intuitem / ciso-assistant-community

CISO Assistant is a one-stop-shop for GRC, covering Risk, AppSec and Audit Management and supporting +57 frameworks worldwide with auto-mapping: NIST CSF, ISO 27001, SOC2, CIS, PCI DSS, NIS2, CMMC, PSPF, GDPR, HIPAA, Essential Eight, NYDFS-500, DORA, NIST AI RMF, 800-53, 800-171, CyFun, CJIS, AirCyber, NCSC, ECC, SCF and so much more
https://intuitem.com

Import of CISv8 fails due to faulty variables in CIS import Python scripts #606

Closed stijnpieters closed 2 months ago

stijnpieters commented 2 months ago

**Describe the bug**
Wrong paths in convert_cis.py cause the intermediate file to be created in the wrong directory and the script to fail:

parsing CIS_Controls_Version_8.xlsx
parsing tab Introduction
Ignored tab: Introduction
parsing tab License for Use
parsing tab Important Resources
Ignored tab: Important Resources
parsing tab Controls V8
generating cis-controls-v8.xlsx
generate  cis-controls-v8.xlsx
parsing cis/cis-controls-v8.xlsx
Traceback (most recent call last):
  File "/opt/ciso-assistant/tools/convert_library.py", line 126, in <module>
    dataframe = openpyxl.load_workbook(args.input_file_name)
  File "/usr/lib/python3/dist-packages/openpyxl/reader/excel.py", line 312, in load_workbook
    reader = ExcelReader(filename, read_only, keep_vba,
  File "/usr/lib/python3/dist-packages/openpyxl/reader/excel.py", line 124, in __init__
    self.archive = _validate_archive(fn)
  File "/usr/lib/python3/dist-packages/openpyxl/reader/excel.py", line 96, in _validate_archive
    archive = ZipFile(filename, 'r')
  File "/usr/lib/python3.9/zipfile.py", line 1239, in __init__
    self.fp = io.open(file, filemode)
FileNotFoundError: [Errno 2] No such file or directory: 'cis/cis-controls-v8.xlsx'
Resulting file is available at cis/cis-controls-v8.yaml

This can be easily resolved by editing the scripts in a few ways (further explained in comments).

After these edits, the following error also occurs:

parsing CIS_Controls_Version_8.xlsx
parsing tab Introduction
Ignored tab: Introduction
parsing tab License for Use
parsing tab Important Resources
Ignored tab: Important Resources
parsing tab Controls V8
generating cis-controls-v8.xlsx
generate  cis-controls-v8.xlsx
parsing cis/cis-controls-v8.xlsx
parsing tab library_content
processing library content
parsing tab controls
processing requirements
**Name too long: 14,7 Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates**
Resulting file is available at cis/cis-controls-v8.yaml

**To Reproduce**
Steps to reproduce the behavior:

  1. Clone the repo and make sure you are at its root
  2. Make sure you have Python installed (including pip); version 3.11 or higher is recommended
  3. `cd` to `/tools`
  4. Run `pip install -r requirements.txt` to install the script dependencies
  5. Copy the CISv8 Excel file (downloaded from CIS' official website) to this folder (`/tools`)
  6. Run `convert_cis.sh`

**Expected behavior**
In the `cis` subfolder, `cis-controls-v8.yaml` should be created as stated in the command output.


stijnpieters commented 2 months ago

Resolved by editing the scripts as follows:

**prep_cis.py**

```python
"""
simple script to transform the official CIS Excel file to another Excel file for CISO assistant framework conversion tool
"""

import openpyxl
import sys
import re
import argparse
from openpyxl.styles import numbers

parser = argparse.ArgumentParser(
    prog="convert_cis",
    description="convert CIS controls official Excel file to CISO Assistant Excel file",
)
parser.add_argument("filename", help="name of CIS controls Excel file")
parser.add_argument("packager", help="name of packager entity")
parser.add_argument("intermediate", help="name of intermediate Excel file")  # added

args = parser.parse_args()
input_file_name = args.filename
packager = args.packager
output_file_name = args.intermediate  # changed: now taken from the argument

print("parsing", input_file_name)
```
...
  1. Added a 3rd argument to parse for the intermediate file location
  2. Changed the output_file_name variable to the argument path

**convert_cis.py**

```bash
file="CIS_Controls_Version_8.xlsx"
packager="personal"
intermediate="cis/cis-controls-v8.xlsx"
python cis/prep_cis.py "$file" "$packager" "$intermediate"
python convert_library.py cis/cis-controls-v8.xlsx
echo "Resulting file is available at cis/cis-controls-v8.yaml"
```
  1. Moved the intermediate var definition up one line and added the cis subfolder to the path
  2. Added an extra argument to the prep_cis.py call

**convert_library.py**

...
```python
                name = row[header["name"]].value if "name" in header else None
                if name and len(name) > 150:
                    print("Name too long:", ref_id, name)
                    exit(1)
                description = (
                    row[header["description"]].value
                    if "description" in header
                    else None
                )
```
...
  1. Changed the maximum length of line from 100 to 150
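An added example, not code from the issue or from the project's convert_library.py: the same name-length rule applied to a constructed set of requirement rows, collecting every offending row instead of exiting at the first one, so a run at the old 100-character limit and at the raised 150-character limit can be compared. Only the 14.7 title is the one quoted in the report; `SAMPLE_ROWS`, `build_header` and `find_overlong_names` are assumptions of this example.

```python
"""Added example (not the project's code): report every requirement whose
name exceeds a length limit, instead of exiting at the first one."""

from typing import Dict, List, Optional, Sequence, Tuple

# Constructed sample rows in the shape the converter reads: a header row,
# then one row per requirement. Row 14.7 carries the title quoted in the
# bug report (101 characters); the other rows are made up for the example.
SAMPLE_ROWS: List[List[Optional[str]]] = [
    ["ref_id", "name", "description"],
    ["14.6", "Train Workforce Members on Recognizing and Reporting Security Incidents", "constructed"],
    ["14.7", "Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates", "constructed"],
    ["14.8", None, "a row without a name is skipped, as in the converter"],
]


def build_header(first_row: Sequence[Optional[str]]) -> Dict[str, int]:
    """Map column names to column indexes, as the converter does with its header row."""
    return {str(cell): i for i, cell in enumerate(first_row) if cell is not None}


def find_overlong_names(
    rows: Sequence[Sequence[Optional[str]]], max_len: int = 100
) -> List[Tuple[Optional[str], int]]:
    """Return (ref_id, name length) for each requirement whose name is longer than max_len."""
    header = build_header(rows[0])
    overlong: List[Tuple[Optional[str], int]] = []
    for row in rows[1:]:
        ref_id = row[header["ref_id"]] if "ref_id" in header else None
        name = row[header["name"]] if "name" in header else None
        if name and len(name) > max_len:
            overlong.append((ref_id, len(name)))
    return overlong


if __name__ == "__main__":
    # The 14.7 title fails the original limit and passes the raised one.
    for limit in (100, 150):
        print(f"limit {limit}:", find_overlong_names(SAMPLE_ROWS, limit))
```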

Files in attachment: ciso-assistant.zip

Can someone create a PR for this?