We will basically create a project without assessment model composition, include our prepared composition manually to the project paths and then make our Analysis-model depend on its models.
1. Create a security analysis project without any Assessment Model Composition. We will add the composition later on by hand.
Select origin of Assessment Model and Catalog
2. As we can see, the created project contains only the analysis template in the model „Project12“ and no composition. I right-click on the root node now and click on „Project Paths“.
Open Project Paths to add the assessment model composition
3. This view lists only that one solution. I click on the + and select the MyComposition.msd in the folder of my composition so that the composition solution is listed here as well. I click apply.
Project Paths are .msd files that contain one or more solutions, such as analyses or assessment models
To add a solution, select the .msd file in its folder
4. My project view lists both solutions now. What we configured so far is just about the solutions that are listed in the left pane. Let’s now configure the Project12 solution to use our Composition solution. For that, I right-click on the Project12 solution and select „Model Properties“:
Open the model properties to make this solution model depend on the assessment model and catalog model
5. I see that there are no dependencies yet. The solution model should depend on the AssessmentModel and the Catalog though. Let’s click on the plus to start adding them
The solution model so far does not import any other models
6. The „Choose Model“ window opened in front of it. You may need to resize it – sometimes the parts on the right side are important to see. In this case, we want to add the two upper models. For that, I click on AssessmentModel, hold shift and click on Catalog to select both entries and click on „Ok“.
A list of models that are in this project. The right hand side shows the name of their containing solution
7. They are listed now in the model properties. Note that when adding them for the first time, they may appear in red font. That’s okay for now. I hit „Ok“ anyway to close the model properties.
The list of imported models
8. That should be all. When creating a threat now and looking at its instantiates-menu, I can see the threat classes that come from the imported catalog as intended.
The tool now includes the imported models in all of its tooling, such as instantiating a threat class from the catalog
9. The VCS integration supports having multiple VCS roots and also supports using svn externals / git submodules (as far as I know). You can add the respective repositories by opening the project preferences and adding the VCS root of the composition:
The settings allow to configure version control for multiple folders
The integration (in my case git) will then show both repositories in all the views. Peculiarly, if I make a change in both repositories and try to commit them together, I will create a commit in each repository with a shared commit message.
The vcs tooling allows to choose in which repository to change the branch
Committing changes in both repositories at the same time will in fact perform two commits with the same description