ir

package
v0.7.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 1, 2026 License: MIT Imports: 10 Imported by: 0

Documentation

Overview

Package ir provides the intermediate representation for threat models.

Package ir provides the intermediate representation for threat models.

Package ir provides the intermediate representation for threat models.

Package ir provides the intermediate representation for threat models.

Package ir provides the intermediate representation for threat models.

Package ir provides the intermediate representation for threat models.

Package ir provides the intermediate representation for threat models.

Package ir provides the intermediate representation for threat modeling diagrams. All types are designed to be Go-friendly and generate clean JSON schemas without polymorphic anyOf/oneOf constructs.

Index

Constants

This section is empty.

Variables

View Source 
var OWASPAPITop10 = map[string]OWASPEntry{
	"API1:2023": {
		ID:          "API1:2023",
		Name:        "Broken Object Level Authorization",
		Description: "APIs expose endpoints that handle object identifiers, creating a wide attack surface for object level access control issues.",
		Category:    OWASPCategoryAPI,
		URL:         "https://owasp.org/API-Security/editions/2023/en/0xa1-broken-object-level-authorization/",
	},
	"API2:2023": {
		ID:          "API2:2023",
		Name:        "Broken Authentication",
		Description: "Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or exploit implementation flaws.",
		Category:    OWASPCategoryAPI,
		URL:         "https://owasp.org/API-Security/editions/2023/en/0xa2-broken-authentication/",
	},
	"API3:2023": {
		ID:          "API3:2023",
		Name:        "Broken Object Property Level Authorization",
		Description: "APIs expose endpoints that return or accept data objects with properties that require different levels of authorization.",
		Category:    OWASPCategoryAPI,
		URL:         "https://owasp.org/API-Security/editions/2023/en/0xa3-broken-object-property-level-authorization/",
	},
	"API4:2023": {
		ID:          "API4:2023",
		Name:        "Unrestricted Resource Consumption",
		Description: "APIs do not restrict the size or number of resources that can be requested by the client/user.",
		Category:    OWASPCategoryAPI,
		URL:         "https://owasp.org/API-Security/editions/2023/en/0xa4-unrestricted-resource-consumption/",
	},
	"API5:2023": {
		ID:          "API5:2023",
		Name:        "Broken Function Level Authorization",
		Description: "Complex access control policies with different hierarchies, groups, and roles lead to authorization flaws.",
		Category:    OWASPCategoryAPI,
		URL:         "https://owasp.org/API-Security/editions/2023/en/0xa5-broken-function-level-authorization/",
	},
	"API6:2023": {
		ID:          "API6:2023",
		Name:        "Unrestricted Access to Sensitive Business Flows",
		Description: "APIs expose business flows that can be exploited when accessed without restrictions.",
		Category:    OWASPCategoryAPI,
		URL:         "https://owasp.org/API-Security/editions/2023/en/0xa6-unrestricted-access-to-sensitive-business-flows/",
	},
	"API7:2023": {
		ID:          "API7:2023",
		Name:        "Server Side Request Forgery",
		Description: "SSRF flaws occur when an API fetches a remote resource without validating the user-supplied URL.",
		Category:    OWASPCategoryAPI,
		URL:         "https://owasp.org/API-Security/editions/2023/en/0xa7-server-side-request-forgery/",
	},
	"API8:2023": {
		ID:          "API8:2023",
		Name:        "Security Misconfiguration",
		Description: "APIs and supporting systems typically contain complex configurations that can be misconfigured.",
		Category:    OWASPCategoryAPI,
		URL:         "https://owasp.org/API-Security/editions/2023/en/0xa8-security-misconfiguration/",
	},
	"API9:2023": {
		ID:          "API9:2023",
		Name:        "Improper Inventory Management",
		Description: "APIs expose more endpoints than traditional web applications, making proper documentation and inventory management crucial.",
		Category:    OWASPCategoryAPI,
		URL:         "https://owasp.org/API-Security/editions/2023/en/0xa9-improper-inventory-management/",
	},
	"API10:2023": {
		ID:          "API10:2023",
		Name:        "Unsafe Consumption of APIs",
		Description: "Developers trust data from third-party APIs more than user input, often adopting weaker security standards.",
		Category:    OWASPCategoryAPI,
		URL:         "https://owasp.org/API-Security/editions/2023/en/0xaa-unsafe-consumption-of-apis/",
	},
}

OWASP API Security Top 10 (2023) https://owasp.org/API-Security/editions/2023/en/0x11-t10/

View Source 
var OWASPAgenticTop10 = map[string]OWASPEntry{
	"ASI01:2026": {
		ID:          "ASI01:2026",
		Name:        "Agentic Prompt Injection",
		Description: "Malicious instructions are injected into an agent's context through various input channels, causing unintended actions.",
		Category:    OWASPCategoryAgentic,
		URL:         "https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/",
	},
	"ASI02:2026": {
		ID:          "ASI02:2026",
		Name:        "Tool Misuse & Exploitation",
		Description: "Attackers exploit an agent's access to tools (file systems, APIs, databases) to perform unauthorized actions.",
		Category:    OWASPCategoryAgentic,
		URL:         "https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/",
	},
	"ASI03:2026": {
		ID:          "ASI03:2026",
		Name:        "Agent Identity & Privilege Abuse",
		Description: "Attackers assume or inherit an agent's identity and elevated privileges to perform unauthorized operations.",
		Category:    OWASPCategoryAgentic,
		URL:         "https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/",
	},
	"ASI04:2026": {
		ID:          "ASI04:2026",
		Name:        "Agentic Supply Chain Compromise",
		Description: "Compromised dependencies, plugins, or integrations in the agentic system introduce vulnerabilities.",
		Category:    OWASPCategoryAgentic,
		URL:         "https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/",
	},
	"ASI05:2026": {
		ID:          "ASI05:2026",
		Name:        "Unexpected Code Execution",
		Description: "Agents execute unintended code through sandbox escapes, container breakouts, or code injection.",
		Category:    OWASPCategoryAgentic,
		URL:         "https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/",
	},
	"ASI06:2026": {
		ID:          "ASI06:2026",
		Name:        "Guardrail Bypass",
		Description: "Safety mechanisms and guardrails are bypassed through adversarial techniques or edge cases.",
		Category:    OWASPCategoryAgentic,
		URL:         "https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/",
	},
	"ASI07:2026": {
		ID:          "ASI07:2026",
		Name:        "Agentic Memory & Context Manipulation",
		Description: "An agent's memory, context, or state is manipulated to influence future decisions.",
		Category:    OWASPCategoryAgentic,
		URL:         "https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/",
	},
	"ASI08:2026": {
		ID:          "ASI08:2026",
		Name:        "Cascading Agent Failures",
		Description: "Failures in one agent propagate through interconnected agents or systems, amplifying impact.",
		Category:    OWASPCategoryAgentic,
		URL:         "https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/",
	},
	"ASI09:2026": {
		ID:          "ASI09:2026",
		Name:        "Human-Agent Trust Exploitation",
		Description: "Attackers exploit the trust relationship between humans and agents to bypass security controls.",
		Category:    OWASPCategoryAgentic,
		URL:         "https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/",
	},
	"ASI10:2026": {
		ID:          "ASI10:2026",
		Name:        "Inadequate Audit & Observability",
		Description: "Insufficient logging, monitoring, and auditability of agent actions prevents detection and response.",
		Category:    OWASPCategoryAgentic,
		URL:         "https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/",
	},
}

OWASP Agentic Applications Top 10 (ASI 2026) https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/

View Source 
var OWASPLLMTop10 = map[string]OWASPEntry{
	"LLM01:2025": {
		ID:          "LLM01:2025",
		Name:        "Prompt Injection",
		Description: "Manipulating LLMs via crafted inputs can lead to unauthorized access, data breaches, and compromised decision-making.",
		Category:    OWASPCategoryLLM,
		URL:         "https://genai.owasp.org/llmrisk/llm01-prompt-injection/",
	},
	"LLM02:2025": {
		ID:          "LLM02:2025",
		Name:        "Sensitive Information Disclosure",
		Description: "LLMs may inadvertently reveal confidential data in their responses, leading to privacy violations and security breaches.",
		Category:    OWASPCategoryLLM,
		URL:         "https://genai.owasp.org/llmrisk/llm02-sensitive-information-disclosure/",
	},
	"LLM03:2025": {
		ID:          "LLM03:2025",
		Name:        "Supply Chain Vulnerabilities",
		Description: "Dependencies and external components in LLM systems can introduce vulnerabilities affecting integrity and security.",
		Category:    OWASPCategoryLLM,
		URL:         "https://genai.owasp.org/llmrisk/llm03-supply-chain/",
	},
	"LLM04:2025": {
		ID:          "LLM04:2025",
		Name:        "Data and Model Poisoning",
		Description: "Corrupted training data or fine-tuning processes can impair LLM security, accuracy, and ethical behavior.",
		Category:    OWASPCategoryLLM,
		URL:         "https://genai.owasp.org/llmrisk/llm04-data-and-model-poisoning/",
	},
	"LLM05:2025": {
		ID:          "LLM05:2025",
		Name:        "Improper Output Handling",
		Description: "Insufficient validation of LLM outputs can lead to XSS, CSRF, SSRF, and other injection attacks in downstream systems.",
		Category:    OWASPCategoryLLM,
		URL:         "https://genai.owasp.org/llmrisk/llm05-improper-output-handling/",
	},
	"LLM06:2025": {
		ID:          "LLM06:2025",
		Name:        "Excessive Agency",
		Description: "LLMs with excessive autonomy or capability may perform harmful actions due to unexpected or ambiguous outputs.",
		Category:    OWASPCategoryLLM,
		URL:         "https://genai.owasp.org/llmrisk/llm06-excessive-agency/",
	},
	"LLM07:2025": {
		ID:          "LLM07:2025",
		Name:        "System Prompt Leakage",
		Description: "System prompts or instructions may be inadvertently exposed through model outputs or side channels.",
		Category:    OWASPCategoryLLM,
		URL:         "https://genai.owasp.org/llmrisk/llm07-system-prompt-leakage/",
	},
	"LLM08:2025": {
		ID:          "LLM08:2025",
		Name:        "Vector and Embedding Weaknesses",
		Description: "Vulnerabilities in vector databases and embeddings can be exploited to manipulate RAG systems.",
		Category:    OWASPCategoryLLM,
		URL:         "https://genai.owasp.org/llmrisk/llm08-vector-and-embedding-weaknesses/",
	},
	"LLM09:2025": {
		ID:          "LLM09:2025",
		Name:        "Misinformation",
		Description: "LLMs can generate false or misleading information, causing reputational damage and legal liability.",
		Category:    OWASPCategoryLLM,
		URL:         "https://genai.owasp.org/llmrisk/llm09-misinformation/",
	},
	"LLM10:2025": {
		ID:          "LLM10:2025",
		Name:        "Unbounded Consumption",
		Description: "LLMs can be exploited to consume excessive resources, leading to denial of service and financial impact.",
		Category:    OWASPCategoryLLM,
		URL:         "https://genai.owasp.org/llmrisk/llm10-unbounded-consumption/",
	},
}

OWASP LLM Top 10 (2025) https://genai.owasp.org/llm-top-10/

View Source 
var OWASPWebTop10 = map[string]OWASPEntry{
	"A01:2021": {
		ID:          "A01:2021",
		Name:        "Broken Access Control",
		Description: "Access control enforces policy such that users cannot act outside of their intended permissions.",
		Category:    OWASPCategoryWeb,
		URL:         "https://owasp.org/Top10/A01_2021-Broken_Access_Control/",
	},
	"A02:2021": {
		ID:          "A02:2021",
		Name:        "Cryptographic Failures",
		Description: "Failures related to cryptography which often lead to exposure of sensitive data.",
		Category:    OWASPCategoryWeb,
		URL:         "https://owasp.org/Top10/A02_2021-Cryptographic_Failures/",
	},
	"A03:2021": {
		ID:          "A03:2021",
		Name:        "Injection",
		Description: "User-supplied data is not validated, filtered, or sanitized by the application.",
		Category:    OWASPCategoryWeb,
		URL:         "https://owasp.org/Top10/A03_2021-Injection/",
	},
	"A04:2021": {
		ID:          "A04:2021",
		Name:        "Insecure Design",
		Description: "Missing or ineffective control design; different from implementation bugs.",
		Category:    OWASPCategoryWeb,
		URL:         "https://owasp.org/Top10/A04_2021-Insecure_Design/",
	},
	"A05:2021": {
		ID:          "A05:2021",
		Name:        "Security Misconfiguration",
		Description: "Missing security hardening, improperly configured permissions, unnecessary features enabled.",
		Category:    OWASPCategoryWeb,
		URL:         "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/",
	},
	"A06:2021": {
		ID:          "A06:2021",
		Name:        "Vulnerable and Outdated Components",
		Description: "Using components with known vulnerabilities or failing to update them timely.",
		Category:    OWASPCategoryWeb,
		URL:         "https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/",
	},
	"A07:2021": {
		ID:          "A07:2021",
		Name:        "Identification and Authentication Failures",
		Description: "Confirmation of the user's identity, authentication, and session management failures.",
		Category:    OWASPCategoryWeb,
		URL:         "https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/",
	},
	"A08:2021": {
		ID:          "A08:2021",
		Name:        "Software and Data Integrity Failures",
		Description: "Code and infrastructure that does not protect against integrity violations.",
		Category:    OWASPCategoryWeb,
		URL:         "https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/",
	},
	"A09:2021": {
		ID:          "A09:2021",
		Name:        "Security Logging and Monitoring Failures",
		Description: "Without logging and monitoring, breaches cannot be detected.",
		Category:    OWASPCategoryWeb,
		URL:         "https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/",
	},
	"A10:2021": {
		ID:          "A10:2021",
		Name:        "Server-Side Request Forgery (SSRF)",
		Description: "SSRF flaws occur whenever a web application fetches a remote resource without validating the user-supplied URL.",
		Category:    OWASPCategoryWeb,
		URL:         "https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/",
	},
}

OWASP Web Application Top 10 (2021) https://owasp.org/Top10/

Functions

func GetAtomicTestURL added in v0.6.0 

func GetAtomicTestURL(techniqueID string) string

GetAtomicTestURL returns the GitHub URL for an Atomic Red Team test.

func GetLINDDUNDescription added in v0.4.0 

func GetLINDDUNDescription(t LINDDUNThreat) string

GetLINDDUNDescription returns a description for a LINDDUN category.

func GetLINDDUNName added in v0.4.0 

func GetLINDDUNName(t LINDDUNThreat) string

GetLINDDUNName returns the full name for a LINDDUN category.

func GetSTRIDEName 

func GetSTRIDEName(s STRIDEThreat) string

GetSTRIDEName returns the full name for a STRIDE category.

func LINDDUNThreatToColors added in v0.4.0 

func LINDDUNThreatToColors(t LINDDUNThreat) (fill, stroke string)

LINDDUNThreatToColors returns fill and stroke colors for LINDDUN threat types. This can be used by external rendering tools.

func ValidateAtomicTestID added in v0.6.0 

func ValidateAtomicTestID(id string) bool

ValidateAtomicTestID validates an Atomic Red Team test ID format. Valid formats: T1234-1, T1234.001-1, T1234.001-12

func ValidateOWASPID added in v0.6.0 

func ValidateOWASPID(id string) bool

ValidateOWASPID checks if an OWASP ID is recognized.

func ValidateTechniqueID added in v0.6.0 

func ValidateTechniqueID(id string) bool

ValidateTechniqueID validates a MITRE ATT&CK technique ID format. Valid formats: T1234, T1234.001, T1234.001

Types

type Actor 

type Actor struct {
	// ID is the unique identifier.
	ID string `json:"id"`

	// Label is the display name.
	Label string `json:"label"`

	// Type identifies the actor type (for styling).
	Type ElementType `json:"type,omitempty"`

	// Malicious indicates if this is an attacker-controlled actor.
	Malicious bool `json:"malicious,omitempty"`
}

Actor represents a lifeline in a sequence diagram.

type AgentCapabilities added in v0.7.0 

type AgentCapabilities struct {
	// Tools lists the tools available to the agent.
	Tools []AgentTool `json:"tools,omitempty"`

	// Permissions lists the permissions granted to the agent.
	Permissions []AgentPermission `json:"permissions,omitempty"`

	// SandboxLevel indicates the agent's isolation level.
	SandboxLevel AgentSandboxLevel `json:"sandboxLevel,omitempty"`

	// RequiresApproval indicates which actions require human approval.
	RequiresApproval []string `json:"requiresApproval,omitempty"`

	// ApprovalBypassable indicates whether approval requirements can be bypassed.
	// This is a critical security control for agentic systems.
	ApprovalBypassable bool `json:"approvalBypassable,omitempty"`

	// MaxExecutionTime is the maximum execution time per action (e.g., "30s", "5m").
	MaxExecutionTime string `json:"maxExecutionTime,omitempty"`

	// ResourceLimits describes resource constraints.
	ResourceLimits *AgentResourceLimits `json:"resourceLimits,omitempty"`

	// NetworkRestrictions describes network access limitations.
	NetworkRestrictions *AgentNetworkRestrictions `json:"networkRestrictions,omitempty"`

	// IntegratedServices lists external services the agent can access.
	IntegratedServices []AgentIntegration `json:"integratedServices,omitempty"`

	// EscalationPaths describes how the agent's capabilities could be escalated.
	EscalationPaths []AgentEscalationPath `json:"escalationPaths,omitempty"`
}

AgentCapabilities describes the capabilities and permissions of an AI agent. This is essential for threat modeling agentic systems to understand what an attacker could do if they compromise or manipulate the agent.

func (*AgentCapabilities) CanExecuteCode added in v0.7.0 

func (ac *AgentCapabilities) CanExecuteCode() bool

CanExecuteCode returns true if the agent has code execution capabilities.

func (*AgentCapabilities) GetHighRiskTools added in v0.7.0 

func (ac *AgentCapabilities) GetHighRiskTools() []AgentTool

GetHighRiskTools returns tools with risk level high or critical.

func (*AgentCapabilities) GetToolsWithoutApproval added in v0.7.0 

func (ac *AgentCapabilities) GetToolsWithoutApproval() []AgentTool

GetToolsWithoutApproval returns enabled tools that don't require approval.

func (*AgentCapabilities) HasUnrestrictedNetworkAccess added in v0.7.0 

func (ac *AgentCapabilities) HasUnrestrictedNetworkAccess() bool

HasUnrestrictedNetworkAccess returns true if the agent has unrestricted network access.

type AgentCapabilityType added in v0.7.0 

type AgentCapabilityType string

AgentCapabilityType categorizes the types of capabilities an agent may have. 

const (
	// AgentCapabilityCodeExecution allows the agent to execute code.
	AgentCapabilityCodeExecution AgentCapabilityType = "code-execution"

	// AgentCapabilityFileAccess allows the agent to read/write files.
	AgentCapabilityFileAccess AgentCapabilityType = "file-access"

	// AgentCapabilityNetworkAccess allows the agent to make network requests.
	AgentCapabilityNetworkAccess AgentCapabilityType = "network-access"

	// AgentCapabilityShellAccess allows the agent to execute shell commands.
	AgentCapabilityShellAccess AgentCapabilityType = "shell-access"

	// AgentCapabilityDatabaseAccess allows the agent to query databases.
	AgentCapabilityDatabaseAccess AgentCapabilityType = "database-access"

	// AgentCapabilityAPIAccess allows the agent to call external APIs.
	AgentCapabilityAPIAccess AgentCapabilityType = "api-access"

	// AgentCapabilityBrowserControl allows the agent to control a browser.
	AgentCapabilityBrowserControl AgentCapabilityType = "browser-control"

	// AgentCapabilityMessaging allows the agent to send messages (email, Slack, etc.).
	AgentCapabilityMessaging AgentCapabilityType = "messaging"

	// AgentCapabilityMemoryAccess allows the agent to access persistent memory.
	AgentCapabilityMemoryAccess AgentCapabilityType = "memory-access"

	// AgentCapabilityToolInvocation allows the agent to invoke other tools/agents.
	AgentCapabilityToolInvocation AgentCapabilityType = "tool-invocation"
)

func (AgentCapabilityType) JSONSchema added in v0.7.0 

func (AgentCapabilityType) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for AgentCapabilityType.

type AgentEscalationPath added in v0.7.0 

type AgentEscalationPath struct {
	// Name is a short name for this escalation path.
	Name string `json:"name"`

	// Description describes how escalation could occur.
	Description string `json:"description,omitempty"`

	// SourceCapability is the starting capability.
	SourceCapability AgentCapabilityType `json:"sourceCapability"`

	// TargetCapability is the escalated capability.
	TargetCapability AgentCapabilityType `json:"targetCapability"`

	// Mechanism describes the escalation mechanism.
	Mechanism string `json:"mechanism,omitempty"`

	// Mitigations lists controls that prevent this escalation.
	Mitigations []string `json:"mitigations,omitempty"`

	// ASIIds lists applicable OWASP Agentic Security categories.
	ASIIds []string `json:"asiIds,omitempty"`
}

AgentEscalationPath describes how an agent's capabilities could be escalated.

type AgentIntegration added in v0.7.0 

type AgentIntegration struct {
	// Service is the service name (e.g., "slack", "github", "jira").
	Service string `json:"service"`

	// Permissions lists the permissions granted for this integration.
	Permissions []string `json:"permissions,omitempty"`

	// CredentialID links to the credential used for this integration.
	CredentialID string `json:"credentialId,omitempty"`

	// Scopes lists the OAuth scopes or API permissions.
	Scopes []string `json:"scopes,omitempty"`
}

AgentIntegration describes an external service integration.

type AgentNetworkRestrictions added in v0.7.0 

type AgentNetworkRestrictions struct {
	// AllowedHosts lists hosts the agent can connect to.
	// Empty list with InternetAccess=true means unrestricted.
	AllowedHosts []string `json:"allowedHosts,omitempty"`

	// BlockedHosts lists hosts the agent cannot connect to.
	BlockedHosts []string `json:"blockedHosts,omitempty"`

	// AllowedPorts lists ports the agent can connect to.
	AllowedPorts []int `json:"allowedPorts,omitempty"`

	// InternetAccess indicates whether the agent can access the internet.
	InternetAccess bool `json:"internetAccess,omitempty"`

	// LocalhostAccess indicates whether the agent can access localhost.
	LocalhostAccess bool `json:"localhostAccess,omitempty"`

	// InternalNetworkAccess indicates whether the agent can access internal networks.
	InternalNetworkAccess bool `json:"internalNetworkAccess,omitempty"`
}

AgentNetworkRestrictions describes network access limitations.

type AgentPermission added in v0.7.0 

type AgentPermission struct {
	// Resource is the resource being accessed (e.g., "filesystem", "network", "api:slack").
	Resource string `json:"resource"`

	// Actions lists the permitted actions (e.g., "read", "write", "execute").
	Actions []string `json:"actions,omitempty"`

	// Scope limits the permission scope (e.g., "/home/user/workspace/*").
	Scope string `json:"scope,omitempty"`

	// Conditions describes conditions that must be met.
	Conditions string `json:"conditions,omitempty"`
}

AgentPermission describes a permission granted to the agent.

type AgentResourceLimits added in v0.7.0 

type AgentResourceLimits struct {
	// MaxMemoryMB is the maximum memory in megabytes.
	MaxMemoryMB int `json:"maxMemoryMb,omitempty"`

	// MaxCPUPercent is the maximum CPU percentage.
	MaxCPUPercent int `json:"maxCpuPercent,omitempty"`

	// MaxDiskMB is the maximum disk space in megabytes.
	MaxDiskMB int `json:"maxDiskMb,omitempty"`

	// MaxOpenFiles is the maximum number of open file descriptors.
	MaxOpenFiles int `json:"maxOpenFiles,omitempty"`

	// MaxProcesses is the maximum number of spawned processes.
	MaxProcesses int `json:"maxProcesses,omitempty"`
}

AgentResourceLimits describes resource constraints for the agent.

type AgentSandboxLevel added in v0.7.0 

type AgentSandboxLevel string

AgentSandboxLevel indicates the isolation level of an agent's execution environment. 

const (
	// AgentSandboxNone indicates no sandboxing (full host access).
	AgentSandboxNone AgentSandboxLevel = "none"

	// AgentSandboxProcess indicates process-level isolation.
	AgentSandboxProcess AgentSandboxLevel = "process"

	// AgentSandboxContainer indicates container-level isolation.
	AgentSandboxContainer AgentSandboxLevel = "container"

	// AgentSandboxVM indicates VM-level isolation.
	AgentSandboxVM AgentSandboxLevel = "vm"

	// AgentSandboxRemote indicates execution on a remote/isolated system.
	AgentSandboxRemote AgentSandboxLevel = "remote"
)

func (AgentSandboxLevel) JSONSchema added in v0.7.0 

func (AgentSandboxLevel) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for AgentSandboxLevel.

type AgentTool added in v0.7.0 

type AgentTool struct {
	// Name is the tool name (e.g., "system.run", "file.read", "web.browse").
	Name string `json:"name"`

	// Description describes what the tool does.
	Description string `json:"description,omitempty"`

	// CapabilityType categorizes the tool's capability.
	CapabilityType AgentCapabilityType `json:"capabilityType"`

	// Enabled indicates whether the tool is currently enabled.
	Enabled bool `json:"enabled,omitempty"`

	// RequiresApproval indicates whether using this tool requires human approval.
	RequiresApproval bool `json:"requiresApproval,omitempty"`

	// RiskLevel indicates the risk associated with this tool.
	RiskLevel RiskLevel `json:"riskLevel,omitempty"`

	// Parameters describes the tool's parameters.
	Parameters []AgentToolParameter `json:"parameters,omitempty"`

	// ASIIds lists applicable OWASP Agentic Security categories.
	ASIIds []string `json:"asiIds,omitempty"`
}

AgentTool describes a tool available to the agent.

type AgentToolParameter added in v0.7.0 

type AgentToolParameter struct {
	// Name is the parameter name.
	Name string `json:"name"`

	// Type is the parameter type (e.g., "string", "file-path", "url").
	Type string `json:"type,omitempty"`

	// Required indicates whether the parameter is required.
	Required bool `json:"required,omitempty"`

	// Validation describes validation rules applied to this parameter.
	Validation string `json:"validation,omitempty"`

	// SensitiveData indicates whether this parameter may contain sensitive data.
	SensitiveData bool `json:"sensitiveData,omitempty"`
}

AgentToolParameter describes a parameter for an agent tool.

type AlertThreshold added in v0.6.0 

type AlertThreshold struct {
	// Metric is the metric being monitored.
	Metric string `json:"metric"`

	// Threshold is the threshold value.
	Threshold string `json:"threshold"`

	// Window is the time window for evaluation (e.g., "5m", "1h").
	Window string `json:"window,omitempty"`

	// Severity is the alert severity when threshold is exceeded.
	Severity string `json:"severity,omitempty"`

	// Description explains this threshold.
	Description string `json:"description,omitempty"`
}

AlertThreshold defines when to trigger an alert.

type Asset added in v0.5.0 

type Asset struct {
	// ID is the unique identifier for the asset.
	ID string `json:"id"`

	// Name is the human-readable asset name.
	Name string `json:"name"`

	// Description provides details about the asset.
	Description string `json:"description,omitempty"`

