regscale-cli 6.20.9.1__py3-none-any.whl → 6.20.10.0__py3-none-any.whl

regscale/integrations/commercial/wizv2/utils.py

@@ -54,6 +54,7 @@ from regscale.models import (
     ControlImplementationStatus,
     ImplementationObjective,
 )
+from regscale.models.regscale_models.compliance_settings import ComplianceSettings
 from regscale.utils import PaginatedGraphQLClient
 from regscale.utils.decorators import deprecated
 
@@ -781,8 +782,6 @@ def _sync_compliance(
         fetch_regscale_data_job = compliance_job_progress.add_task(
             "[#f68d1f]Fetching RegScale Catalog info for framework...", total=1
         )
-        compliance_job_progress.update(report_job, completed=True, advance=1)
-
         framework_mapping = {
             "CSF": "NIST CSF v1.1",
             "NIST800-53R5": "NIST SP 800-53 Revision 5",
@@ -836,8 +835,14 @@ def _sync_compliance(
             finally:
                 compliance_job_progress.update(running_compliance_job, advance=1)
         try:
+            controls_with_data = len(controls_to_reports)
+            logger.info(f"Creating assessments for {controls_with_data} controls with compliance data")
+            if controls_with_data == 0:
+                logger.warning("No controls have compliance data from Wiz")
+                return report_models
+
             saving_regscale_data_job = compliance_job_progress.add_task(
-                "[#f68d1f]Saving RegScale data...", total=len(controls_to_reports)
+                "[#f68d1f]Saving RegScale data...", total=controls_with_data
             )
             create_assessment_from_compliance_report(
                 controls_to_reports=controls_to_reports,
@@ -851,8 +856,8 @@ def _sync_compliance(
         except Exception:
             error_message = traceback.format_exc()
             logger.error(f"Error creating ControlImplementations from compliance report: {error_message}")
-        finally:
-            compliance_job_progress.update(saving_regscale_data_job, completed=True, advance=len(controls_to_reports))
+            # Re-raise the exception so it's not silently swallowed
+            raise
         return report_models
 
 
@@ -932,50 +937,199 @@ def create_assessment_from_compliance_report(
     :rtype: None
     """
     implementations = ControlImplementation.get_all_by_parent(parent_module=regscale_module, parent_id=regscale_id)
+    total_controls = len(controls_to_reports)
+    processed_count = 0
+
     for control_id, reports in controls_to_reports.items():
-        control_record_id = None
-        for control in controls:
-            if control.get("controlId").lower() == control_id:
-                control_record_id = control.get("id")
-                break
-        filtered_results = [x for x in implementations if x.controlID == control_record_id]
-        create_report_assessment(filtered_results, reports, control_id)
-        progress.update(task, advance=1)
+        try:
+            processed_count += 1
+            logger.debug(f"Processing control {control_id} ({processed_count}/{total_controls})")
+
+            control_record_id = None
+            for control in controls:
+                if control.get("controlId").lower() == control_id:
+                    control_record_id = control.get("id")
+                    break
+
+            filtered_results = [x for x in implementations if x.controlID == control_record_id]
+
+            start_time = time.time()
+            create_report_assessment(filtered_results, reports, control_id)
+            end_time = time.time()
+            logger.debug(f"Assessment creation for {control_id} took {end_time - start_time:.2f} seconds")
+
+            progress.update(task, advance=1)
+            logger.debug(f"Updated progress: {processed_count}/{total_controls}")
+
+        except Exception as e:
+            logger.error(f"Error processing control {control_id}: {e}")
+            # Still update progress even if there's an error
+            progress.update(task, advance=1)
 
 
 def create_report_assessment(filtered_results: List, reports: List, control_id: str) -> None:
     """
-    Create report assessment
+    Create a single aggregated report assessment per control
 
