 +154,37 @@ Commit/push:
 1. Create `feature/lab2`, commit the new files, push, and open a PR.
 2. In the PR description, fill your template sections and include:
 
-   ```text
-   - [x] Task 1: Threagile YAML + report + diagrams + submission2.md
-   - [x] Task 2: Threat Dragon model + THREATS.md
-   ```
+```text
+- [x] Task 1: Threagile baseline model + report + diagrams + submission2.md (Top 5)
+- [x] Task 2: HTTPS Variant + secure run + Category delta table + delta explanation
+```
 
 ---
 
 ## Rubric (10 pts)
 
-| Criterion                                                          | Points |
-| ------------------------------------------------------------------ | -----: |
-| Task 1 — Threat Dragon DFD + **Top 5** risks in `THREATS.md`       |  **6** |
-| Task 2 — Threagile YAML + generated report/diagrams + submission2  |  **4** |
-| **Total**                                                          | **10** |
+| Criterion                                                                 | Points |
+| ------------------------------------------------------------------------- | -----: |
+| **Task 1** — Threagile baseline: report/diagrams + Top 5 risks table      |  **6** |
+| **Task 2** — HTTPS Variant & Risk Diff: secure run + Markdown delta table |  **4** |
+| **Total**                                                                 | **10** |
 
 ---
 
 ## Hints
 
 > 🧭 **Model the lab reality.** Use exactly the architecture you’re running from Lab 1 (localhost, optional proxy).
-> 🧠 **Threat Dragon tip:** Start with STRIDE per **flow** first (S/T/I for auth, R/E for data tampering/DoS), then per **asset**. The tool’s rule engine can suggest threats you can triage. ([OWASP][5])
+>
 > ⚙️ **Threagile flags:** You can generate a stub (`-create-stub-model`), list enums (`-list-types`), and run analysis with `-model ... -output ...`; it emits report/DFDs and risk exports—handy for CI. ([Go Packages][1], [Kali Linux Tutorials][2])
-> 📑 **Keep it short:** One-page summaries beat walls of text—use bullets and link the artifacts.
-> 🔁 **Consistent IDs:** Use the same risk names/IDs across both tasks where they overlap—this helps later when we create CI gates and dashboards.
+>
+> 📑 **Keep it short:** One-page summaries beat walls of text—use bullets and paste the tables.
+>
+> 🔁 **Consistent IDs:** Use the same asset/link names between baseline and secure models so your diffs line up.
 
 ---
 
-[1]: https://pkg.go.dev/github.com/threagile/threagile?utm_source=chatgpt.com "threagile command - github.com/threagile/threagile - Go ... - Go Packages"
+[1]: https://pkg.go.dev/github.com/threagile/threagile?utm_source=chatgpt.com "threagile command - github.com/threagile/threagile - Go Packages"
 [2]: https://kalilinuxtutorials.com/threagile/?utm_source=chatgpt.com "Threagile : Agile Threat Modeling Toolkit 2020!Kalilinuxtutorials"
 [3]: https://threagile.io/?utm_source=chatgpt.com "Threagile — Agile Threat Modeling Toolkit"
 [4]: https://juanvvc.github.io/securecoding/images/threatmod/threagile/report.pdf?utm_source=chatgpt.com "Threat Model Report: Some Example Application"
-[5]: https://owasp.org/www-project-threat-dragon/?utm_source=chatgpt.com "OWASP Threat Dragon"
 [6]: https://github.com/Threagile/threagile "GitHub - Threagile/threagile: Agile Threat Modeling Toolkit"
-[7]: https://github.com/Threagile/threagile/blob/master/demo/example/threagile.yaml "threagile/demo/example/threagile.yaml at master - GitHub"