Merge branch 'main' into feat/implementation-groups

README.md

@@ -128,9 +128,9 @@ Checkout the [library](/backend/library/libraries/) and [tools](/tools/) for the
 - UK Cyber Essentials
 - and much more: just ask on [Discord](https://discord.gg/qvkaMdQ8da). If it's an open standard, we'll do it for you, _free of charge_ 😉
 
-### Add your own framework
+### Add your own library (framework, threat catalog, reference controls catalog or matrix)
 
-Have a look in the tools directory and its dedicated readme. The convert_framework.py script will help you create your library from a simple Excel file. A typical framework can be ingested in a few hours.
+Have a look in the tools directory and its dedicated readme. The convert_library.py script will help you create your library from a simple Excel file. A typical framework can be ingested in a few hours.
 
 You will also find some specific converters in the tools directory (e.g. for CIS or CCM Controls).
 

backend/library/libraries/risk-matrix-3x3-mult.yaml

@@ -0,0 +1,88 @@
+urn: urn:intuitem:risk:library:risk-matrix-3x3-mult
+locale: fr
+ref_id: risk-matrix-3x3-mult
+name: Matrice 3x3 multiplicative
+description: Matrice de risque simple 3x3 multiplicative
+copyright: domaine public
+version: 1
+provider: intuitem
+packager: intuitem
+objects:
+  risk_matrix:
+  - urn: urn:intuitem:risk:matrix:3x3-mult
+    ref_id: risk-matrix-3x3-mult
+    name: Matrice 3x3 multiplicative
+    description: Matrice de risque simple 3x3 multiplicative
+    probability:
+    - id: 0
+      abbreviation: 1
+      name: '[1] peu probable'
+      description: 0-33%
+      hexcolor: '#92D050'
+    - id: 1
+      abbreviation: 2
+      name: '[2] moyennement probable'
+      description: 34-66%
+      hexcolor: '#FFFF00'
+    - id: 2
+      abbreviation: 3
+      name: "[3] tr\xE8s probable"
+      description: '>66%'
+      hexcolor: '#FF0000'
+    impact:
+    - id: 0
+      abbreviation: 1
+      name: '[1] mineur'
+      description: impact mineur
+      hexcolor: '#92D050'
+    - id: 1
+      abbreviation: 2
+      name: "[2] mod\xE9r\xE9"
+      description: "impact mod\xE9r\xE9"
+      hexcolor: '#FFFF00'
+    - id: 2
+      abbreviation: 3
+      name: '[3] majeur'
+      description: impact majeur
+      hexcolor: '#FF0000'
+    risk:
+    - id: 0
+      abbreviation: 1
+      name: '[1] faible'
+      description: "n\xE9gligeable"
+      hexcolor: '#92D050'
+    - id: 1
+      abbreviation: 2
+      name: '[2] moyen'
+      description: "tol\xE9rable"
+      hexcolor: '#D3FF4E'
+    - id: 2
+      abbreviation: 3
+      name: '[3] moyen'
+      description: "tol\xE9rable"
+      hexcolor: '#EAFF03'
+    - id: 3
+      abbreviation: 4
+      name: '[4] moyen'
+      description: "tol\xE9rable"
+      hexcolor: '#FFFF00'
+    - id: 4
+      abbreviation: 6
+      name: '[6] fort'
+      description: "rem\xE9diation sour 6 mois"
+      hexcolor: '#FFC000'
+    - id: 5
+      abbreviation: 9
+      name: '[9] critique'
+      description: "Rem\xE9diation sous 2 mois"
+      hexcolor: '#FF0000'
+    grid:
+    - - 0
+      - 1
+      - 2
+    - - 1
+      - 3
+      - 4
+    - - 2
+      - 4
+      - 5

