regscale-cli 6.25.1.0__py3-none-any.whl → 6.27.0.0__py3-none-any.whl

regscale/integrations/scanner_integration.py

@@ -27,6 +27,7 @@ from regscale.integrations.commercial.durosuite.process_devices import scan_duro
 from regscale.integrations.commercial.durosuite.variables import DuroSuiteVariables
 from regscale.integrations.commercial.stig_mapper_integration.mapping_engine import StigMappingEngine as STIGMapper
 from regscale.integrations.due_date_handler import DueDateHandler
+from regscale.integrations.milestone_manager import MilestoneManager
 from regscale.integrations.public.cisa import pull_cisa_kev
 from regscale.integrations.variables import ScannerVariables
 from regscale.models import DateTimeEncoder, OpenIssueDict, Property, regscale_models
@@ -672,6 +673,9 @@ class ScannerIntegration(ABC):
         # Initialize due date handler for this integration
         self.due_date_handler = DueDateHandler(self.title, config=self.app.config)
 
+        # Initialize milestone manager for this integration
+        self.milestone_manager = None  # Lazy initialization after scan_date is set
+
         if self.is_component:
             self.component = regscale_models.Component.get_object(self.plan_id)
             self.parent_module: str = regscale_models.Component.get_module_string()
@@ -709,6 +713,9 @@ class ScannerIntegration(ABC):
         self._no_ccis: bool = False
         self.cci_to_control_map_lock: threading.Lock = threading.Lock()
 
+        # Lock for thread-safe scan history count updates
+        self.scan_history_lock: threading.RLock = threading.RLock()
+
         self.assessment_map: ThreadSafeDict[int, regscale_models.Assessment] = ThreadSafeDict()
         self.assessor_id: str = self.get_assessor_id()
         self.asset_progress: Progress = create_progress_object()
@@ -737,6 +744,21 @@ class ScannerIntegration(ABC):
                     cls._lock_registry[key] = lock
         return lock
 
+    def get_milestone_manager(self) -> MilestoneManager:
+        """
+        Get or initialize the milestone manager.
+
+        :return: MilestoneManager instance
+        :rtype: MilestoneManager
+        """
+        if self.milestone_manager is None:
+            self.milestone_manager = MilestoneManager(
+                integration_title=self.title,
+                assessor_id=self.assessor_id,
+                scan_date=self.scan_date or get_current_datetime(),
+            )
+        return self.milestone_manager
+
     @staticmethod
     def load_stig_mapper() -> Optional[STIGMapper]:
         """
@@ -997,15 +1019,18 @@ class ScannerIntegration(ABC):
             return res[:450]
         return prefix[:450]
 
-    def get_or_create_assessment(self, control_implementation_id: int) -> regscale_models.Assessment:
+    def get_or_create_assessment(
+        self, control_implementation_id: int, status: Optional[regscale_models.AssessmentResultsStatus] = None
+    ) -> regscale_models.Assessment:
         """
-        Gets or creates a RegScale assessment
+        Gets or creates a RegScale assessment.
 
         :param int control_implementation_id: The ID of the control implementation
+        :param Optional[regscale_models.AssessmentResultsStatus] status: Optional status override (used by cci_assessment)
         :return: The assessment
         :rtype: regscale_models.Assessment
         """
-        logger.info("Getting or create assessment for control implementation %d", control_implementation_id)
+        logger.debug("Getting or create assessment for control implementation %d", control_implementation_id)
         assessment: Optional[regscale_models.Assessment] = self.assessment_map.get(control_implementation_id)
         if assessment:
             logger.debug(
@@ -1017,7 +1042,7 @@ class ScannerIntegration(ABC):
                 plannedStart=get_current_datetime(),
                 plannedFinish=get_current_datetime(),
                 status=regscale_models.AssessmentStatus.COMPLETE.value,
-                assessmentResult=regscale_models.AssessmentResultsStatus.FAIL.value,
+                assessmentResult=status.value if status else regscale_models.AssessmentResultsStatus.FAIL.value,
                 actualFinish=get_current_datetime(),
                 leadAssessorId=self.assessor_id,
                 parentId=control_implementation_id,
@@ -2284,87 +2309,26 @@ class ScannerIntegration(ABC):
         """
         Create milestones for an issue based on status transitions.
 
