💬 Questions and Help

Please note that this issue tracker is not a help form and this issue will be closed.

For questions or help please see:

• ✉️ Email CSET support

🐛 Bug Report

The link for the ISA 62443 2013 reference under "Resource Library / General Control Systems Standards / Industrial Automation and CS Security 2013" is not valid and is not present in the Website/Documents directory.

To Reproduce

Click reference link and error page is displayed.

Expected behavior

A PDF document similar to Industrial Automation and CS Security 2009 should be displayed.

🐛 Bug Report

The application throws a message
Access Denied
Your session has expired, a connection error has occurred, or you are no longer authorized to access that assessment.
Please log in again.
OK

To Reproduce

In both versions 9.2.2 and 10.0.0

Create a new assessment.
Proceed to Questions
(Questions show correctly)
Click on Requirements Mode button

or

Create a new assessment.
Proceed to Questions
(Questions show correctly)
Answer a question
Click on Results button

Expected behavior

I expect to stay logged into the application.

Any helpful log output

Chrome developer tools show:
POST https://myorg/api/questionlist 500
The database-principal 'dbo' does not exist or user is not a member
JWT Invalid. logging out.

it references main.f4409f2ea3c52be23d63.js

StackTrace: " at CSETWeb_Api.BusinessManagers.RequirementsManager.BuildResponse(List1 requirements, List1 answers, List1 domains) ↵ at CSETWeb_Api.BusinessManagers.RequirementsManager.GetRequirementsList() ↵ at CSETWeb_Api.Controllers.QuestionsController.GetList(String group) ↵ at lambda_method(Closure , Object , Object[] ) ↵ at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.<>c__DisplayClass6_2.<GetExecutor>b__2(Object instance, Object[] methodParameters) ↵ at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ExecuteAsync(HttpControllerContext controllerContext, IDictionary2 arguments, CancellationToken cancellationToken)
↵--- End of stack trace from previous location where exception was thrown ---
↵ at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
↵ at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
↵ at System.Web.Http.Controllers.ApiControllerActionInvoker.d__1.MoveNext()
↵--- End of stack trace from previous location where exception was thrown ---
↵ at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
↵ at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
↵ at System.Web.Http.Controllers.ActionFilterResult.d__5.MoveNext()
↵--- End of stack trace from previous location where exception was thrown ---
↵ at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
↵ at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
↵ at System.Web.Http.Dispatcher.HttpControllerDispatcher.d__15.MoveNext()"

💥 Regression Report

A clear and concise description of what the regression is.
I am not able to export any of the assessments. A file is generated but its only 2 or 4 k.

Last working version

Worked up to version: 9.1
I have a number of exports from 9.1 that I imported into 9.2. They imported properly but now when I export the file size is only 2 K. Exporter from 9.1 the files sizes averaged 450K.

Stopped working in version: 9.2.0

To Reproduce

Steps to reproduce the behavior: Export an assessment

Expected behavior

A clear and concise description of what you expected to happen.
Create an export file of the assessment that can be used as a backup or re-imported.

Any helpful log output

There are no errors produced during the operation and you just assume it exported correctly. Its not until you try to re-import it that you know it isn't working. I also looked at the
Paste the results here:

When on the results page, the Reports tab doesnt show up sometimes.
If I click back to requirements and back to results and wait a few seconds, it sometimes comes back.

Steps to reproduce the behavior:
Go to the results tab and look for the Reports option.

Expected behavior

It should open the Report choices

Any helpful log output

Paste the results here:

🐛 Bug Report

When trying to access the Results tab in an assessment, the site produces the access denied error and kicks you back to the login screen.

When changing an assessment from Questions Mode to Requirements Mode, the same issue occurs and same error in the browser is printed.

To Reproduce

Build latest 9.2.1 master branch with clean database. Create a new assessment, add any SAL and standard. Click on Results Tab - it will kick you back to login. Relogin, select assessment again, click on Questions, and then then change to Requirements Mode. It will kick you out again.

Expected behavior

Access to results and requirements mode.

Any helpful log output

Edge DevTools:

Attempt to view Results:

HTTP500: SERVER ERROR - The server encountered an unexpected condition that prevented it from fulfilling the request.
(XHR)GET - http://localhost/api/analysis/Dashboard

The database-principal 'dbo' does not exist or user is not a member.

The database-principal 'dbo' does not exist or user is not a member.
main.js (13871,21)

JWT Invalid. logging out.
main.js (13872,21)

Attempt to view Requirements Mode:

HTTP500: SERVER ERROR - The server encountered an unexpected condition that prevented it from fulfilling the request.
(XHR)POST - http://localhost/api/questionlist

The database-principal 'dbo' does not exist or user is not a member.

The database-principal 'dbo' does not exist or user is not a member.

The database-principal 'dbo' does not exist or user is not a member.

The database-principal 'dbo' does not exist or user is not a member.

🐛 Bug Report

I'm trying to run the build.sh script to get the application installed for the Enterprise and the script returns many errors.