	// Type categorizes the asset.
	Type AssetType `json:"type,omitempty"`

	// Classification indicates the sensitivity level.
	Classification SensitivityLevel `json:"classification"`

	// Owner is the person or team responsible for the asset.
	Owner string `json:"owner,omitempty"`

	// ElementIDs links the asset to diagram elements that contain or process it.
	ElementIDs []string `json:"elementIds,omitempty"`

	// DataTypes describes what kind of data this asset contains.
	// Examples: "PII", "PHI", "financial", "credentials", "source-code"
	DataTypes []string `json:"dataTypes,omitempty"`

	// ComplianceFrameworks lists regulations that govern this asset.
	// Examples: "GDPR", "HIPAA", "PCI-DSS", "SOC2"
	ComplianceFrameworks []string `json:"complianceFrameworks,omitempty"`

	// Value describes the business value or impact if compromised.
	Value string `json:"value,omitempty"`

	// RetentionPeriod indicates how long the asset is retained.
	RetentionPeriod string `json:"retentionPeriod,omitempty"`
}

Asset represents a valuable resource that needs protection.

type AssetClassification 

type AssetClassification string

AssetClassification identifies the value/sensitivity of an asset. 

const (
	AssetClassificationCrownJewel AssetClassification = "crown-jewel"
	AssetClassificationHigh       AssetClassification = "high"
	AssetClassificationMedium     AssetClassification = "medium"
	AssetClassificationLow        AssetClassification = "low"
)

func (AssetClassification) JSONSchema 

func (AssetClassification) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for AssetClassification.

type AssetType added in v0.5.0 

type AssetType string

AssetType categorizes the type of asset. 

const (
	// AssetTypeData represents data assets (databases, files, secrets).
	AssetTypeData AssetType = "data"

	// AssetTypeService represents service assets (APIs, microservices).
	AssetTypeService AssetType = "service"

	// AssetTypeInfrastructure represents infrastructure assets (servers, networks).
	AssetTypeInfrastructure AssetType = "infrastructure"

	// AssetTypeCredential represents credential assets (keys, tokens, passwords).
	AssetTypeCredential AssetType = "credential"

	// AssetTypeIdentity represents identity assets (user accounts, service accounts).
	AssetTypeIdentity AssetType = "identity"

	// AssetTypeIntellectualProperty represents IP assets (source code, algorithms).
	AssetTypeIntellectualProperty AssetType = "intellectual-property"
)

func (AssetType) JSONSchema added in v0.5.0 

func (AssetType) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for AssetType.

type Assumption added in v0.4.0 

type Assumption struct {
	// ID is the unique identifier for the assumption.
	ID string `json:"id"`

	// Title is a brief statement of the assumption.
	Title string `json:"title"`

	// Description provides detailed context about the assumption.
	Description string `json:"description,omitempty"`

	// Type categorizes the assumption.
	Type AssumptionType `json:"type,omitempty"`

	// Rationale explains why this assumption is made.
	Rationale string `json:"rationale,omitempty"`

	// Impact describes what happens if the assumption is violated.
	Impact string `json:"impact,omitempty"`

	// ImpactSeverity rates the impact severity (critical, high, medium, low).
	ImpactSeverity string `json:"impactSeverity,omitempty"`

	// ValidationStatus indicates whether the assumption has been validated.
	ValidationStatus ValidationStatus `json:"validationStatus,omitempty"`

	// ValidationMethod describes how the assumption can be or was validated.
	ValidationMethod string `json:"validationMethod,omitempty"`

	// ValidatedDate is when the assumption was validated (RFC 3339 format).
	ValidatedDate string `json:"validatedDate,omitempty"`

	// Owner is the person or team responsible for validating this assumption.
	Owner string `json:"owner,omitempty"`

	// RelatedComponentIDs lists components that depend on this assumption.
	RelatedComponentIDs []string `json:"relatedComponentIds,omitempty"`

	// Notes provides additional context or caveats.
	Notes string `json:"notes,omitempty"`
}

Assumption represents a security assumption that underlies the threat model.

type AssumptionType added in v0.4.0 

type AssumptionType string

AssumptionType categorizes the type of assumption. 

const (
	// AssumptionTypeTrust relates to trust relationships.
	AssumptionTypeTrust AssumptionType = "trust"

	// AssumptionTypeSecurity relates to security controls in place.
	AssumptionTypeSecurity AssumptionType = "security"

	// AssumptionTypeOperational relates to operational procedures.
	AssumptionTypeOperational AssumptionType = "operational"

	// AssumptionTypeEnvironment relates to the deployment environment.
	AssumptionTypeEnvironment AssumptionType = "environment"

	// AssumptionTypeThreat relates to threat actor capabilities.
	AssumptionTypeThreat AssumptionType = "threat"

	// AssumptionTypeCompliance relates to compliance requirements.
	AssumptionTypeCompliance AssumptionType = "compliance"

	// AssumptionTypeDependency relates to external dependencies.
	AssumptionTypeDependency AssumptionType = "dependency"
)

func (AssumptionType) JSONSchema added in v0.4.0 

func (AssumptionType) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for AssumptionType.

type AtomicTestMapping added in v0.6.0 

type AtomicTestMapping struct {
	// TechniqueID is the MITRE ATT&CK technique ID (e.g., "T1059.001").
	TechniqueID string `json:"techniqueId"`

	// AtomicTests lists specific Atomic test IDs (e.g., ["T1059.001-1", "T1059.001-2"]).
	AtomicTests []string `json:"atomicTests,omitempty"`

	// Validated indicates if the tests have been validated in the environment.
	Validated bool `json:"validated,omitempty"`

	// LastRun is the timestamp of the last test execution (ISO 8601).
	LastRun string `json:"lastRun,omitempty"`

	// Result is the outcome of the last test run.
	Result AtomicTestResult `json:"result,omitempty"`

	// Notes provides additional context about the test execution.
	Notes string `json:"notes,omitempty"`

	// Platform specifies the target platform (windows, linux, macos).
	Platform string `json:"platform,omitempty"`

	// ExecutionTime is the time taken to run the tests (in seconds).
	ExecutionTime int `json:"executionTime,omitempty"`
}

AtomicTestMapping maps MITRE ATT&CK techniques to Atomic Red Team tests. Atomic Red Team provides pre-built tests for adversary emulation.

type AtomicTestResult added in v0.6.0 

type AtomicTestResult string

AtomicTestResult represents the outcome of an Atomic Red Team test. 

const (
	// AtomicTestResultPassed indicates the test executed successfully and the technique was demonstrated.
	AtomicTestResultPassed AtomicTestResult = "passed"

	// AtomicTestResultFailed indicates the test failed to execute or demonstrate the technique.
	AtomicTestResultFailed AtomicTestResult = "failed"

	// AtomicTestResultBlocked indicates the test was blocked by security controls.
	AtomicTestResultBlocked AtomicTestResult = "blocked"

	// AtomicTestResultSkipped indicates the test was skipped (e.g., wrong platform).
	AtomicTestResultSkipped AtomicTestResult = "skipped"

	// AtomicTestResultError indicates an error occurred during test execution.
	AtomicTestResultError AtomicTestResult = "error"
)

func (AtomicTestResult) JSONSchema added in v0.6.0 

func (AtomicTestResult) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for AtomicTestResult.

type AtomicTestSummary added in v0.6.0 

type AtomicTestSummary struct {
	TotalTests int     `json:"totalTests"`
	Passed     int     `json:"passed"`
	Failed     int     `json:"failed"`
	Blocked    int     `json:"blocked"`
	Skipped    int     `json:"skipped"`
	Errors     int     `json:"errors"`
	PassRate   float64 `json:"passRate"`
	BlockRate  float64 `json:"blockRate"`
}

AtomicTestSummary provides a summary of Atomic Red Team test results.

func CalculateAtomicTestSummary added in v0.6.0 

func CalculateAtomicTestSummary(tests []AtomicTestMapping) *AtomicTestSummary

CalculateSummary calculates test summary statistics from a list of test mappings.

type Attack 

type Attack struct {
	// Step is the sequence number (1, 2, 3...).
	Step int `json:"step"`

	// From is the source element ID.
	From string `json:"from"`

	// To is the destination element ID.
	To string `json:"to"`

	// Label describes the attack step.
	Label string `json:"label"`

	// Action describes what the attacker does in this step.
	// More specific than Label when both are provided.
	Action string `json:"action,omitempty"`

	// Outcome describes the result of this attack step.
	Outcome string `json:"outcome,omitempty"`

	// MITRETactic is the MITRE ATT&CK tactic ID.
	MITRETactic MITRETactic `json:"mitreTactic,omitempty"`

	// MITRETechnique is the MITRE ATT&CK technique ID (e.g., T1110).
	MITRETechnique string `json:"mitreTechnique,omitempty"`

	// ATLASTechnique is the MITRE ATLAS technique ID for AI/ML-specific attacks.
	ATLASTechnique string `json:"atlasTechnique,omitempty"`

	// OWASPIds lists applicable OWASP categories (e.g., "API01", "LLM01", "A01:2021").
	// Supports multiple IDs as one step may map to several OWASP categories.
	OWASPIds []string `json:"owaspIds,omitempty"`

	// ASIIds lists applicable OWASP Agentic Security categories (e.g., "ASI02:2026", "ASI03:2026").
	// Supports multiple IDs as one step may map to several ASI categories.
	ASIIds []string `json:"asiIds,omitempty"`

	// STRIDEThreats lists applicable STRIDE threats.
	STRIDEThreats []STRIDEThreat `json:"strideThreats,omitempty"`

	// LINDDUNThreats lists applicable LINDDUN privacy threats.
	LINDDUNThreats []LINDDUNThreat `json:"linddunThreats,omitempty"`

	// Description provides additional context.
	Description string `json:"description,omitempty"`

	// RedTeamNotes provides exploitation guidance for this specific step.
	RedTeamNotes string `json:"redTeamNotes,omitempty"`

	// BlueTeamNotes provides detection guidance for this specific step.
	BlueTeamNotes string `json:"blueTeamNotes,omitempty"`

	// RemediationNote provides fix guidance for this specific step.
	RemediationNote string `json:"remediationNote,omitempty"`

	// TestRef links this attack step to an app-test-spec test case.
	TestRef *TestReference `json:"testRef,omitempty"`

	// ComponentRefs links this attack step to vulnerable software components.
	ComponentRefs []ComponentReference `json:"componentRefs,omitempty"`
}

Attack represents an attack step in an attack chain.

func (*Attack) ToSTIXAttackPattern added in v0.6.0 

func (a *Attack) ToSTIXAttackPattern(createdByRef string) *STIXAttackPattern

ToSTIXAttackPattern converts an Attack to a STIX 2.1 Attack Pattern object.

type AttackGraph added in v0.6.0 

type AttackGraph struct {
	// ID is the unique identifier for this graph
	ID string `json:"id,omitempty"`

	// ThreatModelID links to the source threat model
	ThreatModelID string `json:"threatModelId,omitempty"`

	// Nodes contains all nodes in the graph
	Nodes []GraphNode `json:"nodes"`

	// Edges contains all edges in the graph
	Edges []GraphEdge `json:"edges"`

	// EntryPoints lists node IDs that are potential entry points
	EntryPoints []string `json:"entryPoints,omitempty"`

	// Targets lists node IDs that are high-value targets
	Targets []string `json:"targets,omitempty"`
	// contains filtered or unexported fields
}

AttackGraph represents a directed graph of attack paths

func BuildAttackGraphFromDiagram added in v0.6.0 

func BuildAttackGraphFromDiagram(diagram *DiagramIR) *AttackGraph

BuildAttackGraphFromDiagram creates an attack graph from a DiagramIR

func NewAttackGraph added in v0.6.0 

func NewAttackGraph(id string) *AttackGraph

NewAttackGraph creates a new empty attack graph

func (*AttackGraph) AddEdge added in v0.6.0 

func (g *AttackGraph) AddEdge(edge GraphEdge)

AddEdge adds an edge to the graph

func (*AttackGraph) AddNode added in v0.6.0 

func (g *AttackGraph) AddNode(node GraphNode)

AddNode adds a node to the graph

func (*AttackGraph) AnalyzePaths added in v0.6.0 

func (g *AttackGraph) AnalyzePaths() *PathAnalysisResult

AnalyzePaths performs comprehensive path analysis

func (*AttackGraph) CalculatePathRisk added in v0.6.0 

func (g *AttackGraph) CalculatePathRisk(path *AttackPath) float64

CalculatePathRisk calculates the cumulative risk for a given path

func (*AttackGraph) EdgeCount added in v0.6.0 

func (g *AttackGraph) EdgeCount() int

EdgeCount returns the number of edges in the graph

func (*AttackGraph) FindAllPaths added in v0.6.0 

func (g *AttackGraph) FindAllPaths(source, target string, maxDepth int) []AttackPath

FindAllPaths finds all paths between source and target nodes Uses DFS with cycle detection; maxDepth limits search depth (0 = unlimited)

func (*AttackGraph) FindCriticalPaths added in v0.6.0 

func (g *AttackGraph) FindCriticalPaths(limit int) []AttackPath

FindCriticalPaths finds the paths with highest risk scores

func (*AttackGraph) FindShortestPath added in v0.6.0 

func (g *AttackGraph) FindShortestPath(source, target string) *AttackPath

FindShortestPath finds the shortest path using Dijkstra's algorithm

func (*AttackGraph) GetNeighbors added in v0.6.0 

func (g *AttackGraph) GetNeighbors(nodeID string) []string

GetNeighbors returns all nodes directly reachable from a given node

func (*AttackGraph) GetNode added in v0.6.0 

func (g *AttackGraph) GetNode(id string) *GraphNode

GetNode returns a node by ID

func (*AttackGraph) GetOutgoingEdges added in v0.6.0 

func (g *AttackGraph) GetOutgoingEdges(nodeID string) []GraphEdge

GetOutgoingEdges returns all edges leaving from a node

func (*AttackGraph) NodeCount added in v0.6.0 

func (g *AttackGraph) NodeCount() int

NodeCount returns the number of nodes in the graph

func (*AttackGraph) ReachabilityAnalysis added in v0.6.0 

func (g *AttackGraph) ReachabilityAnalysis() *PathAnalysisResult

ReachabilityAnalysis determines which nodes are reachable from entry points

type AttackPath added in v0.6.0 

type AttackPath struct {
	// Nodes contains the ordered list of node IDs in the path
	Nodes []string `json:"nodes"`

	// Edges contains the edge IDs traversed (len = len(Nodes) - 1)
	Edges []string `json:"edges,omitempty"`

	// TotalWeight is the sum of all edge weights in the path
	TotalWeight float64 `json:"totalWeight"`

	// RiskScore is the cumulative risk score for the path
	RiskScore float64 `json:"riskScore"`

	// Length is the number of edges (hops) in the path
	Length int `json:"length"`
}

AttackPath represents a sequence of nodes and edges forming an attack path

type AttackPattern added in v0.7.0 

type AttackPattern struct {
	// ID is the unique identifier for this pattern.
	ID string `json:"id"`

	// Name is the human-readable pattern name.
	Name string `json:"name"`

	// Type categorizes the attack pattern.
	Type AttackPatternType `json:"type"`

	// Description provides an overview of the attack pattern.
	Description string `json:"description,omitempty"`

	// Prerequisites lists conditions required for this attack.
	Prerequisites []string `json:"prerequisites,omitempty"`

	// AttackSteps provides the template attack chain.
	AttackSteps []AttackPatternStep `json:"attackSteps,omitempty"`

	// VulnerablePatterns contains code patterns that are vulnerable.
	VulnerablePatterns []PatternCodeExample `json:"vulnerablePatterns,omitempty"`

	// SecurePatterns contains secure code patterns.
	SecurePatterns []PatternCodeExample `json:"securePatterns,omitempty"`

	// DetectionPatterns contains patterns for detecting this attack.
	DetectionPatterns []PatternDetection `json:"detectionPatterns,omitempty"`

	// CWEIDs lists applicable CWE identifiers.
	CWEIDs []string `json:"cweIds,omitempty"`

	// MITRETechniques lists applicable MITRE ATT&CK techniques.
	MITRETechniques []string `json:"mitreTechniques,omitempty"`

	// OWASPIds lists applicable OWASP categories.
	OWASPIds []string `json:"owaspIds,omitempty"`

	// ASIIds lists applicable OWASP Agentic Security categories.
	ASIIds []string `json:"asiIds,omitempty"`

	// References contains links to additional information.
	References []Reference `json:"references,omitempty"`
}

AttackPattern represents a reusable attack pattern template. These patterns can be instantiated for specific vulnerabilities.

func AgentToolAbusePattern added in v0.7.0 

func AgentToolAbusePattern() AttackPattern

AgentToolAbusePattern returns the agent tool abuse attack pattern.

func BuiltinAttackPatterns added in v0.7.0 

func BuiltinAttackPatterns() []AttackPattern

BuiltinAttackPatterns returns the built-in attack pattern library.

func CSWSHPattern added in v0.7.0 

func CSWSHPattern() AttackPattern

CSWSHPattern returns the Cross-Site WebSocket Hijacking attack pattern.

func GetAttackPattern added in v0.7.0 

func GetAttackPattern(id string) *AttackPattern

GetAttackPattern returns a built-in attack pattern by ID.

func GetAttackPatternsByType added in v0.7.0 

func GetAttackPatternsByType(patternType AttackPatternType) []AttackPattern

GetAttackPatternByType returns all patterns of a given type.

func SandboxEscapePattern added in v0.7.0 

func SandboxEscapePattern() AttackPattern

SandboxEscapePattern returns the sandbox escape attack pattern.

func TokenExfiltrationPattern added in v0.7.0 

func TokenExfiltrationPattern() AttackPattern

TokenExfiltrationPattern returns the token exfiltration attack pattern.

func URLParameterInjectionPattern added in v0.7.0 

func URLParameterInjectionPattern() AttackPattern

URLParameterInjectionPattern returns the URL parameter injection attack pattern.

type AttackPatternStep added in v0.7.0 

type AttackPatternStep struct {
	// Step is the sequence number.
	Step int `json:"step"`

	// Name is a short name for this step.
	Name string `json:"name"`

	// Description describes what happens in this step.
	Description string `json:"description,omitempty"`

	// Action is the specific action taken.
	Action string `json:"action,omitempty"`

	// Outcome is the expected result.
	Outcome string `json:"outcome,omitempty"`

	// MITRETactic is the MITRE ATT&CK tactic.
	MITRETactic MITRETactic `json:"mitreTactic,omitempty"`

	// MITRETechnique is the MITRE ATT&CK technique ID.
	MITRETechnique string `json:"mitreTechnique,omitempty"`

	// CWEIDs lists applicable CWE identifiers.
	CWEIDs []string `json:"cweIds,omitempty"`
}

AttackPatternStep represents a step in an attack pattern template.

type AttackPatternType added in v0.7.0 

type AttackPatternType string

AttackPatternType categorizes the type of attack pattern. 

const (
	// AttackPatternCSWSH represents Cross-Site WebSocket Hijacking.
	AttackPatternCSWSH AttackPatternType = "cswsh"

	// AttackPatternTokenExfiltration represents credential/token exfiltration.
	AttackPatternTokenExfiltration AttackPatternType = "token-exfiltration"

	// AttackPatternSandboxEscape represents sandbox/container escape.
	AttackPatternSandboxEscape AttackPatternType = "sandbox-escape"

	// AttackPatternLocalPrivEsc represents local privilege escalation.
	AttackPatternLocalPrivEsc AttackPatternType = "local-priv-esc"

	// AttackPatternAgentManipulation represents AI agent manipulation.
	AttackPatternAgentManipulation AttackPatternType = "agent-manipulation"

	// AttackPatternSSRF represents Server-Side Request Forgery.
	AttackPatternSSRF AttackPatternType = "ssrf"

	// AttackPatternPromptInjection represents prompt injection attacks.
	AttackPatternPromptInjection AttackPatternType = "prompt-injection"

	// AttackPatternToolAbuse represents abuse of agent tools.
	AttackPatternToolAbuse AttackPatternType = "tool-abuse"

	// AttackPatternSessionHijacking represents session hijacking.
	AttackPatternSessionHijacking AttackPatternType = "session-hijacking"

	// AttackPatternURLParameterInjection represents URL parameter injection.
	AttackPatternURLParameterInjection AttackPatternType = "url-param-injection"
)

func (AttackPatternType) JSONSchema added in v0.7.0 

func (AttackPatternType) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for AttackPatternType.

type AttackTree added in v0.4.0 

type AttackTree struct {
	// RootID is the ID of the root goal node.
	RootID string `json:"rootId"`

	// Nodes contains all nodes in the attack tree.
	Nodes []AttackTreeNode `json:"nodes"`
}

AttackTree represents the root of an attack tree structure.

func (*AttackTree) GetChildren added in v0.4.0 

func (t *AttackTree) GetChildren(node *AttackTreeNode) []*AttackTreeNode

GetChildren returns the child nodes of the given node.

func (*AttackTree) GetNode added in v0.4.0 

func (t *AttackTree) GetNode(id string) *AttackTreeNode

GetNode returns the node with the given ID, or nil if not found.

func (*AttackTree) GetRoot added in v0.4.0 

func (t *AttackTree) GetRoot() *AttackTreeNode

GetRoot returns the root node of the attack tree.

type AttackTreeNode added in v0.4.0 

type AttackTreeNode struct {
	// ID is the unique identifier for the node.
	ID string `json:"id"`

	// Label is the display name or goal description.
	Label string `json:"label"`

	// NodeType identifies the logic type (AND, OR, LEAF).
	NodeType AttackTreeNodeType `json:"nodeType"`

	// Description provides additional context about this attack step.
	Description string `json:"description,omitempty"`

	// Children contains the child node IDs (for AND/OR nodes).
	Children []string `json:"children,omitempty"`

	// MITRETechnique is the MITRE ATT&CK technique ID (for leaf nodes).
	MITRETechnique string `json:"mitreTechnique,omitempty"`

	// STRIDEThreats lists applicable STRIDE threats.
	STRIDEThreats []STRIDEThreat `json:"strideThreats,omitempty"`

	// Probability is the estimated probability of success (0.0 - 1.0).
	Probability float64 `json:"probability,omitempty"`

	// Cost estimates the attacker cost (low, medium, high).
	Cost string `json:"cost,omitempty"`

	// Difficulty estimates the attack difficulty (trivial, low, medium, high, expert).
	Difficulty string `json:"difficulty,omitempty"`

	// Countermeasure describes how to prevent this attack step.
	Countermeasure string `json:"countermeasure,omitempty"`

	// Mitigated indicates if this attack path is mitigated.
	Mitigated bool `json:"mitigated,omitempty"`
}

AttackTreeNode represents a node in an attack tree. Attack trees are hierarchical decompositions of attack goals.

func (*AttackTreeNode) GetNodeTypeSymbol added in v0.4.0 

func (n *AttackTreeNode) GetNodeTypeSymbol() string

GetNodeTypeSymbol returns the D2-friendly symbol for the node type.

func (*AttackTreeNode) IsLeaf added in v0.4.0 

func (n *AttackTreeNode) IsLeaf() bool

IsLeaf returns true if the node has no children.

type AttackTreeNodeType added in v0.4.0 

type AttackTreeNodeType string

AttackTreeNodeType identifies the logic type of an attack tree node. 

const (
	// AttackTreeNodeTypeAND requires all child nodes to be true.
	AttackTreeNodeTypeAND AttackTreeNodeType = "AND"

	// AttackTreeNodeTypeOR requires any child node to be true.
	AttackTreeNodeTypeOR AttackTreeNodeType = "OR"

	// AttackTreeNodeTypeLeaf is a leaf node with no children.
	AttackTreeNodeTypeLeaf AttackTreeNodeType = "LEAF"
)

func (AttackTreeNodeType) JSONSchema added in v0.4.0 

func (AttackTreeNodeType) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for AttackTreeNodeType.

type Author added in v0.2.0 

type Author struct {
	// Name is the author's name.
	Name string `json:"name"`

	// Email is the author's email address.
	Email string `json:"email,omitempty"`

	// URL is a link to the author's profile or website.
	URL string `json:"url,omitempty"`
}

Author represents a contributor to the threat model.

type Boundary 

type Boundary struct {
	// ID is the unique identifier for the boundary.
	ID string `json:"id"`

	// Label is the display name.
	Label string `json:"label"`

	// Type identifies the boundary type.
	Type BoundaryType `json:"type"`

	// ParentID is the ID of a containing boundary (for nested boundaries).
	ParentID string `json:"parentId,omitempty"`

	// Description provides additional context.
	Description string `json:"description,omitempty"`

	// ImplicitlyTrusted indicates whether elements inside this boundary
	// are implicitly trusted without validation. This is common for localhost
	// boundaries where services assume local connections are safe.
	ImplicitlyTrusted bool `json:"implicitlyTrusted,omitempty"`

	// TrustAssumption describes the security assumption for this boundary.
	// Example: "Localhost connections are trusted without authentication"
	TrustAssumption string `json:"trustAssumption,omitempty"`

	// TrustViolationRisk describes how the trust assumption could be violated.
	// Example: "Cross-Site WebSocket Hijacking can bypass localhost restriction"
	TrustViolationRisk string `json:"trustViolationRisk,omitempty"`

	// BreachVector describes how this boundary was/could be breached.
	// Applicable when Type is "breached" or for threat modeling.
	BreachVector string `json:"breachVector,omitempty"`

	// AuthenticationRequired indicates whether authentication is required
	// to cross this boundary.
	AuthenticationRequired bool `json:"authenticationRequired,omitempty"`

	// AuthorizationEnforced indicates whether authorization is checked
	// at this boundary.
	AuthorizationEnforced bool `json:"authorizationEnforced,omitempty"`
}

Boundary represents a trust boundary containing elements.

type BoundaryType 

type BoundaryType string

BoundaryType identifies the type of trust boundary. 

const (
	BoundaryTypeBrowser   BoundaryType = "browser"
	BoundaryTypeLocalhost BoundaryType = "localhost"
	BoundaryTypeNetwork   BoundaryType = "network"
	BoundaryTypeCloud     BoundaryType = "cloud"
	BoundaryTypeBreached  BoundaryType = "breached"

	// BoundaryTypeContainer represents a container boundary.
	BoundaryTypeContainer BoundaryType = "container"

	// BoundaryTypeSandbox represents an application sandbox boundary.
	BoundaryTypeSandbox BoundaryType = "sandbox"

	// BoundaryTypeAgent represents an AI agent execution boundary.
	BoundaryTypeAgent BoundaryType = "agent"

	// BoundaryTypeOrigin represents a browser same-origin boundary.
	BoundaryTypeOrigin BoundaryType = "origin"
)

func (BoundaryType) JSONSchema 

func (BoundaryType) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for BoundaryType.

type BrowserExecutionInfo added in v0.7.0 

type BrowserExecutionInfo struct {
	// Origin is the JavaScript origin (e.g., "https://example.com").
	Origin string `json:"origin,omitempty"`

	// SameSite indicates the SameSite cookie attribute.
	SameSite string `json:"sameSite,omitempty"`

	// CrossOriginIsolated indicates whether the context is cross-origin isolated.
	CrossOriginIsolated bool `json:"crossOriginIsolated,omitempty"`

	// ServiceWorker indicates whether this is a service worker context.
	ServiceWorker bool `json:"serviceWorker,omitempty"`

