regscale-cli 6.25.1.0__py3-none-any.whl → 6.27.0.0__py3-none-any.whl

regscale/integrations/commercial/wizv2/{policy_compliance_helpers.py → compliance/helpers.py}

@@ -266,32 +266,39 @@ class IssueFieldSetter:
             )
 
             for impl in implementations:
-                if not hasattr(impl, "controlID") or not impl.controlID:
-                    continue
-
-                # Check cache for security control
-                security_control = self.cache.get_security_control(impl.controlID)
-                if not security_control:
-                    security_control = regscale_models.SecurityControl.get_object(object_id=impl.controlID)
-                    if security_control:
-                        self.cache.set_security_control(impl.controlID, security_control)
-
-                if security_control and hasattr(security_control, "controlId"):
-                    from regscale.integrations.commercial.wizv2.policy_compliance import WizPolicyComplianceIntegration
-
-                    impl_control_id = WizPolicyComplianceIntegration._normalize_control_id_string(
-                        security_control.controlId
-                    )
-
-                    if impl_control_id == control_id:
-                        logger.debug(f"✓ Found control implementation {impl.id} for control {control_id}")
-                        return impl.id
+                if impl_id := self._check_implementation_match(impl, control_id):
+                    return impl_id
 
             return None
         except Exception as e:
             logger.error(f"Error finding control implementation for {control_id}: {e}")
             return None
 
+    def _check_implementation_match(self, impl, control_id: str) -> Optional[int]:
+        """Check if implementation matches the control ID."""
+        if not hasattr(impl, "controlID") or not impl.controlID:
+            return None
+
+        # Check cache for security control
+        security_control = self.cache.get_security_control(impl.controlID)
+        if not security_control:
+            security_control = regscale_models.SecurityControl.get_object(object_id=impl.controlID)
+            if security_control:
+                self.cache.set_security_control(impl.controlID, security_control)
+
+        if not security_control or not hasattr(security_control, "controlId"):
+            return None
+
+        from regscale.integrations.commercial.wizv2.policy_compliance import WizPolicyComplianceIntegration
+
+        impl_control_id = WizPolicyComplianceIntegration._normalize_control_id_string(security_control.controlId)
+
+        if impl_control_id == control_id:
+            logger.debug(f"✓ Found control implementation {impl.id} for control {control_id}")
+            return impl.id
+
+        return None
+
     def _get_or_find_assessment_id(self, impl_id: int) -> Optional[int]:
         """
         Get assessment ID from cache or database.
@@ -480,22 +487,26 @@ class ControlAssessmentProcessor:
             assessments = regscale_models.Assessment.get_all_by_parent(parent_id=impl_id, parent_module="controls")
 
             for assessment in assessments:
-                if hasattr(assessment, "actualFinish") and assessment.actualFinish:
-                    try:
-                        if isinstance(assessment.actualFinish, str):
-                            assessment_date = regscale_string_to_datetime(assessment.actualFinish).date()
-                        elif hasattr(assessment.actualFinish, "date"):
-                            assessment_date = assessment.actualFinish.date()
-                        else:
-                            assessment_date = assessment.actualFinish
+                if assessment_date := self._get_assessment_date(assessment):
+                    if assessment_date == today:
+                        self.cache.set_assessment(impl_id, assessment)
+                        return assessment
 
-                        if assessment_date == today:
-                            self.cache.set_assessment(impl_id, assessment)
-                            return assessment
-                    except Exception:
-                        continue
+            return None
+        except Exception:
+            return None
 
+    def _get_assessment_date(self, assessment):
+        """Extract date from assessment actualFinish field."""
+        if not hasattr(assessment, "actualFinish") or not assessment.actualFinish:
             return None
+
+        try:
+            if isinstance(assessment.actualFinish, str):
+                return regscale_string_to_datetime(assessment.actualFinish).date()
+            if hasattr(assessment.actualFinish, "date"):
+                return assessment.actualFinish.date()
+            return assessment.actualFinish
         except Exception:
             return None
 
@@ -511,8 +522,14 @@ class ControlAssessmentProcessor:
         result_color = "#d32f2f" if result == "Fail" else "#2e7d32"
         bg_color = "#ffebee" if result == "Fail" else "#e8f5e8"
 
