regscale-cli 6.20.4.1__py3-none-any.whl → 6.20.6.0__py3-none-any.whl

regscale/integrations/commercial/wizv2/scanner.py

@@ -5,10 +5,11 @@ import json
 import logging
 import os
 import re
-from typing import Any, Dict, Iterator, List, Optional, Union
+from typing import Any, Dict, Iterator, List, Optional, Union, Tuple
 
 from regscale.core.app.utils.app_utils import check_file_path, get_current_datetime
 from regscale.core.utils import get_base_protocol_from_port
+from regscale.core.utils.date import format_to_regscale_iso
 from regscale.integrations.commercial.wizv2.constants import (
     INVENTORY_FILE_PATH,
     INVENTORY_QUERY,
@@ -19,7 +20,6 @@ from regscale.integrations.commercial.wizv2.parsers import (
     collect_components_to_create,
     fetch_wiz_data,
     get_disk_storage,
-    get_ip_address_from_props,
     get_latest_version,
     get_network_info,
     get_product_ids,
@@ -101,7 +101,7 @@ class WizVulnerabilityIntegration(ScannerIntegration):
         :yield: IntegrationFinding objects
         :rtype: Iterator[IntegrationFinding]
         """
-        self.authenticate(kwargs.get("client_id"), kwargs.get("client_secret"))
+
         project_id = kwargs.get("wiz_project_id")
         if not project_id:
             raise ValueError("Wiz project ID is required")
@@ -137,7 +137,7 @@ class WizVulnerabilityIntegration(ScannerIntegration):
         """
         for node in nodes:
             if finding := self.parse_finding(node, vulnerability_type):
-                self.num_findings_to_process += 1
+                self.num_findings_to_process = (self.num_findings_to_process or 0) + 1
                 yield finding
 
     @classmethod
@@ -151,6 +151,25 @@ class WizVulnerabilityIntegration(ScannerIntegration):
         """
         return cls.finding_severity_map.get(severity.capitalize(), regscale_models.IssueSeverity.Low)
 
+    def process_comments(self, comments_dict: Dict) -> Optional[str]:
+        """
+        Processes comments from Wiz findings to match RegScale's comment format.
+
+        :param Dict comments_dict: The comments from the Wiz finding
+        :return: If available the Processed comments in RegScale format
+        :rtype:  Optional[str]
+        """
+        result = None
+
+        if comments := comments_dict.get("comments", {}).get("edges", []):
+            formatted_comments = [
+                f"{edge.get('node', {}).get('author', {}).get('name', 'Unknown')}: {edge.get('node', {}).get('body', 'No comment')}"
+                for edge in comments
+            ]
+            # Join with newlines
+            result = "\n".join(formatted_comments)
+        return result
+
     def parse_finding(
         self, node: Dict[str, Any], vulnerability_type: WizVulnerabilityType
     ) -> Optional[IntegrationFinding]:
@@ -167,7 +186,10 @@ class WizVulnerabilityIntegration(ScannerIntegration):
             if not asset_id:
                 return None
 
+            first_seen = node.get("firstDetectedAt") or node.get("firstSeenAt") or get_current_datetime()
+            first_seen = format_to_regscale_iso(first_seen)
             severity = self.get_issue_severity(node.get("severity", "Low"))
+            due_date = regscale_models.Issue.get_due_date(severity, self.app.config, "wiz", first_seen)
 
             status = self.map_status_to_issue_status(node.get("status", "Open"))
             name: str = node.get("name", "")
@@ -177,6 +199,9 @@ class WizVulnerabilityIntegration(ScannerIntegration):
                 else node.get("cve", name)
             )
 
+            comments_dict = node.get("commentThread", {})
+            formatted_comments = self.process_comments(comments_dict)
+
             return IntegrationFinding(
                 control_labels=[],
                 category="Wiz Vulnerability",
@@ -186,8 +211,11 @@ class WizVulnerabilityIntegration(ScannerIntegration):
                 status=status,
                 asset_identifier=asset_id,
                 external_id=f"{node.get('sourceRule', {'id': cve}).get('id')}",
-                first_seen=node.get("firstDetectedAt") or node.get("firstSeenAt") or get_current_datetime(),
-                last_seen=node.get("lastDetectedAt") or node.get("analyzedAt") or get_current_datetime(),
+                first_seen=first_seen,
+                date_created=first_seen,
+                last_seen=format_to_regscale_iso(
+                    node.get("lastDetectedAt") or node.get("analyzedAt") or get_current_datetime()
+                ),
                 remediation=node.get("description", ""),
                 cvss_score=node.get("score"),
                 cve=cve,
@@ -195,6 +223,11 @@ class WizVulnerabilityIntegration(ScannerIntegration):
                 cvss_v3_base_score=node.get("score"),
                 source_rule_id=node.get("sourceRule", {}).get("id"),
                 vulnerability_type=vulnerability_type.value,
+                due_date=due_date,
+                date_last_updated=format_to_regscale_iso(get_current_datetime()),
+                identification="Vulnerability Assessment",
+                comments=formatted_comments,
+                poam_comments=formatted_comments,
             )
         except (KeyError, TypeError, ValueError) as e:
             logger.error("Error parsing Wiz finding: %s", str(e), exc_info=True)
@@ -222,9 +255,9 @@ class WizVulnerabilityIntegration(ScannerIntegration):
         :yields: Iterator[IntegrationAsset]
         """
         self.authenticate(kwargs.get("client_id"), kwargs.get("client_secret"))
-        wiz_project_id = kwargs.get("wiz_project_id")
+        wiz_project_id: str = kwargs.get("wiz_project_id", "")
         logger.info("Fetching Wiz assets...")
-        filter_by_override = kwargs.get("filter_by_override") or WizVariables.wizInventoryFilterBy
+        filter_by_override: Dict[str, Any] = kwargs.get("filter_by_override") or WizVariables.wizInventoryFilterBy or {}
         filter_by = self.get_filter_by(filter_by_override, wiz_project_id)
 
         variables = self.get_variables()
@@ -257,6 +290,32 @@ class WizVulnerabilityIntegration(ScannerIntegration):
             filter_by["updatedAt"] = {"after": WizVariables.wizLastInventoryPull}  # type: ignore
         return filter_by
 
+    def get_software_details(
+        self, wiz_entity_properties: Dict, node: Dict[str, Any], software_name_dict: Dict[str, str], name: str
+    ) -> Tuple[Optional[str], Optional[str], Optional[str]]:
+        """
+        Gets the software version, vendor, and name from the Wiz entity properties and node.
+        Handles container images differently by extracting the version and name from the image tags.
+        :param Dict wiz_entity_properties: The properties of the Wiz entity
+        :param Dict node: The Wiz node containing the entity
+        :param Dict software_name_dict: Dictionary containing software name and vendor
+        :param str name: The name of the software or container image
+        :return: A tuple containing software_version, software_vendor, and software_name
+        :rtype: Tuple[Optional[str], Optional[str], Optional[str]]
+        """
+        if node.get("type", "") == "CONTAINER_IMAGE":
+            software_version = handle_container_image_version(
+                image_tags=wiz_entity_properties.get("imageTags", []), name=name
+            )
+            software_name = name.split(":")[0].split("/")[-1] if name else ""
+            software_vendor = name.split(":")[0].split("/")[1] if len(name.split(":")[0].split("/")) > 1 else None
+        else:
+            software_version = self.get_software_version(wiz_entity_properties, node)
+            software_name = self.get_software_name(software_name_dict, wiz_entity_properties, node)
+            software_vendor = self.get_software_vendor(software_name_dict, wiz_entity_properties, node)
+
+        return software_version, software_vendor, software_name
+
     def parse_asset(self, node: Dict[str, Any]) -> Optional[IntegrationAsset]:
         """
         Parses Wiz assets
@@ -272,23 +331,20 @@ class WizVulnerabilityIntegration(ScannerIntegration):
             return None
 
         wiz_entity_properties = wiz_entity.get("properties", {})
+        is_public = False
+        if public_exposures := wiz_entity.get("publicExposures"):
+            if exposure_count := public_exposures.get("totalCount"):
+                is_public = exposure_count > 0
+
         network_dict = get_network_info(wiz_entity_properties)
         handle_provider_dict = handle_provider(wiz_entity_properties)
         software_name_dict = get_software_name_from_cpe(wiz_entity_properties, name)
         software_list = self.create_name_version_dict(wiz_entity_properties.get("installedPackages", []))
-
         ports_and_protocols = self.get_ports_and_protocols(wiz_entity_properties)
 
-        if node.get("type", "") == "CONTAINER_IMAGE":
-            software_version = handle_container_image_version(
-                image_tags=wiz_entity_properties.get("imageTags", []), name=name
-            )
-            software_name = name.split(":")[0].split("/")[-1] if name else ""
-            software_vendor = name.split(":")[0].split("/")[1] if len(name.split(":")[0].split("/")) > 1 else None
-        else:
-            software_version = self.get_software_version(wiz_entity_properties, node)
-            software_name = self.get_software_name(software_name_dict, wiz_entity_properties, node)
-            software_vendor = self.get_software_vendor(software_name_dict, wiz_entity_properties, node)
+        software_version, software_vendor, software_name = self.get_software_details(
+            wiz_entity_properties, node, software_name_dict, name
+        )
 
         if WizVariables.useWizHardwareAssetTypes and node.get("graphEntity", {}).get("technologies", []):
             technologies = node.get("graphEntity", {}).get("technologies", [])
@@ -312,7 +368,8 @@ class WizVulnerabilityIntegration(ScannerIntegration):
             date_last_updated=wiz_entity.get("lastSeen", ""),
             management_type=handle_management_type(wiz_entity_properties),
             status=self.map_wiz_status(wiz_entity_properties.get("status")),
-            ip_address=get_ip_address_from_props(wiz_entity_properties),
+            ip_address=network_dict.get("ip4_address"),
+            ipv6_address=network_dict.get("ip6_address"),
             software_vendor=software_vendor,
             software_version=software_version,
             software_name=software_name,
@@ -321,10 +378,10 @@ class WizVulnerabilityIntegration(ScannerIntegration):
             model=wiz_entity_properties.get("nativeType"),
             manufacturer=wiz_entity_properties.get("cloudPlatform"),
             serial_number=get_product_ids(wiz_entity_properties),
-            is_public_facing=wiz_entity_properties.get("directlyInternetFacing", False),
-            azure_identifier=handle_provider_dict.get("azureIdentifier"),
+            is_public_facing=is_public,
+            azure_identifier=handle_provider_dict.get("azureIdentifier", ""),
             mac_address=wiz_entity_properties.get("macAddress"),
-            fqdn=wiz_entity_properties.get("dnsName") or network_dict.get("dns"),
+            fqdn=network_dict.get("dns") or wiz_entity_properties.get("dnsName"),
             disk_storage=get_disk_storage(wiz_entity_properties) or 0,
             cpu=pull_resource_info_from_props(wiz_entity_properties)[1] or 0,
             ram=pull_resource_info_from_props(wiz_entity_properties)[0] or 0,
@@ -333,9 +390,9 @@ class WizVulnerabilityIntegration(ScannerIntegration):
             end_of_life_date=wiz_entity_properties.get("versionEndOfLifeDate"),
             vlan_id=wiz_entity_properties.get("zone"),
             uri=network_dict.get("url"),
-            aws_identifier=handle_provider_dict.get("awsIdentifier"),
-            google_identifier=handle_provider_dict.get("googleIdentifier"),
-            other_cloud_identifier=handle_provider_dict.get("otherCloudIdentifier"),
+            aws_identifier=handle_provider_dict.get("awsIdentifier", ""),
+            google_identifier=handle_provider_dict.get("googleIdentifier", ""),
+            other_cloud_identifier=handle_provider_dict.get("otherCloudIdentifier", ""),
             patch_level=get_latest_version(wiz_entity_properties),
             cpe=wiz_entity_properties.get("cpe"),
             component_names=collect_components_to_create([node], []),
@@ -374,7 +431,7 @@ class WizVulnerabilityIntegration(ScannerIntegration):
         :return: Software vendor
         :rtype: Optional[str]
         """
-        if map_category(node.get("type")) == regscale_models.AssetCategory.Software:
+        if map_category(node.get("type", "")) == regscale_models.AssetCategory.Software:
             return software_name_dict.get("software_vendor") or wiz_entity_properties.get("cloudPlatform")
         return None
 
@@ -388,8 +445,8 @@ class WizVulnerabilityIntegration(ScannerIntegration):
         :return: Software version
         :rtype: Optional[str]
         """
-        if map_category(node.get("type")) == regscale_models.AssetCategory.Software:
-            return handle_software_version(wiz_entity_properties, map_category(node.get("type"))) or "1.0"
+        if map_category(node.get("type", "")) == regscale_models.AssetCategory.Software:
+            return handle_software_version(wiz_entity_properties, map_category(node.get("type", ""))) or "1.0"
         return None
 
     @staticmethod
@@ -403,7 +460,7 @@ class WizVulnerabilityIntegration(ScannerIntegration):
         :return: Software name
         :rtype: Optional[str]
         """
-        if map_category(node.get("type")) == regscale_models.AssetCategory.Software:
+        if map_category(node.get("type", "")) == regscale_models.AssetCategory.Software:
             return software_name_dict.get("software_name") or wiz_entity_properties.get("nativeType")
         return None
 
@@ -454,6 +511,8 @@ class WizVulnerabilityIntegration(ScannerIntegration):
         else:
             logger.info("File %s does not exist. Fetching new data...", file_path)
 
+        self.authenticate(WizVariables.wizClientId, WizVariables.wizClientSecret)
+
         if not self.wiz_token:
             raise ValueError("Wiz token is not set. Please authenticate first.")