regscale-cli 6.25.1.0__py3-none-any.whl → 6.27.0.0__py3-none-any.whl

regscale/integrations/compliance_integration.py

@@ -13,6 +13,7 @@ from collections import defaultdict
 from typing import Dict, List, Optional, Any, Iterator
 
 from regscale.core.app.utils.app_utils import get_current_datetime, regscale_string_to_datetime
+from regscale.integrations.control_matcher import ControlMatcher
 from regscale.integrations.scanner_integration import (
     ScannerIntegration,
     IntegrationAsset,
@@ -166,6 +167,9 @@ class ComplianceIntegration(ScannerIntegration, ABC):
         self._compliance_settings = None
         self._security_plan = None
 
+        # Initialize control matcher for robust control ID matching
+        self._control_matcher = ControlMatcher()
+
     def is_poam(self, finding: IntegrationFinding) -> bool:  # type: ignore[override]
         """
         Determines if an issue should be considered a POAM for compliance integrations.
@@ -1230,7 +1234,6 @@ class ComplianceIntegration(ScannerIntegration, ABC):
                 processed_impl_today.add(impl.id)
 
             self._record_control_mapping(control_id, impl.id)
-            self._map_assets_to_control_component(sec_control, items)
             return 1
         except Exception as e:  # noqa: BLE001
             logger.error(f"Error processing control assessment for '{control_id}': {e}")
@@ -1245,13 +1248,22 @@ class ComplianceIntegration(ScannerIntegration, ABC):
         """
         Find matching implementation and security control for a control ID.
 
+        Uses ControlMatcher for robust control ID matching with leading zero normalization.
+
         :param str control_id: Control identifier to match
         :param List[ControlImplementation] implementations: Available implementations
         :return: Tuple of matching implementation and security control, or (None, None)
         :rtype: tuple[Optional[ControlImplementation], Optional[SecurityControl]]
         """
+        # Generate all variations of the search control ID for matching
+        search_variations = self._control_matcher._get_control_id_variations(control_id)
+        if not search_variations:
+            logger.debug(f"Could not generate control ID variations for: {control_id}")
+            return None, None
+
         matching_implementation = None
         matching_security_control = None
+
         for implementation in implementations:
             try:
                 security_control = SecurityControl.get_object(object_id=implementation.controlID)
@@ -1264,10 +1276,16 @@ class ComplianceIntegration(ScannerIntegration, ABC):
                 if not security_control_id:
                     logger.debug(f"Security control {security_control.id} has no controlId")
                     continue
+
+                # Get variations of the security control ID
+                control_variations = self._control_matcher._get_control_id_variations(security_control_id)
+
                 logger.debug(
-                    f"Comparing extracted '{control_id}' with RegScale control '{security_control_id}' (impl: {implementation.id})"
+                    f"Comparing control '{control_id}' variations {list(search_variations)[:3]} with RegScale control '{security_control_id}' variations {list(control_variations)[:3]} (impl: {implementation.id})"
                 )
-                if self._control_ids_match(control_id, security_control_id):
+
+                # Check if any variation matches (set intersection)
+                if search_variations & control_variations:
                     matching_implementation = implementation
                     matching_security_control = security_control
                     logger.info(
@@ -1351,44 +1369,6 @@ class ComplianceIntegration(ScannerIntegration, ABC):
         except Exception:
             pass
 
-    def _map_assets_to_control_component(self, sec_control: SecurityControl, items: List[ComplianceItem]) -> None:
-        """
-        Map assets to control-specific components for organization.
-
-        :param SecurityControl sec_control: Security control to create component for
-        :param List[ComplianceItem] items: Compliance items with asset references
-        :return: None
-        :rtype: None
-        """
-        try:
-            component_title = f"Control {sec_control.controlId}"
-            component = self.components_by_title.get(component_title) if hasattr(self, "components_by_title") else None
-            if not component:
-                component = regscale_models.Component(
-                    title=component_title,
-                    componentType=regscale_models.ComponentType.Hardware,
-                    securityPlansId=self.plan_id,
-                    description=component_title,
-                    componentOwnerId=self.get_assessor_id(),
-                ).get_or_create()
-                regscale_models.ComponentMapping(
-                    componentId=component.id,
-                    securityPlanId=self.plan_id,
-                ).get_or_create()
-                if hasattr(self, "components_by_title"):
-                    self.components_by_title[component_title] = component
-
-            for item in items:
-                asset = self.get_asset_by_identifier(getattr(item, "resource_id", ""))
-                if not asset:
-                    continue
-                regscale_models.AssetMapping(
-                    assetId=asset.id,
-                    componentId=component.id,
-                ).get_or_create_with_status()
-        except Exception as map_exc:  # noqa: BLE001
-            logger.debug(f"Control-to-asset mapping skipped due to: {map_exc}")
-
     @staticmethod
     def _parse_control_id(control_id: str) -> tuple[str, Optional[str]]:
         """
@@ -2050,6 +2030,8 @@ class ComplianceIntegration(ScannerIntegration, ABC):
         """
         Create or update an issue from a finding, using cache to prevent duplicates.
 
+        Properly handles milestone creation for compliance integrations.
+
         :param str title: Issue title
         :param IntegrationFinding finding: The finding to create issue from
         :return: Created or updated issue
@@ -2068,6 +2050,9 @@ class ComplianceIntegration(ScannerIntegration, ABC):
                 f"Found existing issue {existing_issue.id} (other_identifier: '{existing_issue.otherIdentifier}') for lookup external_id '{external_id}', updating instead of creating"
             )
 
+            # Store original status for milestone comparison
+            original_status = existing_issue.status
+
             # Update existing issue with new finding data
             existing_issue.title = title
             existing_issue.description = finding.description
@@ -2095,8 +2080,42 @@ class ComplianceIntegration(ScannerIntegration, ABC):
             existing_issue.orgId = self.determine_issue_organization_id(existing_issue.issueOwnerId)
             existing_issue.save()
 
+            # Create milestone if status changed
+            # Reconstruct original issue state for comparison
+            original_issue = regscale_models.Issue()
+            original_issue.status = original_status
+            self._create_milestones_for_updated_issue(existing_issue, finding, original_issue)
+
             return existing_issue
         else:
             # No existing issue found, create new one using parent method
             logger.debug(f"No existing issue found for external_id {external_id}, creating new issue")
             return super().create_or_update_issue_from_finding(title, finding)
+
+    def _create_milestones_for_updated_issue(
+        self,
+        issue: regscale_models.Issue,
+        finding: IntegrationFinding,
+        original_issue: regscale_models.Issue,
+    ) -> None:
+        """
+        Create milestones for an updated issue in compliance integration.
+
+        This method handles both status transition milestones and backfilling of missing
+        creation milestones for existing issues.
+
+        :param regscale_models.Issue issue: The updated issue
+        :param IntegrationFinding finding: The finding data
+        :param regscale_models.Issue original_issue: Original state for comparison
+        """
+        milestone_manager = self.get_milestone_manager()
+
+        # First, ensure the issue has a creation milestone (backfill if missing)
+        milestone_manager.ensure_creation_milestone_exists(issue=issue, finding=finding)
+
+        # Then, handle status transition milestones
+        milestone_manager.create_milestones_for_issue(
+            issue=issue,
+            finding=finding,
+            existing_issue=original_issue,
+        )

