
stride-gpt's Introduction

Matt Adams


🔭 I'm currently working on practical applications for LLMs in cyber security.

💬 Ask me about security architecture, generative AI security

🖥 Skills

  • Security Architecture
  • Python
  • LLMs

โš™๏ธ Tech Stack

Python Docker Kubernetes PyTorch Pandas NumPy Flask Django Visual Studio Code AWS Azure DigitalOcean Vercel Anaconda GitHub Apache Nginx Ansible Terraform

stride-gpt's People

Contributors

kenichi-shibata, mrwadams


stride-gpt's Issues

Invalid parameter: 'response_format' when using Azure OpenAI

When using Azure OpenAI I get the following error:

Error generating threat model after 3 attempts: Error code: 400 - {'error': {'message': "Invalid parameter: 'response_format' of type 'json_object' is not supported with this model.", 'type': 'invalid_request_error', 'param': 'response_format', 'code': None}}

I just used the example prompt from the left pane and left all settings as they are.
Models I tried from my Azure OpenAI instance: gpt-4 & gpt3.5-turbo. Both resulted in the same error.

Read Time out "langchain.llms.openai.completion_with_retry"

Hey, sometimes the app seems to be experiencing a time-out issue, and then the output is standard STRIDE instead of being related to the web application description:

Application log with timeout error:

Retrying langchain.llms.openai.completion_with_retry.<locals>._completion_with_retry in 4.0 seconds as it raised Timeout: Request timed out: HTTPSConnectionPool(host='api.openai.com', port=443): Read timed out. (read timeout=600).

Description and output with default stride

[Screenshot 2023-11-21 at 12 56 22]

Warning: This way of initializing it is no longer supported

Hey, do you think the code needs an update? Looking into the logs I see the following warnings:

2023-11-21 15:37:46.540 Session with id c47b6f13-4f5b-49b4-a2f5-9c6b33d2c165 is already connected! Connecting to a new session.
/usr/local/lib/python3.8/dist-packages/langchain/llms/openai.py:243: UserWarning: You are trying to use a chat model. This way of initializing it is no longer supported. Instead, please use: `from langchain.chat_models import ChatOpenAI`
  warnings.warn(
/usr/local/lib/python3.8/dist-packages/langchain/llms/openai.py:1038: UserWarning: You are trying to use a chat model. This way of initializing it is no longer supported. Instead, please use: `from langchain.chat_models import ChatOpenAI`

I found some related info here

Regards,
Fab

API Key Issue?

Is there a problem with OpenAI API keys? I don't get a connection when adding a project API key for ChatGPT-4o. Error generating threat model after 3 attempts: Error code: 404 - {'error': {'message': 'The model gpt-4o does not exist or you do not have access to it.', 'type': 'invalid_request_error', 'param': None, 'code': 'model_not_found'}}

Do you get weirdly formatted output

Hi @mrwadams - This is more of a question. Sometimes, even though the prompt is programmed to return JSON, I get an output from OpenAI/Azure OpenAI that's not JSON but a string. If it's only a string, it's OK, but I sometimes also get a statement like this "Here's a JSON response providing a threat model and improvement suggestions for the web application described:\n\n```json" and there are other variants :)

I now suddenly have a very big exception handler that handles JsonDecodeError where I spend time parsing. Is this normal? Have you seen this?
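
The failure mode described in this issue (a prose preamble and a Markdown fence around the JSON) can be handled by scanning the reply for the first JSON object that matches the expected shape and rejecting everything else. This is an added example, not code from stride-gpt or from the poster; the key names in REQUIRED_KEYS and the sample replies are constructed assumptions.

```python
import json
import re

# Hypothetical key names; adjust to the schema your prompt asks for.
REQUIRED_KEYS = ("threat_model", "improvement_suggestions")

def extract_json(reply, required_keys=REQUIRED_KEYS):
    """Return the first JSON object in an LLM reply that has the required keys.

    Handles bare JSON, JSON inside a Markdown json fence, and JSON preceded or
    followed by prose. Raises ValueError instead of guessing when nothing fits.
    """
    decoder = json.JSONDecoder()
    for brace in re.finditer(r"\{", reply):
        try:
            # raw_decode parses one value at this offset and ignores what follows
            obj, _end = decoder.raw_decode(reply, brace.start())
        except json.JSONDecodeError:
            continue  # this brace was prose or a broken fragment; try the next
        if isinstance(obj, dict) and all(k in obj for k in required_keys):
            return obj
    raise ValueError("model reply contains no JSON object with the required keys")

# Constructed sample replies (not real model output).
FENCE = "`" * 3
PAYLOAD = {
    "threat_model": [{"Threat Type": "Spoofing", "Scenario": "Stolen session token"}],
    "improvement_suggestions": ["Describe the authentication flow"],
}
BARE = json.dumps(PAYLOAD)
WRAPPED = (
    "Here's a JSON response providing a threat model and improvement "
    "suggestions for the web application described:\n\n" + FENCE + "json\n"
    + json.dumps(PAYLOAD, indent=2) + "\n" + FENCE + "\nAsk if you need {more}."
)
# Reply cut off mid-object, as happens when the token limit is hit.
TRUNCATED = WRAPPED[: WRAPPED.index('"improvement_suggestions"')]

if __name__ == "__main__":
    for name, reply in [("bare", BARE), ("wrapped", WRAPPED), ("truncated", TRUNCATED)]:
        try:
            print(name, "->", sorted(extract_json(reply)))
        except ValueError as exc:
            print(name, "-> rejected:", exc)
```

The truncated reply still contains one complete inner object, which is why the required-keys check matters: without it the parser would return a fragment of the threat model as if it were the whole answer.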

Add local LLM hosting option

I forked the repository and added support for a custom OpenAI compatible endpoint using LM Studio. This allows you to run a local LLM and generate threat modeling artifacts through the tool without sharing data with a 3rd party. Happy to put in a pull request, but still testing on my end.

Mistral 7B performs relatively well here, but I am seeing some issues with the mermaid output not being escaped properly and the Gherkin test case generation is failing on return. Not sure why, but otherwise... it works pretty great.

Request for AMD64 Compatible Docker Image

I recently tried to pull and run the mrwadams/stridegpt:latest Docker image on my AMD64 architecture machine. However, I encountered an architecture mismatch issue. The image appears to be built for ARM64 architecture, which leads to an "exec format error" when running it on an AMD64 host.

Here are the steps I followed:

Pulled the latest Docker image:

docker pull mrwadams/stridegpt:latest

Tried to run the Docker container:

docker run -p 8501:8501 mrwadams/stridegpt

Encountered the following error:

WARNING: The requested image's platform (linux/arm64/v8) does not match the detected host platform (linux/amd64/v4) and no specific platform was requested exec /usr/local/bin/streamlit: exec format error

Would it be possible to provide an AMD64 compatible version of the Docker image? This would greatly help users running on AMD64 architecture to use stridegpt without needing to set up QEMU for emulation.

Thank you for your assistance!

Best regards,

google.generativeai is not available as wheel/sdist or in Nixpkgs

Hey I'm trying to package this for NixOS but I'm running into an issue, it seems a dependency is not available at least on common repos.

error: builder for '/nix/store/acw9c43i76w3m4ywr69qw96ymimgqxqc-mach_nix_file.drv' failed with exit code 1;
       last 9 log lines:
       >
       > The Package 'google.generativeai' (build: ()) is not available from any of the selected providers ['nixpkgs', 'sdist', 'wheel']
       >  for the selected python version
       > The required package might just not (yet) be part of the dependency DB currently used.            
       >
       For full logs, run 'nix log /nix/store/acw9c43i76w3m4ywr69qw96ymimgqxqc-mach_nix_file.drv'

I will try and see if I can package google.generativeai in Nixpkgs and attempt to rebuild this package.

openAI API - error code 404

Hi @mrwadams,

Please could you help me, I'm facing some issues with trying the app.
I tried to use the OpenAI API option, after following the steps to enter the OpenAI API key.
Entered the API key (using the paid version of ChatGPT).
Using the Example Application description. After clicking on Threat Model I get this error:
Error generating threat model after 3 attempts: Error code: 404 - {'error': {'message': 'The model gpt-4o does not exist or you do not have access to it.', 'type': 'invalid_request_error', 'param': None, 'code': 'model_not_found'}}

I'm facing the error with gpt-4o and gpt-4-turbo, and couldn't try other versions as the text field to enter information is missing.

Thanks in advance

Add LICENSE file

That one seems easy enough :) Thanks for opening up the code!

Combining architecture diagram and security requirements / application description?

First of all, this is a great initiative. I think all developer teams can save a lot of time and find security more pleasurable to work with if they use this tool.

I have tested it using the gpt4-o model and when I upload the architecture diagram it seems to override the description of the application. In threat modelling we should focus on the threats that matter and I think the output can be even better.

To make it better, I think it should be possible to upload both an architecture diagram and provide your own description of the application or add your own security requirements:

  • Some developer teams might use a developer platform which already has many security measures built in. This could be a set of policies that ensures a super secure configuration of storage accounts, or policies that ensure all data, both at rest and in motion, is encrypted.
  • Other teams might get a list of security requirements from the security department, often an Excel document with requirements of the more generic type such as "All data shall be encrypted", and it might be difficult to implement this 100%.

Would love to hear what others think about this.