-        html_parts = [
-            f"""
+        header_html = self._create_report_header(control_id, result, result_color, bg_color, len(compliance_items))
+        summary_html = self._create_report_summary(compliance_items) if compliance_items else ""
+
+        return "\n".join([header_html, summary_html])
+
+    def _create_report_header(self, control_id: str, result: str, result_color: str, bg_color: str, total: int) -> str:
+        """Create HTML header section for assessment report."""
+        return f"""
             <div style="margin-bottom: 20px; padding: 15px; border: 2px solid {result_color};
                         border-radius: 5px; background-color: {bg_color};">
                 <h3 style="margin: 0 0 10px 0; color: {result_color};">
@@ -522,34 +539,24 @@ class ControlAssessmentProcessor:
                    <span style="color: {result_color}; font-weight: bold;">{result}</span></p>
                 <p><strong>Assessment Date:</strong> {self.scan_date}</p>
                 <p><strong>Framework:</strong> {self.framework}</p>
-                <p><strong>Total Policy Assessments:</strong> {len(compliance_items)}</p>
+                <p><strong>Total Policy Assessments:</strong> {total}</p>
             </div>
             """
-        ]
-
-        if compliance_items:
-            pass_count = len(
-                [
-                    item
-                    for item in compliance_items
-                    if hasattr(item, "compliance_result")
-                    and item.compliance_result in ["PASS", "PASSED", "pass", "passed"]
-                ]
-            )
-            fail_count = len(compliance_items) - pass_count
 
-            unique_resources = set()
-            unique_policies = set()
+    def _create_report_summary(self, compliance_items: List[Any]) -> str:
+        """Create HTML summary section for assessment report."""
+        pass_count = len(
+            [
+                item
+                for item in compliance_items
+                if hasattr(item, "compliance_result") and item.compliance_result in ["PASS", "PASSED", "pass", "passed"]
+            ]
+        )
+        fail_count = len(compliance_items) - pass_count
 
-            for item in compliance_items:
-                if hasattr(item, "resource_id"):
-                    unique_resources.add(item.resource_id)
-                if hasattr(item, "description") and item.description:
-                    policy_desc = item.description[:50] + "..." if len(item.description) > 50 else item.description
-                    unique_policies.add(policy_desc)
+        unique_resources, unique_policies = self._extract_unique_items(compliance_items)
 
-            html_parts.append(
-                f"""
+        return f"""
             <div style="margin-top: 20px;">
                 <h4>Assessment Summary</h4>
                 <p><strong>Policy Assessments:</strong> {len(compliance_items)} total</p>
@@ -559,6 +566,17 @@ class ControlAssessmentProcessor:
                 <p><strong>Failing:</strong> <span style="color: #d32f2f;">{fail_count}</span></p>
             </div>
             """
-            )
 
-        return "\n".join(html_parts)
+    def _extract_unique_items(self, compliance_items: List[Any]):
+        """Extract unique resources and policies from compliance items."""
+        unique_resources = set()
+        unique_policies = set()
+
+        for item in compliance_items:
+            if hasattr(item, "resource_id"):
+                unique_resources.add(item.resource_id)
+            if hasattr(item, "description") and item.description:
+                policy_desc = item.description[:50] + "..." if len(item.description) > 50 else item.description
+                unique_policies.add(policy_desc)
+
+        return unique_resources, unique_policies

regscale/integrations/commercial/wizv2/compliance_report.py

@@ -15,10 +15,12 @@ from regscale.core.app.utils.app_utils import get_current_datetime
 from regscale.integrations.commercial.wizv2.file_cleanup import ReportFileCleanup
 from regscale.integrations.commercial.wizv2.reports import WizReportManager
 from regscale.integrations.commercial.wizv2.variables import WizVariables
-from regscale.integrations.commercial.wizv2.wiz_auth import wiz_authenticate
+from regscale.integrations.commercial.wizv2.core.auth import wiz_authenticate
 from regscale.integrations.compliance_integration import ComplianceIntegration, ComplianceItem
+from regscale.integrations.control_matcher import ControlMatcher
 from regscale.models import regscale_models
-from regscale.models.regscale_models.control_implementation import ControlImplementation, ControlImplementationStatus
+from regscale.models.regscale_models.control_implementation import ControlImplementation
+from regscale.models.regscale_models.issue import IssueIdentification
 
 logger = logging.getLogger("regscale")
 