+        Delegates to MilestoneManager for cleaner separation of concerns.
+        Also ensures existing issues have creation milestones (backfills if missing).
+
         :param regscale_models.Issue issue: The issue to create milestones for
         :param IntegrationFinding finding: The finding data
         :param Optional[regscale_models.Issue] existing_issue: Existing issue for comparison
         """
-        if not (ScannerVariables.useMilestones and issue.id):
-            return
-
-        if self._should_create_reopened_milestone(existing_issue, issue):
-            self._create_milestone_safe(
-                issue, finding, "Issue reopened from", get_current_datetime(), "reopened milestone"
-            )
-        elif self._should_create_closed_milestone(existing_issue, issue):
-            self._create_milestone_safe(issue, finding, "Issue closed from", issue.dateCompleted, "closed milestone")
-        elif not existing_issue:
-            self._create_milestone_safe(issue, finding, "Issue created from", self.scan_date, "new issue milestone")
-        else:
-            logger.debug("No milestone created for issue %s from finding %s", issue.id, finding.external_id)
-
-    def _should_create_reopened_milestone(
-        self, existing_issue: Optional[regscale_models.Issue], issue: regscale_models.Issue
-    ) -> bool:
-        """
-        Check if a reopened milestone should be created.
+        milestone_manager = self.get_milestone_manager()
 
-        :param Optional[regscale_models.Issue] existing_issue: The existing issue
-        :param regscale_models.Issue issue: The current issue
-        :return: True if reopened milestone should be created
-        :rtype: bool
-        """
-        return (
-            existing_issue
-            and existing_issue.status == regscale_models.IssueStatus.Closed
-            and issue.status == regscale_models.IssueStatus.Open
-        )
-
-    def _should_create_closed_milestone(
-        self, existing_issue: Optional[regscale_models.Issue], issue: regscale_models.Issue
-    ) -> bool:
-        """
-        Check if a closed milestone should be created.
+        # For existing issues, ensure they have a creation milestone (backfill if missing)
+        if existing_issue:
+            milestone_manager.ensure_creation_milestone_exists(issue=issue, finding=finding)
 
-        :param Optional[regscale_models.Issue] existing_issue: The existing issue
-        :param regscale_models.Issue issue: The current issue
-        :return: True if closed milestone should be created
-        :rtype: bool
-        """
-        return (
-            existing_issue
-            and existing_issue.status == regscale_models.IssueStatus.Open
-            and issue.status == regscale_models.IssueStatus.Closed
+        # Handle status transition milestones
+        milestone_manager.create_milestones_for_issue(
+            issue=issue,
+            finding=finding,
+            existing_issue=existing_issue,
         )
 
-    def _create_milestone_safe(
-        self,
-        issue: regscale_models.Issue,
-        finding: IntegrationFinding,
-        title_prefix: str,
-        milestone_date: str,
-        milestone_type: str,
-    ) -> None:
-        """
-        Safely create a milestone with error handling.
-
-        :param regscale_models.Issue issue: The issue to create milestone for
-        :param IntegrationFinding finding: The finding data
-        :param str title_prefix: Prefix for milestone title
-        :param str milestone_date: Date for the milestone
-        :param str milestone_type: Description for logging purposes
-        """
-        try:
-            regscale_models.Milestone(
-                title=f"{title_prefix} {self.title} scan",
-                milestoneDate=milestone_date,
-                responsiblePersonId=self.assessor_id,
-                parentID=issue.id,
-                parentModule="issues",
-            ).create_or_update()
-            logger.debug("Added milestone for issue %s from finding %s", issue.id, finding.external_id)
-        except Exception as e:
-            logger.warning("Failed to create %s: %s", milestone_type, str(e))
-
     @staticmethod
     def extra_data_to_properties(finding: IntegrationFinding, issue_id: int) -> None:
         """
@@ -2530,6 +2494,8 @@ class ScannerIntegration(ABC):
             if found_issue.controlImplementationIds:
                 for control_id in found_issue.controlImplementationIds:
                     self.update_control_implementation_status_after_close(control_id)
+                    # Update assessment status to reflect the control implementation status
+                    self.update_assessment_status_from_control_implementation(control_id)
 
