3 show a summary of the attack graph for a consequence in the web UI #18
Conversation
…in-the-web-ui' of github.com:SPYDERISK/system-modeller into 3-show-a-summary-of-the-attack-graph-for-a-consequence-in-the-web-ui
… associated threats; this avoids a console error
…ummary-of-the-attack-graph-for-a-consequence-in-the-web-ui
I've checked out the branch and tested SSM. All seems generally fine with the new functionality. I confirmed that you can get a different attack path on different consequences and that the results are cached. Also, results are cleared when running risk calc, so that's good. No major issues that I can see.
For the code itself, I've been through the code changes and made comments on various files. Nothing major - generally a bit of tidying up, removing commented out code, fixing copyright headers, etc.
I have not looked at the attack path algorithm code in great detail, but a quick scan looks OK.
src/main/java/uk/ac/soton/itinnovation/security/systemmodeller/rest/ModelController.java
src/main/webapp/app/modeller/components/panes/details/accordion/panels/ThreatsPanel.js
src/test/java/uk/ac/soton/itinnovation/security/modelvalidator/test/AttackPathTester.java
src/test/java/uk/ac/soton/itinnovation/security/modelvalidator/test/AttackPathTester.java
src/test/java/uk/ac/soton/itinnovation/security/modelvalidator/test/AttackPathTester.java
SonarLint highlights many cases of defined but unused variables and methods which should be removed.
There are unused imports which should be removed (e.g. in LogicalExpression.java).
There is also quite a lot of unnecessary commented out code so please see what could be deleted there.
It would be nice to have more consistent formatting in the new code at least (so for example there are many cases of "for(" rather than "for ("; the latter is to be used surely). Perhaps you can run the new files through a basic code formatter?
…e-attack-graph-for-a-consequence-in-the-web-ui
Minor points:
More serious:
The default risk calculation mode is the future risk so if we are to have just one button for the attack path then we should be consistent and the attack graph calculation should also be future risk. Not sure why we're not calculating the shortest path tree?
The exposed API for shortest path takes two parameters:
The UI button for "Calculate Attack Path" invokes the shortest path calculation with allPaths=TRUE and normalOperations=FALSE. Internally the AttackTree object is initialised with As a temporary fix futureRisk will be fixed to
Following further team discussions, the following strategy was agreed:
To avoid the situation where the web UI gets a threat graph calculation error:
It is not necessary to change the RiskCalculator behaviour: we do not need to clear the results of any previous risk calculation from the triple store before loading the model for a new calculation.
I suggest we also store (though not display) the timestamp for the last saved risk calculation in the U/I, and include this as an argument. That way if there is a saved risk calculation at the service, system-modeller can check if it is the same one the client is using. This could be done instead of checking the risk calculation mode. If the timestamp doesn't match, then we return the error, as described by Stephen. If the timestamp does match, then the risk calculation mode should also match. The advantage this brings is that it detects the case where a different client runs a saved risk calculation after the one that requested the attack graph analysis. If this other client changed risk calculation inputs (e.g., control selection or coverage, or assumed TW levels), then the attack graph wouldn't be correct for the displayed likelihood data. The timestamp we would need is a property of the system model graph ( This extension could be done separately, if desired. It should be a minor change on what @scp93ch proposed above.
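A sketch of the timestamp check proposed in the comment above, added here as an example and not code from the system-modeller project or the thread; it is written in Python rather than the project's Java, and `AttackGraphService`, `RiskCalculation`, the consequence ids and the likelihood data are hypothetical stand-ins for the triple store and the risk calculator. It also shows the cached attack paths being cleared when a new risk calculation is run, as noted in the first review.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RiskCalculation:
    """Saved risk calculation; hypothetical stand-in for the model's triple store."""
    timestamp: str      # when the results were saved to the system model graph
    future_risk: bool   # calculation mode the saved results belong to
    likelihoods: tuple  # (misbehaviour, likelihood level) pairs, constructed data

class StaleRiskCalculation(Exception):
    """The client's results are not the ones currently saved at the service."""

class AttackGraphService:
    def __init__(self):
        self.saved = None   # last saved RiskCalculation for the model
        self.cache = {}     # (consequence, all_paths, normal_ops) -> attack path

    def run_risk_calculation(self, timestamp, future_risk, likelihoods):
        # A new risk calculation invalidates every cached attack graph.
        self.saved = RiskCalculation(timestamp, future_risk, tuple(likelihoods))
        self.cache.clear()

    def attack_path(self, consequence, client_timestamp, future_risk,
                    all_paths=True, normal_ops=False):
        # Reject the request unless the client holds the currently saved results.
        if self.saved is None or client_timestamp != self.saved.timestamp:
            raise StaleRiskCalculation(f"client has {client_timestamp}, model has {self.saved and self.saved.timestamp}")
        # Matching timestamps imply a matching mode; a mismatch here is a bug.
        if future_risk != self.saved.future_risk:
            raise StaleRiskCalculation("mode differs despite matching timestamp")
        key = (consequence, all_paths, normal_ops)
        if key not in self.cache:
            # Stand-in for the real attack graph: rank contributing
            # misbehaviours by likelihood so the result depends on the inputs.
            self.cache[key] = [m for m, _ in sorted(
                self.saved.likelihoods, key=lambda p: p[1], reverse=True)]
        return self.cache[key]

def two_client_scenario():
    """Client A fetches a path; client B re-runs the risk calc; A's next request fails."""
    svc = AttackGraphService()
    svc.run_risk_calculation("2023-01-01T10:00Z", True,
                             [("LossOfAuth", 4), ("LossOfData", 2)])
    first = svc.attack_path("C1", "2023-01-01T10:00Z", True)
    svc.run_risk_calculation("2023-01-01T10:05Z", True,
                             [("LossOfAuth", 1), ("LossOfData", 3)])
    try:
        svc.attack_path("C1", "2023-01-01T10:00Z", True)
        stale = False
    except StaleRiskCalculation:
        stale = True
    return first, stale, svc.attack_path("C1", "2023-01-01T10:05Z", True)
```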
Just checked - it seems (based on code comments) that
…are set directly by the risk calc, so that immediately returned results are correct
…in-the-web-ui' of github.com:SPYDERISK/system-modeller into 3-show-a-summary-of-the-attack-graph-for-a-consequence-in-the-web-ui
…her menu options accordingly
…in-the-web-ui' of https://github.com/SPYDERISK/system-modeller into 3-show-a-summary-of-the-attack-graph-for-a-consequence-in-the-web-ui
…in-the-web-ui' of github.com:SPYDERISK/system-modeller into 3-show-a-summary-of-the-attack-graph-for-a-consequence-in-the-web-ui
…ot persisted when user selects to NOT save risk calc results. Validation now clears these flags. Fix corresponding unit test code.
…in-the-web-ui' of github.com:SPYDERISK/system-modeller into 3-show-a-summary-of-the-attack-graph-for-a-consequence-in-the-web-ui
…nt spinner from persisting
…in-the-web-ui' of github.com:SPYDERISK/system-modeller into 3-show-a-summary-of-the-attack-graph-for-a-consequence-in-the-web-ui
The new code still has some issues but it's well worth getting it merged in as it's a great new feature. 👍