regscale-cli 6.20.4.1__py3-none-any.whl → 6.20.6.0__py3-none-any.whl

regscale/integrations/commercial/wizv2/utils.py

@@ -16,8 +16,10 @@ from zipfile import ZipFile
 import cachetools
 import requests
 from pydantic import ValidationError
+from rich.progress import Progress, TaskID
 
 from regscale.core.app.api import Api
+from regscale.core.app.application import Application
 from regscale.core.app.utils.app_utils import (
     error_and_exit,
     check_file_path,
@@ -27,19 +29,31 @@ from regscale.core.app.utils.app_utils import (
 )
 from regscale.core.utils.date import datetime_obj
 from regscale.integrations.commercial.wizv2.constants import (
-    DOWNLOAD_QUERY,
     BEARER,
-    REPORTS_QUERY,
+    CHECK_INTERVAL_FOR_DOWNLOAD_REPORT,
     CONTENT_TYPE,
-    RATE_LIMIT_MSG,
     CREATE_REPORT_QUERY,
+    DOWNLOAD_QUERY,
     MAX_RETRIES,
-    CHECK_INTERVAL_FOR_DOWNLOAD_REPORT,
+    RATE_LIMIT_MSG,
+    REPORTS_QUERY,
+    RERUN_REPORT_QUERY,
 )
 from regscale.integrations.commercial.wizv2.models import ComplianceReport, ComplianceCheckStatus
 from regscale.integrations.commercial.wizv2.variables import WizVariables
 from regscale.integrations.commercial.wizv2.wiz_auth import wiz_authenticate
-from regscale.models import File, Sbom, SecurityPlan, Catalog, ControlImplementation, Assessment, regscale_models
+from regscale.models import (
+    File,
+    Sbom,
+    SecurityControl,
+    SecurityPlan,
+    Catalog,
+    ControlImplementation,
+    Assessment,
+    regscale_models,
+    ControlImplementationStatus,
+    ImplementationObjective,
+)
 from regscale.utils import PaginatedGraphQLClient
 from regscale.utils.decorators import deprecated
 
@@ -47,6 +61,31 @@ logger = logging.getLogger("regscale")
 compliance_job_progress = create_progress_object()
 
 
+def is_report_expired(report_run_at: str, max_age_days: int) -> bool:
+    """
+    Check if a report is expired based on its run date
+
+    :param str report_run_at: Report run date in ISO format
+    :param int max_age_days: Maximum age in days
+    :return: True if report is expired, False otherwise
+    :rtype: bool
+    """
+    try:
+        run_date = datetime_obj(report_run_at)
+        if not run_date:
+            return True
+
+        # Convert to naive datetime for comparison
+        run_date_naive = run_date.replace(tzinfo=None)
+        current_date = datetime.datetime.now()
+        age_in_days = (current_date - run_date_naive).days
+
+        return age_in_days >= max_age_days
+    except (ValueError, TypeError):
+        # If we can't parse the date, consider it expired
+        return True
+
+
 def get_notes_from_wiz_props(wiz_entity_properties: Dict, external_id: str) -> str:
     """
     Get notes from wiz properties
@@ -407,15 +446,28 @@ def get_or_create_report_id(
     :param target_framework: Target framework name with underscores
     :return: Single report ID
     """
+    app = Application()
+    report_age_days = app.config.get("wizReportAge", 15)
     report_name = f"{target_framework}_project_{project_id}"
 
     # Check for existing report with exact name
     for report in existing_reports:
         if report.get("name") == report_name:
             logger.info(f"Found existing report '{report_name}' with ID {report['id']}")
-            return report["id"]
 
