regscale-cli 6.26.0.0__py3-none-any.whl → 6.27.0.0__py3-none-any.whl

regscale/integrations/public/fedramp/fedramp_five.py

@@ -2257,7 +2257,7 @@ def create_ports_and_protocols(ports_and_protocols: List[PortsAndProtocolData],
             startPort=port.start_port,
             endPort=port.end_port,
             protocol=port.protocol,
-            purpose=port.purpose,
+            purpose=port.purpose or "N/A",
             usedBy=port.used_by,
             parentId=ssp_id,
             parentModule="securityplans",

regscale/integrations/scanner_integration.py

@@ -713,6 +713,9 @@ class ScannerIntegration(ABC):
         self._no_ccis: bool = False
         self.cci_to_control_map_lock: threading.Lock = threading.Lock()
 
+        # Lock for thread-safe scan history count updates
+        self.scan_history_lock: threading.RLock = threading.RLock()
+
         self.assessment_map: ThreadSafeDict[int, regscale_models.Assessment] = ThreadSafeDict()
         self.assessor_id: str = self.get_assessor_id()
         self.asset_progress: Progress = create_progress_object()
@@ -2654,17 +2657,45 @@ class ScannerIntegration(ABC):
 
     def get_asset_by_identifier(self, identifier: str) -> Optional[regscale_models.Asset]:
         """
-        Gets an asset by its identifier
+        Gets an asset by its identifier with fallback lookups.
+
+        REG-17044: Enhanced to support multiple identifier fields (qualysId, IP, FQDN)
+        to improve asset matching and reduce "asset not found" errors.
 
         :param str identifier: The identifier of the asset
         :return: The asset
         :rtype: Optional[regscale_models.Asset]
         """
-        asset = self.asset_map_by_identifier.get(identifier)
+        # Try primary identifier field first
+        if asset := self.asset_map_by_identifier.get(identifier):
+            return asset
+
+        # Fallback: Try common identifier fields
+        # This helps when asset_identifier_field doesn't match or assets use different identifiers
+        if not asset and identifier:
+            for cached_asset in self.asset_map_by_identifier.values():
+                # Try IP address lookup
+                if getattr(cached_asset, "ipAddress", None) == identifier:
+                    logger.debug(f"Found asset {cached_asset.id} by IP address fallback: {identifier}")
+                    return cached_asset
+                # Try FQDN lookup
+                if getattr(cached_asset, "fqdn", None) == identifier:
+                    logger.debug(f"Found asset {cached_asset.id} by FQDN fallback: {identifier}")
+                    return cached_asset
+                # Try DNS lookup
+                if getattr(cached_asset, "dns", None) == identifier:
+                    logger.debug(f"Found asset {cached_asset.id} by DNS fallback: {identifier}")
+                    return cached_asset
+
+        # Log error if still not found
         if not asset and identifier not in self.alerted_assets:
             self.alerted_assets.add(identifier)
             if not getattr(self, "suppress_asset_not_found_errors", False):
-                self.log_error("1. Asset not found for identifier %s", identifier)
+                self.log_error(
+                    "Asset not found for identifier '%s' (tried %s, ipAddress, fqdn, dns)",
+                    identifier,
+                    self.asset_identifier_field,
+                )
         return asset
 
     def get_issue_by_integration_finding_id(self, integration_finding_id: str) -> Optional[regscale_models.Issue]:
@@ -2862,7 +2893,7 @@ class ScannerIntegration(ABC):
     def _finalize_finding_processing(
         self, scan_history: regscale_models.ScanHistory, current_vulnerabilities: Dict[int, Set[int]]
     ) -> None:
-        """Finalize the finding processing by saving scan history and closing outdated issues."""
+        """Finalize the finding processing by saving scan history and closing outdated vulnerabilities and issues."""
         logger.info(
             f"Saving scan history with final counts - Low: {scan_history.vLow}, Medium: {scan_history.vMedium}, High: {scan_history.vHigh}, Critical: {scan_history.vCritical}, Info: {scan_history.vInfo}"
         )
@@ -2881,6 +2912,7 @@ class ScannerIntegration(ABC):
 
         self._results["scan_history"] = scan_history
         self.update_result_counts("issues", regscale_models.Issue.bulk_save(progress_context=self.finding_progress))
+        self.close_outdated_vulnerabilities(current_vulnerabilities)
         self.close_outdated_issues(current_vulnerabilities)
         self._perform_batch_operations(self.finding_progress)
 