     def handle_failing_checklist(
         self,
@@ -2554,11 +2520,13 @@ class ScannerIntegration(ABC):
                 if failing_objective.name.lower().startswith("cci-"):
                     implementation_id = self.get_control_implementation_id_for_cci(failing_objective.name)
                 else:
-                    control_label = objective_to_control_dot(failing_objective.name)
-                    if control_label not in self.control_implementation_id_map:
-                        logger.warning("Control %s not found for %s", control_label, control_label)
-                        continue
-                    implementation_id = self.control_implementation_id_map[control_label]
+                    implementation_id = self._fallback_implementation_id(failing_objective)
+
+                if not implementation_id or implementation_id is None:
+                    logger.warning(
+                        "Could not map objective to a Control Implementation for objective #%i.", failing_objective.id
+                    )
+                    continue
 
                 failing_option = regscale_models.ImplementationOption(
                     name="Failed STIG",
@@ -2580,13 +2548,36 @@ class ScannerIntegration(ABC):
                 ).create_or_update()
 
                 # Create assessment and control test result
-                assessment = self.get_or_create_assessment(implementation_id)
+                assessment = self.get_or_create_assessment(
+                    implementation_id, status=regscale_models.AssessmentResultsStatus.FAIL
+                )
                 if implementation_id:
                     control_test = self.create_or_get_control_test(finding, implementation_id)
                     self.create_control_test_result(
                         finding, control_test, assessment, regscale_models.ControlTestResultStatus.FAIL
                     )
 
+    def _fallback_implementation_id(self, objective: regscale_models.ControlObjective) -> Optional[int]:
+        """
+        Fallback method to get control implementation ID from objective name if CCI mapping fails.
+
+        :param regscale_models.ControlObjective objective: The control objective
+        :return: The control implementation ID if found, None otherwise
+        :rtype: Optional[int]
+        """
+        control_label = objective_to_control_dot(objective.name)
+        if implementation_id := self.control_implementation_id_map.get(control_label):
+            return implementation_id
+
+        if control_id := self.control_id_to_implementation_map.get(objective.securityControlId):
+            if control_label := self.control_map.get(control_id):
+                implementation_id = self.control_implementation_id_map.get(control_label)
+                if not implementation_id:
+                    print("No dice.")
+                return implementation_id
+        logger.debug("Could not find fallback implementation ID for objective #%i", objective.id)
+        return None
+
     def handle_passing_checklist(
         self,
         finding: IntegrationFinding,
@@ -2610,15 +2601,12 @@ class ScannerIntegration(ABC):
                 if passing_objective.name.lower().startswith("cci-"):
                     implementation_id = self.get_control_implementation_id_for_cci(passing_objective.name)
                 else:
-                    control_label = objective_to_control_dot(passing_objective.name)
-                    if control_label not in self.control_implementation_id_map:
-                        logger.warning("Control %s not found for %s", control_label, control_label)
-                        continue
-                    implementation_id = self.control_implementation_id_map[control_label]
-
-                # Skip if we couldn't determine the implementation ID
-                if implementation_id is None:
-                    logger.warning("Could not determine implementation ID for objective %s", passing_objective.name)
+                    implementation_id = self._fallback_implementation_id(passing_objective)
+
+                if not implementation_id or implementation_id is None:
+                    logger.warning(
+                        "Could not map objective to a Control Implementation for objective #%i.", passing_objective.id
+                    )
                     continue
 
                 passing_option = regscale_models.ImplementationOption(
@@ -2641,7 +2629,9 @@ class ScannerIntegration(ABC):
                 ).create_or_update()
 
                 # Create assessment and control test result
-                assessment = self.get_or_create_assessment(implementation_id)
+                assessment = self.get_or_create_assessment(
+                    implementation_id, status=regscale_models.AssessmentResultsStatus.PASS
+                )
                 control_test = self.create_or_get_control_test(finding, implementation_id)
                 self.create_control_test_result(
                     finding, control_test, assessment, regscale_models.ControlTestResultStatus.PASS
@@ -2667,17 +2657,45 @@ class ScannerIntegration(ABC):
 
     def get_asset_by_identifier(self, identifier: str) -> Optional[regscale_models.Asset]:
         """
-        Gets an asset by its identifier
+        Gets an asset by its identifier with fallback lookups.
+
+        REG-17044: Enhanced to support multiple identifier fields (qualysId, IP, FQDN)
+        to improve asset matching and reduce "asset not found" errors.
 
         :param str identifier: The identifier of the asset
         :return: The asset
         :rtype: Optional[regscale_models.Asset]
         """
-        asset = self.asset_map_by_identifier.get(identifier)
+        # Try primary identifier field first
+        if asset := self.asset_map_by_identifier.get(identifier):
+            return asset
+
+        # Fallback: Try common identifier fields
+        # This helps when asset_identifier_field doesn't match or assets use different identifiers
+        if not asset and identifier:
+            for cached_asset in self.asset_map_by_identifier.values():
+                # Try IP address lookup
+                if getattr(cached_asset, "ipAddress", None) == identifier:
+                    logger.debug(f"Found asset {cached_asset.id} by IP address fallback: {identifier}")
+                    return cached_asset
+                # Try FQDN lookup
+                if getattr(cached_asset, "fqdn", None) == identifier:
+                    logger.debug(f"Found asset {cached_asset.id} by FQDN fallback: {identifier}")
+                    return cached_asset
+                # Try DNS lookup
+                if getattr(cached_asset, "dns", None) == identifier:
+                    logger.debug(f"Found asset {cached_asset.id} by DNS fallback: {identifier}")
+                    return cached_asset
+
+        # Log error if still not found
         if not asset and identifier not in self.alerted_assets:
             self.alerted_assets.add(identifier)
             if not getattr(self, "suppress_asset_not_found_errors", False):
-                self.log_error("1. Asset not found for identifier %s", identifier)
+                self.log_error(
+                    "Asset not found for identifier '%s' (tried %s, ipAddress, fqdn, dns)",
+                    identifier,
+                    self.asset_identifier_field,
+                )
         return asset
 
     def get_issue_by_integration_finding_id(self, integration_finding_id: str) -> Optional[regscale_models.Issue]:
@@ -2706,7 +2724,11 @@ class ScannerIntegration(ABC):
                 logger.error("2. Asset not found for identifier %s", finding.asset_identifier)
             return 0
 
-        tool = regscale_models.ChecklistTool.STIGs
+        tool = (
+            regscale_models.ChecklistTool.CISBenchmarks
+            if "simp.cis" in str(finding.vulnerability_number).lower()
+            else regscale_models.ChecklistTool.STIGs
+        )
         if finding.vulnerability_type == "Vulnerability Scan":
             tool = regscale_models.ChecklistTool.VulnerabilityScanner
 
@@ -2871,7 +2893,7 @@ class ScannerIntegration(ABC):
     def _finalize_finding_processing(
         self, scan_history: regscale_models.ScanHistory, current_vulnerabilities: Dict[int, Set[int]]
     ) -> None:
-        """Finalize the finding processing by saving scan history and closing outdated issues."""
+        """Finalize the finding processing by saving scan history and closing outdated vulnerabilities and issues."""
         logger.info(
             f"Saving scan history with final counts - Low: {scan_history.vLow}, Medium: {scan_history.vMedium}, High: {scan_history.vHigh}, Critical: {scan_history.vCritical}, Info: {scan_history.vInfo}"
         )
@@ -2890,6 +2912,7 @@ class ScannerIntegration(ABC):
 
         self._results["scan_history"] = scan_history
         self.update_result_counts("issues", regscale_models.Issue.bulk_save(progress_context=self.finding_progress))
+        self.close_outdated_vulnerabilities(current_vulnerabilities)
         self.close_outdated_issues(current_vulnerabilities)
         self._perform_batch_operations(self.finding_progress)
 
@@ -2995,24 +3018,25 @@ class ScannerIntegration(ABC):
             self._process_checklist_finding(finding)
 
         # Process vulnerability if applicable
-        if finding.status != regscale_models.IssueStatus.Closed or ScannerVariables.ingestClosedIssues:
-            vulnerability_created = self._process_vulnerability_finding(finding, scan_history, current_vulnerabilities)
+        # IMPORTANT: Always track vulnerabilities regardless of status to enable proper issue closure logic
+        # This ensures that current_vulnerabilities dict accurately reflects the scan state
+        vulnerability_created = self._process_vulnerability_finding(finding, scan_history, current_vulnerabilities)
 
+        # Only create/update issues for non-closed findings (unless ingestClosedIssues is enabled)
+        if finding.status != regscale_models.IssueStatus.Closed or ScannerVariables.ingestClosedIssues:
             self.handle_failing_finding(
                 issue_title=finding.issue_title or finding.title,
                 finding=finding,
             )
 
-            # Update scan history severity counts only if vulnerability was successfully created
-            if vulnerability_created:
-                logger.debug(
-                    f"Updating severity count for successfully created vulnerability with severity: {finding.severity}"
-                )
-                self.set_severity_count_for_scan(finding.severity, scan_history)
-            else:
-                logger.debug(
-                    f"Skipping severity count update for finding {finding.external_id} - no vulnerability created"
-                )
+        # Update scan history severity counts only if vulnerability was successfully created
+        if vulnerability_created:
+            logger.debug(
+                f"Updating severity count for successfully created vulnerability with severity: {finding.severity}"
+            )
+            self.set_severity_count_for_scan(finding.severity, scan_history, self.scan_history_lock)
+        else:
+            logger.debug(f"Skipping severity count update for finding {finding.external_id} - no vulnerability created")
 
     def _process_checklist_finding(self, finding: IntegrationFinding) -> None:
         """Process a checklist finding."""
@@ -3269,13 +3293,34 @@ class ScannerIntegration(ABC):
                 vuln_list.append(vuln)
         return vuln_list
 
-    def close_outdated_vulnerabilities(self, current_vulnerabilities: Dict[int, Set[int]]) -> None:
+    def close_outdated_vulnerabilities(self, current_vulnerabilities: Dict[int, Set[int]]) -> int:
         """
         Closes vulnerabilities that are not in the current set of vulnerability IDs for each asset.
 
         :param Dict[int, Set[int]] current_vulnerabilities: Dictionary of asset IDs to lists of current vulnerability IDs
-        :rtype: None
+        :return: Number of vulnerabilities closed
+        :rtype: int
         """
+        if not self.close_outdated_findings:
+            logger.info("Skipping closing outdated vulnerabilities.")
+            return 0
+
+        # Check global preventAutoClose setting
+        from regscale.core.app.application import Application
+
+        app = Application()
+        if app.config.get("preventAutoClose", False):
+            logger.info("Skipping closing outdated vulnerabilities due to global preventAutoClose setting.")
+            return 0
+
+        # REG-17044: Add defensive logging to track vulnerability closure state
+        logger.debug(f"Vulnerability Closure Analysis for {self.title}:")
+        logger.debug(f"  - Assets with current vulnerabilities: {len(current_vulnerabilities)}")
+        total_current_vulns = sum(len(vuln_set) for vuln_set in current_vulnerabilities.values())
+        logger.debug(f"  - Total current vulnerabilities tracked: {total_current_vulns}")
+        if total_current_vulns == 0:
+            logger.warning("No current vulnerabilities tracked - this may close all vulnerabilities!")
+
         # Get all current vulnerability IDs
         current_vuln_ids = {vuln_id for vuln_ids in current_vulnerabilities.values() for vuln_id in vuln_ids}
 
@@ -3298,9 +3343,14 @@ class ScannerIntegration(ABC):
                 vuln.dateClosed = get_current_datetime()
                 vuln.save()
                 closed_count += 1
-                logger.info("Closed vulnerability %d", vuln.id)
+                logger.debug("Closed vulnerability %d", vuln.id)
 
-        logger.info("Closed %d outdated vulnerabilities.", closed_count)
+        (
+            logger.info("Closed %d outdated vulnerabilities.", closed_count)
+            if closed_count > 0
+            else logger.info("No outdated vulnerabilities to close.")
+        )
+        return closed_count
 
     @classmethod
     def close_mappings_list(cls, vuln: regscale_models.Vulnerability) -> None:
@@ -3350,6 +3400,13 @@ class ScannerIntegration(ABC):
             logger.info("Skipping closing outdated issues due to global preventAutoClose setting.")
             return 0
 
+        # REG-17044: Add defensive logging to track issue closure state
+        logger.debug(f"Issue Closure Analysis for {self.title}:")
+        total_current_vulns = sum(len(vuln_set) for vuln_set in current_vulnerabilities.values())
+        logger.debug(f"  - Total current vulnerabilities to check against: {total_current_vulns}")
+        if total_current_vulns == 0:
+            logger.warning("No current vulnerabilities tracked - this may close all issues!")
+
         closed_count = 0
         affected_control_ids = set()
         count_lock = threading.Lock()
@@ -3381,6 +3438,8 @@ class ScannerIntegration(ABC):
 
         for control_id in affected_control_ids:
             self.update_control_implementation_status_after_close(control_id)
+            # Update assessment status to reflect the control implementation status
+            self.update_assessment_status_from_control_implementation(control_id)
 
         (
             logger.info("Closed %d outdated issues.", closed_count)
@@ -3483,9 +3542,70 @@ class ScannerIntegration(ABC):
         if control_implementation.status != new_status:
             control_implementation.status = new_status
             self.control_implementation_map[control_id] = control_implementation.save()
-            logger.info("Updated control implementation %d status to %s", control_id, new_status)
+            logger.debug("Updated control implementation %d status to %s", control_id, new_status)
 
-    def is_issue_protected_from_auto_close(self, issue: regscale_models.Issue) -> bool:
+    def update_assessment_status_from_control_implementation(self, control_implementation_id: int) -> None:
+        """
+        Updates the assessment status based on the control implementation status.
+        Treats the ControlImplementation status as the source of truth.
+
+        Sets assessment to PASS if ControlImplementation status is FULLY_IMPLEMENTED,
+        otherwise sets it to FAIL.
+
+        This method should be called after update_control_implementation_status_after_close
+        to ensure assessments reflect the final control implementation state.
+
+        :param int control_implementation_id: The ID of the control implementation
+        :rtype: None
+        """
+        # Get the cached assessment for this control implementation
+        assessment = self.assessment_map.get(control_implementation_id)
+
+        if not assessment:
+            logger.debug(
+                "No assessment found in cache for control implementation %d, skipping assessment update",
+                control_implementation_id,
+            )
+            return
+
+        # Get the control implementation to check its status
+        control_implementation = self.control_implementation_map.get(
+            control_implementation_id
+        ) or regscale_models.ControlImplementation.get_object(object_id=control_implementation_id)
+
+        if not control_implementation:
+            logger.warning("Control implementation %d not found, cannot update assessment", control_implementation_id)
+            return
+
+        # Determine assessment result based on control implementation status
+        # Treat ControlImplementation status as the source of truth
+        new_assessment_result = (
+            regscale_models.AssessmentResultsStatus.PASS
+            if control_implementation.status == regscale_models.ImplementationStatus.FULLY_IMPLEMENTED.value
+            else regscale_models.AssessmentResultsStatus.FAIL
+        )
+
+        # Only update if the status has changed
+        if assessment.assessmentResult != new_assessment_result.value:
+            assessment.assessmentResult = new_assessment_result.value
+            assessment.save()
+            logger.debug(
+                "Updated assessment %d for control implementation %d: assessmentResult=%s (based on control status: %s)",
+                assessment.id,
+                control_implementation_id,
+                new_assessment_result.value,
+                control_implementation.status,
+            )
+        else:
+            logger.debug(
+                "Assessment %d already has correct status %s for control implementation %d",
+                assessment.id,
+                assessment.assessmentResult,
+                control_implementation_id,
+            )
+
+    @staticmethod
+    def is_issue_protected_from_auto_close(issue: regscale_models.Issue) -> bool:
         """
         Check if an issue is protected from automatic closure.
 
