
Ignore default generated threats in report #261

Open
harsh02 opened this issue Feb 8, 2025 · 13 comments

Comments

@harsh02

harsh02 commented Feb 8, 2025

Hello,

I am building threat models for embedded devices, and most of the threats generated by the tool are not very relevant. I have my own threat library which I have added to threats.json. Is there any simple way for the report not to show the default threats of elements? That way I can show only the threats I added.

Thanks!

@izar
Collaborator

izar commented Feb 8, 2025

Did you try the --exclude flag? It is probably going to be unwieldy but might be a temporary solution. You can also replace threats.json with your own, and we have been thinking about adding a BYO capability for user libraries. Let me look into that.

@raphaelahrens
Contributor

For completeness, you can also exclude threats by adding an Assumption.

pytm/tm.py, lines 45 to 50 in c8c0875:

    web.assumptions = [
        Assumption(
            "This webserver does not use PHP",
            exclude=["INP16"],
        ),
    ]

But I wonder why you don't create a threat library JSON file with only your threats and then just create a report from it.
Doing it this way, only your threats will be in the report.

What could be interesting is to have the ability to use multiple threat files, but this would require some code changes.

@harsh02
Author

harsh02 commented Feb 9, 2025

Thanks for your inputs! I am only using the threat library that I built now, and that's working.

Yes, multiple threat library support would be useful.

@raphaelahrens
Contributor

Multiple threat libraries would require some thought.
@izar should this be a new issue?

@harsh02 One last question: would you be willing to share your threat library?

@izar
Collaborator

izar commented Feb 12, 2025

I have that code almost ready, it is a small change. One question though: should libraries added on the command line override the built-in one, or be in addition to it?

@raphaelahrens
Contributor

raphaelahrens commented Feb 12, 2025

Mhhh, I would go by allowing to set multiple files.
When only one file is given, override the defaults.
When two files are given, combine the two.

Further, you could add a constant which is the path to the default one.

So

    # is the default and this line could be removed
    tm.threatFiles = pytm.DEFAULT_THREADS
    # custom lib
    tm.threatFiles = "./custom.json"
    # default joined with custom, where custom overrides
    tm.threatFiles = [pytm.DEFAULT_THREADS, "./custom.json"]

@izar
Collaborator

izar commented Feb 12, 2025

Ok, now you confused me :)

If none is given, then we use the default one.
If many are given, then we combine them. But do we keep the default one or drop it?

@raphaelahrens
Contributor

Ahh sorry, I used the word override twice in different ways.

None is the default, yes.

If you set tm.threatFiles, the default is ignored.

    tm.threatFiles = "./custom.json"

If you have two custom files, you combine them.

    tm.threatFiles = ["./custom.json", "./another.json"]

If you want to still use the default but want to add your custom threats:

    tm.threatFiles = [pytm.DEFAULT_THREADS, "./custom.json", "./another.json"]

With this behaviour it is possible to fully replace the default threats.
But by using pytm.DEFAULT_THREADS it is possible to still use the defaults.

Have you considered how pytm should behave when two files define a threat with the same Id?
Here I would suggest that the last file in the list overwrites the others.

@izar
Collaborator

izar commented Feb 13, 2025

I don't think the default should be None. It should be the built-in library. Perhaps I'll have "default" as a keyword, such that:

    ./tm.py --threat-libraries default foo.json bar.json

would make all 3 of them be loaded,

    ./tm.py --threat-libraries foo.json bar.json

would use just the 2, and

    ./tm.py --report foo

would use just the default?

@raphaelahrens
Contributor

raphaelahrens commented Feb 14, 2025

Ok, I should stop writing quick replies on my phone 🤣.

> Ok, now you confused me :)
>
> If none is given then we use the default one.

Yes, no argument should be the default library. ("None is the default, yes.")

> ./tm.py --threat-libraries default foo.json bar.json
>
> would make the 3 of them be loaded,
>
> ./tm.py --threat-libraries foo.json bar.json
>
> would use just the 2,

Exactly.

> ./tm.py --report foo
>
> would use just the default ?

Yes, if no threat library argument is given, the default threat library should be used, since this change would not affect other users who assume the old behavior.

What will happen to tm.threatsFile?

pytm/pytm/pytm.py, lines 790 to 794 in c8c0875:

    threatsFile = varString(
        os.path.dirname(__file__) + "/threatlib/threats.json",
        onSet=lambda i, v: i._init_threats(),
        doc="JSON file with custom threats",
    )
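To make the semantics agreed in this thread concrete, here is an added stand-alone Python example (it is not pytm's code and is not part of the original issue). It covers both the Assumption-style exclude list from the earlier comment and the multi-library loading discussed here: a "default" keyword standing for the built-in library, no argument meaning the built-in library only, and the last file in the list overwriting earlier ones on a duplicate threat id. `DEFAULT_THREATS_PATH`, `resolve_threat_files`, `merge_threat_libraries`, `apply_exclusions` and the two sample libraries are constructed for illustration; the example assumes the `SID` field carries the threat id, as the entries in pytm's shipped threats.json do.

```python
"""Added example (not pytm project code): resolve, merge and filter
threat-library JSON files the way this issue proposes."""
import json
import os
import tempfile

# Assumed location of the built-in library; a stand-in for whatever constant
# pytm ends up exposing, not pytm's real attribute.
DEFAULT_THREATS_PATH = os.path.join(
    os.path.dirname(os.path.abspath(__file__)), "threatlib", "threats.json"
)


def resolve_threat_files(args, default_path=DEFAULT_THREATS_PATH):
    """Map command-line arguments to the list of files to load.

    No arguments keeps the old behaviour (built-in library only); the
    literal "default" is replaced by the built-in library's path, so
    ["default", "foo.json"] loads both and ["foo.json"] loads only foo."""
    if not args:
        return [default_path]
    return [default_path if a == "default" else a for a in args]


def load_threat_library(path):
    """Load one library and reject anything that is not a list of threats
    carrying an SID, so a malformed file fails loudly instead of silently
    dropping threats from the report."""
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    if not isinstance(data, list):
        raise ValueError(f"{path}: expected a JSON list of threat objects")
    for threat in data:
        if not isinstance(threat, dict) or "SID" not in threat:
            raise ValueError(f"{path}: every threat needs an 'SID' field")
    return data


def merge_threat_libraries(threat_lists):
    """Combine libraries in order; a later library overwrites an earlier
    entry with the same SID (last file in the list wins)."""
    merged = {}
    for threats in threat_lists:
        for threat in threats:
            merged[threat["SID"]] = threat
    return list(merged.values())


def apply_exclusions(threats, exclude_ids):
    """Drop threats whose SID appears in an Assumption-style exclude list."""
    excluded = set(exclude_ids)
    return [t for t in threats if t["SID"] not in excluded]


# Constructed sample libraries: a two-entry stand-in for the built-in
# library and a custom embedded-device library that overrides AA01.
SAMPLE_DEFAULT = [
    {"SID": "INP16", "description": "PHP Remote File Inclusion", "target": ["Server"]},
    {"SID": "AA01", "description": "Authentication Abuse/ByPass", "target": ["Process"]},
]
SAMPLE_CUSTOM = [
    {"SID": "AA01", "description": "Weak debug-port authentication (embedded)", "target": ["Process"]},
    {"SID": "EMB01", "description": "Firmware image not signature-checked at boot", "target": ["Process"]},
]


def demo():
    """Write the sample libraries to a temp dir, load 'default' plus the
    custom file, merge them, then exclude INP16 as the Assumption example
    in this thread does. Returns {SID: description} for the report."""
    with tempfile.TemporaryDirectory() as tmp:
        default_path = os.path.join(tmp, "threats.json")
        custom_path = os.path.join(tmp, "custom.json")
        for path, library in ((default_path, SAMPLE_DEFAULT), (custom_path, SAMPLE_CUSTOM)):
            with open(path, "w", encoding="utf-8") as fh:
                json.dump(library, fh)
        files = resolve_threat_files(["default", custom_path], default_path=default_path)
        merged = merge_threat_libraries(load_threat_library(p) for p in files)
        report = apply_exclusions(merged, exclude_ids=["INP16"])
        return {t["SID"]: t["description"] for t in report}


if __name__ == "__main__":
    for sid, description in demo().items():
        print(f"{sid}: {description}")
```

With the custom file listed after "default", AA01 takes the custom description while INP16 is removed by the exclude list; listing the files in the opposite order would keep the built-in AA01 text, which is exactly the ordering question the thread settles on.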

@harsh02
Author

harsh02 commented Feb 17, 2025

Thanks guys for your comments, I'll see what I can share in terms of a threat library without putting my org at risk.

Usually I also run into another problem: when I add my custom threats, I would like to apply those threats to specific assets in my threat model, but I'd have to pick (asset, dataflow, etc.) as the target element. Any ideas on an easier way to do this?


@izar
Collaborator

izar commented Feb 18, 2025

Can we move the coding question to a separate issue?