@@ -2986,24 +3018,25 @@ class ScannerIntegration(ABC):
             self._process_checklist_finding(finding)
 
         # Process vulnerability if applicable
-        if finding.status != regscale_models.IssueStatus.Closed or ScannerVariables.ingestClosedIssues:
-            vulnerability_created = self._process_vulnerability_finding(finding, scan_history, current_vulnerabilities)
+        # IMPORTANT: Always track vulnerabilities regardless of status to enable proper issue closure logic
+        # This ensures that current_vulnerabilities dict accurately reflects the scan state
+        vulnerability_created = self._process_vulnerability_finding(finding, scan_history, current_vulnerabilities)
 
+        # Only create/update issues for non-closed findings (unless ingestClosedIssues is enabled)
+        if finding.status != regscale_models.IssueStatus.Closed or ScannerVariables.ingestClosedIssues:
             self.handle_failing_finding(
                 issue_title=finding.issue_title or finding.title,
                 finding=finding,
             )
 
-            # Update scan history severity counts only if vulnerability was successfully created
-            if vulnerability_created:
-                logger.debug(
-                    f"Updating severity count for successfully created vulnerability with severity: {finding.severity}"
-                )
-                self.set_severity_count_for_scan(finding.severity, scan_history)
-            else:
-                logger.debug(
-                    f"Skipping severity count update for finding {finding.external_id} - no vulnerability created"
-                )
+        # Update scan history severity counts only if vulnerability was successfully created
+        if vulnerability_created:
+            logger.debug(
+                f"Updating severity count for successfully created vulnerability with severity: {finding.severity}"
+            )
+            self.set_severity_count_for_scan(finding.severity, scan_history, self.scan_history_lock)
+        else:
+            logger.debug(f"Skipping severity count update for finding {finding.external_id} - no vulnerability created")
 
     def _process_checklist_finding(self, finding: IntegrationFinding) -> None:
         """Process a checklist finding."""
@@ -3260,13 +3293,34 @@ class ScannerIntegration(ABC):
                 vuln_list.append(vuln)
         return vuln_list
 
-    def close_outdated_vulnerabilities(self, current_vulnerabilities: Dict[int, Set[int]]) -> None:
+    def close_outdated_vulnerabilities(self, current_vulnerabilities: Dict[int, Set[int]]) -> int:
         """
         Closes vulnerabilities that are not in the current set of vulnerability IDs for each asset.
 
         :param Dict[int, Set[int]] current_vulnerabilities: Dictionary of asset IDs to lists of current vulnerability IDs
-        :rtype: None
+        :return: Number of vulnerabilities closed
+        :rtype: int
         """
+        if not self.close_outdated_findings:
+            logger.info("Skipping closing outdated vulnerabilities.")
+            return 0
+
+        # Check global preventAutoClose setting
+        from regscale.core.app.application import Application
+
+        app = Application()
+        if app.config.get("preventAutoClose", False):
+            logger.info("Skipping closing outdated vulnerabilities due to global preventAutoClose setting.")
+            return 0
+
+        # REG-17044: Add defensive logging to track vulnerability closure state
+        logger.debug(f"Vulnerability Closure Analysis for {self.title}:")
+        logger.debug(f"  - Assets with current vulnerabilities: {len(current_vulnerabilities)}")
+        total_current_vulns = sum(len(vuln_set) for vuln_set in current_vulnerabilities.values())
+        logger.debug(f"  - Total current vulnerabilities tracked: {total_current_vulns}")
+        if total_current_vulns == 0:
+            logger.warning("No current vulnerabilities tracked - this may close all vulnerabilities!")
+
         # Get all current vulnerability IDs
         current_vuln_ids = {vuln_id for vuln_ids in current_vulnerabilities.values() for vuln_id in vuln_ids}
 
@@ -3289,9 +3343,14 @@ class ScannerIntegration(ABC):
                 vuln.dateClosed = get_current_datetime()
                 vuln.save()
                 closed_count += 1
-                logger.info("Closed vulnerability %d", vuln.id)
+                logger.debug("Closed vulnerability %d", vuln.id)
 
-        logger.info("Closed %d outdated vulnerabilities.", closed_count)
+        (
+            logger.info("Closed %d outdated vulnerabilities.", closed_count)
+            if closed_count > 0
+            else logger.info("No outdated vulnerabilities to close.")
+        )
+        return closed_count
 
     @classmethod
     def close_mappings_list(cls, vuln: regscale_models.Vulnerability) -> None:
@@ -3341,6 +3400,13 @@ class ScannerIntegration(ABC):
             logger.info("Skipping closing outdated issues due to global preventAutoClose setting.")
             return 0
 
+        # REG-17044: Add defensive logging to track issue closure state
+        logger.debug(f"Issue Closure Analysis for {self.title}:")
+        total_current_vulns = sum(len(vuln_set) for vuln_set in current_vulnerabilities.values())
+        logger.debug(f"  - Total current vulnerabilities to check against: {total_current_vulns}")
+        if total_current_vulns == 0:
+            logger.warning("No current vulnerabilities tracked - this may close all issues!")
+
         closed_count = 0
         affected_control_ids = set()
         count_lock = threading.Lock()
@@ -3621,51 +3687,55 @@ class ScannerIntegration(ABC):
         return True
 
     @staticmethod
-    def set_severity_count_for_scan(severity: str, scan_history: regscale_models.ScanHistory) -> None:
+    def set_severity_count_for_scan(
+        severity: str, scan_history: regscale_models.ScanHistory, lock: Optional[threading.RLock] = None
+    ) -> None:
         """
-        Increments the count of the severity
+        Increments the count of the severity in a thread-safe manner.
+
+        NOTE: This method does NOT save the scan_history object. The caller is responsible
+        for saving the scan_history after all increments are complete to avoid race conditions
+        and excessive database writes in multi-threaded environments.
+
         :param str severity: Severity of the vulnerability
         :param regscale_models.ScanHistory scan_history: Scan history object
+        :param Optional[threading.RLock] lock: Thread lock for synchronization (recommended in multi-threaded context)
         :rtype: None
         """
-        logger.debug(f"Setting severity count for scan {scan_history.id}: severity='{severity}'")
-        logger.debug(
-            f"Current counts - Low: {scan_history.vLow}, Medium: {scan_history.vMedium}, High: {scan_history.vHigh}, Critical: {scan_history.vCritical}, Info: {scan_history.vInfo}"
-        )
 
-        if severity == regscale_models.IssueSeverity.Low.value:
-            scan_history.vLow += 1
-            logger.debug(f"Incremented vLow count to {scan_history.vLow}")
-        elif severity == regscale_models.IssueSeverity.Moderate.value:
-            scan_history.vMedium += 1
-            logger.debug(f"Incremented vMedium count to {scan_history.vMedium}")
-        elif severity == regscale_models.IssueSeverity.High.value:
-            scan_history.vHigh += 1
-            logger.debug(f"Incremented vHigh count to {scan_history.vHigh}")
-        elif severity == regscale_models.IssueSeverity.Critical.value:
-            scan_history.vCritical += 1
-            logger.debug(f"Incremented vCritical count to {scan_history.vCritical}")
-        else:
-            scan_history.vInfo += 1
-            logger.debug(f"Incremented vInfo count to {scan_history.vInfo}")
+        def _increment_severity():
+            """Internal method to perform the actual increment."""
+            logger.debug(f"Setting severity count for scan {scan_history.id}: severity='{severity}'")
+            logger.debug(
+                f"Current counts - Low: {scan_history.vLow}, Medium: {scan_history.vMedium}, High: {scan_history.vHigh}, Critical: {scan_history.vCritical}, Info: {scan_history.vInfo}"
+            )
 
-        logger.debug(
-            f"Final counts - Low: {scan_history.vLow}, Medium: {scan_history.vMedium}, High: {scan_history.vHigh}, Critical: {scan_history.vCritical}, Info: {scan_history.vInfo}"
-        )
+            if severity.lower() == regscale_models.IssueSeverity.Low.value.lower():
+                scan_history.vLow += 1
+                logger.debug(f"Incremented vLow count to {scan_history.vLow}")
+            elif severity.lower() == regscale_models.IssueSeverity.Moderate.value.lower():
+                scan_history.vMedium += 1
+                logger.debug(f"Incremented vMedium count to {scan_history.vMedium}")
+            elif severity.lower() == regscale_models.IssueSeverity.High.value.lower():
+                scan_history.vHigh += 1
+                logger.debug(f"Incremented vHigh count to {scan_history.vHigh}")
+            elif severity.lower() == regscale_models.IssueSeverity.Critical.value.lower():
+                scan_history.vCritical += 1
+                logger.debug(f"Incremented vCritical count to {scan_history.vCritical}")
+            else:
+                scan_history.vInfo += 1
+                logger.debug(f"Incremented vInfo count to {scan_history.vInfo}")
 
-        # Save the scan history immediately to persist the count changes
-        try:
-            scan_history.save()
-            logger.debug(f"Successfully saved scan history {scan_history.id} with updated counts")
-        except Exception as e:
-            logger.error(f"Error saving scan history {scan_history.id} after updating counts: {e}")
-            # Try to save again with a fresh fetch
-            try:
-                scan_history.fetch()
-                scan_history.save()
-                logger.debug(f"Successfully saved scan history {scan_history.id} after retry")
-            except Exception as e2:
-                logger.error(f"Failed to save scan history {scan_history.id} after retry: {e2}")
+            logger.debug(
+                f"Updated counts - Low: {scan_history.vLow}, Medium: {scan_history.vMedium}, High: {scan_history.vHigh}, Critical: {scan_history.vCritical}, Info: {scan_history.vInfo}"
+            )
+
+        # Use lock if provided for thread-safe increments
+        if lock:
+            with lock:
+                _increment_severity()
+        else:
+            _increment_severity()
 
     @classmethod
     def cci_assessment(cls, plan_id: int) -> None:

regscale/models/integration_models/cisa_kev_data.json

@@ -1,9 +1,132 @@
 {
     "title": "CISA Catalog of Known Exploited Vulnerabilities",
-    "catalogVersion": "2025.10.02",
-    "dateReleased": "2025-10-02T14:59:13.7696Z",
-    "count": 1427,
+    "catalogVersion": "2025.10.09",
+    "dateReleased": "2025-10-09T16:52:28.6547Z",
+    "count": 1436,
     "vulnerabilities": [
+        {
+            "cveID": "CVE-2021-43798",
+            "vendorProject": "Grafana Labs",
+            "product": "Grafana",
+            "vulnerabilityName": "Grafana Path Traversal Vulnerability",
+            "dateAdded": "2025-10-09",
+            "shortDescription": "Grafana contains a path traversal vulnerability that could allow access to local files.",
+            "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
+            "dueDate": "2025-10-30",
+            "knownRansomwareCampaignUse": "Unknown",
+            "notes": "https:\/\/grafana.com\/blog\/2021\/12\/07\/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix\/ ; https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-43798",
+            "cwes": [
+                "CWE-22"
+            ]
+        },
+        {
+            "cveID": "CVE-2025-27915",
+            "vendorProject": "Synacor",
+            "product": "Zimbra Collaboration Suite (ZCS)",
+            "vulnerabilityName": "Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability",
+            "dateAdded": "2025-10-07",
+            "shortDescription": "Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a tag. This allows an attacker to run arbitrary JavaScript within the victim's session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim's account, including e-mail redirection and data exfiltration.",
+            "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
+            "dueDate": "2025-10-28",
+            "knownRansomwareCampaignUse": "Unknown",
+            "notes": "https:\/\/wiki.zimbra.com\/wiki\/Security_Center ; https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-27915",
+            "cwes": [
+                "CWE-79"
+            ]
+        },
+        {
+            "cveID": "CVE-2021-22555",
+            "vendorProject": "Linux",
+            "product": "Kernel",
+            "vulnerabilityName": "Linux Kernel Heap Out-of-Bounds Write Vulnerability",
+            "dateAdded": "2025-10-06",
+            "shortDescription": "Linux Kernel contains a heap out-of-bounds write vulnerability that could allow an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space.",
+            "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
+            "dueDate": "2025-10-27",
+            "knownRansomwareCampaignUse": "Unknown",
+            "notes": "https:\/\/git.kernel.org\/pub\/scm\/linux\/kernel\/git\/torvalds\/linux.git\/commit\/net\/netfilter\/x_tables.c?id=9fa492cdc160cd27ce1046cb36f47d3b2b1efa21 ; https:\/\/git.kernel.org\/pub\/scm\/linux\/kernel\/git\/torvalds\/linux.git\/commit\/net\/netfilter\/x_tables.c?id=b29c457a6511435960115c0f548c4360d5f4801d ; https:\/\/security.netapp.com\/advisory\/ntap-20210805-0010\/ ; https:\/\/github.com\/google\/security-research\/security\/advisories\/GHSA-xxx5-8mvq-3528 ; https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-22555",
+            "cwes": [
+                "CWE-787"
+            ]
+        },
+        {
+            "cveID": "CVE-2010-3962",
+            "vendorProject": "Microsoft",
+            "product": "Internet Explorer",
+            "vulnerabilityName": "Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability",
+            "dateAdded": "2025-10-06",
+            "shortDescription": "Microsoft Internet Explorer contains an uninitialized memory corruption vulnerability that could allow for remote code execution. The impacted product could be end-of-life (EoL) and\/or end-of-service (EoS). Users should discontinue product utilization.",
+            "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
+            "dueDate": "2025-10-27",
+            "knownRansomwareCampaignUse": "Unknown",
+            "notes": "https:\/\/learn.microsoft.com\/en-us\/security-updates\/SecurityAdvisories\/2010\/2458511?redirectedfrom=MSDN ; https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2010-3962",
+            "cwes": []
+        },
+        {
+            "cveID": "CVE-2021-43226",
+            "vendorProject": "Microsoft",
+            "product": "Windows",
+            "vulnerabilityName": "Microsoft Windows Privilege Escalation Vulnerability",
+            "dateAdded": "2025-10-06",
+            "shortDescription": "Microsoft Windows Common Log File System Driver contains a privilege escalation vulnerability that could allow a local, privileged attacker to bypass certain security mechanisms.",
+            "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
+            "dueDate": "2025-10-27",
+            "knownRansomwareCampaignUse": "Unknown",
+            "notes": "https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-43226 ; https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-43226",
+            "cwes": []
+        },
+        {
+            "cveID": "CVE-2013-3918",
+            "vendorProject": "Microsoft",
+            "product": "Windows",
+            "vulnerabilityName": "Microsoft Windows Out-of-Bounds Write Vulnerability",
+            "dateAdded": "2025-10-06",
+            "shortDescription": "Microsoft Windows contains an out-of-bounds write vulnerability in the InformationCardSigninHelper Class ActiveX control, icardie.dll. An attacker could exploit the vulnerability by constructing a specially crafted webpage. When a user views the webpage, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. The impacted product could be end-of-life (EoL) and\/or end-of-service (EoS). Users should discontinue product utilization.",
+            "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
