The "Microsoft Threat Modeling Tool to Cairis" (TMT2Cairis) converter is able to generate an XML file optimized for Cairis from a TM7 file for the automated creation of a data flow diagram. For later import in Cairis, please use the "diagrams.net" import (See Usage 9.)
-
Download the TMT2Cairis Project (zip, "git clone" ...)
-
Navigate to the directory where you have downloaded the tool (Windows - CMD or Ubuntu Shell)
-
Start the TMT2Cairis.py file with python. (Python3 is required)
python TMT2Cairis.py or python3 TMT2Cairis.py
-
Your File-Explorer should open
-
Navigate to the file to be transformed (For testing you can use the sample-TM7 Files in TMT2Cairis\tm7_Samples)
-
The TMT2Cairis Tool will now generate you a XML File in the same directory (source directory)
-
Open your Cairis-Tool or for testing go to https://demo.cairis.org/ (User: [email protected], PW: test)
-
Navigate to System/Import Model in Cairis
-
Import Model
- As Model Select : diagrams.net (Data Flow Diagram)
- File: Select the new generated XML file
- Environment: Choose your predefined Environment (You can define an environment in UX/Environment)
-
Navigate to Models/Data Flow in Cairis
- Python 3 is required
- Works best with Python 3.8+
- OS with GUI Windows/Ubuntu/Linux Mint/MAC OS (No Arch yet)
These Information might be relevant for a ongoing development, so it's just presented here...
| Type | Available Information from MS TMT |
|---|---|
| tm.Actor | name, type, size, position, id, hasOpenThreats & more |
| tm.Store | name, type, size, position, id, hasOpenThreats & more |
| tm.Flow | name, size, target, source, vertices, id, threats, attr |
| tm.Boundary | name, type, size, source, vertices, id, hasOpenThreats, attr |
| tm.Process | name, type, size, position, attr, hasOpenThreats |
| Class | Type | Necessary Information for Cairis | |
|---|---|---|---|
| Entity (incl. Actor) | Assets | entity | label (name), type, id, x, y, width, height |
| Entity - Data Store | Assets | datastore | label (name), type, id, x, y, width, height |
| Data Flow | Data Flows | None | label, asset, id, source, target |
| Trust Boundary | Trust Boundary | trustboundary | label, name, type, id, , x, y, width, height |
| Process | Usecase | usecase | label(name), type, id, x, y, width, height |
- Data Flow Names are ignored because of in Cairis all data flows inside objects are predefined as "undefined flows"
- TMT2Cairis can not handle Files with multiple Environments yet! Please create an own file for each environment first. You can later create and directly import the models in the environment in Cairis (See Usage 9.)
- In the MS TMT Tool you can create Trust Boundaries as lines. In Cairis a trust boundary at least has to have one Process. Data Stores and Entities are also not allowed to be inside a trust boundary
- Becuase of Cairis Syntax it's not allowed to have a direct data flow between two entities!
Almost complety used the TMT2TD Python Script from https://github.com/OWASP/threat-dragon/tree/main/utils/TMT2TD, For testing used the Open Threat Modeling Templates from https://github.com/matthiasrohr/OTMT