@@ -135,7 +137,12 @@ class WizComplianceReportItem(ComplianceItem):
     def _format_control_id(self, base_control: str, enhancement: str) -> str:
         """Format control ID with optional enhancement."""
         if enhancement:
-            return f"{base_control}({enhancement})"
+            # Normalize enhancement number to remove leading zeros
+            try:
+                normalized_enhancement = str(int(enhancement))
+            except ValueError:
+                normalized_enhancement = enhancement
+            return f"{base_control}({normalized_enhancement})"
         else:
             return base_control
 
@@ -277,6 +284,10 @@ class WizComplianceReportProcessor(ComplianceIntegration):
 
         self.report_manager = WizReportManager(WizVariables.wizUrl, access_token)
 
+        # Initialize control matcher for robust control ID matching (inherited from parent but ensure it's set)
+        if not hasattr(self, "_control_matcher"):
+            self._control_matcher = ControlMatcher()
+
     def parse_csv_report(self, file_path: str) -> List[WizComplianceReportItem]:
         """
         Parse CSV compliance report.
@@ -782,25 +793,26 @@ class WizComplianceReportProcessor(ComplianceIntegration):
         :rtype: Optional[str]
         """
         try:
-            # Filter for compliance reports for this specific project
-            filter_by = {"project": [self.wiz_project_id], "type": ["COMPLIANCE_ASSESSMENTS"]}
+            # Filter for compliance reports (projectId not supported in ReportFilters, using name-based lookup)
+            filter_by = {"type": ["COMPLIANCE_ASSESSMENTS"]}
 
             logger.debug(f"Searching for existing compliance reports with filter: {filter_by}")
             reports = self.report_manager.list_reports(filter_by=filter_by)
 
             if not reports:
-                logger.info("No existing compliance reports found for this project")
+                logger.info("No existing compliance reports found")
                 return None
 
-            # Look for reports named "Compliance Report" (the default name)
-            compliance_reports = [report for report in reports if report.get("name", "").strip() == "Compliance Report"]
+            # Look for report with project-specific name
+            expected_name = f"Compliance Report - {self.wiz_project_id}"
+            matching_reports = [report for report in reports if report.get("name", "").strip() == expected_name]
 
-            if not compliance_reports:
-                logger.info("No compliance reports with standard name found")
+            if not matching_reports:
+                logger.info(f"No existing compliance report found with name: {expected_name}")
                 return None
 
             # Return the first matching report (most recent will be used)
-            selected_report = compliance_reports[0]
+            selected_report = matching_reports[0]
             report_id = selected_report.get("id")
             report_name = selected_report.get("name", "Unknown")
 
@@ -876,76 +888,66 @@ class WizComplianceReportProcessor(ComplianceIntegration):
         """
         Update passing controls to 'Implemented' status in RegScale.
 
+        Uses ControlMatcher for robust control ID matching with leading zero normalization.
+
         :param list[str] passing_control_ids: List of control IDs that passed
         """
         if not passing_control_ids:
             return
 
-        # Initialize Application for control implementation updates
-        # app = Application()  # Will be used through self.app
-
         try:
-            # Use the existing method that works for getting control name to implementation ID mapping
-            control_impl_map = ControlImplementation.get_control_label_map_by_parent(
-                parent_id=self.plan_id, parent_module=self.parent_module
-            )
-
-            logger.debug(
-                f"Built control implementation map with {len(control_impl_map)} entries using get_control_label_map_by_parent"
-            )
-            if control_impl_map:
-                sample_keys = list(control_impl_map.keys())[:10]
-                logger.debug(f"Sample control names in map: {sample_keys}")
-
             logger.debug(f"Looking for passing control IDs: {passing_control_ids}")
 