	// WebWorker indicates whether this is a web worker context.
	WebWorker bool `json:"webWorker,omitempty"`

	// LocalStorageAccess indicates whether local storage is accessible.
	LocalStorageAccess bool `json:"localStorageAccess,omitempty"`

	// CookieAccess indicates whether cookies are accessible.
	CookieAccess bool `json:"cookieAccess,omitempty"`

	// LocalhostAccess indicates whether localhost can be accessed.
	// This is relevant for Cross-Site WebSocket Hijacking attacks.
	LocalhostAccess bool `json:"localhostAccess,omitempty"`
}

BrowserExecutionInfo contains browser-specific execution details.

type BusinessImpact added in v0.6.0 

type BusinessImpact struct {
	// Financial impacts
	RevenueImpact *LossEstimate `json:"revenueImpact,omitempty"` // Direct revenue loss

	// Non-financial impacts (descriptive)
	CustomerImpact    string `json:"customerImpact,omitempty"`    // Impact on customers
	RegulatoryImpact  string `json:"regulatoryImpact,omitempty"`  // Regulatory/compliance impact
	ReputationImpact  string `json:"reputationImpact,omitempty"`  // Brand/reputation impact
	OperationalImpact string `json:"operationalImpact,omitempty"` // Business operations impact
	LegalImpact       string `json:"legalImpact,omitempty"`       // Legal liability impact

	// Severity classification
	Criticality Criticality `json:"criticality,omitempty"` // Overall criticality level

	// Recovery estimates
	RecoveryTimeEstimate *Duration `json:"recoveryTimeEstimate,omitempty"` // Estimated time to recover
}

BusinessImpact represents the broader business impact of a threat, beyond direct monetary loss.

type CISControlMapping added in v0.4.0 

type CISControlMapping struct {
	// ControlID is the control number (e.g., "1", "2", "16").
	ControlID string `json:"controlId"`

	// ControlName is the control title (e.g., "Inventory and Control of Enterprise Assets").
	ControlName string `json:"controlName,omitempty"`

	// SafeguardID is the specific safeguard ID (e.g., "1.1", "16.4").
	SafeguardID string `json:"safeguardId,omitempty"`

	// SafeguardName is the safeguard description.
	SafeguardName string `json:"safeguardName,omitempty"`

	// ImplementationGroup indicates the implementation group (IG1, IG2, IG3).
	ImplementationGroup string `json:"implementationGroup,omitempty"`

	// AssetType indicates the asset type (Devices, Software, Network, Data, Users).
	AssetType string `json:"assetType,omitempty"`

	// SecurityFunction indicates the security function (Identify, Protect, Detect, Respond, Recover).
	SecurityFunction string `json:"securityFunction,omitempty"`

	// Description explains how this control applies to the threat model.
	Description string `json:"description,omitempty"`

	// URL is a link to the CIS Controls documentation.
	URL string `json:"url,omitempty"`
}

CISControlMapping represents a CIS Critical Security Controls reference.

type CVEMapping added in v0.4.0 

type CVEMapping struct {
	// ID is the CVE ID (e.g., "CVE-2024-12345").
	ID string `json:"id"`

	// Description provides a summary of the vulnerability.
	Description string `json:"description,omitempty"`

	// AffectedComponents lists the component IDs affected by this CVE.
	AffectedComponents []string `json:"affectedComponents,omitempty"`

	// AffectedVersions lists the software versions affected.
	AffectedVersions []string `json:"affectedVersions,omitempty"`

	// CVSS contains the CVSS score for this CVE.
	CVSS *CVSSMapping `json:"cvss,omitempty"`

	// URL is the link to the CVE page.
	URL string `json:"url,omitempty"`

	// References provides additional URLs related to this CVE.
	References []string `json:"references,omitempty"`
}

CVEMapping represents a Common Vulnerabilities and Exposures reference.

type CVSSMapping 

type CVSSMapping struct {
	// Version is the CVSS version (e.g., "3.1", "4.0").
	Version string `json:"version"`

	// Vector is the CVSS vector string (e.g., "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N").
	Vector string `json:"vector"`

	// BaseScore is the calculated base score (0.0 - 10.0).
	BaseScore float64 `json:"baseScore"`

	// Severity is the qualitative severity rating.
	Severity CVSSSeverity `json:"severity"`

	// Description provides context for the scoring.
	Description string `json:"description,omitempty"`
}

CVSSMapping represents a CVSS (Common Vulnerability Scoring System) assessment.

type CVSSSeverity 

type CVSSSeverity string

CVSSSeverity represents the qualitative severity rating. 

const (
	CVSSSeverityNone     CVSSSeverity = "None"
	CVSSSeverityLow      CVSSSeverity = "Low"
	CVSSSeverityMedium   CVSSSeverity = "Medium"
	CVSSSeverityHigh     CVSSSeverity = "High"
	CVSSSeverityCritical CVSSSeverity = "Critical"
)

func (CVSSSeverity) JSONSchema 

func (CVSSSeverity) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for CVSSSeverity.

type CWEMapping 

type CWEMapping struct {
	// ID is the CWE ID (e.g., "CWE-346").
	ID string `json:"id"`

	// Name is the human-readable name (e.g., "Origin Validation Error").
	Name string `json:"name,omitempty"`

	// Description explains how this weakness applies.
	Description string `json:"description,omitempty"`

	// URL is the link to the CWE page.
	URL string `json:"url,omitempty"`
}

CWEMapping represents a Common Weakness Enumeration reference.

type ChecklistItem added in v0.6.0 

type ChecklistItem struct {
	// Item is the checklist item description.
	Item string `json:"item"`

	// Required indicates if this item is required for the fix to be complete.
	Required bool `json:"required,omitempty"`

	// Notes provides additional context for reviewers.
	Notes string `json:"notes,omitempty"`

	// Category categorizes the item (e.g., "validation", "authentication", "logging").
	Category string `json:"category,omitempty"`

	// Severity indicates how critical this item is (critical, high, medium, low).
	Severity string `json:"severity,omitempty"`
}

ChecklistItem is a single item in a code review checklist.

type CloudInfo added in v0.5.0 

type CloudInfo struct {
	// Provider is the cloud provider (aws, gcp, azure, etc.).
	Provider string `json:"provider,omitempty"`

	// Region is the cloud region.
	Region string `json:"region,omitempty"`

	// VPC is the VPC/VNet identifier.
	VPC string `json:"vpc,omitempty"`

	// Subnet is the subnet identifier.
	Subnet string `json:"subnet,omitempty"`

	// ResourceID is the cloud resource identifier.
	ResourceID string `json:"resourceId,omitempty"`
}

CloudInfo contains cloud provider specific details.

type CodePattern added in v0.6.0 

type CodePattern struct {
	// Language is the programming language (e.g., "go", "python", "javascript").
	Language string `json:"language"`

	// Description explains this code pattern.
	Description string `json:"description"`

	// Code is the actual code snippet.
	Code string `json:"code"`

	// Explanation provides detailed explanation of why this is vulnerable/secure.
	Explanation string `json:"explanation,omitempty"`

	// CWE is the CWE ID for the vulnerability type (for vulnerable patterns).
	CWE string `json:"cwe,omitempty"`

	// Framework specifies the framework (e.g., "net/http", "gin", "express").
	Framework string `json:"framework,omitempty"`

	// FilePath suggests where this pattern typically appears.
	FilePath string `json:"filePath,omitempty"`

	// LineRange indicates relevant line numbers (e.g., "45-60").
	LineRange string `json:"lineRange,omitempty"`
}

CodePattern represents a code pattern (vulnerable or secure).

type ComplianceFramework added in v0.4.0 

type ComplianceFramework string

ComplianceFramework identifies the regulatory or compliance framework. 

const (
	// ComplianceFrameworkSOC2 is the AICPA SOC 2 framework.
	ComplianceFrameworkSOC2 ComplianceFramework = "soc2"

	// ComplianceFrameworkPCIDSS is the Payment Card Industry Data Security Standard.
	ComplianceFrameworkPCIDSS ComplianceFramework = "pci-dss"

	// ComplianceFrameworkHIPAA is the Health Insurance Portability and Accountability Act.
	ComplianceFrameworkHIPAA ComplianceFramework = "hipaa"

	// ComplianceFrameworkGDPR is the General Data Protection Regulation.
	ComplianceFrameworkGDPR ComplianceFramework = "gdpr"

	// ComplianceFrameworkCCPA is the California Consumer Privacy Act.
	ComplianceFrameworkCCPA ComplianceFramework = "ccpa"

	// ComplianceFrameworkFedRAMP is the Federal Risk and Authorization Management Program.
	ComplianceFrameworkFedRAMP ComplianceFramework = "fedramp"

	// ComplianceFrameworkNISTSP80053 is NIST Special Publication 800-53.
	ComplianceFrameworkNISTSP80053 ComplianceFramework = "nist-sp-800-53"

	// ComplianceFrameworkNISTSP800171 is NIST Special Publication 800-171.
	ComplianceFrameworkNISTSP800171 ComplianceFramework = "nist-sp-800-171"

	// ComplianceFrameworkSOX is the Sarbanes-Oxley Act.
	ComplianceFrameworkSOX ComplianceFramework = "sox"

	// ComplianceFrameworkGLBA is the Gramm-Leach-Bliley Act.
	ComplianceFrameworkGLBA ComplianceFramework = "glba"
)

func (ComplianceFramework) JSONSchema added in v0.4.0 

func (ComplianceFramework) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for ComplianceFramework.

type ComplianceMapping added in v0.4.0 

type ComplianceMapping struct {
	// Framework identifies the compliance framework.
	Framework ComplianceFramework `json:"framework"`

	// RequirementID is the specific requirement or control reference.
	// Examples: "CC6.1" (SOC 2), "3.5.1" (PCI-DSS), "164.312(a)(1)" (HIPAA).
	RequirementID string `json:"requirementId"`

	// RequirementName is the human-readable requirement title.
	RequirementName string `json:"requirementName,omitempty"`

	// Category groups related requirements (e.g., "Common Criteria", "Access Control").
	Category string `json:"category,omitempty"`

	// Description explains how this requirement applies to the threat model.
	Description string `json:"description,omitempty"`

	// Status indicates compliance status (compliant, non-compliant, partial, not-assessed).
	Status string `json:"status,omitempty"`

	// Evidence provides references to compliance evidence or documentation.
	Evidence string `json:"evidence,omitempty"`

	// URL is a link to the compliance documentation.
	URL string `json:"url,omitempty"`
}

ComplianceMapping represents a regulatory or compliance framework reference.

type ComponentReference added in v0.6.0 

type ComponentReference struct {
	// ID is the component identifier from the SBOM (purl, cpe, or internal ID)
	ID string `json:"id,omitempty"`

	// PURL is the Package URL for the component (e.g., pkg:npm/lodash@4.17.21)
	PURL string `json:"purl,omitempty"`

	// CPE is the Common Platform Enumeration for the component
	CPE string `json:"cpe,omitempty"`

	// Name is the human-readable component name
	Name string `json:"name,omitempty"`

	// Version is the component version
	Version string `json:"version,omitempty"`

	// Supplier is the component supplier/vendor
	Supplier string `json:"supplier,omitempty"`

	// License is the component license (SPDX identifier)
	License string `json:"license,omitempty"`

	// VulnerabilityIDs lists CVE or other vulnerability IDs affecting this component
	VulnerabilityIDs []string `json:"vulnerabilityIds,omitempty"`
}

ComponentReference links a threat or attack to a specific software component

type Confidence added in v0.6.0 

type Confidence string

Confidence represents confidence level in an estimate. 

const (
	ConfidenceVeryLow  Confidence = "very-low"  // < 20% confidence
	ConfidenceLow      Confidence = "low"       // 20-40% confidence
	ConfidenceMedium   Confidence = "medium"    // 40-60% confidence
	ConfidenceHigh     Confidence = "high"      // 60-80% confidence
	ConfidenceVeryHigh Confidence = "very-high" // > 80% confidence
)

type ConfigChange added in v0.6.0 

type ConfigChange struct {
	// Setting is the configuration setting name.
	Setting string `json:"setting"`

	// Value is the recommended value.
	Value string `json:"value"`

	// Description explains why this change is needed.
	Description string `json:"description,omitempty"`

	// Platform specifies the platform or application this applies to.
	Platform string `json:"platform,omitempty"`

	// File is the configuration file path.
	File string `json:"file,omitempty"`

	// CurrentValue shows the vulnerable/default value (for comparison).
	CurrentValue string `json:"currentValue,omitempty"`

	// Impact describes the impact of this change.
	Impact string `json:"impact,omitempty"`

	// RestartRequired indicates if a restart is needed.
	RestartRequired bool `json:"restartRequired,omitempty"`
}

ConfigChange represents a configuration change to fix a vulnerability.

type Contact added in v0.6.0 

type Contact struct {
	// Name is the contact name.
	Name string `json:"name"`

	// Role is the contact's role (e.g., "Security Lead", "On-Call Engineer").
	Role string `json:"role,omitempty"`

	// Email is the contact's email address.
	Email string `json:"email,omitempty"`

	// Phone is the contact's phone number.
	Phone string `json:"phone,omitempty"`

	// Slack is the contact's Slack handle or channel.
	Slack string `json:"slack,omitempty"`

	// PagerDuty is the PagerDuty schedule or escalation policy.
	PagerDuty string `json:"pagerDuty,omitempty"`

	// Availability describes when this contact is available.
	Availability string `json:"availability,omitempty"`

	// Primary indicates if this is the primary contact.
	Primary bool `json:"primary,omitempty"`
}

Contact represents a person or team to contact during an incident.

type ContainerExecutionInfo added in v0.7.0 

type ContainerExecutionInfo struct {
	// Runtime is the container runtime (docker, containerd, podman, etc.).
	Runtime string `json:"runtime,omitempty"`

	// Image is the container image.
	Image string `json:"image,omitempty"`

	// Privileged indicates whether the container runs in privileged mode.
	Privileged bool `json:"privileged,omitempty"`

	// HostPID indicates whether the container shares the host PID namespace.
	HostPID bool `json:"hostPid,omitempty"`

	// HostNetwork indicates whether the container shares the host network.
	HostNetwork bool `json:"hostNetwork,omitempty"`

	// Volumes lists mounted volumes.
	Volumes []string `json:"volumes,omitempty"`

	// ReadOnlyRootFS indicates whether the root filesystem is read-only.
	ReadOnlyRootFS bool `json:"readOnlyRootFs,omitempty"`

	// DropCapabilities lists dropped Linux capabilities.
	DropCapabilities []string `json:"dropCapabilities,omitempty"`
}

ContainerExecutionInfo contains container-specific execution details.

type ControlFramework added in v0.4.0 

type ControlFramework string

ControlFramework identifies which control framework a mapping belongs to. 

const (
	ControlFrameworkNISTCSF  ControlFramework = "nist-csf"
	ControlFrameworkCIS      ControlFramework = "cis"
	ControlFrameworkISO27001 ControlFramework = "iso27001"
)

func (ControlFramework) JSONSchema added in v0.4.0 

func (ControlFramework) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for ControlFramework.

type Controls added in v0.4.0 

type Controls struct {
	// NISTCSF contains NIST Cybersecurity Framework mappings.
	NISTCSF []NISTCSFMapping `json:"nistCsf,omitempty"`

	// CIS contains CIS Critical Security Controls mappings.
	CIS []CISControlMapping `json:"cis,omitempty"`

	// ISO27001 contains ISO/IEC 27001 control mappings.
	ISO27001 []ISO27001Mapping `json:"iso27001,omitempty"`
}

Controls aggregates control framework mappings.

type CoverageLevel added in v0.6.0 

type CoverageLevel string

CoverageLevel indicates the level of detection coverage for a technique. 

const (
	// CoverageLevelNone indicates no detection coverage.
	CoverageLevelNone CoverageLevel = "none"

	// CoverageLevelMinimal indicates minimal/basic detection coverage.
	CoverageLevelMinimal CoverageLevel = "minimal"

	// CoverageLevelPartial indicates partial detection coverage.
	CoverageLevelPartial CoverageLevel = "partial"

	// CoverageLevelSubstantial indicates substantial detection coverage.
	CoverageLevelSubstantial CoverageLevel = "substantial"

	// CoverageLevelFull indicates full/comprehensive detection coverage.
	CoverageLevelFull CoverageLevel = "full"
)

func (CoverageLevel) JSONSchema added in v0.6.0 

func (CoverageLevel) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for CoverageLevel.

type CoverageSummary added in v0.6.0 

type CoverageSummary struct {
	// TotalTechniques is the total number of techniques assessed.
	TotalTechniques int `json:"totalTechniques"`

	// CoveredFull is the count of techniques with full coverage.
	CoveredFull int `json:"coveredFull"`

	// CoveredSubstantial is the count with substantial coverage.
	CoveredSubstantial int `json:"coveredSubstantial"`

	// CoveredPartial is the count with partial coverage.
	CoveredPartial int `json:"coveredPartial"`

	// CoveredMinimal is the count with minimal coverage.
	CoveredMinimal int `json:"coveredMinimal"`

	// NotCovered is the count of techniques with no coverage.
	NotCovered int `json:"notCovered"`

	// CoveragePercent is the percentage of techniques with any coverage.
	CoveragePercent float64 `json:"coveragePercent"`

	// EffectiveCoveragePercent weights coverage levels (full=100%, substantial=75%, partial=50%, minimal=25%).
	EffectiveCoveragePercent float64 `json:"effectiveCoveragePercent"`

	// GapsByTactic groups uncovered techniques by MITRE tactic.
	GapsByTactic map[string]int `json:"gapsByTactic,omitempty"`
}

CoverageSummary provides aggregate statistics for detection coverage.

func CalculateCoverage added in v0.6.0 

func CalculateCoverage(techniques []TechniqueCoverage) *CoverageSummary

CalculateCoverage computes coverage summary from technique coverage data.

type CredentialFlow added in v0.7.0 

type CredentialFlow struct {
	// ID is the unique identifier for this credential flow.
	ID string `json:"id"`

	// Name is a human-readable name for the credential.
	Name string `json:"name"`

	// Description provides details about the credential.
	Description string `json:"description,omitempty"`

	// Type categorizes the credential.
	Type CredentialType `json:"type"`

	// AssetID links to the Asset definition for this credential.
	AssetID string `json:"assetId,omitempty"`

	// Stages tracks the credential through its lifecycle.
	Stages []CredentialFlowEvent `json:"stages,omitempty"`

	// ExpirationDuration is how long the credential is valid (e.g., "24h", "7d").
	ExpirationDuration string `json:"expirationDuration,omitempty"`

	// Revocable indicates whether the credential can be revoked.
	Revocable bool `json:"revocable,omitempty"`

	// RotationPolicy describes how often credentials are rotated.
	RotationPolicy string `json:"rotationPolicy,omitempty"`

	// Scope describes what the credential grants access to.
	Scope []string `json:"scope,omitempty"`

	// RiskLevel indicates the risk if this credential is compromised.
	RiskLevel RiskLevel `json:"riskLevel,omitempty"`
}

CredentialFlow tracks the lifecycle of a credential through the system, including both legitimate usage and attack paths where it may be exfiltrated.

func (*CredentialFlow) GetExfiltrationPath added in v0.7.0 

func (cf *CredentialFlow) GetExfiltrationPath() []CredentialFlowEvent

GetExfiltrationPath returns the credential flow events from creation to exfiltration. Returns nil if no exfiltration is recorded.

func (*CredentialFlow) GetVulnerableTransmissions added in v0.7.0 

func (cf *CredentialFlow) GetVulnerableTransmissions() []CredentialFlowEvent

GetVulnerableTransmissions returns transmission events with security issues.

func (*CredentialFlow) IsExfiltrated added in v0.7.0 

func (cf *CredentialFlow) IsExfiltrated() bool

IsExfiltrated returns true if the credential has an exfiltration event.

func (*CredentialFlow) IsReused added in v0.7.0 

func (cf *CredentialFlow) IsReused() bool

IsReused returns true if the credential has a reuse event (indicating replay attack).

type CredentialFlowEvent added in v0.7.0 

type CredentialFlowEvent struct {
	// Stage identifies the lifecycle stage.
	Stage CredentialFlowStage `json:"stage"`

	// ElementID is the diagram element where this event occurs.
	ElementID string `json:"elementId,omitempty"`

	// Description provides context about this event.
	Description string `json:"description,omitempty"`

	// TransportProtocol describes how the credential is transmitted (if applicable).
	// Examples: "https", "wss", "ws", "http"
	TransportProtocol string `json:"transportProtocol,omitempty"`

	// TransportMechanism describes the transport mechanism.
	// Examples: "header", "cookie", "query-param", "body", "websocket-message"
	TransportMechanism string `json:"transportMechanism,omitempty"`

	// Encrypted indicates whether the credential is encrypted at this stage.
	Encrypted bool `json:"encrypted,omitempty"`

	// AttackStep links to an attack step if this is part of an attack chain.
	AttackStep int `json:"attackStep,omitempty"`

	// Vulnerability describes any vulnerability associated with this event.
	Vulnerability string `json:"vulnerability,omitempty"`

	// CWEIDs lists applicable CWE identifiers for vulnerabilities.
	CWEIDs []string `json:"cweIds,omitempty"`
}

CredentialFlowEvent represents a single event in the credential lifecycle.

type CredentialFlowStage added in v0.7.0 

type CredentialFlowStage string

CredentialFlowStage represents a stage in the credential lifecycle. 

const (
	// CredentialStageCreated indicates the credential was created/issued.
	CredentialStageCreated CredentialFlowStage = "created"

	// CredentialStageStored indicates the credential was stored.
	CredentialStageStored CredentialFlowStage = "stored"

	// CredentialStageTransmitted indicates the credential was transmitted.
	CredentialStageTransmitted CredentialFlowStage = "transmitted"

	// CredentialStageExfiltrated indicates the credential was exfiltrated by an attacker.
	CredentialStageExfiltrated CredentialFlowStage = "exfiltrated"

	// CredentialStageReused indicates the credential was reused/replayed by an attacker.
	CredentialStageReused CredentialFlowStage = "reused"

	// CredentialStageRevoked indicates the credential was revoked.
	CredentialStageRevoked CredentialFlowStage = "revoked"

	// CredentialStageExpired indicates the credential expired.
	CredentialStageExpired CredentialFlowStage = "expired"
)

func (CredentialFlowStage) JSONSchema added in v0.7.0 

func (CredentialFlowStage) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for CredentialFlowStage.

type CredentialType added in v0.7.0 

type CredentialType string

CredentialType categorizes the type of credential. 

const (
	// CredentialTypeAPIKey represents an API key.
	CredentialTypeAPIKey CredentialType = "api-key"

	// CredentialTypeBearerToken represents a bearer/access token.
	CredentialTypeBearerToken CredentialType = "bearer-token"

	// CredentialTypeRefreshToken represents a refresh token.
	CredentialTypeRefreshToken CredentialType = "refresh-token"

	// CredentialTypeJWT represents a JSON Web Token.
	CredentialTypeJWT CredentialType = "jwt"

	// CredentialTypeSessionToken represents a session token/cookie.
	CredentialTypeSessionToken CredentialType = "session-token"

	// CredentialTypePassword represents a password.
	CredentialTypePassword CredentialType = "password"

	// CredentialTypePrivateKey represents a private key.
	CredentialTypePrivateKey CredentialType = "private-key"

	// CredentialTypeCertificate represents an X.509 certificate.
	CredentialTypeCertificate CredentialType = "certificate"

	// CredentialTypeOAuth represents OAuth credentials.
	CredentialTypeOAuth CredentialType = "oauth"

	// CredentialTypeWebSocketToken represents a WebSocket authentication token.
	CredentialTypeWebSocketToken CredentialType = "websocket-token"
)

func (CredentialType) JSONSchema added in v0.7.0 

func (CredentialType) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for CredentialType.

type Criticality added in v0.6.0 

type Criticality string

Criticality represents business criticality level. 

const (
	CriticalityCritical Criticality = "critical" // Business-threatening impact
	CriticalityHigh     Criticality = "high"     // Significant business impact
	CriticalityMedium   Criticality = "medium"   // Moderate business impact
	CriticalityLow      Criticality = "low"      // Minor business impact
)

type Currency added in v0.6.0 

type Currency struct {
	Amount float64 `json:"amount"`           // Monetary amount
	Code   string  `json:"code,omitempty"`   // ISO 4217 currency code (default: USD)
	Symbol string  `json:"symbol,omitempty"` // Currency symbol for display (e.g., "$")
}

Currency represents a monetary value with its currency code.

type DataCategory added in v0.4.0 

type DataCategory string

DataCategory represents categories of personal or sensitive data. 

const (
	DataCategoryPII        DataCategory = "pii"        // Personally Identifiable Information
	DataCategoryPHI        DataCategory = "phi"        // Protected Health Information
	DataCategoryFinancial  DataCategory = "financial"  // Financial data
	DataCategoryBiometric  DataCategory = "biometric"  // Biometric data
	DataCategoryLocation   DataCategory = "location"   // Location data
	DataCategoryBehavioral DataCategory = "behavioral" // Behavioral/tracking data
	DataCategoryGenetic    DataCategory = "genetic"    // Genetic data
	DataCategoryMinor      DataCategory = "minor"      // Data about minors
	DataCategorySensitive  DataCategory = "sensitive"  // Other sensitive categories
)

func (DataCategory) JSONSchema added in v0.4.0 

func (DataCategory) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for DataCategory.

type DataSourceType added in v0.4.0 

type DataSourceType string

DataSourceType identifies the type of data source for detection. 

const (
	DataSourceTypeLogs           DataSourceType = "logs"
	DataSourceTypeSIEM           DataSourceType = "siem"
	DataSourceTypeEDR            DataSourceType = "edr"
	DataSourceTypeNDR            DataSourceType = "ndr"
	DataSourceTypeIDS            DataSourceType = "ids"
	DataSourceTypeWAF            DataSourceType = "waf"
	DataSourceTypeCloudTrail     DataSourceType = "cloudtrail"
	DataSourceTypeAPIGateway     DataSourceType = "api-gateway"
	DataSourceTypeNetworkCapture DataSourceType = "network-capture"
	DataSourceTypeUserBehavior   DataSourceType = "user-behavior"
	DataSourceTypeAuditLog       DataSourceType = "audit-log"
)

func (DataSourceType) JSONSchema added in v0.4.0 

func (DataSourceType) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for DataSourceType.

type DefenseGuidance added in v0.6.0 

type DefenseGuidance struct {
	// DetectionRules contains detection rules in various formats.
	DetectionRules []DetectionRule `json:"detectionRules,omitempty"`

	// IOCs contains Indicators of Compromise.
	IOCs []IOC `json:"iocs,omitempty"`

	// LogSources lists log sources useful for detection.
	LogSources []LogSource `json:"logSources,omitempty"`

	// HuntingQueries provides proactive threat hunting queries.
	HuntingQueries []HuntingQuery `json:"huntingQueries,omitempty"`

	// MonitoringRecommendations provides general monitoring guidance.
	MonitoringRecommendations []string `json:"monitoringRecommendations,omitempty"`

	// AlertThresholds describes when to trigger alerts.
	AlertThresholds []AlertThreshold `json:"alertThresholds,omitempty"`

