TMBOM: Support in parallel to Threat Dragon model format

[jgadsden]

Describe what problem your feature request solves:

It is best not to change the underlying file format for Threat Dragon, so TM-BOM needs to be supported in parallel with Threat Dragon version 2.x which will remain the underlying file format

Use cases:

1. I want to import a TM-BOM file into Threat Dragon, with the TM-BOM objects merged into the description of diagram components and the description + mitigation of threats. I may or may not want to export as TM-BOM in the future, but primarily I want to convert a TM-BOM file to a Threat Dragon file
2. I want to export an existing Threat Dragon file to TM-BOM file format. I understand that many of the objects provided by TM-BOM format do not map to existing Threat Dragon objects so that the TM-BOM export will provide a subset of the potential TM-BOM objects
3. I want to read a TM-BOM file and expect to be able to update, create and delete TM-BOM objects within Threat Dragon. I understand that the underlying model is still Threat Dragon file format but that is abstracted away from the user interface
4. I want to write a TM-BOM file and expect all provided TM-BOM objects to be preserved. I expect that extensions to TM-BOM, such as placement and size of diagram components, to be preserved so that when this TM-BOM model is read back into Threat Dragon I have not lost any detail

Describe the solution you'd like:

This needs several features to be in place, split out into tasks:

1. extend the existing read of TM-BOM migration service to include all objects of TM-BOM format, rename it to something like 'import'
2. provide a new TM-BOM migration service to export in TM-BOM file format those objects that correspond (reasonably) 1:1, other details should be stored under the TM-BOM 'extensions'
3. provide a new TM-BOM migration service to read TM-BOM and provide extended objects within Threat Dragon version 2.x models, so that the TM-BOM objects can be CRUD by new Threat Dragon dialogs and displayed on diagrams
4. provide a new TM-BOM migration service to write TM-BOM files using the TM-BOM objects CRUD by Threat Dragon. Use TM-BOM 'extensions' for properties that do not correspond to TM-BOM objects such as placement and size of diagram components

Declaration:

By submitting this issue you have:

• read the contribution guide and agree to the Code of Conduct
• not used agentic or generative AI in creating this feature request

Additional context:

Consider use of cyclonedx-javascript-library as discussed below by @jkowalleck

supersedes #850

[jkowalleck]

FYI: for CycloneDX in JavaScript, there is this library: https://github.com/CycloneDX/cyclonedx-javascript-library. In its current state, it might not be usable for TM-BOM -- needs enhancements

• Pro:
  • provides validators for CycloneDX
  • provides datamodels for for CycloneDX
  • provides serializers for CycloneDX
• Con:
  • does not provide the TM-BOM data models, yet
    • pullrequest for adding them are welcome
    • maybe added by static code generators, eventually -- chore: Automate data model generation from upcoming CycloneDX 2.0 machine-readable specification CycloneDX/cyclonedx-javascript-library#1417
  • does not provide any deserializers, yet
    • pullrequests are welcome
    • maybe added by static code generators, eventually -- feat: Deserializer/Denormalizer CycloneDX/cyclonedx-javascript-library#1436

[jgadsden]

Many thanks @jkowalleck , and I have edited the issue summary to highlight what you have said.

also I have used the term TM-BOM very loosely here, as it is technically Threat Model Library format

I know that you and @P3tra-WP and @jmehnle are working on TM-BOM and then back-porting to TML format, and the intention is to shadow your work so that the 'TM-BOM-like' format described in this issue will converge as we go along