The attempt[Read/Deny/Modify]FromSoftProdVulnerability attack steps on the Application asset show up as viable using the https://github.com/mal-lang/mal-toolbox. This is not incorrect, but it feels confusing and the steps themselves seem redundant as they could only be called if the associated SoftwareProduct existed in the first place.
It might be worth removing them if they do not serve any other purpose to clean up the resulting attack graphs.