             # Prepare batch updates for passing controls
             implementations_to_update = []
-
-            # Debug: Show what keys are actually in the control_impl_map
-            if control_impl_map:
-                logger.debug(f"Control implementation map keys: {list(control_impl_map.keys())[:20]}")
+            controls_not_found = []
 
             for control_id in passing_control_ids:
-                control_id_lower = control_id.lower()
-                logger.debug(f"Looking for control '{control_id_lower}' in implementation map")
-
-                if control_id_lower in control_impl_map:
-                    impl_id = control_impl_map[control_id_lower]
-                    logger.debug(f"Found matching implementation for '{control_id_lower}': {impl_id}")
-
-                    # Get the ControlImplementation object
-                    impl = ControlImplementation.get_object(object_id=impl_id)
-                    if impl:
-                        # Update status using compliance settings
-                        new_status = self._get_implementation_status_from_result("Pass")
-                        logger.debug(f"Setting control {control_id} status from 'Pass' result to: {new_status}")
-                        impl.status = new_status
-                        impl.dateLastAssessed = get_current_datetime()
-                        impl.lastAssessmentResult = "Pass"
-                        impl.bStatusImplemented = True
-
-                        # Ensure required fields are set if empty
-                        if not impl.responsibility:
-                            impl.responsibility = ControlImplementation.get_default_responsibility(
-                                parent_id=impl.parentId
-                            )
-                            logger.debug(
-                                f"Setting default responsibility for control {control_id}: {impl.responsibility}"
-                            )
-
-                        if not impl.implementation:
-                            impl.implementation = f"Implementation details for {control_id} will be documented."
-                            logger.debug(f"Setting default implementation statement for control {control_id}")
-
-                        # Set audit fields if available
-                        user_id = self.app.config.get("userId")
-                        if user_id:
-                            impl.lastUpdatedById = user_id
-                            impl.dateLastUpdated = get_current_datetime()
-
-                        implementations_to_update.append(impl.dict())
-                        logger.info(f"Marking control {control_id} as {new_status}")
+                # Use ControlMatcher to find implementation with robust control ID matching
+                impl = self._control_matcher.find_control_implementation(
+                    control_id=control_id, parent_id=self.plan_id, parent_module=self.parent_module
+                )
+
+                if impl:
+                    logger.debug(f"Found matching implementation for '{control_id}': {impl.id}")
+
+                    # Update status using compliance settings
+                    new_status = self._get_implementation_status_from_result("Pass")
+                    logger.debug(f"Setting control {control_id} status from 'Pass' result to: {new_status}")
+                    impl.status = new_status
+                    impl.dateLastAssessed = get_current_datetime()
+                    impl.lastAssessmentResult = "Pass"
+                    impl.bStatusImplemented = True
+
+                    # Ensure required fields are set if empty
+                    if not impl.responsibility:
+                        impl.responsibility = ControlImplementation.get_default_responsibility(parent_id=impl.parentId)
+                        logger.debug(f"Setting default responsibility for control {control_id}: {impl.responsibility}")
+
+                    if not impl.implementation:
+                        impl.implementation = f"Implementation details for {control_id} will be documented."
+                        logger.debug(f"Setting default implementation statement for control {control_id}")
+
+                    # Set audit fields if available
+                    user_id = self.app.config.get("userId")
+                    if user_id:
+                        impl.lastUpdatedById = user_id
+                        impl.dateLastUpdated = get_current_datetime()
+
+                    implementations_to_update.append(impl.dict())
+                    logger.info(f"Marking control {control_id} as {new_status}")
+                else:
+                    logger.debug(f"Control '{control_id}' not found in implementation map")
+                    controls_not_found.append(control_id)
+
+            # Log summary
+            if controls_not_found:
+                logger.info(f"Passing control IDs not found in plan: {', '.join(sorted(controls_not_found))}")
+
+            logger.info(
+                f"Control implementation status update summary: {len(implementations_to_update)} found, "
+                f"{len(controls_not_found)} not in plan"
+            )
 
             # Batch update all implementations
             if implementations_to_update:
@@ -957,104 +959,47 @@ class WizComplianceReportProcessor(ComplianceIntegration):
         except Exception as e:
             logger.error(f"Error updating control implementation status: {e}")
 