Here are a list of issues I've found executing the build.sh file:

1. Missing files - Diagram\etc\build\base-viewer.min.js and base.min.js are missing
2. More missing files - Diagram\sec\main\webapp\js\app.min.js, shapes.min.js, stencils.min.js, viewer.min.js
3. Incorrect build path - the script that sets the "vs-install-dir" variable doesn't work correctly. I have VS 2017 and VS 2019 installed but the MSBuild.exe is located in my VS 2017 path, but this script returns the 2019 path since it's the latest. Then the build fails since there is no MSBuild.exe at that location. (I was able to modify that to point it to the correct location on my machine)
4. Dependencies not installed - neither the NPM dependencies or the NuGet packages are installed via the build.sh script. I added the "npm install" command to the "build_ng" function, but I had to build the .Net project in VS in order for the NuGet packages to be restored.
5. Folders not created - none of the distribution folders were created by the script if they didn't already exist, such as the "CSETWebApi/CSETWeb_Api/CSETWeb_Api/bin/localdb/Publish" folder.

To Reproduce

1. Run the build.sh script

Expected behavior

Unless I'm missing something, this project needs to be fixed so these missing files and other issues are resolved.

Any helpful log output

QUESTION - what is the difference between the build.sh script and the standalone.exe? Can I install the standalone.exe and make some modifications to the produced application to use it for the enterprise? Is it as simple as just changing a database connection string or something more?

This is the api-build.log output. The build fails, and the last line shows one of the reasons, the build.bat file which has pointers in the script to files that don't exist. (see my missing files bullet point).
(snipped the beginning of the file since it was too large for this submission.)

BUILD: (ResolveAssemblyReferences target) ->
BUILD: C:\Program Files (x86)\Microsoft Visual Studio\2017\Professional\MSBuild\15.0\Bin\Microsoft.Common.CurrentVersion.targets(2110,5): warning MSB3245: Could not resolve this reference. Could not locate the assembly "Microsoft.EntityFrameworkCore.Design". Check to make sure the assembly exists on disk. If this reference is required by your code, you may get compilation errors. [C:\cset-deploy\CSETWebApi\CSETWeb_Api\ExportCSV\ExportCSV.csproj]
BUILD: C:\Program Files (x86)\Microsoft Visual Studio\2017\Professional\MSBuild\15.0\Bin\Microsoft.Common.CurrentVersion.targets(2110,5): warning MSB3245: Could not resolve this reference. Could not locate the assembly "Microsoft.EntityFrameworkCore.Relational". Check to make sure the assembly exists on disk. If this reference is required by your code, you may get compilation errors. [C:\cset-deploy\CSETWebApi\CSETWeb_Api\ExportCSV\ExportCSV.csproj]
BUILD:
BUILD:
BUILD: "C:\cset-deploy\CSETWebApi\CSETWeb_Api\CSETWeb_Api.sln" (Build target) (1) ->
BUILD: "C:\cset-deploy\CSETWebApi\CSETWeb_Api\CSETWeb_Api\CSETWeb_Api.csproj" (default target) (2) ->
BUILD: "C:\cset-deploy\CSETWebApi\CSETWeb_Api\ExportCSV\ExportCSV.csproj" (default target) (5:2) ->
BUILD: (CoreCompile target) ->
BUILD: oldReportEngine\DataHandling.cs(16,33): warning CS0436: The type 'IDataHandling' in 'C:\cset-deploy\CSETWebApi\CSETWeb_Api\ExportCSV\oldReportEngine\IDataHandling.cs' conflicts with the imported type 'IDataHandling' in 'BusinessLogic, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null'. Using the type defined in 'C:\cset-deploy\CSETWebApi\CSETWeb_Api\ExportCSV\oldReportEngine\IDataHandling.cs'. [C:\cset-deploy\CSETWebApi\CSETWeb_Api\ExportCSV\ExportCSV.csproj]
BUILD: CSETtoExcelDataMappings.cs(159,13): warning CS0436: The type 'IDataHandling' in 'C:\cset-deploy\CSETWebApi\CSETWeb_Api\ExportCSV\oldReportEngine\IDataHandling.cs' conflicts with the imported type 'IDataHandling' in 'BusinessLogic, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null'. Using the type defined in 'C:\cset-deploy\CSETWebApi\CSETWeb_Api\ExportCSV\oldReportEngine\IDataHandling.cs'. [C:\cset-deploy\CSETWebApi\CSETWeb_Api\ExportCSV\ExportCSV.csproj]
BUILD: CSETtoExcelDataMappings.cs(159,36): warning CS0436: The type 'DataHandling' in 'C:\cset-deploy\CSETWebApi\CSETWeb_Api\ExportCSV\oldReportEngine\DataHandling.cs' conflicts with the imported type 'DataHandling' in 'BusinessLogic, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null'. Using the type defined in 'C:\cset-deploy\CSETWebApi\CSETWeb_Api\ExportCSV\oldReportEngine\DataHandling.cs'. [C:\cset-deploy\CSETWebApi\CSETWeb_Api\ExportCSV\ExportCSV.csproj]
BUILD:
BUILD:
BUILD: "C:\cset-deploy\CSETWebApi\CSETWeb_Api\CSETWeb_Api.sln" (Build target) (1) ->
BUILD: "C:\cset-deploy\CSETWebApi\CSETWeb_Api\CSETWeb_Api\CSETWeb_Api.csproj" (default target) (2) ->
BUILD: Version\VersionHandler.cs(76,30): warning CS0168: The variable 'ex' is declared but never used [C:\cset-deploy\CSETWebApi\CSETWeb_Api\CSETWeb_Api\CSETWeb_Api.csproj]
BUILD: Controllers\ACETFilterController.cs(41,34): warning CS0168: The variable 'e' is declared but never used [C:\cset-deploy\CSETWebApi\CSETWeb_Api\CSETWeb_Api\CSETWeb_Api.csproj]
BUILD: Controllers\FileUploadController.cs(56,20): warning CS0168: The variable 'fileHash' is declared but never used [C:\cset-deploy\CSETWebApi\CSETWeb_Api\CSETWeb_Api\CSETWeb_Api.csproj]
BUILD: Controllers\DiagramController.cs(274,30): warning CS0168: The variable 'ex' is declared but never used [C:\cset-deploy\CSETWebApi\CSETWeb_Api\CSETWeb_Api\CSETWeb_Api.csproj]
BUILD: Controllers\DiagramController.cs(302,30): warning CS0168: The variable 'ex' is declared but never used [C:\cset-deploy\CSETWebApi\CSETWeb_Api\CSETWeb_Api\CSETWeb_Api.csproj]
BUILD: Controllers\DiagramController.cs(330,30): warning CS0168: The variable 'ex' is declared but never used [C:\cset-deploy\CSETWebApi\CSETWeb_Api\CSETWeb_Api\CSETWeb_Api.csproj]
BUILD: Controllers\DiagramController.cs(358,30): warning CS0168: The variable 'ex' is declared but never used [C:\cset-deploy\CSETWebApi\CSETWeb_Api\CSETWeb_Api\CSETWeb_Api.csproj]
BUILD: Controllers\DiagramController.cs(386,30): warning CS0168: The variable 'ex' is declared but never used [C:\cset-deploy\CSETWebApi\CSETWeb_Api\CSETWeb_Api\CSETWeb_Api.csproj]
BUILD: Controllers\ResetPasswordController.cs(125,48): warning CS1998: This async method lacks 'await' operators and will run synchronously. Consider using the 'await' operator to await non-blocking API calls, or 'await Task.Run(...)' to do CPU-bound work on a background thread. [C:\cset-deploy\CSETWebApi\CSETWeb_Api\CSETWeb_Api\CSETWeb_Api.csproj]
BUILD: Controllers\DiagramController.cs(399,26): warning CS1572: XML comment has a param tag for 'token', but there is no parameter by that name [C:\cset-deploy\CSETWebApi\CSETWeb_Api\CSETWeb_Api\CSETWeb_Api.csproj]
BUILD: Controllers\QuestionsController.cs(162,90): warning CS1573: Parameter 'IsComponent' has no matching param tag in the XML comment for 'QuestionsController.GetDetails(int, bool)' (but other parameters do) [C:\cset-deploy\CSETWebApi\CSETWeb_Api\CSETWeb_Api\CSETWeb_Api.csproj]
BUILD: App_Start\RouteConfig.cs(24,13): warning CS1587: XML comment is not placed on a valid language element [C:\cset-deploy\CSETWebApi\CSETWeb_Api\CSETWeb_Api\CSETWeb_Api.csproj]
BUILD: Controllers\AnalysisController.cs(537,13): warning CS1587: XML comment is not placed on a valid language element [C:\cset-deploy\CSETWebApi\CSETWeb_Api\CSETWeb_Api\CSETWeb_Api.csproj]
BUILD: Controllers\AnalysisController.cs(852,54): warning CS1587: XML comment is not placed on a valid language element [C:\cset-deploy\CSETWebApi\CSETWeb_Api\CSETWeb_Api\CSETWeb_Api.csproj]
BUILD:
BUILD:
BUILD: "C:\cset-deploy\CSETWebApi\CSETWeb_Api\CSETWeb_Api.sln" (Build target) (1) ->
BUILD: "C:\cset-deploy\CSETWebApi\CSETWeb_Api\CSETWeb_Api\CSETWeb_Api.csproj" (default target) (2) ->
BUILD: (PostBuildEvent target) ->
BUILD: C:\Program Files (x86)\Microsoft Visual Studio\2017\Professional\MSBuild\15.0\Bin\Microsoft.Common.CurrentVersion.targets(5165,5): error MSB3073: The command "call C:\cset-deploy\CSETWebApi\CSETWeb_Api\CSETWeb_Api\Diagram\etc\build\build.bat" exited with code 9009. [C:\cset-deploy\CSETWebApi\CSETWeb_Api\CSETWeb_Api\CSETWeb_Api.csproj]
BUILD:
BUILD: 52 Warning(s)
BUILD: 1 Error(s)
BUILD:
BUILD: Time Elapsed 00:00:16.39

Consider adding a CONTRIBUTING.md file. This file should contain a lot of what is in the README.md now. But it should also help people contribute back to our project.

Here is the file that we use in our generic skeleton project:

https://github.com/cisagov/skeleton-generic/blob/develop/CONTRIBUTING.md

💬 Questions and Help

Using the CSET 9.1.2 standalone installer, there's no SQL server installed anywhere. Going to localhost:46000, gives this error msg:

A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: SQL Network Interfaces, error: 50 - Local Database Runtime error occurred. Error occurred during LocalDB instance startup: SQL Server process failed to start.
)

Please note that this issue tracker is not a help form and this issue will be closed.

