CLI 6.37.39

[6.37.39] - 2026-07-15

Added

  • eMASS API hardware and software baseline sync commands to pull asset inventory from eMASS, create or update RegScale assets, and push new assets back to eMASS
  • Stakeholder records now expose the v2 address fields (type, city, stateProvince, postalCode, country) so callers can supply structured address data on create and update
  • CAC/PIV smart card (PKCS#11) authentication for regscale emass_api register, enabling mTLS with an on-card private key that never leaves the device

Changed

  • Airflow container image now built on a FIPS 140-3 compliant base

Fixed

  • Airflow container no longer ships a Starlette version affected by high-severity security advisories
  • Jira Data Center issue sync now records an error for the affected issue and continues instead of aborting the whole batch when Jira returns an unexpected error while updating or closing one issue
  • File uploads through the API (such as checklist import) no longer fail with an HTTP 415 error caused by an incorrect JSON content type on multipart requests
  • Jira task sync no longer crashes when a Jira issue has no priority assigned; such issues now use the default due-date timeline instead of aborting the entire sync
  • Jira sync now renders rich-text (ADF) issue descriptions to plain text so tasks and issues sync successfully instead of being rejected with an empty request body
  • CSAM system security plan import now creates plans successfully instead of failing when the source identifier is numeric
  • CSAM control implementation import now retrieves control statements correctly instead of failing on the report query endpoint
  • CSAM front matter import now maps the Sub-Organization field correctly
  • AWS Security Hub, EC2, and ECR issue imports now post successfully to the batch endpoint instead of being silently rejected and retried one issue at a time, making those syncs faster and quieter
  • Scanner-imported issues now link to their assets in the Related Assets view instead of remaining unlinked
  • Wiz issue titles no longer repeat the CVE identifier (for example "CVE-2024-30105: CVE-2024-30105")
  • Wiz issue remediation guidance no longer reads "Update to version None" and now uses the rule's remediation instructions
  • Wiz issue last-seen date is now populated from the scan time instead of being left empty
  • Wiz synchronization now refreshes its access token during long-running syncs instead of failing partway through when the token expires
  • Wiz synchronization now reports a clear "not configured" error when the Wiz client ID or secret is left at its placeholder value instead of returning an opaque authentication failure
  • Security patches for bundled Python dependencies
  • FedRAMP SSP party imports no longer fail to create stakeholders when the OSCAL party has an address but no country, by populating structured address fields (with country) when available and otherwise sending no address fields
  • StakeHolder model field validator that converts None to empty string for nullable text fields now actually runs, so callers passing explicit None values get coerced to "" as documented
  • eMASS SLCM workbook import now retries failed control implementation updates through the bulk /batchUpdate endpoint instead of a manual single-record fallback
  • Jira Data Center sync commands now honor the configured TLS verification setting instead of always verifying certificates unless the CLI flag was passed
  • Jira Data Center CSV import no longer drops the first row's key when the export file starts with a UTF-8 byte-order mark, and XML import no longer crashes on a non-numeric attachment size
  • Jira Data Center sync now reports a clear configuration error for a non-numeric page size or timeout instead of crashing, and quote characters in project keys or task titles no longer break the generated Jira query
  • Jira Data Center sync no longer stops after the first page of results when the server enforces a smaller page size, so all matching issues are imported