     :param List filtered_results: Filtered results
-    :param List reports: Reports
+    :param List reports: List of ComplianceReport objects for this control
     :param str control_id: Control ID
     :return: None
     :rtype: None
     """
+    logger.debug(f"Creating assessment for control {control_id} with {len(reports)} reports")
+
     implementation = filtered_results[0] if len(filtered_results) > 0 else None
+    if not implementation or not reports:
+        logger.debug(
+            f"Skipping control {control_id}: implementation={bool(implementation)}, reports={len(reports) if reports else 0}"
+        )
+        return
+
+    # Aggregate results: Fail if ANY asset fails, Pass only if ALL pass
+    overall_result = "Pass"
+    pass_count = 0
+    fail_count = 0
+
+    # Collect detailed results for comprehensive reporting
+    asset_details = []
+
     for report in reports:
-        html_summary = format_dict_to_html(report.dict())
-        if implementation:
-            a = Assessment(
-                leadAssessorId=implementation.createdById,
-                title=f"Wiz compliance report assessment for {control_id}",
-                assessmentType="Control Testing",
-                plannedStart=get_current_datetime(),
-                plannedFinish=get_current_datetime(),
-                actualFinish=get_current_datetime(),
-                assessmentResult=report.result,
-                assessmentReport=html_summary,
-                status="Complete",
-                parentId=implementation.id,
-                parentModule="controls",
-                isPublic=True,
-            ).create()
-            update_implementation_status(
-                implementation=implementation,
-                result=report.result,
+        if report.result == ComplianceCheckStatus.FAIL.value:
+            overall_result = "Fail"
+            fail_count += 1
+        else:
+            pass_count += 1
+
+        # Collect asset details for the report
+        asset_details.append(
+            {
+                "resource_name": report.resource_name,
+                "resource_id": report.resource_id,
+                "cloud_provider": report.cloud_provider,
+                "subscription": report.subscription,
+                "result": report.result,
+                "policy_short_name": report.policy_short_name,
+                "compliance_check": report.compliance_check,
+                "severity": report.severity,
+                "assessed_at": report.assessed_at,
+            }
+        )
+
+    # Create comprehensive HTML summary
+    html_summary = _create_aggregated_assessment_report(
+        control_id=control_id,
+        overall_result=overall_result,
+        pass_count=pass_count,
+        fail_count=fail_count,
+        asset_details=asset_details,
+        total_assets=len(reports),
+    )
+
+    # Create single assessment for this control
+    assessment = Assessment(
+        leadAssessorId=implementation.createdById,
+        title=f"Wiz compliance assessment for {control_id}",
+        assessmentType="Control Testing",
+        plannedStart=get_current_datetime(),
+        plannedFinish=get_current_datetime(),
+        actualFinish=get_current_datetime(),
+        assessmentResult=overall_result,
+        assessmentReport=html_summary,
+        status="Complete",
+        parentId=implementation.id,
+        parentModule="controls",
+        isPublic=True,
+    ).create()
+
+    # Update implementation status once with aggregated result
+    update_implementation_status(
+        implementation=implementation,
+        result=overall_result,
+    )
+
+    logger.info(
+        f"Created aggregated assessment for {control_id}: {assessment.id} "
+        f"(Result: {overall_result}, Assets: {len(reports)}, Pass: {pass_count}, Fail: {fail_count})"
+    )
+
+
+def _create_aggregated_assessment_report(
+    control_id: str, overall_result: str, pass_count: int, fail_count: int, asset_details: List[Dict], total_assets: int
+) -> str:
+    """
+    Create a comprehensive HTML assessment report for aggregated compliance results
+
+    :param str control_id: Control identifier
+    :param str overall_result: Overall Pass/Fail result
+    :param int pass_count: Number of passing assets
