regscale-cli 6.25.0.1__py3-none-any.whl → 6.26.0.0__py3-none-any.whl

regscale/integrations/compliance_integration.py

@@ -13,6 +13,7 @@ from collections import defaultdict
 from typing import Dict, List, Optional, Any, Iterator
 
 from regscale.core.app.utils.app_utils import get_current_datetime, regscale_string_to_datetime
+from regscale.integrations.control_matcher import ControlMatcher
 from regscale.integrations.scanner_integration import (
     ScannerIntegration,
     IntegrationAsset,
@@ -166,6 +167,9 @@ class ComplianceIntegration(ScannerIntegration, ABC):
         self._compliance_settings = None
         self._security_plan = None
 
+        # Initialize control matcher for robust control ID matching
+        self._control_matcher = ControlMatcher()
+
     def is_poam(self, finding: IntegrationFinding) -> bool:  # type: ignore[override]
         """
         Determines if an issue should be considered a POAM for compliance integrations.
@@ -1245,13 +1249,22 @@ class ComplianceIntegration(ScannerIntegration, ABC):
         """
         Find matching implementation and security control for a control ID.
 
+        Uses ControlMatcher for robust control ID matching with leading zero normalization.
+
         :param str control_id: Control identifier to match
         :param List[ControlImplementation] implementations: Available implementations
         :return: Tuple of matching implementation and security control, or (None, None)
         :rtype: tuple[Optional[ControlImplementation], Optional[SecurityControl]]
         """
+        # Generate all variations of the search control ID for matching
+        search_variations = self._control_matcher._get_control_id_variations(control_id)
+        if not search_variations:
+            logger.debug(f"Could not generate control ID variations for: {control_id}")
+            return None, None
+
         matching_implementation = None
         matching_security_control = None
+
         for implementation in implementations:
             try:
                 security_control = SecurityControl.get_object(object_id=implementation.controlID)
@@ -1264,10 +1277,16 @@ class ComplianceIntegration(ScannerIntegration, ABC):
                 if not security_control_id:
                     logger.debug(f"Security control {security_control.id} has no controlId")
                     continue
+
+                # Get variations of the security control ID
+                control_variations = self._control_matcher._get_control_id_variations(security_control_id)
+
                 logger.debug(
-                    f"Comparing extracted '{control_id}' with RegScale control '{security_control_id}' (impl: {implementation.id})"
+                    f"Comparing control '{control_id}' variations {list(search_variations)[:3]} with RegScale control '{security_control_id}' variations {list(control_variations)[:3]} (impl: {implementation.id})"
                 )
-                if self._control_ids_match(control_id, security_control_id):
+
+                # Check if any variation matches (set intersection)
+                if search_variations & control_variations:
                     matching_implementation = implementation
                     matching_security_control = security_control
                     logger.info(
@@ -1364,12 +1383,19 @@ class ComplianceIntegration(ScannerIntegration, ABC):
             component_title = f"Control {sec_control.controlId}"
             component = self.components_by_title.get(component_title) if hasattr(self, "components_by_title") else None
             if not component:
+                # Get complianceSettingsId from the security plan
+                security_plan = self._get_security_plan()
+                compliance_settings_id = getattr(security_plan, "complianceSettingsId", None) if security_plan else None
+                if not compliance_settings_id:
+                    compliance_setting = self._get_compliance_settings()
+                    compliance_settings_id = getattr(compliance_setting, "id", None) if compliance_setting else None
                 component = regscale_models.Component(
                     title=component_title,
                     componentType=regscale_models.ComponentType.Hardware,
                     securityPlansId=self.plan_id,
                     description=component_title,
                     componentOwnerId=self.get_assessor_id(),
+                    complianceSettingsId=compliance_settings_id,
                 ).get_or_create()
                 regscale_models.ComponentMapping(
                     componentId=component.id,
@@ -2050,6 +2076,8 @@ class ComplianceIntegration(ScannerIntegration, ABC):
         """
         Create or update an issue from a finding, using cache to prevent duplicates.
 
+        Properly handles milestone creation for compliance integrations.
+
         :param str title: Issue title
         :param IntegrationFinding finding: The finding to create issue from
         :return: Created or updated issue
@@ -2068,6 +2096,9 @@ class ComplianceIntegration(ScannerIntegration, ABC):
                 f"Found existing issue {existing_issue.id} (other_identifier: '{existing_issue.otherIdentifier}') for lookup external_id '{external_id}', updating instead of creating"
             )
 
+            # Store original status for milestone comparison
+            original_status = existing_issue.status
+
             # Update existing issue with new finding data
             existing_issue.title = title
             existing_issue.description = finding.description
@@ -2095,8 +2126,42 @@ class ComplianceIntegration(ScannerIntegration, ABC):
             existing_issue.orgId = self.determine_issue_organization_id(existing_issue.issueOwnerId)
             existing_issue.save()
 
+            # Create milestone if status changed
+            # Reconstruct original issue state for comparison
+            original_issue = regscale_models.Issue()
+            original_issue.status = original_status
+            self._create_milestones_for_updated_issue(existing_issue, finding, original_issue)
+
             return existing_issue
         else:
             # No existing issue found, create new one using parent method
             logger.debug(f"No existing issue found for external_id {external_id}, creating new issue")
             return super().create_or_update_issue_from_finding(title, finding)
+
+    def _create_milestones_for_updated_issue(
+        self,
+        issue: regscale_models.Issue,
+        finding: IntegrationFinding,
+        original_issue: regscale_models.Issue,
+    ) -> None:
+        """
+        Create milestones for an updated issue in compliance integration.
+
+        This method handles both status transition milestones and backfilling of missing
+        creation milestones for existing issues.
+
+        :param regscale_models.Issue issue: The updated issue
+        :param IntegrationFinding finding: The finding data
+        :param regscale_models.Issue original_issue: Original state for comparison
+        """
+        milestone_manager = self.get_milestone_manager()
+
+        # First, ensure the issue has a creation milestone (backfill if missing)
+        milestone_manager.ensure_creation_milestone_exists(issue=issue, finding=finding)
+
+        # Then, handle status transition milestones
+        milestone_manager.create_milestones_for_issue(
+            issue=issue,
+            finding=finding,
+            existing_issue=original_issue,
+        )

regscale/integrations/control_matcher.py

@@ -0,0 +1,358 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+"""
+Control Matcher - A utility class for identifying and matching control implementations
+across different RegScale entities based on control ID strings.
+"""
+
+import logging
+import re
+from typing import Dict, List, Optional, Tuple, Union
+
+from regscale.core.app.api import Api
+from regscale.core.app.application import Application
+from regscale.models.regscale_models.control_implementation import ControlImplementation
+from regscale.models.regscale_models.security_control import SecurityControl
+
+logger = logging.getLogger("regscale")
+
+
+class ControlMatcher:
+    """
+    A class to identify control IDs and match them across different RegScale entities.
+
+    This class provides control matching capabilities:
+    - Parse control ID strings to extract NIST control identifiers
+    - Match controls from catalogs to security plans
+    - Find control implementations based on control IDs
+    - Support multiple control ID formats (e.g., AC-1, AC-1(1), AC-1.1)
+
+    Note: This class is focused on finding and matching existing controls only.
+    Control creation/modification should be handled by calling code.
+    """
+
+    def __init__(self, app: Optional[Application] = None):
+        """
+        Initialize the ControlMatcher.
+
+        :param Optional[Application] app: RegScale Application instance
+        """
+        self.app = app or Application()
+        self.api = Api()
+        self._catalog_cache: Dict[int, List[SecurityControl]] = {}
+        self._control_impl_cache: Dict[Tuple[int, str], Dict[str, ControlImplementation]] = {}
+
+    def parse_control_id(self, control_string: str) -> Optional[str]:
+        """
+        Parse a control ID string and extract the standardized control identifier.
+
+        Handles various formats:
+        - NIST format: AC-1, AC-1(1), AC-1.1
+        - With leading zeros: AC-01, AC-17(02)
+        - With text: "Access Control AC-1"
+        - Multiple controls: "AC-1, AC-2"
+
+        :param str control_string: Raw control ID string
+        :return: Standardized control ID or None if not found
+        :rtype: Optional[str]
+        """
+        if not control_string:
+            return None
+
+        # Clean the string
+        control_string = control_string.strip().upper()
+
+        # Common NIST control ID pattern
+        # Matches: AC-1, AC-01, AC-1(1), AC-1(01), AC-1.1, AC-1.01, etc.
+        pattern = r"([A-Z]{2,3}-\d+(?:\(\d+\)|\.\d+)?)"
+
+        matches = re.findall(pattern, control_string)
+        if matches:
+            # Normalize parentheses to dots for consistency
+            control_id = matches[0]
+            control_id = control_id.replace("(", ".").replace(")", "")
+            return control_id
+
+        return None
+
+    def find_control_in_catalog(self, control_id: str, catalog_id: int) -> Optional[SecurityControl]:
+        """
+        Find a security control in a specific catalog by control ID.
+
+        :param str control_id: The control ID to search for
+        :param int catalog_id: The catalog ID to search in
+        :return: SecurityControl object if found, None otherwise
+        :rtype: Optional[SecurityControl]
+        """
+        controls = self._get_catalog_controls(catalog_id)
+
+        # Generate all possible variations of the control ID
+        search_ids = self._get_control_id_variations(control_id)
+
+        # Try exact match with any variation
+        for control in controls:
+            if control.controlId in search_ids:
+                return control
+
+        # Try matching control variations against search variations
+        for control in controls:
+            control_variations = self._get_control_id_variations(control.controlId)
+            if control_variations & search_ids:  # Set intersection
+                return control
+
+        return None
+
+    def find_control_implementation(
+        self, control_id: str, parent_id: int, parent_module: str = "securityplans", catalog_id: Optional[int] = None
+    ) -> Optional[ControlImplementation]:
+        """
+        Find a control implementation based on control ID and parent context.
+
+        :param str control_id: The control ID to match
+        :param int parent_id: Parent entity ID (e.g., security plan ID)
+        :param str parent_module: Parent module type (default: securityplans)
+        :param Optional[int] catalog_id: Optional catalog ID for better matching
+        :return: ControlImplementation if found, None otherwise
+        :rtype: Optional[ControlImplementation]
+        """
+        # Get control implementations for the parent
+        implementations = self._get_control_implementations(parent_id, parent_module)
+
+        # Get all variations of the control ID for matching
+        search_variations = self._get_control_id_variations(control_id)
+        if not search_variations:
+            logger.warning(f"Could not parse control ID: {control_id}")
+            return None
+
+        # Try to find matching implementation with variation matching
+        for impl_key, impl in implementations.items():
+            impl_variations = self._get_control_id_variations(impl_key)
+            if impl_variations & search_variations:  # Set intersection
+                return impl
+
+        # If catalog ID provided, try to find via security control
+        if catalog_id:
+            control = self.find_control_in_catalog(control_id, catalog_id)
+            if control:
+                # Search implementations by control ID
+                for impl in implementations.values():
+                    if impl.controlID == control.id:
+                        return impl
+
+        return None
+
+    def match_controls_to_implementations(
+        self,
+        control_ids: List[str],
+        parent_id: int,
+        parent_module: str = "securityplans",
+        catalog_id: Optional[int] = None,
+    ) -> Dict[str, Optional[ControlImplementation]]:
+        """
+        Match multiple control IDs to their implementations.
+
+        :param List[str] control_ids: List of control ID strings
+        :param int parent_id: Parent entity ID
+        :param str parent_module: Parent module type
+        :param Optional[int] catalog_id: Optional catalog ID
+        :return: Dictionary mapping control IDs to implementations
+        :rtype: Dict[str, Optional[ControlImplementation]]
+        """
+        results = {}
+
+        for control_id in control_ids:
+            impl = self.find_control_implementation(control_id, parent_id, parent_module, catalog_id)
+            results[control_id] = impl
+
+        return results
+
+    def get_security_plan_controls(self, security_plan_id: int) -> Dict[str, ControlImplementation]:
+        """
+        Get all control implementations for a security plan.
+
+        :param int security_plan_id: The security plan ID
+        :return: Dictionary of control implementations keyed by control ID
+        :rtype: Dict[str, ControlImplementation]
+        """
+        return self._get_control_implementations(security_plan_id, "securityplans")
+
+    def find_controls_by_pattern(self, pattern: str, catalog_id: int) -> List[SecurityControl]:
+        """
+        Find all controls in a catalog matching a pattern.
+
+        :param str pattern: Regex pattern or substring to match
+        :param int catalog_id: Catalog ID to search in
+        :return: List of matching SecurityControl objects
+        :rtype: List[SecurityControl]
+        """
+        controls = self._get_catalog_controls(catalog_id)
+        matched = []
+
+        for control in controls:
+            if (re.search(pattern, control.controlId, re.IGNORECASE)) or (
+                control.title and re.search(pattern, control.title, re.IGNORECASE)
+            ):
+                matched.append(control)
+
+        return matched
+
+    def bulk_match_controls(
+        self,
+        control_mappings: Dict[str, str],
+        parent_id: int,
+        parent_module: str = "securityplans",
+        catalog_id: Optional[int] = None,
+    ) -> Dict[str, Optional[ControlImplementation]]:
+        """
+        Bulk match control IDs to their implementations.
+
+        :param Dict[str, str] control_mappings: Dict of {external_id: control_id}
+        :param int parent_id: Parent entity ID
+        :param str parent_module: Parent module type
+        :param Optional[int] catalog_id: Catalog ID for controls
+        :return: Dictionary mapping external IDs to ControlImplementations (None if not found)
+        :rtype: Dict[str, Optional[ControlImplementation]]
+        """
+        results = {}
+
+        for external_id, control_id in control_mappings.items():
+            impl = self.find_control_implementation(control_id, parent_id, parent_module, catalog_id)
+            results[external_id] = impl
+
+        return results
+
+    def _get_catalog_controls(self, catalog_id: int) -> List[SecurityControl]:
+        """
+        Get all controls for a catalog (with caching).
+
+        :param int catalog_id: Catalog ID
+        :return: List of SecurityControl objects
+        :rtype: List[SecurityControl]
+        """
+        if catalog_id not in self._catalog_cache:
+            try:
+                controls = SecurityControl.get_list_by_catalog(catalog_id)
+                self._catalog_cache[catalog_id] = controls
+            except Exception as e:
+                logger.error(f"Failed to get controls for catalog {catalog_id}: {e}")
+                return []
+
+        return self._catalog_cache.get(catalog_id, [])
+
+    def _normalize_control_id(self, control_id: str) -> Optional[str]:
+        """
+        Normalize a control ID by removing leading zeros from all numeric parts.
+
+        Examples:
+        - AC-01 -> AC-1
+        - AC-17(02) -> AC-17.2
+        - AC-1.01 -> AC-1.1
+
+        :param str control_id: The control ID to normalize
+        :return: Normalized control ID or None if invalid
+        :rtype: Optional[str]
+        """
+        parsed = self.parse_control_id(control_id)
+        if not parsed:
+            return None
+
+        # Split by '-' to get family and number parts
+        parts = parsed.split("-")
+        if len(parts) != 2:
+            return None
+
+        family = parts[0]
+        number_part = parts[1]
+
+        # Handle enhancement notation (both . and parentheses are normalized to .)
+        if "." in number_part:
+            main_num, enhancement = number_part.split(".", 1)
+            # Remove leading zeros from both parts
+            main_num = str(int(main_num))
+            enhancement = str(int(enhancement))
+            return f"{family}-{main_num}.{enhancement}"
+        else:
+            # Just main control number
+            main_num = str(int(number_part))
+            return f"{family}-{main_num}"
+
+    def _get_control_id_variations(self, control_id: str) -> set:
+        """
+        Generate all valid variations of a control ID (with and without leading zeros).
+
+        Examples:
+        - AC-1 -> {AC-1, AC-01}
+        - AC-17.2 -> {AC-17.2, AC-17.02, AC-17(2), AC-17(02)}
+
+        :param str control_id: The control ID to generate variations for
+        :return: Set of all valid variations
+        :rtype: set
+        """
+        parsed = self.parse_control_id(control_id)
+        if not parsed:
+            return set()
+
+        variations = set()
+
+        # Split by '-' to get family and number parts
+        parts = parsed.split("-")
+        if len(parts) != 2:
+            return set()
+
+        family = parts[0]
+        number_part = parts[1]
+
+        # Handle enhancement notation
+        if "." in number_part:
+            main_num, enhancement = number_part.split(".", 1)
+            main_int = int(main_num)
+            enh_int = int(enhancement)
+
+            # Generate all combinations: with/without leading zeros, dot/parenthesis notation
+            for main_fmt in [str(main_int), f"{main_int:02d}"]:
+                for enh_fmt in [str(enh_int), f"{enh_int:02d}"]:
+                    variations.add(f"{family}-{main_fmt}.{enh_fmt}")
+                    variations.add(f"{family}-{main_fmt}({enh_fmt})")
+        else:
+            # Just main control number
+            main_int = int(number_part)
+            variations.add(f"{family}-{main_int}")
+            variations.add(f"{family}-{main_int:02d}")
+
+        # Add uppercase versions to ensure consistency
+        return {v.upper() for v in variations}
+
+    def _get_control_implementations(self, parent_id: int, parent_module: str) -> Dict[str, ControlImplementation]:
+        """
+        Get control implementations for a parent (with caching).
+
+        :param int parent_id: Parent ID
+        :param str parent_module: Parent module
+        :return: Dict of implementations keyed by control ID
+        :rtype: Dict[str, ControlImplementation]
+        """
+        cache_key = (parent_id, parent_module)
+
+        if cache_key not in self._control_impl_cache:
+            try:
+                # Get the label map which maps control IDs to implementation IDs
+                label_map = ControlImplementation.get_control_label_map_by_parent(parent_id, parent_module)
+
+                implementations = {}
+                for control_label, impl_id in label_map.items():
+                    impl = ControlImplementation.get_object(impl_id)
+                    if impl:
+                        implementations[control_label] = impl
+
+                self._control_impl_cache[cache_key] = implementations
+            except Exception as e:
+                logger.error(f"Failed to get implementations for {parent_module}/{parent_id}: {e}")
+                return {}
+
+        return self._control_impl_cache.get(cache_key, {})
+
+    def clear_cache(self):
+        """Clear all cached data."""
+        self._catalog_cache.clear()
+        self._control_impl_cache.clear()
+        logger.info("Cleared control matcher cache")

regscale/integrations/due_date_handler.py

@@ -7,13 +7,16 @@ from datetime import datetime
 from typing import Any, Dict, Optional
 
 from regscale.core.app.application import Application
-from regscale.core.utils.date import date_str, get_day_increment
+from regscale.core.utils.date import get_day_increment
 from regscale.integrations.public.cisa import pull_cisa_kev
 from regscale.models import regscale_models
 from regscale.utils.threading import ThreadSafeDict
 
 logger = logging.getLogger("regscale")
 
+# Date format constant for consistent datetime string formatting
+DATETIME_FORMAT = "%Y-%m-%dT%H:%M:%S"
+
 
 class DueDateHandler:
     """
@@ -21,6 +24,19 @@ class DueDateHandler:
     1. Init.yaml timeline configurations per integration
     2. KEV (Known Exploited Vulnerabilities) dates from CISA
     3. Default severity-based timelines
+    4. Configurable past due date validation (noPastDueDates setting)
+
+    Configuration Options:
+    - Global setting: issues.noPastDueDates (default: true)
+    - Per-integration: issues.{integration_name}.noPastDueDates
+
+    When noPastDueDates=true (default):
+    - Due dates calculated in the past are automatically adjusted to future dates
+    - Prevents API validation errors for past due dates
+
+    When noPastDueDates=false:
+    - Original due dates are preserved, even if they're in the past
+    - Useful for historical data or when past dates are intentionally required
     """
 
     def __init__(self, integration_name: str, config: Optional[Dict[str, Any]] = None):
@@ -45,6 +61,9 @@ class DueDateHandler:
         # Load integration-specific timelines from config
         self.integration_timelines = self._load_integration_timelines()
 
+        # Load noPastDueDates setting (defaults to True)
+        self.no_past_due_dates = self._load_no_past_due_dates_setting()
+
     def _load_integration_timelines(self) -> Dict[regscale_models.IssueSeverity, int]:
         """
         Load timeline configurations for this integration from init.yaml
@@ -75,6 +94,37 @@ class DueDateHandler:
 
         return timelines
 
+    def _load_no_past_due_dates_setting(self) -> bool:
+        """
+        Load noPastDueDates setting for this integration from init.yaml
+
+        Configuration hierarchy:
+        1. Integration-specific setting: issues.{integration_name}.noPastDueDates
+        2. Global setting: issues.noPastDueDates
+        3. Default: True
+
+        :return: True if past due dates should be automatically adjusted to future dates
+        :rtype: bool
+        """
+        issues_config = self.config.get("issues", {})
+        integration_config = issues_config.get(self.integration_name, {})
+
+        # Check integration-specific setting first
+        if "noPastDueDates" in integration_config:
+            setting = integration_config["noPastDueDates"]
+            logger.debug(f"Using integration-specific noPastDueDates={setting} for {self.integration_name}")
+            return bool(setting)
+
+        # Fall back to global setting
+        if "noPastDueDates" in issues_config:
+            setting = issues_config["noPastDueDates"]
+            logger.debug(f"Using global noPastDueDates={setting} for {self.integration_name}")
+            return bool(setting)
+
+        # Default to True (prevent past due dates)
+        logger.debug(f"Using default noPastDueDates=True for {self.integration_name}")
+        return True
+
     def _get_kev_data(self) -> ThreadSafeDict:
         """
         Get KEV data from CISA, using cache if available
@@ -160,17 +210,26 @@ class DueDateHandler:
                     kev_date = date_parse(kev_due_date).date()
                     created_dt = date_parse(created_date).date()
 
-                    # If KEV due date is after creation date, use KEV date
+                    # If KEV due date is after creation date, use KEV date but ensure it's not in the past
                     # If KEV due date is before creation date, add the difference to creation date
                     if kev_date >= created_dt:
-                        logger.debug(f"Using KEV due date {kev_due_date} for CVE {cve}")
-                        return kev_due_date
+                        # Ensure KEV due date is not in the past
+                        kev_due_validated = self._ensure_future_due_date(
+                            kev_due_date, 30
+                        )  # Use 30 days as fallback for KEV
+                        logger.debug(f"Using KEV due date {kev_due_validated} for CVE {cve}")
+                        return kev_due_validated
                     else:
                         # KEV date has passed, calculate new due date from creation
                         days_diff = (created_dt - kev_date).days
                         # Give at least 30 days from creation for critical KEV items
                         adjusted_days = max(30, days_diff)
-                        due_date = date_str(get_day_increment(start=created_date, days=adjusted_days))
+                        calculated_due_date_obj = get_day_increment(start=created_date, days=adjusted_days)
+                        calculated_due_date = datetime.combine(calculated_due_date_obj, datetime.min.time()).strftime(
+                            DATETIME_FORMAT
+                        )
+                        # Ensure the adjusted due date is not in the past
+                        due_date = self._ensure_future_due_date(calculated_due_date, adjusted_days)
                         logger.debug(f"KEV date passed, using adjusted due date {due_date} for CVE {cve}")
                         return due_date
 
@@ -179,12 +238,64 @@ class DueDateHandler:
 
         # Fall back to severity-based timeline from integration config
         days = self.integration_timelines.get(severity, self.default_timelines[severity])
-        due_date = date_str(get_day_increment(start=created_date, days=days))
+        calculated_due_date_obj = get_day_increment(start=created_date, days=days)
+        calculated_due_date = datetime.combine(calculated_due_date_obj, datetime.min.time()).strftime(DATETIME_FORMAT)
+
+        # Ensure due date is never in the past (allow yesterday for timezone differences)
+        due_date = self._ensure_future_due_date(calculated_due_date, days)
 
         logger.debug(f"Using {self.integration_name} timeline: {severity.name} = {days} days, due date = {due_date}")
 
         return due_date
 
+    def _ensure_future_due_date(self, calculated_due_date: str, original_days: int) -> str:
+        """
+        Ensure the due date is not in the past. If it is, set it to today + original timeline days.
+        Behavior is controlled by the noPastDueDates configuration setting.
+
+        :param str calculated_due_date: The originally calculated due date
+        :param int original_days: The original number of days for this severity
+        :return: A due date that respects the noPastDueDates setting
+        :rtype: str
+        """
+        # If noPastDueDates is disabled, return the original date without validation
+        if not self.no_past_due_dates:
+            logger.debug(
+                f"noPastDueDates=False for {self.integration_name}, returning original due date: {calculated_due_date}"
+            )
+            return calculated_due_date
+
+        from dateutil.parser import parse as date_parse
+        from datetime import date
+
+        try:
+            calculated_date = date_parse(calculated_due_date).date()
+            today = date.today()
+
+            if calculated_date >= today:
+                return calculated_due_date
+            else:
+                # Due date is in the past, calculate new due date from today
+                # Use minimum 1 day to ensure it's always in the future
+                safe_days = max(1, original_days)
+                new_due_date_obj = get_day_increment(start=today, days=safe_days)
+                new_due_date = datetime.combine(new_due_date_obj, datetime.min.time()).strftime(DATETIME_FORMAT)
+                logger.debug(
+                    f"Due date {calculated_due_date} was in the past for {self.integration_name}. "
+                    f"Adjusted to {new_due_date} ({safe_days} days from today)."
+                )
+                return new_due_date
+
+        except Exception as e:
+            logger.warning(f"Failed to validate due date {calculated_due_date}: {e}")
+            # If we can't parse the date, return a safe fallback only if noPastDueDates is enabled
+            if self.no_past_due_dates:
+                safe_days = max(1, original_days)
+                fallback_due_date_obj = get_day_increment(start=date.today(), days=safe_days)
+                return datetime.combine(fallback_due_date_obj, datetime.min.time()).strftime(DATETIME_FORMAT)
+            else:
+                return calculated_due_date
+
     def get_integration_config(self) -> Dict[str, Any]:
         """
         Get the full integration configuration from init.yaml
@@ -205,6 +316,7 @@ class DueDateHandler:
         return {
             "integration_name": self.integration_name,
             "use_kev": self._should_use_kev(),
+            "no_past_due_dates": self.no_past_due_dates,
             "timelines": {severity.name: days for severity, days in self.integration_timelines.items()},
             "config_source": "init.yaml",
         }