-    # Create new report if no exact match found
+            # Check if report is expired based on wizReportAge
+            run_at = report.get("lastRun", {}).get("runAt")
+
+            if run_at and is_report_expired(run_at, report_age_days):
+                logger.info(
+                    f"Report '{report_name}' is expired (older than {report_age_days} days), will create new report"
+                )
+                break
+            else:
+                logger.info(f"Report '{report_name}' is still valid, using existing report")
+                return report["id"]
+
+    # Create new report if no valid existing report found
     try:
         framework_index = frameworks.index(target_framework)
         framework_id = wiz_frameworks[framework_index].get("id")
@@ -439,13 +491,14 @@ def fetch_report_data(report_id: str) -> List[Dict]:
     """
     try:
         download_url = get_report_url_and_status(report_id)
-        logger.info(f"Fetching report {report_id} from: {download_url}")
+        logger.debug(f"Fetching report {report_id} from: {download_url}")
 
         with closing(requests.get(url=download_url, stream=True, timeout=10)) as response:
             response.raise_for_status()
-            logger.info(f"Streaming and parsing report {report_id}")
+            logger.info(f"Streaming and parsing report {report_id}...")
 
             reader = csv.DictReader(codecs.iterdecode(response.iter_lines(), encoding="utf-8"), delimiter=",")
+            logger.info(f"Report {report_id} fetched successfully.")
             return list(reader)
     except requests.RequestException as e:
         error_and_exit(f"Failed to fetch report {report_id}: {str(e)}")
@@ -586,7 +639,7 @@ def send_request(
     """
     logger.debug("Sending a request to Wiz API")
     api = Api()
-    payload = dict({"query": query, "variables": variables})
+    payload = {"query": query, "variables": variables}
     if api_endpoint_url is None:
         api_endpoint_url = WizVariables.wizUrl
     if WizVariables.wizAccessToken:
@@ -650,8 +703,7 @@ def get_report_url_and_status(report_id: str) -> str:
             raise requests.RequestException("Failed to download report")
 
         response_json = response.json()
-        errors = response_json.get("errors")
-        if errors:
+        if errors := response_json.get("errors"):
             message = errors[0]["message"]
             if RATE_LIMIT_MSG in message:
                 rate = errors[0]["extensions"]["retryAfter"]
@@ -664,6 +716,10 @@ def get_report_url_and_status(report_id: str) -> str:
             status = response_json.get("data", {}).get("report", {}).get("lastRun", {}).get("status")
             if status == "COMPLETED":
                 return response_json["data"]["report"]["lastRun"]["url"]
+            elif status == "EXPIRED":
+                logger.warning("Report %s is expired, rerunning report...", report_id)
+                rerun_expired_report({"reportId": report_id})
+                return get_report_url_and_status(report_id)
 
     raise requests.RequestException("Download failed, exceeding the maximum number of retries")
 
@@ -680,13 +736,25 @@ def download_report(variables: Dict) -> requests.Response:
     return response
 
 
+def rerun_expired_report(variables: Dict) -> requests.Response:
+    """
+    Rerun a report
+
+    :param Dict variables: Variables for Wiz request
+    :return: Response object from Wiz API
+    :rtype: requests.Response
+    """
+    response = send_request(RERUN_REPORT_QUERY, variables=variables)
+    return response
+
+
 def _sync_compliance(
     wiz_project_id: str,
     regscale_id: int,
     regscale_module: str,
     client_id: str,
     client_secret: str,
-    catalog_id: int,
+    catalog_id: Optional[int] = None,
     framework: Optional[str] = "NIST800-53R5",
 ) -> List[ComplianceReport]:
     """
@@ -697,7 +765,7 @@ def _sync_compliance(
     :param str regscale_module: RegScale module
     :param str client_id: Wiz Client ID
     :param str client_secret: Wiz Client Secret
-    :param int catalog_id: Catalog ID, defaults to None
+    :param Optional[int] catalog_id: Catalog ID, defaults to None
     :param Optional[str] framework: Framework, defaults to NIST800-53R5
     :return: List of ComplianceReport objects
     :rtype: List[ComplianceReport]
@@ -708,68 +776,84 @@ def _sync_compliance(
         client_id=client_id,
         client_secret=client_secret,
     )
-    report_job = compliance_job_progress.add_task("[#f68d1f]Fetching Wiz compliance report...", total=1)
-    fetch_regscale_data_job = compliance_job_progress.add_task(
-        "[#f68d1f]Fetching RegScale Catalog info for framework...", total=1
-    )
-    logger.info("Fetching Wiz compliance report for project ID %s...", wiz_project_id)
-    compliance_job_progress.update(report_job, completed=True, advance=1)
+    with compliance_job_progress:
+        report_job = compliance_job_progress.add_task("[#f68d1f]Fetching Wiz compliance report...", total=1)
+        fetch_regscale_data_job = compliance_job_progress.add_task(
+            "[#f68d1f]Fetching RegScale Catalog info for framework...", total=1
+        )
+        compliance_job_progress.update(report_job, completed=True, advance=1)
 
