Within the View Asset Model: The corresponding asset options are not appearing correctly. Asset options are either empty or not corresponding with the asset that was selected.

Installation problems

I've found a few problems installing CAIRIS on Ubuntu 14.04 LTS - fixes inline.

Step 1:

sudo apt-get install python-wxglade python-glade2 python-wxgtk2.8 python-dev build-essential mysql-server mysql-client graphviz docbook dblatex python- pip git libmysqlclient-dev --no-install-recommends texlive-latex-extra docbook-utils

Should be python-pip. Also we have an unsatisfied dependency on python-numpy. Pip installation fails without it's own dependencies, so we should just install the package.

Step 4:

$ sudo chown -R $CAIRIS_USER:$CAIRIS_USER $CAIRIS_DIR $ sudo chmod -R 775 $CAIRIS_DIR

Needs to be split at the $

Step 6:

$ mysql –u cairis –p –database=cairis < $CAIRIS_SQL/procs.sql
$ mysql –u cairis –p –database=cairis < $CAIRIS_SQL/init.sql

Should be

$ mysql –u cairis –p cairis < $CAIRIS_SQL/procs.sql
$ mysql –u cairis –p cairis < $CAIRIS_SQL/init.sql

Expected behaviour

Create new goal. Click on close button. List of goals should be displayed

Actual behaviour

Dialog remains unchanged

Steps to reproduce the behaviour

Follow expected behaviour instructions

Version of CAIRIS

All versions of the web app

Operating Systems / Hardware

All

Expected behaviour

Countermeasure-generated assets should appear in classModelElements stored procedure.

Actual behaviour

Countermeasure-generated assets don't appear in classModelElements stored procedure.

Steps to reproduce the behaviour

Generate asset from countermeasure. View asset model.

Version of CAIRIS

All

Operating Systems / Hardware

All

Currently supported in desktop application. Not supported in web app.
To implement this:

• The architectural pattern API needs to be revised to:
  (i) GET a weakness analysis for an architectural pattern.
  (ii) POST a pattern situate operation

• It should be possible to right-click an architectural pattern from the web app, and have this open up a weakness analysis dialog box showing threats, vulnerabilities, persona impact and obstacles.

When adding a Threat in CAIRIS, leaving the Tags field blank, it will be assigned "". If another threat is created it will also be assigned the same tag. This causes a primary key error when importing the model.

Apologies if this has been addressed in a newer version.

It should be possible to find CAIRIS objects based on tags.

Expected behaviour

When deleting an object in the web app, a warning about the consequences of the deletion should be displayed.

Actual behaviour

A warning is displayed, but only if there are dependencies on the object.

Steps to reproduce the behaviour

1. Go to any menu, e.g. Risk/Assets
2. Click on the '-' icon next to whatever object you want to delete.

Version of CAIRIS

1.2.10

Operating Systems / Hardware

All

When importing model files, it's possible that people might erroneously add the same label to different requirements, e.g.

These sort of errors should be caught when importing models. Moreover, it shouldn't be possible to add requirements to the database if the same label already exists for the same asset or environment.

Obstacle probability are defined in obstacle database objects, and can be visualised. However, these currently can't be edited - either from the XML model files or from the GUI.

In the stored procedure 'delete_vulnerability' there is an SQL statement which refers to a non-existing column in the database. This makes it impossible to delete any vulnerability.

The SQL statement which contains the invalid reference is the following:
delete from component_vulnerability_target where threat_id = threatId;
...where threat_id is the non-existing column.

To generate GRL models, it's necessary to add additional information to a few model elements, e.g. document references, persona characteristics, elements of use cases.

This entails updating the model definitions to include the additional information, and UI updates to facilitate adding/updating them.

The problem mostly occurs when there are some tension fields in the last column are " ". When you update these tensions and reopen them, they don't have the same values.

This is an example of what happens.

Firstly I alter the tensions

After updating the environment and closing all of the environment windows, I reopen the window and the tensions values are changed to the following sequence.
It seems that the third column is copied to the last column.

the risk table within the cairis database, seems to contain an environment_id that always defaults to the default value.

Expected behaviour

Removing goal/sub-goal refinements from goal dialog should remove refinements from the goal object, such that these aren't visible when updating goals.

Actual behaviour

This isn't happening due to some faulty logic where the refinement list continues to be iterated after refinements are spliced from the list.

Steps to reproduce the behaviour

Open goal with refinements. Remove refinement from the list. Update the goal. Open the goal again - the refinement is still visible.

