regscale-cli 6.20.10.0__py3-none-any.whl → 6.21.1.0__py3-none-any.whl

regscale/integrations/commercial/wizv2/constants.py

@@ -3,7 +3,225 @@
 from enum import Enum
 from typing import List, Optional
 
-from regscale.models import IssueSeverity
+from regscale.models import IssueSeverity, regscale_models
+
+WIZ_POLICY_QUERY = """
+query PolicyAssessmentsTable($filterBy: PolicyAssessmentFilters, $first: Int, $after: String) {
+  policyAssessments(filterBy: $filterBy, first: $first, after: $after) {
+    nodes {
+      id
+      policy {
+        ... on CloudConfigurationRule {
+          id
+          shortId
+          name
+          ruleDescription: description
+          severity
+          graphId
+          remediationInstructions
+          risks
+          threats
+          securitySubCategories {
+            ...SecuritySubCategoriesDetails
+          }
+        }
+        ... on Control {
+          id
+          name
+          description
+          lastRunAt
+          lastRunError
+          lastSuccessfulRunAt
+          severity
+          risks
+          threats
+          securitySubCategories {
+            ...SecuritySubCategoriesDetails
+          }
+        }
+        ... on HostConfigurationRule {
+          id
+          name
+          shortName
+          remediationInstructions
+          risks
+          threats
+          securitySubCategories {
+            ...SecuritySubCategoriesDetails
+          }
+        }
+      }
+      result
+      resource {
+        id
+        name
+        type
+        region
+        tags { key value }
+        subscription { id name externalId cloudProvider }
+      }
+      output {
+        ... on Issue { id issueStatus: status }
+        ... on ConfigurationFinding { id name cloudConfigurationFindingStatus: status remediation }
+        ... on HostConfigurationRuleAssessment { id hostConfigurationRule: rule { id name shortName description remediationInstructions } }
+      }
+    }
+    pageInfo { hasNextPage endCursor }
+    totalCount
+  }
+}
+
+fragment SecuritySubCategoriesDetails on SecuritySubCategory {
+  description
+  id
+  resolutionRecommendation
+  title
+  externalId
+  category { id name framework { id name enabled } }
+}
+"""
+
+WIZ_FRAMEWORK_QUERY = """
+query SecurityFrameworksTable($first: Int, $after: String, $filterBy: SecurityFrameworkFilters) {
+  securityFrameworks(first: $first, after: $after, filterBy: $filterBy) {
+    nodes { policyTypes ...SecurityFrameworkFragment }
+    pageInfo { hasNextPage endCursor }
+    totalCount
+  }
+}
+
+fragment SecurityFrameworkFragment on SecurityFramework {
+  id
+  name
+  description
+  builtin
+  enabled
+  parentFramework { id name }
+}
+"""
+
+# Comprehensive framework mappings with shorthand names for easy CLI usage
+FRAMEWORK_MAPPINGS = {
+    "wf-id-4": "NIST SP 800-53 Revision 5",
+    "wf-id-48": "NIST SP 800-53 Revision 4",
+    "wf-id-5": "FedRAMP (Moderate and Low levels)",
+    "wf-id-17": "CIS Controls v7.1",
+    "wf-id-24": "CIS Controls v8",
+    "wf-id-6": "CIS AWS v1.2.0",
+    "wf-id-7": "CIS AWS v1.3.0",
+    "wf-id-32": "CIS AWS v1.4.0",
+    "wf-id-45": "CIS AWS v1.5.0",
+    "wf-id-84": "CIS AWS v2.0.0",
+    "wf-id-98": "CIS AWS v3.0.0",
+    "wf-id-197": "CIS AWS v4.0.0",
+    "wf-id-50": "AWS Foundational Security Best Practices v1.0.0",
+    "wf-id-124": "AWS Well-Architected Framework (Section 2 - Security)",
+    "wf-id-8": "CIS Azure v1.3.0",
+    "wf-id-35": "CIS Azure v1.4.0",
+    "wf-id-52": "CIS Azure v1.5.0",
+    "wf-id-74": "CIS Azure v2.0.0",
+    "wf-id-100": "CIS Azure v2.1.0",
+    "wf-id-196": "CIS Azure v2.1.0 (Latest)",
+    "wf-id-40": "Azure Security Benchmark v3",
+    "wf-id-9": "CIS GCP v1.1.0",
+    "wf-id-36": "CIS GCP v1.2.0",
+    "wf-id-53": "CIS GCP v1.3.0",
+    "wf-id-85": "CIS GCP v2.0.0",
+    "wf-id-25": "CIS AKS v1.0.0",
+    "wf-id-68": "CIS AKS v1.2.0",
+    "wf-id-75": "CIS AKS v1.3.0",
+    "wf-id-93": "CIS AKS v1.4.0",
+    "wf-id-162": "CIS AKS v1.5.0",
+    "wf-id-218": "CIS AKS v1.6.0",
+    "wf-id-23": "CIS EKS v1.0.1",
+    "wf-id-67": "CIS EKS v1.1.0",
+    "wf-id-86": "CIS EKS v1.2.0",
+    "wf-id-18": "CIS Kubernetes v1.5.1",
+    "wf-id-66": "CIS Kubernetes v1.6.1",
+    "wf-id-87": "CIS Kubernetes v1.7.0",
+    "wf-id-76": "SOC 2 Type I",
+    "wf-id-16": "ISO/IEC 27001:2013",
+    "wf-id-19": "PCI DSS v3.2.1",
+    "wf-id-78": "PCI DSS v4.0",
+    "wf-id-79": "GDPR",
+    "wf-id-64": "CCPA/CPRA",
+    "wf-id-77": "CCF (The Adobe Common Controls Framework)",
+    "wf-id-70": "Canadian PBMM (ITSG-33)",
+    "wf-id-111": "C5 - Cloud Computing Compliance Criteria Catalogue",
+    "wf-id-161": "CAF (Cyber Assessment Framework by NCSC)",
+    "wf-id-90": "APRA CPG 234",
+    "wf-id-207": "CISA Security Requirements for EO 14117",
+    "wf-id-214": "5Rs - Wiz for Data Security",
+    "wf-id-225": "Wiz for Risk Assessment",
+}
+
+FRAMEWORK_SHORTCUTS = {
+    "nist": "wf-id-4",
+    "nist53r5": "wf-id-4",
+    "nist53r4": "wf-id-48",
+    "fedramp": "wf-id-5",
+    "cis": "wf-id-24",
+    "cisv8": "wf-id-24",
+    "cisv7": "wf-id-17",
+    "aws": "wf-id-197",
+    "azure": "wf-id-196",
+    "gcp": "wf-id-85",
+    "k8s": "wf-id-87",
+    "kubernetes": "wf-id-87",
+    "eks": "wf-id-86",
+    "aks": "wf-id-218",
+    "soc2": "wf-id-76",
+    "iso27001": "wf-id-16",
+    "pci": "wf-id-78",
+    "gdpr": "wf-id-79",
+    "ccpa": "wf-id-64",
+    "aws-foundational": "wf-id-50",
+    "aws-wellarchitected": "wf-id-124",
+    "azure-benchmark": "wf-id-40",
+}
+
+FRAMEWORK_CATEGORIES = {
+    "NIST Frameworks": ["wf-id-4", "wf-id-48", "wf-id-5"],
+    "CIS Controls": ["wf-id-17", "wf-id-24"],
+    "AWS Security": [
+        "wf-id-197",
+        "wf-id-50",
+        "wf-id-124",
+        "wf-id-6",
+        "wf-id-7",
+        "wf-id-32",
+        "wf-id-45",
+        "wf-id-84",
+        "wf-id-98",
+    ],
+    "Azure Security": [
+        "wf-id-196",
+        "wf-id-40",
+        "wf-id-8",
+        "wf-id-35",
+        "wf-id-52",
+        "wf-id-74",
+        "wf-id-100",
+    ],
+    "Google Cloud Security": ["wf-id-85", "wf-id-9", "wf-id-36", "wf-id-53"],
+    "Kubernetes Security": [
+        "wf-id-87",
+        "wf-id-86",
+        "wf-id-218",
+        "wf-id-18",
+        "wf-id-23",
+        "wf-id-25",
+        "wf-id-66",
+        "wf-id-67",
+        "wf-id-68",
+        "wf-id-75",
+        "wf-id-93",
+        "wf-id-162",
+    ],
+    "Industry Standards": ["wf-id-76", "wf-id-16", "wf-id-78", "wf-id-19"],
+    "Privacy & Data Protection": ["wf-id-79", "wf-id-64", "wf-id-214"],
+    "Government/Regulatory": ["wf-id-70", "wf-id-111", "wf-id-161", "wf-id-90", "wf-id-207"],
+}
 
 SBOM_FILE_PATH = "artifacts/wiz_sbom.json"
 INVENTORY_FILE_PATH = "artifacts/wiz_inventory.json"
@@ -181,6 +399,36 @@ RECOMMENDED_WIZ_INVENTORY_TYPES = [
     "VIRTUAL_NETWORK",
 ]
 
+# This is the set of technology deploymentModels and CloudResource types which we
+# map to the asset category Hardware (instead of Software) when the useWizHardwareTypes
+# feature is enabled.
+# So either things which are hardware-like, or which use technologies that, in turn,
+# imply they are hardware-like.
+# Note that using technology deploymentModels can grab things such as virutal machine
+# image files in addition to actual virtual machines. While this doesn't fit with
+# general concepts of "hardware", for the purposes of attestation, it is the correct
+# choice, as we may be certifying a source image that dynamic resources are created from,
+# rather than attempt to document a variable pool of auto-scaled resources.
+DEFAULT_WIZ_HARDWARE_TYPES = [
+    # CloudResource types
+    "VIRTUAL_MACHINE",
+    "VIRTUAL_MACHINE_IMAGE",
+    "CONTAINER",
+    "CONTAINER_IMAGE",
+    "DB_SERVER",
+    # technology deploymentModels
+    "SERVER_APPLICATION",
+    "CLIENT_APPLICATION",
+    "VIRTUAL_APPLIANCE",
+]
+
+# This maps CPE part values to Asset categories.
+CPE_PART_TO_CATEGORY_MAPPING = {
+    "h": regscale_models.AssetCategory.Hardware,  # Hardware
+    "a": regscale_models.AssetCategory.Software,  # Application
+    "o": regscale_models.AssetCategory.Software,  # Other? Operating system? (includes OSs and firmware)
+}
+
 INVENTORY_QUERY = """
     query CloudResourceSearch(
     $filterBy: CloudResourceFilters

regscale/integrations/commercial/wizv2/issue.py

@@ -262,12 +262,12 @@ class WizIssue(WizVulnerabilityIntegration):
             return "Wiz-Event"
         if not name:
             return f"Wiz-{service_type}-Event"
-        event_match = re.match(r"^([A-Za-z\s]+?)\s+(?:detection|event|alert|activity)", name)
+        event_match = re.match(r"^([A-Za-z\s]+?)\s+(detection|event|alert|activity)", name)
         if not event_match:
             return f"Wiz-{service_type}-Event"
 
         event_type = event_match.group(1).strip()
-        if event_type == "Suspicious activity":
+        if event_type == "Suspicious" and event_match.group(2).strip().lower() == "activity":
             return f"Wiz-{service_type}-SuspiciousActivity"
 
         event_type = "".join(word.capitalize() for word in event_type.split())

regscale/integrations/commercial/wizv2/parsers.py

@@ -76,11 +76,12 @@ def get_software_name_from_cpe(wiz_entity_properties: Dict, name: str) -> Dict:
     """
     cpe_info_dict = {
         "name": name,
+        "part": None,
         "software_name": None,
         "software_version": None,
         "software_vendor": None,
     }
-    if "cpe" in wiz_entity_properties.keys() and wiz_entity_properties.get("cpe"):
+    if "cpe" in wiz_entity_properties and wiz_entity_properties.get("cpe"):
         cpe_info_dict = extract_product_name_and_version(wiz_entity_properties.get("cpe", ""))
         cpe_info_dict["name"] = name
     return cpe_info_dict
@@ -349,7 +350,7 @@ def get_ip_address(
     ip6_address = None
     dns = None
     url = None
-    if "address" in wiz_entity_properties.keys():
+    if "address" in wiz_entity_properties:
         if wiz_entity_properties.get("addressType") == "IPV4":
             ip4_address = wiz_entity_properties.get("address")
         elif wiz_entity_properties.get("addressType") == "IPV6":