regscale-cli 6.27.2.0__py3-none-any.whl → 6.28.0.0__py3-none-any.whl

regscale/core/login.py

@@ -6,6 +6,7 @@ from os import getenv
 from typing import Optional, Tuple
 from urllib.parse import urljoin
 
+from requests.exceptions import HTTPError
 from regscale.core.app.api import Api
 from regscale.core.app.utils.app_utils import error_and_exit
 
@@ -14,10 +15,11 @@ logger = logging.getLogger("regscale")
 
 def get_regscale_token(
     api: Api,
-    username: str = getenv("REGSCALE_USER"),
-    password: str = getenv("REGSCALE_PASSWORD"),
-    domain: str = getenv("REGSCALE_DOMAIN"),
+    username: Optional[str] = getenv("REGSCALE_USER"),
+    password: Optional[str] = getenv("REGSCALE_PASSWORD"),
+    domain: Optional[str] = getenv("REGSCALE_DOMAIN"),
     mfa_token: Optional[str] = "",
+    app_id: Optional[int] = 1,
 ) -> Tuple[str, str]:
     """
     Authenticate with RegScale and return a token
@@ -27,6 +29,7 @@ def get_regscale_token(
     :param str password: a string defaulting to the envar REGSCALE_PASSWORD
     :param str domain: a string representing the RegScale domain, checks environment REGSCALE_DOMAIN
     :param Optional[str] mfa_token: MFA token to login with
+    :param Optional[int] app_id: The app ID to login with
     :raises EnvironmentError: if domain is not passed or retrieved
     :return: a tuple of user_id and auth_token
     :rtype: Tuple[str, str]
@@ -47,7 +50,19 @@ def get_regscale_token(
     logger.info("Logging into: %s", domain)
     # suggest structuring the login paths so that they all exist in one place
     url = urljoin(domain, "/api/authentication/login")
-    response = api.post(url=url, json=auth, headers={})
+    try:
+        # Try to authenticate with the new API version
+        auth["appId"] = app_id
+        response = api.post(url=url, json=auth, headers={"X-Api-Version": "2.0"})
+        if response is None:
+            raise HTTPError("No response received from api.post(). Possible connection issue or internal error.")
+        response.raise_for_status()
+        app_id_compatible = True
+    except HTTPError:
+        # Fallback to the old API version
+        del auth["appId"]
+        response = api.post(url=url, json=auth, headers={})
+        app_id_compatible = False
     error_msg = "Unable to authenticate with RegScale. Please check your credentials."
     if response is None:
         logger.error("No response received from api.post(). Possible connection issue or internal error.")
@@ -63,4 +78,6 @@ def get_regscale_token(
         error_and_exit(f"{error_msg}\n{response.status_code}: {response.text}")
     if isinstance(response_dict, str):
         response_dict = json.loads(response_dict)
+    if app_id_compatible:
+        return response_dict["accessToken"]["id"], response_dict["accessToken"]["authToken"]
     return response_dict["id"], response_dict["auth_token"]

regscale/core/utils/date.py

@@ -2,8 +2,10 @@
 # -*- coding: utf-8 -*-
 """Utility functions for handling date and datetime conversions"""
 
+import calendar
 import datetime
 import logging
+import re
 from typing import Any, List, Optional, Union
 
 
@@ -39,7 +41,8 @@ def date_str(date_object: Union[str, datetime.datetime, datetime.date, None], da
             return date_object.strftime(date_format)
 
         return date_object.isoformat()
-    except Exception:
+    except (AttributeError, TypeError, ValueError) as e:
+        logger.debug(f"Error converting date object to string: {e}")
         return ""
 
 
@@ -82,6 +85,7 @@ def date_obj(date_str: Union[str, datetime.datetime, datetime.date, int, None])
 def datetime_obj(date_str: Union[str, datetime.datetime, datetime.date, int, None]) -> Optional[datetime.datetime]:
     """
     Convert a string, datetime, date, integer, or timestamp string to a datetime object.
+    If the day of the month is invalid (e.g., November 31), adjusts to the last valid day of that month.
 
     :param Union[str, datetime.datetime, datetime.date, int, None] date_str: The value to convert.
     :return: The datetime object.
@@ -93,6 +97,10 @@ def datetime_obj(date_str: Union[str, datetime.datetime, datetime.date, int, Non
         try:
             return parse(date_str)
         except ParserError as e:
+            # Try to fix invalid day of month (e.g., 2023/11/31 -> 2023/11/30)
+            if fixed_date := _fix_invalid_day_of_month(date_str):
+                return fixed_date
+
             if date_str and str(date_str).lower() not in ["n/a", "none"]:
                 logger.warning(f"Warning could not parse date string: {date_str}\n{e}")
             return None
@@ -105,6 +113,74 @@ def datetime_obj(date_str: Union[str, datetime.datetime, datetime.date, int, Non
     return None
 
 
+def _parse_date_components(match_groups: tuple) -> tuple[int, int, int]:
+    """
+    Parse year, month, day from regex match groups.
+
+    :param tuple match_groups: Tuple of matched groups from regex
+    :return: Tuple of (year, month, day)
+    :rtype: tuple[int, int, int]
+    """
+    if len(match_groups[0]) == 4:  # First group is year (YYYY/MM/DD)
+        return int(match_groups[0]), int(match_groups[1]), int(match_groups[2])
+    # Last group is year (MM/DD/YYYY)
+    return int(match_groups[2]), int(match_groups[0]), int(match_groups[1])
+
+
+def _adjust_invalid_day(year: int, month: int, day: int) -> Optional[datetime.datetime]:
+    """
+    Adjust invalid day of month to last valid day.
+
+    :param int year: Year
+    :param int month: Month
+    :param int day: Day
+    :return: Adjusted datetime or None if invalid
+    :rtype: Optional[datetime.datetime]
+    """
+    last_valid_day = calendar.monthrange(year, month)[1]
+    if day <= last_valid_day:
+        return None
+
+    logger.warning(f"Invalid day {day} for month {month}/{year}. Adjusting to last valid day: {last_valid_day}")
+    try:
+        return datetime.datetime(year, month, last_valid_day)
+    except ValueError:
+        return None
+
+
+def _fix_invalid_day_of_month(date_str: str) -> Optional[datetime.datetime]:
+    """
+    Attempt to fix an invalid day of month in a date string.
+    For example, 2023/11/31 would become 2023/11/30.
+
+    :param str date_str: The date string to fix
+    :return: A datetime object with a valid day, or None if it can't be fixed
+    :rtype: Optional[datetime.datetime]
+    """
+    try:
+        patterns = [
+            r"(\d{4})[/-](\d{1,2})[/-](\d{1,2})",  # YYYY/MM/DD or YYYY-MM-DD
+            r"(\d{1,2})[/-](\d{1,2})[/-](\d{4})",  # MM/DD/YYYY or MM-DD-YYYY
+        ]
+
+        for pattern in patterns:
+            if not (match := re.search(pattern, date_str)):
+                continue
+
+            year, month, day = _parse_date_components(match.groups())
+
+            if not (1 <= month <= 12):
+                continue
+
+            if result := _adjust_invalid_day(year, month, day):
+                return result
+
+        return None
+    except (ValueError, TypeError, AttributeError, IndexError) as e:
+        logger.debug(f"Could not fix invalid day of month for: {date_str} - {e}")
+        return None
+
+
 def time_str(time_obj: Union[str, datetime.datetime, datetime.time]) -> str:
     """
     Convert a datetime/time object to a string.

regscale/dev/cli.py

@@ -2,8 +2,11 @@
 
 import contextlib
 import os
+import re
 import sys
 
+from pathlib import Path
+
 import click
 from rich.console import Console
 
@@ -231,5 +234,28 @@ def update_docs(readme_token: str, confluence_user: str, confluence_token: str,
                 update_confluence(api, confluence_url, root, file)
 
 
+@cli.command()
+@click.option("--version", "-v", type=click.STRING, help="The version to upgrade the CLI to use.")
+@click.option("--current", "-c", is_flag=True, help="Get the current version of the CLI.")
+def version(version: str, current: bool) -> None:
+    """Manage the version of the regscale-cli package."""
+    from regscale.dev.version import (
+        get_current_version,
+        update_fallback_version_in_version_py,
+        update_version_in_pyproject_toml,
+    )
+
+    if current:
+        print(get_current_version())
+        return
+
+    if not version:
+        print("❌ Please provide a version to upgrade to using the --version flag.")
+        return
+
+    update_version_in_pyproject_toml(version)
+    update_fallback_version_in_version_py(version)
+
+
 if __name__ == "__main__":
     cli()

regscale/dev/version.py

@@ -0,0 +1,72 @@
+#!/usr/bin/env python3
+"""Version management script for regscale-cli."""
+
+import re
+import sys
+from pathlib import Path
+from rich.console import Console
+
+console = Console()
+
+
+def update_version_in_pyproject_toml(version: str) -> None:
+    """
+    Update the version in pyproject.toml.
+
+    :param str version: The version to update to
+    """
+    pyproject_file = "pyproject.toml"
+
+    pyproject_path = Path(pyproject_file)
+    content = pyproject_path.read_text()
+
+    # Update the version
+    pattern = r'version\s*=\s*["\']([^"\']+)["\']'
+    replacement = f'version = "{version}"'
+
+    if re.search(pattern, content):
+        content = re.sub(pattern, replacement, content)
+        pyproject_path.write_text(content)
+        console.print(f"[green]Updated version to {version} in {pyproject_file}")
+    else:
+        console.print(f"[red]Could not find version in {pyproject_file}")
+
+
+def update_fallback_version_in_version_py(version: str) -> None:
+    """
+    Update the fallback version in regscale/_version.py.
+
+    :param str version: The version to update to
+    """
+    version_py_path = Path("regscale/_version.py")
+    content = version_py_path.read_text()
+    pattern = r'return\s*["\'](\d+\.\d+\.\d+\.\d+)["\']\s*# fallback version'
+    replacement = f'return "{version}"  # fallback version'
+    if re.search(pattern, content):
+        content = re.sub(pattern, replacement, content)
+        version_py_path.write_text(content)
+        console.print(f"[green]Updated fallback version to {version} in regscale/_version.py")
+    else:
+        console.print("[red]Could not find fallback version in regscale/_version.py")
+
+
+def get_current_version() -> str:
+    """
+    Get the current version from the package.
+
+    :return: The current version
+    :rtype: str
+    """
+    try:
+        # Add the project root to Python path to ensure we can import regscale
+        project_root = Path(__file__).parent.parent
+        if str(project_root) not in sys.path:
+            sys.path.insert(0, str(project_root))
+
+        from regscale import __version__
+
+        return __version__
+    except ImportError as e:
+        console.print(f"[red]Could not import version from regscale package: {e}")
+        console.print("[yellow]Make sure you're running this script from the project root directory")
+        sys.exit(1)

regscale/integrations/commercial/__init__.py

@@ -43,13 +43,27 @@ show_mapping(aqua, "aqua")
     cls=LazyGroup,
     lazy_subcommands={
         "sync_assets": "regscale.integrations.commercial.aws.cli.sync_assets",
+        "sync_findings": "regscale.integrations.commercial.aws.cli.sync_findings",
         "sync_findings_and_assets": "regscale.integrations.commercial.aws.cli.sync_findings_and_assets",
+        "sync_compliance": "regscale.integrations.commercial.aws.cli.sync_compliance",
+        "sync_config_compliance": "regscale.integrations.commercial.aws.cli.sync_config_compliance",
+        "sync_kms": "regscale.integrations.commercial.aws.cli.sync_kms",
+        "sync_org": "regscale.integrations.commercial.aws.cli.sync_org",
+        "sync_iam": "regscale.integrations.commercial.aws.cli.sync_iam",
+        "sync_guardduty": "regscale.integrations.commercial.aws.cli.sync_guardduty",
+        "sync_s3": "regscale.integrations.commercial.aws.cli.sync_s3",
+        "sync_cloudtrail": "regscale.integrations.commercial.aws.cli.sync_cloudtrail",
+        "sync_cloudwatch": "regscale.integrations.commercial.aws.cli.sync_cloudwatch",
+        "sync_ssm": "regscale.integrations.commercial.aws.cli.sync_ssm",
+        "inventory": "regscale.integrations.commercial.aws.cli.inventory",
+        "findings": "regscale.integrations.commercial.aws.cli.findings",
+        "auth": "regscale.integrations.commercial.aws.cli.auth",
         "inspector": "regscale.integrations.commercial.aws.cli.inspector",
     },
     name="aws",
 )
 def aws():
-    """AWS Integrations"""
+    """AWS Integrations - Asset sync, findings, compliance, and inventory collection"""
     pass
 
 

regscale/integrations/commercial/amazon/amazon/common.py

@@ -0,0 +1,204 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+"""RegScale AWS Integrations"""
+import re
+from datetime import datetime, timedelta
+from typing import Any, Optional, Tuple
+
+from botocore.client import BaseClient
+from botocore.exceptions import ClientError
+from dateutil import parser
+
+from regscale.core.app.utils.app_utils import create_logger
+
+logger = create_logger()
+
+# Error message constants
+ERROR_MSG_FETCHING_AWS_RESOURCES = "Unexpected error when fetching resources from AWS: %s"
+
+
+def check_finding_severity(comment: Optional[str]) -> str:
+    """Check the severity of the finding
+
+    :param Optional[str] comment: Comment from AWS Security Hub finding
+    :return: Severity of the finding
+    :rtype: str
+    """
+    result = ""
+    match = re.search(r"(?<=Finding Severity: ).*", comment)
+    if match:
+        severity = match.group()
+        result = severity  # Output: "High"
+    return result
+
+
+def get_due_date(earliest_date_performed: datetime, days: int) -> datetime:
+    """Returns the due date for an issue
+
+    :param datetime earliest_date_performed: Earliest date performed
+    :param int days: Days to add to the earliest date performed
+    :return: Due date
+    :rtype: datetime
+    """
+    fmt = "%Y-%m-%dT%H:%M:%S.%fZ"
+    try:
+        due_date = datetime.strptime(earliest_date_performed, fmt) + timedelta(days=days)
+    except ValueError:
+        # Try to determine the date format from a string
+        due_date = parser.parse(earliest_date_performed) + timedelta(days)
+    return due_date
+
+
+def determine_status_and_results(finding: Any) -> Tuple[str, Optional[str]]:
+    """
+    Determine Status and Results
+
+    :param Any finding: AWS Finding
+    :return: Status and Results
+    :rtype: Tuple[str, Optional[str]]
+    """
+    status = "Pass"
+    results = None
+    if "Compliance" in finding.keys():
+        status = "Fail" if finding["Compliance"]["Status"] == "FAILED" else "Pass"
+        results = ", ".join(finding.get("Compliance", {}).get("RelatedRequirements", [])) or "N/A"
+    if "FindingProviderFields" in finding.keys():
+        status = (
+            "Fail"
+            if finding.get("FindingProviderFields", {}).get("Severity", {}).get("Label", "")
+            in ["CRITICAL", "HIGH", "MEDIUM", "LOW"]
+            else "Pass"
+        )
+    if "PatchSummary" in finding.keys() and not results:
+        results = (
+            f"{finding.get('PatchSummary', {}).get('MissingCount', 0)} Missing Patch(s) of "
+            "{finding.get('PatchSummary', {}).get('InstalledCount', 0)}"
+        )
+    return status, results
+
+
+def get_comments(finding: dict) -> str:
+    """
+    Get Comments
+
+    :param dict finding: AWS Finding
+    :return: Comments
+    :rtype: str
+    """
+    try:
+        return (
+            finding["Remediation"]["Recommendation"]["Text"]
+            + "<br></br>"
+            + finding["Remediation"]["Recommendation"]["Url"]
+            + "<br></br>"
+            + f"""Finding Severity: {finding["FindingProviderFields"]["Severity"]["Label"]}"""
+        )
+    except KeyError:
+        return "No remediation recommendation available"
+
+
+def fetch_aws_findings(
+    aws_client: BaseClient, minimum_severity: Optional[str] = None, posture_management_only: bool = False
+) -> list:
+    """Fetch AWS Findings with optimized rate limiting and pagination
+
+    :param BaseClient aws_client: AWS Security Hub Client
+    :param Optional[str] minimum_severity: Minimum severity to filter (CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL)
+    :param bool posture_management_only: If True, only fetch posture management findings (compliance checks)
+    :return: AWS Findings
+    :rtype: list
+    """
+    findings = []
+    try:
+        # Use optimized SecurityHubPuller for better performance
+        from regscale.integrations.commercial.aws.security_hub import SecurityHubPuller
+
+        # Extract region from the client
+        region = aws_client.meta.region_name
+
+        # Create SecurityHubPuller with same region as the client
+        puller = SecurityHubPuller(region_name=region)
+
+        # Use existing client instead of creating new one to maintain credentials
+        puller.client = aws_client
+
+        # Fetch all findings with optimized pagination and rate limiting
+        logger.info("Using optimized SecurityHubPuller for findings retrieval...")
+
+        # Determine severity labels if minimum_severity is provided
+        severity_labels = None
+        if minimum_severity:
+            severity_labels = SecurityHubPuller.get_severity_filters_from_minimum(minimum_severity)
+            logger.info(f"Applying minimum severity filter '{minimum_severity}': {severity_labels}")
+
+        # Fetch findings based on type requested
+        if posture_management_only:
+            logger.info("Fetching posture management findings only (security standards compliance checks)")
+            findings = puller.get_posture_management_findings(severity_labels=severity_labels)
+        elif severity_labels:
+            findings = puller.get_findings_by_severity(severity_labels=severity_labels)
+        else:
+            findings = puller.get_all_findings_with_retries()
+
+        logger.info(f"Successfully fetched {len(findings)} findings with rate limiting")
+
+    except ImportError:
+        # Fallback to original method if SecurityHubPuller not available
+        logger.warning("SecurityHubPuller not available, falling back to basic client")
+        findings = fallback_fetch_aws_findings(aws_client)
+    except ClientError as cex:
+        logger.error("Unexpected error: %s", cex)
+    except Exception as e:
+        logger.error("Error using SecurityHubPuller, falling back to basic client: %s", e)
+        findings = fallback_fetch_aws_findings(aws_client)
+
+    return findings
+
+
+def fallback_fetch_aws_findings(aws_client: BaseClient) -> list:
+    """Fallback method to fetch AWS Findings without pagination
+
+    :param BaseClient aws_client: AWS Security Hub Client
+    :return: AWS Findings
+    :rtype: list
+    """
+    findings = []
+    try:
+        response = aws_client.get_findings()
+        findings = response.get("Findings", [])
+    except ClientError as cex:
+        create_logger().error(ERROR_MSG_FETCHING_AWS_RESOURCES, cex)
+    return findings
+
+
+def fetch_aws_findings_v2(aws_client: BaseClient) -> list:
+    """Fetch AWS Findings
+
+    :param BaseClient aws_client: AWS Security Hub Client
+    :return: AWS Findings
+    :rtype: list
+    """
+    findings = []
+    try:
+        response = aws_client.get_findings_v2()
+        findings = response.get("Findings", [])
+    except ClientError as cex:
+        create_logger().error(ERROR_MSG_FETCHING_AWS_RESOURCES, cex)
+    return findings
+
+
+def fetch_aws_resources(aws_client: BaseClient) -> list:
+    """Fetch AWS Resources
+
+    :param BaseClient aws_client: AWS Security Hub Client
+    :return: AWS Resources
+    :rtype: list
+    """
+    resources = []
+    try:
+        response = aws_client.get_resources_v2()
+        resources = response.get("Resources", [])
+        logger.info(f"Fetched {len(resources)} resources from Security Hub")
+    except ClientError as cex:
+        create_logger().error(ERROR_MSG_FETCHING_AWS_RESOURCES, cex)
+    return resources