Version of CAIRIS

All versions of the web app

Operating Systems / Hardware

All

Obstacles in KAOS model are coloured based on their probability, but this isn't currently the case with obstacles in risk models.

Expected behaviour

Clicking create when defining a new asset should add a new entry to the asset table.

Actual behaviour

It doesn't. You need to click on the Assets breadcrumb to update the list

Steps to reproduce the behaviour

See expected behaviour.

Version of CAIRIS

Current version of web app

Operating Systems / Hardware

All

Expected behaviour

Importing CAIRIS model containing tasks and task characteristic based on non-document references should be successful

Actual behaviour

Import fails with database errors.

Steps to reproduce the behaviour

1. Run the regenerate.sh script in the webinos design data repository to create the webinos CAIRIS model.
2. Export the model
3. Re-import the model

Version of CAIRIS

All

Operating Systems / Hardware

All

Expected behaviour

Clicking on a dependency object in web app loads up dependency details in a modal dialog.

Actual behaviour

They don't

Steps to reproduce the behaviour

Add a dependency. Try and edit it

Version of CAIRIS

Latest of web app

Operating Systems / Hardware

All

Expected behaviour

Web app should be blocked and/or some sort of progress indication should be given.

Actual behaviour

Possible to interact with web app while model is being imported

Steps to reproduce the behaviour

Once logged in.

1. Go to System/Import model menu
2. Select 'Model' and choose model to import
3. Click Ok

Version of CAIRIS

1.2.10

Operating Systems / Hardware

All

Expected behaviour

• Model should import successfully, and clicking on toolbar buttons should show the correct objects for the new model

Actual behaviour

• This error is shown in the cairisd logs
  Database conflict: Cannot remove vulnerability_type due to dependent data (id:1451,message:Cannot delete or update a parent row: a foreign key constraint fails (arm.vulnerability, CONSTRAINT vulnerability_ibfk_1 FOREIGN KEY (vulnerability_type_id) REFERENCES vulnerability_type (id)))
• The CAIRIS database is left in an inconsistent state

Steps to reproduce the behaviour

1. Click on File/Import menu option
2. Select Menu from the combo box
3. Select a different XML model file to that currently open

Version of CAIRIS

1.2.1

Operating Systems / Hardware

Debian 8

Expected behaviour

If threat or vulnerability types haven't been imported, it shouldn't be possible to open threat and vulnerability tables.

Actual behaviour

It is :-)

Steps to reproduce the behaviour

Create an empty project. Add an environment, asset, and attacker. Click on Risk/Threats or Risk/Vulnerabilities menu

Version of CAIRIS

All versions of the web app

Operating Systems / Hardware

All

While much of the CAIRIS GUI is available in the CAIRIS web app, this issue keeps track of the various tasks that need to be complete before the web app (and web services API) is functionality complete.

When we've ticked off all these boxes, we can say that the core of 'CAIRIS Web' is functionally complete.

Absent interfaces

• Domain Properties
• Obstacles
• Personas
• Tasks
• Use Cases
• Countermeasures
• Goal Associations
• Class Associations
• Responsibility Associations
• Responsibility models
• Persona Argumentation models
• Searching by text / type
• Model export
• Documentation generation

Absent web services

• Domain Properties
• Obstacles
• Personas
• Tasks
• Countermeasures
• Use Cases
• Goal Associations
• Class Associations
• Responsibility Associations
• Documentation generation

Incomplete models

Asset model

• Asset security property values not displayed
• Persona values not displayed
• model filtering

Risk model

• Asset security properties not visible
• Asset security property options not displayed
• Threat likelihood not visible
• Threat security properties not visible
• Vulnerabilities severity not visible
• Roles not properly displayed
• Task values not displayed
• Attacker values not displayed
• Threat values not displayed
• Vulnerability values not displayed
• Risk values not displayed
• Misuse case values not displayed
• Role values not displayed
• Response values not displayed
• Obstacle values not displayed
• Requirement values not displayed
• Countermeasure values not displayed
• model filtering

KAOS models

• Goal options not displayed
• Obstacle options not displayed
• Role options not displayed
• Domain property options not displayed
• model filtering

Task model

• Task values not displayed
• Misuse case values not displayed
• Role values not displayed
• Persona values not displayed
• Attacker values not displayed
• model filtering

Expected behaviour

When import a new model, the breadcrumb should reset to the home settings.

Actual behaviour

The breadcrumb settings are based on the form open when the model was imported.

