regscale-cli 6.24.0.0__py3-none-any.whl → 6.24.0.1__py3-none-any.whl

regscale/integrations/compliance_integration.py

@@ -25,6 +25,8 @@ from regscale.models.regscale_models import (
     ControlImplementation,
     Assessment,
     ImplementationObjective,
+    SecurityPlan,
+    ComplianceSettings,
 )
 
 logger = logging.getLogger("regscale")
@@ -160,6 +162,10 @@ class ComplianceIntegration(ScannerIntegration, ABC):
         # Set scan date
         self.scan_date = get_current_datetime()
 
+        # Cache for compliance settings
+        self._compliance_settings = None
+        self._security_plan = None
+
     def is_poam(self, finding: IntegrationFinding) -> bool:  # type: ignore[override]
         """
         Determines if an issue should be considered a POAM for compliance integrations.
@@ -1387,6 +1393,7 @@ class ComplianceIntegration(ScannerIntegration, ABC):
     def _parse_control_id(control_id: str) -> tuple[str, Optional[str]]:
         """
         Parse a control id like 'AC-2(1)', 'AC-2 (1)', 'AC-2-1' into (base, sub).
+        Normalizes leading zeros (e.g., AC-01 becomes AC-1).
 
         Returns (base, None) when no subcontrol.
 
@@ -1400,8 +1407,22 @@ class ComplianceIntegration(ScannerIntegration, ABC):
         if not m:
             return cid.upper(), None
         base = m.group(1).upper()
+        # Normalize leading zeros in base control number (e.g., AC-01 -> AC-1)
+        if "-" in base:
+            prefix, number = base.split("-", 1)
+            try:
+                normalized_number = str(int(number))
+                base = f"{prefix}-{normalized_number}"
+            except ValueError:
+                pass  # Keep original if conversion fails
         # Subcontrol may be captured in group 2, 3, or 4 depending on the branch matched
         sub = m.group(2) or m.group(3) or m.group(4)
+        # Normalize leading zeros in subcontrol (e.g., 01 -> 1)
+        if sub:
+            try:
+                sub = str(int(sub))
+            except ValueError:
+                pass  # Keep original if conversion fails
         return base, sub
 
     @classmethod
@@ -1433,6 +1454,7 @@ class ComplianceIntegration(ScannerIntegration, ABC):
     def _normalize_control_id(control_id: str) -> tuple[str, Optional[str]]:
         """
         Normalize control id to a canonical tuple (BASE, SUB) for set membership.
+        Normalizes leading zeros (e.g., AC-01 becomes AC-1).
 
         :param str control_id: Control identifier to normalize
         :return: Tuple of (base_control, subcontrol) in canonical form
@@ -1444,7 +1466,21 @@ class ComplianceIntegration(ScannerIntegration, ABC):
         if not m:
             return cid.upper(), None
         base = m.group(1).upper()
+        # Normalize leading zeros in base control number (e.g., AC-01 -> AC-1)
+        if "-" in base:
+            prefix, number = base.split("-", 1)
+            try:
+                normalized_number = str(int(number))
+                base = f"{prefix}-{normalized_number}"
+            except ValueError:
+                pass  # Keep original if conversion fails
         sub = m.group(2) or m.group(3) or m.group(4)
+        # Normalize leading zeros in subcontrol (e.g., 01 -> 1)
+        if sub:
+            try:
+                sub = str(int(sub))
+            except ValueError:
+                pass  # Keep original if conversion fails
         return base, sub
 
     def _create_control_assessment(
@@ -1622,9 +1658,198 @@ class ComplianceIntegration(ScannerIntegration, ABC):
 
         return "\n".join(html_parts)
 
+    def _get_security_plan(self) -> Optional[regscale_models.SecurityPlan]:
+        """
+        Get the security plan for this integration.
+
+        :return: SecurityPlan instance or None
+        :rtype: Optional[regscale_models.SecurityPlan]
+        """
+        if self._security_plan is None:
+            try:
+                logger.debug(f"Retrieving security plan with ID: {self.plan_id}")
+                self._security_plan = SecurityPlan.get_object(object_id=self.plan_id)
+                if self._security_plan:
+                    logger.debug(f"Retrieved security plan: {self._security_plan.title}")
+                    logger.debug(f"complianceSettingsId: {getattr(self._security_plan, 'complianceSettingsId', None)}")
+                else:
+                    logger.debug(f"No security plan found with ID: {self.plan_id}")
+            except Exception as e:
+                logger.debug(f"Error getting security plan {self.plan_id}: {e}")
+                self._security_plan = None
+        return self._security_plan
+
+    def _get_compliance_settings(self) -> Optional[regscale_models.ComplianceSettings]:
+        """
+        Get compliance settings for the security plan.
+
+        :return: ComplianceSettings instance or None
+        :rtype: Optional[regscale_models.ComplianceSettings]
+        """
+        if self._compliance_settings is None:
+            try:
+                security_plan = self._get_security_plan()
+                if self._has_valid_compliance_settings_id(security_plan):
+                    self._compliance_settings = self._fetch_compliance_settings(security_plan)
+                else:
+                    self._log_missing_compliance_settings_reason(security_plan)
+            except Exception as e:
+                logger.debug(f"Error getting compliance settings: {e}")
+                import traceback
+
+                logger.debug(f"Full traceback: {traceback.format_exc()}")
+                self._compliance_settings = None
+        return self._compliance_settings
+
+    def _has_valid_compliance_settings_id(self, security_plan) -> bool:
+        """Check if security plan has valid compliance settings ID."""
+        return security_plan and hasattr(security_plan, "complianceSettingsId") and security_plan.complianceSettingsId
+
+    def _fetch_compliance_settings(self, security_plan) -> Optional[regscale_models.ComplianceSettings]:
+        """Fetch and log compliance settings."""
+        logger.debug(f"Retrieving compliance settings with ID: {security_plan.complianceSettingsId}")
+        compliance_settings = ComplianceSettings.get_object(object_id=security_plan.complianceSettingsId)
+
+        if compliance_settings:
+            logger.debug(f"Using compliance settings: {compliance_settings.title}")
+            logger.debug(
+                f"Compliance settings has field groups: {bool(getattr(compliance_settings, 'complianceSettingsFieldGroups', None))}"
+            )
+        else:
+            logger.debug(f"No compliance settings found for ID: {security_plan.complianceSettingsId}")
+
+        return compliance_settings
+
+    def _log_missing_compliance_settings_reason(self, security_plan) -> None:
+        """Log specific reason why compliance settings are not available."""
+        if not security_plan:
+            logger.debug("Security plan not found")
+        elif not hasattr(security_plan, "complianceSettingsId"):
+            logger.debug("Security plan does not have complianceSettingsId attribute")
+        elif not security_plan.complianceSettingsId:
+            logger.debug("Security plan has no complianceSettingsId set")
+
+    def _get_implementation_status_from_result(self, result: str) -> str:
+        """
+        Get implementation status based on assessment result using compliance settings.
+
+        :param str result: Assessment result ('Pass' or 'Fail')
+        :return: Implementation status string
+        :rtype: str
+        """
+        logger.debug(f"Getting implementation status for result: {result}")
+        compliance_settings = self._get_compliance_settings()
+
+        if compliance_settings:
+            logger.debug(f"Using compliance settings: {compliance_settings.title}")
+            try:
+                status_labels = compliance_settings.get_field_labels("implementationStatus")
+                logger.debug(f"Available status labels: {status_labels}")
+
+                best_match = self._find_best_status_match(result.lower(), status_labels)
+                if best_match:
+                    return best_match
+
+                logger.debug(f"No matching compliance setting found for result: {result}")
+            except Exception as e:
+                logger.debug(f"Error using compliance settings for status mapping: {e}")
+        else:
+            logger.debug("No compliance settings available, using default mapping")
+
+        return self._get_default_status(result)
+
+    def _find_best_status_match(self, result_lower: str, status_labels: list) -> Optional[str]:
+        """Find best matching status label for the given result."""
+        best_match = None
+        best_match_score = 0
+
+        for label in status_labels:
+            label_lower = label.lower()
+            logger.debug(f"Checking label '{label}' for result '{result_lower}'")
+
+            if result_lower == "pass":
+                score = self._score_pass_result_label(label_lower)
+            elif result_lower == "fail":
+                score = self._score_fail_result_label(label_lower)
+            else:
+                score = 0
+
+            if score > best_match_score:
+                best_match = label
+                best_match_score = score
+                logger.debug(f"New best match: '{label}' (score: {score})")
+
+        if best_match:
+            logger.debug(
+                f"Selected best match: '{best_match}' (final score: {best_match_score}) for {result_lower} result"
+            )
+
+        return best_match
+
+    def _score_pass_result_label(self, label_lower: str) -> int:
+        """Score a label for Pass results (higher score = better match)."""
+        # Skip negative keywords that shouldn't match Pass results
+        negative_keywords = ["not", "failed", "violation", "remediation", "unsatisfied", "non-compliant"]
+        if any(neg_kw in label_lower for neg_kw in negative_keywords):
+            return 0
+
+        # Exact word matches get highest priority
+        exact_matches = {"implemented": 100, "complete": 95, "compliant": 90, "satisfied": 85}
+        if label_lower in exact_matches:
+            return exact_matches[label_lower]
+
+        # Partial matches get lower priority
+        if "implemented" in label_lower and "fully" not in label_lower and "partially" not in label_lower:
+            return 80
+        elif "complete" in label_lower:
+            return 75
+        elif "compliant" in label_lower:
+            return 70
+        elif "satisfied" in label_lower:
+            return 65
+        elif "fully" in label_lower and "implemented" in label_lower:
+            return 60
+        elif "partially" in label_lower and "implemented" in label_lower:
+            return 55
+        elif "implemented" in label_lower:
+            return 45
+        elif any(kw in label_lower for kw in ["complete", "compliant", "satisfied"]):
+            return 40
+
+        return 0
+
+    def _score_fail_result_label(self, label_lower: str) -> int:
+        """Score a label for Fail results (higher score = better match)."""
+        # Exact word matches get highest priority
+        if label_lower in ["remediation", "in remediation"]:
+            return 100
+        elif label_lower in ["failed", "not implemented"]:
+            return 95
+        elif label_lower in ["non-compliant", "violation"]:
+            return 90
+        elif label_lower == "unsatisfied":
+            return 85
+
+        # Partial matches get lower priority
+        elif "remediation" in label_lower:
+            return 80
+        elif "failed" in label_lower or "not implemented" in label_lower:
+            return 75
+        elif any(kw in label_lower for kw in ["non-compliant", "violation", "unsatisfied"]):
+            return 70
+
+        return 0
+
+    def _get_default_status(self, result: str) -> str:
+        """Get default implementation status when no compliance settings are available."""
+        default_status = "Fully Implemented" if result.lower() == "pass" else "In Remediation"
+        logger.debug(f"Using default status: {default_status}")
+        return default_status
+
     def _update_implementation_status(self, implementation: ControlImplementation, result: str) -> None:
         """
         Update control implementation status based on assessment result.
+        Uses compliance settings from the security plan if available, otherwise falls back to defaults.
 
         :param ControlImplementation implementation: Control implementation to update
         :param str result: Assessment result ('Pass' or 'Fail')
@@ -1632,10 +1857,8 @@ class ComplianceIntegration(ScannerIntegration, ABC):
         :rtype: None
         """
         try:
-            if result == "Pass":
-                new_status = "Fully Implemented"
-            else:
-                new_status = "In Remediation"
+            # Get status from compliance settings or fallback to default
+            new_status = self._get_implementation_status_from_result(result)
 
             # Update implementation status
             implementation.status = new_status
@@ -1653,7 +1876,7 @@ class ComplianceIntegration(ScannerIntegration, ABC):
                 objective.status = new_status
                 objective.save()
 
-            logger.debug(f"Updated implementation status to {new_status}")
+            logger.debug(f"Updated implementation status to {new_status} (from compliance settings)")
 
         except Exception as e:
             logger.error(f"Error updating implementation status: {e}")
@@ -1851,6 +2074,8 @@ class ComplianceIntegration(ScannerIntegration, ABC):
             except Exception:
                 pass
             existing_issue.dateLastUpdated = self.scan_date
+            # Set organization ID based on Issue Owner or SSP Owner hierarchy
+            existing_issue.orgId = self.determine_issue_organization_id(existing_issue.issueOwnerId)
             existing_issue.save()
 
             return existing_issue