regscale-cli 6.21.2.0__py3-none-any.whl → 6.28.2.1__py3-none-any.whl

regscale/integrations/commercial/sicura/api.py

@@ -203,7 +203,6 @@ class SicuraAPI:
     FILTER_TYPE = "filter[type]"
     FILTER_REJECTED = "filter[rejected]"
     FILTER_TASK_ID = "filter[task_id]"
-    csrf_token: Optional[str] = None
 
     def __init__(self):
         """
@@ -246,12 +245,9 @@ class SicuraAPI:
 
         if data:
             self.session.headers["Content-Type"] = "application/json"
-        if not endpoint.endswith("/auth/token"):
-            if not self.csrf_token:
-                self.csrf_token = self.get_csrf_token()
-            if self.csrf_token:
-                self.session.headers["X-CSRF-TOKEN"] = str(self.csrf_token)
-            self.session.headers["auth-token-signature"] = SicuraVariables.sicuraToken
+
+        # Always set the auth token signature for API authentication
+        self.session.headers["auth-token-signature"] = SicuraVariables.sicuraToken
 
         try:
             # Use the session object to maintain cookies between requests
@@ -313,22 +309,6 @@ class SicuraAPI:
             logging.error(f"Error validating response: {e}", exc_info=True)
             return None
 
-    def get_csrf_token(self) -> Optional[AuthResponse]:
-        """
-        Get authentication token from Sicura API.
-
-        :return: Authentication response
-        :rtype: Optional[AuthResponse]
-        :raises requests.exceptions.RequestException: If the request fails
-        """
-        try:
-            response = self._make_request("GET", "/auth/token")
-            self.csrf_token = response
-            return response
-        except requests.exceptions.RequestException as e:
-            logger.error(f"Error getting authentication token: {e}", exc_info=True)
-            raise
-
     class Device(SicuraModel):
         """Model for Sicura device information."""
 
@@ -356,7 +336,7 @@ class SicuraAPI:
         try:
             response = self._make_request(
                 "GET",
-                "/backend/api/jaeger/v1/nodes",
+                "/api/jaeger/v1/nodes",
                 params={
                     "verbose": "true",
                     "attributes": "platforms,scannable_profiles,most_recent_scan",
@@ -384,11 +364,56 @@ class SicuraAPI:
             logger.error(f"Failed to get devices: {e}", exc_info=True)
             return []
 
+    def create_or_update_control_profile(self, profile_name: str, controls: list[dict]) -> Optional[dict]:
+        """
+        Create or update a control profile.
+
+        :param str profile_name: Name of the control profile
+        :param list[dict] controls: List of controls to add to the profile
+        :return: The control profile if successfully created or updated, None otherwise
+        :rtype: Optional[dict]
+        """
+        profile_id = None
+        profile_data = None
+        params = {"verbose": "true"}
+        try:
+            # see if the profile already exists
+            response = self._make_request("GET", "/api/jaeger/v1/control_profiles", params=params)
+            for profile in response:
+                if profile["name"] == profile_name:
+                    profile_id = profile["id"]
+                    break
+            payload = {
+                "name": profile_name,
+                "description": f"Profile for {profile_name} with {len(controls)} controls.",
+                "controls": controls,
+            }
+            if not profile_id:
+                crud_operation = "Created"
+                response = self._make_request("POST", "/api/jaeger/v1/control_profiles", data=payload, params=params)
+                profile_id = response
+                profile_data = self._make_request("GET", f"/api/jaeger/v1/control_profiles/{profile_id}", params=params)
+            else:
+                crud_operation = "Updated"
+                response = self._make_request(
+                    "PUT", f"/api/jaeger/v1/control_profiles/{profile_id}", data=payload, params=params
+                )
+                profile_id = response["id"]
+                profile_data = response
+            logger.info(f"{crud_operation} control profile #{profile_id} in Sicura with {len(controls)} controls.")
+            return profile_data
+
+            return profile_id
+        except Exception as e:
+            logger.error(f"Failed to create or update control profile: {e}", exc_info=True)
+            return None
+
     def create_scan_task(
         self,
         device_id: int,
         platform: str,
-        profile: SicuraProfile,
+        profile: Union[SicuraProfile, str],
+        author: Optional[str] = None,
         task_name: Optional[str] = None,
         scheduled_time: Optional[datetime.datetime] = None,
     ) -> Optional[str]:
@@ -398,6 +423,7 @@ class SicuraAPI:
         :param int device_id: ID of the device to scan
         :param str platform: Platform name (e.g., 'Red Hat Enterprise Linux 9')
         :param SicuraProfile profile: Scan profile name (e.g., 'I - Mission Critical Classified')
+        :param Optional[str] author: Author of the scan task (default: None)
         :param Optional[str] task_name: Name for the scan task (default: auto-generated)
         :param Optional[datetime.datetime] scheduled_time: When to run the scan (default: now)
         :return: Task ID if successful, None otherwise
@@ -425,7 +451,10 @@ class SicuraAPI:
                 "scanAttributes": {"platform": platform, "profile": profile},
             }
 
-            result = self._make_request("POST", "/backend/api/jaeger/v1/tasks/", data=payload)
+            if author:
+                payload["scanAttributes"]["author"] = author
+
+            result = self._make_request("POST", "/api/jaeger/v1/tasks/", data=payload)
 
             if result:
                 logger.info(f"Successfully created scan task with ID: {result}")
@@ -448,7 +477,7 @@ class SicuraAPI:
         """
         try:
             response = self._make_request(
-                "GET", "/backend/api/jaeger/v1/jobs", params={"verbose": "true", self.FILTER_TASK_ID: task_id}
+                "GET", "/api/jaeger/v1/jobs", params={"verbose": "true", self.FILTER_TASK_ID: task_id}
             )
 
             # Handle 404 or empty response
@@ -483,14 +512,16 @@ class SicuraAPI:
         self,
         fqdn: str,
         platform: Optional[str] = None,
-        profile: SicuraProfile = SicuraProfile.I_MISSION_CRITICAL_CLASSIFIED,
+        profile: Union[SicuraProfile, str] = SicuraProfile.I_MISSION_CRITICAL_CLASSIFIED,
+        author: Optional[str] = None,
     ) -> Optional[ScanReport]:
         """
         Get scan results for a specific device.
 
         :param str fqdn: Fully qualified domain name of the device
         :param Optional[str] platform: Platform name to filter results (e.g., 'Red Hat Enterprise Linux 9')
-        :param SicuraProfile profile: Profile name to filter results (e.g., 'I - Mission Critical Classified')
+        :param Union[SicuraProfile, str] profile: Profile name to filter results, defaults to I - Mission Critical Classified
+        :param Optional[str] author: Author of the scan task (default: None)
         :return: Scan report containing device info and scan results, or None if not found
         :rtype: Optional[ScanReport]
         """
@@ -503,7 +534,10 @@ class SicuraAPI:
             if profile:
                 params["profile"] = profile
 
-            response = self._make_request("GET", "/backend/api/jaeger/v1/nodes", params=params)
+            if author:
+                params["author"] = author
+
+            response = self._make_request("GET", "/api/jaeger/v1/nodes", params=params)
 
             # Handle 404 or empty response
             if not response or (isinstance(response, list) and not response):
@@ -524,16 +558,17 @@ class SicuraAPI:
                     return None  # Return None if no scans available
 
                 # Calculate summary stats
-                pass_count = sum(1 for scan in device.get("scans", []) if scan.get("result") == "pass")
-                fail_count = sum(1 for scan in device.get("scans", []) if scan.get("result") == "fail")
-                total_count = len(device.get("scans", []))
+                scan_results = device.get("scans", {}).get("results", [])
+                pass_count = sum(1 for scan in scan_results if scan.get("result") == "pass")
+                fail_count = sum(1 for scan in scan_results if scan.get("result") == "fail")
+                total_count = len(scan_results)
 
                 # Create the raw result data
                 result_data = {
                     "device_id": device.get("id"),
                     "fqdn": device.get("fqdn"),
                     "ip_address": device.get("ip_address"),
-                    "scans": device.get("scans", []),
+                    "scans": scan_results,
                     "summary": {
                         "total": total_count,
                         "pass": pass_count,
@@ -559,7 +594,8 @@ class SicuraAPI:
         task_id: Union[int, str],
         fqdn: str,
         platform: Optional[str] = None,
-        profile: SicuraProfile = SicuraProfile.I_MISSION_CRITICAL_CLASSIFIED,
+        profile: Union[SicuraProfile, str] = SicuraProfile.I_MISSION_CRITICAL_CLASSIFIED,
+        author: Optional[str] = None,
         max_wait_time: int = 600,
         poll_interval: int = 10,
     ) -> Optional[Union[ScanReport, Dict[str, Any]]]:
@@ -569,7 +605,8 @@ class SicuraAPI:
         :param Union[int, str] task_id: ID of the scan task to monitor
         :param str fqdn: Fully qualified domain name of the device
         :param Optional[str] platform: Platform name to filter results
-        :param SicuraProfile profile: Profile name to filter results
+        :param Union[SicuraProfile, str] profile: Profile name to filter results, defaults to I - Mission Critical Classified
+        :param Optional[str] author: Author of the scan task (default: None)
         :param int max_wait_time: Maximum time to wait in seconds (default: 10 minutes)
         :param int poll_interval: Time between status checks in seconds (default: 10 seconds)
         :return: Scan results once the task is complete, or None if timeout or error
@@ -601,7 +638,7 @@ class SicuraAPI:
                         logger.info(f"Scan task {task_id} completed successfully, fetching results...")
                         # Wait a moment for results to be processed
                         time.sleep(2)
-                        return self.get_scan_results(fqdn, platform, profile)
+                        return self.get_scan_results(fqdn=fqdn, platform=platform, profile=profile, author=author)
                     else:
                         logger.error(f"Scan task {task_id} ended with status {latest_status}")
                         return None
@@ -638,7 +675,7 @@ class SicuraAPI:
             if ip_address:
                 params[self.FILTER_IP_ADDRESS] = ip_address
 
-            response = self._make_request("GET", "/backend/api/jaeger/v1/node_templates/", params=params)
+            response = self._make_request("GET", "/api/jaeger/v1/node_templates/", params=params)
 
             # Handle 404 or empty response
             if not response or (isinstance(response, dict) and "detail" in response):
@@ -670,7 +707,7 @@ class SicuraAPI:
             # Use PUT method with the correct endpoint and payload
             result = self._make_request(
                 "PUT",
-                f"/backend/api/jaeger/v1/node_templates/{device_id}",
+                f"/api/jaeger/v1/node_templates/{device_id}",
                 params={"verbose": "true", "include_controls": "true", "action": "promote"},
             )
 
@@ -697,7 +734,7 @@ class SicuraAPI:
             # Use PUT method with the correct endpoint and payload
             result = self._make_request(
                 "PUT",
-                f"/backend/api/jaeger/v1/node_templates/{device_id}",
+                f"/api/jaeger/v1/node_templates/{device_id}",
                 params={"verbose": "true", "include_controls": "true", "action": "reject"},
             )
 
@@ -721,7 +758,7 @@ class SicuraAPI:
         :rtype: bool
         """
         try:
-            result = self._make_request("DELETE", f"/backend/api/jaeger/v1/nodes/{device_id}")
+            result = self._make_request("DELETE", f"/api/jaeger/v1/nodes/{device_id}")
 
             # For DELETE operations, an empty result typically indicates success
             if result is None or result == "" or (isinstance(result, dict) and not result):
@@ -854,7 +891,7 @@ class SicuraAPI:
         }
 
         logger.info(f"Creating enforcement task for device {device_id} with {len(ce_names)} CE names")
-        result = self._make_request("POST", "/backend/api/jaeger/v1/tasks/", data=payload)
+        result = self._make_request("POST", "/api/jaeger/v1/tasks/", data=payload)
 
         if result:
             logger.info(f"Successfully created enforcement task with ID: {result}")

regscale/integrations/commercial/sicura/commands.py

@@ -46,7 +46,13 @@ def sync_assets(regscale_id: int):
 
 @sicura.command(name="sync_findings")
 @regscale_id(help="RegScale will create and update findings as children of this record.")
-def sync_findings(regscale_id: int):
+@click.option(
+    "--trigger_scan",
+    "-s",
+    is_flag=True,
+    help="Trigger a new scan on Sicura assets before syncing.",
+)
+def sync_findings(regscale_id: int, trigger_scan: bool):
     """
     Sync Sicura findings to RegScale.
 
@@ -60,7 +66,7 @@ def sync_findings(regscale_id: int):
         )
 
         # Using import_findings method which handles the synchronization
-        integration.sync_findings(plan_id=regscale_id)
+        integration.sync_findings(plan_id=regscale_id, trigger_scan=trigger_scan)
 
         logger.info("[bold green]Finding synchronization complete.")
 

regscale/integrations/commercial/sicura/scanner.py

@@ -4,7 +4,7 @@
 RegScale Sicura Integration
 """
 import datetime
-from typing import Generator, Iterator, Any
+from typing import Any, Generator, Iterator, Union
 
 from regscale.core.utils.date import date_str
 from regscale.integrations.commercial.sicura.api import SicuraAPI, ScanReport, SicuraProfile, Device, ScanResult
@@ -55,6 +55,8 @@ class SicuraIntegration(ScannerIntegration):
         """
         super().__init__(*args, **kwargs)
         self.api = SicuraAPI()
+        self.control_scan = False
+        self.control_scan_profile = None
 
     def fetch_findings(self, **kwargs) -> Generator[IntegrationFinding, None, None]:
         """
@@ -74,6 +76,10 @@ class SicuraIntegration(ScannerIntegration):
             logger.warning("No devices found in Sicura")
             return
 
+        if kwargs.pop("trigger_scan", False):
+            logger.info(f"Triggering scans on Sicura {len(devices)} devices...")
+            self.trigger_scans(devices)
+
         self.num_findings_to_process = 0
         findings_count = 0
 
@@ -99,23 +105,28 @@ class SicuraIntegration(ScannerIntegration):
             return
 
         # Profiles to scan
-        profiles = [SicuraProfile.I_MISSION_CRITICAL_CLASSIFIED, SicuraProfile.LEVEL_1_SERVER]
+        profiles = [SicuraProfile.I_MISSION_CRITICAL_CLASSIFIED]
+        if self.control_scan:
+            profiles = [self.control_scan_profile]
 
         for profile in profiles:
             yield from self._process_profile_findings(device, profile)
 
     def _process_profile_findings(
-        self, device: Device, profile: SicuraProfile
+        self, device: Device, profile: Union[SicuraProfile, str]
     ) -> Generator[IntegrationFinding, None, None]:
         """
         Process findings for a device with a specific profile
 
         :param Device device: The device to process
-        :param SicuraProfile profile: The profile to process
+        :param Union[SicuraProfile, str] profile: The profile to process
         :yield: IntegrationFinding objects
         :rtype: Generator[IntegrationFinding, None, None]
         """
-        scan_report = self.api.get_scan_results(fqdn=device.fqdn, profile=profile)
+        if self.control_scan and profile == self.control_scan_profile:
+            scan_report = self.api.get_scan_results(fqdn=device.fqdn, profile=profile, author="control")
+        else:
+            scan_report = self.api.get_scan_results(fqdn=device.fqdn, profile=profile)
 
         if not scan_report:
             logger.warning(f"No scan results found for device: {device.fqdn} with profile: {profile}")
@@ -206,7 +217,8 @@ class SicuraIntegration(ScannerIntegration):
                 mitigation=mitigation,
             )
 
-    def _extract_scan_data(self, scan: Any) -> dict:
+    @staticmethod
+    def _extract_scan_data(scan: Any) -> dict:
         """
         Extract scan data from the scan object
 
@@ -235,7 +247,8 @@ class SicuraIntegration(ScannerIntegration):
                 "controls": scan.controls if hasattr(scan, "controls") else {},
             }
 
-    def _extract_control_refs(self, controls: dict) -> tuple:
+    @staticmethod
+    def _extract_control_refs(controls: dict) -> tuple:
         """
         Extract CCI and SRG references from controls
 
@@ -353,8 +366,9 @@ class SicuraIntegration(ScannerIntegration):
             baseline=platform,
         )
 
+    @staticmethod
     def _create_results_text(
-        self, title, ce_name, result, description, state, state_reason, cci_ref, srg_refs, is_cci_finding
+        title, ce_name, result, description, state, state_reason, cci_ref, srg_refs, is_cci_finding
     ) -> str:
         """
         Create the results text for a finding
@@ -401,42 +415,6 @@ class SicuraIntegration(ScannerIntegration):
         :rtype: Iterator[IntegrationAsset]
         """
         logger.info("Fetching assets from Sicura...")
-
-        # Get all devices
-        pending_devices = self.api.get_pending_devices()
-        for pending_device in pending_devices:
-            print(f"Pending device: {pending_device}")
-            self.api.accept_pending_device(pending_device.id)
-            task_id = self.api.create_scan_task(
-                device_id=pending_device.id,
-                platform=pending_device.platform,
-                profile=SicuraProfile.I_MISSION_CRITICAL_CLASSIFIED,
-            )
-            if task_id:
-                self.api.wait_for_scan_results(
-                    task_id=task_id,
-                    fqdn=pending_device.fqdn,
-                    platform=pending_device.platform,
-                    profile=SicuraProfile.I_MISSION_CRITICAL_CLASSIFIED,
-                )
-            else:
-                logger.warning(f"Failed to create scan task for device {pending_device.fqdn}")
-                continue  # Continue to next device if creating scan task failed
-
-            task_id = self.api.create_scan_task(
-                device_id=pending_device.id, platform=pending_device.platform, profile=SicuraProfile.LEVEL_1_SERVER
-            )
-            if task_id:
-                self.api.wait_for_scan_results(
-                    task_id=task_id,
-                    fqdn=pending_device.fqdn,
-                    platform=pending_device.platform,
-                    profile=SicuraProfile.LEVEL_1_SERVER,
-                )
-            else:
-                logger.warning(f"Failed to create scan task for device {pending_device.fqdn}")
-                # No continue needed here as we're at the end of the loop iteration
-
         devices = self.api.get_devices()
 
         if not devices:
@@ -479,3 +457,64 @@ class SicuraIntegration(ScannerIntegration):
             )
 
             self.asset_progress.update(loading_devices, advance=1)
+
+    def trigger_and_wait_for_scan(self, device: Device) -> None:
+        """
+        Trigger a scan and wait for the results
+
+        :param Device device: The device to trigger a scan for
+        :return: None
+        """
+        profile = self.control_scan_profile if self.control_scan else SicuraProfile.I_MISSION_CRITICAL_CLASSIFIED
+        author = "control" if self.control_scan else None
+        task_id = self.api.create_scan_task(
+            device_id=device.id,
+            platform=device.platforms,
+            profile=profile,
+            author=author,
+        )
+        if task_id:
+            self.api.wait_for_scan_results(
+                task_id=task_id,
+                fqdn=device.fqdn,
+                platform=device.platforms,
+                profile=profile,
+                author=author,
+            )
+        else:
+            logger.warning(f"Failed to create scan task for device {device.fqdn}")
+
+    def trigger_scans(self, devices: list[Device]) -> None:
+        """
+        Trigger scans for a list of devices
+
+        :param list[Device] devices: The devices to trigger scans for
+        :return: None
+        """
+        # get the SSP's controlImplementations
+        if control_imps := regscale_models.ControlImplementation.get_list_by_parent(
+            regscale_id=self.plan_id, regscale_module=regscale_models.SecurityPlan.get_module_slug()
+        ):
+            if profile := self.api.create_or_update_control_profile(
+                profile_name=f"regscale_ssp_id_{self.plan_id}",
+                controls=control_imps,
+            ):
+                self.control_scan = True
+                self.control_scan_profile = profile["name"]
+            else:
+                logger.warning("Failed to create or update control profile")
+                self.control_scan = False
+                self.control_scan_profile = None
+        else:
+            self.control_scan = False
+            self.control_scan_profile = None
+
+        if len(devices) > 1:
+            from regscale.utils.threading import ThreadManager
+
+            # use multithreading to trigger scans for multiple devices
+            thread_manager = ThreadManager(max_workers=10)
+            thread_manager.submit_tasks_from_list(self.trigger_and_wait_for_scan, devices)
+            thread_manager.execute_and_verify()
+        else:
+            self.trigger_and_wait_for_scan(devices[0])

regscale/integrations/commercial/stigv2/ckl_parser.py

@@ -82,15 +82,15 @@ class STIGInfo(BaseModel):
     """Data model for STIG Information with optional and required attributes."""
 
     version: str
-    classification: str
+    classification: Optional[str] = None
     customname: Optional[str] = None
     stigid: str
     description: Optional[str] = None
     filename: Optional[str] = None
     releaseinfo: str
     title: str
-    uuid: str
-    notice: str
+    uuid: Optional[str] = None
+    notice: Optional[str] = None
     source: Optional[str] = None
 
 
@@ -115,10 +115,10 @@ class Vuln(BaseModel):
     check_content: Optional[str] = None
     fix_text: str
     check_content_ref: Optional[str] = None
-    weight: str
+    weight: Optional[str] = None
     stigref: Optional[str] = None
     targetkey: Optional[str] = None
-    stig_uuid: str
+    stig_uuid: Optional[str] = None
     vuln_discuss: Optional[str] = None
     ia_controls: Optional[str] = None
     class_: Optional[str] = None