Steps to reproduce the behaviour

1. Go to documentation form. Import model.

Version of CAIRIS

All

Operating Systems / Hardware

All

Test issue body

In the CAIRIS GUI, it's possible to see the details behind a particular risk's score. This can be useful if a risk has an unexpectedly high or low score. These details are accessible via the API, so it's just a case of making sure these are displayed in the web app.

When trying to export a model I get the following error message:

{
"code": 400,
"message": "One or more parameters are missing or invalid. Please check your request if it contains all the required parameters.\nRequired parameters:\n* session_id",
"status": 400
}

It seems to happen when I add a persona and or roles.
The error message doesn't always come up after a persona or role is added and will allow my to export the model.xml file however when trying to import that very same file later it never gets past the loading screen.

I have looked at the model.xml file that it allowed me to download and when deleting everything in between the usability tags it is able to load the model.

Any help would be greatly appreciated

Archive.zip

Version of CAIRIS

Attempting to install the Debian package on Debian 8.4.0 does not run the postInst script.
Installation steps to reproduce:

sudo dpkg -i cairis_package.deb
sudo apt-get install -f

When trying to create any model on Ubuntu 14.04, the function read_number(self) at line 490 in xdot.py renders an exception because it is unable to convert a float declared as a string into an integer. A simple fix would be to change the line of code to first convert it to a float number, then use the round() method to make it a round number and then finally convert it to an integer.

The following code...

def read_number(self):
    return int(self.read_code())

...would become...

def read_number(self):
    return int(round(float(self.read_code())))

because, for example,...

int("12.8")

... is not supported in Python 2.7.

I have tested this on my version of Linux and apparently I have been using this fix on my Lubuntu 12.04 virtual machine for a while, so this solution should work. But I was wondering if you experienced the same problem on Debian as well.

Expected behaviour

Clicking on the update button when updating properties should return to the home screen.

Actual behaviour

Clicking on the update button indicates a successful update, but the properties form is still displayed.

Steps to reproduce the behaviour

1. Go to Systems/Properties menu
2. Update any property.
3. Click on Update

Version of CAIRIS

All versions of the web app

Operating Systems / Hardware

All

Expected behaviour

If you click on File/Export from the web app, a new [XML] file should be downloaded containing an XML model export

Actual behaviour

If you click on File/Export from the web app, a new window is opened with the text of the exported XML model

Steps to reproduce the behaviour

1. Click on the File/Export menu option

Version of CAIRIS

1.2.0

Operating Systems / Hardware

All

It should be helpful to simplify the current install process, as there are myriad of little dependencies that need to be setup with the current install.

I have setup a simple puppet script with dependencies to setup a VM machine.
See https://github.com/nigel-v-thomas/Vagrant_CAIRIS

See attached screen shot of error

When creating a mitigation response, it's possible to select an environment for mitigating a risk that is not associated with the risk. By default, the environment panel should be disabled until a risk is selected and when it is, only environments specific to the selected risk should be available for selection.

Expected behaviour

Import model file in web app. Environments not updated in environment comboxbox in requirements form.

Actual behaviour

Requirements should be updated in all comboboxes. Logging out and logging back in fixes the problem, but it's an unnecessary hack :-)

Steps to reproduce the behaviour

Start with an empty model, import a model, environments in that model aren't shown

Version of CAIRIS

All versions

Operating Systems / Hardware

All

The desktop application supports the association of use case steps with exceptions, and the ability to generate obstacles associated with exceptions.

This should be added to the web app as well. While this entails some modest changes to the model definitions, the changes are mainly to the front end (HTML and JavaScript).

From the test case :

================================================================ FAILURES ================================================================
__________________________________________________ ComponentViewTest.testComponentView ___________________________________________________

self = <cairis.test.test_ComponentView.ComponentViewTest testMethod=testComponentView>

def testComponentView(self):

  cvName = self.iComponentViews[0]["theName"]
  cvSyn = self.iComponentViews[0]["theSynopsis"]
  theComponents = []
  for c in self.iComponentViews[0]["theComponents"]:
    cName = c["theName"]
    cDesc = c["theDescription"]
    cInts = []
    for i in c["theInterfaces"]:
      cInts.append((i["theName"],i["theType"],i["theAccessRight"],i["thePrivilege"]))
    cStructs = []
    for cs in c["theStructure"]:
      cStructs.append((cs["theHeadAsset"],cs["theHeadAdornment"],cs["theHeadNav"],cs["theHeadNry"],cs["theHeadRole"],cs["theTailRole"],cs["theTailNry"],cs["theTailNav"],cs["theTailAdornment"],cs["theTailAsset"]))
    cReqs = []
    cGoals = []
    for i in c["theComponentGoals"]:
      cGoals.append(i)

    cGoalAssocs = []
    for cga in c["theComponentGoalAssociations"]:
      cGoalAssocs.append((cga["theGoalName"],cga["theSubGoalName"],cga["theRefType"],'None'))
    theComponents.append(ComponentParameters(cName,cDesc,cInts,cStructs,cReqs,cGoals,cGoalAssocs))

  theConnectors = []
  for conn in self.iComponentViews[0]["theConnectors"]:
    theConnectors.append(ConnectorParameters(conn["theName"],cvName,conn["theFromComponent"],conn["theFromRole"],conn["theFromInterface"],conn["theToComponent"],conn["theToInterface"],conn["theToRole"],conn["theAssetName"],conn["theProtocol"],conn["theAccessRight"]))

  icvp = ComponentViewParameters(cvName,cvSyn,self.theMetricTypes,self.theRoles,self.theAssets,self.theRequirements,self.theGoals,theComponents,theConnectors)
  b = Borg()
  b.dbProxy.addComponentView(icvp)

  ocvps = b.dbProxy.getComponentViews()
  ocvp = ocvps[cvName]

  self.assertEqual(icvp.name(), ocvp.name())
  self.assertEqual(icvp.synopsis(), ocvp.synopsis())

b.dbProxy.deleteComponentView(ocvp.id())

test_ComponentView.py:116:

../core/MySQLDatabaseProxy.py:9468: in deleteComponentView
self.deleteObject(cvId,'component_view')

self = <cairis.core.MySQLDatabaseProxy.MySQLDatabaseProxy instance at 0xac2cdac>, objtId = 104L, tableName = 'component_view'

def deleteObject(self,objtId,tableName):
  try:
    curs = self.conn.cursor()
    sqlTxt = 'call delete_' + tableName + '(%s)'
    curs.execute(sqlTxt,[objtId])
    if (curs.rowcount == -1):
      exceptionText = 'Error deleting ' + tableName + ' id ' + str(objtId)
      raise DatabaseProxyException(exceptionText)
    curs.close()
  except _mysql_exceptions.IntegrityError, e:
    id,msg = e
    exceptionText = 'Cannot remove ' + tableName + ' due to dependent data (id:' + str(id) + ',message:' + msg + ').'

  raise IntegrityException(exceptionText)

E IntegrityException: 'Cannot remove component_view due to dependent data (id:1451,message:Cannot delete or update a parent row: a foreign key constraint fails (arm.connector, CONSTRAINT connector_ibfk_4 FOREIGN KEY (to_component_id) REFERENCES component (id))).'

../core/MySQLDatabaseProxy.py:1014: IntegrityException
---------------------------------------------------------- Captured stderr call ----------------------------------------------------------
/home/cairisuser/cairis/cairis/core/MySQLDatabaseProxy.py:9132: Warning: Incorrect integer value: 'provided' for column 'reqId' at row 1
curs.execute('call addComponentInterface(%s,%s,%s,%s,%s)',[componentId,ifName,ifType,arName,pName])
/home/cairisuser/cairis/cairis/core/MySQLDatabaseProxy.py:9132: Warning: Incorrect integer value: 'required' for column 'reqId' at row 1
curs.execute('call addComponentInterface(%s,%s,%s,%s,%s)',[componentId,ifName,ifType,arName,pName])
/usr/local/lib/python2.7/dist-packages/MySQLdb/cursors.py:91: Warning: No data - zero rows fetched, selected, or processed

Expected behaviour

When viewing concept maps in requirements, it should be possible to see all requirements with manual traceability relations with other requirements.

Actual behaviour

Currently these models are only visible if requirements are explicitly assigned to environments.

Steps to reproduce the behaviour

1. Add traceability links between any two requirements associated with assets

Version of CAIRIS

All

Operating Systems / Hardware

all

What it says on the tin!

At the moment, only security/privacy properties and their values are displayed when clicking on an asset node. There is no obvious reason rationale can't be displayed as well though.

If there are blank lines in cairis.cnf an IndexError is thrown.

Expected behaviour

When in Asset, when selecting Association tab, then hovering over existing association (e.g. from "Smartphone Capability" Asset to "Smartphone Battery"), then clicking the minus symbol to delete the entry, the entry should appear to be deleted and actually be deleted when clicking "Update", then "Update" Asset and receive the "Success" message.

Actual behaviour

When in Asset, when selecting Association tab, then hovering over existing association (e.g. from "Smartphone Capability" Asset to "Smartphone Battery"), then clicking the minus symbol to delete the entry, the entry appears to be deleted when clicking "Update", then "Update" Asset and the "Success" message is displayed. However, I then check to make sure it looks ok in the Asset Model view, OR go back in to the Asset and its Association tab, and notice "Smartphone Battery" did not actually get deleted and instead another asset (e.g. "Smartphone Storage") got deleted instead, despite it not being the original one selected. This means the association needs to be re-entered in the Association tab.

Steps to reproduce the behaviour

As noted, when in Asset, when selecting Association tab, then hovering over existing association (e.g. from "Smartphone Capability" Asset to "Smartphone Battery"), then clicking the minus symbol to delete the entry, the entry appears to be deleted when clicking "Update", then "Update" Asset and the "Success" message is displayed. I didn't really notice this as an issue at first, because you think it worked, but as I had quite a few to update, this problem became noticeably worse to at least 50% or more of the time, meaning there was quite a few to re-fix. That said, under normal circumstances (where these may be edited in small batches), it's difficult to tell if this issue would happen occasionally, or get progressively worse?

Version of CAIRIS

Current CAIRIS Web App (V?)

Operating Systems / Hardware

In Firefox on Ubuntu 14 Linux, in VMWare on Windows 7.

Could it be possible to adapt Cairis to load more than one exemplar at a time?

Expected behaviour

Assets should display the security properties even if they are null. In practice this means that assets with e.g. no confidentiality should display an empty row.

Actual behaviour

Security properties that have no value are not displayed visually. This means that you need to rely on the colour of the boxes to determine whether it is a confidentiality, integrity, availability, or accountability property.

Steps to reproduce the behaviour

Look at the risk model.

Version of CAIRIS

Operating Systems / Hardware

The desktop application supports the import, specification, and situation of security patterns. Security patterns can act as a response to a countermeasure, so adding one to an environment adds the associated assets and goals/requirements as well.

This functionality would be useful for the web app as well.

Expected behaviour

When in Asset, when selecting Association tab, then selecting an existing association (e.g. from Asset to "Smartphone Battery"), the next window where you adjust the association types should display "Smartphone Battery" in the lower field of the associated asset.

Actual behaviour

When in Asset, when selecting Association tab, then selecting an existing association (e.g. from Asset to "Smartphone Battery"), the next window where you adjust the association types does not display "Smartphone Battery" in the lower field of the associated asset. Instead it shows a different asset (which was actually the last new asset added to the database and has nothing to do with this association), meaning you have to re-enter "Smartphone Battery", otherwise it will save incorrectly when "Update" is clicked.

Steps to reproduce the behaviour

This issue occurs every time following the noted steps of editing an association of an asset.

Version of CAIRIS

Current Web App (V?)

Operating Systems / Hardware

Firefox in Ubuntu 14, Linux, in VMWare on Windows 7

Actual behaviour

Produces a serialized error.
{
"code": 404,
"message": "The provided role name could not be found in the database. You have requested this URI [/api/roles/name/attacker] but did you mean /api/roles/name/string:name or /api/roles/name/string:name/properties or /api/goals/name/string:name ?",
"status": "Object not found"
}

Steps to reproduce the behaviour

When you view the risk model and click the line between two elements (in this case the role and the attacker) it produces an error.

Operating Systems / Hardware

Ubuntu VPS (2gb RAM)

Expected behaviour

Create a new object (e.g. asset or goal) in an empty model. Add an environment. When clicking ok, there should be a warning that no environment exist.

Actual behaviour

A null environment is added.

Steps to reproduce the behaviour

Follow instructions in the expected behaviour

Version of CAIRIS

All versions of the web app

Operating Systems / Hardware

All

Expected behaviour

New empty model created.

Actual behaviour

Program hangs, then once the sql query is killed produces:
`sqlalchemy.exc.ProgrammingError

ProgrammingError: (_mysql_exceptions.ProgrammingError) (1146, "Table 'cairis.roles_users' doesn't exist") [SQL: u'SELECT auth_role.id AS auth_role_id, auth_role.name AS auth_role_name, auth_role.description AS auth_role_description \nFROM auth_role, roles_users \nWHERE %s = roles_users.user_id AND auth_role.id = roles_users.role_id'] [parameters: (1L,)]
`

Steps to reproduce the behaviour

1. Log in to CAIRIS
2. Select new from system menu

Version of CAIRIS

All versions

Operating Systems / Hardware

All except when using docker