@@ -3567,51 +3687,55 @@ class ScannerIntegration(ABC):
         return True
 
     @staticmethod
-    def set_severity_count_for_scan(severity: str, scan_history: regscale_models.ScanHistory) -> None:
+    def set_severity_count_for_scan(
+        severity: str, scan_history: regscale_models.ScanHistory, lock: Optional[threading.RLock] = None
+    ) -> None:
         """
-        Increments the count of the severity
+        Increments the count of the severity in a thread-safe manner.
+
+        NOTE: This method does NOT save the scan_history object. The caller is responsible
+        for saving the scan_history after all increments are complete to avoid race conditions
+        and excessive database writes in multi-threaded environments.
+
         :param str severity: Severity of the vulnerability
         :param regscale_models.ScanHistory scan_history: Scan history object
+        :param Optional[threading.RLock] lock: Thread lock for synchronization (recommended in multi-threaded context)
         :rtype: None
         """
-        logger.debug(f"Setting severity count for scan {scan_history.id}: severity='{severity}'")
-        logger.debug(
-            f"Current counts - Low: {scan_history.vLow}, Medium: {scan_history.vMedium}, High: {scan_history.vHigh}, Critical: {scan_history.vCritical}, Info: {scan_history.vInfo}"
-        )
 
-        if severity == regscale_models.IssueSeverity.Low.value:
-            scan_history.vLow += 1
-            logger.debug(f"Incremented vLow count to {scan_history.vLow}")
-        elif severity == regscale_models.IssueSeverity.Moderate.value:
-            scan_history.vMedium += 1
-            logger.debug(f"Incremented vMedium count to {scan_history.vMedium}")
-        elif severity == regscale_models.IssueSeverity.High.value:
-            scan_history.vHigh += 1
-            logger.debug(f"Incremented vHigh count to {scan_history.vHigh}")
-        elif severity == regscale_models.IssueSeverity.Critical.value:
-            scan_history.vCritical += 1
-            logger.debug(f"Incremented vCritical count to {scan_history.vCritical}")
-        else:
-            scan_history.vInfo += 1
-            logger.debug(f"Incremented vInfo count to {scan_history.vInfo}")
+        def _increment_severity():
+            """Internal method to perform the actual increment."""
+            logger.debug(f"Setting severity count for scan {scan_history.id}: severity='{severity}'")
+            logger.debug(
+                f"Current counts - Low: {scan_history.vLow}, Medium: {scan_history.vMedium}, High: {scan_history.vHigh}, Critical: {scan_history.vCritical}, Info: {scan_history.vInfo}"
+            )
 
-        logger.debug(
-            f"Final counts - Low: {scan_history.vLow}, Medium: {scan_history.vMedium}, High: {scan_history.vHigh}, Critical: {scan_history.vCritical}, Info: {scan_history.vInfo}"
-        )
+            if severity.lower() == regscale_models.IssueSeverity.Low.value.lower():
+                scan_history.vLow += 1
+                logger.debug(f"Incremented vLow count to {scan_history.vLow}")
+            elif severity.lower() == regscale_models.IssueSeverity.Moderate.value.lower():
+                scan_history.vMedium += 1
+                logger.debug(f"Incremented vMedium count to {scan_history.vMedium}")
+            elif severity.lower() == regscale_models.IssueSeverity.High.value.lower():
+                scan_history.vHigh += 1
+                logger.debug(f"Incremented vHigh count to {scan_history.vHigh}")
+            elif severity.lower() == regscale_models.IssueSeverity.Critical.value.lower():
+                scan_history.vCritical += 1
+                logger.debug(f"Incremented vCritical count to {scan_history.vCritical}")
+            else:
+                scan_history.vInfo += 1
+                logger.debug(f"Incremented vInfo count to {scan_history.vInfo}")
 
-        # Save the scan history immediately to persist the count changes
-        try:
-            scan_history.save()
-            logger.debug(f"Successfully saved scan history {scan_history.id} with updated counts")
-        except Exception as e:
-            logger.error(f"Error saving scan history {scan_history.id} after updating counts: {e}")
-            # Try to save again with a fresh fetch
-            try:
-                scan_history.fetch()
-                scan_history.save()
-                logger.debug(f"Successfully saved scan history {scan_history.id} after retry")
-            except Exception as e2:
-                logger.error(f"Failed to save scan history {scan_history.id} after retry: {e2}")
+            logger.debug(
+                f"Updated counts - Low: {scan_history.vLow}, Medium: {scan_history.vMedium}, High: {scan_history.vHigh}, Critical: {scan_history.vCritical}, Info: {scan_history.vInfo}"
+            )
+
+        # Use lock if provided for thread-safe increments
+        if lock:
+            with lock:
+                _increment_severity()
+        else:
+            _increment_severity()
 
     @classmethod
     def cci_assessment(cls, plan_id: int) -> None: