regscale-cli 6.21.0.0__py3-none-any.whl → 6.21.1.0__py3-none-any.whl

regscale/integrations/commercial/cpe.py

@@ -109,6 +109,23 @@ def extract_product_name_and_version(cpe_string: str) -> Dict:
     :rtype: Dict
     """
     # convert to version 2.3 if 2.2
+    # TODO: Note this is an incomplete conversion as the additional properties
+    # in the URI format (which is still supported in 2.3) are separated by
+    # tildes (~) after the final colon. We should extend this to support them
+    # at some point to be safe. Example from NISTIR7697 the 2.3 dictionary
+    # specification:
+    #
+    # WFN:
+    #     wfn:[part="o",vendor="microsoft",product="windows_vista",version="6\.0",
+    #     update="sp1",edition=NA,language=NA,sw_edition="home_premium",
+    #     target_sw=NA,target_hw="x64",other=NA]
+    #
+    # WFN bound to a URI:
+    #     cpe:/o:microsoft:windows_vista:6.0:sp1:~-~home_premium~-~x64~-
+    #
+    # WFN bound to a formatted string:
+    #     cpe:2.3:o:microsoft:windows_vista:6.0:sp1:-:-:home_premium:-:x64:-
+    #
     if cpe_string.startswith("cpe:/"):
         cpe_string = cpe_string.replace("cpe:/", "cpe:2.3:")
 
@@ -117,7 +134,7 @@ def extract_product_name_and_version(cpe_string: str) -> Dict:
 
     # Extract the product name and version
     # parts[3] is the product name, parts[4] is the version
-    part = parts[2]
+    part = parts[2] if len(parts) > 2 else None
     logger.debug(f"part: {part}")
     vendor_name = parts[3] if len(parts) > 3 else None
     product_name = parts[4] if len(parts) > 4 else None

regscale/integrations/commercial/tenablev2/jsonl_scanner.py

@@ -446,7 +446,7 @@ class TenableSCJsonlScanner(JSONLScannerIntegration):
             # If no findings were created, return a basic finding
             # Get the IP from the vulnerability directly rather than using passed asset_identifier
             finding_asset_id = vuln.ip or asset_identifier
-
+            logger.debug(item)
             return IntegrationFinding(
                 title=item.get("pluginName", "Unknown Finding"),
                 description=item.get("description", "No description available"),
@@ -456,6 +456,7 @@ class TenableSCJsonlScanner(JSONLScannerIntegration):
                 category="Vulnerability",
                 scan_date=self.scan_date,
                 plugin_name=item.get("pluginName", UNKNOWN_PLUGIN),
+                control_labels=item.get("controlLabels", []),
             )
 
         except Exception as e:

regscale/integrations/commercial/wizv2/async_client.py

@@ -10,6 +10,7 @@ import anyio
 import httpx
 
 from regscale.core.app.utils.app_utils import error_and_exit
+from regscale.integrations.variables import ScannerVariables
 
 logger = logging.getLogger("regscale")
 
@@ -72,7 +73,9 @@ class AsyncWizGraphQLClient:
             logger.debug(f"Variables: {variables}")
 
             try:
-                async with httpx.AsyncClient(timeout=self.timeout) as client:
+                # Get SSL verify setting from scanner variables config
+                ssl_verify = getattr(ScannerVariables, "sslVerify", True)
+                async with httpx.AsyncClient(timeout=self.timeout, verify=ssl_verify) as client:
                     if progress_callback:
                         progress_callback(task_name, "requesting")
 
@@ -81,7 +84,7 @@ class AsyncWizGraphQLClient:
                     if progress_callback:
                         progress_callback(task_name, "processing")
 