	// Notes provides additional guidance for SOC analysts.
	Notes string `json:"notes,omitempty"`
}

DefenseGuidance provides blue team/defensive security guidance for detecting and hunting for threats.

type DependencyRisk added in v0.6.0 

type DependencyRisk struct {
	// ComponentRef references the component in the SBOM
	ComponentRef ComponentReference `json:"componentRef,omitempty"`

	// RiskLevel is the overall risk level (critical, high, medium, low)
	RiskLevel RiskLevel `json:"riskLevel,omitempty"`

	// VulnerabilityCount is the number of known vulnerabilities
	VulnerabilityCount int `json:"vulnerabilityCount,omitempty"`

	// CriticalCount is the number of critical severity vulnerabilities
	CriticalCount int `json:"criticalCount,omitempty"`

	// HighCount is the number of high severity vulnerabilities
	HighCount int `json:"highCount,omitempty"`

	// OutdatedBy indicates how many versions behind the latest
	OutdatedBy int `json:"outdatedBy,omitempty"`

	// LastUpdated is when the component was last updated
	LastUpdated string `json:"lastUpdated,omitempty"`

	// Deprecated indicates if the component is deprecated
	Deprecated bool `json:"deprecated,omitempty"`

	// Unmaintained indicates if the component appears unmaintained
	Unmaintained bool `json:"unmaintained,omitempty"`

	// DirectDependency indicates if this is a direct or transitive dependency
	DirectDependency bool `json:"directDependency,omitempty"`

	// Notes provides additional context about the dependency risk
	Notes string `json:"notes,omitempty"`
}

DependencyRisk represents risk information for a software dependency

type Detection added in v0.4.0 

type Detection struct {
	// ID is the unique identifier for the detection.
	ID string `json:"id"`

	// Title is a brief description of what is detected.
	Title string `json:"title"`

	// Description provides detailed information about the detection.
	Description string `json:"description,omitempty"`

	// ThreatIDs lists the IDs of threats this detection covers.
	ThreatIDs []string `json:"threatIds,omitempty"`

	// AttackSteps lists the attack step numbers this detection covers.
	AttackSteps []int `json:"attackSteps,omitempty"`

	// MITRETechniques lists MITRE ATT&CK techniques this detection covers.
	MITRETechniques []string `json:"mitreTechniques,omitempty"`

	// Method describes how the threat is detected.
	Method string `json:"method,omitempty"`

	// DataSources lists the data sources used for detection.
	DataSources []DataSourceType `json:"dataSources,omitempty"`

	// Coverage indicates the detection coverage level.
	Coverage DetectionCoverage `json:"coverage"`

	// LatencySeconds is the typical time to detect (in seconds).
	LatencySeconds int `json:"latencySeconds,omitempty"`

	// FalsePositiveRate describes the expected false positive rate (high, medium, low).
	FalsePositiveRate string `json:"falsePositiveRate,omitempty"`

	// DetectionLogic contains the query, rule, or signature logic.
	DetectionLogic string `json:"detectionLogic,omitempty"`

	// Tool identifies the detection tool or platform.
	Tool string `json:"tool,omitempty"`

	// PlaybookID references a response playbook for this detection.
	PlaybookID string `json:"playbookId,omitempty"`

	// AlertSeverity indicates the alert severity when triggered.
	AlertSeverity string `json:"alertSeverity,omitempty"`

	// Enabled indicates if this detection is currently active.
	Enabled bool `json:"enabled,omitempty"`
}

Detection represents detection capabilities for a threat or attack.

type DetectionCoverage added in v0.4.0 

type DetectionCoverage string

DetectionCoverage indicates the level of detection coverage. 

const (
	DetectionCoverageNone    DetectionCoverage = "none"
	DetectionCoveragePartial DetectionCoverage = "partial"
	DetectionCoverageFull    DetectionCoverage = "full"
)

func (DetectionCoverage) JSONSchema added in v0.4.0 

func (DetectionCoverage) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for DetectionCoverage.

type DetectionCoverageMatrix added in v0.6.0 

type DetectionCoverageMatrix struct {
	// Techniques contains coverage data for each technique.
	Techniques []TechniqueCoverage `json:"techniques"`

	// Summary provides aggregate statistics.
	Summary *CoverageSummary `json:"summary,omitempty"`

	// LastUpdated is the timestamp when coverage was last calculated.
	LastUpdated string `json:"lastUpdated,omitempty"`

	// Source identifies where the coverage data came from.
	Source string `json:"source,omitempty"`
}

DetectionCoverageMatrix represents MITRE ATT&CK detection coverage. This enables heatmap visualization and gap analysis.

func (*DetectionCoverageMatrix) GetCoverageByTactic added in v0.6.0 

func (m *DetectionCoverageMatrix) GetCoverageByTactic() map[string][]TechniqueCoverage

GetCoverageByTactic returns techniques grouped by tactic.

func (*DetectionCoverageMatrix) GetGaps added in v0.6.0 

func (m *DetectionCoverageMatrix) GetGaps() []TechniqueCoverage

GetGaps returns all techniques with no coverage.

func (*DetectionCoverageMatrix) GetTechniqueCoverage added in v0.6.0 

func (m *DetectionCoverageMatrix) GetTechniqueCoverage(techniqueID string) *TechniqueCoverage

GetTechniqueCoverage returns coverage for a specific technique ID.

type DetectionEfficiency added in v0.6.0 

type DetectionEfficiency struct {
	// AlertsPerIncident is the average number of alerts per incident.
	AlertsPerIncident float64 `json:"alertsPerIncident,omitempty"`

	// Precision is the ratio of true positives to all positive predictions.
	Precision float64 `json:"precision,omitempty"`

	// Recall is the ratio of true positives to all actual positives (same as DetectionRate).
	Recall float64 `json:"recall,omitempty"`

	// F1Score is the harmonic mean of precision and recall.
	F1Score float64 `json:"f1Score,omitempty"`
}

DetectionEfficiency provides derived efficiency metrics.

type DetectionFormat added in v0.6.0 

type DetectionFormat string

DetectionFormat identifies the format of a detection rule. 

const (
	DetectionFormatSigma    DetectionFormat = "sigma"
	DetectionFormatYara     DetectionFormat = "yara"
	DetectionFormatSplunk   DetectionFormat = "splunk"
	DetectionFormatElastic  DetectionFormat = "elastic"
	DetectionFormatKQL      DetectionFormat = "kql"
	DetectionFormatSnort    DetectionFormat = "snort"
	DetectionFormatSuricata DetectionFormat = "suricata"
	DetectionFormatCustom   DetectionFormat = "custom"
)

func (DetectionFormat) JSONSchema added in v0.6.0 

func (DetectionFormat) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for DetectionFormat.

type DetectionRule added in v0.6.0 

type DetectionRule struct {
	// ID is the unique identifier for this rule.
	ID string `json:"id"`

	// Name is the rule name.
	Name string `json:"name"`

	// Format identifies the rule format (sigma, yara, splunk, etc.).
	Format DetectionFormat `json:"format"`

	// Rule is the actual detection rule content.
	Rule string `json:"rule"`

	// Description explains what this rule detects.
	Description string `json:"description,omitempty"`

	// Severity indicates the alert severity (informational, low, medium, high, critical).
	Severity string `json:"severity,omitempty"`

	// FalsePositives lists known false positive scenarios.
	FalsePositives []string `json:"falsePositives,omitempty"`

	// References lists external resources about this detection.
	References []string `json:"references,omitempty"`

	// MITRETechniques lists MITRE ATT&CK techniques this rule detects.
	MITRETechniques []string `json:"mitreTechniques,omitempty"`

	// Tags are metadata tags for categorization.
	Tags []string `json:"tags,omitempty"`

	// Status indicates the rule status (experimental, testing, stable, deprecated).
	Status string `json:"status,omitempty"`

	// Author is the rule author.
	Author string `json:"author,omitempty"`

	// Date is the rule creation or update date.
	Date string `json:"date,omitempty"`

	// TestRefs links to app-test-spec tests that validate this detection.
	TestRefs []TestReference `json:"testRefs,omitempty"`
}

DetectionRule represents a detection rule for SIEM/EDR/IDS.

func (*DetectionRule) ToSTIXCourseOfAction added in v0.6.0 

func (dr *DetectionRule) ToSTIXCourseOfAction(createdByRef string) *STIXCourseOfAction

ToSTIXCourseOfAction converts a DetectionRule to a STIX 2.1 Course of Action object.

type DiagramIR 

type DiagramIR struct {
	// Type identifies the diagram type (dfd, attack-chain, sequence).
	Type DiagramType `json:"type"`

	// Title is the diagram title.
	Title string `json:"title"`

	// Description provides additional context about the diagram.
	Description string `json:"description,omitempty"`

	// Direction specifies the layout direction (right, down, etc.).
	Direction Direction `json:"direction,omitempty"`

	// Legend controls whether to show the legend.
	Legend *Legend `json:"legend,omitempty"`

	// Mappings contains references to external security frameworks
	// (MITRE ATT&CK, ATLAS, OWASP, CWE, CVSS, STRIDE).
	Mappings *Mappings `json:"mappings,omitempty"`

	// Elements are the DFD elements (processes, datastores, external entities).
	Elements []Element `json:"elements,omitempty"`

	// Boundaries are the trust boundaries containing elements.
	Boundaries []Boundary `json:"boundaries,omitempty"`

	// Flows are the data flows between elements (for DFD).
	Flows []Flow `json:"flows,omitempty"`

	// Attacks are the attack steps (for attack-chain type).
	Attacks []Attack `json:"attacks,omitempty"`

	// Targets are the high-value assets being targeted.
	Targets []Target `json:"targets,omitempty"`

	// Actors are the lifelines in a sequence diagram.
	Actors []Actor `json:"actors,omitempty"`

	// Phases group messages into logical attack phases.
	Phases []Phase `json:"phases,omitempty"`

	// Messages are the interactions between actors (for sequence type).
	Messages []Message `json:"messages,omitempty"`

	// AttackTree contains the attack tree structure (for attack-tree type).
	AttackTree *AttackTree `json:"attackTree,omitempty"`

	// Threats contains identified threats with status tracking.
	Threats []ThreatEntry `json:"threats,omitempty"`

	// Mitigations contains countermeasures addressing identified threats.
	Mitigations []Mitigation `json:"mitigations,omitempty"`

	// Detections contains detection capabilities for threats and attacks.
	Detections []Detection `json:"detections,omitempty"`

	// ResponseActions contains incident response actions.
	ResponseActions []ResponseAction `json:"responseActions,omitempty"`
}

DiagramIR is the intermediate representation for all threat modeling diagrams. It uses a non-polymorphic structure where the Type field identifies the diagram kind, and different fields are used depending on the type.

For DFD: Uses Elements, Boundaries, Flows For Attack Chain: Uses Elements, Boundaries, Attacks, Targets For Sequence: Uses Actors, Phases, Messages

func LoadFromFile 

func LoadFromFile(path string) (*DiagramIR, error)

LoadFromFile loads a DiagramIR from a JSON file.

func (*DiagramIR) IsValid 

func (d *DiagramIR) IsValid() bool

IsValid returns true if the diagram passes validation.

func (*DiagramIR) MustValidate 

func (d *DiagramIR) MustValidate()

MustValidate panics if validation fails.

func (*DiagramIR) RenderD2 

func (d *DiagramIR) RenderD2() string

RenderD2 renders the DiagramIR to D2 format.

func (*DiagramIR) Validate 

func (d *DiagramIR) Validate() error

Validate checks that the DiagramIR is internally consistent. It verifies that fields are appropriate for the diagram type and that required fields are present.

func (*DiagramIR) ValidateOWASPMappings added in v0.6.0 

func (d *DiagramIR) ValidateOWASPMappings() []string

ValidateOWASPMappings checks that OWASP IDs in mappings and attacks are recognized. Returns warnings (not errors) for unrecognized IDs to allow forward compatibility.

func (*DiagramIR) ValidateStrict 

func (d *DiagramIR) ValidateStrict() error

ValidateStrict performs additional strict validation checks. This includes checks that may be warnings rather than errors.

type DiagramType 

type DiagramType string

DiagramType identifies the type of diagram. 

const (
	DiagramTypeDFD        DiagramType = "dfd"
	DiagramTypeAttack     DiagramType = "attack-chain"
	DiagramTypeSequence   DiagramType = "sequence"
	DiagramTypeAttackTree DiagramType = "attack-tree"
)

func (DiagramType) JSONSchema 

func (DiagramType) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for DiagramType.

type DiagramView added in v0.2.0 

type DiagramView struct {
	// Type identifies the diagram type (dfd, attack-chain, sequence).
	Type DiagramType `json:"type"`

	// Title is the diagram-specific title. If empty, inherits from ThreatModel.
	Title string `json:"title,omitempty"`

	// Description provides diagram-specific context.
	Description string `json:"description,omitempty"`

	// Direction specifies the layout direction (right, down, etc.).
	Direction Direction `json:"direction,omitempty"`

	// Legend controls whether to show the legend.
	Legend *Legend `json:"legend,omitempty"`

	// Mappings contains diagram-specific framework mappings.
	// If nil, the diagram inherits from the parent ThreatModel.
	// If set, these mappings apply only to this diagram view.
	Mappings *Mappings `json:"mappings,omitempty"`

	// Elements are the DFD elements (processes, datastores, external entities).
	Elements []Element `json:"elements,omitempty"`

	// Boundaries are the trust boundaries containing elements.
	Boundaries []Boundary `json:"boundaries,omitempty"`

	// Flows are the data flows between elements (for DFD).
	Flows []Flow `json:"flows,omitempty"`

	// Attacks are the attack steps (for attack-chain type).
	Attacks []Attack `json:"attacks,omitempty"`

	// Targets are the high-value assets being targeted.
	Targets []Target `json:"targets,omitempty"`

	// Actors are the lifelines in a sequence diagram.
	Actors []Actor `json:"actors,omitempty"`

	// Phases group messages into logical attack phases.
	Phases []Phase `json:"phases,omitempty"`

	// Messages are the interactions between actors (for sequence type).
	Messages []Message `json:"messages,omitempty"`

	// AttackTree contains the attack tree structure for attack-tree type.
	AttackTree *AttackTree `json:"attackTree,omitempty"`

	// Threats contains identified threats with status tracking.
	Threats []ThreatEntry `json:"threats,omitempty"`

	// Mitigations contains countermeasures addressing identified threats.
	Mitigations []Mitigation `json:"mitigations,omitempty"`

	// Detections contains detection capabilities for threats and attacks.
	Detections []Detection `json:"detections,omitempty"`

	// ResponseActions contains incident response actions.
	ResponseActions []ResponseAction `json:"responseActions,omitempty"`
}

DiagramView represents a single diagram within a ThreatModel. It embeds DiagramIR but allows the diagram to inherit or override the parent ThreatModel's mappings.

func (*DiagramView) ToDiagramIR added in v0.2.0 

func (dv *DiagramView) ToDiagramIR(parent *ThreatModel) *DiagramIR

ToDigramIR converts a DiagramView to a standalone DiagramIR, inheriting mappings from the parent ThreatModel if not overridden.

type Direction 

type Direction string

Direction specifies the layout direction of the diagram. 

const (
	DirectionRight Direction = "right"
	DirectionDown  Direction = "down"
	DirectionLeft  Direction = "left"
	DirectionUp    Direction = "up"
)

func (Direction) JSONSchema 

func (Direction) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for Direction.

type Duration added in v0.6.0 

type Duration struct {
	Value int          `json:"value"` // Numeric value
	Unit  DurationUnit `json:"unit"`  // Time unit
}

Duration represents a time duration with unit.

type DurationUnit added in v0.6.0 

type DurationUnit string

DurationUnit represents time measurement units. 

const (
	DurationUnitSeconds DurationUnit = "seconds"
	DurationUnitMinutes DurationUnit = "minutes"
	DurationUnitHours   DurationUnit = "hours"
	DurationUnitDays    DurationUnit = "days"
	DurationUnitWeeks   DurationUnit = "weeks"
)

type EPSSCatalog added in v0.6.0 

type EPSSCatalog struct {
	Entries     map[string]EPSSData `json:"entries"`               // CVE ID -> EPSS data
	LastUpdated string              `json:"lastUpdated,omitempty"` // Date catalog was last updated
	Source      string              `json:"source,omitempty"`      // Data source (e.g., "FIRST EPSS API")
}

EPSSCatalog provides lookup functionality for EPSS scores. This can be populated from the FIRST EPSS API or embedded data.

func (*EPSSCatalog) GetEPSSScore added in v0.6.0 

func (c *EPSSCatalog) GetEPSSScore(cveID string) *EPSSData

GetEPSSScore returns EPSS data for a given CVE ID, or nil if not found.

func (*EPSSCatalog) GetHighPriorityCVEs added in v0.6.0 

func (c *EPSSCatalog) GetHighPriorityCVEs() []EPSSData

GetHighPriorityCVEs returns all CVEs with EPSS score >= 0.3.

func (*EPSSCatalog) GetPriorityCVEs added in v0.6.0 

func (c *EPSSCatalog) GetPriorityCVEs() []EPSSData

GetPriorityCVEs returns all CVEs with EPSS score >= 0.1.

type EPSSData added in v0.6.0 

type EPSSData struct {
	CVE        string  `json:"cve"`                  // CVE identifier (e.g., "CVE-2024-1234")
	EPSSScore  float64 `json:"epssScore"`            // EPSS probability score (0.0 to 1.0)
	Percentile float64 `json:"percentile"`           // Percentile rank (0.0 to 100.0)
	DateScored string  `json:"dateScored,omitempty"` // Date the score was calculated (ISO 8601)
}

EPSSData represents Exploit Prediction Scoring System (EPSS) data from FIRST (Forum of Incident Response and Security Teams). EPSS provides a probability score indicating the likelihood that a vulnerability will be exploited in the wild within the next 30 days.

func (*EPSSData) IsHighPriority added in v0.6.0 

func (e *EPSSData) IsHighPriority() bool

IsHighPriority returns true if the vulnerability is high priority based on EPSS score (threshold: >= 0.3).

func (*EPSSData) IsPriority added in v0.6.0 

func (e *EPSSData) IsPriority() bool

IsPriority returns true if the vulnerability should be prioritized for remediation based on EPSS score (commonly used threshold: >= 0.1).

func (*EPSSData) RiskLevel added in v0.6.0 

func (e *EPSSData) RiskLevel() EPSSRiskLevel

RiskLevel returns a categorical risk level based on the EPSS score. This uses commonly recommended thresholds for prioritization.

func (*EPSSData) RiskLevelByPercentile added in v0.6.0 

func (e *EPSSData) RiskLevelByPercentile() EPSSRiskLevel

RiskLevelByPercentile returns a categorical risk level based on percentile. This is useful when comparing relative risk across all known CVEs.

type EPSSRiskLevel added in v0.6.0 

type EPSSRiskLevel string

EPSSRiskLevel represents categorical risk levels derived from EPSS scores. 

const (
	// EPSSRiskCritical indicates very high likelihood of exploitation (> 0.7 / top 1%)
	EPSSRiskCritical EPSSRiskLevel = "critical"
	// EPSSRiskHigh indicates high likelihood of exploitation (0.3 - 0.7 / top 5%)
	EPSSRiskHigh EPSSRiskLevel = "high"
	// EPSSRiskMedium indicates moderate likelihood of exploitation (0.1 - 0.3 / top 20%)
	EPSSRiskMedium EPSSRiskLevel = "medium"
	// EPSSRiskLow indicates lower likelihood of exploitation (< 0.1)
	EPSSRiskLow EPSSRiskLevel = "low"
)

type Element 

type Element struct {
	// ID is the unique identifier for the element.
	ID string `json:"id"`

	// Label is the display name.
	Label string `json:"label"`

	// Type identifies the element type.
	Type ElementType `json:"type"`

	// ParentID is the ID of the containing boundary (if any).
	ParentID string `json:"parentId,omitempty"`

	// Classification indicates the asset value/sensitivity.
	Classification AssetClassification `json:"classification,omitempty"`

	// STRIDEThreats lists applicable STRIDE threats.
	STRIDEThreats []STRIDEThreat `json:"strideThreats,omitempty"`

	// Description provides additional context.
	Description string `json:"description,omitempty"`

	// Network contains optional network topology details.
	Network *NetworkInfo `json:"network,omitempty"`

	// AssetIDs links this element to Asset definitions.
	AssetIDs []string `json:"assetIds,omitempty"`

	// AgentCapabilities describes the capabilities of an AI agent element.
	// Only applicable when Type is "agent".
	AgentCapabilities *AgentCapabilities `json:"agentCapabilities,omitempty"`

	// ExecutionContext describes the execution environment for this element.
	// Useful for understanding RCE impact and sandbox escape potential.
	ExecutionContext *ExecutionContext `json:"executionContext,omitempty"`
}

Element represents a DFD element (process, datastore, external entity, etc.).

type ElementType 

type ElementType string

ElementType identifies the type of DFD element. 

const (
	ElementTypeProcess        ElementType = "process"
	ElementTypeDatastore      ElementType = "datastore"
	ElementTypeExternalEntity ElementType = "external-entity"
	ElementTypeGateway        ElementType = "gateway"
	ElementTypeBrowser        ElementType = "browser"
	ElementTypeAgent          ElementType = "agent"
	ElementTypeAPI            ElementType = "api"
)

func (ElementType) JSONSchema 

func (ElementType) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for ElementType.

type EscapeVector added in v0.7.0 

type EscapeVector struct {
	// Name is a short name for this escape vector.
	Name string `json:"name"`

	// Description describes how the escape could occur.
	Description string `json:"description,omitempty"`

	// SourceContext is the starting execution context type.
	SourceContext ExecutionEnvironmentType `json:"sourceContext"`

	// TargetContext is the escaped-to execution context type.
	TargetContext ExecutionEnvironmentType `json:"targetContext"`

	// TargetPrivilegeLevel is the privilege level after escape.
	TargetPrivilegeLevel ExecutionPrivilegeLevel `json:"targetPrivilegeLevel,omitempty"`

	// Mechanism describes the technical mechanism of escape.
	Mechanism string `json:"mechanism,omitempty"`

	// Prerequisites lists conditions required for the escape.
	Prerequisites []string `json:"prerequisites,omitempty"`

	// CWEIDs lists applicable CWE identifiers.
	CWEIDs []string `json:"cweIds,omitempty"`

	// MITRETechnique is the MITRE ATT&CK technique ID.
	MITRETechnique string `json:"mitreTechnique,omitempty"`

	// Mitigations lists controls that prevent this escape.
	Mitigations []string `json:"mitigations,omitempty"`
}

EscapeVector describes a potential escape path from a sandboxed context.

type ExecutionContext added in v0.7.0 

type ExecutionContext struct {
	// EnvironmentType indicates where the code executes.
	EnvironmentType ExecutionEnvironmentType `json:"environmentType"`

	// PrivilegeLevel indicates the execution privileges.
	PrivilegeLevel ExecutionPrivilegeLevel `json:"privilegeLevel"`

	// User is the user account under which code executes.
	User string `json:"user,omitempty"`

	// Groups lists the groups the execution context belongs to.
	Groups []string `json:"groups,omitempty"`

	// ProcessName is the name of the executing process.
	ProcessName string `json:"processName,omitempty"`

	// WorkingDirectory is the working directory for execution.
	WorkingDirectory string `json:"workingDirectory,omitempty"`

	// EnvironmentVariables lists environment variables available.
	EnvironmentVariables []string `json:"environmentVariables,omitempty"`

	// Capabilities lists Linux capabilities (if applicable).
	Capabilities []string `json:"capabilities,omitempty"`

	// SELinuxContext is the SELinux context (if applicable).
	SELinuxContext string `json:"selinuxContext,omitempty"`

	// AppArmorProfile is the AppArmor profile (if applicable).
	AppArmorProfile string `json:"appArmorProfile,omitempty"`

	// SeccompProfile indicates the seccomp profile (if applicable).
	SeccompProfile string `json:"seccompProfile,omitempty"`

	// ContainerInfo contains container-specific details.
	ContainerInfo *ContainerExecutionInfo `json:"containerInfo,omitempty"`

	// BrowserInfo contains browser-specific details.
	BrowserInfo *BrowserExecutionInfo `json:"browserInfo,omitempty"`

	// NetworkAccess describes network access from this context.
	NetworkAccess *ExecutionNetworkAccess `json:"networkAccess,omitempty"`

	// FilesystemAccess describes filesystem access from this context.
	FilesystemAccess *ExecutionFilesystemAccess `json:"filesystemAccess,omitempty"`

	// EscapeVectors describes potential escape paths from this context.
	EscapeVectors []EscapeVector `json:"escapeVectors,omitempty"`
}

ExecutionContext describes the context in which code is executed, which is critical for understanding the impact of RCE vulnerabilities.

func (*ExecutionContext) CanEscapeToHost added in v0.7.0 

func (ec *ExecutionContext) CanEscapeToHost() bool

CanEscapeToHost returns true if there's a known escape vector to host context.

func (*ExecutionContext) GetPrivilegeEscalationPaths added in v0.7.0 

func (ec *ExecutionContext) GetPrivilegeEscalationPaths() []EscapeVector

GetPrivilegeEscalationPaths returns escape vectors that result in higher privileges.

func (*ExecutionContext) IsPrivileged added in v0.7.0 

func (ec *ExecutionContext) IsPrivileged() bool

IsPrivileged returns true if the execution context has elevated privileges.

func (*ExecutionContext) IsSandboxed added in v0.7.0 

func (ec *ExecutionContext) IsSandboxed() bool

IsSandboxed returns true if the execution context has some form of sandboxing.

type ExecutionEnvironmentType added in v0.7.0 

type ExecutionEnvironmentType string

ExecutionEnvironmentType indicates the type of execution environment. 

const (
	// EnvTypeHost indicates execution directly on the host OS.
	EnvTypeHost ExecutionEnvironmentType = "host"

	// EnvTypeContainer indicates execution within a container.
	EnvTypeContainer ExecutionEnvironmentType = "container"

	// EnvTypeVM indicates execution within a virtual machine.
	EnvTypeVM ExecutionEnvironmentType = "vm"

	// EnvTypeBrowser indicates execution within a browser context.
	EnvTypeBrowser ExecutionEnvironmentType = "browser"

	// EnvTypeServerless indicates execution in a serverless environment.
	EnvTypeServerless ExecutionEnvironmentType = "serverless"

	// EnvTypeSandbox indicates execution in an application sandbox.
	EnvTypeSandbox ExecutionEnvironmentType = "sandbox"
)

func (ExecutionEnvironmentType) JSONSchema added in v0.7.0 

func (ExecutionEnvironmentType) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for ExecutionEnvironmentType.

type ExecutionFilesystemAccess added in v0.7.0 

type ExecutionFilesystemAccess struct {
	// ReadPaths lists paths with read access.
	ReadPaths []string `json:"readPaths,omitempty"`

	// WritePaths lists paths with write access.
	WritePaths []string `json:"writePaths,omitempty"`

	// ExecutePaths lists paths with execute access.
	ExecutePaths []string `json:"executePaths,omitempty"`

	// MountPoints lists accessible mount points.
	MountPoints []string `json:"mountPoints,omitempty"`

	// TempDirectory is the temporary directory path.
	TempDirectory string `json:"tempDirectory,omitempty"`
}