-    framework_mapping = {
-        "CSF": "NIST CSF v1.1",
-        "NIST800-53R5": "NIST SP 800-53 Revision 5",
-        "NIST800-53R4": "NIST SP 800-53 Revision 4",
-    }
-    sync_framework = framework_mapping.get(framework)
-    snake_framework = sync_framework.replace(" ", "_")
-    logger.debug(f"{snake_framework=}")
-    logger.info("Fetching Wiz compliance report for project ID %s", wiz_project_id)
-    report_data = fetch_framework_report(wiz_project_id, snake_framework)
-    report_models = []
-    compliance_job_progress.update(report_job, completed=True, advance=1)
-
-    catalog = Catalog.get_with_all_details(catalog_id=catalog_id)
-    controls = catalog.get("controls") if catalog else []
-    passing_controls = {}
-    failing_controls = {}
-    controls_to_reports = {}
-
-    compliance_job_progress.update(fetch_regscale_data_job, completed=True, advance=1)
-    logger.info("Analyzing ComplianceReport for framework %s from Wiz" % sync_framework)
-    running_compliance_job = compliance_job_progress.add_task(
-        "[#f68d1f]Building compliance posture from wiz report...",
-        total=len(report_data),
-    )
-    for row in report_data:
-        try:
-            cr = ComplianceReport(**row)
-            if cr.framework == sync_framework:
-                check_compliance(
-                    cr,
-                    controls,
-                    passing_controls,
-                    failing_controls,
-                    controls_to_reports,
-                )
-                report_models.append(cr)
+        framework_mapping = {
+            "CSF": "NIST CSF v1.1",
+            "NIST800-53R5": "NIST SP 800-53 Revision 5",
+            "NIST800-53R4": "NIST SP 800-53 Revision 4",
+        }
+        sync_framework = framework_mapping.get(framework)
+        snake_framework = sync_framework.replace(" ", "_")
+        logger.debug(f"{snake_framework=}")
+        logger.info("Fetching Wiz compliance report for project ID %s...", wiz_project_id)
+        report_data = fetch_framework_report(wiz_project_id, snake_framework)
+        report_models = []
+        compliance_job_progress.update(report_job, completed=True, advance=1)
+
+        if catalog_id:
+            logger.info("Fetching all Controls for catalog #%s...", catalog_id)
+            catalog = Catalog.get_with_all_details(catalog_id=catalog_id)
+            controls = catalog.get("controls") if catalog else []
+        else:
+            # get all of the ControlImplementations for the security plan and get the controls from them
+            logger.info("Fetching all Controls for %s #%d...", regscale_module, regscale_id)
+            controls = SecurityControl.get_controls_by_parent_id_and_module(
+                parent_module=regscale_module, parent_id=regscale_id, return_dicts=True
+            )
+        logger.info("Received %d control(s) from RegScale.", len(controls))
+
+        passing_controls = {}
+        failing_controls = {}
+        controls_to_reports = {}
+
+        compliance_job_progress.update(fetch_regscale_data_job, completed=True, advance=1)
+        logger.info("Analyzing ComplianceReport for framework %s from Wiz...", sync_framework)
+        running_compliance_job = compliance_job_progress.add_task(
+            "[#f68d1f]Building compliance posture from wiz report...",
+            total=len(report_data),
+        )
+        for row in report_data:
+            try:
+                cr = ComplianceReport(**row)
+                if cr.framework == sync_framework:
+                    check_compliance(
+                        cr,
+                        controls,
+                        passing_controls,
+                        failing_controls,
+                        controls_to_reports,
+                    )
+                    report_models.append(cr)
+            except ValidationError:
+                error_message = traceback.format_exc()
+                logger.error(f"Error creating ComplianceReport: {error_message}")
+            finally:
                 compliance_job_progress.update(running_compliance_job, advance=1)
-        except ValidationError:
+        try:
+            saving_regscale_data_job = compliance_job_progress.add_task(
+                "[#f68d1f]Saving RegScale data...", total=len(controls_to_reports)
+            )
+            create_assessment_from_compliance_report(
+                controls_to_reports=controls_to_reports,
+                regscale_id=regscale_id,
+                regscale_module=regscale_module,
+                controls=controls,
+                progress=compliance_job_progress,
+                task=saving_regscale_data_job,
+            )
+            logger.info("Completed saving RegScale data.")
+        except Exception:
             error_message = traceback.format_exc()
-            logger.error(f"Error creating ComplianceReport: {error_message}")
-    try:
-        saving_regscale_data_job = compliance_job_progress.add_task("[#f68d1f]Saving RegScale data...", total=1)
-        create_assessment_from_compliance_report(
-            controls_to_reports=controls_to_reports,
-            regscale_id=regscale_id,
-            regscale_module=regscale_module,
-            controls=controls,
-        )
-        compliance_job_progress.update(saving_regscale_data_job, completed=True, advance=1)
-
-    except Exception:
-        error_message = traceback.format_exc()
-        logger.error(f"Error creating ControlImplementations from compliance report: {error_message}")
-    return report_models
+            logger.error(f"Error creating ControlImplementations from compliance report: {error_message}")
+        finally:
+            compliance_job_progress.update(saving_regscale_data_job, completed=True, advance=len(controls_to_reports))
+        return report_models
 
 
 def check_compliance(
@@ -833,7 +917,7 @@ def _clean_passing_list(passing: Dict, failing: Dict) -> None:
 
 
 def create_assessment_from_compliance_report(
-    controls_to_reports: Dict, regscale_id: int, regscale_module: str, controls: List
+    controls_to_reports: Dict, regscale_id: int, regscale_module: str, controls: List, progress: Progress, task: TaskID
 ) -> None:
     """
     Create assessment from compliance report
@@ -842,6 +926,8 @@ def create_assessment_from_compliance_report(
     :param int regscale_id: RegScale ID
     :param str regscale_module: RegScale module
     :param List controls: Controls
+    :param Progress progress: Progress object, used for progress bar updates
+    :param TaskID task: Task ID, used for progress bar updates
     :return: None
     :rtype: None
     """
@@ -854,6 +940,7 @@ def create_assessment_from_compliance_report(
                 break
         filtered_results = [x for x in implementations if x.controlID == control_record_id]
         create_report_assessment(filtered_results, reports, control_id)
+        progress.update(task, advance=1)
 
 
 def create_report_assessment(filtered_results: List, reports: List, control_id: str) -> None:
@@ -870,7 +957,7 @@ def create_report_assessment(filtered_results: List, reports: List, control_id:
     for report in reports:
         html_summary = format_dict_to_html(report.dict())
         if implementation:
-            Assessment(
+            a = Assessment(
                 leadAssessorId=implementation.createdById,
                 title=f"Wiz compliance report assessment for {control_id}",
                 assessmentType="Control Testing",
@@ -884,3 +971,49 @@ def create_report_assessment(filtered_results: List, reports: List, control_id:
                 parentModule="controls",
                 isPublic=True,
             ).create()
+            update_implementation_status(
+                implementation=implementation,
+                result=report.result,
+            )
+            logger.info(f"Created report assessment for {control_id}: {a.id}")
+
+
+def update_implementation_status(implementation: ControlImplementation, result: str) -> ControlImplementation:
+    """
+    Update implementation status based on the report result
+
+    :param ControlImplementation implementation: Control Implementation object
+    :param str result: Report result
+    :return: Updated Control Implementation object
+    :rtype: ControlImplementation
+    """
+    objectives = ImplementationObjective.get_all_by_parent(
+        parent_module=implementation.get_module_slug(),
+        parent_id=implementation.id,
+    )
+    if objectives:
+        for objective in objectives:
+            objective.status = report_result_to_implementation_status(result)
+            objective.save()
+            logger.debug(f"Updated status for {objective.id}: {objective.status}")
+    else:
+        implementation.objectives = []
+    implementation.status = report_result_to_implementation_status(result)