For questions or help please see:

• ✉️ Email CSET support

🚀 Feature Proposal

Sign-up restrictions would be useful for restricting the domains/emails that are allowed to create accounts.

Motivation

Some organizations need to use CSET as a public-facing site, but don't want to allow unauthorized users to create accounts. There is no "admin approval" process, but sign-up restrictions are a great alternative.

Example

GitLab uses sign-up restrictions where the admin can whitelist domains. Since GitLab's implementation uses an admin console, CSET could either: develop an admin console or read the whitelist from a txt file.

Pitch

CSET may contain sensitive or confidential information. Restricting domains to whitelist-only would prevent unauthorized users from creating accounts.

I just install CSET 10.0.0 and i getting this message:

Invalid object name 'INSTALLATION'.
Descripción: Excepción no controlada al ejecutar la solicitud Web actual. Revise el seguimiento de la pila para obtener más información acerca del error y dónde se originó en el código.

Detalles de la excepción: System.Data.SqlClient.SqlException: Invalid object name 'INSTALLATION'.

Error de código fuente:

Se ha generado una excepción no controlada durante la ejecución de la solicitud Web actual. La información sobre el origen y la ubicación de la excepción pueden identificarse utilizando la excepción del seguimiento de la pila siguiente.

Seguimiento de la pila:

[SqlException (0x80131904): Invalid object name 'INSTALLATION'.]
System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action1 wrapCloseInAction) +212 System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action1 wrapCloseInAction) +81
System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose) +631
System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady) +4233
System.Data.SqlClient.SqlDataReader.TryConsumeMetaData() +58
System.Data.SqlClient.SqlDataReader.get_MetaData() +89
System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString, Boolean isInternal, Boolean forDescribeParameterEncryption, Boolean shouldCacheForAlwaysEncrypted) +437
System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async, Int32 timeout, Task& task, Boolean asyncWrite, Boolean inRetry, SqlDataReader ds, Boolean describeParameterEncryptionRequest) +2616
System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, TaskCompletionSource1 completion, Int32 timeout, Task& task, Boolean& usedCache, Boolean asyncWrite, Boolean inRetry) +1700 System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method) +64 System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method) +243 System.Data.SqlClient.SqlCommand.ExecuteDbDataReader(CommandBehavior behavior) +37 System.Data.Common.DbCommand.ExecuteReader() +12 Microsoft.EntityFrameworkCore.Storage.Internal.RelationalCommand.Execute(IRelationalConnection connection, DbCommandMethod executeMethod, IReadOnlyDictionary2 parameterValues) +871
Microsoft.EntityFrameworkCore.Storage.Internal.RelationalCommand.ExecuteReader(IRelationalConnection connection, IReadOnlyDictionary2 parameterValues) +40 Microsoft.EntityFrameworkCore.Query.Internal.Enumerator.BufferlessMoveNext(DbContext _, Boolean buffer) +182 Microsoft.EntityFrameworkCore.SqlServer.Storage.Internal.SqlServerExecutionStrategy.Execute(TState state, Func3 operation, Func3 verifySucceeded) +57 Microsoft.EntityFrameworkCore.Query.Internal.Enumerator.MoveNext() +100 System.Linq.Enumerable.FirstOrDefault(IEnumerable1 source) +183
lambda_method(Closure ) +244
Microsoft.EntityFrameworkCore.Query.Internal.ResultEnumerable1.GetEnumerator() +14 Microsoft.EntityFrameworkCore.Query.Internal.<_TrackEntities>d__172.MoveNext() +109
Microsoft.EntityFrameworkCore.Query.Internal.EnumeratorExceptionInterceptor.MoveNext() +172
System.Linq.Enumerable.First(IEnumerable1 source) +183 Microsoft.EntityFrameworkCore.Query.Internal.<>c__DisplayClass15_11.b__0(QueryContext qc) +111
Microsoft.EntityFrameworkCore.Query.Internal.QueryCompiler.Execute(Expression query) +262
Microsoft.EntityFrameworkCore.Query.Internal.EntityQueryProvider.Execute(Expression expression) +60
System.Linq.Queryable.FirstOrDefault(IQueryable`1 source) +212
CSETWeb_Api.Helpers.TransactionSecurity.GetSecret() +190
CSETWeb_Api.Helpers.TransactionSecurity.GenerateSecret() +29
CSETWeb_Api.Startup.Configuration(IAppBuilder app) +55

[TargetInvocationException: Se produjo una excepción en el destino de la invocación.]
System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor) +0
System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments) +168
System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture) +105
Owin.Loader.<>c__DisplayClass18_1.b__0(IAppBuilder builder) +66
Owin.Loader.<>c__DisplayClass9_0.b__0(IAppBuilder builder) +123
Microsoft.Owin.Host.SystemWeb.<>c__DisplayClass5_0.b__0(IAppBuilder builder) +81
Microsoft.Owin.Host.SystemWeb.OwinAppContext.Initialize(Action1 startup) +462 Microsoft.Owin.Host.SystemWeb.OwinBuilder.Build(Action1 startup) +40
Microsoft.Owin.Host.SystemWeb.OwinHttpModule.InitializeBlueprint() +70
System.Threading.LazyInitializer.EnsureInitializedCore(T& target, Boolean& initialized, Object& syncLock, Func`1 valueFactory) +119
Microsoft.Owin.Host.SystemWeb.OwinHttpModule.Init(HttpApplication context) +106
System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers) +523
System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context) +176
System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context) +220
System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext) +303

[HttpException (0x80004005): Se produjo una excepción en el destino de la invocación.]
System.Web.HttpRuntime.FirstRequestInit(HttpContext context) +659
System.Web.HttpRuntime.EnsureFirstRequestInit(HttpContext context) +89
System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context) +188

Información de versión: Versión de Microsoft .NET Framework:4.0.30319; Versión ASP.NET:4.8.4250.0

🚀 Feature Proposal

CMMC Model v1.0 Assessment Template

Motivation

To be able to assess against the newly released CMMC Cybersecurity Maturity Model Certification standard.

Example

https://www.acq.osd.mil/cmmc/draft.html

Pitch

This newly released framework is now the standard for DIB contractors.

Is there a feature for Deleting users from the CSET database?

I know that you can add them via the GUI or the addcsetuser.exe, but I do not see any place to delete them.

I am using this for a university course, and would like to remote users at the end of the semester.

This page is ancient and needs to be updated or "taken out behind the shed™":

https://www.us-cert.gov/ics/Downloading-and-Installing-CSET

Module import on version 10.1 not working. OPtion presents a blank page. Tested in Firefox and Edge on two machines with the same result.

🚀 Feature Proposal

The ability to export CSET data in a "clean", non-attributable fashion.

Motivation

If a user wants to share data with CISA or another organization, it would be useful if they could do so in a non-attributable way.

Questions

• Does export functionality already exist?
• Can it be non-attributable?
• If not how hard would it be to implement?

The current question set, and controls from the 800-53A are outdated. They are not tailored to the newest revision, the 800-53Ar4.

CSET is a great tool, but it is not scalable for the masses as it can not be customized for organizational specific needs? Like disabling features not needed or simplifying interface. Ie will never use the maturity model, so I'd like to remove it, or the ability to disable standards not used in my vertical. Let us customize the product for our own organizational needs?

🐛 Bug Report

I have CSET v6.2 installed on a Windows 10 virtual machine.

When I attempt to uninstall it, it fails with the following popup message:
Error 1606. Could not access network location \vmware-host\Shared Folders\Documents

However the path is accessible via File Explorer

🐛 Bug Report

Using 9.2.0 windows installer, when accessing the questions screen for a NIST CSF v1.1 assessment, it fails to load screen and redirects back to assessments screen.

To Reproduce

Install 9.2.0 Windows installer. Select NIST CSF as assessment type. Navigate thru screens until you reach questions.

Expected behavior

The NIST CSF questions are available to access and answer.

Any helpful log output

Paste the results here:

What standard similar with IEC62443?

🐛 Bug Report

Unable to view or create assessments after building and installing enterprise version 9.2.

It looks like the database image is not updated to version 9.2 in the master or development branches, and the update is not compatible with v9.0.1's database image.

To Reproduce

Using build version 9.2, connect to the database image committed in April (dbo.CSET_VERSION.Cset_Version = 9.0.1), and then try to view or create an assessment.

Expected behavior

Ability to create new assessments.

Any helpful log output

After upgrading Enterprise from 9.2.2 to 10.0.0, the Help-About page still shows version 9.2.2.

There are some errors in the initial Enterprise installation instructions for 9.2.2 that will be handled separately.

However, it would be nice to provide upgrade instructions for Enterprise.

I assumed you just replace the wwwroot contents with the new ones. However, what do you do with the database files?

If I leave an assessment while in progress and come back, I have been loosing progress. I am in "Requirements Mode" with CNSSI 1253 V2 requirements selected. I completed all of the Access Control requirements. I left the page and when I came back only a few of the requirements were showing as completed.

CSET 9.2.1
Win 10 Pro
Chrome 79.0

🐛 Bug Report

If an assessment is done using several computers:

1. Start the assessment on Computer 1
2. Continue the assessment on Computer 2
3. Import the assessment from Computer 2 into Computer 1, to update the initial assessment

You end up with several Contacts at the first screen of the assessment - listing all users who worked on it.

If you then Delete the user from Computer 2, The WHOLE assessment disappears!

There is NO warning that deleting a contact from that screen will wipe the whole assessment!

Expected behavior

Deleting a user should just delete the user (deleting a Contact should just delete the CONTACT!)

A clear and concise description of what you expected to happen.

Any helpful log output

Paste the results here:

Vulnerability Scan Report

@johnmod3 sent an email in with a couple of attachments concerning vulnerabilities scanned in this repository.

I've take a quick look and these seem to be a subset of our dependabot and CodeQL findings. I believe that most of these dependency bumps are going to be addressed in the next release. Some have been captured in the current crop of dependabot PRs.

I'm attaching for further review by the CSET development team.

Thank you @johnmod3 for your contribution. Having extra sets of eyes is why we're here! 👀

Attachments:

• Project Analysis Summary _ Ion Console.pdf
• CISA_1dad9f26-ca07-4a29-9e74-5c648280e9f0.json

🐛 Bug Report

When creating an assessment in Requirements Mode, per-requirement comments added to the 'comments' field do not display on the Site Detail Report, under 'Question Comments And Marked For Review'.

Comments DO show up correctly when comments are entered in Questions Mode.

