Merge branch 'main' into 567_show_filesize

.github/ISSUE_TEMPLATE/feature_request.md

@@ -2,7 +2,7 @@
 name: Feature Request
 about: Suggestions for new features and improvements
 title: ""
-labels: "new feature"
+labels: "question"
 assignees: ""
 ---
 

.github/workflows/docker-build-and-push.yml

@@ -43,9 +43,19 @@ jobs:
         cp .meta ./backend/
         cp .meta ./backend/ciso_assistant/
 
+    - name: Build and Push Frontend Docker Image
+      uses: docker/build-push-action@v6
+      with:
+        context: ./frontend
+        file: ./frontend/Dockerfile
+        push: true
+        tags: |
+          ghcr.io/${{ github.repository }}/frontend:${{ env.VERSION }}
+          ghcr.io/${{ github.repository }}/frontend:latest
+        platforms: linux/amd64,linux/arm64,linux/arm64/v8
 
     - name: Build and Push Backend Docker Image
-      uses: docker/build-push-action@v5
+      uses: docker/build-push-action@v6
       with:
         context: ./backend
         file: ./backend/Dockerfile
@@ -55,13 +65,3 @@ jobs:
           ghcr.io/${{ github.repository }}/backend:latest
         platforms: linux/amd64,linux/arm64,linux/arm64/v8
 
-    - name: Build and Push Frontend Docker Image
-      uses: docker/build-push-action@v5
-      with:
-        context: ./frontend
-        file: ./frontend/Dockerfile
-        push: true
-        tags: |
-          ghcr.io/${{ github.repository }}/frontend:${{ env.VERSION }}
-          ghcr.io/${{ github.repository }}/frontend:latest
-        platforms: linux/amd64,linux/arm64,linux/arm64/v8

.github/workflows/frontend-coverage.yaml

@@ -26,15 +26,15 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
-      - name: Install latest npm
+      - name: Install latest pnpm
         working-directory: ${{env.working-directory}}
         run: |
-          npm install -g npm &&
-          npm --version &&
-          npm list -g --depth 0
+          npm install -g pnpm &&
+          pnpm --version &&
+          pnpm list -g --depth 0
       - name: Install dependencies
         working-directory: ${{env.working-directory}}
-        run: npm ci
+        run: pnpm i --frozen-lockfile
       - name: Run coverage
         working-directory: ${{env.working-directory}}
-        run: npm run coverage
+        run: pnpm run coverage

.github/workflows/frontend-unit-tests.yml

@@ -28,12 +28,12 @@ jobs:
       - name: Install latest npm
         working-directory: ${{env.working-directory}}
         run: |
-          npm install -g npm &&
-          npm --version &&
-          npm list -g --depth 0
+          npm install -g pnpm &&
+          pnpm --version &&
+          pnpm list -g --depth 0
       - name: Install dependencies
         working-directory: ${{env.working-directory}}
-        run: npm ci
+        run: pnpm i --frozen-lockfile
       - name: Run tests
         working-directory: ${{env.working-directory}}
-        run: npm run test:ci
+        run: pnpm run test:ci

.github/workflows/functional-tests.yml

@@ -53,8 +53,8 @@ jobs:
       - name: Install dependencies
         working-directory: ${{ env.working-directory }}
         run: |
-          npm install
-          npm ci
+          npm install -g pnpm
+          pnpm i --frozen-lockfile
       - name: Install Playwright browser ${{ matrix.playwright-browser }}
         working-directory: ${{ env.working-directory }}
         run: npx playwright install --with-deps ${{ matrix.playwright-browser }}

.github/workflows/startup-tests.yml

@@ -46,8 +46,8 @@ jobs:
       - name: Install dependencies
         working-directory: ${{ env.working-directory }}
         run: |
-          npm install
-          npm ci
+          npm install -g pnpm
+          pnpm i --frozen-lockfile
       - name: Install Playwright Browsers
         working-directory: ${{ env.working-directory }}
         run: npx playwright install --with-deps
@@ -101,8 +101,8 @@ jobs:
       - name: Install dependencies
         working-directory: ${{ env.working-directory }}
         run: |
-          npm install
-          npm ci
+          npm install -g pnpm
+          pnpm i --frozen-lockfile
       - name: Install Playwright Browsers
         working-directory: ${{ env.working-directory }}
         run: npx playwright install --with-deps

README.md

@@ -50,6 +50,11 @@ The decoupling allows you to save a considerable amount of time:
 - leave the reporting formatting and sanity check to CISO assistant and focus on your fixes,
 - balance controls implementation and compliance follow-up
 
+Here is an overview of CISO Assistant features and capabilities:
+
+![overview](features.png)
+
+
 CISO Assistant is developed and maintained by [intuitem](https://intuitem.com/), a French 🇫🇷 company specialized in Cyber Security, Cloud and Data/AI.
 
 ## Quick Start 🚀
@@ -78,6 +83,9 @@ and run the starter script
 > [!WARNING]
 > If you're getting warnings or errors about image's platform not matching host platform, raise an issue with the details and we'll add it shortly after. You can also use `docker-compose-build.sh` instead (see below) to build for your specific architecture.
 
+> [!CAUTION]
+> Don't use the `main` branch code directly for production as it's the merge upstream and can have breaking changes during our developemnt. Either use the `tags` for stable versions or prebuilt images. 
+
 ## End-user Documentation
 
 Check out the online documentation on https://intuitem.gitbook.io/ciso-assistant.
@@ -127,9 +135,17 @@ Check out the online documentation on https://intuitem.gitbook.io/ciso-assistant
 41. ENISA: 5G Security Controls Matrix 🇪🇺
 42. OWASP Mobile Application Security Verification Standard (MASVS) 🐝📱
 43. Agile Security Framework (ASF) - baseline - by intuitem 🤗
-44. EU AI Act 🇪🇺🤖
-45. FBI CJIS 🇺🇸👮
-46. Operational Technology Cybersecurity Controls (OTCC) 🇸🇦
+44. ISO 27001:2013 🌐 (For legacy and migration)
+45. EU AI Act 🇪🇺🤖
+46. FBI CJIS 🇺🇸👮
+47. Operational Technology Cybersecurity Controls (OTCC) 🇸🇦
+48. Secure Controls Framework (SCF) 🇺🇸🌐
+49. NCSC Cyber Assessment Framework (CAF) 🇬🇧
+50. California Consumer Privacy Act (CCPA) 🇺🇸
+51. California Consumer Privacy Act Regulations 🇺🇸
+52. NCSC Cyber Essentials 🇬🇧
+53. General Data Protection Regulation (GDPR) 🇪🇺
+54. Directive Nationale de la Sécurité des Systèmes d'Information (DNSSI) Maroc 🇲🇦
 
 ### Community contributions
 
@@ -150,13 +166,11 @@ Checkout the [library](/backend/library/libraries/) and [tools](/tools/) for the
 
 ### Coming soon
 
-- NCSC Cyber Assessment Framework (CAF)
-- Secure Controls Framework (SCF)
-- CCPA
 - Part-IS
-- SOX
 - NIST 800-82
-- UK Cyber Essentials
+- Korea ISA: ISMS-P
+- ENS Esquema Nacional de seguridad (español)
+
 - and much more: just ask on [Discord](https://discord.gg/qvkaMdQ8da). If it's an open standard, we'll do it for you, _free of charge_ 😉
 
 ## Add your own library
@@ -167,6 +181,8 @@ Take a look at the `tools` directory and its dedicated readme. The `convert_libr
 
 You can also find some specific converters in the tools directory (e.g. for CIS or CCM Controls).
 
+There is also a tool to facilitate the creation of mappings, called `prepare_mapping.py` that will create an Excel file based on two framework libraries in yaml. Once properly filled, this Excel file can be processed by the `convert_library.py` tool to get the resulting mapping library.
+
 ## Community
 
 Join our [open Discord community](https://discord.gg/qvkaMdQ8da) to interact with the team and other GRC experts.

backend/app_tests/api/test_api_compliance_assessments.py

@@ -120,13 +120,18 @@ def test_get_compliance_assessments(self, test):
                 "project": {
                     "id": str(project.id),
                     "str": project.folder.name + "/" + project.name,
+                    "folder": {
+                        "id": str(project.folder.id),
+                        "str": project.folder.name,
+                    },
                 },
                 "framework": {
                     "id": str(Framework.objects.all()[0].id),
                     "str": str(Framework.objects.all()[0]),
                     "implementation_groups_definition": None,
                     "min_score": 1,
                     "max_score": 4,
+                    "ref_id": str(Framework.objects.all()[0].ref_id),
                 },
             },
             user_group=test.user_group,
@@ -154,13 +159,18 @@ def test_create_compliance_assessments(self, test):
                 "project": {
                     "id": str(project.id),
                     "str": project.folder.name + "/" + project.name,
+                    "folder": {
+                        "id": str(project.folder.id),
+                        "str": project.folder.name,
+                    },
                 },
                 "framework": {
                     "id": str(Framework.objects.all()[0].id),
                     "str": str(Framework.objects.all()[0]),
                     "implementation_groups_definition": None,
                     "min_score": Framework.objects.all()[0].min_score,
                     "max_score": Framework.objects.all()[0].max_score,
+                    "ref_id": str(Framework.objects.all()[0].ref_id),
                 },
             },
             user_group=test.user_group,
@@ -200,13 +210,18 @@ def test_update_compliance_assessments(self, test):
                 "project": {
                     "id": str(project.id),
                     "str": project.folder.name + "/" + project.name,
+                    "folder": {
+                        "id": str(project.folder.id),
+                        "str": project.folder.name,
+                    },
                 },
                 "framework": {
                     "id": str(Framework.objects.all()[0].id),
                     "str": str(Framework.objects.all()[0]),
                     "implementation_groups_definition": None,
                     "min_score": Framework.objects.all()[0].min_score,
                     "max_score": Framework.objects.all()[0].max_score,
+                    "ref_id": str(Framework.objects.all()[0].ref_id),
                 },
             },
             user_group=test.user_group,

backend/app_tests/api/test_api_requirement_assessments.py

@@ -13,8 +13,8 @@
 from test_utils import EndpointTestsQueries
 
 # Generic requirement assessment data for tests
-REQUIREMENT_ASSESSMENT_STATUS = "partially_compliant"
-REQUIREMENT_ASSESSMENT_STATUS2 = "non_compliant"
+REQUIREMENT_ASSESSMENT_STATUS = "to_do"
+REQUIREMENT_ASSESSMENT_STATUS2 = "in_progress"
 REQUIREMENT_ASSESSMENT_OBSERVATION = "Test observation"
 
 

backend/app_tests/api/test_api_risk_acceptances.py

@@ -117,7 +117,12 @@ def test_get_risk_acceptances(self, test):
             },
             {
                 "folder": {"id": str(test.folder.id), "str": test.folder.name},
-                "approver": {"id": str(approver.id), "str": approver.email},
+                "approver": {
+                    "id": str(approver.id),
+                    "str": approver.email,
+                    "last_name": approver.last_name,
+                    "first_name": approver.first_name,
+                },
                 "state": RISK_ACCEPTANCE_STATE[1],
             },
             user_group=test.user_group,
@@ -157,7 +162,12 @@ def test_create_risk_acceptances(self, test):
             },
             {
                 "folder": {"id": str(test.folder.id), "str": test.folder.name},
-                "approver": {"id": str(approver.id), "str": approver.email},
+                "approver": {
+                    "id": str(approver.id),
+                    "str": approver.email,
+                    "last_name": approver.last_name,
+                    "first_name": approver.first_name,
+                },
                 "risk_scenarios": [
                     {"id": str(risk_scenario.id), "str": str(risk_scenario)}
                 ],
@@ -208,7 +218,12 @@ def test_update_risk_acceptances(self, test):
             },
             {
                 "folder": {"id": str(test.folder.id), "str": test.folder.name},
-                "approver": {"id": str(approver.id), "str": approver.email},
+                "approver": {
+                    "id": str(approver.id),
+                    "str": approver.email,
+                    "last_name": approver.last_name,
+                    "first_name": approver.first_name,
+                },
                 # 'state': RISK_ACCEPTANCE_STATE[1],
             },
             user_group=test.user_group,

backend/app_tests/api/test_api_risk_assessments.py

@@ -123,6 +123,10 @@ def test_get_risk_assessments(self, test):
                 "project": {
                     "id": str(project.id),
                     "str": project.folder.name + "/" + project.name,
+                    "folder": {
+                        "id": str(project.folder.id),
+                        "str": project.folder.name,
+                    },
                 },
                 "risk_matrix": {"id": str(risk_matrix.id), "str": str(risk_matrix)},
             },
@@ -152,6 +156,10 @@ def test_create_risk_assessments(self, test):
                 "project": {
                     "id": str(project.id),
                     "str": project.folder.name + "/" + project.name,
+                    "folder": {
+                        "id": str(project.folder.id),
+                        "str": project.folder.name,
+                    },
                 },
                 "risk_matrix": {"id": str(risk_matrix.id), "str": str(risk_matrix)},
             },
@@ -193,6 +201,10 @@ def test_update_risk_assessments(self, test):
                 "project": {
                     "id": str(project.id),
                     "str": project.folder.name + "/" + project.name,
+                    "folder": {
+                        "id": str(project.folder.id),
+                        "str": project.folder.name,
+                    },
                 },
                 "risk_matrix": {"id": str(risk_matrix.id), "str": str(risk_matrix)},
             },

backend/app_tests/api/test_api_risk_scenarios.py

@@ -197,6 +197,7 @@ def test_get_risk_scenarios(self, test):
                 "treatment": RISK_SCENARIO_TREATMENT_STATUS[1],
                 "risk_assessment": {
                     "id": str(risk_assessment.id),
+                    "name": str(risk_assessment.name),
                     "str": str(risk_assessment),
                 },
                 "threats": [{"id": str(threat.id), "str": str(threat)}],
@@ -256,6 +257,7 @@ def test_create_risk_scenarios(self, test):
                 "risk_assessment": {
                     "id": str(risk_assessment.id),
                     "str": str(risk_assessment),
+                    "name": str(risk_assessment.name),
                 },
                 "threats": [{"id": str(threat.id), "str": threat.name}],
                 "risk_matrix": {
@@ -339,6 +341,7 @@ def test_update_risk_scenarios(self, test):
                 "risk_assessment": {
                     "id": str(risk_assessment.id),
                     "str": str(risk_assessment),
+                    "name": str(risk_assessment.name),
                 },
                 "threats": [{"id": str(threat.id), "str": threat.name}],
                 "risk_matrix": {

backend/ciso_assistant/settings.py

@@ -196,6 +196,7 @@ def set_ciso_assistant_url(_, __, event_dict):
     "DEFAULT_PAGINATION_CLASS": "rest_framework.pagination.PageNumberPagination",
     "PAGE_SIZE": PAGINATE_BY,
     "DEFAULT_SCHEMA_CLASS": "drf_spectacular.openapi.AutoSchema",
+    "EXCEPTION_HANDLER": "core.helpers.handle",
 }
 
 REST_KNOX = {