Merge branch 'intuitem:main' into pgssi-s

intuitem · May 7, 2024 · ca7f268 · ca7f268
2 parents 58b3399 + 6d0d550
commit ca7f268
Show file tree

Hide file tree

Showing 17 changed files with 524 additions and 73 deletions.
diff --git a/.github/workflows/startup-tests.yml b/.github/workflows/startup-tests.yml
@@ -8,7 +8,7 @@ env:
   GITHUB_WORKFLOW: github_actions
   backend-directory: ./backend
   working-directory: ./frontend
-
+  
 jobs:
   startup-functional-test:
     runs-on: ubuntu-20.04
@@ -18,7 +18,7 @@ jobs:
         image: postgres:14.1
         env:
           POSTGRES_USER: postgres
-          POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }}
+          POSTGRES_PASSWORD: postgres
           POSTGRES_DB: postgres
         ports: ["5432:5432"]
         options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
@@ -65,7 +65,7 @@ jobs:
           echo DJANGO_SUPERUSER_PASSWORD=1234 >> .env
           echo POSTGRES_NAME=postgres >> .env
           echo POSTGRES_USER=postgres >> .env
-          echo POSTGRES_PASSWORD=${{ secrets.POSTGRES_PASSWORD }} >> .env
+          echo POSTGRES_PASSWORD=postgres >> .env
           echo DB_HOST=localhost >> .env
           echo CISO_ASSISTANT_SUPERUSER_EMAIL='' >> .env
           echo CISO_ASSISTANT_URL=http://localhost:4173 >> .env

diff --git a/README.md b/README.md
@@ -128,9 +128,9 @@ Checkout the [library](/backend/library/libraries/) and [tools](/tools/) for the
 - UK Cyber Essentials
 - and much more: just ask on [Discord](https://discord.gg/qvkaMdQ8da). If it's an open standard, we'll do it for you, _free of charge_ 😉
 
-### Add your own framework
+### Add your own library (framework, threat catalog, reference controls catalog or matrix)
 
-Have a look in the tools directory and its dedicated readme. The convert_framework.py script will help you create your library from a simple Excel file. A typical framework can be ingested in a few hours.
+Have a look in the tools directory and its dedicated readme. The convert_library.py script will help you create your library from a simple Excel file. A typical framework can be ingested in a few hours.
 
 You will also find some specific converters in the tools directory (e.g. for CIS or CCM Controls).
 

diff --git a/backend/ciso_assistant/settings.py b/backend/ciso_assistant/settings.py
@@ -202,6 +202,10 @@ def set_ciso_assistant_url(_, __, event_dict):
     REST_FRAMEWORK["DEFAULT_RENDERER_CLASSES"].append(
         "rest_framework.renderers.BrowsableAPIRenderer"
     )
+    # Add session authentication to allow using the browsable API
+    REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"].append(
+        "rest_framework.authentication.SessionAuthentication"
+    )
 
     INSTALLED_APPS.append("django.contrib.staticfiles")
     STATIC_URL = "/static/"

diff --git a/backend/library/libraries/risk-matrix-3x3-mult.yaml b/backend/library/libraries/risk-matrix-3x3-mult.yaml
@@ -0,0 +1,88 @@
+urn: urn:intuitem:risk:library:risk-matrix-3x3-mult
+locale: fr
+ref_id: risk-matrix-3x3-mult
+name: Matrice 3x3 multiplicative
+description: Matrice de risque simple 3x3 multiplicative
+copyright: domaine public
+version: 1
+provider: intuitem
+packager: intuitem
+objects:
+  risk_matrix:
+  - urn: urn:intuitem:risk:matrix:3x3-mult
+    ref_id: risk-matrix-3x3-mult
+    name: Matrice 3x3 multiplicative
+    description: Matrice de risque simple 3x3 multiplicative
+    probability:
+    - id: 0
+      abbreviation: 1
+      name: '[1] peu probable'
+      description: 0-33%
+      hexcolor: '#92D050'
+    - id: 1
+      abbreviation: 2
+      name: '[2] moyennement probable'
+      description: 34-66%
+      hexcolor: '#FFFF00'
+    - id: 2
+      abbreviation: 3
+      name: "[3] tr\xE8s probable"
+      description: '>66%'
+      hexcolor: '#FF0000'
+    impact:
+    - id: 0
+      abbreviation: 1
+      name: '[1] mineur'
+      description: impact mineur
+      hexcolor: '#92D050'
+    - id: 1
+      abbreviation: 2
+      name: "[2] mod\xE9r\xE9"
+      description: "impact mod\xE9r\xE9"
+      hexcolor: '#FFFF00'
+    - id: 2
+      abbreviation: 3
+      name: '[3] majeur'
+      description: impact majeur
+      hexcolor: '#FF0000'
+    risk:
+    - id: 0
+      abbreviation: 1
+      name: '[1] faible'
+      description: "n\xE9gligeable"
+      hexcolor: '#92D050'
+    - id: 1
+      abbreviation: 2
+      name: '[2] moyen'
+      description: "tol\xE9rable"
+      hexcolor: '#D3FF4E'
+    - id: 2
+      abbreviation: 3
+      name: '[3] moyen'
+      description: "tol\xE9rable"
+      hexcolor: '#EAFF03'
+    - id: 3
+      abbreviation: 4
+      name: '[4] moyen'
+      description: "tol\xE9rable"
+      hexcolor: '#FFFF00'
+    - id: 4
+      abbreviation: 6
+      name: '[6] fort'
+      description: "rem\xE9diation sour 6 mois"
+      hexcolor: '#FFC000'
+    - id: 5
+      abbreviation: 9
+      name: '[9] critique'
+      description: "Rem\xE9diation sous 2 mois"
+      hexcolor: '#FF0000'
+    grid:
+    - - 0
+      - 1
+      - 2
+    - - 1
+      - 3
+      - 4
+    - - 2
+      - 4
+      - 5
diff --git a/backend/library/libraries/risk-matrix-5x5-sensitive.yaml b/backend/library/libraries/risk-matrix-5x5-sensitive.yaml
@@ -0,0 +1,104 @@
+urn: urn:intuitem:risk:library:risk-matrix-5x5-sensitive
+locale: en
+ref_id: risk-matrix-5x5-sensitive
+name: 5x5 sensitive
+description: 5x5 matrix for highly sensitive
+copyright: domaine public
+version: 1
+provider: intuitem
+packager: intuitem
+objects:
+  risk_matrix:
+  - urn: urn:intuitem:risk:matrix:5x5-sensitive
+    ref_id: risk-matrix-5x5-sensitive
+    name: 5x5 sensitive
+    description: 5x5 matrix for highly sensitive
+    probability:
+    - id: 0
+      abbreviation: AC
+      name: rare
+      description: rare
+    - id: 1
+      abbreviation: LI
+      name: unlikely
+      description: unlikely
+    - id: 2
+      abbreviation: MO
+      name: moderate
+      description: moderate
+    - id: 3
+      abbreviation: UN
+      name: likely
+      description: likely
+    - id: 4
+      abbreviation: RA
+      name: almost certain
+      description: almost certain
+    impact:
+    - id: 0
+      abbreviation: IN
+      name: insignificant
+      description: insignificant
+    - id: 1
+      abbreviation: MI
+      name: minor
+      description: minor
+    - id: 2
+      abbreviation: SI
+      name: significant
+      description: significant
+    - id: 3
+      abbreviation: MA
+      name: major
+      description: major
+    - id: 4
+      abbreviation: SE
+      name: severe
+      description: severe
+    risk:
+    - id: 0
+      abbreviation: LO
+      name: low
+      description: low
+      hexcolor: '#02A45A'
+    - id: 1
+      abbreviation: ME
+      name: medium
+      description: medium
+      hexcolor: '#FFCE02'
+    - id: 2
+      abbreviation: HI
+      name: high
+      description: high
+      hexcolor: '#FFA600'
+    - id: 3
+      abbreviation: CR
+      name: critical
+      description: critical
+      hexcolor: '#FF1A00'
+    grid:
+    - - 0
+      - 0
+      - 0
+      - 1
+      - 1
+    - - 0
+      - 0
+      - 1
+      - 1
+      - 2
+    - - 0
+      - 1
+      - 1
+      - 2
+      - 3
+    - - 1
+      - 1
+      - 2
+      - 3
+      - 3
+    - - 1
+      - 2
+      - 3
+      - 3
+      - 3
diff --git a/frontend/messages/en.json b/frontend/messages/en.json
@@ -338,7 +338,7 @@
 	"librariesStore": "Libraries store",
 	"currentlyNoImportedLibraries": "You currently have no imported libraries",
 	"loadingLibraryUploadButton": "Loading the library upload button",
-	"errorOccuredWhileLoadingLibrary": "The following error occured while loading the library form",
+	"errorOccuredWhileLoadingLibrary": "The following error occurred while loading the library form",
 	"packager": "Packager",
 	"dependencies": "Dependencies",
 	"copyright": "Copyright",
@@ -491,7 +491,7 @@
 	"lowSOK": "The strength of the knowledge supporting the assessment is low",
 	"mediumSOK": "The strength of the knowledge supporting the assessment is medium",
 	"highSOK": "The strength of the knowledge supporting the assessment is high",
-	"libraryImportError": "An error occured during the importation of your library.",
+	"libraryImportError": "An error occurred during the importation of your library.",
 	"libraryAlreadyImportedError": "This library has already been imported.",
 	"invalidLibraryFileError": "Invalid library file. Please make sure the format is correct.",
 	"taintedFormMessage": "Do you want to leave this page? Changes you made may not be saved.",

diff --git a/frontend/messages/fr.json b/frontend/messages/fr.json
@@ -120,7 +120,7 @@
 	"revokedAt": "Révoqué le",
 	"submitted": "Soumis",
 	"rejected": "Rejeté",
-	"revoked": "Revoqué",
+	"revoked": "Révoqué",
 	"locale": "Locale",
 	"defaultLocale": "Locale par défaut",
 	"annotation": "Annotation",
@@ -178,7 +178,7 @@
 	"authors": "Auteurs",
 	"reviewers": "Relecteurs",
 	"processButton": "Traiter",
-	"selectTargets": "Selectionnez vos cibles",
+	"selectTargets": "Sélectionnez vos cibles",
 	"composerDescription": "Cela vous aidera à agréger plusieurs composants (projets) pour obtenir une vue d'ensemble de vos risques. Ceci est particulièrement utile pour deux cas d'utilisation",
 	"composerDescription1": "une approche de veille stratégique pour se concentrer sur un sous-ensemble spécifique à travers différents domaines de projet (par exemple, à travers les divisions)",
 	"composerDescription2": "vous êtes intéressé par l'évaluation des risques d'un système spécifique, pour lequel vous avez besoin de l'évaluation des risques des composants sous-jacents",
@@ -247,7 +247,7 @@
 	"confirmNewPassword": "Confirmer le nouveau mot de passe",
 	"label": "Label",
 	"NA": "N/A",
-	"threatAgentFactors": "Facteurs liés aux agents de menace",
+	"threatAgentFactors": "Facteurs liés aux agents menaçants",
 	"vulnerabilityFactors": "Facteurs de vulnérabilité",
 	"businessImpactFactors": "Facteurs d’impact sur les entreprises",
 	"technicalImpactFactors": "Facteurs d’impact techniques",
@@ -258,11 +258,11 @@
 	"skillLevelChoice3": "Utilisateur informatique avancé",
 	"skillLevelChoice4": "Compétences en réseau et en programmation",
 	"skillLevelChoice5": "Compétences en matière de pénétration de la sécurité",
-	"motiveText": "Dans quelle mesure ce groupe d’agents de menace est-il motivé à trouver et à exploiter cette vulnérabilité ?",
+	"motiveText": "Dans quelle mesure ce groupe d’agents menaçants est-il motivé à trouver et à exploiter cette vulnérabilité ?",
 	"motiveChoice1": "Récompense faible ou inexistante",
 	"motiveChoice2": "Récompense possible",
 	"motiveChoice3": "Récompense élevée",
-	"opportunityText": "Quelles ressources et opportunités sont nécessaires pour que ce groupe d’agents de menace trouve et exploite cette vulnérabilité ?",
+	"opportunityText": "Quelles ressources et opportunités sont nécessaires pour que ce groupe d’agents menaçants trouve et exploite cette vulnérabilité ?",
 	"opportunityChoice1": "Accès complet ou ressources coûteuses requises",
 	"opportunityChoice2": "Accès spécialisé ou ressources requises",
 	"opportunityChoice3": "Certains accès ou ressources requis",
@@ -492,7 +492,7 @@
 	"mediumSOK": "La force des connaissances à l’appui de l’évaluation est moyenne",
 	"highSOK": "La force des connaissances à l’appui de l’évaluation est élevée",
 	"libraryImportError": "Une erreur a été détectée durant l'importation de votre librairie.",
-	"libraryAlreadyImportedError": "Cette libairie a été déjà été importée.",
+	"libraryAlreadyImportedError": "Cette librairie a été déjà été importée.",
 	"invalidLibraryFileError": "Fichier de bibliothèque invalide. Veuillez vérifier le format du fichier.",
 	"taintedFormMessage": "Voulez-vous vraiment quitter cette page ? Toutes les données non enregistrées seront perdues.",
 	"riskScenariosStatus": "Statut des scénarios de risque",

diff --git a/frontend/src/routes/(app)/requirement-assessments/[id=uuid]/+page.svelte b/frontend/src/routes/(app)/requirement-assessments/[id=uuid]/+page.svelte
@@ -151,7 +151,9 @@
 <div class="card space-y-2 p-4 bg-white shadow">
 	<code class="code">{data.requirement.urn}</code>
 	{#if data.requirement.description}
-		<p class="whitespace-pre-line">{data.requirement.description}</p>
+		<p class="whitespace-pre-line p-2 font-light text-lg">
+			👉 {data.requirement.description}
+		</p>
 	{/if}
 	{#if (threats && threats.length > 0) || (reference_controls && reference_controls.length > 0)}
 		<div class="card p-4 variant-glass-primary text-sm flex flex-row cursor-auto">
@@ -266,8 +268,9 @@
 			<HiddenInput {form} field="folder" />
 			<HiddenInput {form} field="requirement" />
 			<HiddenInput {form} field="compliance_assessment" />
-			<div class="flex flex-col space-y-3 mt-3">
+			<div class="flex flex-col my-8 space-y-6">
 				<Select {form} options={data.model.selectOptions['status']} field="status" label="Status" />
+
 				<Score
 					{form}
 					min_score={data.compliance_assessment_score.min_score}
@@ -276,8 +279,8 @@
 					field="score"
 					label="Score"
 				/>
-				<TextArea {form} field="observation" label="Observation" />
 
+				<TextArea {form} field="observation" label="Observation" />
 				<div class="flex flex-row justify-between space-x-4">
 					<button
 						class="btn bg-gray-400 text-white font-semibold w-full"