Consider using python objects for defining threats

[NoodlesNZ]

The current system of using threats defined in JSON is a little bit hard to use/maintain. The conditions for a threat are written as a string, then eval'ed which is not ideal.

With the pydantic models, it should be easy to define threats as python classes and allow for type hinting, unit tests, linting etc

[NoodlesNZ]

Proof of concept: #328

[izar]

and that would remove the need for the eval, correct?

[NoodlesNZ]

Correct, at least for the built in threats. If you want to allow loading of json files for backwards compatibility then it will have eval

Each threat class has a method called _check_condition:
https://github.com/OWASP/pytm/pull/328/changes#diff-c0ca22ec4303e6900ea65a55c408ad3cefdcc1285aa68d68c613c67b19625845R22-R23
This implements the conditional logic of when to apply the threat