ExecutionFilesystemAccess describes filesystem capabilities.

type ExecutionNetworkAccess added in v0.7.0 

type ExecutionNetworkAccess struct {
	// CanAccessInternet indicates whether the context can reach the internet.
	CanAccessInternet bool `json:"canAccessInternet,omitempty"`

	// CanAccessLocalhost indicates whether the context can access localhost.
	CanAccessLocalhost bool `json:"canAccessLocalhost,omitempty"`

	// CanAccessInternalNetwork indicates whether internal networks are reachable.
	CanAccessInternalNetwork bool `json:"canAccessInternalNetwork,omitempty"`

	// AllowedPorts lists ports that can be accessed.
	AllowedPorts []int `json:"allowedPorts,omitempty"`

	// BlockedPorts lists ports that are blocked.
	BlockedPorts []int `json:"blockedPorts,omitempty"`

	// DNSAccess indicates whether DNS resolution is available.
	DNSAccess bool `json:"dnsAccess,omitempty"`
}

ExecutionNetworkAccess describes network capabilities from an execution context.

type ExecutionPrivilegeLevel added in v0.7.0 

type ExecutionPrivilegeLevel string

ExecutionPrivilegeLevel indicates the privilege level of code execution. 

const (
	// PrivilegeLevelRoot indicates root/administrator privileges.
	PrivilegeLevelRoot ExecutionPrivilegeLevel = "root"

	// PrivilegeLevelAdmin indicates administrator privileges (non-root).
	PrivilegeLevelAdmin ExecutionPrivilegeLevel = "admin"

	// PrivilegeLevelUser indicates standard user privileges.
	PrivilegeLevelUser ExecutionPrivilegeLevel = "user"

	// PrivilegeLevelService indicates service account privileges.
	PrivilegeLevelService ExecutionPrivilegeLevel = "service"

	// PrivilegeLevelRestricted indicates restricted/sandboxed privileges.
	PrivilegeLevelRestricted ExecutionPrivilegeLevel = "restricted"

	// PrivilegeLevelNone indicates no code execution capability.
	PrivilegeLevelNone ExecutionPrivilegeLevel = "none"
)

func (ExecutionPrivilegeLevel) JSONSchema added in v0.7.0 

func (ExecutionPrivilegeLevel) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for ExecutionPrivilegeLevel.

type ExploitDifficulty added in v0.6.0 

type ExploitDifficulty string

ExploitDifficulty indicates how difficult it is to exploit a vulnerability. 

const (
	ExploitDifficultyTrivial ExploitDifficulty = "trivial"
	ExploitDifficultyLow     ExploitDifficulty = "low"
	ExploitDifficultyMedium  ExploitDifficulty = "medium"
	ExploitDifficultyHigh    ExploitDifficulty = "high"
	ExploitDifficultyExpert  ExploitDifficulty = "expert"
)

func (ExploitDifficulty) JSONSchema added in v0.6.0 

func (ExploitDifficulty) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for ExploitDifficulty.

type ExploitationGuidance added in v0.6.0 

type ExploitationGuidance struct {
	// Prerequisites lists conditions that must be true for exploitation.
	// Example: "Target must have WebSocket gateway enabled on localhost:9999"
	Prerequisites []string `json:"prerequisites,omitempty"`

	// ExploitationSteps provides ordered steps for exploiting the vulnerability.
	ExploitationSteps []ExploitationStep `json:"exploitationSteps,omitempty"`

	// Tools lists offensive security tools useful for testing.
	Tools []OffensiveTool `json:"tools,omitempty"`

	// PayloadPatterns provides generic payload templates for testing.
	// Note: These are patterns, not actual exploits.
	PayloadPatterns []PayloadPattern `json:"payloadPatterns,omitempty"`

	// SuccessIndicators describes how to verify successful exploitation.
	SuccessIndicators []string `json:"successIndicators,omitempty"`

	// Difficulty indicates the overall exploitation difficulty.
	Difficulty ExploitDifficulty `json:"difficulty,omitempty"`

	// TestRefs links to app-test-spec test cases for automated validation.
	TestRefs []TestReference `json:"testRefs,omitempty"`

	// Notes provides additional guidance for penetration testers.
	Notes string `json:"notes,omitempty"`

	// TimeToExploit is an estimate of exploitation time (e.g., "< 1 minute").
	TimeToExploit string `json:"timeToExploit,omitempty"`

	// SkillLevel indicates the required attacker skill level.
	SkillLevel string `json:"skillLevel,omitempty"`
}

ExploitationGuidance provides red team/offensive security guidance for testing and validating vulnerabilities.

type ExploitationStep added in v0.6.0 

type ExploitationStep struct {
	// Step is the sequence number (1, 2, 3...).
	Step int `json:"step"`

	// Action describes what the attacker does.
	Action string `json:"action"`

	// Description provides detailed explanation of this step.
	Description string `json:"description,omitempty"`

	// Tool identifies the tool used for this step (if any).
	Tool string `json:"tool,omitempty"`

	// Example provides a concrete command or code example.
	// Note: Examples should be educational, not weaponized.
	Example string `json:"example,omitempty"`

	// ExpectedResult describes what should happen after this step.
	ExpectedResult string `json:"expectedResult,omitempty"`

	// MITRETechnique is the MITRE ATT&CK technique ID (e.g., T1110).
	MITRETechnique string `json:"mitreTechnique,omitempty"`
}

ExploitationStep represents a single step in an exploitation process.

type FAIRAssessment added in v0.6.0 

type FAIRAssessment struct {
	// Loss Event Frequency (LEF) components
	ThreatEventFrequency *FrequencyEstimate `json:"threatEventFrequency,omitempty"`
	Vulnerability        *Percentage        `json:"vulnerability,omitempty"`

	// Loss Magnitude (LM) components
	PrimaryLoss   *LossEstimate `json:"primaryLoss,omitempty"`
	SecondaryLoss *LossEstimate `json:"secondaryLoss,omitempty"`

	// Derived values (can be calculated or provided)
	AnnualizedLossExpectancy *Currency `json:"annualizedLossExpectancy,omitempty"`
	RiskScore                float64   `json:"riskScore,omitempty"`

	// Metadata
	AssessmentDate string `json:"assessmentDate,omitempty"`
	Assessor       string `json:"assessor,omitempty"`
	Notes          string `json:"notes,omitempty"`
}

FAIRAssessment represents a Factor Analysis of Information Risk (FAIR) assessment for quantifying risk in monetary or probabilistic terms.

func (*FAIRAssessment) CalculateALE added in v0.6.0 

func (f *FAIRAssessment) CalculateALE() *Currency

CalculateALE calculates the Annualized Loss Expectancy from FAIR components. ALE = TEF × Vulnerability × (Primary LM + Secondary LM) This uses the "most likely" values for a simple point estimate. For Monte Carlo simulation, use the full distributions.

func (*FAIRAssessment) CalculateALERange added in v0.6.0 

func (f *FAIRAssessment) CalculateALERange() (*Currency, *Currency)

CalculateALERange calculates the min/max range for ALE. Returns (min ALE, max ALE).

type Flow 

type Flow struct {
	// From is the source element ID.
	From string `json:"from"`

	// To is the destination element ID.
	To string `json:"to"`

	// Label describes the flow.
	Label string `json:"label,omitempty"`

	// Type identifies the flow type (normal, attack, exfil).
	Type FlowType `json:"type,omitempty"`

	// Bidirectional indicates if the flow goes both ways.
	Bidirectional bool `json:"bidirectional,omitempty"`

	// Protocol specifies the transport protocol (http, https, ws, wss, grpc, tcp, etc.).
	Protocol string `json:"protocol,omitempty"`

	// Encrypted indicates whether the flow is encrypted.
	Encrypted bool `json:"encrypted,omitempty"`

	// Authenticated indicates whether the flow requires authentication.
	Authenticated bool `json:"authenticated,omitempty"`

	// CrossOrigin indicates whether this is a cross-origin flow.
	// Relevant for browser-initiated flows like WebSocket connections.
	CrossOrigin bool `json:"crossOrigin,omitempty"`

	// CredentialFlowID links this flow to a CredentialFlow for token tracking.
	CredentialFlowID string `json:"credentialFlowId,omitempty"`

	// DataClassification indicates the sensitivity of data in this flow.
	DataClassification AssetClassification `json:"dataClassification,omitempty"`

	// CWEIDs lists applicable CWE identifiers if this flow has vulnerabilities.
	CWEIDs []string `json:"cweIds,omitempty"`
}

Flow represents a data flow between elements.

type FlowType 

type FlowType string

FlowType identifies the type of data flow or attack flow. 

const (
	FlowTypeNormal FlowType = "normal"
	FlowTypeAttack FlowType = "attack"
	FlowTypeExfil  FlowType = "exfil"

	// FlowTypeCredential indicates credential/token transmission.
	FlowTypeCredential FlowType = "credential"

	// FlowTypeWebSocket indicates a WebSocket connection.
	FlowTypeWebSocket FlowType = "websocket"

	// FlowTypeCSWSH indicates a Cross-Site WebSocket Hijacking flow.
	FlowTypeCSWSH FlowType = "cswsh"

	// FlowTypeLateral indicates lateral movement within a network.
	FlowTypeLateral FlowType = "lateral"
)

func (FlowType) JSONSchema 

func (FlowType) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for FlowType.

type FrequencyEstimate added in v0.6.0 

type FrequencyEstimate struct {
	Min        float64    `json:"min"`                  // Minimum expected occurrences per year
	Max        float64    `json:"max"`                  // Maximum expected occurrences per year
	MostLikely float64    `json:"mostLikely"`           // Most likely occurrences per year
	Confidence Confidence `json:"confidence,omitempty"` // Confidence level in the estimate
}

FrequencyEstimate represents a probabilistic estimate for event frequency. Used for Threat Event Frequency (TEF) and other frequency components.

type GraphEdge added in v0.6.0 

type GraphEdge struct {
	// ID is the unique identifier for this edge
	ID string `json:"id"`

	// Source is the ID of the source node
	Source string `json:"source"`

	// Target is the ID of the target node
	Target string `json:"target"`

	// Type identifies the edge relationship type
	Type GraphEdgeType `json:"type"`

	// Label describes the edge
	Label string `json:"label,omitempty"`

	// Weight represents the traversal cost/risk (higher = more costly/risky)
	Weight float64 `json:"weight,omitempty"`

	// Properties contains additional edge-specific data
	Properties map[string]interface{} `json:"properties,omitempty"`
}

GraphEdge represents a directed edge in the attack graph

type GraphEdgeType added in v0.6.0 

type GraphEdgeType string

GraphEdgeType represents the type of edge in an attack graph 

const (
	GraphEdgeTypeFlow       GraphEdgeType = "flow"
	GraphEdgeTypeAttack     GraphEdgeType = "attack"
	GraphEdgeTypeMitigation GraphEdgeType = "mitigation"
	GraphEdgeTypeThreat     GraphEdgeType = "threat"
	GraphEdgeTypeAccess     GraphEdgeType = "access"
)

type GraphNode added in v0.6.0 

type GraphNode struct {
	// ID is the unique identifier for this node
	ID string `json:"id"`

	// Type identifies what kind of node this is
	Type GraphNodeType `json:"type"`

	// Label is the human-readable name
	Label string `json:"label"`

	// RiskScore is the node's inherent risk (0-10)
	RiskScore float64 `json:"riskScore,omitempty"`

	// Properties contains additional node-specific data
	Properties map[string]interface{} `json:"properties,omitempty"`
}

GraphNode represents a node in the attack graph

type GraphNodeType added in v0.6.0 

type GraphNodeType string

GraphNodeType represents the type of node in an attack graph 

const (
	GraphNodeTypeElement GraphNodeType = "element"
	GraphNodeTypeThreat  GraphNodeType = "threat"
	GraphNodeTypeControl GraphNodeType = "control"
	GraphNodeTypeAsset   GraphNodeType = "asset"
	GraphNodeTypeActor   GraphNodeType = "actor"
)

type HuntingQuery added in v0.6.0 

type HuntingQuery struct {
	// Name is the query name.
	Name string `json:"name"`

	// Description explains what this query hunts for.
	Description string `json:"description,omitempty"`

	// Platform identifies the query platform (splunk, elastic, kql, etc.).
	Platform DetectionFormat `json:"platform"`

	// Query is the actual query string.
	Query string `json:"query"`

	// Hypothesis describes the threat hypothesis being tested.
	Hypothesis string `json:"hypothesis,omitempty"`

	// DataSources lists required data sources.
	DataSources []string `json:"dataSources,omitempty"`

	// MITRETechniques lists related MITRE ATT&CK techniques.
	MITRETechniques []string `json:"mitreTechniques,omitempty"`

	// ExpectedResults describes what results indicate a positive finding.
	ExpectedResults string `json:"expectedResults,omitempty"`

	// Author is the query author.
	Author string `json:"author,omitempty"`
}

HuntingQuery provides a proactive threat hunting query.

type IOC added in v0.6.0 

type IOC struct {
	// Type identifies the IOC type (ip, domain, hash, etc.).
	Type IOCType `json:"type"`

	// Value is the IOC value.
	Value string `json:"value"`

	// Description explains what this IOC indicates.
	Description string `json:"description,omitempty"`

	// Confidence indicates the confidence level (high, medium, low).
	Confidence string `json:"confidence,omitempty"`

	// ValidUntil is the expiration date for this IOC (ISO 8601 format).
	ValidUntil string `json:"validUntil,omitempty"`

	// Source identifies where this IOC came from.
	Source string `json:"source,omitempty"`

	// MalwareFamily identifies the associated malware family (if any).
	MalwareFamily string `json:"malwareFamily,omitempty"`

	// ThreatActor identifies the associated threat actor (if any).
	ThreatActor string `json:"threatActor,omitempty"`

	// Tags are metadata tags for categorization.
	Tags []string `json:"tags,omitempty"`
}

IOC represents an Indicator of Compromise.

func (*IOC) ToSTIXIndicator added in v0.6.0 

func (ioc *IOC) ToSTIXIndicator(createdByRef string) *STIXIndicator

ToSTIXIndicator converts an IOC to a STIX 2.1 Indicator object.

type IOCType added in v0.6.0 

type IOCType string

IOCType identifies the type of Indicator of Compromise. 

const (
	IOCTypeIP       IOCType = "ip"
	IOCTypeDomain   IOCType = "domain"
	IOCTypeURL      IOCType = "url"
	IOCTypeHash     IOCType = "hash"
	IOCTypeFilepath IOCType = "filepath"
	IOCTypeEmail    IOCType = "email"
	IOCTypeRegistry IOCType = "registry"
	IOCTypeProcess  IOCType = "process"
	IOCTypeCert     IOCType = "certificate"
	IOCTypePattern  IOCType = "pattern"
)

func (IOCType) JSONSchema added in v0.6.0 

func (IOCType) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for IOCType.

type ISO27001Mapping added in v0.4.0 

type ISO27001Mapping struct {
	// ControlID is the control reference (e.g., "A.5.1", "A.9.2.3").
	ControlID string `json:"controlId"`

	// ControlName is the control title.
	ControlName string `json:"controlName,omitempty"`

	// Domain is the control domain (e.g., "A.5 Information security policies").
	Domain string `json:"domain,omitempty"`

	// Objective is the control objective.
	Objective string `json:"objective,omitempty"`

	// Description explains how this control applies to the threat model.
	Description string `json:"description,omitempty"`

	// URL is a link to the ISO 27001 documentation.
	URL string `json:"url,omitempty"`
}

ISO27001Mapping represents an ISO/IEC 27001 control reference.

type IncidentPlaybook added in v0.6.0 

type IncidentPlaybook struct {
	// ID is the unique identifier for this playbook.
	ID string `json:"id"`

	// Name is the playbook name.
	Name string `json:"name"`

	// Description provides an overview of this playbook.
	Description string `json:"description,omitempty"`

	// ThreatType identifies the type of threat this playbook addresses.
	ThreatType string `json:"threatType,omitempty"`

	// Severity indicates the incident severity this playbook handles.
	Severity string `json:"severity,omitempty"`

	// Steps contains the ordered response steps.
	Steps []PlaybookStep `json:"steps,omitempty"`

	// Contacts lists people/teams to contact during the incident.
	Contacts []Contact `json:"contacts,omitempty"`

	// Tools lists tools needed for incident response.
	Tools []string `json:"tools,omitempty"`

	// References lists external resources.
	References []string `json:"references,omitempty"`

	// MITRETechniques lists MITRE ATT&CK techniques this playbook addresses.
	MITRETechniques []string `json:"mitreTechniques,omitempty"`

	// SLAMinutes is the expected response time SLA in minutes.
	SLAMinutes int `json:"slaMinutes,omitempty"`

	// LastReviewed is the date this playbook was last reviewed.
	LastReviewed string `json:"lastReviewed,omitempty"`

	// Owner is the team or person responsible for this playbook.
	Owner string `json:"owner,omitempty"`

	// Tags are metadata tags for categorization.
	Tags []string `json:"tags,omitempty"`
}

IncidentPlaybook describes incident response procedures for a threat.

type KEVCatalog added in v0.6.0 

type KEVCatalog struct {
	Entries       map[string]KEVEntry `json:"entries"`                 // CVE ID -> KEV entry
	CatalogDate   string              `json:"catalogDate,omitempty"`   // Date of catalog snapshot
	CatalogSource string              `json:"catalogSource,omitempty"` // Source URL or identifier
	Count         int                 `json:"count,omitempty"`         // Total number of entries
}

KEVCatalog provides lookup functionality for CISA KEV entries. This can be populated from the CISA KEV JSON feed or embedded data.

func NewKEVCatalog added in v0.6.0 

func NewKEVCatalog() *KEVCatalog

NewKEVCatalog creates a new empty KEV catalog.

func NewSampleKEVCatalog added in v0.6.0 

func NewSampleKEVCatalog() *KEVCatalog

NewSampleKEVCatalog creates a KEV catalog with sample entries for testing.

func (*KEVCatalog) AddEntry added in v0.6.0 

func (c *KEVCatalog) AddEntry(entry KEVEntry)

AddEntry adds a KEV entry to the catalog.

func (*KEVCatalog) GetKEVEntry added in v0.6.0 

func (c *KEVCatalog) GetKEVEntry(cveID string) *KEVEntry

GetKEVEntry returns the KEV entry for a given CVE ID, or nil if not found.

func (*KEVCatalog) GetKEVStatus added in v0.6.0 

func (c *KEVCatalog) GetKEVStatus(cveID string) *KEVStatus

GetKEVStatus returns the KEV status for a CVE ID. This provides a summary suitable for inclusion in threat model reports.

func (*KEVCatalog) GetPastDueVulnerabilities added in v0.6.0 

func (c *KEVCatalog) GetPastDueVulnerabilities() []KEVEntry

GetPastDueVulnerabilities returns all KEV entries that are past their due date.

func (*KEVCatalog) GetRansomwareVulnerabilities added in v0.6.0 

func (c *KEVCatalog) GetRansomwareVulnerabilities() []KEVEntry

GetRansomwareVulnerabilities returns all KEV entries used in ransomware campaigns.

func (*KEVCatalog) GetVulnerabilitiesByVendor added in v0.6.0 

func (c *KEVCatalog) GetVulnerabilitiesByVendor(vendor string) []KEVEntry

GetVulnerabilitiesByVendor returns all KEV entries for a specific vendor.

func (*KEVCatalog) IsInKEV added in v0.6.0 

func (c *KEVCatalog) IsInKEV(cveID string) bool

IsInKEV returns true if the CVE is in the KEV catalog.

type KEVEntry added in v0.6.0 

type KEVEntry struct {
	CVEID             string `json:"cveId"`                      // CVE identifier (e.g., "CVE-2024-1234")
	VendorProject     string `json:"vendorProject"`              // Vendor or project name
	Product           string `json:"product"`                    // Product name
	VulnerabilityName string `json:"vulnerabilityName"`          // Brief vulnerability name
	DateAdded         string `json:"dateAdded"`                  // Date added to KEV catalog (YYYY-MM-DD)
	ShortDescription  string `json:"shortDescription"`           // Brief vulnerability description
	RequiredAction    string `json:"requiredAction"`             // Required remediation action
	DueDate           string `json:"dueDate"`                    // Federal agency due date for remediation (YYYY-MM-DD)
	KnownRansomware   bool   `json:"knownRansomwareCampaignUse"` // Used in ransomware campaigns
	Notes             string `json:"notes,omitempty"`            // Additional notes
}

KEVEntry represents an entry from CISA's Known Exploited Vulnerabilities (KEV) catalog. The KEV catalog contains vulnerabilities that have been actively exploited in the wild.

func (*KEVEntry) DaysUntilDue added in v0.6.0 

func (k *KEVEntry) DaysUntilDue() int

DaysUntilDue returns the number of days until the due date. Returns negative values if past due, 0 if due today.

func (*KEVEntry) IsPastDue added in v0.6.0 

func (k *KEVEntry) IsPastDue() bool

IsPastDue returns true if the due date has passed.

type KEVStatus added in v0.6.0 

type KEVStatus struct {
	InKEV           bool   `json:"inKev"`                     // Whether the CVE is in KEV
	KnownRansomware bool   `json:"knownRansomware,omitempty"` // Used in ransomware campaigns
	DateAdded       string `json:"dateAdded,omitempty"`       // Date added to KEV
	DueDate         string `json:"dueDate,omitempty"`         // Remediation due date
	IsPastDue       bool   `json:"isPastDue,omitempty"`       // Whether past due date
	RequiredAction  string `json:"requiredAction,omitempty"`  // Required action
}

KEVStatus represents the KEV status for a CVE.

type LINDDUNMapping added in v0.4.0 

type LINDDUNMapping struct {
	// Category is the LINDDUN category (L, I, N, D, Di, U, Nc).
	Category LINDDUNThreat `json:"category"`

	// Name is the full name (e.g., "Linkability", "Identifiability").
	Name string `json:"name,omitempty"`

	// Description explains how this privacy threat applies.
	Description string `json:"description,omitempty"`

	// AffectedDataTypes lists the types of personal data affected.
	// Examples: "PII", "PHI", "financial", "biometric", "location".
	AffectedDataTypes []string `json:"affectedDataTypes,omitempty"`

	// AffectedComponents lists the component IDs affected by this threat.
	AffectedComponents []string `json:"affectedComponents,omitempty"`

	// DataSubjects identifies the categories of data subjects affected.
	// Examples: "customers", "employees", "patients", "minors".
	DataSubjects []string `json:"dataSubjects,omitempty"`

	// PrivacyPrinciple identifies the privacy principle violated.
	// Examples: "data minimization", "purpose limitation", "consent".
	PrivacyPrinciple string `json:"privacyPrinciple,omitempty"`
}

LINDDUNMapping represents a LINDDUN privacy threat mapping with details.

type LINDDUNThreat added in v0.4.0 

type LINDDUNThreat string

LINDDUNThreat identifies a LINDDUN privacy threat category. LINDDUN is a privacy threat modeling framework that complements STRIDE. 

const (
	// LINDDUNLinkability - Ability to link two or more items of interest.
	LINDDUNLinkability LINDDUNThreat = "L"

	// LINDDUNIdentifiability - Ability to identify a subject from a set of subjects.
	LINDDUNIdentifiability LINDDUNThreat = "I"

	// LINDDUNNonRepudiation - Inability to deny an action or involvement.
	LINDDUNNonRepudiation LINDDUNThreat = "N"

	// LINDDUNDetectability - Ability to detect the existence of an item of interest.
	LINDDUNDetectability LINDDUNThreat = "D"

	// LINDDUNDisclosure - Exposure of information to unauthorized parties.
	LINDDUNDisclosure LINDDUNThreat = "Di"

	// LINDDUNUnawareness - Lack of awareness of data processing activities.
	LINDDUNUnawareness LINDDUNThreat = "U"

	// LINDDUNNonCompliance - Failure to comply with legislation, regulation, or policy.
	LINDDUNNonCompliance LINDDUNThreat = "Nc"
)

func (LINDDUNThreat) JSONSchema added in v0.4.0 

func (LINDDUNThreat) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for LINDDUNThreat.

type Legend 

type Legend struct {
	// Show controls whether the legend is displayed.
	Show bool `json:"show"`

	// ShowSTRIDE includes STRIDE threat legend.
	ShowSTRIDE bool `json:"showStride,omitempty"`

	// ShowLINDDUN includes LINDDUN privacy threat legend.
	ShowLINDDUN bool `json:"showLinddun,omitempty"`

	// ShowMITRE includes MITRE ATT&CK tactic legend.
	ShowMITRE bool `json:"showMitre,omitempty"`

	// ShowAssets includes asset classification legend.
	ShowAssets bool `json:"showAssets,omitempty"`

	// ShowElements includes element type legend.
	ShowElements bool `json:"showElements,omitempty"`

	// ShowBoundaries includes boundary type legend.
	ShowBoundaries bool `json:"showBoundaries,omitempty"`

	// ShowMitigations includes mitigation status legend.
	ShowMitigations bool `json:"showMitigations,omitempty"`
}

Legend configures the diagram legend.

type Library added in v0.6.0 

type Library struct {
	// Name is the library name (e.g., "validator", "helmet", "sanitize-html").
	Name string `json:"name"`

	// Language is the programming language.
	Language string `json:"language"`

	// Purpose describes what the library helps with.
	Purpose string `json:"purpose"`

	// URL is a link to the library's website or repository.
	URL string `json:"url,omitempty"`

	// Examples shows example usage of the library.
	Examples []string `json:"examples,omitempty"`

	// Version is the recommended minimum version.
	Version string `json:"version,omitempty"`

	// InstallCommand shows how to install the library.
	InstallCommand string `json:"installCommand,omitempty"`

	// License is the library's license.
	License string `json:"license,omitempty"`

	// Alternatives lists alternative libraries.
	Alternatives []string `json:"alternatives,omitempty"`
}

Library represents a recommended library for vulnerability mitigation.

type LogSource added in v0.6.0 

type LogSource struct {
	// Name is the log source name.
	Name string `json:"name"`

	// Description explains what this log source contains.
	Description string `json:"description,omitempty"`

	// EventIDs lists relevant event IDs (e.g., Windows Event IDs).
	EventIDs []string `json:"eventIds,omitempty"`

	// Fields lists important fields to examine in logs.
	Fields []string `json:"fields,omitempty"`

	// Category categorizes the log source (e.g., "webserver", "authentication", "process").
	Category string `json:"category,omitempty"`

	// Platform indicates the platform (e.g., "windows", "linux", "cloud").
	Platform string `json:"platform,omitempty"`

	// RetentionDays is the recommended log retention period.
	RetentionDays int `json:"retentionDays,omitempty"`
}

LogSource describes a log source useful for detection.

type LossEstimate added in v0.6.0 

type LossEstimate struct {
	Min        float64  `json:"min"`                // Minimum expected loss
	Max        float64  `json:"max"`                // Maximum expected loss
	MostLikely float64  `json:"mostLikely"`         // Most likely loss
	Currency   Currency `json:"currency,omitempty"` // Currency for loss values (defaults to USD)
}

LossEstimate represents a monetary loss estimate with uncertainty bounds. Used for Primary Loss Magnitude (PLM) and Secondary Loss Magnitude (SLM).

type MITREATLASMapping 

type MITREATLASMapping struct {
	// TacticID is the tactic ID (e.g., "AML.TA0002").
	TacticID string `json:"tacticId"`

	// TacticName is the human-readable tactic name.
	TacticName string `json:"tacticName,omitempty"`

	// TechniqueID is the technique ID (e.g., "AML.T0024").
	TechniqueID string `json:"techniqueId"`

	// TechniqueName is the human-readable technique name.
	TechniqueName string `json:"techniqueName,omitempty"`

	// Description explains how this technique applies.
	Description string `json:"description,omitempty"`

	// URL is the link to the ATLAS page.
	URL string `json:"url,omitempty"`
}

MITREATLASMapping represents a MITRE ATLAS (AI/ML) technique reference.

type MITREAttackMapping 

type MITREAttackMapping struct {
	// TacticID is the tactic ID (e.g., "TA0001").
	TacticID string `json:"tacticId"`

	// TacticName is the human-readable tactic name (e.g., "Initial Access").
	TacticName string `json:"tacticName,omitempty"`

	// TechniqueID is the technique ID (e.g., "T1189").
	TechniqueID string `json:"techniqueId"`

	// TechniqueName is the human-readable technique name (e.g., "Drive-by Compromise").
	TechniqueName string `json:"techniqueName,omitempty"`

	// SubTechniqueID is the sub-technique ID (e.g., "T1189.001"), if applicable.
	SubTechniqueID string `json:"subTechniqueId,omitempty"`

	// Description explains how this technique applies to the threat model.
	Description string `json:"description,omitempty"`

	// URL is the link to the ATT&CK page.
	URL string `json:"url,omitempty"`
}

MITREAttackMapping represents a MITRE ATT&CK technique reference.

type MITRETactic 

type MITRETactic string

MITRETactic identifies a MITRE ATT&CK tactic. 

const (
	MITREInitialAccess     MITRETactic = "TA0001"
	MITREExecution         MITRETactic = "TA0002"
	MITREPersistence       MITRETactic = "TA0003"
	MITREPrivilegeEsc      MITRETactic = "TA0004"
	MITREDefenseEvasion    MITRETactic = "TA0005"
	MITRECredentialAccess  MITRETactic = "TA0006"
	MITREDiscovery         MITRETactic = "TA0007"
	MITRELateralMovement   MITRETactic = "TA0008"
	MITRECollection        MITRETactic = "TA0009"
	MITREExfiltration      MITRETactic = "TA0010"
	MITRECommandAndControl MITRETactic = "TA0011"
	MITREImpact            MITRETactic = "TA0040"
)

func (MITRETactic) JSONSchema 

func (MITRETactic) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for MITRETactic.

type Mappings 

type Mappings struct {
	// MITREAttack contains MITRE ATT&CK technique mappings.
	MITREAttack []MITREAttackMapping `json:"mitreAttack,omitempty"`

	// MITREATLAS contains MITRE ATLAS (AI-specific) technique mappings.
	MITREATLAS []MITREATLASMapping `json:"mitreAtlas,omitempty"`

	// OWASP contains OWASP Top 10 mappings (API, LLM, Web).
	OWASP []OWASPMapping `json:"owasp,omitempty"`

	// CWE contains Common Weakness Enumeration mappings.
	CWE []CWEMapping `json:"cwe,omitempty"`

	// CVE contains Common Vulnerabilities and Exposures references.
	CVE []CVEMapping `json:"cve,omitempty"`

	// CVSS contains the CVSS vector string and score.
	CVSS *CVSSMapping `json:"cvss,omitempty"`

	// STRIDE contains STRIDE threat category mappings.
	STRIDE []STRIDEMapping `json:"stride,omitempty"`

	// LINDDUN contains LINDDUN privacy threat mappings.
	LINDDUN []LINDDUNMapping `json:"linddun,omitempty"`

	// Controls contains security control framework mappings (NIST CSF, CIS, ISO 27001).
	Controls *Controls `json:"controls,omitempty"`

	// Compliance contains regulatory compliance framework mappings.
	Compliance []ComplianceMapping `json:"compliance,omitempty"`
}

Mappings contains references to external security frameworks. This allows threat models to be mapped to industry-standard frameworks for compliance, reporting, and interoperability.

type Message 

type Message struct {
	// Seq is the sequence number (1, 2, 3...).
	Seq int `json:"seq"`

	// From is the source actor ID.
	From string `json:"from"`

	// To is the destination actor ID.
	To string `json:"to"`

	// Label describes the message.
	Label string `json:"label"`

	// Type identifies the message type (normal, attack, exfil).
	Type FlowType `json:"type,omitempty"`

	// MITRETechnique is the MITRE ATT&CK technique ID (if applicable).
	MITRETechnique string `json:"mitreTechnique,omitempty"`

	// Note is a self-message note (when From == To).
	Note bool `json:"note,omitempty"`
}

Message represents an interaction between actors in a sequence diagram.

type MetricDuration added in v0.6.0 

type MetricDuration struct {
	// Value is the numeric duration value.
	Value float64 `json:"value"`

	// Unit is the time unit.
	Unit MetricTimeUnit `json:"unit"`

	// Source describes where this measurement came from.
	Source string `json:"source,omitempty"`

	// Confidence indicates confidence in the measurement.
	Confidence string `json:"confidence,omitempty"`
}

MetricDuration represents a time duration for security metrics.

func (*MetricDuration) ToHours added in v0.6.0 

func (d *MetricDuration) ToHours() float64

ToHours converts the duration to hours for comparison.

func (*MetricDuration) ToMinutes added in v0.6.0 

func (d *MetricDuration) ToMinutes() float64

ToMinutes converts the duration to minutes for comparison.

type MetricTimeUnit added in v0.6.0 

type MetricTimeUnit string

MetricTimeUnit represents time units for metrics. 

const (
	MetricTimeUnitSeconds MetricTimeUnit = "seconds"
	MetricTimeUnitMinutes MetricTimeUnit = "minutes"
	MetricTimeUnitHours   MetricTimeUnit = "hours"
	MetricTimeUnitDays    MetricTimeUnit = "days"
	MetricTimeUnitWeeks   MetricTimeUnit = "weeks"
)

func (MetricTimeUnit) JSONSchema added in v0.6.0 

func (MetricTimeUnit) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for MetricTimeUnit.

type MetricsBenchmark added in v0.6.0 

type MetricsBenchmark struct {
	// Category describes the industry/organization type.
	Category string `json:"category"`

	// AverageMTTD is the industry average MTTD.
	AverageMTTD *MetricDuration `json:"averageMttd,omitempty"`

	// AverageMTTR is the industry average MTTR.
	AverageMTTR *MetricDuration `json:"averageMttr,omitempty"`

	// Source is the source of benchmark data.
	Source string `json:"source,omitempty"`

	// Year is the year of the benchmark data.
	Year int `json:"year,omitempty"`
}

MetricsBenchmark provides industry benchmark comparisons for security metrics.

type MetricsComparison added in v0.6.0 

type MetricsComparison struct {
	// MTTDDelta is the difference from benchmark (negative = better).
	MTTDDelta float64 `json:"mttdDelta,omitempty"`

	// MTTDBetterThanAverage indicates if MTTD is better than benchmark.
	MTTDBetterThanAverage bool `json:"mttdBetterThanAverage,omitempty"`

	// MTTRDelta is the difference from benchmark (negative = better).
	MTTRDelta float64 `json:"mttrDelta,omitempty"`

	// MTTRBetterThanAverage indicates if MTTR is better than benchmark.
	MTTRBetterThanAverage bool `json:"mttrBetterThanAverage,omitempty"`
}

MetricsComparison holds the results of comparing metrics to benchmarks.

type Mitigation added in v0.4.0 

type Mitigation struct {
	// ID is the unique identifier for the mitigation.
	ID string `json:"id"`

	// Title is a brief description of the mitigation.
	Title string `json:"title"`

	// Description provides detailed information about the mitigation.
	Description string `json:"description,omitempty"`

	// ThreatIDs lists the IDs of threats this mitigation addresses.
	// These can reference Attack steps, Flow IDs, or Element IDs.
	ThreatIDs []string `json:"threatIds,omitempty"`

	// STRIDECategories lists the STRIDE categories this mitigation addresses.
	STRIDECategories []STRIDEThreat `json:"strideCategories,omitempty"`

	// ControlID references the security control implementing this mitigation.
	// Can reference NIST CSF, CIS, or ISO 27001 control IDs.
	ControlID string `json:"controlId,omitempty"`

	// Status indicates the current implementation status.
	Status MitigationStatus `json:"status"`

	// Owner is the person or team responsible for the mitigation.
	Owner string `json:"owner,omitempty"`

	// VerifiedDate is when the mitigation was verified as effective (RFC 3339 format).
	VerifiedDate string `json:"verifiedDate,omitempty"`

	// Effectiveness describes how effective the mitigation is (high, medium, low).
	Effectiveness string `json:"effectiveness,omitempty"`

	// Notes provides additional context or implementation details.
	Notes string `json:"notes,omitempty"`
}

Mitigation represents a countermeasure or control that addresses one or more threats.

type MitigationStatus added in v0.4.0 

type MitigationStatus string

MitigationStatus represents the current state of a mitigation. 

const (
	// MitigationStatusPlanned indicates the mitigation is planned but not implemented.
	MitigationStatusPlanned MitigationStatus = "planned"

	// MitigationStatusImplemented indicates the mitigation is fully implemented.
	MitigationStatusImplemented MitigationStatus = "implemented"

	// MitigationStatusPartial indicates the mitigation is partially implemented.
	MitigationStatusPartial MitigationStatus = "partial"

	// MitigationStatusAccepted indicates the risk is accepted without mitigation.
	MitigationStatusAccepted MitigationStatus = "accepted"

	// MitigationStatusTransferred indicates the risk is transferred (e.g., insurance).
	MitigationStatusTransferred MitigationStatus = "transferred"

	// MitigationStatusNotApplicable indicates the mitigation does not apply.
	MitigationStatusNotApplicable MitigationStatus = "not-applicable"
)

func (MitigationStatus) JSONSchema added in v0.4.0 

func (MitigationStatus) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for MitigationStatus.

type ModelPhase added in v0.5.0 

type ModelPhase string

ModelPhase indicates the SDLC phase of the threat model. 

const (
	// ModelPhaseDesign indicates pre-implementation threat modeling.
	ModelPhaseDesign ModelPhase = "design"

	// ModelPhaseDevelopment indicates threat modeling during implementation.
	ModelPhaseDevelopment ModelPhase = "development"

	// ModelPhaseReview indicates a security review phase.
	ModelPhaseReview ModelPhase = "review"

	// ModelPhaseProduction indicates threat modeling of a live system.
	ModelPhaseProduction ModelPhase = "production"

	// ModelPhaseIncident indicates post-incident threat analysis.
	ModelPhaseIncident ModelPhase = "incident"
)

func (ModelPhase) JSONSchema added in v0.5.0 

func (ModelPhase) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for ModelPhase.

type Motivation added in v0.4.0 

type Motivation string

Motivation identifies the primary motivation of a threat actor. 

const (
	MotivationFinancial   Motivation = "financial"
	MotivationEspionage   Motivation = "espionage"
	MotivationDisruption  Motivation = "disruption"
	MotivationDestruction Motivation = "destruction"
	MotivationIdeological Motivation = "ideological"
	MotivationRevenge     Motivation = "revenge"
	MotivationNotoriety   Motivation = "notoriety"
	MotivationCuriosity   Motivation = "curiosity"
	MotivationCompetitive Motivation = "competitive"
)

func (Motivation) JSONSchema added in v0.4.0 

func (Motivation) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for Motivation.

type NISTCSFFunction added in v0.4.0 

type NISTCSFFunction string

NISTCSFFunction represents the five core functions of the NIST Cybersecurity Framework. 

const (
	NISTCSFIdentify NISTCSFFunction = "Identify"
	NISTCSFProtect  NISTCSFFunction = "Protect"
	NISTCSFDetect   NISTCSFFunction = "Detect"
	NISTCSFRespond  NISTCSFFunction = "Respond"
	NISTCSFRecover  NISTCSFFunction = "Recover"
)

func (NISTCSFFunction) JSONSchema added in v0.4.0 

func (NISTCSFFunction) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for NISTCSFFunction.

type NISTCSFMapping added in v0.4.0 

type NISTCSFMapping struct {
	// Function is the CSF function (Identify, Protect, Detect, Respond, Recover).
	Function NISTCSFFunction `json:"function"`

	// Category is the category ID (e.g., "ID.AM", "PR.AC").
	Category string `json:"category"`

	// CategoryName is the human-readable category name (e.g., "Asset Management").
	CategoryName string `json:"categoryName,omitempty"`

	// Subcategory is the subcategory ID (e.g., "ID.AM-1", "PR.AC-1").
	Subcategory string `json:"subcategory,omitempty"`

	// SubcategoryName is the human-readable subcategory description.
	SubcategoryName string `json:"subcategoryName,omitempty"`

	// Description explains how this control applies to the threat model.
	Description string `json:"description,omitempty"`

	// URL is a link to the NIST CSF documentation.
	URL string `json:"url,omitempty"`
}

NISTCSFMapping represents a NIST Cybersecurity Framework control reference.

type NetworkInfo added in v0.5.0 

type NetworkInfo struct {
	// Host is the hostname, IP address, or service name.
	Host string `json:"host,omitempty"`

	// Ports lists the ports exposed by this element.
	Ports []int `json:"ports,omitempty"`

	// Protocols lists the protocols used (HTTP, HTTPS, gRPC, TCP, etc.).
	Protocols []string `json:"protocols,omitempty"`

	// Zone indicates the network zone (dmz, internal, cloud, public, etc.).
	Zone string `json:"zone,omitempty"`

	// CIDR is the network CIDR block if applicable.
	CIDR string `json:"cidr,omitempty"`

	// Cloud contains cloud-specific identifiers.
	Cloud *CloudInfo `json:"cloud,omitempty"`

	// WebSocket contains WebSocket-specific security configuration.
	// Use this when the element is a WebSocket endpoint.
	WebSocket *WebSocketConfig `json:"webSocket,omitempty"`

	// AllowedOrigins lists origins permitted to connect.
	// Applicable to WebSocket and CORS-enabled HTTP endpoints.
	AllowedOrigins []string `json:"allowedOrigins,omitempty"`

	// OriginValidation indicates whether origin validation is enforced.
	OriginValidation bool `json:"originValidation,omitempty"`

	// RateLimitRPS is the rate limit in requests per second (0 = no limit).
	RateLimitRPS int `json:"rateLimitRps,omitempty"`

	// RateLimitConnections is the max concurrent connections (0 = no limit).
	RateLimitConnections int `json:"rateLimitConnections,omitempty"`
}

NetworkInfo contains network topology details for an element. This is useful for mapping DFD elements to actual network infrastructure.

type OWASPCategory 

type OWASPCategory string

OWASPCategory identifies which OWASP Top 10 list a mapping belongs to. 

const (
	OWASPCategoryAPI     OWASPCategory = "api"     // API Security Top 10 (2023)
	OWASPCategoryLLM     OWASPCategory = "llm"     // LLM Application Top 10 (2025)
	OWASPCategoryWeb     OWASPCategory = "web"     // Web Application Top 10 (2021)
	OWASPCategoryAgentic OWASPCategory = "agentic" // Agentic Applications Top 10 (ASI 2026)
)

func GetOWASPCategory added in v0.6.0 

func GetOWASPCategory(id string) OWASPCategory

GetOWASPCategory returns the category for an OWASP ID, or empty string if not found.

func (OWASPCategory) JSONSchema 

func (OWASPCategory) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for OWASPCategory.

type OWASPEntry added in v0.6.0 

type OWASPEntry struct {
	ID          string        `json:"id"`
	Name        string        `json:"name"`
	Description string        `json:"description"`
	Category    OWASPCategory `json:"category"`
	URL         string        `json:"url"`
}

OWASPEntry contains reference data for an OWASP Top 10 entry.

func GetAllOWASPEntries added in v0.6.0 

func GetAllOWASPEntries(category OWASPCategory) []OWASPEntry

GetAllOWASPEntries returns all OWASP entries for a given category.

func GetOWASPEntry added in v0.6.0 

func GetOWASPEntry(id string) *OWASPEntry

GetOWASPEntry returns the reference data for an OWASP ID, or nil if not found.

type OWASPMapping 

type OWASPMapping struct {
	// Category identifies which OWASP list (api, llm, web).
	Category OWASPCategory `json:"category"`

	// ID is the OWASP ID (e.g., "API2:2023", "LLM06:2025", "A01:2021").
	ID string `json:"id"`

	// Name is the human-readable name (e.g., "Broken Authentication").
	Name string `json:"name,omitempty"`

	// Description explains how this applies to the threat model.
	Description string `json:"description,omitempty"`

	// URL is the link to the OWASP page.
	URL string `json:"url,omitempty"`
}

OWASPMapping represents an OWASP Top 10 reference.

type OffensiveTool added in v0.6.0 

type OffensiveTool struct {
	// Name is the tool name (e.g., "Burp Suite", "sqlmap", "nuclei").
	Name string `json:"name"`

	// Purpose describes what the tool is used for.
	Purpose string `json:"purpose,omitempty"`

	// URL is a link to the tool's website or repository.
	URL string `json:"url,omitempty"`

	// Template provides a command template or configuration snippet.
	Template string `json:"template,omitempty"`

	// Category categorizes the tool (e.g., "scanner", "proxy", "fuzzer").
	Category string `json:"category,omitempty"`

	// License indicates the tool's license (e.g., "open-source", "commercial").
	License string `json:"license,omitempty"`
}

OffensiveTool describes a security testing tool.

type PathAnalysisResult added in v0.6.0 

type PathAnalysisResult struct {
	// AllPaths contains all paths found between source and target
	AllPaths []AttackPath `json:"allPaths,omitempty"`

	// ShortestPath is the path with minimum weight
	ShortestPath *AttackPath `json:"shortestPath,omitempty"`

	// CriticalPaths are paths with highest risk scores
	CriticalPaths []AttackPath `json:"criticalPaths,omitempty"`

	// ReachableNodes lists all nodes reachable from entry points
	ReachableNodes []string `json:"reachableNodes,omitempty"`

	// UnreachableTargets lists targets that cannot be reached
	UnreachableTargets []string `json:"unreachableTargets,omitempty"`
}

PathAnalysisResult contains the results of attack path analysis

type PatternCodeExample added in v0.7.0 

type PatternCodeExample struct {
	// Language is the programming language.
	Language string `json:"language"`

	// Framework is the framework (if applicable).
	Framework string `json:"framework,omitempty"`

	// Description describes the code example.
	Description string `json:"description,omitempty"`

	// Code is the example code.
	Code string `json:"code"`

	// Explanation provides detailed explanation.
	Explanation string `json:"explanation,omitempty"`
}

PatternCodeExample contains a code example for an attack pattern.

type PatternDetection added in v0.7.0 

type PatternDetection struct {
	// Name is the detection rule name.
	Name string `json:"name"`

	// Format is the detection format (sigma, yara, etc.).
	Format DetectionFormat `json:"format,omitempty"`

	// Rule is the detection rule.
	Rule string `json:"rule,omitempty"`

	// Description describes what this detects.
	Description string `json:"description,omitempty"`

	// FalsePositives lists known false positive scenarios.
	FalsePositives []string `json:"falsePositives,omitempty"`
}

PatternDetection contains a detection pattern.

type PayloadPattern added in v0.6.0 

type PayloadPattern struct {
	// Type categorizes the payload (e.g., "sqli", "xss", "ssrf", "websocket").
	Type string `json:"type"`

	// Pattern is the payload pattern or template.
	// Use placeholders like {TARGET}, {INPUT}, {PAYLOAD} for customization.
	Pattern string `json:"pattern"`

	// Description explains what this payload tests for.
	Description string `json:"description,omitempty"`

	// Variants lists variations of this payload pattern.
	Variants []string `json:"variants,omitempty"`

	// Encoding specifies any encoding applied (e.g., "base64", "url", "none").
	Encoding string `json:"encoding,omitempty"`

	// BypassTarget describes what defense this payload attempts to bypass.
	BypassTarget string `json:"bypassTarget,omitempty"`
}

PayloadPattern provides a generic pattern for security testing payloads. These are educational patterns, not weaponized exploits.

type Percentage added in v0.6.0 

type Percentage struct {
	Min        float64    `json:"min"`                  // Minimum probability (0.0 to 1.0)
	Max        float64    `json:"max"`                  // Maximum probability (0.0 to 1.0)
	MostLikely float64    `json:"mostLikely"`           // Most likely probability (0.0 to 1.0)
	Confidence Confidence `json:"confidence,omitempty"` // Confidence level in the estimate
}

Percentage represents a probability or percentage value (0.0 to 1.0). Used for Vulnerability (probability of loss event given threat event).

type Phase 

type Phase struct {
	// Name is the phase name.
	Name string `json:"name"`

	// MITRETactic is the MITRE ATT&CK tactic for this phase.
	MITRETactic MITRETactic `json:"mitreTactic,omitempty"`

	// Description provides additional context.
	Description string `json:"description,omitempty"`

	// StartMessage is the first message index in this phase.
	StartMessage int `json:"startMessage"`

	// EndMessage is the last message index in this phase.
	EndMessage int `json:"endMessage"`
}

Phase groups messages into a logical attack phase.

type PlaybookPhase added in v0.6.0 

type PlaybookPhase string

PlaybookPhase identifies the phase of incident response. 

const (
	PlaybookPhasePreparation    PlaybookPhase = "preparation"
	PlaybookPhaseIdentification PlaybookPhase = "identification"
	PlaybookPhaseContainment    PlaybookPhase = "containment"
	PlaybookPhaseEradication    PlaybookPhase = "eradication"
	PlaybookPhaseRecovery       PlaybookPhase = "recovery"
	PlaybookPhaseLessonsLearned PlaybookPhase = "lessons-learned"
)

func (PlaybookPhase) JSONSchema added in v0.6.0 

func (PlaybookPhase) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for PlaybookPhase.

type PlaybookStep added in v0.6.0 

type PlaybookStep struct {
	// Step is the sequence number (1, 2, 3...).
	Step int `json:"step"`

	// Phase is the incident response phase (identification, containment, etc.).
	Phase PlaybookPhase `json:"phase,omitempty"`

	// Action describes what to do in this step.
	Action string `json:"action"`

	// Description provides detailed instructions.
	Description string `json:"description,omitempty"`

	// Owner is the team or role responsible for this step.
	Owner string `json:"owner,omitempty"`

	// Automated indicates if this step can be automated.
	Automated bool `json:"automated,omitempty"`

	// AutomationScript is the script or tool to run for automated steps.
	AutomationScript string `json:"automationScript,omitempty"`

	// TimeMinutes is the estimated time for this step in minutes.
	TimeMinutes int `json:"timeMinutes,omitempty"`

	// Dependencies lists step numbers that must complete before this one.
	Dependencies []int `json:"dependencies,omitempty"`

	// EscalationTrigger describes when to escalate from this step.
	EscalationTrigger string `json:"escalationTrigger,omitempty"`

	// Notes provides additional context.
	Notes string `json:"notes,omitempty"`

	// Commands lists specific commands to run.
	Commands []string `json:"commands,omitempty"`

	// Checklist provides items to verify during this step.
	Checklist []string `json:"checklist,omitempty"`
}

PlaybookStep represents a single step in an incident response playbook.

type Prerequisite added in v0.4.0 

type Prerequisite struct {
	// ID is the unique identifier for the prerequisite.
	ID string `json:"id"`

	// Title is a brief description of the prerequisite.
	Title string `json:"title"`

	// Description provides detailed information about the prerequisite.
	Description string `json:"description,omitempty"`

	// Type categorizes the prerequisite.
	Type AssumptionType `json:"type,omitempty"`

	// Required indicates if this prerequisite is mandatory.
	Required bool `json:"required,omitempty"`

	// Status indicates if the prerequisite is met (met, not-met, partial, unknown).
	Status string `json:"status,omitempty"`

	// DependsOn lists other prerequisite IDs that must be met first.
	DependsOn []string `json:"dependsOn,omitempty"`

	// RelatedThreatIDs lists threats that require this prerequisite.
	RelatedThreatIDs []string `json:"relatedThreatIds,omitempty"`

	// Notes provides additional context.
	Notes string `json:"notes,omitempty"`
}

Prerequisite represents a precondition that must be true for the threat model.

type Reference added in v0.2.0 

type Reference struct {
	// Title is the reference title.
	Title string `json:"title"`

	// URL is the link to the resource.
	URL string `json:"url"`

	// Type categorizes the reference (e.g., "advisory", "blog", "paper", "cve").
	Type string `json:"type,omitempty"`
}

Reference is an external resource related to the threat model.

type RemediationGuidance added in v0.6.0 

type RemediationGuidance struct {
	// VulnerablePatterns shows code patterns that are vulnerable.
	VulnerablePatterns []CodePattern `json:"vulnerablePatterns,omitempty"`

	// SecurePatterns shows secure code patterns that fix the vulnerability.
	SecurePatterns []CodePattern `json:"securePatterns,omitempty"`

	// ReviewChecklist provides items to check during code review.
	ReviewChecklist []ChecklistItem `json:"reviewChecklist,omitempty"`

	// RecommendedLibraries lists libraries that help mitigate the vulnerability.
	RecommendedLibraries []Library `json:"recommendedLibraries,omitempty"`

	// ConfigurationChanges lists configuration changes to fix the vulnerability.
	ConfigurationChanges []ConfigChange `json:"configurationChanges,omitempty"`

	// TestingApproach describes how to verify the fix is effective.
	TestingApproach *TestingApproach `json:"testingApproach,omitempty"`

	// TimeToFix estimates how long the fix will take (e.g., "2-4 hours").
	TimeToFix string `json:"timeToFix,omitempty"`

	// Complexity indicates fix complexity (trivial, low, medium, high).
	Complexity string `json:"complexity,omitempty"`

	// BreakingChanges notes any breaking changes introduced by the fix.
	BreakingChanges []string `json:"breakingChanges,omitempty"`

	// Notes provides additional guidance for developers.
	Notes string `json:"notes,omitempty"`
}

RemediationGuidance provides guidance for developers to fix vulnerabilities.

type ResourceLevel added in v0.4.0 

type ResourceLevel string

ResourceLevel represents the resources available to a threat actor. 

const (
	ResourceLevelMinimal   ResourceLevel = "minimal"
	ResourceLevelLimited   ResourceLevel = "limited"
	ResourceLevelModerate  ResourceLevel = "moderate"
	ResourceLevelExtensive ResourceLevel = "extensive"
	ResourceLevelUnlimited ResourceLevel = "unlimited"
)

func (ResourceLevel) JSONSchema added in v0.4.0 

func (ResourceLevel) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for ResourceLevel.

type ResponseAction added in v0.4.0 

type ResponseAction struct {
	// ID is the unique identifier for the response action.
	ID string `json:"id"`

	// Title is a brief description of the response action.
	Title string `json:"title"`

	// Description provides detailed information about the response.
	Description string `json:"description,omitempty"`

	// TriggerDetectionIDs lists detection IDs that trigger this response.
	TriggerDetectionIDs []string `json:"triggerDetectionIds,omitempty"`

	// ActionType categorizes the response (isolate, block, alert, investigate, contain).
	ActionType string `json:"actionType,omitempty"`

	// Automated indicates if the response is automated.
	Automated bool `json:"automated,omitempty"`

	// PlaybookURL links to the response playbook.
	PlaybookURL string `json:"playbookUrl,omitempty"`

	// Owner is the team or person responsible for the response.
	Owner string `json:"owner,omitempty"`

	// EscalationPath describes the escalation procedure.
	EscalationPath string `json:"escalationPath,omitempty"`

	// SLAMinutes is the expected response time SLA in minutes.
	SLAMinutes int `json:"slaMinutes,omitempty"`
}

ResponseAction represents an incident response action.

type RiskAssessment added in v0.5.0 

type RiskAssessment struct {
	// Likelihood of exploitation (1-5 scale).
	// 1=Rare, 2=Unlikely, 3=Possible, 4=Likely, 5=Almost Certain
	Likelihood int `json:"likelihood"`

	// Impact if exploited (1-5 scale).
	// 1=Negligible, 2=Minor, 3=Moderate, 4=Major, 5=Severe
	Impact int `json:"impact"`

	// Score is Likelihood × Impact (1-25, can be calculated or provided).
	Score int `json:"score,omitempty"`

	// Level is the categorical risk level (can be calculated from score).
	Level RiskLevel `json:"level,omitempty"`

	// LikelihoodRationale explains why this likelihood was chosen.
	LikelihoodRationale string `json:"likelihoodRationale,omitempty"`

	// ImpactRationale explains why this impact was chosen.
	ImpactRationale string `json:"impactRationale,omitempty"`
}

RiskAssessment provides structured risk scoring based on likelihood and impact. The score is calculated as Likelihood × Impact (1-25 scale).

func (*RiskAssessment) Calculate added in v0.5.0 

func (r *RiskAssessment) Calculate()

Calculate computes the Score and Level from Likelihood and Impact.

func (*RiskAssessment) IsValid added in v0.5.0 

func (r *RiskAssessment) IsValid() bool

IsValid checks if the RiskAssessment has valid values.

type RiskLevel added in v0.5.0 

type RiskLevel string

RiskLevel represents the categorical risk level. 

const (
	// RiskLevelCritical represents critical risk (score 20-25).
	RiskLevelCritical RiskLevel = "critical"

	// RiskLevelHigh represents high risk (score 15-19).
	RiskLevelHigh RiskLevel = "high"

	// RiskLevelMedium represents medium risk (score 8-14).
	RiskLevelMedium RiskLevel = "medium"

	// RiskLevelLow represents low risk (score 4-7).
	RiskLevelLow RiskLevel = "low"

	// RiskLevelInfo represents informational/minimal risk (score 1-3).
	RiskLevelInfo RiskLevel = "info"
)

func CalculateDependencyRiskLevel added in v0.6.0 

func CalculateDependencyRiskLevel(criticalCount, highCount, mediumCount int, deprecated, unmaintained bool) RiskLevel

CalculateDependencyRiskLevel calculates an overall risk level based on vulnerability counts

func ScoreToLevel added in v0.5.0 

func ScoreToLevel(score int) RiskLevel

ScoreToLevel converts a numeric risk score (1-25) to a RiskLevel.

func (RiskLevel) JSONSchema added in v0.5.0 

func (RiskLevel) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for RiskLevel.

type SBOMFormat added in v0.6.0 

type SBOMFormat string

SBOMFormat represents supported SBOM formats 

const (
	SBOMFormatCycloneDX SBOMFormat = "cyclonedx"
	SBOMFormatSPDX      SBOMFormat = "spdx"
)

type SBOMReference added in v0.6.0 

type SBOMReference struct {
	// Format specifies the SBOM format (cyclonedx, spdx)
	Format SBOMFormat `json:"format,omitempty"`

	// Version of the SBOM specification (e.g., "1.5" for CycloneDX, "2.3" for SPDX)
	Version string `json:"version,omitempty"`

	// URI is the location of the SBOM document
	URI string `json:"uri,omitempty"`

	// SerialNumber is the unique identifier for the SBOM (CycloneDX)
	SerialNumber string `json:"serialNumber,omitempty"`

	// DocumentNamespace is the unique identifier for the SBOM (SPDX)
	DocumentNamespace string `json:"documentNamespace,omitempty"`

	// Components lists the software components referenced in this threat model
	Components []ComponentReference `json:"components,omitempty"`
}

SBOMReference links a threat model to an SBOM document

type SOC2TrustServiceCategory added in v0.4.0 

type SOC2TrustServiceCategory string

SOC2TrustServiceCategory represents the SOC 2 Trust Service Categories. 

const (
	SOC2Security            SOC2TrustServiceCategory = "Security"
	SOC2Availability        SOC2TrustServiceCategory = "Availability"
	SOC2ProcessingIntegrity SOC2TrustServiceCategory = "Processing Integrity"
	SOC2Confidentiality     SOC2TrustServiceCategory = "Confidentiality"
	SOC2Privacy             SOC2TrustServiceCategory = "Privacy"
)

func (SOC2TrustServiceCategory) JSONSchema added in v0.4.0 

func (SOC2TrustServiceCategory) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for SOC2TrustServiceCategory.

type SSVCAssessment added in v0.6.0 

type SSVCAssessment struct {
	// VulnerabilityID is the CVE or other vulnerability identifier
	VulnerabilityID string `json:"vulnerabilityId,omitempty"`

	// Exploitation status (none, poc, active)
	Exploitation SSVCExploitation `json:"exploitation,omitempty"`

	// Automatable indicates if exploitation can be automated (no, yes)
	Automatable SSVCAutomatable `json:"automatable,omitempty"`

	// TechnicalImpact of successful exploitation (partial, total)
	TechnicalImpact SSVCTechnicalImpact `json:"technicalImpact,omitempty"`

	// MissionPrevalence indicates mission/business criticality (minimal, support, essential)
	MissionPrevalence SSVCMissionPrevalence `json:"missionPrevalence,omitempty"`

	// PublicWellBeing indicates impact on public safety (minimal, material, irreversible)
	PublicWellBeing SSVCPublicWellBeing `json:"publicWellBeing,omitempty"`

	// Decision is the calculated SSVC decision (track, track*, attend, act)
	Decision SSVCDecision `json:"decision,omitempty"`

	// Notes provides additional context for the assessment
	Notes string `json:"notes,omitempty"`

	// AssessedAt is when this assessment was made
	AssessedAt string `json:"assessedAt,omitempty"`

	// AssessedBy is who performed this assessment
	AssessedBy string `json:"assessedBy,omitempty"`
}

SSVCAssessment represents a Stakeholder-Specific Vulnerability Categorization assessment

func NewSSVCAssessment added in v0.6.0 

func NewSSVCAssessment(
	vulnID string,
	exploitation SSVCExploitation,
	automatable SSVCAutomatable,
	technicalImpact SSVCTechnicalImpact,
	missionPrevalence SSVCMissionPrevalence,
	publicWellBeing SSVCPublicWellBeing,
) *SSVCAssessment

NewSSVCAssessment creates a new SSVC assessment and calculates the decision

func (*SSVCAssessment) Calculate added in v0.6.0 

func (a *SSVCAssessment) Calculate()

Calculate computes and sets the Decision field based on other assessment fields

func (*SSVCAssessment) IsHighPriority added in v0.6.0 

func (a *SSVCAssessment) IsHighPriority() bool

IsHighPriority returns true if the decision is attend or act

func (*SSVCAssessment) RequiresImmediateAction added in v0.6.0 

func (a *SSVCAssessment) RequiresImmediateAction() bool

RequiresImmediateAction returns true if the decision is act

type SSVCAutomatable added in v0.6.0 

type SSVCAutomatable string

SSVCAutomatable represents whether the vulnerability is automatable 

const (
	SSVCAutomatableNo  SSVCAutomatable = "no"
	SSVCAutomatableYes SSVCAutomatable = "yes"
)

type SSVCDecision added in v0.6.0 

type SSVCDecision string

SSVCDecision represents the SSVC decision outcome 

const (
	// SSVCDecisionTrack - continue tracking, no immediate action needed
	SSVCDecisionTrack SSVCDecision = "track"

	// SSVCDecisionTrackStar - track closely, slightly elevated priority
	SSVCDecisionTrackStar SSVCDecision = "track*"

	// SSVCDecisionAttend - attend to this vulnerability soon
	SSVCDecisionAttend SSVCDecision = "attend"

	// SSVCDecisionAct - act immediately, highest priority
	SSVCDecisionAct SSVCDecision = "act"
)

func CalculateSSVCDecision added in v0.6.0 

func CalculateSSVCDecision(
	exploitation SSVCExploitation,
	automatable SSVCAutomatable,
	technicalImpact SSVCTechnicalImpact,
	missionPrevalence SSVCMissionPrevalence,
	publicWellBeing SSVCPublicWellBeing,
) SSVCDecision

CalculateSSVCDecision calculates the SSVC decision based on input factors This implements the CISA SSVC decision tree for prioritizing vulnerabilities

type SSVCExploitation added in v0.6.0 

type SSVCExploitation string

SSVCExploitation represents the exploitation status in SSVC 

const (
	SSVCExploitationNone   SSVCExploitation = "none"
	SSVCExploitationPOC    SSVCExploitation = "poc"
	SSVCExploitationActive SSVCExploitation = "active"
)

type SSVCMissionPrevalence added in v0.6.0 

type SSVCMissionPrevalence string

SSVCMissionPrevalence represents how prevalent the mission/system is 

const (
	SSVCMissionPrevalenceMinimal   SSVCMissionPrevalence = "minimal"
	SSVCMissionPrevalenceSupport   SSVCMissionPrevalence = "support"
	SSVCMissionPrevalenceEssential SSVCMissionPrevalence = "essential"
)

type SSVCPublicWellBeing added in v0.6.0 

type SSVCPublicWellBeing string

SSVCPublicWellBeing represents impact on public well-being/safety 

const (
	SSVCPublicWellBeingMinimal      SSVCPublicWellBeing = "minimal"
	SSVCPublicWellBeingMaterial     SSVCPublicWellBeing = "material"
	SSVCPublicWellBeingIrreversible SSVCPublicWellBeing = "irreversible"
)

type SSVCTechnicalImpact added in v0.6.0 

type SSVCTechnicalImpact string

SSVCTechnicalImpact represents the technical impact of exploitation 

const (
	SSVCTechnicalImpactPartial SSVCTechnicalImpact = "partial"
	SSVCTechnicalImpactTotal   SSVCTechnicalImpact = "total"
)

type STIXAttackPattern added in v0.6.0 

type STIXAttackPattern struct {
	Type               string                  `json:"type"`
	SpecVersion        string                  `json:"spec_version"`
	ID                 string                  `json:"id"`
	Created            string                  `json:"created"`
	Modified           string                  `json:"modified"`
	CreatedByRef       string                  `json:"created_by_ref,omitempty"`
	Name               string                  `json:"name"`
	Description        string                  `json:"description,omitempty"`
	KillChainPhases    []STIXKillChainPhase    `json:"kill_chain_phases,omitempty"`
	ExternalReferences []STIXExternalReference `json:"external_references,omitempty"`
}

STIXAttackPattern represents a STIX 2.1 Attack Pattern object.

type STIXBundle added in v0.6.0 

type STIXBundle struct {
	Type    string        `json:"type"`
	ID      string        `json:"id"`
	Objects []interface{} `json:"objects"`
}

STIXBundle is a STIX 2.1 Bundle object containing STIX objects.

func NewSTIXBundle added in v0.6.0 

func NewSTIXBundle() *STIXBundle

NewSTIXBundle creates a new STIX Bundle.

func (*STIXBundle) AddObject added in v0.6.0 

func (b *STIXBundle) AddObject(obj interface{})

AddObject adds a STIX object to the bundle.

type STIXCourseOfAction added in v0.6.0 

type STIXCourseOfAction struct {
	Type         string `json:"type"`
	SpecVersion  string `json:"spec_version"`
	ID           string `json:"id"`
	Created      string `json:"created"`
	Modified     string `json:"modified"`
	CreatedByRef string `json:"created_by_ref,omitempty"`
	Name         string `json:"name"`
	Description  string `json:"description,omitempty"`
	ActionType   string `json:"action_type,omitempty"`
}

STIXCourseOfAction represents a STIX 2.1 Course of Action object.

type STIXExportOptions added in v0.6.0 

type STIXExportOptions struct {
	// IncludeIndicators exports IOCs as STIX Indicators
	IncludeIndicators bool `json:"includeIndicators,omitempty"`
	// IncludeAttackPatterns exports Attacks as STIX Attack Patterns
	IncludeAttackPatterns bool `json:"includeAttackPatterns,omitempty"`
	// IncludeThreatActors exports ThreatActors as STIX Threat Actors
	IncludeThreatActors bool `json:"includeThreatActors,omitempty"`
	// IncludeCourseOfAction exports DetectionRules and Mitigations as Courses of Action
	IncludeCourseOfAction bool `json:"includeCourseOfAction,omitempty"`
	// IncludeVulnerabilities exports CVE mappings as STIX Vulnerabilities
	IncludeVulnerabilities bool `json:"includeVulnerabilities,omitempty"`
	// IncludeRelationships adds relationships between STIX objects
	IncludeRelationships bool `json:"includeRelationships,omitempty"`
	// IdentityName is the organization name for created_by_ref (default: "Threat Model Spec")
	IdentityName string `json:"identityName,omitempty"`
}

STIXExportOptions configures what to include in STIX bundle exports.

func DefaultSTIXExportOptions added in v0.6.0 

func DefaultSTIXExportOptions() STIXExportOptions

DefaultSTIXExportOptions returns options that include all exportable content.

type STIXExternalReference added in v0.6.0 

type STIXExternalReference struct {
	SourceName string `json:"source_name"`
	ExternalID string `json:"external_id,omitempty"`
	URL        string `json:"url,omitempty"`
}

STIXExternalReference represents an external reference in STIX objects.

type STIXIdentity added in v0.6.0 

type STIXIdentity struct {
	Type          string `json:"type"`
	SpecVersion   string `json:"spec_version"`
	ID            string `json:"id"`
	Created       string `json:"created"`
	Modified      string `json:"modified"`
	Name          string `json:"name"`
	IdentityClass string `json:"identity_class"`
}

STIXIdentity represents a STIX 2.1 Identity object.

type STIXIndicator added in v0.6.0 

type STIXIndicator struct {
	Type           string   `json:"type"`
	SpecVersion    string   `json:"spec_version"`
	ID             string   `json:"id"`
	Created        string   `json:"created"`
	Modified       string   `json:"modified"`
	CreatedByRef   string   `json:"created_by_ref,omitempty"`
	Name           string   `json:"name,omitempty"`
	Description    string   `json:"description,omitempty"`
	IndicatorTypes []string `json:"indicator_types,omitempty"`
	Pattern        string   `json:"pattern"`
	PatternType    string   `json:"pattern_type"`
	ValidFrom      string   `json:"valid_from"`
	ValidUntil     string   `json:"valid_until,omitempty"`
}

STIXIndicator represents a STIX 2.1 Indicator object.

type STIXKillChainPhase added in v0.6.0 

type STIXKillChainPhase struct {
	KillChainName string `json:"kill_chain_name"`
	PhaseName     string `json:"phase_name"`
}

STIXKillChainPhase represents a kill chain phase.

type STIXThreatActor added in v0.6.0 

type STIXThreatActor struct {
	Type               string                  `json:"type"`
	SpecVersion        string                  `json:"spec_version"`
	ID                 string                  `json:"id"`
	Created            string                  `json:"created"`
	Modified           string                  `json:"modified"`
	CreatedByRef       string                  `json:"created_by_ref,omitempty"`
	Name               string                  `json:"name"`
	Description        string                  `json:"description,omitempty"`
	ThreatActorTypes   []string                `json:"threat_actor_types"`
	Aliases            []string                `json:"aliases,omitempty"`
	Goals              []string                `json:"goals,omitempty"`
	Sophistication     string                  `json:"sophistication,omitempty"`
	ResourceLevel      string                  `json:"resource_level,omitempty"`
	PrimaryMotivation  string                  `json:"primary_motivation,omitempty"`
	ExternalReferences []STIXExternalReference `json:"external_references,omitempty"`
}

STIXThreatActor represents a STIX 2.1 Threat Actor object.

type STIXVulnerability added in v0.6.0 

type STIXVulnerability struct {
	Type               string                  `json:"type"`
	SpecVersion        string                  `json:"spec_version"`
	ID                 string                  `json:"id"`
	Created            string                  `json:"created"`
	Modified           string                  `json:"modified"`
	CreatedByRef       string                  `json:"created_by_ref,omitempty"`
	Name               string                  `json:"name"`
	Description        string                  `json:"description,omitempty"`
	ExternalReferences []STIXExternalReference `json:"external_references,omitempty"`
}

STIXVulnerability represents a STIX 2.1 Vulnerability object.

type STRIDEMapping 

type STRIDEMapping struct {
	// Category is the STRIDE category (S, T, R, I, D, E).
	Category STRIDEThreat `json:"category"`

	// Name is the full name (e.g., "Spoofing", "Tampering").
	Name string `json:"name,omitempty"`

	// Description explains how this threat applies.
	Description string `json:"description,omitempty"`

	// AffectedComponents lists the component IDs affected by this threat.
	AffectedComponents []string `json:"affectedComponents,omitempty"`
}

STRIDEMapping represents a STRIDE threat category mapping with details.

type STRIDEThreat 

type STRIDEThreat string

STRIDEThreat identifies a STRIDE threat category. 

const (
	STRIDESpoofing             STRIDEThreat = "S"
	STRIDETampering            STRIDEThreat = "T"
	STRIDERepudiation          STRIDEThreat = "R"
	STRIDEInformationDisc      STRIDEThreat = "I"
	STRIDEDenialOfService      STRIDEThreat = "D"
	STRIDEElevationOfPrivilege STRIDEThreat = "E"
)

func (STRIDEThreat) JSONSchema 

func (STRIDEThreat) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for STRIDEThreat.

type Scenario added in v0.5.0 

type Scenario struct {
	// ID is the unique identifier for the scenario.
	ID string `json:"id"`

	// Title is a brief description of the scenario.
	Title string `json:"title"`

	// Description provides the full scenario narrative.
	Description string `json:"description,omitempty"`

	// Type categorizes the scenario.
	Type ScenarioType `json:"type,omitempty"`

	// ThreatActorID links to the threat actor profile executing this scenario.
	ThreatActorID string `json:"threatActorId,omitempty"`

	// Preconditions that must be true for this scenario to be viable.
	// Example: "Attacker has network access to DMZ"
	Preconditions []string `json:"preconditions,omitempty"`

	// AttackPath describes the sequence of attack steps.
	// Can reference element IDs, attack IDs, or free-form descriptions.
	AttackPath []string `json:"attackPath,omitempty"`

	// TargetAssetIDs lists the assets targeted in this scenario.
	TargetAssetIDs []string `json:"targetAssetIds,omitempty"`

	// TargetElementIDs lists the diagram elements targeted.
	TargetElementIDs []string `json:"targetElementIds,omitempty"`

	// ThreatIDs links to ThreatEntry IDs relevant to this scenario.
	ThreatIDs []string `json:"threatIds,omitempty"`

	// Risk assessment for this scenario.
	Risk *RiskAssessment `json:"risk,omitempty"`

	// Outcome describes what happens if the attack succeeds.
	Outcome string `json:"outcome,omitempty"`

	// BusinessImpact describes the business consequences.
	BusinessImpact string `json:"businessImpact,omitempty"`

	// MitigationIDs lists mitigations that would prevent this scenario.
	MitigationIDs []string `json:"mitigationIds,omitempty"`

	// DetectionIDs lists detections that would identify this scenario.
	DetectionIDs []string `json:"detectionIds,omitempty"`

	// Notes provides additional analysis or commentary.
	Notes string `json:"notes,omitempty"`
}

Scenario represents a what-if attack scenario for analysis. Scenarios help explore potential attack paths during design-time threat modeling.

type ScenarioType added in v0.5.0 

type ScenarioType string

ScenarioType categorizes the type of attack scenario. 

const (
	// ScenarioTypeExternalAttack represents attacks from external threat actors.
	ScenarioTypeExternalAttack ScenarioType = "external-attack"

	// ScenarioTypeInsiderThreat represents attacks from insiders.
	ScenarioTypeInsiderThreat ScenarioType = "insider-threat"

	// ScenarioTypeSupplyChain represents supply chain compromise scenarios.
	ScenarioTypeSupplyChain ScenarioType = "supply-chain"

	// ScenarioTypeDataBreach represents data breach scenarios.
	ScenarioTypeDataBreach ScenarioType = "data-breach"

	// ScenarioTypePrivacyViolation represents privacy violation scenarios.
	ScenarioTypePrivacyViolation ScenarioType = "privacy-violation"

	// ScenarioTypeDenialOfService represents availability attack scenarios.
	ScenarioTypeDenialOfService ScenarioType = "denial-of-service"

	// ScenarioTypeEscalation represents privilege escalation scenarios.
	ScenarioTypeEscalation ScenarioType = "escalation"
)

func (ScenarioType) JSONSchema added in v0.5.0 

func (ScenarioType) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for ScenarioType.

type SecurityMetrics added in v0.6.0 

type SecurityMetrics struct {
	// MTTD is the Mean Time to Detect (how long to identify threats).
	MTTD *MetricDuration `json:"mttd,omitempty"`

	// MTTR is the Mean Time to Respond (how long to begin response).
	MTTR *MetricDuration `json:"mttr,omitempty"`

	// MTTC is the Mean Time to Contain (how long to contain threats).
	MTTC *MetricDuration `json:"mttc,omitempty"`

	// MTTRE is the Mean Time to Remediate/Eradicate.
	MTTRE *MetricDuration `json:"mttre,omitempty"`

	// DetectionRate is the percentage of threats detected (0.0 - 1.0).
	DetectionRate float64 `json:"detectionRate,omitempty"`

	// FalsePositiveRate is the percentage of false positive alerts (0.0 - 1.0).
	FalsePositiveRate float64 `json:"falsePositiveRate,omitempty"`

	// TruePositiveRate is the percentage of true positive detections (0.0 - 1.0).
	TruePositiveRate float64 `json:"truePositiveRate,omitempty"`

	// EscalationRate is the percentage of alerts that require escalation (0.0 - 1.0).
	EscalationRate float64 `json:"escalationRate,omitempty"`

	// IncidentCount is the number of security incidents in the measurement period.
	IncidentCount int `json:"incidentCount,omitempty"`

	// AlertVolume is the total number of alerts in the measurement period.
	AlertVolume int `json:"alertVolume,omitempty"`

	// MeasuredAt is the timestamp when metrics were collected.
	MeasuredAt string `json:"measuredAt,omitempty"`

	// MeasurementPeriod describes the time period for these metrics.
	MeasurementPeriod string `json:"measurementPeriod,omitempty"`

	// Notes provides additional context about the metrics.
	Notes string `json:"notes,omitempty"`
}

SecurityMetrics contains key security metrics for a threat model. These metrics help track detection and response effectiveness.

func (*SecurityMetrics) CalculateEfficiency added in v0.6.0 

func (m *SecurityMetrics) CalculateEfficiency() *DetectionEfficiency

CalculateEfficiency calculates detection efficiency metrics.

func (*SecurityMetrics) CompareToIndustry added in v0.6.0 

func (m *SecurityMetrics) CompareToIndustry(benchmark *MetricsBenchmark) *MetricsComparison

CompareToIndustry compares current metrics to industry benchmarks.

type SensitivityLevel added in v0.5.0 

type SensitivityLevel string

SensitivityLevel indicates the sensitivity level of an asset. 

const (
	// SensitivityPublic indicates publicly available data.
	SensitivityPublic SensitivityLevel = "public"

	// SensitivityInternal indicates internal/employee-only data.
	SensitivityInternal SensitivityLevel = "internal"

	// SensitivityConfidential indicates confidential business data.
	SensitivityConfidential SensitivityLevel = "confidential"

	// SensitivityRestricted indicates highly restricted data (PII, financial).
	SensitivityRestricted SensitivityLevel = "restricted"

	// SensitivitySecret indicates secret/classified data.
	SensitivitySecret SensitivityLevel = "secret"
)

func (SensitivityLevel) JSONSchema added in v0.5.0 

func (SensitivityLevel) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for SensitivityLevel.

type Sophistication added in v0.4.0 

type Sophistication string

Sophistication represents the technical sophistication of a threat actor. 

const (
	SophisticationNone     Sophistication = "none"
	SophisticationLow      Sophistication = "low"
	SophisticationMedium   Sophistication = "medium"
	SophisticationHigh     Sophistication = "high"
	SophisticationAdvanced Sophistication = "advanced"
)

func (Sophistication) JSONSchema added in v0.4.0 

func (Sophistication) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for Sophistication.

type Target 

type Target struct {
	// ElementID references the element that is a target.
	ElementID string `json:"elementId"`

	// Classification indicates the asset value.
	Classification AssetClassification `json:"classification"`

	// STRIDEThreats lists applicable STRIDE threats.
	STRIDEThreats []STRIDEThreat `json:"strideThreats,omitempty"`

	// Impact describes the impact if compromised.
	Impact string `json:"impact,omitempty"`
}

Target represents a high-value asset being targeted.

type TechniqueCoverage added in v0.6.0 

type TechniqueCoverage struct {
	// TechniqueID is the MITRE ATT&CK technique ID (e.g., "T1059.001").
	TechniqueID string `json:"techniqueId"`

	// TechniqueName is the human-readable technique name.
	TechniqueName string `json:"techniqueName,omitempty"`

	// Tactic is the MITRE ATT&CK tactic (e.g., "execution").
	Tactic string `json:"tactic,omitempty"`

	// Coverage indicates the level of detection coverage.
	Coverage CoverageLevel `json:"coverage"`

	// DetectionIDs lists the IDs of detection rules covering this technique.
	DetectionIDs []string `json:"detectionIds,omitempty"`

	// DataSources lists the data sources used for detection.
	DataSources []string `json:"dataSources,omitempty"`

	// Notes provides additional context about coverage.
	Notes string `json:"notes,omitempty"`

	// Confidence indicates confidence in the coverage assessment.
	Confidence string `json:"confidence,omitempty"`
}

TechniqueCoverage represents detection coverage for a single MITRE ATT&CK technique.

type TestPurpose added in v0.6.0 

type TestPurpose string

TestPurpose indicates the purpose of a test case reference. 

const (
	// TestPurposeExploitation indicates a test that validates exploitation.
	TestPurposeExploitation TestPurpose = "exploitation"

	// TestPurposeDetection indicates a test that validates detection works.
	TestPurposeDetection TestPurpose = "detection"

	// TestPurposeRemediation indicates a test that validates a fix is effective.
	TestPurposeRemediation TestPurpose = "remediation"

	// TestPurposeRegression indicates a test that prevents vulnerability return.
	TestPurposeRegression TestPurpose = "regression"
)

func (TestPurpose) JSONSchema added in v0.6.0 

func (TestPurpose) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for TestPurpose.

type TestReference added in v0.6.0 

type TestReference struct {
	// TestID is the unique identifier of the test case in app-test-spec.
	TestID string `json:"testId"`

	// TestFile is the path to the app-test-spec test file.
	TestFile string `json:"testFile,omitempty"`

	// Purpose indicates the test's purpose (exploitation, detection, remediation, regression).
	Purpose TestPurpose `json:"purpose"`

	// Description provides context about what this test validates.
	Description string `json:"description,omitempty"`

	// SuiteID is the test suite this test belongs to.
	SuiteID string `json:"suiteId,omitempty"`

	// AttackStep links this test to a specific attack step number.
	AttackStep int `json:"attackStep,omitempty"`

	// Automated indicates if this test can run automatically in CI/CD.
	Automated bool `json:"automated,omitempty"`

	// Tool specifies the test runner (e.g., "agent-dast", "nuclei", "custom").
	Tool string `json:"tool,omitempty"`
}

TestReference links a threat model component to an app-test-spec test case. This enables bidirectional references between threat models and executable tests.

type TestSuiteReference added in v0.6.0 

type TestSuiteReference struct {
	// SuiteID is the unique identifier of the test suite.
	SuiteID string `json:"suiteId"`

	// SuiteFile is the path to the app-test-spec test suite file.
	SuiteFile string `json:"suiteFile,omitempty"`

	// Description provides context about this test suite.
	Description string `json:"description,omitempty"`

	// Tests lists the individual test references within this suite.
	Tests []TestReference `json:"tests,omitempty"`

	// Tags are metadata tags for filtering test suites.
	Tags []string `json:"tags,omitempty"`

	// CIEnabled indicates if this suite runs in CI/CD pipelines.
	CIEnabled bool `json:"ciEnabled,omitempty"`
}

TestSuiteReference links a threat model to an app-test-spec test suite.

type TestingApproach added in v0.6.0 

type TestingApproach struct {
	// UnitTests describes unit tests that should pass after the fix.
	UnitTests []string `json:"unitTests,omitempty"`

	// IntegrationTests describes integration tests.
	IntegrationTests []string `json:"integrationTests,omitempty"`

	// SecurityTests describes security-specific tests.
	SecurityTests []string `json:"securityTests,omitempty"`

	// RegressionTests describes tests to prevent regression.
	RegressionTests []string `json:"regressionTests,omitempty"`

	// ManualTests describes manual testing procedures.
	ManualTests []string `json:"manualTests,omitempty"`

	// TestRefs links to app-test-spec test cases for automated validation.
	TestRefs []TestReference `json:"testRefs,omitempty"`

	// AcceptanceCriteria defines what constitutes a successful fix.
	AcceptanceCriteria []string `json:"acceptanceCriteria,omitempty"`

	// Tools lists testing tools useful for validation.
	Tools []string `json:"tools,omitempty"`
}

TestingApproach describes how to verify a fix is effective.

type ThreatActor added in v0.4.0 

type ThreatActor struct {
	// ID is the unique identifier for the threat actor.
	ID string `json:"id"`

	// Name is the threat actor name or alias.
	Name string `json:"name"`

	// Type categorizes the threat actor.
	Type ThreatActorType `json:"type"`

	// Aliases lists other names this actor is known by.
	Aliases []string `json:"aliases,omitempty"`

	// Description provides context about the threat actor.
	Description string `json:"description,omitempty"`

	// Sophistication indicates the technical capability level.
	Sophistication Sophistication `json:"sophistication,omitempty"`

	// Motivations lists the actor's primary motivations.
	Motivations []Motivation `json:"motivations,omitempty"`

	// Resources indicates the resource level available.
	Resources ResourceLevel `json:"resources,omitempty"`

	// PrimaryGoals describes what the actor is trying to achieve.
	PrimaryGoals []string `json:"primaryGoals,omitempty"`

	// TTPs lists MITRE ATT&CK technique IDs associated with this actor.
	TTPs []string `json:"ttps,omitempty"`

	// TargetedIndustries lists industries this actor targets.
	TargetedIndustries []string `json:"targetedIndustries,omitempty"`

	// TargetedRegions lists geographic regions this actor targets.
	TargetedRegions []string `json:"targetedRegions,omitempty"`

	// KnownCampaigns lists known attack campaigns attributed to this actor.
	KnownCampaigns []string `json:"knownCampaigns,omitempty"`

	// References provides external links about this threat actor.
	References []string `json:"references,omitempty"`
}

ThreatActor represents an adversary or threat source profile.

func (*ThreatActor) ToSTIXThreatActor added in v0.6.0 

func (ta *ThreatActor) ToSTIXThreatActor(createdByRef string) *STIXThreatActor

ToSTIXThreatActor converts an ir.ThreatActor to a STIX 2.1 Threat Actor object.

type ThreatActorType added in v0.4.0 

type ThreatActorType string

ThreatActorType identifies the category of threat actor. 

const (
	// ThreatActorTypeNationState represents government-sponsored actors.
	ThreatActorTypeNationState ThreatActorType = "nation-state"

	// ThreatActorTypeCriminal represents financially motivated criminal organizations.
	ThreatActorTypeCriminal ThreatActorType = "criminal"

	// ThreatActorTypeHacktivist represents ideologically motivated actors.
	ThreatActorTypeHacktivist ThreatActorType = "hacktivist"

	// ThreatActorTypeInsider represents malicious or negligent insiders.
	ThreatActorTypeInsider ThreatActorType = "insider"

	// ThreatActorTypeCompetitor represents corporate espionage actors.
	ThreatActorTypeCompetitor ThreatActorType = "competitor"

	// ThreatActorTypeTerrorist represents terrorist organizations.
	ThreatActorTypeTerrorist ThreatActorType = "terrorist"

	// ThreatActorTypeScriptKiddie represents low-sophistication opportunistic actors.
	ThreatActorTypeScriptKiddie ThreatActorType = "script-kiddie"

	// ThreatActorTypeResearcher represents security researchers or ethical hackers.
	ThreatActorTypeResearcher ThreatActorType = "researcher"
)

func (ThreatActorType) JSONSchema added in v0.4.0 

func (ThreatActorType) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for ThreatActorType.

type ThreatEntry added in v0.4.0 

type ThreatEntry struct {
	// ID is the unique identifier for the threat.
	ID string `json:"id"`

	// Title is a brief description of the threat.
	Title string `json:"title"`

	// Description provides detailed information about the threat.
	Description string `json:"description,omitempty"`

	// STRIDECategory identifies the STRIDE threat category.
	STRIDECategory STRIDEThreat `json:"strideCategory,omitempty"`

	// LINDDUNCategory identifies the LINDDUN privacy threat category.
	LINDDUNCategory LINDDUNThreat `json:"linddunCategory,omitempty"`

	// AffectedElements lists the element IDs affected by this threat.
	AffectedElements []string `json:"affectedElements,omitempty"`

	// AffectedAssets lists the asset IDs affected by this threat.
	AffectedAssets []string `json:"affectedAssets,omitempty"`

	// Status indicates the current threat lifecycle state.
	// Use "potential" or "theoretical" for design-time threats.
	Status ThreatStatus `json:"status"`

	// Risk provides structured risk assessment (likelihood × impact).
	Risk *RiskAssessment `json:"risk,omitempty"`

	// Severity indicates the threat severity (critical, high, medium, low).
	// Deprecated: Use Risk.Level instead for structured assessment.
	Severity string `json:"severity,omitempty"`

	// Likelihood indicates the probability of exploitation (high, medium, low).
	// Deprecated: Use Risk.Likelihood instead for structured assessment.
	Likelihood string `json:"likelihood,omitempty"`

	// MitigationIDs lists the IDs of mitigations addressing this threat.
	MitigationIDs []string `json:"mitigationIds,omitempty"`

	// AttackVector describes how the threat could be exploited.
	AttackVector string `json:"attackVector,omitempty"`

	// Preconditions lists what must be true for this threat to be exploitable.
	Preconditions []string `json:"preconditions,omitempty"`

	// SSVCAssessment contains CISA SSVC vulnerability prioritization data.
	SSVCAssessment *SSVCAssessment `json:"ssvcAssessment,omitempty"`
}

ThreatEntry represents a threat with status tracking. This can be used for both design-time (potential) and identified threats.

type ThreatModel added in v0.2.0 

type ThreatModel struct {
	// ID is a unique identifier for the threat model (e.g., "openclaw-websocket-localhost").
	ID string `json:"id"`

	// Title is the human-readable title of the threat model.
	Title string `json:"title"`

	// Description provides an overview of the vulnerability or threat scenario.
	Description string `json:"description,omitempty"`

	// Version tracks the threat model version (e.g., "1.0.0").
	Version string `json:"version,omitempty"`

	// Phase indicates the SDLC phase of this threat model.
	// Use "design" for pre-implementation threat modeling,
	// "production" for live systems, "incident" for post-incident analysis.
	Phase ModelPhase `json:"phase,omitempty"`

	// Authors lists the people who created or contributed to this threat model.
	Authors []Author `json:"authors,omitempty"`

	// References contains external links to related resources.
	References []Reference `json:"references,omitempty"`

	// Mappings contains references to external security frameworks
	// (MITRE ATT&CK, ATLAS, OWASP, CWE, CVSS, STRIDE).
	// These mappings apply to the overall threat model.
	Mappings *Mappings `json:"mappings,omitempty"`

	// Diagrams contains the individual diagram views of the threat model.
	// Each diagram represents a different perspective (DFD, attack chain, sequence).
	Diagrams []DiagramView `json:"diagrams"`

	// ThreatActors contains adversary profiles relevant to this threat model.
	ThreatActors []ThreatActor `json:"threatActors,omitempty"`

	// Assumptions contains security assumptions underlying the threat model.
	Assumptions []Assumption `json:"assumptions,omitempty"`

	// Prerequisites contains preconditions that must be true.
	Prerequisites []Prerequisite `json:"prerequisites,omitempty"`

	// Mitigations contains countermeasures at the threat model level.
	// These apply across all diagrams; individual diagrams may have additional mitigations.
	Mitigations []Mitigation `json:"mitigations,omitempty"`

	// Assets lists the assets being protected in this threat model.
	Assets []Asset `json:"assets,omitempty"`

	// Scenarios contains what-if attack scenarios for analysis.
	Scenarios []Scenario `json:"scenarios,omitempty"`

	// RedTeam contains offensive security/penetration testing guidance.
	RedTeam *ExploitationGuidance `json:"redTeam,omitempty"`

	// BlueTeam contains defensive security/detection guidance.
	BlueTeam *DefenseGuidance `json:"blueTeam,omitempty"`

	// Remediation contains developer guidance for fixing vulnerabilities.
	Remediation *RemediationGuidance `json:"remediation,omitempty"`

	// Playbooks contains incident response playbooks.
	Playbooks []IncidentPlaybook `json:"playbooks,omitempty"`

	// TestSuites links to app-test-spec test suites for validation.
	TestSuites []TestSuiteReference `json:"testSuites,omitempty"`

	// RiskAssessment contains FAIR (Factor Analysis of Information Risk) assessment data.
	RiskAssessment *FAIRAssessment `json:"riskAssessment,omitempty"`

	// BusinessImpact contains broader business impact analysis.
	BusinessImpact *BusinessImpact `json:"businessImpact,omitempty"`

	// EPSSData contains Exploit Prediction Scoring System data for CVEs.
	EPSSData []EPSSData `json:"epssData,omitempty"`

	// AtomicTests contains Atomic Red Team test mappings for validation.
	AtomicTests []AtomicTestMapping `json:"atomicTests,omitempty"`

	// DetectionCoverage contains MITRE ATT&CK detection coverage matrix.
	DetectionCoverage *DetectionCoverageMatrix `json:"detectionCoverage,omitempty"`

	// Metrics contains security metrics for tracking detection/response effectiveness.
	Metrics *SecurityMetrics `json:"metrics,omitempty"`

	// SBOM contains references to Software Bill of Materials documents.
	SBOM *SBOMReference `json:"sbom,omitempty"`

	// VEXStatements contains Vulnerability Exploitability eXchange statements.
	VEXStatements []VEXStatement `json:"vexStatements,omitempty"`

	// DependencyRisks tracks risk information for software dependencies.
	DependencyRisks []DependencyRisk `json:"dependencyRisks,omitempty"`

	// CredentialFlows tracks credential lifecycles through the system.
	// Use this to model token exfiltration, replay attacks, and credential exposure.
	CredentialFlows []CredentialFlow `json:"credentialFlows,omitempty"`

	// AttackPatterns contains reusable attack pattern templates applied to this model.
	// These can be instantiated from built-in patterns or custom-defined.
	AttackPatterns []AttackPattern `json:"attackPatterns,omitempty"`
}

ThreatModel is the canonical representation of a security threat model. It contains shared metadata and framework mappings, with multiple diagram views of the same vulnerability or threat scenario.

This is the preferred format for complete threat models. Individual DiagramIR files can be used for single-diagram use cases or generated from a ThreatModel.

func LoadThreatModelFromFile added in v0.2.0 

func LoadThreatModelFromFile(path string) (*ThreatModel, error)

LoadThreatModelFromFile loads a ThreatModel from a JSON file.

func (*ThreatModel) ExportSTIXBundle added in v0.6.0 

func (tm *ThreatModel) ExportSTIXBundle(opts STIXExportOptions) (*STIXBundle, error)

ExportSTIXBundle exports the ThreatModel to a STIX 2.1 Bundle.

func (*ThreatModel) GetDiagram added in v0.2.0 

func (tm *ThreatModel) GetDiagram(dt DiagramType) *DiagramView

GetDiagram returns the first diagram of the specified type, or nil if not found.

func (*ThreatModel) GetDiagramIR added in v0.2.0 

func (tm *ThreatModel) GetDiagramIR(dt DiagramType) *DiagramIR

GetDiagramIR returns a standalone DiagramIR for the specified type, with inherited mappings from the ThreatModel.

func (*ThreatModel) IsValid added in v0.2.0 

func (tm *ThreatModel) IsValid() bool

IsValid returns true if the threat model passes validation.

func (*ThreatModel) Validate added in v0.2.0 

func (tm *ThreatModel) Validate() error

Validate checks that the ThreatModel is internally consistent.

func (*ThreatModel) ValidateOWASPMappings added in v0.6.0 

func (tm *ThreatModel) ValidateOWASPMappings() []string

ValidateOWASPMappings checks that OWASP IDs in the ThreatModel are recognized.

type ThreatStatus added in v0.4.0 

type ThreatStatus string

ThreatStatus represents the lifecycle state of a threat. 

const (
	// ThreatStatusPotential indicates a hypothetical threat identified during design review.
	// Use this for design-time threat modeling before implementation.
	ThreatStatusPotential ThreatStatus = "potential"

	// ThreatStatusTheoretical indicates a threat based on threat modeling methodology.
	// Use this for threats derived from STRIDE/LINDDUN analysis.
	ThreatStatusTheoretical ThreatStatus = "theoretical"

	// ThreatStatusIdentified indicates the threat has been confirmed through testing or incident.
	ThreatStatusIdentified ThreatStatus = "identified"

	// ThreatStatusAnalyzing indicates the threat is under investigation.
	ThreatStatusAnalyzing ThreatStatus = "analyzing"

	// ThreatStatusMitigated indicates the threat has been mitigated.
	ThreatStatusMitigated ThreatStatus = "mitigated"

	// ThreatStatusAccepted indicates the threat risk is accepted.
	ThreatStatusAccepted ThreatStatus = "accepted"

	// ThreatStatusTransferred indicates the threat risk is transferred.
	ThreatStatusTransferred ThreatStatus = "transferred"

	// ThreatStatusMonitoring indicates the threat is being monitored.
	ThreatStatusMonitoring ThreatStatus = "monitoring"
)

func (ThreatStatus) JSONSchema added in v0.4.0 

func (ThreatStatus) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for ThreatStatus.

type VEXDocument added in v0.6.0 

type VEXDocument struct {
	// Context is the JSON-LD context (typically "https://openvex.dev/ns/v0.2.0")
	Context string `json:"@context,omitempty"`

	// ID is the document identifier
	ID string `json:"@id,omitempty"`

	// Author is the entity that created this document
	Author string `json:"author,omitempty"`

	// Role is the author's role (e.g., "vendor", "coordinator", "discoverer")
	Role string `json:"role,omitempty"`

	// Timestamp is when this document was created
	Timestamp time.Time `json:"timestamp,omitempty"`

	// Version is the document version
	Version string `json:"version,omitempty"`

	// Tooling describes the tool that generated this document
	Tooling string `json:"tooling,omitempty"`

	// Statements contains the VEX statements
	Statements []VEXStatement `json:"statements,omitempty"`
}

VEXDocument represents a collection of VEX statements (OpenVEX format)

func NewVEXDocument added in v0.6.0 

func NewVEXDocument(author string) *VEXDocument

NewVEXDocument creates a new VEX document with default context

func (*VEXDocument) AddStatement added in v0.6.0 

func (d *VEXDocument) AddStatement(stmt VEXStatement)

AddStatement adds a VEX statement to the document

type VEXJustification added in v0.6.0 

type VEXJustification string

VEXJustification provides the reason for a not_affected status 

const (
	// VEXJustificationComponentNotPresent - the vulnerable component is not included
	VEXJustificationComponentNotPresent VEXJustification = "component_not_present"

	// VEXJustificationVulnerableCodeNotPresent - the vulnerable code is not present
	VEXJustificationVulnerableCodeNotPresent VEXJustification = "vulnerable_code_not_present"

	// VEXJustificationVulnerableCodeNotInExecutePath - vulnerable code exists but cannot be executed
	VEXJustificationVulnerableCodeNotInExecutePath VEXJustification = "vulnerable_code_not_in_execute_path"

	// VEXJustificationVulnerableCodeCannotBeControlledByAdversary - input cannot reach vulnerable code
	VEXJustificationVulnerableCodeCannotBeControlledByAdversary VEXJustification = "vulnerable_code_cannot_be_controlled_by_adversary"

	// VEXJustificationInlineMitigationsAlreadyExist - mitigations are in place
	VEXJustificationInlineMitigationsAlreadyExist VEXJustification = "inline_mitigations_already_exist"
)

type VEXStatement added in v0.6.0 

type VEXStatement struct {
	// ID is a unique identifier for this VEX statement
	ID string `json:"id,omitempty"`

	// VulnerabilityID is the CVE or other vulnerability identifier
	VulnerabilityID string `json:"vulnerabilityId,omitempty"`

	// Status indicates the exploitability status
	Status VEXStatus `json:"status,omitempty"`

	// Justification explains why status is not_affected (required when status is not_affected)
	Justification VEXJustification `json:"justification,omitempty"`

	// ImpactStatement provides additional context for the status
	ImpactStatement string `json:"impactStatement,omitempty"`

	// ActionStatement describes what action is recommended
	ActionStatement string `json:"actionStatement,omitempty"`

	// Products lists the affected product identifiers (PURLs, CPEs, etc.)
	Products []string `json:"products,omitempty"`

	// Subcomponents lists specific subcomponents if not the entire product
	Subcomponents []string `json:"subcomponents,omitempty"`

	// Supplier is the organization making this statement
	Supplier string `json:"supplier,omitempty"`

	// Timestamp is when this statement was made
	Timestamp time.Time `json:"timestamp,omitempty"`

	// LastUpdated is when this statement was last modified
	LastUpdated time.Time `json:"lastUpdated,omitempty"`

	// Version is the version of this VEX statement
	Version string `json:"version,omitempty"`
}

VEXStatement represents a Vulnerability Exploitability eXchange statement

func NewAffectedStatement added in v0.6.0 

func NewAffectedStatement(vulnID string, products []string, actionStatement string) VEXStatement

NewAffectedStatement creates a VEX statement for an affected vulnerability

func NewFixedStatement added in v0.6.0 

func NewFixedStatement(vulnID string, products []string, impactStatement string) VEXStatement

NewFixedStatement creates a VEX statement for a fixed vulnerability

func NewNotAffectedStatement added in v0.6.0 

func NewNotAffectedStatement(vulnID string, justification VEXJustification, products []string, impactStatement string) VEXStatement

NewNotAffectedStatement creates a VEX statement for a not_affected vulnerability

func NewUnderInvestigationStatement added in v0.6.0 

func NewUnderInvestigationStatement(vulnID string, products []string) VEXStatement

NewUnderInvestigationStatement creates a VEX statement for a vulnerability under investigation

func (*VEXStatement) IsValid added in v0.6.0 

func (s *VEXStatement) IsValid() bool

IsValid checks if the VEX statement has required fields

type VEXStatus added in v0.6.0 

type VEXStatus string

VEXStatus represents the status of a vulnerability in a VEX statement 

const (
	VEXStatusNotAffected        VEXStatus = "not_affected"
	VEXStatusAffected           VEXStatus = "affected"
	VEXStatusFixed              VEXStatus = "fixed"
	VEXStatusUnderInvestigation VEXStatus = "under_investigation"
)

type ValidationError 

type ValidationError struct {
	Field   string
	Message string
}

ValidationError represents a diagram validation error.

func (ValidationError) Error 

func (e ValidationError) Error() string

type ValidationErrors 

type ValidationErrors []ValidationError

ValidationErrors is a collection of validation errors.

func (ValidationErrors) Error 

func (errs ValidationErrors) Error() string

func (ValidationErrors) HasErrors 

func (errs ValidationErrors) HasErrors() bool

HasErrors returns true if there are any validation errors.

func (ValidationErrors) Is 

func (errs ValidationErrors) Is(target error) bool

Is implements errors.Is for ValidationErrors.

func (ValidationErrors) Unwrap 

func (errs ValidationErrors) Unwrap() []error

Errors implements the error interface check for ValidationErrors.

type ValidationStatus added in v0.4.0 

type ValidationStatus string

ValidationStatus indicates whether an assumption has been validated. 

const (
	ValidationStatusNotValidated ValidationStatus = "not-validated"
	ValidationStatusValidated    ValidationStatus = "validated"
	ValidationStatusInvalidated  ValidationStatus = "invalidated"
	ValidationStatusPending      ValidationStatus = "pending"
)

func (ValidationStatus) JSONSchema added in v0.4.0 

func (ValidationStatus) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for ValidationStatus.

type WebSocketConfig added in v0.7.0 

type WebSocketConfig struct {
	// Protocol specifies the WebSocket protocol (ws or wss).
	Protocol WebSocketProtocol `json:"protocol,omitempty"`

	// Endpoint is the WebSocket endpoint path (e.g., "/ws", "/socket.io").
	Endpoint string `json:"endpoint,omitempty"`

	// AllowedOrigins lists origins permitted to connect.
	// An empty list indicates no origin validation (vulnerable).
	AllowedOrigins []string `json:"allowedOrigins,omitempty"`

	// OriginValidation indicates whether origin validation is enforced.
	// When false, the endpoint is vulnerable to Cross-Site WebSocket Hijacking.
	OriginValidation bool `json:"originValidation,omitempty"`

	// CSRFProtection indicates whether CSRF tokens are required for WebSocket upgrade.
	CSRFProtection bool `json:"csrfProtection,omitempty"`

	// AuthenticationRequired indicates whether authentication is required to connect.
	AuthenticationRequired bool `json:"authenticationRequired,omitempty"`

	// AuthenticationMethod describes how authentication is performed.
	// Examples: "bearer-token", "cookie", "query-param", "first-message"
	AuthenticationMethod string `json:"authenticationMethod,omitempty"`

	// RateLimitRPS is the rate limit in requests per second (0 = no limit).
	RateLimitRPS int `json:"rateLimitRps,omitempty"`

	// RateLimitConnections is the max concurrent connections (0 = no limit).
	RateLimitConnections int `json:"rateLimitConnections,omitempty"`

	// MessageSizeLimit is the maximum message size in bytes (0 = no limit).
	MessageSizeLimit int `json:"messageSizeLimit,omitempty"`

	// SubProtocols lists supported WebSocket sub-protocols.
	SubProtocols []string `json:"subProtocols,omitempty"`

	// Vulnerabilities lists known security issues with this WebSocket configuration.
	Vulnerabilities []WebSocketVulnerability `json:"vulnerabilities,omitempty"`
}

WebSocketConfig contains WebSocket-specific security configuration. This is used to model WebSocket endpoints and their security posture.

func (*WebSocketConfig) GetVulnerabilities added in v0.7.0 

func (wsc *WebSocketConfig) GetVulnerabilities() []WebSocketVulnerability

GetVulnerabilities analyzes the WebSocket configuration and returns identified vulnerabilities.

func (*WebSocketConfig) IsVulnerableToCSWSH added in v0.7.0 

func (wsc *WebSocketConfig) IsVulnerableToCSWSH() bool

IsVulnerableToCSWSH returns true if the WebSocket configuration is vulnerable to Cross-Site WebSocket Hijacking.

type WebSocketProtocol added in v0.7.0 

type WebSocketProtocol string

WebSocketProtocol identifies the WebSocket protocol type. 

const (
	// WebSocketProtocolWS represents unencrypted WebSocket (ws://).
	WebSocketProtocolWS WebSocketProtocol = "ws"

	// WebSocketProtocolWSS represents encrypted WebSocket (wss://).
	WebSocketProtocolWSS WebSocketProtocol = "wss"
)

func (WebSocketProtocol) JSONSchema added in v0.7.0 

func (WebSocketProtocol) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for WebSocketProtocol.

type WebSocketVulnType added in v0.7.0 

type WebSocketVulnType string

WebSocketVulnType categorizes WebSocket-specific vulnerabilities. 

const (
	// WebSocketVulnCSWSH represents Cross-Site WebSocket Hijacking.
	WebSocketVulnCSWSH WebSocketVulnType = "cswsh"

	// WebSocketVulnNoOriginValidation represents missing origin header validation.
	WebSocketVulnNoOriginValidation WebSocketVulnType = "no-origin-validation"

	// WebSocketVulnNoRateLimit represents missing rate limiting.
	WebSocketVulnNoRateLimit WebSocketVulnType = "no-rate-limit"

	// WebSocketVulnNoAuth represents missing authentication.
	WebSocketVulnNoAuth WebSocketVulnType = "no-authentication"

	// WebSocketVulnWeakAuth represents weak authentication (e.g., query param token).
	WebSocketVulnWeakAuth WebSocketVulnType = "weak-authentication"

	// WebSocketVulnNoEncryption represents unencrypted WebSocket (ws:// instead of wss://).
	WebSocketVulnNoEncryption WebSocketVulnType = "no-encryption"

	// WebSocketVulnMessageInjection represents message injection vulnerability.
	WebSocketVulnMessageInjection WebSocketVulnType = "message-injection"

	// WebSocketVulnDenialOfService represents DoS through resource exhaustion.
	WebSocketVulnDenialOfService WebSocketVulnType = "denial-of-service"
)

func (WebSocketVulnType) JSONSchema added in v0.7.0 

func (WebSocketVulnType) JSONSchema() *jsonschema.Schema

JSONSchema implements jsonschema.JSONSchemaer for WebSocketVulnType.

type WebSocketVulnerability added in v0.7.0 

type WebSocketVulnerability struct {
	// Type categorizes the vulnerability.
	Type WebSocketVulnType `json:"type"`

	// Description provides details about the vulnerability.
	Description string `json:"description,omitempty"`

	// CWEIDs lists applicable CWE identifiers.
	CWEIDs []string `json:"cweIds,omitempty"`

	// Severity indicates the vulnerability severity.
	Severity string `json:"severity,omitempty"`

	// Exploitable indicates whether this has been verified as exploitable.
	Exploitable bool `json:"exploitable,omitempty"`
}

WebSocketVulnerability describes a security issue with a WebSocket endpoint.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.