backend/library/libraries/risk-matrix-5x5-sensitive.yaml

@@ -0,0 +1,104 @@
+urn: urn:intuitem:risk:library:risk-matrix-5x5-sensitive
+locale: en
+ref_id: risk-matrix-5x5-sensitive
+name: 5x5 sensitive
+description: 5x5 matrix for highly sensitive
+copyright: domaine public
+version: 1
+provider: intuitem
+packager: intuitem
+objects:
+  risk_matrix:
+  - urn: urn:intuitem:risk:matrix:5x5-sensitive
+    ref_id: risk-matrix-5x5-sensitive
+    name: 5x5 sensitive
+    description: 5x5 matrix for highly sensitive
+    probability:
+    - id: 0
+      abbreviation: AC
+      name: rare
+      description: rare
+    - id: 1
+      abbreviation: LI
+      name: unlikely
+      description: unlikely
+    - id: 2
+      abbreviation: MO
+      name: moderate
+      description: moderate
+    - id: 3
+      abbreviation: UN
+      name: likely
+      description: likely
+    - id: 4
+      abbreviation: RA
+      name: almost certain
+      description: almost certain
+    impact:
+    - id: 0
+      abbreviation: IN
+      name: insignificant
+      description: insignificant
+    - id: 1
+      abbreviation: MI
+      name: minor
+      description: minor
+    - id: 2
+      abbreviation: SI
+      name: significant
+      description: significant
+    - id: 3
+      abbreviation: MA
+      name: major
+      description: major
+    - id: 4
+      abbreviation: SE
+      name: severe
+      description: severe
+    risk:
+    - id: 0
+      abbreviation: LO
+      name: low
+      description: low
+      hexcolor: '#02A45A'
+    - id: 1
+      abbreviation: ME
+      name: medium
+      description: medium
+      hexcolor: '#FFCE02'
+    - id: 2
+      abbreviation: HI
+      name: high
+      description: high
+      hexcolor: '#FFA600'
+    - id: 3
+      abbreviation: CR
+      name: critical
+      description: critical
+      hexcolor: '#FF1A00'
+    grid:
+    - - 0
+      - 0
+      - 0
+      - 1
+      - 1
+    - - 0
+      - 0
+      - 1
+      - 1
+      - 2
+    - - 0
+      - 1
+      - 1
+      - 2
+      - 3
+    - - 1
+      - 1
+      - 2
+      - 3
+      - 3
+    - - 1
+      - 2
+      - 3
+      - 3
+      - 3

frontend/messages/en.json

@@ -338,7 +338,7 @@
 	"librariesStore": "Libraries store",
 	"currentlyNoImportedLibraries": "You currently have no imported libraries",
 	"loadingLibraryUploadButton": "Loading the library upload button",
-	"errorOccuredWhileLoadingLibrary": "The following error occured while loading the library form",
+	"errorOccuredWhileLoadingLibrary": "The following error occurred while loading the library form",
 	"packager": "Packager",
 	"dependencies": "Dependencies",
 	"copyright": "Copyright",
@@ -491,7 +491,7 @@
 	"lowSOK": "The strength of the knowledge supporting the assessment is low",
 	"mediumSOK": "The strength of the knowledge supporting the assessment is medium",
 	"highSOK": "The strength of the knowledge supporting the assessment is high",
-	"libraryImportError": "An error occured during the importation of your library.",
+	"libraryImportError": "An error occurred during the importation of your library.",
 	"libraryAlreadyImportedError": "This library has already been imported.",
 	"invalidLibraryFileError": "Invalid library file. Please make sure the format is correct.",
 	"taintedFormMessage": "Do you want to leave this page? Changes you made may not be saved.",