To Reproduce

Create New Assessment, Next x 2, Select 'NIST Special Publication 800-171 Rev 1', Next, Select 'Requirements Mode', Expand first question, select 'Yes' on this question, select 'Comments', enter any text into comments field, select 'Results' tab, 'Reports', 'Site Detail Report', scroll to the bottom of the report to heading 'Question Comments And Marked For Review'. "Question: | There are no questions with comments to display." is displayed.

Expected behavior

Comments entered while using Requirements Mode should appear in the "Site Detail Report", "Question Comments And Marked for Review" section.

Thank you.

Any helpful log output

Paste the results here:

• ✉️ Email CSET support

• I have configured the CSET Enterprise version on my system with IIS and SQL manager installation.

• I have configured the SMTP Host setting for sending the Emails which we get after registration.

• But I am not receiving any emails which will contain a temporary password that will allow us to log in to the CSET Application.

• CSET application is running but at the time of registration, I am getting an internal server Error ("Unknown Error" in the console window) also the user is created in the database.

I have attached the error screens, It would be great if anyone can check on this issue and revert me back.

• I have tried to create a user by the second way that is to run the AddCSETUser.exe file. But it's not running.
  Rather than the execution of exe file, a blank cmd screen appears for a second.

🚀 Feature Proposal

Ability to add custom Question Group Headings to align with other standards that do not match those provided. If custom is not possible, need addition of:

• Asset Management
• Situational Awareness
• Process Maturity

Would like functionality similar to custom Subcategories.

Example

I am building a custom profile to align with DoD CMMC.

Pitch

CSET should align with both USG documents. Need to group questions by "Domain" and subcategory aligned to "Capability" for CMMC.

Version

CSET 9.2.1

🐛 Bug Report

I tried to submit the C2M2 as well as a custom module into the import module editor with the standalone install of CSET as well as the Enterprise Installation.
There is a processing error and nothing will upload to the database.

To Reproduce

Steps to reproduce the behavior: Load the C2M2 Module or any other module into the CSET editor and submit.

Unless I am missing something in the Web.config file, the SMTP configuration does not support authentication. Are the additional hidden keys that exist but are not defined in the sample file.

Please provide capability to authenticate to an SMTP server.

🐛 Bug Report

I am trying to add a new module (new Standard) using the Import Module. I have this new standard in JSON and trying to import. The questions from the first object in the Requirements section gets added in the module and rest of them are skipped.
I have tried again and again in various ways to make it work but the result is same. Could you please help me with this? Also, please check if the Enterprise version has the same issue.

To Reproduce

Create a json with custom requirements and questions which are not already in the database, and try importing from Import Module.

Expected behavior

All the custom questions should be added to the newly created module.

Any helpful log output

Paste the results here:

I have deployed the CSET SQL instance and have been able to successfully connect to the SQL instance from a remote system. When logging into the SQL instance using CSET Web interface we are presented with the gold ribbon at the top showing local instance.

Following the instructions, I am unable to find and download the DIST folder as the link points to an old link. Could you please provide any insight into why we would be receiving the local instance error when it is connected to the DB. Also, there are no webfile to be placed in the IIS for launching and not sure if this is part of the issue in the instructions\downloaded files

CSET 9.2.1: NIST SP 800-171 Rev 1 as of 06 07 2018 - This guidance is listed under Prepare>Cybersecurity Standards>NIST Framework>"NIST SP 800-171 Rev 1 Updates 06-07-2018" but when this is selected nothing populates the requirements section - instead it notes "There are no applicable questions/requirements to display. Check the assessment's SAL level and Standards selection."

Hi there!

I am facing a problem when I try to access the assessment results (I am using CSET Enterprise 9.2.2).
When I click on RESULTS, my session is disconnected and CSET presents a pop-up with an "Access Denied" error with the following message:

"
Your session has expired, a connection error has occurred, or you are no longer authorized to access that assessment.
Please log in again.
"

Same behaviour repeats for all assessments and for two different users.

Any ideas about this and how to fix?

Thanks in advance!

Best regards,
Fabio.

I am trying to run the WebApi project in debug mode, and I would like to modify the API code to use my own SMTP settings (to start with) - do you have any guidance on running the software in an interactive debugging environment?

I have the database installed, and have successfully built the enterprise 9.2.2 version in VS 2017.

When I try to debug the WebApi project, I get the "CSET Web Starting Configuration Page" - then when I click the "CSET Angular Site" link, I get a runtime error saying assets/config.json is not found:

An exception of type 'System.Web.HttpException' occurred in CSETWeb_Api.dll but was not handled in user code Additional information: assets/config.json file not found

I assume I am missing some step - maybe building the angular project?

🐛 Bug Report

LGTM is unable to build CSET using its default strategies. It needs some hints about how to go about it.

To Reproduce

Steps to reproduce the behavior:

• Look at LGTM build logs

Expected behavior

LGTM should be able to identify the correct way to extract and build the code.

Ideas

We should add a lgtm.yml file to the repository with some hints how to build CSET. See the documentation for information about this file:

https://lgtm.com/help/lgtm/lgtm.yml-configuration-file

💬 Questions and Help

Is it possible to export the Custom Module and the associated Custom Questions?

Need is high to develop customization that can be shared with others.