-    def _update_failing_controls_to_in_remediation(self, control_ids: List[str]) -> None:
-        """
-        Update control implementation status to In Remediation for failing controls.
-
-        :param List[str] control_ids: List of control IDs that are failing
-        :return: None
-        :rtype: None
+    def _prepare_failing_control_update(self, control_id: str) -> Optional[dict]:
         """
-        if not control_ids:
-            return
-
-        try:
-            control_impl_map = self._get_control_implementation_map()
-            if not control_impl_map:
-                return
-
-            implementations_to_update, controls_not_found = self._process_failing_control_ids(
-                control_ids, control_impl_map
-            )
-
-            self._log_update_summary(implementations_to_update, controls_not_found)
-            self._batch_update_implementations(implementations_to_update)
-
-        except Exception as e:
-            logger.error(f"Error updating failing control implementation status: {e}")
-
-    def _get_control_implementation_map(self) -> dict:
-        """Get control implementation map and validate it exists."""
-
-        control_impl_map = ControlImplementation.get_control_label_map_by_parent(
-            parent_id=self.plan_id, parent_module=self.parent_module
-        )
-
-        if not control_impl_map:
-            logger.warning("No control implementation mapping found for security plan")
-            return {}
+        Prepare a single failing control for update.
 
-        logger.debug(f"Control implementation map contains {len(control_impl_map)} entries")
-        return control_impl_map
-
-    def _process_failing_control_ids(self, control_ids: List[str], control_impl_map: dict) -> tuple[list, list]:
-        """Process failing control IDs and return implementations to update and controls not found."""
-
-        logger.debug(f"Looking for failing control IDs: {control_ids}")
-        implementations_to_update = []
-        controls_not_found = []
-
-        # Debug: Show what keys are actually in the control_impl_map for comparison
-        if control_impl_map:
-            logger.debug(f"Control implementation map keys (first 20): {list(control_impl_map.keys())[:20]}")
-
-        for control_id in control_ids:
-            control_id_normalized = control_id.lower()
-            logger.debug(f"Looking for control '{control_id_normalized}' in implementation map")
-
-            if control_id_normalized in control_impl_map:
-                impl = self._update_single_control_implementation(
-                    control_id, control_id_normalized, control_impl_map[control_id_normalized]
-                )
-                if impl:
-                    implementations_to_update.append(impl)
-                else:
-                    controls_not_found.append(control_id)
-            else:
-                logger.debug(f"Control '{control_id_normalized}' not found in implementation map")
-                controls_not_found.append(control_id)
-
-        return implementations_to_update, controls_not_found
-
-    def _update_single_control_implementation(
-        self, control_id: str, control_id_normalized: str, impl_id: int
-    ) -> Optional[dict]:
-        """Update a single control implementation to In Remediation status.
-        :param str control_id: ID of the control to update
-        :param str control_id_normalized: ID of the control to update
-        :param int impl_id: ID of the implementation to update
-        :return: Updated implementation status if implementation exists
+        :param str control_id: Control ID to update
+        :return: Dictionary representation of updated implementation, or None if not found
         :rtype: Optional[dict]
         """
-        from regscale.core.app.utils.app_utils import get_current_datetime
-        from regscale.models.regscale_models import ControlImplementationStatus
-
-        logger.debug(f"Found matching implementation for '{control_id_normalized}': {impl_id}")
+        impl = self._control_matcher.find_control_implementation(
+            control_id=control_id, parent_id=self.plan_id, parent_module=self.parent_module
+        )
 
-        impl = ControlImplementation.get_object(object_id=impl_id)
         if not impl:
-            logger.warning(f"Could not retrieve implementation object for ID {impl_id}")
+            logger.debug(f"Control '{control_id}' not found in implementation map")
             return None
 
-        # Update status using compliance settings
+        logger.debug(f"Found matching implementation for '{control_id}': {impl.id}")
+
         new_status = self._get_implementation_status_from_result("Fail")
         logger.debug(f"Setting control {control_id} status from 'Fail' result to: {new_status}")
+
         impl.status = new_status
         impl.dateLastAssessed = get_current_datetime()
         impl.lastAssessmentResult = "Fail"
         impl.bStatusImplemented = False
 
-        # Ensure required fields are set if empty
+        self._set_default_fields_if_empty(impl, control_id)
+        self._set_audit_fields(impl)
+
+        logger.info(f"Marking control {control_id} as {new_status}")
+        return impl.dict()
+
+    def _set_default_fields_if_empty(self, impl: ControlImplementation, control_id: str) -> None:
+        """
+        Set default values for required fields if they are empty.
+
+        :param ControlImplementation impl: Implementation to update
+        :param str control_id: Control ID for logging
+        :return: None
+        :rtype: None
+        """
         if not impl.responsibility:
             impl.responsibility = ControlImplementation.get_default_responsibility(parent_id=impl.parentId)
             logger.debug(f"Setting default responsibility for control {control_id}: {impl.responsibility}")
@@ -1063,27 +1008,76 @@ class WizComplianceReportProcessor(ComplianceIntegration):
             impl.implementation = f"Implementation details for {control_id} will be documented."
             logger.debug(f"Setting default implementation statement for control {control_id}")
 
-        # Set audit fields if available
+    def _set_audit_fields(self, impl: ControlImplementation) -> None:
+        """
+        Set audit fields on implementation if user ID is available.
+
+        :param ControlImplementation impl: Implementation to update
+        :return: None
+        :rtype: None
+        """
         user_id = self.app.config.get("userId")
         if user_id:
             impl.lastUpdatedById = user_id
             impl.dateLastUpdated = get_current_datetime()
 
-        logger.info(f"Marking control {control_id} as {new_status}")
-        return impl.dict()
+    def _update_failing_controls_to_in_remediation(self, control_ids: List[str]) -> None:
+        """
+        Update control implementation status to In Remediation for failing controls.
+
+        Uses ControlMatcher for robust control ID matching with leading zero normalization.
+
+        :param List[str] control_ids: List of control IDs that are failing
+        :return: None
+        :rtype: None
+        """
+        if not control_ids:
+            return
 
-    def _log_update_summary(self, implementations_to_update: list, controls_not_found: list) -> None:
-        """Log summary of control implementation updates."""
+        try:
+            logger.debug(f"Looking for failing control IDs: {control_ids}")
+
+            implementations_to_update = []
+            controls_not_found = []
+
+            for control_id in control_ids:
+                impl_dict = self._prepare_failing_control_update(control_id)
+                if impl_dict:
+                    implementations_to_update.append(impl_dict)
+                else:
+                    controls_not_found.append(control_id)
+
+            self._log_update_summary(controls_not_found, implementations_to_update)
+            self._batch_update_implementations(implementations_to_update)
+
+        except Exception as e:
+            logger.error(f"Error updating failing control implementation status: {e}")
+
+    def _log_update_summary(self, controls_not_found: List[str], implementations_to_update: List[dict]) -> None:
+        """
+        Log summary of control update operation.
+
+        :param List[str] controls_not_found: List of controls not found
+        :param List[dict] implementations_to_update: List of implementations to update
+        :return: None
+        :rtype: None
+        """
         if controls_not_found:
-            skipped_list = ", ".join(controls_not_found[:5])
-            more_indicator = "..." if len(controls_not_found) > 5 else ""
-            logger.info(
-                f"Control implementation status update summary: {len(implementations_to_update)} found, "
-                f"{len(controls_not_found)} not in plan (skipped: {skipped_list}{more_indicator})"
-            )
+            logger.info(f"Control IDs not found in plan: {', '.join(sorted(controls_not_found))}")
+
+        logger.info(
+            f"Control implementation status update summary: {len(implementations_to_update)} found, "
+            f"{len(controls_not_found)} not in plan"
+        )
+
+    def _batch_update_implementations(self, implementations_to_update: List[dict]) -> None:
+        """
+        Perform batch update of control implementations.
 
-    def _batch_update_implementations(self, implementations_to_update: list) -> None:
-        """Perform batch update of control implementations."""
+        :param List[dict] implementations_to_update: List of implementations to update
+        :return: None
+        :rtype: None
+        """
         if implementations_to_update:
             ControlImplementation.put_batch_implementation(self.app, implementations_to_update)
             logger.debug(f"Updated {len(implementations_to_update)} Control Implementations, Successfully!")
@@ -1551,6 +1545,7 @@ class WizComplianceReportProcessor(ComplianceIntegration):
             rule_id=control_id,
             baseline=representative_item.framework,
             affected_controls=control_id,
+            identification=IssueIdentification.SecurityControlAssessment.value,
         )
 
     def _create_finding_from_compliance_item(self, compliance_item: ComplianceItem) -> Optional[Any]:
@@ -1587,6 +1582,7 @@ class WizComplianceReportProcessor(ComplianceIntegration):
                 rule_id=compliance_item.control_id,
                 baseline=compliance_item.framework,
                 affected_controls=compliance_item.affected_controls,  # Use our property with all control IDs
+                identification=IssueIdentification.SecurityControlAssessment.value,
             )
 
             return finding