regscale/integrations/control_matcher.py

@@ -0,0 +1,377 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+"""
+Control Matcher - A utility class for identifying and matching control implementations
+across different RegScale entities based on control ID strings.
+"""
+
+import logging
+import re
+from typing import Dict, List, Optional, Tuple, Union
+
+from regscale.core.app.api import Api
+from regscale.core.app.application import Application
+from regscale.models.regscale_models.control_implementation import ControlImplementation
+from regscale.models.regscale_models.security_control import SecurityControl
+
+logger = logging.getLogger("regscale")
+
+
+class ControlMatcher:
+    """
+    A class to identify control IDs and match them across different RegScale entities.
+
+    This class provides control matching capabilities:
+    - Parse control ID strings to extract NIST control identifiers
+    - Match controls from catalogs to security plans
+    - Find control implementations based on control IDs
+    - Support multiple control ID formats (e.g., AC-1, AC-1(1), AC-1.1)
+
+    Note: This class is focused on finding and matching existing controls only.
+    Control creation/modification should be handled by calling code.
+    """
+
+    def __init__(self, app: Optional[Application] = None):
+        """
+        Initialize the ControlMatcher.
+
+        :param Optional[Application] app: RegScale Application instance
+        """
+        self.app = app or Application()
+        self.api = Api()
+        self._catalog_cache: Dict[int, List[SecurityControl]] = {}
+        self._control_impl_cache: Dict[Tuple[int, str], Dict[str, ControlImplementation]] = {}
+
+    def parse_control_id(self, control_string: str) -> Optional[str]:
+        """
+        Parse a control ID string and extract the standardized control identifier.
+
+        Handles various formats:
+        - NIST format: AC-1, AC-1(1), AC-1.1
+        - With leading zeros: AC-01, AC-17(02)
+        - With spaces: AC-1 (1), AC-02 (04)
+        - With text: "Access Control AC-1"
+        - Multiple controls: "AC-1, AC-2"
+
+        :param str control_string: Raw control ID string
+        :return: Standardized control ID or None if not found
+        :rtype: Optional[str]
+        """
+        if not control_string:
+            return None
+
+        # Clean the string
+        control_string = control_string.strip().upper()
+
+        # Common NIST control ID pattern
+        # Matches: AC-1, AC-01, AC-1(1), AC-1(01), AC-1 (1), AC-1.1, AC-1.01, etc.
+        # Allows optional whitespace before and inside parentheses
+        pattern = r"([A-Z]{2,3}-\d+(?:\s*\(\s*\d+\s*\)|\.\d+)?)"
+
+        matches = re.findall(pattern, control_string)
+        if matches:
+            # Normalize parentheses to dots for consistency and remove spaces
+            control_id = matches[0]
+            control_id = control_id.replace(" ", "")  # Remove all spaces
+            control_id = control_id.replace("(", ".").replace(")", "")
+
+            # Normalize leading zeros (e.g., AC-01.02 -> AC-1.2)
+            parts = control_id.split("-")
+            if len(parts) == 2:
+                family = parts[0]
+                number_part = parts[1]
+
+                if "." in number_part:
+                    main_num, enhancement = number_part.split(".", 1)
+                    main_num = str(int(main_num))
+                    enhancement = str(int(enhancement))
+                    control_id = f"{family}-{main_num}.{enhancement}"
+                else:
+                    main_num = str(int(number_part))
+                    control_id = f"{family}-{main_num}"
+
+            return control_id
+
+        return None
+
+    def find_control_in_catalog(self, control_id: str, catalog_id: int) -> Optional[SecurityControl]:
+        """
+        Find a security control in a specific catalog by control ID.
+
+        :param str control_id: The control ID to search for
+        :param int catalog_id: The catalog ID to search in
+        :return: SecurityControl object if found, None otherwise
+        :rtype: Optional[SecurityControl]
+        """
+        controls = self._get_catalog_controls(catalog_id)
+
+        # Generate all possible variations of the control ID
+        search_ids = self._get_control_id_variations(control_id)
+
+        # Try exact match with any variation
+        for control in controls:
+            if control.controlId in search_ids:
+                return control
+
+        # Try matching control variations against search variations
+        for control in controls:
+            control_variations = self._get_control_id_variations(control.controlId)
+            if control_variations & search_ids:  # Set intersection
+                return control
+
+        return None
+
+    def find_control_implementation(
+        self, control_id: str, parent_id: int, parent_module: str = "securityplans", catalog_id: Optional[int] = None