+    :param int fail_count: Number of failing assets
+    :param List[Dict] asset_details: Detailed information about each asset
+    :param int total_assets: Total number of assets assessed
+    :return: HTML formatted assessment report
+    :rtype: str
+    """
+    # Create summary section
+    summary_html = f"""
+    <div style="margin-bottom: 20px; padding: 15px; border: 2px solid {'#d32f2f' if overall_result == 'Fail' else '#2e7d32'}; border-radius: 5px; background-color: {'#ffebee' if overall_result == 'Fail' else '#e8f5e8'};">
+        <h3 style="margin: 0 0 10px 0; color: {'#d32f2f' if overall_result == 'Fail' else '#2e7d32'};">
+            Assessment Summary for Control {control_id}
+        </h3>
+        <p><strong>Overall Result:</strong> <span style="color: {'#d32f2f' if overall_result == 'Fail' else '#2e7d32'}; font-weight: bold;">{overall_result}</span></p>
+        <p><strong>Total Assets Assessed:</strong> {total_assets}</p>
+        <p><strong>Passing Assets:</strong> <span style="color: #2e7d32;">{pass_count}</span></p>
+        <p><strong>Failing Assets:</strong> <span style="color: #d32f2f;">{fail_count}</span></p>
+        <p><strong>Assessment Date:</strong> {get_current_datetime()}</p>
+    </div>
+    """
+
+    # Create detailed asset results table
+    if asset_details:
+        table_rows = []
+        for asset in asset_details:
+            result_color = "#d32f2f" if asset["result"] == "Fail" else "#2e7d32"
+            table_rows.append(
+                f"""
+                <tr>
+                    <td style="padding: 8px; border-bottom: 1px solid #ddd;">{asset.get('resource_name', 'N/A')}</td>
+                    <td style="padding: 8px; border-bottom: 1px solid #ddd;">{asset.get('resource_id', 'N/A')}</td>
+                    <td style="padding: 8px; border-bottom: 1px solid #ddd;">{asset.get('cloud_provider', 'N/A')}</td>
+                    <td style="padding: 8px; border-bottom: 1px solid #ddd;">{asset.get('subscription', 'N/A')}</td>
+                    <td style="padding: 8px; border-bottom: 1px solid #ddd; color: {result_color}; font-weight: bold;">{asset.get('result', 'N/A')}</td>
+                    <td style="padding: 8px; border-bottom: 1px solid #ddd;">{asset.get('policy_short_name', 'N/A')}</td>
+                    <td style="padding: 8px; border-bottom: 1px solid #ddd;">{asset.get('compliance_check', 'N/A')}</td>
+                    <td style="padding: 8px; border-bottom: 1px solid #ddd;">{asset.get('severity', 'N/A')}</td>
+                </tr>
+            """
             )
-            logger.info(f"Created report assessment for {control_id}: {a.id}")
+
+        asset_table_html = f"""
+        <div style="margin-top: 20px;">
+            <h4>Detailed Asset Results</h4>
+            <table style="width: 100%; border-collapse: collapse; border: 1px solid #ddd;">
+                <thead>
+                    <tr style="background-color: #f5f5f5;">
+                        <th style="padding: 10px; border-bottom: 2px solid #ddd; text-align: left;">Resource Name</th>
+                        <th style="padding: 10px; border-bottom: 2px solid #ddd; text-align: left;">Resource ID</th>
+                        <th style="padding: 10px; border-bottom: 2px solid #ddd; text-align: left;">Cloud Provider</th>
+                        <th style="padding: 10px; border-bottom: 2px solid #ddd; text-align: left;">Subscription</th>
+                        <th style="padding: 10px; border-bottom: 2px solid #ddd; text-align: left;">Result</th>
+                        <th style="padding: 10px; border-bottom: 2px solid #ddd; text-align: left;">Policy</th>
+                        <th style="padding: 10px; border-bottom: 2px solid #ddd; text-align: left;">Compliance Check</th>
+                        <th style="padding: 10px; border-bottom: 2px solid #ddd; text-align: left;">Severity</th>
+                    </tr>
+                </thead>
+                <tbody>
+                    {''.join(table_rows)}
+                </tbody>
+            </table>
+        </div>
+        """
+    else:
+        asset_table_html = "<p><em>No asset details available.</em></p>"
+
+    # Combine summary and details
+    return summary_html + asset_table_html
 
 
 def update_implementation_status(implementation: ControlImplementation, result: str) -> ControlImplementation:
@@ -1003,14 +1157,104 @@ def update_implementation_status(implementation: ControlImplementation, result:
     logger.info(f"Updated implementation status for {implementation.id}: {implementation.status}")
 
 
+def get_wiz_compliance_settings():
+    """
+    Get Wiz compliance settings for status mapping
+
+    :return: Compliance settings instance or None
+    :rtype: Optional[ComplianceSettings]
+    """
+    try:
+        settings = ComplianceSettings.get_by_current_tenant()
+        wiz_compliance_setting = next((comp for comp in settings if comp.title == "Wiz Compliance Setting"), None)
+        if not wiz_compliance_setting:
+            logger.debug("No Wiz Compliance Setting found, using default implementation status mapping")
+        else:
+            logger.debug("Using Wiz Compliance Setting for implementation status mapping")
+        return wiz_compliance_setting
+    except Exception as e:
+        logger.debug(f"Error getting Wiz Compliance Setting: {e}")
+        return None
+
+
 def report_result_to_implementation_status(result: str) -> str:
     """
-    Convert report result to implementation status
+    Convert report result to implementation status using compliance settings if available
 
     :param str result: Report result
     :return: Implementation status
     :rtype: str
     """
+    compliance_settings = get_wiz_compliance_settings()
+
+    if compliance_settings:
+        status = _get_status_from_compliance_settings(result, compliance_settings)
+        if status:
+            return status
+
+    # Fallback to default mapping
+    return _get_default_status_mapping(result)
+
+
+def _get_status_from_compliance_settings(result: str, compliance_settings) -> Optional[str]:
+    """
+    Get implementation status from compliance settings
+
+    :param str result: Report result
+    :param compliance_settings: Compliance settings object
+    :return: Implementation status or None if not found
+    :rtype: Optional[str]
+    """
+    try:
+        status_labels = compliance_settings.get_field_labels("implementationStatus")
+        result_lower = result.lower()
+
+        for label in status_labels:
+            status = _match_result_to_label(result_lower, label)
+            if status:
+                return status
+
+        logger.debug(f"No matching compliance setting found for result: {result}")
+        return None
+
+    except Exception as e:
+        logger.debug(f"Error using compliance settings for implementation status mapping: {e}")
+        return None
+
+
+def _match_result_to_label(result_lower: str, label: str) -> Optional[str]:
+    """
+    Match a result to a status label based on predefined mappings
+
+    :param str result_lower: Lowercase result string
+    :param str label: Status label to check
+    :return: Matched label or None
+    :rtype: Optional[str]
+    """
+    label_lower = label.lower()
+
+    if result_lower == ComplianceCheckStatus.PASS.value.lower():
+        return label if label_lower in ["implemented", "complete", "compliant"] else None
+
+    if result_lower == ComplianceCheckStatus.FAIL.value.lower():
+        return (
+            label
+            if label_lower in ["inremediation", "in remediation", "remediation", "failed", "non-compliant"]
+            else None
+        )
+
+    # Not implemented or other status
+    return label if label_lower in ["notimplemented", "not implemented", "pending", "planned"] else None
+
+
+def _get_default_status_mapping(result: str) -> str:
+    """
+    Get default status mapping for a result
+
+    :param str result: Report result
+    :return: Default implementation status
+    :rtype: str
+    """
     if result == ComplianceCheckStatus.PASS.value:
         return ControlImplementationStatus.Implemented.value
     elif result == ComplianceCheckStatus.FAIL.value:

regscale/integrations/commercial/wizv2/variables.py

@@ -3,6 +3,7 @@
 """Wiz Variables"""
 
 from regscale.core.app.utils.variables import RsVariableType, RsVariablesMeta
+from regscale.integrations.commercial.wizv2.constants import RECOMMENDED_WIZ_INVENTORY_TYPES
 
 
 class WizVariables(metaclass=RsVariablesMeta):
@@ -22,16 +23,7 @@ class WizVariables(metaclass=RsVariablesMeta):
     wizInventoryFilterBy: RsVariableType(
         str,
         '{"projectId": ["xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"], "type": ["API_GATEWAY"]}',
-        default="""{"type":
-  [ "API_GATEWAY", "BACKUP_SERVICE", "CDN", "CICD_SERVICE", "CLOUD_LOG_CONFIGURATION",
-  "CLOUD_ORGANIZATION", "CONTAINER", "CONTAINER_IMAGE", "CONTAINER_REGISTRY", "CONTAINER_SERVICE",
-  "CONTROLLER_REVISION", "DATABASE", "DATA_WORKLOAD", "DB_SERVER", "DOMAIN", "EMAIL_SERVICE", "ENCRYPTION_KEY",
-  "FILE_SYSTEM_SERVICE", "FIREWALL", "GATEWAY", "KUBERNETES_CLUSTER", "LOAD_BALANCER",
-  "MANAGED_CERTIFICATE", "MESSAGING_SERVICE", "NAMESPACE", "NETWORK_INTERFACE", "PRIVATE_ENDPOINT",
-  "PRIVATE_LINK", "RAW_ACCESS_POLICY", "REGISTERED_DOMAIN", "RESOURCE_GROUP", "SECRET",
-  "SECRET_CONTAINER", "SERVERLESS", "SERVERLESS_PACKAGE", "SERVICE_ACCOUNT", "SERVICE_CONFIGURATION",
-  "STORAGE_ACCOUNT", "SUBNET", "SUBSCRIPTION", "VIRTUAL_DESKTOP", "VIRTUAL_MACHINE",
-  "VIRTUAL_MACHINE_IMAGE", "VIRTUAL_NETWORK", "VOLUME", "WEB_SERVICE", "NETWORK_ADDRESS"] }""",
+        default="""{"type": ["%s"] }""" % '","'.join(RECOMMENDED_WIZ_INVENTORY_TYPES),  # type: ignore
     )  # type: ignore
     wizAccessToken: RsVariableType(str, "", sensitive=True, required=False)  # type: ignore
     wizClientId: RsVariableType(str, "", sensitive=True)  # type: ignore

regscale/integrations/scanner_integration.py

@@ -1656,15 +1656,21 @@ class ScannerIntegration(ABC):
                 bulk_update=True, defaults={"otherIdentifier": self._get_other_identifier(finding, is_poam)}
             )
 
-        self._handle_property_creation_for_issue(issue, finding)
+        self._handle_property_and_milestone_creation(issue, finding, existing_issue)
         return issue
 
-    def _handle_property_creation_for_issue(self, issue: regscale_models.Issue, finding: IntegrationFinding) -> None:
+    def _handle_property_and_milestone_creation(
+        self,
+        issue: regscale_models.Issue,
+        finding: IntegrationFinding,
+        existing_issue: Optional[regscale_models.Issue] = None,
+    ) -> None:
         """
         Handles property creation for an issue based on the finding data
 
         :param regscale_models.Issue issue: The issue to handle properties for
         :param IntegrationFinding finding: The finding data
+        :param bool new_issue: Whether this is a new issue
         :rtype: None
         """
         if poc := finding.point_of_contact:
@@ -1685,6 +1691,45 @@ class ScannerIntegration(ABC):
             ).create_or_update()
             logger.debug("Added CWE property %s to issue %s", finding.plugin_id, issue.id)
 
+        if ScannerVariables.useMilestones:
+            if (
+                existing_issue
+                and existing_issue.status == regscale_models.IssueStatus.Closed
+                and issue.status == regscale_models.IssueStatus.Open
+            ):
+                regscale_models.Milestone(
+                    title=f"Issue reopened from {self.title} scan",
+                    milestoneDate=get_current_datetime(),
+                    responsiblePersonId=self.assessor_id,
+                    parentID=issue.id,
+                    parentModule="issues",
+                ).create_or_update()
+                logger.debug("Added milestone for issue %s from finding %s", issue.id, finding.external_id)
+            elif (
+                existing_issue
+                and existing_issue.status == regscale_models.IssueStatus.Open
+                and issue.status == regscale_models.IssueStatus.Closed
+            ):
+                regscale_models.Milestone(
+                    title=f"Issue closed from {self.title} scan",
+                    milestoneDate=issue.dateCompleted,
+                    responsiblePersonId=self.assessor_id,
+                    parentID=issue.id,
+                    parentModule="issues",
+                ).create_or_update()
+                logger.debug("Added milestone for issue %s from finding %s", issue.id, finding.external_id)
+            elif not existing_issue:
+                regscale_models.Milestone(
+                    title=f"Issue created from {self.title} scan",
+                    milestoneDate=self.scan_date,
+                    responsiblePersonId=self.assessor_id,
+                    parentID=issue.id,
+                    parentModule="issues",
+                ).create_or_update()
+                logger.debug("Created milestone for issue %s from finding %s", issue.id, finding.external_id)
+            else:
+                logger.debug("No milestone created for issue %s from finding %s", issue.id, finding.external_id)
+
     @staticmethod
     def get_consolidated_asset_identifier(
         finding: IntegrationFinding,
@@ -2523,6 +2568,17 @@ class ScannerIntegration(ABC):
         issue.dateLastUpdated = get_current_datetime()
         issue.save()
 
+        if ScannerVariables.useMilestones:
+            regscale_models.Milestone(
+                title=f"Issue closed from {self.title} scan",
+                milestoneDate=issue.dateCompleted,
+                responsiblePersonId=self.assessor_id,
+                completed=True,
+                parentID=issue.id,
+                parentModule="issues",
+            ).create_or_update()
+            logger.debug("Created milestone for issue %s from %s tool", issue.id, self.title)
+
         with count_lock:
             self.closed_count += 1
             if issue.controlImplementationIds:

regscale/integrations/variables.py

@@ -26,3 +26,4 @@ class ScannerVariables(metaclass=RsVariablesMeta):
     maxRetries: RsVariableType(int, "3", default=3, required=False)  # type: ignore
     timeout: RsVariableType(int, "60", default=60, required=False)  # type: ignore
     complianceCreation: RsVariableType(str, "Assessment|Issue|POAM", default="Assessment", required=False)  # type: ignore # noqa: F722,F821
+    useMilestones: RsVariableType(bool, "true|false", default=False, required=False)  # type: ignore # noqa: F722,F722,F821