-                    if response.raise_for_status():
+                    if not response.is_success:
                         error_and_exit(
                             f"Received non-200 response from GraphQL API: {response.status_code}: {response.text}"
                         )
@@ -304,6 +307,7 @@ def run_async_queries(
     query_configs: List[Dict[str, Any]],
     progress_tracker: Optional[Any] = None,
     max_concurrent: int = 5,
+    timeout: int = 60,
 ) -> List[Tuple[str, List[Dict[str, Any]], Optional[Exception]]]:
     """
     Convenience function to run async queries from synchronous code.
@@ -313,12 +317,15 @@ def run_async_queries(
     :param List[Dict[str, Any]] query_configs: Query configurations
     :param Optional[Any] progress_tracker: Progress tracker
     :param int max_concurrent: Maximum concurrent requests
+    :param int timeout: Request timeout in seconds
     :return: Query results
     :rtype: List[Tuple[str, List[Dict[str, Any]], Optional[Exception]]]
     """
 
     async def _run():
-        client = AsyncWizGraphQLClient(endpoint=endpoint, headers=headers, max_concurrent=max_concurrent)
+        client = AsyncWizGraphQLClient(
+            endpoint=endpoint, headers=headers, max_concurrent=max_concurrent, timeout=timeout
+        )
         return await client.execute_concurrent_queries(query_configs, progress_tracker)
 
     # Use anyio.run for better compatibility

regscale/integrations/commercial/wizv2/click.py

@@ -9,7 +9,7 @@ from typing import Optional
 import click
 
 from regscale.integrations.commercial.wizv2.variables import WizVariables
-from regscale.models import regscale_id, regscale_module
+from regscale.models import regscale_id
 from regscale.models.app_models.click import regscale_ssp_id
 
 logger = logging.getLogger("regscale")
@@ -333,12 +333,10 @@ def add_report_evidence(
     "--wiz_project_id",
     "-p",
     prompt="Enter the Wiz project ID",
-    help="Enter the Wiz Project ID.  Options include: projects, \
-          policies, supplychain, securityplans, components.",
+    help="Enter the Wiz Project ID for policy compliance sync.",
     required=True,
 )
-@regscale_id(help="RegScale will create and update issues as children of this record.")
-@regscale_module()
+@regscale_id(help="RegScale will create and update control assessments as children of this record.")
 @click.option(  # type: ignore
     "--client_id",
     "-i",
@@ -356,44 +354,122 @@ def add_report_evidence(
     required=False,
 )
 @click.option(  # type: ignore
-    "--catalog_id",
-    "-c",
-    help="RegScale Catalog ID for the selected framework.",
-    hide_input=False,
+    "--framework_id",
+    "-f",
+    help="Wiz framework ID or shorthand (e.g., 'nist', 'aws', 'wf-id-4'). Use --list-frameworks to see options. Default: wf-id-4 (NIST SP 800-53 Rev 5)",
+    default="wf-id-4",
     required=False,
-    default=None,
 )
 @click.option(  # type: ignore
-    "--framework",
-    "-f",
-    type=click.Choice(["CSF", "NIST800-53R5", "NIST800-53R4"], case_sensitive=False),  # type: ignore
-    help="Choose either one of the Frameworks",
-    default="NIST800-53R5",
-    required=True,
+    "--list-frameworks",
+    "-lf",
+    is_flag=True,
+    help="List all available framework options and shortcuts",
+    default=False,
+)
+@click.option(  # type: ignore
+    "--create-issues/--no-create-issues",
+    "-ci/-ni",
+    default=True,
+    help="Create issues for failed policy assessments (default: enabled)",
+)
+@click.option(  # type: ignore
+    "--update-control-status/--no-update-control-status",
+    "-ucs/-nucs",
+    default=True,
+    help="Update control implementation status based on assessment results (default: enabled)",
+)
+@click.option(  # type: ignore
+    "--create-poams/--no-create-poams",
+    "-cp/-ncp",
+    default=False,
+    help="Mark created issues as POAMs (default: disabled)",
+)
+@click.option(  # type: ignore
+    "--refresh/--no-refresh",
+    "-r/-nr",
+    default=False,
+    help="Force refresh and ignore cached data (default: use cache if available)",
+)
+@click.option(  # type: ignore
+    "--cache-duration",
+    "-cd",
+    type=click.INT,
+    default=1440,
+    help="Cache duration in minutes - reuse cached data if newer than this (default: 1440 minutes / 1 day)",
 )
 def sync_compliance(
     wiz_project_id,
     regscale_id,
-    regscale_module,
     client_id,
     client_secret,
-    catalog_id,
-    framework,
+    framework_id,
+    list_frameworks,
+    create_issues,
+    update_control_status,
+    create_poams,
+    refresh,
+    cache_duration,
 ):
-    """Sync compliance posture from Wiz to RegScale"""
-    from regscale.integrations.commercial.wizv2.utils import _sync_compliance
+    """
+    Sync policy compliance assessments from Wiz to RegScale.
+
+    This command fetches policy assessment data from Wiz and creates:
+    - Control assessments based on policy compliance results
+    - Issues for failed policy assessments (if --create-issues enabled)
+    - Updates to control implementation status (if --update-control-status enabled)
+    - JSON output file with policy compliance data in artifacts/wiz/ directory
+    - Cached framework mapping for improved performance
+
+    CACHING:
+    By default, the command will reuse cached policy data if it's newer than the cache
+    duration (default: 60 minutes). Use --refresh to force fresh data from Wiz.
+    Use --cache-duration to adjust how long cached data is considered valid.
+    """
+    from regscale.integrations.commercial.wizv2.policy_compliance import (
+        WizPolicyComplianceIntegration,
+        list_available_frameworks,
+        resolve_framework_id,
+    )
+
+    # Handle --list-frameworks flag
+    if list_frameworks:
+        click.echo(list_available_frameworks())
+        return
 
