regscale-cli 6.27.3.0__py3-none-any.whl → 6.28.1.0__py3-none-any.whl

regscale/integrations/scanner_integration.py

@@ -22,7 +22,7 @@ from regscale.core.app.application import Application
 from regscale.core.app.utils.api_handler import APIHandler
 from regscale.core.app.utils.app_utils import create_progress_object, get_current_datetime
 from regscale.core.app.utils.catalog_utils.common import objective_to_control_dot
-from regscale.core.utils.date import date_obj, date_str, datetime_str, get_day_increment
+from regscale.core.utils.date import date_obj, date_str, datetime_str
 from regscale.integrations.commercial.durosuite.process_devices import scan_durosuite_devices
 from regscale.integrations.commercial.durosuite.variables import DuroSuiteVariables
 from regscale.integrations.commercial.stig_mapper_integration.mapping_engine import StigMappingEngine as STIGMapper
@@ -649,6 +649,9 @@ class ScannerIntegration(ABC):
     # Error suppression options
     suppress_asset_not_found_errors = False
 
+    # CCI mapping flag - set to False for integrations that don't use CCI references
+    enable_cci_mapping = True
+
     def __init__(self, plan_id: int, tenant_id: int = 1, is_component: bool = False, **kwargs):
         """
         Initialize the ScannerIntegration.
@@ -658,6 +661,7 @@ class ScannerIntegration(ABC):
         :param bool is_component: Whether this is a component integration
         :param kwargs: Additional keyword arguments
             - suppress_asset_not_found_errors (bool): If True, suppress "Asset not found" error messages
+            - import_all_findings (bool): If True, import findings even if they are not associated to an asset
         """
         self.app = Application()
         self.alerted_assets: Set[str] = set()
@@ -669,6 +673,7 @@ class ScannerIntegration(ABC):
 
         # Set configuration options from kwargs
         self.suppress_asset_not_found_errors = kwargs.get("suppress_asset_not_found_errors", False)
+        self.import_all_findings = kwargs.get("import_all_findings", False)
 
         # Initialize due date handler for this integration
         self.due_date_handler = DueDateHandler(self.title, config=self.app.config)
@@ -711,6 +716,7 @@ class ScannerIntegration(ABC):
 
         self.cci_to_control_map: ThreadSafeDict[str, set[int]] = ThreadSafeDict()
         self._no_ccis: bool = False
+        self._cci_map_loaded: bool = False
         self.cci_to_control_map_lock: threading.Lock = threading.Lock()
 
         # Lock for thread-safe scan history count updates
@@ -726,6 +732,12 @@ class ScannerIntegration(ABC):
         thread_safe_kev_data.update(kev_data)
         self._kev_data = thread_safe_kev_data
 
+        # Issue lookup cache for performance optimization
+        # Eliminates N+1 API calls by caching issues and indexing by integrationFindingId
+        # Populated lazily on first use during findings processing
+        self._integration_finding_id_cache: Optional[ThreadSafeDict[str, List[regscale_models.Issue]]] = None
+        self._issue_cache_lock: threading.RLock = threading.RLock()
+
     @classmethod
     def _get_lock(cls, key: str) -> threading.RLock:
         """
@@ -864,15 +876,33 @@ class ScannerIntegration(ABC):
         :return: The CCI to control map
         :rtype: ThreadSafeDict[str, set[int]] | dict
         """
+        # If we know there are no CCIs, return immediately
         if self._no_ccis:
             return self.cci_to_control_map
+
+        # If we've already loaded (or attempted to load) the map, return it
+        if self._cci_map_loaded:
+            return self.cci_to_control_map
+
         with self.cci_to_control_map_lock:
-            if any(self.cci_to_control_map):
+            # Double-check inside the lock
+            if self._cci_map_loaded:
                 return self.cci_to_control_map
-            logger.info("Getting CCI to control map...")
-            self.cci_to_control_map = regscale_models.map_ccis_to_control_ids(parent_id=self.plan_id)  # type: ignore
-            if not any(self.cci_to_control_map):
+
+            logger.debug("Loading CCI to control map...")
+            try:
+                loaded_map = regscale_models.map_ccis_to_control_ids(parent_id=self.plan_id)  # type: ignore
+                if loaded_map:
+                    self.cci_to_control_map.update(loaded_map)
+                else:
+                    self._no_ccis = True
+            except Exception as e:
+                logger.debug(f"Could not load CCI to control map: {e}")
                 self._no_ccis = True
+            finally:
+                # Mark as loaded regardless of success/failure to prevent repeated attempts
+                self._cci_map_loaded = True
+
             return self.cci_to_control_map
 