frontend/messages/fr.json

@@ -120,7 +120,7 @@
 	"revokedAt": "Révoqué le",
 	"submitted": "Soumis",
 	"rejected": "Rejeté",
-	"revoked": "Revoqué",
+	"revoked": "Révoqué",
 	"locale": "Locale",
 	"defaultLocale": "Locale par défaut",
 	"annotation": "Annotation",
@@ -178,7 +178,7 @@
 	"authors": "Auteurs",
 	"reviewers": "Relecteurs",
 	"processButton": "Traiter",
-	"selectTargets": "Selectionnez vos cibles",
+	"selectTargets": "Sélectionnez vos cibles",
 	"composerDescription": "Cela vous aidera à agréger plusieurs composants (projets) pour obtenir une vue d'ensemble de vos risques. Ceci est particulièrement utile pour deux cas d'utilisation",
 	"composerDescription1": "une approche de veille stratégique pour se concentrer sur un sous-ensemble spécifique à travers différents domaines de projet (par exemple, à travers les divisions)",
 	"composerDescription2": "vous êtes intéressé par l'évaluation des risques d'un système spécifique, pour lequel vous avez besoin de l'évaluation des risques des composants sous-jacents",
@@ -247,7 +247,7 @@
 	"confirmNewPassword": "Confirmer le nouveau mot de passe",
 	"label": "Label",
 	"NA": "N/A",
-	"threatAgentFactors": "Facteurs liés aux agents de menace",
+	"threatAgentFactors": "Facteurs liés aux agents menaçants",
 	"vulnerabilityFactors": "Facteurs de vulnérabilité",
 	"businessImpactFactors": "Facteurs d’impact sur les entreprises",
 	"technicalImpactFactors": "Facteurs d’impact techniques",
@@ -258,11 +258,11 @@
 	"skillLevelChoice3": "Utilisateur informatique avancé",
 	"skillLevelChoice4": "Compétences en réseau et en programmation",
 	"skillLevelChoice5": "Compétences en matière de pénétration de la sécurité",
-	"motiveText": "Dans quelle mesure ce groupe d’agents de menace est-il motivé à trouver et à exploiter cette vulnérabilité ?",
+	"motiveText": "Dans quelle mesure ce groupe d’agents menaçants est-il motivé à trouver et à exploiter cette vulnérabilité ?",
 	"motiveChoice1": "Récompense faible ou inexistante",
 	"motiveChoice2": "Récompense possible",
 	"motiveChoice3": "Récompense élevée",
-	"opportunityText": "Quelles ressources et opportunités sont nécessaires pour que ce groupe d’agents de menace trouve et exploite cette vulnérabilité ?",
+	"opportunityText": "Quelles ressources et opportunités sont nécessaires pour que ce groupe d’agents menaçants trouve et exploite cette vulnérabilité ?",
 	"opportunityChoice1": "Accès complet ou ressources coûteuses requises",
 	"opportunityChoice2": "Accès spécialisé ou ressources requises",
 	"opportunityChoice3": "Certains accès ou ressources requis",
@@ -492,7 +492,7 @@
 	"mediumSOK": "La force des connaissances à l’appui de l’évaluation est moyenne",
 	"highSOK": "La force des connaissances à l’appui de l’évaluation est élevée",
 	"libraryImportError": "Une erreur a été détectée durant l'importation de votre librairie.",
-	"libraryAlreadyImportedError": "Cette libairie a été déjà été importée.",
+	"libraryAlreadyImportedError": "Cette librairie a été déjà été importée.",
 	"invalidLibraryFileError": "Fichier de bibliothèque invalide. Veuillez vérifier le format du fichier.",
 	"taintedFormMessage": "Voulez-vous vraiment quitter cette page ? Toutes les données non enregistrées seront perdues.",
 	"riskScenariosStatus": "Statut des scénarios de risque",

tools/README.md

@@ -1,6 +1,6 @@
 # Library workbench
 
-The convert-framework.py script can be used to transform an Excel file to a CISO Assistant library.
+The convert-library.py script can be used to transform an Excel file to a CISO Assistant library.
 
 Have a look to the given examples.
 
@@ -9,7 +9,7 @@ Have a look to the given examples.
 To launch it, open a shell in a command line, and type:
 
 ```bash
-python convert-framework.py your_library_file.xlsx
+python convert-library.py your_library_file.xlsx
 ```
 