+    ) -> Optional[ControlImplementation]:
+        """
+        Find a control implementation based on control ID and parent context.
+
+        :param str control_id: The control ID to match
+        :param int parent_id: Parent entity ID (e.g., security plan ID)
+        :param str parent_module: Parent module type (default: securityplans)
+        :param Optional[int] catalog_id: Optional catalog ID for better matching
+        :return: ControlImplementation if found, None otherwise
+        :rtype: Optional[ControlImplementation]
+        """
+        # Get control implementations for the parent
+        implementations = self._get_control_implementations(parent_id, parent_module)
+
+        # Get all variations of the control ID for matching
+        search_variations = self._get_control_id_variations(control_id)
+        if not search_variations:
+            logger.warning(f"Could not parse control ID: {control_id}")
+            return None
+
+        # Try to find matching implementation with variation matching
+        for impl_key, impl in implementations.items():
+            impl_variations = self._get_control_id_variations(impl_key)
+            if impl_variations & search_variations:  # Set intersection
+                return impl
+
+        # If catalog ID provided, try to find via security control
+        if catalog_id:
+            control = self.find_control_in_catalog(control_id, catalog_id)
+            if control:
+                # Search implementations by control ID
+                for impl in implementations.values():
+                    if impl.controlID == control.id:
+                        return impl
+
+        return None
+
+    def match_controls_to_implementations(
+        self,
+        control_ids: List[str],
+        parent_id: int,
+        parent_module: str = "securityplans",
+        catalog_id: Optional[int] = None,
+    ) -> Dict[str, Optional[ControlImplementation]]:
+        """
+        Match multiple control IDs to their implementations.
+
+        :param List[str] control_ids: List of control ID strings
+        :param int parent_id: Parent entity ID
+        :param str parent_module: Parent module type
+        :param Optional[int] catalog_id: Optional catalog ID
+        :return: Dictionary mapping control IDs to implementations
+        :rtype: Dict[str, Optional[ControlImplementation]]
+        """
+        results = {}
+
+        for control_id in control_ids:
+            impl = self.find_control_implementation(control_id, parent_id, parent_module, catalog_id)
+            results[control_id] = impl
+
+        return results
+
+    def get_security_plan_controls(self, security_plan_id: int) -> Dict[str, ControlImplementation]:
+        """
+        Get all control implementations for a security plan.
+
+        :param int security_plan_id: The security plan ID
+        :return: Dictionary of control implementations keyed by control ID
+        :rtype: Dict[str, ControlImplementation]
+        """
+        return self._get_control_implementations(security_plan_id, "securityplans")
+
+    def find_controls_by_pattern(self, pattern: str, catalog_id: int) -> List[SecurityControl]:
+        """
+        Find all controls in a catalog matching a pattern.
+
+        :param str pattern: Regex pattern or substring to match
+        :param int catalog_id: Catalog ID to search in
+        :return: List of matching SecurityControl objects
+        :rtype: List[SecurityControl]
+        """
+        controls = self._get_catalog_controls(catalog_id)
+        matched = []
+
+        for control in controls:
+            if (re.search(pattern, control.controlId, re.IGNORECASE)) or (
+                control.title and re.search(pattern, control.title, re.IGNORECASE)
+            ):
+                matched.append(control)
+
+        return matched
+
+    def bulk_match_controls(
+        self,
+        control_mappings: Dict[str, str],
+        parent_id: int,
+        parent_module: str = "securityplans",
+        catalog_id: Optional[int] = None,
+    ) -> Dict[str, Optional[ControlImplementation]]:
+        """
+        Bulk match control IDs to their implementations.
+
+        :param Dict[str, str] control_mappings: Dict of {external_id: control_id}
+        :param int parent_id: Parent entity ID
+        :param str parent_module: Parent module type
+        :param Optional[int] catalog_id: Catalog ID for controls
+        :return: Dictionary mapping external IDs to ControlImplementations (None if not found)
+        :rtype: Dict[str, Optional[ControlImplementation]]
+        """
+        results = {}
+
+        for external_id, control_id in control_mappings.items():
+            impl = self.find_control_implementation(control_id, parent_id, parent_module, catalog_id)
+            results[external_id] = impl
+
+        return results
+
+    def _get_catalog_controls(self, catalog_id: int) -> List[SecurityControl]:
+        """
+        Get all controls for a catalog (with caching).
+
+        :param int catalog_id: Catalog ID
+        :return: List of SecurityControl objects
+        :rtype: List[SecurityControl]
+        """
+        if catalog_id not in self._catalog_cache:
+            try:
+                controls = SecurityControl.get_list_by_catalog(catalog_id)
+                self._catalog_cache[catalog_id] = controls
+            except Exception as e:
+                logger.error(f"Failed to get controls for catalog {catalog_id}: {e}")
+                return []
+
+        return self._catalog_cache.get(catalog_id, [])
+
+    def _normalize_control_id(self, control_id: str) -> Optional[str]:
+        """
+        Normalize a control ID by removing leading zeros from all numeric parts.
+
+        Examples:
+        - AC-01 -> AC-1
+        - AC-17(02) -> AC-17.2
+        - AC-1.01 -> AC-1.1
+
+        :param str control_id: The control ID to normalize
+        :return: Normalized control ID or None if invalid
+        :rtype: Optional[str]
+        """
+        parsed = self.parse_control_id(control_id)
+        if not parsed:
+            return None
+
+        # Split by '-' to get family and number parts
+        parts = parsed.split("-")
+        if len(parts) != 2:
+            return None
+
+        family = parts[0]
+        number_part = parts[1]
+
+        # Handle enhancement notation (both . and parentheses are normalized to .)
+        if "." in number_part:
+            main_num, enhancement = number_part.split(".", 1)
+            # Remove leading zeros from both parts
+            main_num = str(int(main_num))
+            enhancement = str(int(enhancement))
+            return f"{family}-{main_num}.{enhancement}"
+        else:
+            # Just main control number
+            main_num = str(int(number_part))
+            return f"{family}-{main_num}"
+
+    def _get_control_id_variations(self, control_id: str) -> set:
+        """
+        Generate all valid variations of a control ID (with and without leading zeros).
+
+        Examples:
+        - AC-1 -> {AC-1, AC-01}
+        - AC-17.2 -> {AC-17.2, AC-17.02, AC-17(2), AC-17(02)}
+
+        :param str control_id: The control ID to generate variations for
+        :return: Set of all valid variations
+        :rtype: set
+        """
+        parsed = self.parse_control_id(control_id)
+        if not parsed:
+            return set()
+
+        variations = set()
+
+        # Split by '-' to get family and number parts
+        parts = parsed.split("-")
+        if len(parts) != 2:
+            return set()
+
+        family = parts[0]
+        number_part = parts[1]
+
+        # Handle enhancement notation
+        if "." in number_part:
+            main_num, enhancement = number_part.split(".", 1)
+            main_int = int(main_num)
+            enh_int = int(enhancement)
+
+            # Generate all combinations: with/without leading zeros, dot/parenthesis notation
+            for main_fmt in [str(main_int), f"{main_int:02d}"]:
+                for enh_fmt in [str(enh_int), f"{enh_int:02d}"]:
+                    variations.add(f"{family}-{main_fmt}.{enh_fmt}")
+                    variations.add(f"{family}-{main_fmt}({enh_fmt})")
+        else:
+            # Just main control number
+            main_int = int(number_part)
+            variations.add(f"{family}-{main_int}")
+            variations.add(f"{family}-{main_int:02d}")
+
+        # Add uppercase versions to ensure consistency
+        return {v.upper() for v in variations}
+
+    def _get_control_implementations(self, parent_id: int, parent_module: str) -> Dict[str, ControlImplementation]:
+        """
+        Get control implementations for a parent (with caching).
+
+        :param int parent_id: Parent ID
+        :param str parent_module: Parent module
+        :return: Dict of implementations keyed by control ID
+        :rtype: Dict[str, ControlImplementation]
+        """
+        cache_key = (parent_id, parent_module)
+
+        if cache_key not in self._control_impl_cache:
+            try:
+                # Get the label map which maps control IDs to implementation IDs
+                label_map = ControlImplementation.get_control_label_map_by_parent(parent_id, parent_module)
+
+                implementations = {}
+                for control_label, impl_id in label_map.items():
+                    impl = ControlImplementation.get_object(impl_id)
+                    if impl:
+                        implementations[control_label] = impl
+
+                self._control_impl_cache[cache_key] = implementations
+            except Exception as e:
+                logger.error(f"Failed to get implementations for {parent_module}/{parent_id}: {e}")
+                return {}
+
+        return self._control_impl_cache.get(cache_key, {})
+
+    def clear_cache(self):
+        """Clear all cached data."""
+        self._catalog_cache.clear()
+        self._control_impl_cache.clear()
+        logger.info("Cleared control matcher cache")

regscale/integrations/due_date_handler.py

@@ -4,7 +4,7 @@
 
 import logging
 from datetime import datetime
-from typing import Any, Dict, Optional
+from typing import Any, Dict, Optional, Union
 
 from regscale.core.app.application import Application
 from regscale.core.utils.date import get_day_increment
@@ -53,9 +53,13 @@ class DueDateHandler:
         # Default due date timelines (days)
         self.default_timelines = {
             regscale_models.IssueSeverity.Critical: 30,
+            "critical": 30,
             regscale_models.IssueSeverity.High: 60,
+            "high": 60,
             regscale_models.IssueSeverity.Moderate: 120,
+            "moderate": 120,
             regscale_models.IssueSeverity.Low: 364,
+            "low": 364,
         }
 
         # Load integration-specific timelines from config
@@ -66,10 +70,10 @@ class DueDateHandler:
 
     def _load_integration_timelines(self) -> Dict[regscale_models.IssueSeverity, int]:
         """
-        Load timeline configurations for this integration from init.yaml
-
-        :return: Dictionary mapping severity to days
-        :rtype: Dict[regscale_models.IssueSeverity, int]
+                Load timeline configurations for this integration from init.yaml
+        mv
+                :return: Dictionary mapping severity to days
+                :rtype: Dict[regscale_models.IssueSeverity, int]
         """
         timelines = self.default_timelines.copy()
 
@@ -184,7 +188,7 @@ class DueDateHandler:
 
     def calculate_due_date(
         self,
-        severity: regscale_models.IssueSeverity,
+        severity: Union[regscale_models.IssueSeverity, str],
         created_date: str,
         cve: Optional[str] = None,
         title: Optional[str] = None,
@@ -192,7 +196,7 @@ class DueDateHandler:
         """
         Calculate the due date for an issue based on severity, KEV status, and integration config
 
-        :param regscale_models.IssueSeverity severity: The severity of the issue
+        :param Union[regscale_models.IssueSeverity, str] severity: The severity of the issue
         :param str created_date: The creation date of the issue
         :param Optional[str] cve: The CVE identifier (if applicable)
         :param Optional[str] title: The title of the issue (for additional context)
@@ -244,7 +248,9 @@ class DueDateHandler:
         # Ensure due date is never in the past (allow yesterday for timezone differences)
         due_date = self._ensure_future_due_date(calculated_due_date, days)
 
-        logger.debug(f"Using {self.integration_name} timeline: {severity.name} = {days} days, due date = {due_date}")
+        logger.debug(
+            f"Using {self.integration_name} timeline: {severity.name if isinstance(severity, regscale_models.IssueSeverity) else severity} = {days} days, due date = {due_date}"
+        )
 
         return due_date