+    implementation.save()
+    logger.info(f"Updated implementation status for {implementation.id}: {implementation.status}")
+
+
+def report_result_to_implementation_status(result: str) -> str:
+    """
+    Convert report result to implementation status
+
+    :param str result: Report result
+    :return: Implementation status
+    :rtype: str
+    """
+    if result == ComplianceCheckStatus.PASS.value:
+        return ControlImplementationStatus.Implemented.value
+    elif result == ComplianceCheckStatus.FAIL.value:
+        return ControlImplementationStatus.InRemediation.value
+    else:
+        return ControlImplementationStatus.NotImplemented.value

regscale/integrations/commercial/wizv2/variables.py

@@ -31,7 +31,7 @@ class WizVariables(metaclass=RsVariablesMeta):
   "PRIVATE_LINK", "RAW_ACCESS_POLICY", "REGISTERED_DOMAIN", "RESOURCE_GROUP", "SECRET",
   "SECRET_CONTAINER", "SERVERLESS", "SERVERLESS_PACKAGE", "SERVICE_ACCOUNT", "SERVICE_CONFIGURATION",
   "STORAGE_ACCOUNT", "SUBNET", "SUBSCRIPTION", "VIRTUAL_DESKTOP", "VIRTUAL_MACHINE",
-  "VIRTUAL_MACHINE_IMAGE", "VIRTUAL_NETWORK", "VOLUME", "WEB_SERVICE" ] }""",
+  "VIRTUAL_MACHINE_IMAGE", "VIRTUAL_NETWORK", "VOLUME", "WEB_SERVICE", "NETWORK_ADDRESS"] }""",
     )  # type: ignore
     wizAccessToken: RsVariableType(str, "", sensitive=True, required=False)  # type: ignore
     wizClientId: RsVariableType(str, "", sensitive=True)  # type: ignore
@@ -44,3 +44,4 @@ class WizVariables(metaclass=RsVariablesMeta):
         default=["SERVER_APPLICATION", "CLIENT_APPLICATION", "VIRTUAL_APPLIANCE"],
         required=False,
     )  # type: ignore
+    wizReportAge: RsVariableType(int, "14", default=14, required=False)  # type: ignore

regscale/integrations/commercial/wizv2/wiz_auth.py

@@ -49,10 +49,10 @@ def wiz_authenticate(client_id: Optional[str] = None, client_secret: Optional[st
     # get secrets
     client_id = WizVariables.wizClientId if client_id is None else client_id
     if not client_id:
-        raise ValueError("No Wiz Client ID provided in system environment or CLI command.")
+        error_and_exit("No Wiz Client ID provided in system environment or CLI command.")
     client_secret = WizVariables.wizClientSecret if client_secret is None else client_secret
     if not client_secret:
-        raise ValueError("No Wiz Client Secret provided in system environment or CLI command.")
+        error_and_exit("No Wiz Client Secret provided in system environment or CLI command.")
     wiz_auth_url = config.get("wizAuthUrl")
     if not wiz_auth_url:
         error_and_exit("No Wiz Authentication URL provided in the init.yaml file.")
@@ -100,7 +100,7 @@ def get_token(api: Api, client_id: str, client_secret: str, token_url: str) -> t
     )
     if response.ok:
         status_code = 200
-    logger.debug(response.reason)
+    logger.info(response.reason)
     # If response is unauthorized, try the first cognito url
     if response.status_code == requests.codes.unauthorized:
         try: