simplerisk / bundles Goto Github PK

To whom it may concern

Trying to install simplerisk today using simplerisk-20210305-001.tgz and simplerisk-installer-20210305-001.tgz. I pass the first install check (modules and ownership of files) and i'm being asked the mysql db host/port/user/pass. However i get an error no matter what php version i try (i tested with 7.0/7.1/7.3/8.0)
With 7.x i get:
PHP message: PHP Warning: Invalid argument supplied for foreach() in /path/obfuscated/install/index.php on line 274
With 8.0 i get:
PHP message: PHP Warning: foreach() argument must be of type array|object, string given in /path/obfuscated/install/index.php on line 274

Any advice how to i get past database check step in the install folder?
Thank you in advance

Andy

When submitting a risk and using the OWASP option under Threat Agent Factors/Skill Level, the rating is 1=No technical skills, and 9=Security penetration skills.

But on the OWASP page : https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
Under skill level, the values are around the other way, 1=Security penetration skills, and 9=No technical skills.

This is the difference between a risk having a score of 10, and now that I've switched it around 1.1

I followed the instructions and installed SimpleRisk on Ubuntu 12.04 64-bit, but see "A fatal error has occurred. Please contact support." on the homepage. I am using the most recent bundle package "2014-0413-001"
My error.log file shows:
"PHP Fatal error: Call to a member function prepare() on a non-object in /var/www/simplerisk/includes/authenticate.php on line 522"

Any ideas, or are others seeing the same error?

Hello!

I'm trying to install simplerisk in a 000webhost website/database and i keep getting errors after errors.

I sent through ftp the two folders needed for installation of simplerisk. The bundle files are inside a folder named "simplerisk" and the installation files are inside a folder named "install". (see web.png)

Then, as the simplerisk installation guides says, I navigated to my website \install folder (error1.png) and introduced the database name provided by 000webhost. (see db.png)

As a results of this steps i keep getting an error named "http error 500".

Is there any help you could provide me on this subject?

I'm using firefox and windows 7

Best regards.

Filipe

Hello,

It would be nice if we could create a project with a series of issues to used a template eg by copying the project to a new one.

Many thanks for your hard work!

In the moment to create a new user the script user_management.php generates the following error:

Without this all new risks get a value of 0 and are not selectable even when flagged for project.

I imported a CSV of about 40 risks this afternoon. Everything went fine on the front end; mapping worked great and I selected the field that each column should map to. When I went in to view the risks I noted that any value that I mapped to "Custom Value" was changed to 10. For example, the following risk had a custom value of "2."

After import, the value changed to "10." Upon further inspection it seems as though math is not working:

Curious indeed. Perhaps it has something to do with the scoring method. My preference is custom because we are using a scoring method not supported natively by the application.

Thanks!

I have tried following the advice from the previous issue but that did not resolve the issue.

I have several risks. I perform a management review and mark them as "Approve Risk" and "Consider for Project."

The audit trail shows the review but when I click Prioritize for Project Planning the risk does not appear as it does in the demo.

I am running this on a fresh CentOS server. I did delete the database and recreate it using the schema but had the same issue both times.

I did find these in my logs:

"[Wed Jul 23 15:08:18 2014] [error] [client x.x.x.x] PHP Warning: Invalid argument supplied for foreach() in /var/www/html/management/prioritize_planning.php on line 52, referer: http://x.x.x.x/management/prioritize_planning.php"

"[Wed Jul 23 13:53:11 2014] [error] [client x.x.x.x] PHP Notice: Undefined index: ids in /var/www/html/management/prioritize_planning.php on line 52, referer: http://x.x.x.x/management/prioritize_planning.php"

I doubt these errors are related to the problem.

Looking in the DB I see:

mysql> select id, status, mgmt_review, project_id from risks;
+----+---------------+-------------+------------+
| id | status | mgmt_review | project_id |
+----+---------------+-------------+------------+
| 1 | Mgmt Reviewed | 6 | 0 |
| 2 | Mgmt Reviewed | 3 | 0 |
| 3 | Mgmt Reviewed | 4 | 0 |
+----+---------------+-------------+------------+

mysql> select id, risk_id, next_step from mgmt_reviews;
+----+---------+-----------+
| id | risk_id | next_step |
+----+---------+-----------+
| 1 | 1 | 2 |
| 2 | 1 | 2 |
| 3 | 2 | 2 |
| 4 | 3 | 2 |
| 5 | 1 | 2 |
| 6 | 1 | 2 |
+----+---------+-----------+

mysql> select * from next_step;
+-------+------------------------------+
| value | name |
+-------+------------------------------+
| 1 | Accept Until Next Review |
| 2 | Consider for Project |
| 3 | Submit as a Production Issue |
+-------+------------------------------+

It seems like the project id in risks should be 1 since they are all reviewed with Consider for Project as a next step.

Any help would be appreciated.

Hi - I believe there should be a capability to add multiple files to a single risk / issue (Supporting Documentation). This would help maintain a trail of all the documentation associated with the risk (emails / documents / spreadsheets etc). Thank you for the good work!

#1055 - Expression #1 of SELECT list is not in GROUP BY clause and contains nonaggregated column 'osshoa4m_newprojectinfo.com.pd.state_id' which is not functionally dependent on columns in GROUP BY clause; this is incompatible with sql_mode=only_full_group_by

Hi;

After a new installation, I'm seeing the following error on the Reporting tab.

Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1055 Expression #1 of SELECT list is not in GROUP BY clause and contains nonaggregated column 'simplerisk.a.calculated_risk' which is not functionally dependent on columns in GROUP BY clause; this is incompatible with sql_mode=only_full_group_by' in /Library/WebServer/Documents/simplerisk/includes/reporting.php:428 Stack trace: #0 /Library/WebServer/Documents/simplerisk/includes/reporting.php(428): PDOStatement->execute() #1 /Library/WebServer/Documents/simplerisk/reports/index.php(85): open_risk_level_pie('Risk Level') #2 {main} thrown in /Library/WebServer/Documents/simplerisk/includes/reporting.php on line 428

Regards,
Jeff

"V. Review Risks Regularly" → "Show Risk Scoring Details" → "Risk Scoring Actions" → "Score by Classic"

Hi Josh - I really think the simplerisk homepage could be used for something better than just the simplerisk logo PNG file. It feels quite a bit empty right now.
Maybe even a aggregation of user relevant RSS feeds (that can be configured in the configuration menu?) can be displayed here beneath the large simplerisk logo could be useful here.

Rather than displaying "Owner's Manager", "Owner's Manager" is displayed.

@jsokol

I recently update the Simplerisk applications to the latest version, but the Save button does not working when try to edit an existing risk or to add a comment.

My PHP version is 5.6.40.

Thanks

Hi
After giving a user access only to assessments tab is there a way that we can disable the report tab.
We are busy testing the system and need to disable the report tab for certain users and only allow them to see the assessments tab. We are currently using the core system on prem.

Looking forward to your reply.
Sincerely.
G

Hi;

Is there any chance you could add the NIST 800-53 control catalog to the Control Regulation?

Regards,
Jeff

Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[HY000]: General error: 1364 Field 'mitigation_id' doesn't have a default value' in C:\xampp\htdocs\simplerisk\includes\functions.php:1023 Stack trace: #0 C:\xampp\htdocs\simplerisk\includes\functions.php(1023): PDOStatement->execute() #1 C:\xampp\htdocs\simplerisk\management\index.php(137): submit_risk('New', 'Test', '', 5, '1', '5', 1, 30, 23, 3, 1, 'none', 'none') #2 {main} thrown in C:\xampp\htdocs\simplerisk\includes\functions.php on line 1023

Release: 20141013-001

I just upgraded to the latest version from the previous version. On running upgrade.php, the script doesn't finish and is stuck at the line shown in the image.

Also, the simplerisk database in mysql still shows only 29 tables as it was before. I was expecting to see one more table for the file attachments.

Thank you for looking into this!

After I installed it and login I see that theme is corrupted not like demo page any suggestions

Hi - a new user can be created in the latest version with null values for username and password, while all the privileges can be assigned to this "empty" username user. This "null" user can log in and log out like normal user.

I have not he root password of my shared host. How can I install it?

Note: I manually edited the config.php file too, to try.

The error log:

[09-Jul-2021 23:09:44 UTC] PHP Fatal error: Uncaught Error: Call to a member function prepare() on null in /home/ohsc1orckkh1/public_html/simplerisk/includes/permissions.php:26
Stack trace:
#0 /home/ohsc1orckkh1/public_html/simplerisk/includes/permissions.php(168): table_exists('permissions')
#1 /home/ohsc1orckkh1/public_html/simplerisk/includes/permissions.php(43): get_possible_permissions()
#2 /home/ohsc1orckkh1/public_html/simplerisk/includes/authenticate.php(12): require_once('/home/ohsc1orck...')
#3 /home/ohsc1orckkh1/public_html/simplerisk/includes/functions.php(13): require_once('/home/ohsc1orck...')
#4 /home/ohsc1orckkh1/public_html/simplerisk/index.php(7): require_once('/home/ohsc1orck...')
#5 {main}
thrown in /home/ohsc1orckkh1/public_html/simplerisk/includes/permissions.php on line 26

In the latest version, when I try to download an attachment from a risk, an entirely different file (from a different risk) is downloaded. Steps to reproduce;

1. I attach files "filenameA.PDF" and "filenameB.XLS" to risk no. 1022
2. Save the risk or update the risk
3. Click on the link showing either "filenameA.PDF" or "filenameB.XLS"
4. The file that is downloaded is not either "filenameA.PDF" or "filenameB.XLS" - it is actually a file that was attached to an entirely different risk (lets call it risk no. 1007)
5. Everytime you try to open the attached file in ANY of the inserted risks, ONLY the file attached in the risk 1007 is downloaded.

I have tried it on Latest Chrome and IE 11. Please let me know if you need additional information. Thanks!

Just installed the latest version in kali 1.0 to try it out. I created a risk and went to management review to approve the risk and set 'Consider for Project'. The problem is that under 'Prioritize for Project Planning' I cannot see the risk.

Installed version:
simplerisk-20140413-001.tgz
simplerisk-en-20140413-001.sql

I really like this project and appreciate your efforts. I ran into one thing I found confusing. On the "Configure Risk Formula" page, there is a drop down with the formulas used to calculate the risk. The formulas in the drop down do not match what is displayed in the risk chart. 5x1 does not equal 2 for example. Once I looked in the code I saw that you scaled all values so they fit a 1-10 scale. That makes good sense and makes the risk settings at the top of the page the same regardless of what formula you use.

I suggest adding a note like "All values are adjusted to fit a 10 point scale" somewhere on the page so people don't think the calculations are wrong.