fix(compliance): multi-section undercount & leaked provider tab #11567

Open · pedrooot wants to merge 2 commits into master from PROWLER-1963-bug-okta-i-daa-s-stig-table-multi-section-undercount-and-undefined-compliance-reference-sdk

pedrooot (Member) commented Jun 12, 2026

Description

Fixes two bugs shared by every CLI compliance summary table generator:

  • Multi-section undercount: per-section counters were gated by the global dedup list, so a finding mapped to several sections was only counted in the first one. Per-section counts are now deduplicated per section, while the overview totals stay deduplicated per finding (unchanged).
  • Leaked/undefined provider: the Provider column used a leaked loop variable (compliance.Provider) that could point at another framework. It now uses the provider captured from the matched framework.

Affected: okta_idaas_stig, cis, ens, c5, ccc, asd_essential_eight, kisa_ismsp, mitre_attack, prowler_threatscore and the universal table renderer. Only the CLI table output is affected; CSV/JSON/OCSF files and the API/UI are unchanged.

License

By submitting this pull request, I confirm that my contribution is made under
the terms of the Apache 2.0 license.

Steps to review

Please add a detailed description of how to review this PR.

Checklist

Community Checklist
  • This feature/issue is listed in here or on roadmap.prowler.com
  • Is it assigned to me? If not, request it via the issue/feature in here or in the Prowler Community Slack

SDK/CLI

  • Are there new checks included in this PR? Yes / No
    • If so, do we need to update permissions for the provider? Please review this carefully.

UI

  • All issue/task requirements work as expected on the UI
  • If this PR adds or updates npm dependencies, include package-health evidence (maintenance, popularity, known vulnerabilities, license, release age) and explain why existing/native alternatives are insufficient.
  • Screenshots/Video of the functionality flow (if applicable) - Mobile (X < 640px)
  • Screenshots/Video of the functionality flow (if applicable) - Tablet (640px < X < 1024px)
  • Screenshots/Video of the functionality flow (if applicable) - Desktop (X > 1024px)
  • Ensure new entries are added to CHANGELOG.md, if applicable.

API

  • All issue/task requirements work as expected on the API
  • Endpoint response output (if applicable)
  • EXPLAIN ANALYZE output for new/modified queries or indexes (if applicable)
  • Performance test results (if applicable)
  • Any other relevant evidence of the implementation (if applicable)
  • Verify if API specs need to be regenerated.
  • Check if version updates are required (e.g., specs, uv, etc.).
  • Ensure new entries are added to CHANGELOG.md, if applicable.


Summary by CodeRabbit

  • Bug Fixes

    • Fixed undercounting of findings mapped to multiple sections/groups across compliance tables
    • Prevented double-counting of muted findings in per-section/group tallies
    • Corrected Provider attribution so table rows show the accurate framework/provider
  • Tests

    • Added tests for multi-section counting accuracy
    • Added tests to verify Provider column uses the matched framework/provider
  • Chores

    • Updated changelog entry for the release

@pedrooot pedrooot requested a review from a team as a code owner June 12, 2026 10:43
@github-actions github-actions Bot added the compliance Issues/PRs related with the Compliance Frameworks label Jun 12, 2026
github-actions Bot (Contributor) commented Jun 12, 2026

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

coderabbitai Bot commented Jun 12, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between bd67a08 and 448b5ff.

📒 Files selected for processing (1)
  • prowler/CHANGELOG.md

Walkthrough

Refactors multiple compliance table builders to deduplicate counts per section/group/tactic/pillar while preserving framework-level overview totals and to fix Provider column attribution by using captured provider variables.

Changes

Compliance Framework Table Deduplication

Layer: Per-section deduplication pattern
File(s): prowler/lib/outputs/compliance/asd_essential_eight/asd_essential_eight.py, prowler/lib/outputs/compliance/c5/c5.py, prowler/lib/outputs/compliance/ccc/ccc.py, prowler/lib/outputs/compliance/kisa_ismsp/kisa_ismsp.py, prowler/lib/outputs/compliance/okta_idaas_stig/okta_idaas_stig.py
Summary: Each framework now uses per-section section_seen tracking to count findings once per section while maintaining framework-level overview counts (once per finding). Provider values are captured during compliance iteration and used consistently when populating table rows.

Layer: Specialized deduplication (CIS, ENS, MITRE, Prowler)
File(s): prowler/lib/outputs/compliance/cis/cis.py, prowler/lib/outputs/compliance/ens/ens.py, prowler/lib/outputs/compliance/mitre_attack/mitre_attack.py, prowler/lib/outputs/compliance/prowler_threatscore/prowler_threatscore.py
Summary: Domain-specific deduplication: CIS tracks muted findings per section, ENS per marco/categoria, MITRE per tactic, and Prowler per pillar. All apply per-category seen sets decoupled from framework-level overview counting, with provider attribution fixes.

Layer: Universal table deduplication
File(s): prowler/lib/outputs/compliance/universal/universal_table.py
Summary: Extends per-group deduplication to grouped, split, and scored rendering modes. Introduces group_seen and group_muted_seen tracking so findings are counted once per group in all modes while framework-level overview totals remain unique per finding.

Layer: Deduplication test coverage
File(s): tests/lib/outputs/compliance/okta_idaas_stig/okta_idaas_stig_table_test.py, tests/lib/outputs/compliance/universal/universal_table_test.py
Summary: New tests verify that multi-section findings render correct per-section counts and that Provider columns use framework metadata instead of leaked loop variables.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Suggested reviewers

  • alejandrobailo
  • josema-xyz
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 40.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The title clearly summarizes the main changes: fixing multi-section undercount and leaked provider issues in compliance tables.
  • Description check: ✅ Passed. The description covers the main bugs fixed, affected modules, scope, and includes proper licensing confirmation, though some checklist items remain unchecked.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

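The two bugs in the PR description (the per-section undercount and the leaked provider loop variable) and the section_seen / group_seen mechanism the walkthrough above describes are easiest to see side by side. The following is an added example written for this page, not Prowler's own code: `Finding`, `Framework`, `count_buggy`, `count_fixed`, `provider_leaked` and `provider_captured` are hypothetical stand-ins for the table builders the PR touches, the sample findings and framework names are constructed, and the dedup key is assumed to be a per-finding `key` field. It goes slightly beyond the page by also tallying muted findings in a separate column, since the walkthrough mentions a parallel group_muted_seen set.

```python
"""Added example (not Prowler's code): per-section vs per-finding dedup in a
compliance summary table, and capturing the provider of the matched framework.
All names below are hypothetical; the sample data is constructed."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Framework:
    name: str
    provider: str


@dataclass
class Finding:
    key: str                 # dedup key (assumed; e.g. a check or finding id)
    status: str              # "PASS" or "FAIL"
    muted: bool = False
    # (requirement_id, section) pairs this finding maps to; a finding can map
    # to several requirements, possibly within the same section
    requirements: list = field(default_factory=list)


def _fresh():
    return {"PASS": 0, "FAIL": 0, "MUTED": 0}


def count_buggy(findings):
    """Reproduce the undercount: one global `seen` set gates both the overview
    totals and the per-section counters, so a finding mapped to several
    sections is counted only in the first section it appears in."""
    seen = set()
    overview = _fresh()
    per_section = defaultdict(_fresh)
    for f in findings:
        column = "MUTED" if f.muted else f.status
        for _req, section in f.requirements:
            if f.key in seen:            # shared gate: this is the bug
                continue
            seen.add(f.key)
            overview[column] += 1
            per_section[section][column] += 1
    return overview, dict(per_section)


def count_fixed(findings):
    """Fixed counting: overview totals dedup once per finding; per-section
    counters dedup once per (section, finding) via a per-section seen set."""
    overview_seen = set()
    section_seen = defaultdict(set)
    overview = _fresh()
    per_section = defaultdict(_fresh)
    for f in findings:
        column = "MUTED" if f.muted else f.status
        if f.key not in overview_seen:
            overview_seen.add(f.key)
            overview[column] += 1
        for _req, section in f.requirements:
            if f.key in section_seen[section]:
                continue                 # already counted in this section
            section_seen[section].add(f.key)
            per_section[section][column] += 1
    return overview, dict(per_section)


def provider_leaked(frameworks, wanted):
    """Leaked loop variable: the loop never breaks, so after it `compliance`
    is the LAST framework iterated, not the matched one (and a NameError if
    `frameworks` is empty)."""
    for compliance in frameworks:
        if compliance.name == wanted:
            pass                         # match found but nothing captured
    return compliance.provider           # bug: last framework's provider


def provider_captured(frameworks, wanted):
    """Fix: capture the provider at match time; None if nothing matched."""
    provider = None
    for compliance in frameworks:
        if compliance.name == wanted:
            provider = compliance.provider
    return provider


# Constructed sample data (not real Prowler findings or framework names).
SAMPLE_FRAMEWORKS = [
    Framework("cis_aws", "aws"),
    Framework("okta_idaas_stig", "okta"),
    Framework("cis_azure", "azure"),
]
SAMPLE_FINDINGS = [
    Finding("f1", "FAIL", requirements=[("1.1", "A"), ("2.3", "B")]),
    Finding("f2", "FAIL", requirements=[("1.2", "A"), ("1.4", "A")]),
    Finding("f3", "PASS", muted=True, requirements=[("2.1", "B"), ("3.1", "C")]),
]

if __name__ == "__main__":
    print("buggy:", count_buggy(SAMPLE_FINDINGS))      # section B loses f1, C is empty
    print("fixed:", count_fixed(SAMPLE_FINDINGS))
    print("leaked:", provider_leaked(SAMPLE_FRAMEWORKS, "okta_idaas_stig"))    # azure
    print("captured:", provider_captured(SAMPLE_FRAMEWORKS, "okta_idaas_stig"))  # okta
```

Running it shows the overview totals agree in both versions (2 FAIL, 1 MUTED), which is why the bug only surfaced in the per-section rows: the buggy table reports no FAIL in section B and no row for section C at all, while the fixed table counts f1 in both A and B and f3 in both B and C without double-counting f2's two requirements in A.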

github-actions Bot (Contributor) commented Jun 12, 2026

✅ All necessary CHANGELOG.md files have been updated.

codecov Bot commented Jun 12, 2026

Codecov Report

❌ Patch coverage is 24.40476% with 127 lines in your changes missing coverage. Please review.
✅ Project coverage is 73.62%. Comparing base (a394c0f) to head (448b5ff).
⚠️ Report is 6 commits behind head on master.

❗ There is a different number of reports uploaded between BASE (a394c0f) and HEAD (448b5ff).

HEAD has 1 upload less than BASE
Flag BASE (a394c0f) HEAD (448b5ff)
api 1 0
@@             Coverage Diff             @@
##           master   #11567       +/-   ##
===========================================
- Coverage   94.02%   73.62%   -20.41%     
===========================================
  Files         241      113      -128     
  Lines       35705     8746    -26959     
===========================================
- Hits        33573     6439    -27134     
- Misses       2132     2307      +175     
Flag Coverage Δ
api ?
prowler-py3.10-external 21.57% <0.00%> (?)
prowler-py3.10-lib 73.62% <24.40%> (?)
prowler-py3.11-external 21.57% <0.00%> (?)
prowler-py3.11-lib 73.62% <24.40%> (?)
prowler-py3.12-external 21.57% <0.00%> (?)
prowler-py3.12-lib 73.62% <24.40%> (?)

Flags with carried forward coverage won't be shown.

Components Coverage Δ
prowler 73.58% <24.40%> (∅)
api ∅ <ø> (∅)

github-actions Bot (Contributor) commented Jun 12, 2026

🔒 Container Security Scan

Image: prowler:2356bb7
Last scan: 2026-06-12 11:54:18 UTC

📊 Vulnerability Summary

Severity Count
🔴 Critical 14
Total 14

9 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable


coderabbitai Bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
prowler/lib/outputs/compliance/prowler_threatscore/prowler_threatscore.py (1)

8-15: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add return type hint and docstring.

The function get_prowler_threatscore_table is missing a return type hint and a docstring. As per coding guidelines, type hints are required for all public functions, and docstrings following Google style are required for all functions.

📝 Proposed addition
 def get_prowler_threatscore_table(
     findings: list,
     bulk_checks_metadata: dict,
     compliance_framework: str,
     output_filename: str,
     output_directory: str,
     compliance_overview: bool,
-):
+) -> None:
+    """Render ProwlerThreatScore compliance table with risk scoring per pillar.
+
+    Args:
+        findings: List of finding objects to process.
+        bulk_checks_metadata: Dictionary mapping CheckID to check metadata.
+        compliance_framework: Name of the compliance framework.
+        output_filename: Base name for output files.
+        output_directory: Directory path for output files.
+        compliance_overview: If True, show only overview without detailed table.
+    """
     pillar_table = {
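Review bot: the `+) -> None:` annotation conflicts with the agent prompt under this hunk, which tells the agent to pick `-> str` or a Path-like/tuple "depending on what it returns"; the two suggestions should agree before either is applied. Confirm what get_prowler_threatscore_table actually returns first: if it returns a value, the Google-style docstring proposed here also needs a `Returns:` section, which it omits.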
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@prowler/lib/outputs/compliance/prowler_threatscore/prowler_threatscore.py`
around lines 8 - 15, Add a return type hint to the public function
get_prowler_threatscore_table (e.g., -> str or -> Path-like/tuple depending on
what it returns) and insert a Google-style docstring immediately under the def
that describes the purpose, all parameters (findings: list,
bulk_checks_metadata: dict, compliance_framework: str, output_filename: str,
output_directory: str, compliance_overview: bool) with types and meanings, and
the return value and its type; ensure the docstring follows Google style (Args:,
Returns:, Raises: if applicable) and keep the signature and existing behavior
unchanged.

Source: Coding guidelines


📥 Commits

Reviewing files that changed from the base of the PR and between ca443b8 and bd67a08.

📒 Files selected for processing (12)
  • prowler/lib/outputs/compliance/asd_essential_eight/asd_essential_eight.py
  • prowler/lib/outputs/compliance/c5/c5.py
  • prowler/lib/outputs/compliance/ccc/ccc.py
  • prowler/lib/outputs/compliance/cis/cis.py
  • prowler/lib/outputs/compliance/ens/ens.py
  • prowler/lib/outputs/compliance/kisa_ismsp/kisa_ismsp.py
  • prowler/lib/outputs/compliance/mitre_attack/mitre_attack.py
  • prowler/lib/outputs/compliance/okta_idaas_stig/okta_idaas_stig.py
  • prowler/lib/outputs/compliance/prowler_threatscore/prowler_threatscore.py
  • prowler/lib/outputs/compliance/universal/universal_table.py
  • tests/lib/outputs/compliance/okta_idaas_stig/okta_idaas_stig_table_test.py
  • tests/lib/outputs/compliance/universal/universal_table_test.py

Inline comment on tests/lib/outputs/compliance/okta_idaas_stig/okta_idaas_stig_table_test.py, line 28 (diff context):

    )


    class TestOktaIDaaSSTIGTable:

coderabbitai Bot commented

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add class docstring.

The test class TestOktaIDaaSSTIGTable is missing a docstring. As per coding guidelines, docstrings following Google style are required for all classes.

📝 Proposed addition
 class TestOktaIDaaSSTIGTable:
+    """Test cases for Okta IDaaS STIG compliance table rendering.
+    
+    Verifies multi-section counting and provider column attribution fixes.
+    """
     def test_multi_section_fail_not_undercounted(self, capsys):
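Review bot: the blank line inside the proposed docstring (`+    `) carries trailing whitespace, which pycodestyle/ruff flag as W293 (blank line contains whitespace) and a pre-commit lint hook would reject; make it a truly empty line before committing this suggestion.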
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/lib/outputs/compliance/okta_idaas_stig/okta_idaas_stig_table_test.py`
at line 28, Add a Google-style docstring to the test class
TestOktaIDaaSSTIGTable: insert a short one-line summary describing the purpose
of the test class and, if helpful, a brief extended description or attributes
section explaining what behaviors or fixtures the tests cover; place the
docstring immediately below the class declaration in TestOktaIDaaSSTIGTable.

Source: Coding guidelines

@pedrooot pedrooot added the backport-to-v5.30 Backport PR to the v5.30 branch label Jun 12, 2026