This repository was archived by the owner on Sep 9, 2025. It is now read-only.

Commit 418595c

Authored by jason-meredith-rewind, jgadsden, lreading, dependabot[bot], kingthorin
Update fork with upstream changes (#14)
* update browserstack platform and browser list
* Graph factory spec updates
* Removing outdated test
* Addressing linting errors
* browserstack available platforms and browsers
* update to latest browserstack-cypress-cli for workflows
* allow magnet for diagram components
* Removing temporary test runner from package.json
* remove ports from text box
* Removing unused references / addressing linting violations
* use File System Access API if supported on the browser
* check for cancel by user when saving to local filesystem
* update link checker in workflow
* update and enable trivy in workflows
* update cache action in workflows
* provide reason for out of scope in the reports
* provide showAttributes to report components
* add properties to report
* tidy up of entity description in reports
* update cookie version
* Bump github/codeql-action from 3.26.6 to 3.27.0 in /.github/workflows
  Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.6 to 3.27.0.
  - [Release notes](https://github.com/github/codeql-action/releases)
  - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
  - [Commits](github/codeql-action@v3.26.6...v3.27.0)
  ---
  updated-dependencies:
  - dependency-name: github/codeql-action
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* Bump actions/setup-node from 4.0.2 to 4.1.0 in /.github/workflows
  Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4.0.2 to 4.1.0.
  - [Release notes](https://github.com/actions/setup-node/releases)
  - [Commits](actions/setup-node@v4.0.2...v4.1.0)
  ---
  updated-dependencies:
  - dependency-name: actions/setup-node
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* enable contextual threat suggestions only when new threat button is enabled
* release version 2.3.0-RC1
* Bump rexml from 3.3.6 to 3.3.9 in /docs
  Bumps [rexml](https://github.com/ruby/rexml) from 3.3.6 to 3.3.9.
  - [Release notes](https://github.com/ruby/rexml/releases)
  - [Changelog](https://github.com/ruby/rexml/blob/master/NEWS.md)
  - [Commits](ruby/rexml@v3.3.6...v3.3.9)
  ---
  updated-dependencies:
  - dependency-name: rexml
    dependency-type: indirect
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* Bump elliptic from 6.5.7 to 6.6.0 in /td.vue
  Bumps [elliptic](https://github.com/indutny/elliptic) from 6.5.7 to 6.6.0.
  - [Commits](indutny/elliptic@v6.5.7...v6.6.0)
  ---
  updated-dependencies:
  - dependency-name: elliptic
    dependency-type: indirect
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* signing of windows executables now done manually
* minimum version of elliptic set to 6.6.0
* use notarytool for MacOS images
* disable trivy until it can be reliably downloaded
* release version 2.3.0-RC2
* Bump lycheeverse/lychee-action from 2.0.2 to 2.1.0 in /.github/workflows
  Bumps [lycheeverse/lychee-action](https://github.com/lycheeverse/lychee-action) from 2.0.2 to 2.1.0.
  - [Release notes](https://github.com/lycheeverse/lychee-action/releases)
  - [Commits](lycheeverse/lychee-action@v2.0.2...v2.1.0)
  ---
  updated-dependencies:
  - dependency-name: lycheeverse/lychee-action
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* move environment to top of jobs
* fix for the notarization variables
* add app bundle ID for MacOS notarization
* try appId in MacOS electron builder options
* provide appBundleId to packages
* Bump aquasecurity/trivy-action in /.github/workflows
  Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.28.0 to 0.29.0.
  - [Release notes](https://github.com/aquasecurity/trivy-action/releases)
  - [Commits](aquasecurity/trivy-action@0.28.0...0.29.0)
  ---
  updated-dependencies:
  - dependency-name: aquasecurity/trivy-action
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* staple electron-builder to version 24.12.0
* re-enable Trivy in workflow pipelines
* fix for cross-spawn
* ensure cross-spawn is at latest version
* use electron-builder version 24.12.0
* manual macos notarization
* update macos signing
* add electron builder package
* allow macos notarization to fail
* update zaproxy/action-full-scan to version 0.12.0 in workflows
* update build-push-action to version 6.10.0 in workflows
* release version 2.3.0-RC3
* release version 2.3.0
* add to ZAP rules
* add release snap workflow
* update release note template
* provide open-source software certs for Windows signing
* open-source software certs for Windows signing pipeline
* add publisher name to Windows installer
* add digest definitions for Windows installer
* add time stamp server for Windows installer
* add sha256 digest for Windows installer
* update release instructions
* Bump actions/cache from 4.1.1 to 4.2.0 in /.github/workflows
  Bumps [actions/cache](https://github.com/actions/cache) from 4.1.1 to 4.2.0.
  - [Release notes](https://github.com/actions/cache/releases)
  - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
  - [Commits](actions/cache@v4.1.1...v4.2.0)
  ---
  updated-dependencies:
  - dependency-name: actions/cache
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* update release process
* set latest build version
* Update actions/download-artifact to consistently use 4.1.8
* update version of path-to-regexp
* Include new values Critical and TBA to priority field. Change the default value to TBA. Fix I18N files.
* Fix unit test
* Fix NODE_VERSION in Dockerfile
* Fix typo in the fi.js file.
* fixup app-builder-lib link
* Upgrading to Express v5
* Updating package-lock
* Upgrading express to v5
* Restoring parsers test to original test, the update was not needed
* update action-gh-release to version 2.2.0
* update setup-buildx-action to version 3.8.0 in workflows
* update purge-deprecated-workflow-runs to version 2.2.0 in workflows
* update upload-artifact to version 4.5.0 in workflows
* update lychee-action version 2.2.0 in workflows
* update systeminformation package to version 5.23.23
* update build-push-action to version 6.11.0 in workflow pipelines
* update setup-qemu-action to version 3.3.0 in workflow pipelines
* update upload-artifact to version 4.6.0 in workflow pipelines
* update codeql-action to version 3.28.1 in workflow pipelines
* update ZAP rules
* overwrite model version with app version on save file
* provide both diagram description and icon in threat model view
* Bump docker/build-push-action in /.github/workflows
  Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6.11.0 to 6.13.0.
  - [Release notes](https://github.com/docker/build-push-action/releases)
  - [Commits](docker/build-push-action@v6.11.0...v6.13.0)
  ---
  updated-dependencies:
  - dependency-name: docker/build-push-action
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* fix: if a repository is now searched for, a call is made against the Git provider to get a new list of repositories.
* Bump actions/setup-node from 4.1.0 to 4.2.0 in /.github/workflows
  Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4.1.0 to 4.2.0.
  - [Release notes](https://github.com/actions/setup-node/releases)
  - [Commits](actions/setup-node@v4.1.0...v4.2.0)
  ---
  updated-dependencies:
  - dependency-name: actions/setup-node
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* feat: It is now possible to create a new branch when selecting the branch.
* feat: add tests
* Bump otto-de/purge-deprecated-workflow-runs in /.github/workflows
  Bumps [otto-de/purge-deprecated-workflow-runs](https://github.com/otto-de/purge-deprecated-workflow-runs) from 2.2.0 to 3.0.1.
  - [Release notes](https://github.com/otto-de/purge-deprecated-workflow-runs/releases)
  - [Commits](otto-de/purge-deprecated-workflow-runs@v2.2.0...v3.0.1)
  ---
  updated-dependencies:
  - dependency-name: otto-de/purge-deprecated-workflow-runs
    dependency-type: direct:production
    update-type: version-update:semver-major
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* feat: display whether the branch is protected with an icon (only works under gitlab and github)
* Fix id duplication on threatsuggestdialog
* Bump lycheeverse/lychee-action from 2.2.0 to 2.3.0 in /.github/workflows
  Bumps [lycheeverse/lychee-action](https://github.com/lycheeverse/lychee-action) from 2.2.0 to 2.3.0.
  - [Release notes](https://github.com/lycheeverse/lychee-action/releases)
  - [Commits](lycheeverse/lychee-action@v2.2.0...v2.3.0)
  ---
  updated-dependencies:
  - dependency-name: lycheeverse/lychee-action
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* TLS without proxy
* updated example.env
* handling APP_PORT check
* link checker ignores redirects to Docker
* Adding ability to export the graph as PNG, JPEG and SVG. Not tested on desktop, no tests written. WIP
* Adding unit tests
* Added search functionality for language selection dropdown
* Fix test: Replaced 'English' with 'eng'
* Fixed locale selection and filtering, all tests passing
* provide locale name in locale display
* make label visible for trust boundary box
* trivy scan update
* remove client webSocketURL devServer config
* add passive events support to touchstart and mousewheel events
* add passive-events-support to Jest ignore pattern
* updated the example env
* reinstate diagram node resizing
* Format example.env: removed extra whitespace
* first steps for edge labels being selectable
* consolidating hostname variable
* trust boundary and flow labels legible and selectable
* responsive name update for flows and trust boundaries
* improve selection for flows and trust boundary stencils
* update new threat model template to include STRIDE diagram
* update new threat model template to include Generic diagram
* components are selected when added
* identify events that need to convert edge cell to data flow
* convert edge to flow on attach or select events
* revert changes to new threat model, removing added STRIDE diagram
* update actions in workflows
* update dependencies in front-end and server
* update front-end dependencies
* release candidate 2.4.0-RC1
* identify line that cuts off diagram components on save
* remove version 1.x demo models
* add demo model for Three Tier Web Application
* provide demo models for renting-car and generic-cms
* move version back to latest from RC1
* reserve places for other demo models to be added later
* schema allows version string to include -RCxx
* schema now allows text box not to have a description
* bug fix for trust boundary box name
* provide a minimal set of env vars
* provide confirmation that save has taken place
* preserves existing data flows and boundaries that do not have labels
* add Payments Processing Platform demo
* update workflows for latest versions of actions
* Fixing label issue for flows and boundary curves
* Reverting unnecessary updateName call
* Fixing errant deletion
* Rename "PORT" environment variable to "SERVER_API_PORT". Prefers the environment variable named "SERVER_API_PORT". If this value is falsy, then uses the environment variable "PORT" for backwards compatibility. If this value is falsy, then use the default value of 3000.
* provide label to individual edges
* add demo model for online game
* remove duplicate in back-end test spec
* release version 2.4.0
* set build version to latest
* Fixed up everywhere that PORT was referenced to include SERVER_API_PORT
* renamed js variable PORT for clarity
* Added error checking for TLS cert/key file access
* Reordered and commented example.env file
* Update example.env to fix failing test
* removing potential variable name conflict
* Fixing test error
* bug fix for data flow and trust boundary labels overwritten by curve
* fix for unexpected label on Trust Boundary Box
* priority level TBD instead of TBA
* debug for snap release action
* Revert "Clean up, add error checking, remove ambiguity around term "port""
* release version 2.4.1
* set build version to latest
* add IoT and CMS demo models along with JSON versions
* update main demo model
* configure lint to be maximally strict
* emphasise the use of unit tests and e2e tests when contributing
* update qemu-action to version 3.6.0 in workflows
* update axios to latest version 1.8.2
* fix links in pull request template: fix links to CoC and contributors notes
* fix bootstrap broken link
* update workflow actions
* initial Jekyll page with theme owasp-td-jekyll
* update lychee-action in workflow
* compatible Jekyll version for Alpine Ruby
* documentation files restored
* provide image float and links to docs
* redirect docs page from project pages to demo docs site
* update babel to latest
* Updating owasp-td-jekyll to the latest version, re-adding Gemfile.lock
* Dockerfile: using ruby image to build docs
* Ignoring secret detection in bitbucket.html (false positives)
* Reverting trivyignore rule
* PR Action: skipping bitbucket docs for Trivy
* fixup docs image links
* fix links within the docs

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Jon Gadsden <jon.gadsden@owasp.org>
Co-authored-by: Leo Reading <leo.reading@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Rick M <kingthorin@users.noreply.github.com>
Co-authored-by: fparuce <felipe_costacurta@hotmail.com>
Co-authored-by: Felipe Costacurta Paruce <88634279+fparuce@users.noreply.github.com>
Co-authored-by: Florian Schmidt <florian1.schmidt@enviam.de>
Co-authored-by: Marc Catrisse <marc.catrisse@upc.edu>
Co-authored-by: syedtalha <syed.talha@devflovv.com>
Co-authored-by: Eric Fitzgerald <github@efitz.net>
Co-authored-by: Anvita Prasad <cs23b1059.iiitdm.ac.in>
1 parent 0b15f4c commit 418595c


326 files changed

+61404
-11474
lines changed


.github/pull_request_template.md

Lines changed: 11 additions & 8 deletions
Original file line number | Diff line number | Diff line change
@@ -3,17 +3,20 @@
33
What existing issue does the pull request solve?
44
Please provide enough information so that others can review your pull request
55
-->
6+
If this closes an existing issue then add "closes #xxxx", where xxxx is the issue number
67

78
**Description for the changelog**:
8-
<!--
9-
A short (one line) summary that describes the changes in this pull request for inclusion in the change log
10-
-->
9+
<!-- A short (one line) summary that describes the changes in this pull request for inclusion in the change log -->
10+
11+
**Declaration**:
12+
13+
- [ ] appropriate unit tests have been created / modified
14+
- [ ] functional tests created / modified for changes in functionality
15+
- [ ] any use of AI has been declared in this pull request
1116

1217
**Other info**:
13-
<!--
14-
Add here any other information that may be of help to the reviewer
15-
If this closes an existing issue then add "closes #xxxx", where xxxx is the issue number
16-
-->
18+
<!-- Add here any other information that may be of help to the reviewer -->
1719

1820
Thanks for submitting a pull request!
19-
Please make sure you follow our code_of_conduct.md and our contributing guidelines contributing.md
21+
Please make sure you follow our [Code of Conduct](../code_of_conduct.md)
22+
and our [contributing guidelines](../contributing.md)
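Review bot: the added line 6, `If this closes an existing issue then add "closes #xxxx", where xxxx is the issue number`, sits after the `-->` on line 5, so it is outside the HTML comment and will be rendered verbatim in every PR description unless the author remembers to delete it; the same sentence was previously inside the `<!-- ... -->` block under **Other info**, where it stayed hidden. Move it above the `-->` (or wrap it in its own `<!-- -->`) so it remains guidance to the author rather than PR body text.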

.github/workflows/.trivyignore

Lines changed: 15 additions & 0 deletions
@@ -0,0 +1,15 @@
1+
# ignoring these vulnerabilities in zlib,
2+
# there are no updates to zlib and so these are unlikely to be fixed
3+
CVE-2018-25032
4+
CVE-2022-37434
5+
6+
# https://avd.aquasec.com/nvd/cve-2023-28155
7+
# request version prior to 2.88.2
8+
# this vulnerability is for the build system, not run time, so ignore
9+
CVE-2023-28155
10+
11+
# https://avd.aquasec.com/nvd/cve-2024-9143
12+
# alpine 3.20.3 is pulling in a Low priority vuln for libcrypto3 version 3.3.2-r2,
13+
# ignore for now until alpine is updated
14+
CVE-2024-9143
15+
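Review bot: the entries for CVE-2024-9143 (`ignore for now until alpine is updated`) and CVE-2023-28155 are described as temporary, but nothing in the file expires them, so they will silently outlive the base-image and `request` updates they are waiting for. Trivy's `.trivyignore` accepts an expiry per entry, e.g. `CVE-2024-9143 exp:YYYY-MM-DD` (placeholder date), after which the finding is reported again; adding one to the time-limited entries keeps the suppression honest. For CVE-2023-28155 the reason `this vulnerability is for the build system, not run time` would also benefit from a note on how it was confirmed that the vulnerable `request` version is not present in the published image, since the runtime image is what this ignore file is applied to.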
Lines changed: 9 additions & 14 deletions
@@ -1,19 +1,14 @@
1-
10110 OUTOFSCOPE .*vendor.*\.js
2-
10110 OUTOFSCOPE .*graph-test.*\.js
1+
10062 OUTOFSCOPE .*_bom\..*
2+
10094 OUTOFSCOPE .*_bom\..*
33
10099 OUTOFSCOPE .*vendor.*\.js
44
10099 OUTOFSCOPE .*diagram-edit.*\.js
55
10099 OUTOFSCOPE .*app.*\.js
6+
10110 OUTOFSCOPE .*vendor.*\.js
7+
10110 OUTOFSCOPE .*graph-test.*\.js
68
10110 OUTOFSCOPE .*diagram-edit.*\.js
7-
10062 OUTOFSCOPE .*_bom\..*
8-
10094 OUTOFSCOPE .*_bom\..*
99
10110 OUTOFSCOPE .*jquery\.min\.js
10-
10003 IGNORE (docs/assets/js/jquery.dataTables.min.js)
11-
10094 IGNORE Base64 Disclosure
12-
10027 IGNORE Information Disclosure - Suspicious Comments
13-
10096 IGNORE Timestamp Disclosure - Unix
14-
10099 IGNORE Source Code Disclosure - SQL
15-
10109 IGNORE Modern Web Application
16-
10049 IGNORE Non-Storable Content
17-
10055 IGNORE (CSP: style-src unsafe-inline)
18-
10063 IGNORE (Feature Policy Header Not Set)
19-
90005 IGNORE (Sec-Fetch-Dest Header is Missing)
10+
10003 IGNORE Javascript libraries handled by dependabot
11+
10055 IGNORE CSP: script-src unsafe-eval
12+
10063 IGNORE Permissions Policy Header Not Set
13+
40039 IGNORE Web Cache Deception
14+
90004 IGNORE Set the Cross-Origin-Opener-Policy header
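Review bot: `10003 IGNORE Javascript libraries handled by dependabot` widens the previous suppression, which was scoped to the single file `docs/assets/js/jquery.dataTables.min.js`, to every Vulnerable JS Library alert ZAP raises; dependabot only tracks packages declared in manifests, so a library copied into `docs/` as a static asset would now be flagged by neither tool. Either keep the file-scoped form or state which manifest covers the vendored files. Likewise `10055 IGNORE CSP: script-src unsafe-eval` swaps the earlier `style-src unsafe-inline` ignore for a stronger weakening of the policy (`unsafe-eval` in `script-src`), and `90004 IGNORE Set the Cross-Origin-Opener-Policy header` suppresses a missing isolation header; a short reason per IGNORE, as the 10003 line and the `.trivyignore` comments already do, would make these suppressions auditable.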

.github/workflows/browserstack.yaml

Lines changed: 8 additions & 6 deletions
@@ -10,27 +10,29 @@ on:
1010
jobs:
1111
browserstack_e2e:
1212
name: Browserstack e2e
13-
runs-on: ubuntu-22.04
13+
runs-on: ubuntu-24.04
1414
defaults:
1515
run:
1616
working-directory: td.vue
1717
if: github.repository == 'OWASP/threat-dragon'
18+
1819
steps:
1920
- name: Checkout
20-
uses: actions/checkout@v4.1.1
21+
uses: actions/checkout@v4.2.0
2122

22-
- name: Use Node.js 18.x
23-
uses: actions/setup-node@v4.0.0
23+
- name: Use node LTS 20.14.0
24+
uses: actions/setup-node@v4.3.0
2425
with:
25-
node-version: '18'
26+
node-version: '20.14.0'
2627

2728
- name: Cache NPM dir
28-
uses: actions/cache@v4.0.0
29+
uses: actions/cache@v4.2.0
2930
with:
3031
path: ~/.npm
3132
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
3233
restore-keys: |
3334
${{ runner.os }}-node-
35+
${{ runner.os }}-
3436
3537
- name: Install packages
3638
run: |
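Review bot: the bumped actions are still pinned by tag (`actions/checkout@v4.2.0`, `actions/setup-node@v4.3.0`, `actions/cache@v4.2.0`); a tag is mutable, so this gives reproducibility but not tamper resistance, which needs the full commit SHA with the version kept in a trailing comment (`uses: actions/checkout@<sha> # v4.2.0`). Worth doing while the versions are being touched anyway. Minor: the new fallback restore key `${{ runner.os }}-` matches any cache on that OS, not only the npm cache, so a stale or unrelated cache may be restored when `${{ runner.os }}-node-` misses; the existing fallback was already the sensible last resort.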

.github/workflows/housekeeping.yaml

Lines changed: 24 additions & 23 deletions
@@ -6,13 +6,13 @@ on:
66
workflow_dispatch:
77

88
env:
9-
IMAGE_NAME: threatdragon/owasp-threat-dragon
9+
IMAGE_NAME: threatdragon/owasp-threat-dragon:latest
1010

1111
# for security reasons the github actions are pinned to specific release versions
1212
jobs:
1313
chores:
1414
name: Tidy workflows
15-
runs-on: ubuntu-22.04
15+
runs-on: ubuntu-24.04
1616
permissions:
1717
actions: write
1818

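Review bot: `IMAGE_NAME` now carries the `:latest` tag, so the Trivy job below always scans whatever was most recently pushed rather than a known build, and the SARIF uploaded to the Security tab cannot be tied back to a specific image; scanning by digest or by the release tag would make the results traceable. If the tag stays in the variable, the name is now slightly misleading (it holds an image reference, not a name); `IMAGE_REF` would read better. The comment `for security reasons the github actions are pinned to specific release versions` is also a good place to say whether that means tags or commit SHAs, since only the latter resists a moved tag.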
@@ -26,13 +26,13 @@ jobs:
2626
keep_minimum_runs: 10
2727

2828
- name: Delete unused workflows
29-
uses: otto-de/purge-deprecated-workflow-runs@v2.0.3
29+
uses: otto-de/purge-deprecated-workflow-runs@v3.0.1
3030
with:
3131
token: ${{ github.token }}
3232

3333
stale:
3434
name: Tidy pull requests
35-
runs-on: ubuntu-22.04
35+
runs-on: ubuntu-24.04
3636
permissions:
3737
pull-requests: write
3838
issues: write
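Review bot: `otto-de/purge-deprecated-workflow-runs` jumps a major version (v2.0.3 to v3.0.1) with the `token` input left unchanged; a major release is where input names and defaults change, so confirm against the v3 release notes that `token` is still accepted and that the default selection of runs to purge did not widen. This action deletes workflow history and runs under `actions: write`, which makes it the strongest candidate in this file for pinning by commit SHA rather than by tag.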
@@ -41,45 +41,46 @@ jobs:
4141
- name: Tidy stale PRs and issues
4242
uses: actions/stale@v9
4343
with:
44-
days-before-issue-stale: 182
44+
days-before-issue-stale: 190
4545
days-before-issue-close: -1
46-
stale-issue-message: 'This issue is stale because it has been open for 6 months with no activity.'
46+
stale-issue-message: 'This issue is stale because it has been open for more than 6 months with no activity'
4747
stale-issue-label: stale
4848
remove-issue-stale-when-updated: true
4949
days-before-pr-stale: 21
5050
days-before-pr-close: 7
51-
stale-pr-message: 'This PR is stale because it has been open 21 days with no activity. Remove stale label, or add a comment, otherwise it will be closed in 7 days.'
52-
close-pr-message: 'This PR was closed because it has been stalled for 28 days with no activity.'
51+
stale-pr-message: 'This PR is stale because it has been open 21 days with no activity. Remove stale label, or add a comment, otherwise it will be closed in 7 days'
52+
close-pr-message: 'This PR was closed because it has been stalled for 28 days with no activity'
5353

5454
trivy:
55-
name: Scan with trivy
56-
runs-on: ubuntu-22.04
55+
name: Scan with Trivy
56+
runs-on: ubuntu-24.04
5757
permissions:
5858
contents: write
5959
security-events: write
6060

6161
steps:
6262
- name: Checkout repository
63-
uses: actions/checkout@v4.1.1
63+
uses: actions/checkout@v4.2.0
6464
with:
6565
ref: main
6666

67-
- name: Run vulnerability scanner
68-
uses: aquasecurity/trivy-action@0.19.0
67+
- name: Run Trivy vulnerability scanner
68+
uses: aquasecurity/trivy-action@0.30.0
6969
with:
70-
image-ref: '${{ env.IMAGE_NAME }}:latest'
70+
image-ref: '${{ env.IMAGE_NAME }}'
7171
format: 'template'
7272
template: '@/contrib/sarif.tpl'
73+
trivyignores: '.github/workflows/.trivyignore'
7374
output: 'trivy-results.sarif'
7475

7576
- name: Upload scan results to GitHub Security tab
76-
uses: github/codeql-action/upload-sarif@v3.25.1
77+
uses: github/codeql-action/upload-sarif@v3.28.1
7778
with:
7879
sarif_file: 'trivy-results.sarif'
7980

8081
codeql:
8182
name: Analyze with codeql
82-
runs-on: ubuntu-22.04
83+
runs-on: ubuntu-24.04
8384
permissions:
8485
security-events: write
8586

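Review bot: the `trivy` job keeps `contents: write` although nothing in it writes to the repository; `actions/checkout` needs only `contents: read` and the SARIF upload needs `security-events: write`, so `contents: write` can be dropped to match the least-privilege intent stated at the top of this file. The new `trivyignores: '.github/workflows/.trivyignore'` input is the right way to attach the ignore file. Nit: the step is pinned to `aquasecurity/trivy-action@0.30.0` while the commit message lists a bump to 0.29.0; confirm the pinned version is the one intended, and note that `image-ref: '${{ env.IMAGE_NAME }}'` now relies on the env value carrying the `:latest` tag.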
@@ -88,12 +89,12 @@ jobs:
8889

8990
steps:
9091
- name: Checkout repository
91-
uses: actions/checkout@v4.1.1
92+
uses: actions/checkout@v4.2.0
9293
with:
9394
ref: main
9495

9596
- name: Initialize CodeQL
96-
uses: github/codeql-action/init@v3.25.1
97+
uses: github/codeql-action/init@v3.28.1
9798
with:
9899
languages: 'javascript'
99100
config-file: ./.github/codeql/codeql-config.yml
@@ -102,21 +103,21 @@ jobs:
102103
# Prefix the list here with "+" to use these queries and those in the config file.
103104

104105
- name: CodeQL autobuild
105-
uses: github/codeql-action/autobuild@v3.25.1
106+
uses: github/codeql-action/autobuild@v3.28.1
106107

107108
- name: Perform vulnerability analysis
108-
uses: github/codeql-action/analyze@v3.25.1
109+
uses: github/codeql-action/analyze@v3.28.1
109110

110111
link_checker:
111112
name: Link checker
112-
runs-on: ubuntu-22.04
113+
runs-on: ubuntu-24.04
113114

114115
steps:
115116
- name: Checkout markdown
116-
uses: actions/checkout@v4.1.1
117+
uses: actions/checkout@v4.2.0
117118

118119
- name: Link Checker
119-
uses: lycheeverse/lychee-action@v1.10.0
120+
uses: lycheeverse/lychee-action@v2.4.0
120121
with:
121122
fail: true
122123
env:
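Review bot: `lycheeverse/lychee-action` moves from v1.10.0 to v2.4.0, a major release, with the `fail: true` input kept as is; check the v2 migration notes for renamed inputs and changed defaults before relying on the same configuration, since `fail: true` is what makes broken links fail the job and it must survive the upgrade. As with the other bumps in this file, a commit-SHA pin with the tag in a comment would be preferable to the bare tag.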