Version

CSET 9.2.1

🐛 Bug Report

When I create a new assessment, I am able to select the report "Observation Tear Out Sheets" but when I open an existing database, the PDF opens for a split second and then closes. I am trying to create a NIST 800-171 Observation Tear Out Sheet.

To Reproduce

Open an existing assessment and try running the Observation Tear Out Sheets report

Expected behavior

I expected the PDF to open.

Any helpful log output

Paste the results here:

🐛 Bug Report

After installation CSET 10.1 a presentation error "Invalid object name 'dbo.INSTALLATION'.".

Error

Detalhes da Exceção: Microsoft.Data.SqlClient.SqlException: Invalid object name 'dbo.INSTALLATION'.

Erro de Origem:

Exceção sem tratamento foi gerada durante a execução da atual solicitação da Web. As informações relacionadas à origem e ao local da exceção podem ser identificadas usando-se o rastreamento de pilha de exceção abaixo.

Rastreamento de Pilha:

[SqlException (0x80131904): Invalid object name 'dbo.INSTALLATION'.]
Microsoft.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action1 wrapCloseInAction) +220 Microsoft.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action1 wrapCloseInAction) +81
Microsoft.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose) +614
Microsoft.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady) +4452
Microsoft.Data.SqlClient.SqlDataReader.TryConsumeMetaData() +60
Microsoft.Data.SqlClient.SqlDataReader.get_MetaData() +89
Microsoft.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString, Boolean isInternal, Boolean forDescribeParameterEncryption, Boolean shouldCacheForAlwaysEncrypted) +396
Microsoft.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async, Int32 timeout, Task& task, Boolean asyncWrite, Boolean inRetry, SqlDataReader ds, Boolean describeParameterEncryptionRequest) +2597
Microsoft.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, TaskCompletionSource1 completion, Int32 timeout, Task& task, Boolean& usedCache, Boolean asyncWrite, Boolean inRetry) +1557 Microsoft.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method) +64 Microsoft.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method) +228 Microsoft.Data.SqlClient.SqlCommand.ExecuteDbDataReader(CommandBehavior behavior) +60 System.Data.Common.DbCommand.ExecuteReader() +12 Microsoft.EntityFrameworkCore.Storage.RelationalCommand.ExecuteReader(RelationalCommandParameterObject parameterObject) +947 Microsoft.EntityFrameworkCore.Query.Internal.Enumerator.InitializeReader(DbContext _, Boolean result) +204 Microsoft.EntityFrameworkCore.SqlServer.Storage.Internal.SqlServerExecutionStrategy.Execute(TState state, Func3 operation, Func3 verifySucceeded) +57 Microsoft.EntityFrameworkCore.Query.Internal.Enumerator.MoveNext() +550 System.Linq.Enumerable.SingleOrDefault(IEnumerable1 source) +198
lambda_method(Closure , QueryContext ) +264
Microsoft.EntityFrameworkCore.Query.Internal.QueryCompiler.Execute(Expression query) +263
Microsoft.EntityFrameworkCore.Query.Internal.EntityQueryProvider.Execute(Expression expression) +60
System.Linq.Queryable.FirstOrDefault(IQueryable`1 source) +212
CSETWeb_Api.Helpers.TransactionSecurity.GetSecret() +191
CSETWeb_Api.Helpers.TransactionSecurity.GenerateSecret() +29
CSETWeb_Api.Startup.Configuration(IAppBuilder app) +55

[TargetInvocationException: Uma exceção foi acionada pelo destino de uma chamada.]
System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor) +0
System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments) +168
System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture) +105
Owin.Loader.<>c__DisplayClass19_1.b__0(IAppBuilder builder) +66
Owin.Loader.<>c__DisplayClass9_0.b__0(IAppBuilder builder) +123
Microsoft.Owin.Host.SystemWeb.<>c__DisplayClass5_0.b__0(IAppBuilder builder) +81
Microsoft.Owin.Host.SystemWeb.OwinAppContext.Initialize(Action1 startup) +462 Microsoft.Owin.Host.SystemWeb.OwinBuilder.Build(Action1 startup) +40
Microsoft.Owin.Host.SystemWeb.OwinHttpModule.InitializeBlueprint() +70
System.Threading.LazyInitializer.EnsureInitializedCore(T& target, Boolean& initialized, Object& syncLock, Func`1 valueFactory) +119
Microsoft.Owin.Host.SystemWeb.OwinHttpModule.Init(HttpApplication context) +106
System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers) +523
System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context) +176
System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context) +220
System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext) +303

[HttpException (0x80004005): Uma exceção foi acionada pelo destino de uma chamada.]
System.Web.HttpRuntime.FirstRequestInit(HttpContext context) +659
System.Web.HttpRuntime.EnsureFirstRequestInit(HttpContext context) +89
System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context) +188

Hi,
Since this is not a bug in the application I add my comments here.

I have installed the CSETstandalone.exe installer v10.1 on my Windows 10. It starts my browser and I get an error message:

Server Error in '/' Application.
Invalid object name 'dbo.INSTALLATION'.
Description: An unhandled exception occurred during the execution of the current web request.
Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: Microsoft.Data.SqlClient.SqlException: Invalid object name 'dbo.INSTALLATION'.

Source Error:

An unhandled exception was generated during the execution of the current web request.
Information regarding the origin and location of the exception can be identified using the exception stack trace below.
bla bla bla

I wonder if the CSETstandalone.exe 10.1 is just the version described below "CSET Enterprise Installation Instructions"
If the standalone desktop version is not maintained any longer the read.me file should be updated.

#1 There's no mentioning on what OS version CSET support. the document often refers to Desktop, however it seems the evolution of CSET have gone towards a multiuser solution which is best suited for installation on a Windows server. The readme should describe the alternatives available.
For instance the line "A CSET dialogue will open asking if you want to install the CSET Desktop (Fig.2). Select "Yes"."

• There word "Desktop" is not mentioned in the installer.

#2 The pre-requisite comes far down in the document. The installation requirement (OS and pre req) should be listed first.

#3 The statement " If the user doesn't have IIS 10.0 Express, CSET will install it. " Sounds very good. However, it would be nice to have a way to verify if this component is installed properly. In my Windows Features I don't see anything installed under IIS. I can't find the IIS Express as an installation i the control panel either. But the fact that my browser shows the error message under the URL "http://localhost:46000/index.html?v=10.1.7607" indicates that that at least I have a web server running locally.

#4 There is no file called "CSET_10.1-Binary.zip on the CSET® releases page
"Click "CSET_10.1-Binary.zip" file to download it."

#5 There's a broken link "Again, this can be downloaded directly from Microsoft" (https://www.microsoft.com/en-us/download/details.aspx?id=47337)

#6 The IIS installation is a bit different on Windows 10 vs Server 2016.

#7 The SQL installation procedure was very long. Could this be scripted? Is it possible to run it on Windows 10?
I would think many like me are not that keen on putting all this on my windows 10 workstation. If it has to be like this it would be nice to have a procedure how to run the CSET on a VM (VMware workstatation or VirtualBox) and then use the Chrome browser only on the company PC (Windows 10).

Best regards,

Tolleif Onarheim

Bug - After installation in do CSET 9.2.docx

I can't seem to create custom reports off assessment questions that would break out POAM. The doc i looked at says there should be a "Report Builder" within the tool but it is not there. I really really could use this as it is the main thing I need.

🚀 Feature Proposal

Prior to CSET 9.x, it was possible to export reports in .docx format for customization. Would like this feature added back to the CSET, especially with the Site Cybersecurity Plan.

Motivation

Feature was used extensively in prior releases.

Version

CSET 9.2.1

🐛 Bug Report

Unable to start a new assessment in version 10.1.1.0.

Tried using multiple browsers and all had same results. Screen would flicker but would return to the selection screen with Start New Assessment or Import Assessment. Import Assessment button does open the import dialog.

To Reproduce

Steps to reproduce the behavior:

1. Start Stand Alone CSET 10.1.1.0.
2. Open browser (Edge, IE, Chrome, Firefox)
3. Navigate to local CSET website
4. Select Start New Assessment button

Expected behavior

Expect new assessment dialog to open.

Any helpful log output

Paste the results here:

After upgrading from CSET version 9.0.1 to version 9.2.0 (stand alone) the system would not allow me to open my assessments that I had done on version 9.0.1, neither would it allow me to start a new assessment.

When I click on the old assessments to open them the system just "blinks", and then nothing happens. Likewise when I click on the "New Assessment", it blinks and does nothing.

🚀 Feature Proposal

CSET 8 produced DOCX and PDF reports. Please support this in version 10+.

Motivation

These reports are useful to others in the organization that do not have CSET installed. It would be nice to email stakeholders a Word or PDF document. In fact, reports with a signature block require editing. Simply opening a saved HTML file in word does not pick up the network diagram.

Example

Just as in CSET 8, the report builder would allow producing DOCX or PDF reports.

Pitch

This feature would support sharing of assessment results both inside and outside organization. (e.g. to prove compliance to a customer.)

🐛 Bug Report

Using the Standalone version, Attempting to import a new module always gets DB input error.

To Reproduce

I have tried a variety of approaches (all XML). Importing another module and replace name and shortname just to see if I could get it to work. I was successful in creating a new module but not one that contained requirements. Including requirements fails.

Expected behavior

A clear and concise description of what you expected to happen.

Any helpful log output

Paste the results here:

I've been testing some styling changes in the front end part of the app but I can't seem to run the build. Whenever I do ng serve -o i get this error:

[error] C:\Users\User\Desktop\cset-master\CSETWebNg\node_modules\lodash\lodash.js:3980
if ((key === 'proto' || key === 'constructor' || key === 'prototype')) {
^^

SyntaxError: Unexpected token 'if'
at wrapSafe (internal/modules/cjs/loader.js:979:16)
at Module._compile (internal/modules/cjs/loader.js:1027:27)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:1092:10)
at Module.load (internal/modules/cjs/loader.js:928:32)
at Function.Module._load (internal/modules/cjs/loader.js:769:14)
at Module.require (internal/modules/cjs/loader.js:952:19)
at require (internal/modules/cjs/helpers.js:88:18)
at Object. (C:\Users\User\Desktop\cset-master\CSETWebNg\node_modules\http-proxy-middleware\lib\index.js:1:9)
at Module._compile (internal/modules/cjs/loader.js:1063:30)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:1092:10)

I have Node v14.15.3 and @angular/[email protected] installed so i don't know if it has to do with the version?