     def get_control_to_cci_map(self) -> dict[int, set[str]]:
@@ -1905,16 +1935,74 @@ class ScannerIntegration(ABC):
 
         return None
 
+    def _populate_issue_lookup_cache(self) -> None:
+        """
+        Populate the issue lookup cache by fetching all issues for the plan and indexing by integrationFindingId.
+
+        This eliminates N+1 API calls during findings processing by creating an in-memory index.
+        Thread-safe for concurrent access.
+        """
+        with self._issue_cache_lock:
+            # Double-check locking pattern - check if cache already populated
+            if self._integration_finding_id_cache is not None:
+                return
+
+            module_str = "component" if self.is_component else "security plan"
+            logger.info(f"Building issue lookup index for {module_str} {self.plan_id}...")
+            start_time = time.time()
+
+            # Fetch all issues for the security plan
+            all_issues = regscale_models.Issue.fetch_issues_by_ssp(app=self.app, ssp_id=self.plan_id)
+
+            # Build index: integrationFindingId -> List[Issue]
+            cache = ThreadSafeDict()
+            indexed_count = 0
+
+            for issue in all_issues:
+                if issue.integrationFindingId:
+                    finding_id = issue.integrationFindingId
+                    if finding_id not in cache:
+                        cache[finding_id] = []
+                    cache[finding_id].append(issue)
+                    indexed_count += 1
+
+            self._integration_finding_id_cache = cache
+
+            elapsed = time.time() - start_time
+            logger.info(
+                f"Issue lookup index built: {indexed_count} issues indexed from {len(all_issues)} total issues "
+                f"({len(cache)} unique finding IDs) in {elapsed:.2f}s"
+            )
+
     def _get_existing_issues_for_finding(
         self, finding_id: str, finding: IntegrationFinding
     ) -> List[regscale_models.Issue]:
-        """Get existing issues for the finding using various lookup methods."""
-        existing_issues = regscale_models.Issue.find_by_integration_finding_id(finding_id)
+        """
+        Get existing issues for the finding using cached lookup (fast) or API fallback (slow).
+
+        NEW BEHAVIOR:
+        - First lookup uses cache (O(1) dictionary lookup, no API call)
+        - Cache is populated lazily on first call
+        - Falls back to API only if finding not in cache and has external_id
+        """
+        # Populate cache on first use (lazy initialization)
+        if self._integration_finding_id_cache is None:
+            self._populate_issue_lookup_cache()
+
+        # FAST PATH: Check cache first (O(1) lookup, no API call)
+        existing_issues = self._integration_finding_id_cache.get(finding_id, [])
 
-        # If no issues found by integrationFindingId, try fallback lookup by identifier fields
+        # FALLBACK PATH: Only if no issues found in cache AND external_id exists
+        # This handles edge cases where integrationFindingId might be missing but other identifiers exist
         if not existing_issues and finding.external_id:
+            logger.debug(f"Issue not found in cache for finding_id={finding_id}, trying identifier fallback")
             existing_issues = self._find_issues_by_identifier_fallback(finding.external_id)
 
+            # Cache the fallback result to avoid future API lookups
+            if existing_issues:
+                with self._issue_cache_lock:
+                    self._integration_finding_id_cache[finding_id] = existing_issues
+
         return existing_issues
 
     def _find_issue_for_open_status(
@@ -2805,11 +2893,29 @@ class ScannerIntegration(ABC):
         scan_history = self.create_scan_history()
         current_vulnerabilities: Dict[int, Set[int]] = defaultdict(set)
         processed_findings_count = 0
+
+        # Convert iterator to list so we can check findings and avoid re-iteration issues
+        findings_list = list(findings)
+
+        # Set the number of findings to process for progress tracking
+        self.num_findings_to_process = len(findings_list)
         loading_findings = self._setup_finding_progress()
 
+        # Pre-load CCI to control map before threading ONLY if:
+        # 1. The integration has CCI mapping enabled (enable_cci_mapping = True)
+        # 2. Findings contain actual CCI references
+        # This avoids expensive unnecessary API calls for integrations that don't use CCIs (e.g., AWS)
+        if self.enable_cci_mapping:
+            has_cci_refs = any(
+                getattr(f, "cci_ref", None) is not None and getattr(f, "cci_ref", None) != "" for f in findings_list
+            )
+            if has_cci_refs:
+                logger.debug("Pre-loading CCI to control map...")
+                _ = self.get_cci_to_control_map()
+
         # Process findings
         processed_findings_count = self._process_findings_with_threading(
-            findings, scan_history, current_vulnerabilities, loading_findings
+            iter(findings_list), scan_history, current_vulnerabilities, loading_findings
         )
 
         # Finalize processing
@@ -2818,6 +2924,8 @@ class ScannerIntegration(ABC):
         # Complete the finding progress bar
         self._complete_finding_progress(loading_findings, processed_findings_count)
 
+        logger.info(f"Successfully processed {processed_findings_count} findings from {self.title}")
+
         return processed_findings_count
 
     def _setup_finding_progress(self):
@@ -3055,10 +3163,12 @@ class ScannerIntegration(ABC):
 
     def _process_checklist_finding(self, finding: IntegrationFinding) -> None:
         """Process a checklist finding."""
-        if not (asset := self.get_asset_by_identifier(finding.asset_identifier)):
+        asset = self.get_asset_by_identifier(finding.asset_identifier)
+        if not asset:
             if not getattr(self, "suppress_asset_not_found_errors", False):
                 logger.error("2. Asset not found for identifier %s", finding.asset_identifier)
-            return
+            if not getattr(self, "import_all_findings", False):
+                return
 
         tool = regscale_models.ChecklistTool.STIGs
         if finding.vulnerability_type == "Vulnerability Scan":
@@ -3073,7 +3183,7 @@ class ScannerIntegration(ABC):
         logger.debug("Create or update checklist for %s", finding.external_id)
         regscale_models.Checklist(
             status=checklist_status_str,
-            assetId=asset.id,
+            assetId=asset.id if asset else None,
             tool=tool,
             baseline=finding.baseline,
             vulnerabilityId=finding.vulnerability_number,
@@ -3108,7 +3218,8 @@ class ScannerIntegration(ABC):
         """Process a vulnerability finding and return whether vulnerability was created."""
         logger.debug(f"Processing vulnerability for finding {finding.external_id} with status {finding.status}")
 
-        if asset := self.get_asset_by_identifier(finding.asset_identifier):
+        asset = self.get_asset_by_identifier(finding.asset_identifier)
+        if asset:
             logger.debug(f"Found asset {asset.id} for finding {finding.external_id}")
             if vulnerability_id := self.handle_vulnerability(finding, asset, scan_history):
                 current_vulnerabilities[asset.id].add(vulnerability_id)
@@ -3120,6 +3231,15 @@ class ScannerIntegration(ABC):
                 logger.debug(f"Vulnerability creation failed for finding {finding.external_id}")
         else:
             logger.debug(f"No asset found for finding {finding.external_id} with identifier {finding.asset_identifier}")
+            if getattr(self, "import_all_findings", False):
+                logger.debug("import_all_findings is True, attempting to create vulnerability without asset")
+                if vulnerability_id := self.handle_vulnerability(finding, None, scan_history):
+                    logger.debug(
+                        f"Vulnerability created successfully for finding {finding.external_id} with ID {vulnerability_id}"
+                    )
+                    return True
+                else:
+                    logger.debug(f"Vulnerability creation failed for finding {finding.external_id}")
 
         return False
 
@@ -3140,109 +3260,190 @@ class ScannerIntegration(ABC):
         """
         logger.debug(f"Processing vulnerability for finding: {finding.external_id} - {finding.title}")
 
-        # Check for required fields - either plugin_name or cve must be present
+        # Validate required fields
+        if not self._has_required_vulnerability_fields(finding):
+            return None
+
+        # Check asset requirements
+        if not self._check_asset_requirements(finding, asset):
+            return None
+
+        if asset:
+            logger.debug(f"Found asset: {asset.id} for finding {finding.external_id}")
+
+        # Create vulnerability with retry logic
+        return self._create_vulnerability_with_retry(finding, asset, scan_history)
+
+    def _has_required_vulnerability_fields(self, finding: IntegrationFinding) -> bool:
+        """Check if finding has required fields (plugin_name or cve)."""
         plugin_name = getattr(finding, "plugin_name", None)
         cve = getattr(finding, "cve", None)
 
         if not plugin_name and not cve:
             logger.warning("No Plugin Name or CVE found for finding %s", finding.title)
             logger.debug(f"Finding plugin_name: {plugin_name}, cve: {cve}")
-            return None
-
-        if not asset:
-            if not getattr(self, "suppress_asset_not_found_errors", False):
-                logger.warning(
-                    "VulnerabilityMapping Error: Asset not found for identifier %s", finding.asset_identifier
-                )
-            return None
+            return False
 
-        logger.debug(f"Found asset: {asset.id} for finding {finding.external_id}")
         logger.debug(f"Finding plugin_name: {plugin_name}, cve: {cve}")
+        return True
+
+    def _check_asset_requirements(self, finding: IntegrationFinding, asset: Optional[regscale_models.Asset]) -> bool:
+        """Check if asset requirements are met."""
+        if asset:
+            return True
+
+        if getattr(self, "import_all_findings", False):
+            logger.debug("Asset not found but import_all_findings is True, continuing without asset")
+            return True
+
+        if not getattr(self, "suppress_asset_not_found_errors", False):
+            logger.warning("VulnerabilityMapping Error: Asset not found for identifier %s", finding.asset_identifier)
+        return False
 
-        # Add retry logic for vulnerability creation
+    def _create_vulnerability_with_retry(
+        self,
+        finding: IntegrationFinding,
+        asset: Optional[regscale_models.Asset],
+        scan_history: regscale_models.ScanHistory,
+    ) -> Optional[int]:
+        """Create vulnerability with retry logic."""
         max_retries = 3
         retry_delay = 2  # seconds
 
         for attempt in range(max_retries):
-            try:
-                logger.debug(f"Creating vulnerability for finding {finding.external_id} (attempt {attempt + 1})")
-                vulnerability = self.create_vulnerability_from_finding(finding, asset, scan_history)
-                finding.vulnerability_id = vulnerability.id
-                logger.debug(f"Successfully created vulnerability {vulnerability.id} for finding {finding.external_id}")
-
-                if ScannerVariables.vulnerabilityCreation.lower() != "noissue":
-                    # Handle associated issue
-                    self.create_or_update_issue_from_finding(
-                        title=finding.title,
-                        finding=finding,
-                    )
+            vulnerability_id = self._try_create_vulnerability(
+                finding, asset, scan_history, attempt, max_retries, retry_delay
+            )
+            if vulnerability_id is not None:
+                return vulnerability_id
 
-                return vulnerability.id
+            if attempt < max_retries - 1:
+                time.sleep(retry_delay)
+                retry_delay *= 2  # Exponential backoff
 
-            except Exception as e:
-                if attempt < max_retries - 1:
-                    logger.warning(
-                        f"Vulnerability creation failed for finding {finding.external_id} (attempt {attempt + 1}/{max_retries}): {e}. Retrying in {retry_delay} seconds..."
-                    )
-                    import time
+        return None
 
-                    time.sleep(retry_delay)
-                    retry_delay *= 2  # Exponential backoff
-                else:
-                    logger.error(
-                        f"Failed to create vulnerability for finding {finding.external_id} after {max_retries} attempts: {e}"
-                    )
-                    return None
+    def _try_create_vulnerability(
+        self,
+        finding: IntegrationFinding,
+        asset: Optional[regscale_models.Asset],
+        scan_history: regscale_models.ScanHistory,
+        attempt: int,
+        max_retries: int,
+        retry_delay: int,
+    ) -> Optional[int]:
+        """Try to create vulnerability for a single attempt."""
+        try:
+            logger.debug(f"Creating vulnerability for finding {finding.external_id} (attempt {attempt + 1})")
+            vulnerability = self.create_vulnerability_from_finding(finding, asset, scan_history)
+            finding.vulnerability_id = vulnerability.id
+            logger.debug(f"Successfully created vulnerability {vulnerability.id} for finding {finding.external_id}")
+
+            self._handle_associated_issue(finding)
+            return vulnerability.id
+
+        except Exception as e:
+            self._handle_vulnerability_creation_error(e, finding, attempt, max_retries, retry_delay)
+            return None
+
+    def _handle_associated_issue(self, finding: IntegrationFinding) -> None:
+        """Handle associated issue creation if needed."""
+        if ScannerVariables.vulnerabilityCreation.lower() != "noissue":
+            self.create_or_update_issue_from_finding(
+                title=finding.title,
+                finding=finding,
+            )
+
+    def _handle_vulnerability_creation_error(
+        self, error: Exception, finding: IntegrationFinding, attempt: int, max_retries: int, retry_delay: int
+    ) -> None:
+        """Handle error during vulnerability creation."""
+        if attempt < max_retries - 1:
+            logger.warning(
+                f"Vulnerability creation failed for finding {finding.external_id} "
+                f"(attempt {attempt + 1}/{max_retries}): {error}. "
+                f"Retrying in {retry_delay} seconds..."
+            )
+        else:
+            logger.error(
+                f"Failed to create vulnerability for finding {finding.external_id} "
+                f"after {max_retries} attempts: {error}"
+            )
 
     def create_vulnerability_from_finding(
-        self, finding: IntegrationFinding, asset: regscale_models.Asset, scan_history: regscale_models.ScanHistory
+        self,
+        finding: IntegrationFinding,
+        asset: Optional[regscale_models.Asset],
+        scan_history: regscale_models.ScanHistory,
     ) -> regscale_models.Vulnerability:
         """
         Creates a vulnerability from an integration finding.
 
         :param IntegrationFinding finding: The integration finding
-        :param regscale_models.Asset asset: The associated asset
+        :param Optional[regscale_models.Asset] asset: The associated asset (can be None if import_all_findings is True)
         :param regscale_models.ScanHistory scan_history: The scan history
         :return: The created vulnerability
         :rtype: regscale_models.Vulnerability
         """
         logger.debug(f"Creating vulnerability object for finding {finding.external_id}")
 
-        logger.debug(f"Finding severity: '{finding.severity}' (type: {type(finding.severity)})")
-        mapped_severity = self.issue_to_vulnerability_map.get(
-            finding.severity, regscale_models.VulnerabilitySeverity.Low
-        )
-        logger.debug(f"Mapped severity: {mapped_severity}")
+        # Create vulnerability object
+        vulnerability = self._build_vulnerability_object(finding, asset, scan_history)
+
+        # Save vulnerability
+        logger.debug(f"Calling create_or_update for vulnerability with title: {vulnerability.title}")
+        vulnerability = vulnerability.create_or_update()
+        logger.debug(f"Vulnerability created/updated with ID: {vulnerability.id}")
+
+        # Create mapping if asset exists
+        if asset:
+            self._create_vulnerability_mapping(vulnerability, finding, asset, scan_history)
+        else:
+            logger.debug(
+                f"Skipping VulnerabilityMapping creation for vulnerability {vulnerability.id} - no asset provided"
+            )
 
-        vulnerability = regscale_models.Vulnerability(
+        return vulnerability
+
+    def _build_vulnerability_object(
+        self,
+        finding: IntegrationFinding,
+        asset: Optional[regscale_models.Asset],
+        scan_history: regscale_models.ScanHistory,
+    ) -> regscale_models.Vulnerability:
+        """Build the vulnerability object from finding data."""
+        # Get mapped values
+        severity = self._get_mapped_severity(finding)
+        ip_address = self._get_ip_address(finding, asset)
+        dns = self._get_dns(asset)
+        operating_system = self._get_operating_system(asset)
+
+        return regscale_models.Vulnerability(
             title=finding.title,
             cve=finding.cve,
-            vprScore=(
-                finding.vpr_score if hasattr(finding, "vprScore") else None
-            ),  # If this is the VPR score, otherwise use a different field
-            cvsSv3BaseScore=finding.cvss_v3_base_score or finding.cvss_v3_score or finding.cvss_score,
+            vprScore=self._get_vpr_score(finding),
+            cvsSv3BaseScore=self._get_cvss_v3_score(finding),
             cvsSv2BaseScore=finding.cvss_v2_score,
             cvsSv3BaseVector=finding.cvss_v3_vector,
             cvsSv2BaseVector=finding.cvss_v2_vector,
             scanId=scan_history.id,
-            severity=mapped_severity,
+            severity=severity,
             description=finding.description,
             dateLastUpdated=finding.date_last_updated,
             parentId=self.plan_id,
             parentModule=self.parent_module,
-            dns=asset.fqdn or "unknown",
+            dns=dns,
             status=regscale_models.VulnerabilityStatus.Open,
-            ipAddress=finding.ip_address or asset.ipAddress or "",
+            ipAddress=ip_address,
             firstSeen=finding.first_seen,
             lastSeen=finding.last_seen,
-            plugInName=finding.cve or finding.plugin_name,  # Use CVE if available, otherwise use plugin name
-            plugInId=finding.plugin_id,
-            exploitAvailable=None,  # Set this if you have information about exploit availability
-            plugInText=finding.plugin_text
-            or finding.observations,  # or finding.evidence, whichever is more appropriate
-            port=finding.port if hasattr(finding, "port") else None,
-            protocol=finding.protocol if hasattr(finding, "protocol") else None,
-            operatingSystem=asset.operatingSystem if hasattr(asset, "operatingSystem") else None,
+            plugInName=finding.cve or finding.plugin_name,
+            plugInId=finding.plugin_id or finding.external_id,
+            exploitAvailable=None,
+            plugInText=finding.plugin_text or finding.observations,
+            port=getattr(finding, "port", None),
+            protocol=getattr(finding, "protocol", None),
+            operatingSystem=operating_system,
             fixedVersions=finding.fixed_versions,
             buildVersion=finding.build_version,
             fixStatus=finding.fix_status,
@@ -3253,14 +3454,68 @@ class ScannerIntegration(ABC):
             affectedPackages=finding.affected_packages,
         )
 
-        logger.debug(f"Calling create_or_update for vulnerability with title: {vulnerability.title}")
-        vulnerability = vulnerability.create_or_update()
-        logger.debug(f"Vulnerability created/updated with ID: {vulnerability.id}")
+    def _get_mapped_severity(self, finding: IntegrationFinding) -> regscale_models.VulnerabilitySeverity:
+        """Get mapped severity for the finding."""
+        logger.debug(f"Finding severity: '{finding.severity}' (type: {type(finding.severity)})")
+        mapped_severity = self.issue_to_vulnerability_map.get(
+            finding.severity, regscale_models.VulnerabilitySeverity.Low
+        )
+        logger.debug(f"Mapped severity: {mapped_severity}")
+        return mapped_severity
+
+    def _get_ip_address(self, finding: IntegrationFinding, asset: Optional[regscale_models.Asset]) -> str:
+        """Get IP address from finding or asset."""
+        if finding.ip_address:
+            return finding.ip_address
+        if asset and hasattr(asset, "ipAddress") and asset.ipAddress:
+            return asset.ipAddress
+        return ""
+
+    def _get_dns(self, asset: Optional[regscale_models.Asset]) -> str:
+        """Get DNS from asset."""
+        if asset and hasattr(asset, "fqdn") and asset.fqdn:
+            return asset.fqdn
+        return "unknown"
+
+    def _get_operating_system(self, asset: Optional[regscale_models.Asset]) -> Optional[str]:
+        """Get operating system from asset."""
+        if asset and hasattr(asset, "operatingSystem"):
+            return asset.operatingSystem
+        return None
 
+    def _get_vpr_score(self, finding: IntegrationFinding) -> Optional[float]:
+        """Get VPR score from finding."""
+        if hasattr(finding, "vprScore"):
+            return finding.vpr_score
+        return None
+
+    def _get_cvss_v3_score(self, finding: IntegrationFinding) -> Optional[float]:
+        """Get CVSS v3 score from finding."""
+        return finding.cvss_v3_base_score or finding.cvss_v3_score or finding.cvss_score
+
+    def _create_vulnerability_mapping(
+        self,
+        vulnerability: regscale_models.Vulnerability,
+        finding: IntegrationFinding,
+        asset: regscale_models.Asset,
+        scan_history: regscale_models.ScanHistory,
+    ) -> None:
+        """Create vulnerability mapping with retry logic."""
         logger.debug(f"Creating vulnerability mapping for vulnerability {vulnerability.id}")
         logger.debug(f"Scan History ID: {scan_history.id}, Asset ID: {asset.id}, Plan ID: {self.plan_id}")
 
-        vulnerability_mapping = regscale_models.VulnerabilityMapping(
+        mapping = self._build_vulnerability_mapping(vulnerability, finding, asset, scan_history)
+        self._create_mapping_with_retry(mapping, vulnerability.id)
+
+    def _build_vulnerability_mapping(
+        self,
+        vulnerability: regscale_models.Vulnerability,
+        finding: IntegrationFinding,
+        asset: regscale_models.Asset,
+        scan_history: regscale_models.ScanHistory,
+    ) -> regscale_models.VulnerabilityMapping:
+        """Build vulnerability mapping object."""
+        return regscale_models.VulnerabilityMapping(
             vulnerabilityId=vulnerability.id,
             assetId=asset.id,
             scanId=scan_history.id,
@@ -3275,15 +3530,75 @@ class ScannerIntegration(ABC):
             dateLastUpdated=get_current_datetime(),
         )
 
-        logger.debug(
-            f"Vulnerability mapping payload: vulnerabilityId={vulnerability_mapping.vulnerabilityId}, "
-            f"assetId={vulnerability_mapping.assetId}, scanId={vulnerability_mapping.scanId}"
-        )
+    def _create_mapping_with_retry(self, mapping: regscale_models.VulnerabilityMapping, vulnerability_id: int) -> None:
+        """Create vulnerability mapping with retry logic."""
+        import logging
 
-        vulnerability_mapping.create_unique()
-        logger.debug(f"Vulnerability mapping created for vulnerability {vulnerability.id}")
+        max_retries = 3
+        retry_delay = 0.5
+        regscale_logger = logging.getLogger("regscale")
+        original_level = regscale_logger.level
 
-        return vulnerability
+        for attempt in range(max_retries):
+            if self._try_create_mapping(
+                mapping, vulnerability_id, attempt, max_retries, regscale_logger, original_level
+            ):
+                break
+
+            if attempt < max_retries - 1:
+                time.sleep(retry_delay)
+                retry_delay *= 2  # Exponential backoff
+
+    def _try_create_mapping(
+        self,
+        mapping: regscale_models.VulnerabilityMapping,
+        vulnerability_id: int,
+        attempt: int,
+        max_retries: int,
+        regscale_logger: logging.Logger,
+        original_level: int,
+    ) -> bool:
+        """Try to create mapping for a single attempt."""
+        try:
+            # Suppress error logging during retry attempts (but not the final attempt)
+            if attempt < max_retries - 1:
+                regscale_logger.setLevel(logging.CRITICAL)
+
+            mapping.create_unique()
+
+            # Restore original log level
+            regscale_logger.setLevel(original_level)
+
+            if attempt > 0:
+                logger.info(
+                    f"VulnerabilityMapping created successfully on attempt {attempt + 1} for vulnerability {vulnerability_id}"
+                )
+            else:
+                logger.debug(f"Vulnerability mapping created for vulnerability {vulnerability_id}")
+            return True
+
+        except Exception as mapping_error:
+            # Restore original log level before handling the exception
+            regscale_logger.setLevel(original_level)
+            return self._handle_mapping_error(mapping_error, attempt, max_retries)
+
+    def _handle_mapping_error(self, error: Exception, attempt: int, max_retries: int) -> bool:
+        """Handle error during mapping creation."""
+        if attempt >= max_retries - 1:
+            logger.error(f"Failed to create VulnerabilityMapping after {max_retries} attempts: {error}")
+            # Convert to a more specific exception type
+            raise RuntimeError(f"VulnerabilityMapping creation failed after {max_retries} attempts") from error
+
+        # Check if it's a reference error
+        error_str = str(error)
+        if "400" in error_str and "Object reference" in error_str:
+            logger.debug(
+                f"VulnerabilityMapping creation failed due to reference error (attempt {attempt + 1}/{max_retries}). Retrying..."
+            )
+            return False
+
+        # Different error, re-raise with more context
+        raise RuntimeError(f"Unexpected error during VulnerabilityMapping creation: {error}") from error
 
     def _filter_vulns_open_by_other_tools(
         self, all_vulns: list[regscale_models.Vulnerability]