 This will produce a file name your_library_file.yaml
@@ -20,26 +20,34 @@ This will produce a file name your_library_file.yaml
 Conventions:
     | means a cell separation, <> means empty cell
     The first tab shall be named "library_content" and contain the description of the library in the other tabs
-        library_urn                 | <urn>
-        library_version             | <version>
-        library_locale              | <en/fr/...>
-        library_ref_id              | <ref_id>
-        library_name                | <name>
-        library_description         | <description>
-        library_copyright           | <copyright>
-        library_provider            | <provider>
-        library_packager            | <packager>
-        library_dependencies        | <urn1, urn2...
-        framework_urn               | <urn>
-        framework_ref_id            | <ref_id>
-        framework_name              | <name>
-        framework_description       | <description>
-        reference_control_base_urn  | <base_urn>            | id
-        threat_base_urn             | <base_urn>            | id
-        tab                         | <tab_name>            | requirements       | <section_name>
-        tab                         | <tab_name>            | threats            | <base_urn>
-        tab                         | <tab_name>            | reference_controls | <base_urn>
-
+        library_urn                | <urn>
+        library_version            | <version>
+        library_locale             | <en/fr/...>
+        library_ref_id             | <ref_id>
+        library_name               | <name>
+        library_description        | <description>
+        library_copyright          | <copyright>
+        library_provider           | <provider>
+        library_packager           | <packager>
+        library_dependencies       | <urn1, urn2...
+        framework_urn              | <urn>
+        framework_ref_id           | <ref_id>
+        framework_name             | <name>
+        framework_description      | <description>
+        framework_min_score        | <min_score>
+        framework_max_score        | <max_score>
+        reference_control_base_urn | <base_urn> | id
+        threat_base_urn            | <base_urn> | id
+        risk_matrix_urn            | <urn>
+        risk_matrix_ref_id         | <ref_id>
+        risk_matrix_name           | <name>
+        risk_matrix_description    | <description>
+        tab                        | <tab_name> | requirements
+        tab                        | <tab_name> | threats            | <base_urn>
+        tab                        | <tab_name> | reference_controls | <base_urn>
+        tab                        | <tab_name> | scores
+        tab                        | <tab_name> | implementation_groups
+        tab                        | <tab_name> | risk_matrix
 
     For requirements:
         If no section_name is given, no upper group is defined, else an upper group (depth 0) with the section name is used.
@@ -64,6 +72,16 @@ Conventions:
             - description
             - category (policy/process/techncial/physical).
             - annotation
+    For risk matrices:
+        The first line is a header, with the following mandatory fields:
+            - type: probability/impact/risk.
+            - id: a number from 0 to n-1 (depending of the number of objects for a given type)
+            - abbreviation: the abbreviation for the object
+            - name: name of the object
+            - description: description of the object
+            - grid: several columns describing the matrix with colors.
+        The grid shall be aligned with the probability objects, the columns being the impact in order of id, and the content of each cell being the id of the risk.
+        This is a topological representation. The display on the screen (transposition, direction of axes) will be managed in the frontend, not in the data model. 
     A library has a single locale. Translated libraries have the same urns, they are merged during import.
     Dependencies are given as a comma or blank separated list of urns.
 ```

tools/aircyber/aircyber.py

@@ -95,7 +95,9 @@
 ws.append(["tab", "implementation_groups", "implementation_groups"])
 
 ws1 = wb_output.create_sheet("controls")
-ws1.append(["assessable", "depth", "ref_id", "name", "description", "implementation_groups"])
+ws1.append(
+    ["assessable", "depth", "ref_id", "name", "description", "implementation_groups"]
+)
 for row in output_table:
     ws1.append(row)
 ws2 = wb_output.create_sheet("implementation_groups")

tools/ccm/convert_ccm.py

@@ -97,12 +97,18 @@ def pretify_content(content):
 ws1 = wb_output.create_sheet("controls")
 ws1.append(
     ["assessable", "depth", "ref_id", "name", "description", "implementation_groups"]
-    )
+)
 for row in output_table:
     ws1.append(row)
 ws2 = wb_output.create_sheet("implementation_groups")
 ws2.append(["ref_id", "name", "description"])
-ws2.append(["lite", "foundational", "foundational controls that should be implemented by any organization, regardless of their budget, maturity and risk profile"])
+ws2.append(
+    [
+        "lite",
+        "foundational",
+        "foundational controls that should be implemented by any organization, regardless of their budget, maturity and risk profile",
+    ]
+)
 ws2.append(["full", "systematic ", "systematic assessment of a cloud implementation"])
 print("generate ", output_file_name)
 wb_output.save(output_file_name)