+            "dueDate": "2025-10-27",
+            "knownRansomwareCampaignUse": "Unknown",
+            "notes": "https:\/\/docs.microsoft.com\/en-us\/security-updates\/securitybulletins\/2013\/ms13-090 ; https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2013-3918",
+            "cwes": []
+        },
+        {
+            "cveID": "CVE-2011-3402",
+            "vendorProject": "Microsoft",
+            "product": "Windows",
+            "vulnerabilityName": "Microsoft Windows Remote Code Execution Vulnerability",
+            "dateAdded": "2025-10-06",
+            "shortDescription": "Microsoft Windows Kernel contains an unspecified vulnerability in the TrueType font parsing engine in win32k.sys in the kernel-mode drivers that allows remote attackers to execute arbitrary code via crafted font data in a Word document or web page.",
+            "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
+            "dueDate": "2025-10-27",
+            "knownRansomwareCampaignUse": "Unknown",
+            "notes": "https:\/\/docs.microsoft.com\/en-us\/security-updates\/securitybulletins\/2011\/ms11-087 ; https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2011-3402",
+            "cwes": []
+        },
+        {
+            "cveID": "CVE-2010-3765",
+            "vendorProject": "Mozilla",
+            "product": "Multiple Products",
+            "vulnerabilityName": "Mozilla Multiple Products Remote Code Execution Vulnerability",
+            "dateAdded": "2025-10-06",
+            "shortDescription": "Mozilla Firefox, SeaMonkey, and Thunderbird contain an unspecified vulnerability when JavaScript is enabled. This allows remote attackers to execute arbitrary code via vectors related to nsCSSFrameConstructor::ContentAppended, the appendChild method, incorrect index tracking, and the creation of multiple frames, which triggers memory corruption.",
+            "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
+            "dueDate": "2025-10-27",
+            "knownRansomwareCampaignUse": "Unknown",
+            "notes": "https:\/\/www.mozilla.org\/en-US\/security\/advisories\/mfsa2010-73 ; https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2010-3765",
+            "cwes": []
+        },
+        {
+            "cveID": "CVE-2025-61882",
+            "vendorProject": "Oracle",
+            "product": "E-Business Suite",
+            "vulnerabilityName": "Oracle E-Business Suite Unspecified Vulnerability",
+            "dateAdded": "2025-10-06",
+            "shortDescription": "Oracle E-Business Suite contains an unspecified vulnerability in the BI Publisher Integration component. The vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Concurrent Processing. Successful attacks can result in takeover of Oracle Concurrent Processing.",
+            "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
+            "dueDate": "2025-10-27",
+            "knownRansomwareCampaignUse": "Known",
+            "notes": "https:\/\/www.oracle.com\/security-alerts\/alert-cve-2025-61882.html ; https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-61882",
+            "cwes": []
+        },
         {
             "cveID": "CVE-2014-6278",
             "vendorProject": "GNU",
@@ -117,7 +240,7 @@
             "shortDescription": "Fortra GoAnywhere MFT contains a deserialization of untrusted data vulnerability allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.",
             "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
             "dueDate": "2025-10-20",
-            "knownRansomwareCampaignUse": "Unknown",
+            "knownRansomwareCampaignUse": "Known",
             "notes": "https:\/\/www.fortra.com\/security\/advisories\/product-security\/fi-2025-012 ; https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-10035",
             "cwes": [
                 "CWE-502",
@@ -5205,7 +5328,7 @@
             "shortDescription": "Microsoft Windows Internet Shortcut Files contains an unspecified vulnerability that allows for a security feature bypass.",
             "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
             "dueDate": "2024-03-05",
-            "knownRansomwareCampaignUse": "Unknown",
+            "knownRansomwareCampaignUse": "Known",
             "notes": "https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2024-21412; https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-21412",
             "cwes": [
                 "CWE-693"
@@ -5295,8 +5418,8 @@
             "shortDescription": "Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure), Ivanti Policy Secure, and Ivanti Neurons contain a server-side request forgery (SSRF) vulnerability in the SAML component that allows an attacker to access certain restricted resources without authentication.",
             "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
             "dueDate": "2024-02-02",
-            "knownRansomwareCampaignUse": "Unknown",
-            "notes": "https:\/\/forums.ivanti.com\/s\/article\/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US;  https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-21893",
+            "knownRansomwareCampaignUse": "Known",
+            "notes": "https:\/\/forums.ivanti.com\/s\/article\/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US ; https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-21893",
             "cwes": [
                 "CWE-918"
             ]
@@ -5445,7 +5568,7 @@
             "shortDescription": "Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the web component that allows an attacker to access restricted resources by bypassing control checks. This vulnerability can be leveraged in conjunction with CVE-2024-21887, a command injection vulnerability.",
             "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
             "dueDate": "2024-01-22",
-            "knownRansomwareCampaignUse": "Unknown",
+            "knownRansomwareCampaignUse": "Known",
             "notes": "Please apply mitigations per vendor instructions. For more information, please see: https:\/\/forums.ivanti.com\/s\/article\/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US ;  https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-46805",
             "cwes": [
                 "CWE-287"
@@ -5460,7 +5583,7 @@
             "shortDescription": "Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web components of these products, which can allow an authenticated administrator to send crafted requests to execute code on affected appliances. This vulnerability can be leveraged in conjunction with CVE-2023-46805, an authenticated bypass issue.",
             "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
             "dueDate": "2024-01-22",
-            "knownRansomwareCampaignUse": "Unknown",
+            "knownRansomwareCampaignUse": "Known",
             "notes": "Please apply mitigations per vendor instructions. For more information, please see: https:\/\/forums.ivanti.com\/s\/article\/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US ; https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-21887",
             "cwes": [
                 "CWE-77"

regscale/models/integration_models/qualys.py

@@ -7,9 +7,8 @@ import logging
 
 # pylint: disable=C0415
 import re
-from calendar import firstweekday
 from datetime import datetime
-from typing import Any, Iterator, List, Optional, TextIO, TypeVar, Union
+from typing import Iterator, List, Optional, TextIO, TypeVar, Union
 
 from openpyxl.reader.excel import load_workbook
 from pandas import Timestamp
@@ -119,7 +118,7 @@ class Qualys(FlatFileImporter):
         return IntegrationAsset(
             name=self.mapping.get_value(dat, DNS),
             ip_address=self.mapping.get_value(dat, IP),
-            status=AssetStatus.Active.value,
+            status=AssetStatus.Active,
             cpu=0,
             ram=0,
             asset_category="Hardware",
@@ -162,7 +161,7 @@ class Qualys(FlatFileImporter):
         description: str = self.mapping.get_value(dat, "Threat")
         title = self.mapping.get_value(dat, self.vuln_title)
         severity = self.mapping.get_value(dat, SEVERITY)
-        regscale_severity = map_qualys_severity_to_regscale(int(severity))[1]
+        regscale_severity, _ = map_qualys_severity_to_regscale(int(severity))
         if dat:
             finding = IntegrationFinding(
                 control_labels=[],  # Add an empty list for control_labels