regscale-cli 6.20.8.0__py3-none-any.whl → 6.20.9.1__py3-none-any.whl

regscale/_version.py

@@ -33,7 +33,7 @@ def get_version_from_pyproject() -> str:
                     return match.group(1)
     except Exception:
         pass
-    return "6.20.8.0"  # fallback version
+    return "6.20.9.1"  # fallback version
 
 
 __version__ = get_version_from_pyproject()

regscale/core/app/application.py

@@ -399,10 +399,10 @@ class Application(metaclass=Singleton):
         if config is None:
             config = {}
         self.logger.debug(f"Provided config in _fetch_config_from_regscale is: {type(config)}")
-        token = config.get("token") or os.getenv("REGSCALE_TOKEN")
-        domain = config.get("domain") or os.getenv("REGSCALE_DOMAIN")
+        token = config.get("token", os.getenv("REGSCALE_TOKEN"))
+        domain = config.get("domain", os.getenv("REGSCALE_DOMAIN"))
         if domain is None or "http" not in domain or domain == self.template["domain"]:
-            domain = self.retrieve_domain()[:-1] if self.retrieve_domain().endswith("/") else self.retrieve_domain()
+            domain = self.retrieve_domain().rstrip("/")
         self.logger.debug(f"domain: {domain}, token: {token}")
         if domain is not None and token is not None:
             self.logger.info(f"Fetching config from {domain}...")
@@ -416,23 +416,87 @@ class Application(metaclass=Singleton):
                     },
                 )
                 self.logger.debug(f"status_code: {response.status_code} text: {response.text}")
-                res_data = response.json()
-                if config := res_data.get("cliConfig"):
-                    parsed_dict = yaml.safe_load(config)
-                    self.logger.debug(f"parsed_dict: {parsed_dict}")
-                    parsed_dict["token"] = token
-                    parsed_dict["domain"] = domain
-                    from regscale.core.app.internal.login import parse_user_id_from_jwt
-
-                    parsed_dict["userId"] = res_data.get("userId") or parse_user_id_from_jwt(self, token)
-                    self.logger.debug(f"Updated domain, token and userId: {parsed_dict}")
-                    self.logger.info("Successfully fetched config from RegScale.")
-                    # fill in any missing keys with the template
-                    return {**self.template, **parsed_dict}
+
+                # Get the encrypted config from the response
+                fetched_config = response.json()
+                if not fetched_config or response.text == "":
+                    self.logger.warning("No secrets found in %s", domain)
+                    return {}
+                # see if it's just a dictionary
+                if isinstance(fetched_config, dict):
+                    parsed_dict = fetched_config
+                else:
+                    decrypted_config = self._decrypt_config(fetched_config, token)
+                    parsed_dict = json.loads(decrypted_config)
+
+                parsed_dict["token"] = token
+                parsed_dict["domain"] = domain
+                from regscale.core.app.internal.login import parse_user_id_from_jwt
+
+                parsed_dict["userId"] = parsed_dict.get("userId") or parse_user_id_from_jwt(self, token)
+                self.logger.info("Successfully fetched config from RegScale.")
+                # fill in any missing keys with the template
+                return {**self.template, **parsed_dict}
             except Exception as ex:
-                self.logger.error("Unable to fetch config from RegScale.\n%s", ex)
+                self.logger.error("Unable to fetch config from RegScale.\n%s", str(ex))
         return {}
 
+    def _decrypt_config(self, encrypted_text: str, bearer_token: str) -> str:
+        """
+        Decrypt the configuration using AES encryption with the bearer token as key
+
+        :param str encrypted_text: Base64 encoded encrypted text
+        :param str bearer_token: Bearer token used as encryption key
+        :return: Decrypted configuration string
+        :rtype: str
+        """
+        import base64
+        import hashlib
+        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
+        from cryptography.hazmat.backends import default_backend
+
+        try:
+            # Convert from base64
+            combined = base64.b64decode(encrypted_text)
+
+            # Extract IV (first 16 bytes) and cipher text
+            iv = combined[:16]
+            cipher_text = combined[16:]
+
+            # Generate key from bearer token using SHA256
+            key = hashlib.sha256(bearer_token.encode()).digest()
+
+            # Create cipher
+            cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())
+
+            # Decrypt
+            decryptor = cipher.decryptor()
+            decrypted = decryptor.update(cipher_text) + decryptor.finalize()
+
+            # Remove padding and convert to string
+            decoded = decrypted.decode("utf-8")
+            # Remove all trailing whitespace and control characters
+            cleaned = decoded.rstrip()
+            # Also remove any trailing null bytes that might remain
+            while cleaned.endswith("\0"):
+                cleaned = cleaned[:-1]
+            # Use regex to remove any ending backslash-like pattern and characters after it
+            import re
+
+            # Remove any trailing backslash followed by any characters until the end
+            # This handles both literal backslashes and control characters like \x0e
+            cleaned = re.sub(r"\\[^\\]*$", "", cleaned)
+            # Also remove any trailing control characters that might remain
+            # Avoid regex for trailing control character removal to prevent potential catastrophic backtracking.
+            # Instead, use rstrip with a string of control characters.
+            cleaned = cleaned.rstrip(
+                "".join([chr(i) for i in range(0x00, 0x20)]) + "".join([chr(i) for i in range(0x7F, 0xA0)])
+            )
+            return cleaned
+        except Exception as err:
+            self.logger.error("Unable to decrypt config: %s", err)
+            return "{}"
+
     def _load_config_from_click_context(self) -> Optional[dict]:
         """
         Load configuration from Click context

regscale/integrations/commercial/synqly/vulnerabilities.py

@@ -148,6 +148,39 @@ def sync_rapid7_insight_cloud(regscale_ssp_id: int, vuln_filter: str, scan_date:
     )
 
 
+@vulnerabilities.command(name="sync_servicenow_vr")
+@regscale_ssp_id()
+@click.option(
+    "--vuln_filter",
+    help="Filter the vulnerabilities for the selected severity. (Options: critical, high, medium, low, info)",
+    required=False,
+    type=click.Choice(["critical", "high", "medium", "low", "info"]),
+    default=None,
+)
+@click.option(
+    "--scan_date",
+    help="The date of the scan to sync vulnerabilities from Servicenow Vr",
+    required=False,
+    type=click.DateTime(formats=["%Y-%m-%d"]),
+    default=None,
+)
+@click.option(
+    "--all_scans",
+    help="Whether to sync all vulnerabilities from Servicenow Vr",
+    required=False,
+    is_flag=True,
+    default=False,
+)
+def sync_servicenow_vr(regscale_ssp_id: int, vuln_filter: str, scan_date: datetime, all_scans: bool) -> None:
+    """Sync Vulnerabilities from Servicenow Vr to RegScale."""
+    from regscale.models.integration_models.synqly_models.connectors import Vulnerabilities
+
+    vulnerabilities_servicenow_vr = Vulnerabilities("servicenow_vr")
+    vulnerabilities_servicenow_vr.run_sync(
+        regscale_ssp_id=regscale_ssp_id, vuln_filter=vuln_filter, scan_date=scan_date, all_scans=all_scans
+    )
+
+
 @vulnerabilities.command(name="sync_tanium_cloud")
 @regscale_ssp_id()
 @click.option(

regscale/models/integration_models/cisa_kev_data.json

@@ -1,7 +1,7 @@
 {
     "title": "CISA Catalog of Known Exploited Vulnerabilities",
-    "catalogVersion": "2025.07.28",
-    "dateReleased": "2025-07-28T14:00:14.6746Z",
+    "catalogVersion": "2025.07.29",
+    "dateReleased": "2025-07-29T12:46:00.2038Z",
     "count": 1391,
     "vulnerabilities": [
         {
@@ -115,8 +115,8 @@
             "product": "SharePoint",
             "vulnerabilityName": "Microsoft SharePoint Code Injection Vulnerability",
             "dateAdded": "2025-07-22",
-            "shortDescription": "Microsoft SharePoint contains a code injection vulnerability that could allow an authorized attacker to execute code over a network. This vulnerability could be chained with CVE-2025-49706. The update for CVE-2025-53770 includes more robust protections than the update for CVE-2025-49704.",
-            "requiredAction": "CISA recommends disconnecting public-facing versions of SharePoint Server that have reached their end-of-life (EOL) or end-of-service (EOS). For example, SharePoint Server 2013 and earlier versions are end-of-life and should be discontinued if still in use. For supported versions, please follow the mitigations according to CISA and vendor instructions. Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.",
+            "shortDescription": "Microsoft SharePoint contains a code injection vulnerability that could allow an authorized attacker to execute code over a network. This vulnerability could be chained with CVE-2025-49706. CVE-2025-53770 is a patch bypass for CVE-2025-49704, and the updates for CVE-2025-53770 include more robust protection than those for CVE-2025-49704.",
+            "requiredAction": "Disconnect public-facing versions of SharePoint Server that have reached their end-of-life (EOL) or end-of-service (EOS) to include SharePoint Server 2013 and earlier versions. For supported versions, please follow the mitigations according to CISA (URL listed below in Notes) and vendor instructions (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.",
             "dueDate": "2025-07-23",
             "knownRansomwareCampaignUse": "Known",
             "notes": "CISA Mitigation Instructions: https:\/\/www.cisa.gov\/news-events\/alerts\/2025\/07\/20\/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770; https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/07\/22\/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities\/ ; https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-49704 ; https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-49704",
@@ -130,8 +130,8 @@
             "product": "SharePoint",
             "vulnerabilityName": "Microsoft SharePoint Improper Authentication Vulnerability",
             "dateAdded": "2025-07-22",
-            "shortDescription": "Microsoft SharePoint contains an improper authentication vulnerability that allows an authorized attacker to perform spoofing over a network. Successfully exploitation could allow an attacker to view sensitive information and make some changes to disclosed information. This vulnerability could be chained with CVE-2025-49704. The update for CVE-2025-53771 includes more robust protections than the update for CVE-2025-49706.",
-            "requiredAction": "CISA recommends disconnecting public-facing versions of SharePoint Server that have reached their end-of-life (EOL) or end-of-service (EOS). For example, SharePoint Server 2013 and earlier versions are end-of-life and should be discontinued if still in use. For supported versions, please follow the mitigations according to CISA and vendor instructions. Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.",
+            "shortDescription": "Microsoft SharePoint contains an improper authentication vulnerability that allows an authorized attacker to perform spoofing over a network. Successfully exploitation could allow an attacker to view sensitive information and make some changes to disclosed information. This vulnerability could be chained with CVE-2025-49704. CVE-2025-53771 is a patch bypass for CVE-2025-49706, and the updates for CVE-2025-53771 include more robust protection than those for CVE-2025-49706.",
+            "requiredAction": "Disconnect public-facing versions of SharePoint Server that have reached their end-of-life (EOL) or end-of-service (EOS) to include SharePoint Server 2013 and earlier versions. For supported versions, please follow the mitigations according to CISA (URL listed below in Notes) and vendor instructions (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.",
             "dueDate": "2025-07-23",
             "knownRansomwareCampaignUse": "Known",
             "notes": "CISA Mitigation Instructions: https:\/\/www.cisa.gov\/news-events\/alerts\/2025\/07\/20\/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770 ; https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/07\/22\/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities\/ ; https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-49706 ; https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-49706",
@@ -145,8 +145,8 @@
             "product": "SharePoint",
             "vulnerabilityName": "Microsoft SharePoint Deserialization of Untrusted Data Vulnerability",
             "dateAdded": "2025-07-20",
-            "shortDescription": "Microsoft SharePoint Server on-premises contains a deserialization of untrusted data vulnerability that could allow an unauthorized attacker to execute code over a network.",
-            "requiredAction": "CISA recommends configuring AMSI integration in SharePoint and deploying Defender AV on all SharePoint servers. If AMSI cannot be enabled, CISA recommends disconnecting affected products that are public-facing on the internet from service until official mitigations are available. Once mitigations are provided, apply them according to CISA and vendor instructions. Follow the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.  ",
+            "shortDescription": "Microsoft SharePoint Server on-premises contains a deserialization of untrusted data vulnerability that could allow an unauthorized attacker to execute code over a network. This vulnerability could be chained with CVE-2025-53771. CVE-2025-53770 is a patch bypass for CVE-2025-49704, and the updates for CVE-2025-53770 include more robust protection than those for CVE-2025-49704.",
+            "requiredAction": "Disconnect public-facing versions of SharePoint Server that have reached their end-of-life (EOL) or end-of-service (EOS) to include SharePoint Server 2013 and earlier versions. For supported versions, please follow the mitigations according to CISA (URL listed below in Notes) and vendor instructions (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.",
             "dueDate": "2025-07-21",
             "knownRansomwareCampaignUse": "Unknown",
             "notes": "CISA Mitigation Instructions: https:\/\/www.cisa.gov\/news-events\/alerts\/2025\/07\/20\/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770; https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/07\/22\/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities\/ ; https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-53770 ; https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-53770",