Skip to content

docs: add threat model document#1328

Open
Ron (rjaegers) wants to merge 12 commits into
mainfrom
feature/add-threat-model
Open

docs: add threat model document#1328
Ron (rjaegers) wants to merge 12 commits into
mainfrom
feature/add-threat-model

Conversation

@rjaegers

Copy link
Copy Markdown
Member

🚀 Hey, I have created a Pull Request

Description of changes

This pull request adds automated generation of a comprehensive threat model document (including PDF and diagram) to the documentation build workflow. It introduces a new Jinja2 template for the threat model, updates the workflow to install required dependencies, and ensures the threat model is built and exported alongside other documents. Minor formatting improvements are also included.

Threat modeling automation:

  • Added a new Jinja2 template (docs/templates/threat-model.md.j2) for generating a detailed threat model document from the SBDL model, including methodology, system decomposition, threat analysis, and risk summaries.
  • Updated the documentation workflow (.github/workflows/wc-document-generation.yml) to:
    • Install graphviz for diagram rendering.
    • Generate the threat model Markdown document and a data flow diagram image using SBDL.
    • Export the threat model as a styled PDF alongside existing documents.

Formatting improvements:

  • Fixed table alignment in docs/templates/partials/document-control.md.j2 for improved readability.

✔️ Checklist

  • I have followed the contribution guidelines for this repository
  • I have added tests for new behavior, and have not broken any existing tests
  • I have added or updated relevant documentation
  • I have verified that all added components are accounted for in the SBOM

@rjaegers Ron (rjaegers) requested a review from a team as a code owner July 1, 2026 19:45
Copilot AI review requested due to automatic review settings July 1, 2026 19:45
@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

📦 Container Size Analysis

Note

Comparing ghcr.io/philips-software/amp-devcontainer-base:edgeghcr.io/philips-software/amp-devcontainer-base:pr-1328

📈 Size Comparison Table

OS/Platform Previous Current Change Trend
linux/amd64 71.79 MB 71.79 MB 21 B (0%) 🔽
linux/arm64 70.09 MB 70.09 MB +1.2 kB (+0%) 🔼

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

⚠️MegaLinter analysis: Success with warnings

Descriptor Linter Files Fixed Errors Warnings Elapsed time
✅ ACTION actionlint 23 0 0 0.29s
✅ DOCKERFILE hadolint 3 0 0 0.33s
✅ JSON npm-package-json-lint yes no no 0.86s
✅ JSON prettier 28 6 0 0 1.05s
✅ JSON v8r 28 0 0 13.73s
✅ MARKDOWN markdownlint 12 0 0 0 1.56s
✅ MARKDOWN markdown-table-formatter 12 0 0 0 0.3s
✅ REPOSITORY checkov yes no no 29.86s
✅ REPOSITORY gitleaks yes no no 1.27s
✅ REPOSITORY git_diff yes no no 0.02s
✅ REPOSITORY grype yes no no 56.95s
⚠️ REPOSITORY osv-scanner yes 1 no 1.1s
✅ REPOSITORY secretlint yes no no 2.91s
✅ REPOSITORY syft yes no no 2.26s
✅ REPOSITORY trivy yes no no 15.43s
✅ REPOSITORY trivy-sbom yes no no 0.33s
✅ REPOSITORY trufflehog yes no no 5.37s
⚠️ SPELL lychee 94 1 0 9.28s
✅ YAML prettier 32 0 0 0 1.67s
✅ YAML v8r 32 0 0 13.79s
✅ YAML yamllint 32 0 0 1.81s

Detailed Issues

⚠️ SPELL / lychee - 1 error
📝 Summary
---------------------
🔍 Total..........140
🔗 Unique.........116
✅ Successful.....133
⏳ Timeouts.........0
🔀 Redirected......17
👻 Excluded.........0
❓ Unknown..........0
🚫 Errors...........1
⛔ Unsupported......1

Errors in .github/TOOL_VERSION_ISSUE_TEMPLATE.md
[403] https://developer.arm.com/downloads/-/arm-gnu-toolchain-downloads (at 38:7) | Rejected status code: 403 Forbidden

Hint: Followed 17 redirects. You might want to consider replacing redirecting URLs with the resolved URLs. Use verbose mode (`-v`/`-vv`) to see redirection details.
Hint: You can configure accepted/rejected response codes with `-a` or `--accept`
⚠️ REPOSITORY / osv-scanner - 1 error
Scanning dir .
Starting filesystem walk for root: /
Scanned .devcontainer/cpp/requirements.txt file and found 20 packages
Scanned package-lock.json file and found 73 packages
Scanned test/rust/workspace/cargo/Cargo.lock file and found 1 package
Scanned test/rust/workspace/test/Cargo.lock file and found 1 package
Scanned test/rust/workspace/cortex-m/Cargo.lock file and found 20 packages
Scanned test/rust/workspace/clippy/Cargo.lock file and found 1 package
Scanned test/rust/workspace/cortex-mf/Cargo.lock file and found 20 packages
End status: 88 dirs visited, 295 inodes visited, 7 Extract calls, 57.786542ms elapsed, 57.786871ms wall time

Total 2 packages affected by 2 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 2 Unknown) from 1 ecosystem.
0 vulnerabilities can be fixed.

+-----------------------------------+------+-----------+------------+---------+---------------+------------------------------------------+
| OSV URL                           | CVSS | ECOSYSTEM | PACKAGE    | VERSION | FIXED VERSION | SOURCE                                   |
+-----------------------------------+------+-----------+------------+---------+---------------+------------------------------------------+
| https://osv.dev/RUSTSEC-2026-0110 |      | crates.io | bare-metal | 0.2.5   | --            | test/rust/workspace/cortex-m/Cargo.lock  |
| https://osv.dev/RUSTSEC-2026-0110 |      | crates.io | bare-metal | 0.2.5   | --            | test/rust/workspace/cortex-mf/Cargo.lock |
+-----------------------------------+------+-----------+------------+---------+---------------+------------------------------------------+

Notices

📣 MegaLinter 9.5.0 is out! Discover the new features and security recommendations in the release announcement. (Skip this info by defining SECURITY_SUGGESTIONS: false)

See detailed reports in MegaLinter artifacts

You could have the same capabilities but better runtime performances if you use a MegaLinter flavor:

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

  • Documentation: Custom Flavors
  • Command: npx mega-linter-runner@9.5.0 --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,DOCKERFILE_HADOLINT,JSON_V8R,JSON_PRETTIER,JSON_NPM_PACKAGE_JSON_LINT,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_OSV_SCANNER,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,SPELL_LYCHEE,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

MegaLinter is graciously provided by OX Security
Show us your support by starring ⭐ the repository

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds an automatically generated threat model document (Markdown + PDF) and a generated data-flow diagram (PNG) to the documentation build pipeline, based on a new SBDL threat model.

Changes:

  • Added an SBDL threat model source file (docs/threat-model.sbdl).
  • Added a Jinja2 template to render a full threat model document (docs/templates/threat-model.md.j2) and extended the document-generation workflow to produce the MD/PDF plus a DFD image.
  • Improved table formatting in the shared document-control partial.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File Description
docs/threat-model.sbdl Introduces the threat model data (trust boundaries, actors, data flows, threats, mitigations) in SBDL.
docs/templates/threat-model.md.j2 Adds a document template to render the threat model, including threat details and an RPN-based summary.
docs/templates/partials/document-control.md.j2 Adjusts the document control table formatting for better readability.
.github/workflows/wc-document-generation.yml Installs Graphviz and adds steps to generate the threat model MD/PDF and DFD diagram during document builds.

Comment thread docs/threat-model.sbdl Outdated
@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

📦 Container Size Analysis

Note

Comparing ghcr.io/philips-software/amp-devcontainer-rust:edgeghcr.io/philips-software/amp-devcontainer-rust:pr-1328

📈 Size Comparison Table

OS/Platform Previous Current Change Trend
linux/amd64 468.61 MB 468.61 MB +47 B (+0%) 🔼
linux/arm64 419.8 MB 419.8 MB +827 B (+0%) 🔼

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

📦 Container Size Analysis

Note

Comparing ghcr.io/philips-software/amp-devcontainer-cpp:edgeghcr.io/philips-software/amp-devcontainer-cpp:pr-1328

📈 Size Comparison Table

OS/Platform Previous Current Change Trend
linux/amd64 371.99 MB 371.99 MB 374 B (0%) 🔽
linux/arm64 352.18 MB 352.19 MB +1.39 kB (+0%) 🔼

@rjaegers Ron (rjaegers) temporarily deployed to acceptance-testing July 1, 2026 19:55 — with GitHub Actions Inactive
@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

📦 Container Size Analysis

Note

Comparing ghcr.io/philips-software/amp-devcontainer-embedded-cpp:edgeghcr.io/philips-software/amp-devcontainer-embedded-cpp:pr-1328

📈 Size Comparison Table

OS/Platform Previous Current Change Trend
linux/amd64 560.21 MB 560.21 MB +701 B (+0%) 🔼
linux/arm64 538.89 MB 538.9 MB +1.49 kB (+0%) 🔼

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Test Results

 17 files  ±0   17 suites  ±0   19m 35s ⏱️ +7s
 33 tests ±0   33 ✅ ±0  0 💤 ±0  0 ❌ ±0 
141 runs  ±0  141 ✅ ±0  0 💤 ±0  0 ❌ ±0 

Results for commit a9e71bc. ± Comparison against base commit 157fcb2.

♻️ This comment has been updated with latest results.

@rjaegers Ron (rjaegers) temporarily deployed to acceptance-testing July 1, 2026 20:27 — with GitHub Actions Inactive
Copilot AI review requested due to automatic review settings July 1, 2026 20:51

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

Comment thread .github/workflows/wc-document-generation.yml
Comment thread .github/workflows/wc-document-generation.yml
@rjaegers Ron (rjaegers) changed the title docs: add thread model document docs: add threat model document Jul 1, 2026
@rjaegers Ron (rjaegers) temporarily deployed to acceptance-testing July 1, 2026 21:02 — with GitHub Actions Inactive
Copilot AI review requested due to automatic review settings July 1, 2026 21:20

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.

@rjaegers Ron (rjaegers) temporarily deployed to acceptance-testing July 4, 2026 17:38 — with GitHub Actions Inactive
Copilot AI review requested due to automatic review settings July 4, 2026 17:58

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

Comment thread .dockerignore
Comment on lines +5 to +6
*
!.devcontainer/
@rjaegers Ron (rjaegers) temporarily deployed to acceptance-testing July 4, 2026 18:07 — with GitHub Actions Inactive
@rjaegers Ron (rjaegers) temporarily deployed to acceptance-testing July 4, 2026 18:37 — with GitHub Actions Inactive
Copilot AI review requested due to automatic review settings July 4, 2026 18:58
@sonarqubecloud

sonarqubecloud Bot commented Jul 4, 2026

Copy link
Copy Markdown

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated 1 comment.

Comment thread .dockerignore
Comment on lines +5 to +6
*
!.devcontainer/
@rjaegers Ron (rjaegers) temporarily deployed to acceptance-testing July 4, 2026 19:07 — with GitHub Actions Inactive
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants