regscale-cli 6.25.1.0__py3-none-any.whl → 6.26.0.0__py3-none-any.whl

regscale/integrations/commercial/wizv2/compliance_report.py

@@ -17,8 +17,10 @@ from regscale.integrations.commercial.wizv2.reports import WizReportManager
 from regscale.integrations.commercial.wizv2.variables import WizVariables
 from regscale.integrations.commercial.wizv2.wiz_auth import wiz_authenticate
 from regscale.integrations.compliance_integration import ComplianceIntegration, ComplianceItem
+from regscale.integrations.control_matcher import ControlMatcher
 from regscale.models import regscale_models
-from regscale.models.regscale_models.control_implementation import ControlImplementation, ControlImplementationStatus
+from regscale.models.regscale_models.control_implementation import ControlImplementation
+from regscale.models.regscale_models.issue import IssueIdentification
 
 logger = logging.getLogger("regscale")
 
@@ -135,7 +137,12 @@ class WizComplianceReportItem(ComplianceItem):
     def _format_control_id(self, base_control: str, enhancement: str) -> str:
         """Format control ID with optional enhancement."""
         if enhancement:
-            return f"{base_control}({enhancement})"
+            # Normalize enhancement number to remove leading zeros
+            try:
+                normalized_enhancement = str(int(enhancement))
+            except ValueError:
+                normalized_enhancement = enhancement
+            return f"{base_control}({normalized_enhancement})"
         else:
             return base_control
 
@@ -277,6 +284,10 @@ class WizComplianceReportProcessor(ComplianceIntegration):
 
         self.report_manager = WizReportManager(WizVariables.wizUrl, access_token)
 
+        # Initialize control matcher for robust control ID matching (inherited from parent but ensure it's set)
+        if not hasattr(self, "_control_matcher"):
+            self._control_matcher = ControlMatcher()
+
     def parse_csv_report(self, file_path: str) -> List[WizComplianceReportItem]:
         """
         Parse CSV compliance report.
@@ -783,7 +794,7 @@ class WizComplianceReportProcessor(ComplianceIntegration):
         """
         try:
             # Filter for compliance reports for this specific project
-            filter_by = {"project": [self.wiz_project_id], "type": ["COMPLIANCE_ASSESSMENTS"]}
+            filter_by = {"projectId": [self.wiz_project_id], "type": ["COMPLIANCE_ASSESSMENTS"]}
 
             logger.debug(f"Searching for existing compliance reports with filter: {filter_by}")
             reports = self.report_manager.list_reports(filter_by=filter_by)
@@ -876,76 +887,66 @@ class WizComplianceReportProcessor(ComplianceIntegration):
         """
         Update passing controls to 'Implemented' status in RegScale.
 
+        Uses ControlMatcher for robust control ID matching with leading zero normalization.
+
         :param list[str] passing_control_ids: List of control IDs that passed
         """
         if not passing_control_ids:
             return
 
-        # Initialize Application for control implementation updates
-        # app = Application()  # Will be used through self.app
-
         try:
-            # Use the existing method that works for getting control name to implementation ID mapping
-            control_impl_map = ControlImplementation.get_control_label_map_by_parent(
-                parent_id=self.plan_id, parent_module=self.parent_module
-            )
-
-            logger.debug(
-                f"Built control implementation map with {len(control_impl_map)} entries using get_control_label_map_by_parent"
-            )
-            if control_impl_map:
-                sample_keys = list(control_impl_map.keys())[:10]
-                logger.debug(f"Sample control names in map: {sample_keys}")
-
             logger.debug(f"Looking for passing control IDs: {passing_control_ids}")
 
             # Prepare batch updates for passing controls
             implementations_to_update = []
-
-            # Debug: Show what keys are actually in the control_impl_map
-            if control_impl_map:
-                logger.debug(f"Control implementation map keys: {list(control_impl_map.keys())[:20]}")
+            controls_not_found = []
 
             for control_id in passing_control_ids:
-                control_id_lower = control_id.lower()
-                logger.debug(f"Looking for control '{control_id_lower}' in implementation map")
-
-                if control_id_lower in control_impl_map:
-                    impl_id = control_impl_map[control_id_lower]
-                    logger.debug(f"Found matching implementation for '{control_id_lower}': {impl_id}")
-
-                    # Get the ControlImplementation object
-                    impl = ControlImplementation.get_object(object_id=impl_id)
-                    if impl:
-                        # Update status using compliance settings
-                        new_status = self._get_implementation_status_from_result("Pass")
-                        logger.debug(f"Setting control {control_id} status from 'Pass' result to: {new_status}")
-                        impl.status = new_status
-                        impl.dateLastAssessed = get_current_datetime()
-                        impl.lastAssessmentResult = "Pass"
-                        impl.bStatusImplemented = True
-
-                        # Ensure required fields are set if empty
-                        if not impl.responsibility:
-                            impl.responsibility = ControlImplementation.get_default_responsibility(
-                                parent_id=impl.parentId
-                            )
-                            logger.debug(
-                                f"Setting default responsibility for control {control_id}: {impl.responsibility}"
-                            )
-
-                        if not impl.implementation:
-                            impl.implementation = f"Implementation details for {control_id} will be documented."
-                            logger.debug(f"Setting default implementation statement for control {control_id}")
-
-                        # Set audit fields if available
-                        user_id = self.app.config.get("userId")
-                        if user_id:
-                            impl.lastUpdatedById = user_id
-                            impl.dateLastUpdated = get_current_datetime()
-
-                        implementations_to_update.append(impl.dict())
-                        logger.info(f"Marking control {control_id} as {new_status}")
+                # Use ControlMatcher to find implementation with robust control ID matching
+                impl = self._control_matcher.find_control_implementation(
+                    control_id=control_id, parent_id=self.plan_id, parent_module=self.parent_module
+                )
+
+                if impl:
+                    logger.debug(f"Found matching implementation for '{control_id}': {impl.id}")
+
+                    # Update status using compliance settings
+                    new_status = self._get_implementation_status_from_result("Pass")
+                    logger.debug(f"Setting control {control_id} status from 'Pass' result to: {new_status}")
+                    impl.status = new_status
+                    impl.dateLastAssessed = get_current_datetime()
+                    impl.lastAssessmentResult = "Pass"
+                    impl.bStatusImplemented = True
+
+                    # Ensure required fields are set if empty
+                    if not impl.responsibility:
+                        impl.responsibility = ControlImplementation.get_default_responsibility(parent_id=impl.parentId)
+                        logger.debug(f"Setting default responsibility for control {control_id}: {impl.responsibility}")
+
+                    if not impl.implementation:
+                        impl.implementation = f"Implementation details for {control_id} will be documented."
+                        logger.debug(f"Setting default implementation statement for control {control_id}")
+
+                    # Set audit fields if available
+                    user_id = self.app.config.get("userId")
+                    if user_id:
+                        impl.lastUpdatedById = user_id
+                        impl.dateLastUpdated = get_current_datetime()
+
+                    implementations_to_update.append(impl.dict())
+                    logger.info(f"Marking control {control_id} as {new_status}")
+                else:
+                    logger.debug(f"Control '{control_id}' not found in implementation map")
+                    controls_not_found.append(control_id)
+
+            # Log summary
+            if controls_not_found:
+                logger.info(f"Passing control IDs not found in plan: {', '.join(sorted(controls_not_found))}")
+
+            logger.info(
+                f"Control implementation status update summary: {len(implementations_to_update)} found, "
+                f"{len(controls_not_found)} not in plan"
+            )
 
             # Batch update all implementations
             if implementations_to_update:
@@ -957,104 +958,47 @@ class WizComplianceReportProcessor(ComplianceIntegration):
         except Exception as e:
             logger.error(f"Error updating control implementation status: {e}")
 
-    def _update_failing_controls_to_in_remediation(self, control_ids: List[str]) -> None:
-        """
-        Update control implementation status to In Remediation for failing controls.
-
-        :param List[str] control_ids: List of control IDs that are failing
-        :return: None
-        :rtype: None
+    def _prepare_failing_control_update(self, control_id: str) -> Optional[dict]:
         """
-        if not control_ids:
-            return
-
-        try:
-            control_impl_map = self._get_control_implementation_map()
-            if not control_impl_map:
-                return
-
-            implementations_to_update, controls_not_found = self._process_failing_control_ids(
-                control_ids, control_impl_map
-            )
-
-            self._log_update_summary(implementations_to_update, controls_not_found)
-            self._batch_update_implementations(implementations_to_update)
-
-        except Exception as e:
-            logger.error(f"Error updating failing control implementation status: {e}")
-
-    def _get_control_implementation_map(self) -> dict:
-        """Get control implementation map and validate it exists."""
-
-        control_impl_map = ControlImplementation.get_control_label_map_by_parent(
-            parent_id=self.plan_id, parent_module=self.parent_module
-        )
-
-        if not control_impl_map:
-            logger.warning("No control implementation mapping found for security plan")
-            return {}
+        Prepare a single failing control for update.
 
-        logger.debug(f"Control implementation map contains {len(control_impl_map)} entries")
-        return control_impl_map
-
-    def _process_failing_control_ids(self, control_ids: List[str], control_impl_map: dict) -> tuple[list, list]:
-        """Process failing control IDs and return implementations to update and controls not found."""
-
-        logger.debug(f"Looking for failing control IDs: {control_ids}")
-        implementations_to_update = []
-        controls_not_found = []
-
-        # Debug: Show what keys are actually in the control_impl_map for comparison
-        if control_impl_map:
-            logger.debug(f"Control implementation map keys (first 20): {list(control_impl_map.keys())[:20]}")
-
-        for control_id in control_ids:
-            control_id_normalized = control_id.lower()
-            logger.debug(f"Looking for control '{control_id_normalized}' in implementation map")
-
-            if control_id_normalized in control_impl_map:
-                impl = self._update_single_control_implementation(
-                    control_id, control_id_normalized, control_impl_map[control_id_normalized]
-                )
-                if impl:
-                    implementations_to_update.append(impl)
-                else:
-                    controls_not_found.append(control_id)
-            else:
-                logger.debug(f"Control '{control_id_normalized}' not found in implementation map")
-                controls_not_found.append(control_id)
-
-        return implementations_to_update, controls_not_found
-
-    def _update_single_control_implementation(
-        self, control_id: str, control_id_normalized: str, impl_id: int
-    ) -> Optional[dict]:
-        """Update a single control implementation to In Remediation status.
-        :param str control_id: ID of the control to update
-        :param str control_id_normalized: ID of the control to update
-        :param int impl_id: ID of the implementation to update
-        :return: Updated implementation status if implementation exists
+        :param str control_id: Control ID to update
+        :return: Dictionary representation of updated implementation, or None if not found
         :rtype: Optional[dict]
         """
-        from regscale.core.app.utils.app_utils import get_current_datetime
-        from regscale.models.regscale_models import ControlImplementationStatus
-
-        logger.debug(f"Found matching implementation for '{control_id_normalized}': {impl_id}")
+        impl = self._control_matcher.find_control_implementation(
+            control_id=control_id, parent_id=self.plan_id, parent_module=self.parent_module
+        )
 
-        impl = ControlImplementation.get_object(object_id=impl_id)
         if not impl:
-            logger.warning(f"Could not retrieve implementation object for ID {impl_id}")
+            logger.debug(f"Control '{control_id}' not found in implementation map")
             return None
 
-        # Update status using compliance settings
+        logger.debug(f"Found matching implementation for '{control_id}': {impl.id}")
+
         new_status = self._get_implementation_status_from_result("Fail")
         logger.debug(f"Setting control {control_id} status from 'Fail' result to: {new_status}")
+
         impl.status = new_status
         impl.dateLastAssessed = get_current_datetime()
         impl.lastAssessmentResult = "Fail"
         impl.bStatusImplemented = False
 
-        # Ensure required fields are set if empty
+        self._set_default_fields_if_empty(impl, control_id)
+        self._set_audit_fields(impl)
+
+        logger.info(f"Marking control {control_id} as {new_status}")
+        return impl.dict()
+
+    def _set_default_fields_if_empty(self, impl: ControlImplementation, control_id: str) -> None:
+        """
+        Set default values for required fields if they are empty.
+
+        :param ControlImplementation impl: Implementation to update
+        :param str control_id: Control ID for logging
+        :return: None
+        :rtype: None
+        """
         if not impl.responsibility:
             impl.responsibility = ControlImplementation.get_default_responsibility(parent_id=impl.parentId)
             logger.debug(f"Setting default responsibility for control {control_id}: {impl.responsibility}")
@@ -1063,27 +1007,76 @@ class WizComplianceReportProcessor(ComplianceIntegration):
             impl.implementation = f"Implementation details for {control_id} will be documented."
             logger.debug(f"Setting default implementation statement for control {control_id}")
 
-        # Set audit fields if available
+    def _set_audit_fields(self, impl: ControlImplementation) -> None:
+        """
+        Set audit fields on implementation if user ID is available.
+
+        :param ControlImplementation impl: Implementation to update
+        :return: None
+        :rtype: None
+        """
         user_id = self.app.config.get("userId")
         if user_id:
             impl.lastUpdatedById = user_id
             impl.dateLastUpdated = get_current_datetime()
 
-        logger.info(f"Marking control {control_id} as {new_status}")
-        return impl.dict()
+    def _update_failing_controls_to_in_remediation(self, control_ids: List[str]) -> None:
+        """
+        Update control implementation status to In Remediation for failing controls.
+
+        Uses ControlMatcher for robust control ID matching with leading zero normalization.
+
+        :param List[str] control_ids: List of control IDs that are failing
+        :return: None
+        :rtype: None
+        """
+        if not control_ids:
+            return
 
-    def _log_update_summary(self, implementations_to_update: list, controls_not_found: list) -> None:
-        """Log summary of control implementation updates."""
+        try:
+            logger.debug(f"Looking for failing control IDs: {control_ids}")
+
+            implementations_to_update = []
+            controls_not_found = []
+
+            for control_id in control_ids:
+                impl_dict = self._prepare_failing_control_update(control_id)
+                if impl_dict:
+                    implementations_to_update.append(impl_dict)
+                else:
+                    controls_not_found.append(control_id)
+
+            self._log_update_summary(controls_not_found, implementations_to_update)
+            self._batch_update_implementations(implementations_to_update)
+
+        except Exception as e:
+            logger.error(f"Error updating failing control implementation status: {e}")
+
+    def _log_update_summary(self, controls_not_found: List[str], implementations_to_update: List[dict]) -> None:
+        """
+        Log summary of control update operation.
+
+        :param List[str] controls_not_found: List of controls not found
+        :param List[dict] implementations_to_update: List of implementations to update
+        :return: None
+        :rtype: None
+        """
         if controls_not_found:
-            skipped_list = ", ".join(controls_not_found[:5])
-            more_indicator = "..." if len(controls_not_found) > 5 else ""
-            logger.info(
-                f"Control implementation status update summary: {len(implementations_to_update)} found, "
-                f"{len(controls_not_found)} not in plan (skipped: {skipped_list}{more_indicator})"
-            )
+            logger.info(f"Control IDs not found in plan: {', '.join(sorted(controls_not_found))}")
+
+        logger.info(
+            f"Control implementation status update summary: {len(implementations_to_update)} found, "
+            f"{len(controls_not_found)} not in plan"
+        )
+
+    def _batch_update_implementations(self, implementations_to_update: List[dict]) -> None:
+        """
+        Perform batch update of control implementations.
 
-    def _batch_update_implementations(self, implementations_to_update: list) -> None:
-        """Perform batch update of control implementations."""
+        :param List[dict] implementations_to_update: List of implementations to update
+        :return: None
+        :rtype: None
+        """
         if implementations_to_update:
             ControlImplementation.put_batch_implementation(self.app, implementations_to_update)
             logger.debug(f"Updated {len(implementations_to_update)} Control Implementations, Successfully!")
@@ -1551,6 +1544,7 @@ class WizComplianceReportProcessor(ComplianceIntegration):
             rule_id=control_id,
             baseline=representative_item.framework,
             affected_controls=control_id,
+            identification=IssueIdentification.SecurityControlAssessment.value,
         )
 
     def _create_finding_from_compliance_item(self, compliance_item: ComplianceItem) -> Optional[Any]:
@@ -1587,6 +1581,7 @@ class WizComplianceReportProcessor(ComplianceIntegration):
                 rule_id=compliance_item.control_id,
                 baseline=compliance_item.framework,
                 affected_controls=compliance_item.affected_controls,  # Use our property with all control IDs
+                identification=IssueIdentification.SecurityControlAssessment.value,
             )
 
             return finding

regscale/integrations/commercial/wizv2/scanner.py

@@ -1940,10 +1940,9 @@ class WizVulnerabilityIntegration(ScannerIntegration):
         else:
             logger.info("File %s does not exist. Fetching new data...", file_path)
 
-        self.authenticate(WizVariables.wizClientId, WizVariables.wizClientSecret)
-
+        # Ensure we have a valid token (should already be set by caller)
         if not self.wiz_token:
-            error_and_exit("Wiz token is not set. Please authenticate first.")
+            error_and_exit("Wiz token is not set. Please authenticate before calling fetch_wiz_data_if_needed.")
 
         nodes = fetch_wiz_data(
             query=query,
@@ -1952,6 +1951,7 @@ class WizVulnerabilityIntegration(ScannerIntegration):
             token=self.wiz_token,
             topic_key=topic_key,
         )
+
         with open(file_path, "w", encoding="utf-8") as file:
             json.dump(nodes, file)
 

regscale/integrations/compliance_integration.py

@@ -13,6 +13,7 @@ from collections import defaultdict
 from typing import Dict, List, Optional, Any, Iterator
 
 from regscale.core.app.utils.app_utils import get_current_datetime, regscale_string_to_datetime
+from regscale.integrations.control_matcher import ControlMatcher
 from regscale.integrations.scanner_integration import (
     ScannerIntegration,
     IntegrationAsset,
@@ -166,6 +167,9 @@ class ComplianceIntegration(ScannerIntegration, ABC):
         self._compliance_settings = None
         self._security_plan = None
 
+        # Initialize control matcher for robust control ID matching
+        self._control_matcher = ControlMatcher()
+
     def is_poam(self, finding: IntegrationFinding) -> bool:  # type: ignore[override]
         """
         Determines if an issue should be considered a POAM for compliance integrations.
@@ -1245,13 +1249,22 @@ class ComplianceIntegration(ScannerIntegration, ABC):
         """
         Find matching implementation and security control for a control ID.
 
+        Uses ControlMatcher for robust control ID matching with leading zero normalization.
+
         :param str control_id: Control identifier to match
         :param List[ControlImplementation] implementations: Available implementations
         :return: Tuple of matching implementation and security control, or (None, None)
         :rtype: tuple[Optional[ControlImplementation], Optional[SecurityControl]]
         """
+        # Generate all variations of the search control ID for matching
+        search_variations = self._control_matcher._get_control_id_variations(control_id)
+        if not search_variations:
+            logger.debug(f"Could not generate control ID variations for: {control_id}")
+            return None, None
+
         matching_implementation = None
         matching_security_control = None
+
         for implementation in implementations:
             try:
                 security_control = SecurityControl.get_object(object_id=implementation.controlID)
@@ -1264,10 +1277,16 @@ class ComplianceIntegration(ScannerIntegration, ABC):
                 if not security_control_id:
                     logger.debug(f"Security control {security_control.id} has no controlId")
                     continue
+
+                # Get variations of the security control ID
+                control_variations = self._control_matcher._get_control_id_variations(security_control_id)
+
                 logger.debug(
-                    f"Comparing extracted '{control_id}' with RegScale control '{security_control_id}' (impl: {implementation.id})"
+                    f"Comparing control '{control_id}' variations {list(search_variations)[:3]} with RegScale control '{security_control_id}' variations {list(control_variations)[:3]} (impl: {implementation.id})"
                 )
-                if self._control_ids_match(control_id, security_control_id):
+
+                # Check if any variation matches (set intersection)
+                if search_variations & control_variations:
                     matching_implementation = implementation
                     matching_security_control = security_control
                     logger.info(
@@ -1364,12 +1383,19 @@ class ComplianceIntegration(ScannerIntegration, ABC):
             component_title = f"Control {sec_control.controlId}"
             component = self.components_by_title.get(component_title) if hasattr(self, "components_by_title") else None
             if not component:
+                # Get complianceSettingsId from the security plan
+                security_plan = self._get_security_plan()
+                compliance_settings_id = getattr(security_plan, "complianceSettingsId", None) if security_plan else None
+                if not compliance_settings_id:
+                    compliance_setting = self._get_compliance_settings()
+                    compliance_settings_id = getattr(compliance_setting, "id", None) if compliance_setting else None
                 component = regscale_models.Component(
                     title=component_title,
                     componentType=regscale_models.ComponentType.Hardware,
                     securityPlansId=self.plan_id,
                     description=component_title,
                     componentOwnerId=self.get_assessor_id(),
+                    complianceSettingsId=compliance_settings_id,
                 ).get_or_create()
                 regscale_models.ComponentMapping(
                     componentId=component.id,
@@ -2050,6 +2076,8 @@ class ComplianceIntegration(ScannerIntegration, ABC):
         """
         Create or update an issue from a finding, using cache to prevent duplicates.
 
+        Properly handles milestone creation for compliance integrations.
+
         :param str title: Issue title
         :param IntegrationFinding finding: The finding to create issue from
         :return: Created or updated issue
@@ -2068,6 +2096,9 @@ class ComplianceIntegration(ScannerIntegration, ABC):
                 f"Found existing issue {existing_issue.id} (other_identifier: '{existing_issue.otherIdentifier}') for lookup external_id '{external_id}', updating instead of creating"
             )
 
+            # Store original status for milestone comparison
+            original_status = existing_issue.status
+
             # Update existing issue with new finding data
             existing_issue.title = title
             existing_issue.description = finding.description
@@ -2095,8 +2126,42 @@ class ComplianceIntegration(ScannerIntegration, ABC):
             existing_issue.orgId = self.determine_issue_organization_id(existing_issue.issueOwnerId)
             existing_issue.save()
 
+            # Create milestone if status changed
+            # Reconstruct original issue state for comparison
+            original_issue = regscale_models.Issue()
+            original_issue.status = original_status
+            self._create_milestones_for_updated_issue(existing_issue, finding, original_issue)
+
             return existing_issue
         else:
             # No existing issue found, create new one using parent method
             logger.debug(f"No existing issue found for external_id {external_id}, creating new issue")
             return super().create_or_update_issue_from_finding(title, finding)
+
+    def _create_milestones_for_updated_issue(
+        self,
+        issue: regscale_models.Issue,
+        finding: IntegrationFinding,
+        original_issue: regscale_models.Issue,
+    ) -> None:
+        """
+        Create milestones for an updated issue in compliance integration.
+
+        This method handles both status transition milestones and backfilling of missing
+        creation milestones for existing issues.
+
+        :param regscale_models.Issue issue: The updated issue
+        :param IntegrationFinding finding: The finding data
+        :param regscale_models.Issue original_issue: Original state for comparison
+        """
+        milestone_manager = self.get_milestone_manager()
+
+        # First, ensure the issue has a creation milestone (backfill if missing)
+        milestone_manager.ensure_creation_milestone_exists(issue=issue, finding=finding)
+
+        # Then, handle status transition milestones
+        milestone_manager.create_milestones_for_issue(
+            issue=issue,
+            finding=finding,
+            existing_issue=original_issue,
+        )