+    # Use environment variables if not provided
     if not client_secret:
         client_secret = WizVariables.wizClientSecret
     if not client_id:
         client_id = WizVariables.wizClientId
 
-    _sync_compliance(
+    # Resolve framework ID using the enhanced framework resolution
+    try:
+        resolved_framework_id = resolve_framework_id(framework_id.lower())
+        if resolved_framework_id != framework_id:
+            from regscale.integrations.commercial.wizv2.policy_compliance import FRAMEWORK_MAPPINGS
+
+            framework_name = FRAMEWORK_MAPPINGS.get(resolved_framework_id, resolved_framework_id)
+            click.echo(f"🔍 Resolved '{framework_id}' to '{framework_name}' ({resolved_framework_id})")
+    except ValueError as e:
+        click.echo(f"❌ {str(e)}")
+        click.echo("\nUse --list-frameworks to see all available options.")
+        return
+
+    # Create and run the policy compliance integration
+    policy_integration = WizPolicyComplianceIntegration(
+        plan_id=regscale_id,
         wiz_project_id=wiz_project_id,
-        regscale_id=regscale_id,
-        regscale_module=regscale_module,
         client_id=client_id,
         client_secret=client_secret,
-        catalog_id=catalog_id,
-        framework=framework,
+        framework_id=resolved_framework_id,
+        create_poams=create_poams,
+        cache_duration_minutes=cache_duration,
+        force_refresh=refresh,
+    )
+
+    # Run the policy compliance sync
+    policy_integration.sync_policy_compliance(
+        create_issues=create_issues,
+        update_control_status=update_control_status,
     )

regscale/integrations/commercial/wizv2/constants.py

@@ -3,7 +3,225 @@
 from enum import Enum
 from typing import List, Optional
 
-from regscale.models import IssueSeverity
+from regscale.models import IssueSeverity, regscale_models
+
+WIZ_POLICY_QUERY = """
+query PolicyAssessmentsTable($filterBy: PolicyAssessmentFilters, $first: Int, $after: String) {
+  policyAssessments(filterBy: $filterBy, first: $first, after: $after) {
+    nodes {
+      id
+      policy {
+        ... on CloudConfigurationRule {
+          id
+          shortId
+          name
+          ruleDescription: description
+          severity
+          graphId
+          remediationInstructions
+          risks
+          threats
+          securitySubCategories {
+            ...SecuritySubCategoriesDetails
+          }
+        }
+        ... on Control {
+          id
+          name
+          description
+          lastRunAt
+          lastRunError
+          lastSuccessfulRunAt
+          severity
+          risks
+          threats
+          securitySubCategories {
+            ...SecuritySubCategoriesDetails
+          }
+        }
+        ... on HostConfigurationRule {
+          id
+          name
+          shortName
+          remediationInstructions
+          risks
+          threats
+          securitySubCategories {
+            ...SecuritySubCategoriesDetails
+          }
+        }
+      }
+      result
+      resource {
+        id
+        name
+        type
+        region
+        tags { key value }
+        subscription { id name externalId cloudProvider }
+      }
+      output {
+        ... on Issue { id issueStatus: status }
+        ... on ConfigurationFinding { id name cloudConfigurationFindingStatus: status remediation }
+        ... on HostConfigurationRuleAssessment { id hostConfigurationRule: rule { id name shortName description remediationInstructions } }
+      }
+    }
+    pageInfo { hasNextPage endCursor }
+    totalCount
+  }
+}
+
+fragment SecuritySubCategoriesDetails on SecuritySubCategory {
+  description
+  id
+  resolutionRecommendation
+  title
+  externalId
+  category { id name framework { id name enabled } }
+}
+"""
+
+WIZ_FRAMEWORK_QUERY = """
+query SecurityFrameworksTable($first: Int, $after: String, $filterBy: SecurityFrameworkFilters) {
+  securityFrameworks(first: $first, after: $after, filterBy: $filterBy) {
+    nodes { policyTypes ...SecurityFrameworkFragment }
+    pageInfo { hasNextPage endCursor }
+    totalCount
+  }
+}
+
+fragment SecurityFrameworkFragment on SecurityFramework {
+  id
+  name
+  description
+  builtin
+  enabled
+  parentFramework { id name }
+}
+"""
+
+# Comprehensive framework mappings with shorthand names for easy CLI usage
+FRAMEWORK_MAPPINGS = {
+    "wf-id-4": "NIST SP 800-53 Revision 5",
+    "wf-id-48": "NIST SP 800-53 Revision 4",
+    "wf-id-5": "FedRAMP (Moderate and Low levels)",
+    "wf-id-17": "CIS Controls v7.1",
+    "wf-id-24": "CIS Controls v8",
+    "wf-id-6": "CIS AWS v1.2.0",
+    "wf-id-7": "CIS AWS v1.3.0",
+    "wf-id-32": "CIS AWS v1.4.0",
+    "wf-id-45": "CIS AWS v1.5.0",
+    "wf-id-84": "CIS AWS v2.0.0",
+    "wf-id-98": "CIS AWS v3.0.0",
+    "wf-id-197": "CIS AWS v4.0.0",
+    "wf-id-50": "AWS Foundational Security Best Practices v1.0.0",
+    "wf-id-124": "AWS Well-Architected Framework (Section 2 - Security)",
+    "wf-id-8": "CIS Azure v1.3.0",
+    "wf-id-35": "CIS Azure v1.4.0",
+    "wf-id-52": "CIS Azure v1.5.0",
+    "wf-id-74": "CIS Azure v2.0.0",
+    "wf-id-100": "CIS Azure v2.1.0",
+    "wf-id-196": "CIS Azure v2.1.0 (Latest)",
+    "wf-id-40": "Azure Security Benchmark v3",
+    "wf-id-9": "CIS GCP v1.1.0",
+    "wf-id-36": "CIS GCP v1.2.0",
+    "wf-id-53": "CIS GCP v1.3.0",
+    "wf-id-85": "CIS GCP v2.0.0",
+    "wf-id-25": "CIS AKS v1.0.0",
+    "wf-id-68": "CIS AKS v1.2.0",
+    "wf-id-75": "CIS AKS v1.3.0",
+    "wf-id-93": "CIS AKS v1.4.0",
+    "wf-id-162": "CIS AKS v1.5.0",
+    "wf-id-218": "CIS AKS v1.6.0",
+    "wf-id-23": "CIS EKS v1.0.1",
+    "wf-id-67": "CIS EKS v1.1.0",
+    "wf-id-86": "CIS EKS v1.2.0",
+    "wf-id-18": "CIS Kubernetes v1.5.1",
+    "wf-id-66": "CIS Kubernetes v1.6.1",
+    "wf-id-87": "CIS Kubernetes v1.7.0",
+    "wf-id-76": "SOC 2 Type I",
+    "wf-id-16": "ISO/IEC 27001:2013",
+    "wf-id-19": "PCI DSS v3.2.1",
+    "wf-id-78": "PCI DSS v4.0",
+    "wf-id-79": "GDPR",
+    "wf-id-64": "CCPA/CPRA",
+    "wf-id-77": "CCF (The Adobe Common Controls Framework)",
+    "wf-id-70": "Canadian PBMM (ITSG-33)",
+    "wf-id-111": "C5 - Cloud Computing Compliance Criteria Catalogue",
+    "wf-id-161": "CAF (Cyber Assessment Framework by NCSC)",
+    "wf-id-90": "APRA CPG 234",
+    "wf-id-207": "CISA Security Requirements for EO 14117",
+    "wf-id-214": "5Rs - Wiz for Data Security",
+    "wf-id-225": "Wiz for Risk Assessment",
+}
+
+FRAMEWORK_SHORTCUTS = {
+    "nist": "wf-id-4",
+    "nist53r5": "wf-id-4",
+    "nist53r4": "wf-id-48",
+    "fedramp": "wf-id-5",
+    "cis": "wf-id-24",
+    "cisv8": "wf-id-24",
+    "cisv7": "wf-id-17",
+    "aws": "wf-id-197",
+    "azure": "wf-id-196",
+    "gcp": "wf-id-85",
+    "k8s": "wf-id-87",
+    "kubernetes": "wf-id-87",
+    "eks": "wf-id-86",
+    "aks": "wf-id-218",
+    "soc2": "wf-id-76",
+    "iso27001": "wf-id-16",
+    "pci": "wf-id-78",
+    "gdpr": "wf-id-79",
+    "ccpa": "wf-id-64",
+    "aws-foundational": "wf-id-50",
+    "aws-wellarchitected": "wf-id-124",
+    "azure-benchmark": "wf-id-40",
+}
+
+FRAMEWORK_CATEGORIES = {
+    "NIST Frameworks": ["wf-id-4", "wf-id-48", "wf-id-5"],
+    "CIS Controls": ["wf-id-17", "wf-id-24"],
+    "AWS Security": [
+        "wf-id-197",
+        "wf-id-50",
+        "wf-id-124",
+        "wf-id-6",
+        "wf-id-7",
+        "wf-id-32",
+        "wf-id-45",
+        "wf-id-84",
+        "wf-id-98",
+    ],
+    "Azure Security": [
+        "wf-id-196",
+        "wf-id-40",
+        "wf-id-8",
+        "wf-id-35",
+        "wf-id-52",
+        "wf-id-74",
+        "wf-id-100",
+    ],
+    "Google Cloud Security": ["wf-id-85", "wf-id-9", "wf-id-36", "wf-id-53"],
+    "Kubernetes Security": [
+        "wf-id-87",
+        "wf-id-86",
+        "wf-id-218",
+        "wf-id-18",
+        "wf-id-23",
+        "wf-id-25",
+        "wf-id-66",
+        "wf-id-67",
+        "wf-id-68",
+        "wf-id-75",
+        "wf-id-93",
+        "wf-id-162",
+    ],
+    "Industry Standards": ["wf-id-76", "wf-id-16", "wf-id-78", "wf-id-19"],
+    "Privacy & Data Protection": ["wf-id-79", "wf-id-64", "wf-id-214"],
+    "Government/Regulatory": ["wf-id-70", "wf-id-111", "wf-id-161", "wf-id-90", "wf-id-207"],
+}
 
 SBOM_FILE_PATH = "artifacts/wiz_sbom.json"
 INVENTORY_FILE_PATH = "artifacts/wiz_inventory.json"
@@ -181,6 +399,36 @@ RECOMMENDED_WIZ_INVENTORY_TYPES = [
     "VIRTUAL_NETWORK",
 ]
 
+# This is the set of technology deploymentModels and CloudResource types which we
+# map to the asset category Hardware (instead of Software) when the useWizHardwareTypes
+# feature is enabled.
+# So either things which are hardware-like, or which use technologies that, in turn,
+# imply they are hardware-like.
+# Note that using technology deploymentModels can grab things such as virutal machine
+# image files in addition to actual virtual machines. While this doesn't fit with
+# general concepts of "hardware", for the purposes of attestation, it is the correct
+# choice, as we may be certifying a source image that dynamic resources are created from,
+# rather than attempt to document a variable pool of auto-scaled resources.
+DEFAULT_WIZ_HARDWARE_TYPES = [
+    # CloudResource types
+    "VIRTUAL_MACHINE",
+    "VIRTUAL_MACHINE_IMAGE",
+    "CONTAINER",
+    "CONTAINER_IMAGE",
+    "DB_SERVER",
+    # technology deploymentModels
+    "SERVER_APPLICATION",
+    "CLIENT_APPLICATION",
+    "VIRTUAL_APPLIANCE",
+]
+
+# This maps CPE part values to Asset categories.
+CPE_PART_TO_CATEGORY_MAPPING = {
+    "h": regscale_models.AssetCategory.Hardware,  # Hardware
+    "a": regscale_models.AssetCategory.Software,  # Application
+    "o": regscale_models.AssetCategory.Software,  # Other? Operating system? (includes OSs and firmware)
+}
+
 INVENTORY_QUERY = """
     query CloudResourceSearch(
     $filterBy: CloudResourceFilters

regscale/integrations/commercial/wizv2/issue.py

@@ -262,12 +262,12 @@ class WizIssue(WizVulnerabilityIntegration):
             return "Wiz-Event"
         if not name:
             return f"Wiz-{service_type}-Event"
-        event_match = re.match(r"^([A-Za-z\s]+?)\s+(?:detection|event|alert|activity)", name)
+        event_match = re.match(r"^([A-Za-z\s]+?)\s+(detection|event|alert|activity)", name)
         if not event_match:
             return f"Wiz-{service_type}-Event"
 
         event_type = event_match.group(1).strip()
-        if event_type == "Suspicious activity":
+        if event_type == "Suspicious" and event_match.group(2).strip().lower() == "activity":
             return f"Wiz-{service_type}-SuspiciousActivity"
 
         event_type = "".join(word.capitalize() for word in event_type.split())

regscale/integrations/commercial/wizv2/parsers.py

@@ -76,11 +76,12 @@ def get_software_name_from_cpe(wiz_entity_properties: Dict, name: str) -> Dict:
     """
     cpe_info_dict = {
         "name": name,
+        "part": None,
         "software_name": None,
         "software_version": None,
         "software_vendor": None,
     }
-    if "cpe" in wiz_entity_properties.keys() and wiz_entity_properties.get("cpe"):
+    if "cpe" in wiz_entity_properties and wiz_entity_properties.get("cpe"):
         cpe_info_dict = extract_product_name_and_version(wiz_entity_properties.get("cpe", ""))
         cpe_info_dict["name"] = name
     return cpe_info_dict
@@ -349,7 +350,7 @@ def get_ip_address(
     ip6_address = None
     dns = None
     url = None
-    if "address" in wiz_entity_properties.keys():
+    if "address" in wiz_entity_properties:
         if wiz_entity_properties.get("addressType") == "IPV4":
             ip4_address = wiz_entity_properties.get("address")
         elif wiz_entity_properties.get("addressType") == "IPV6":