Inconsistent ref_id in PCI-DSS 4 compliance

[ab-smith]

Steps to Reproduce

Hello guys,

As discussed with Toni, when I was working on an integration between Prowler and CISO Assistant, I've noticed that the controls reference that the compliance part is sending is not consistent with the framework.
I've re-checked the official PDF and they don't exist.

Here is a sample of problematic ref_id:

see below on my OSCF export

Did I miss something? Maybe you have a specific split or definition?

Thank you

Expected behavior

Use conventional ref_id that can be used for compliance tracking.

Actual Result with Screenshots or Logs

How did you install Prowler?

From brew (brew install prowler)

Environment Resource

M4 Mac

OS used

MacOS

Prowler version

5.4.0

Pip version

Context

No response

[pedrooot]

Hey! @ab-smith the issue here is that I took the Audit Manager Mapping for PCI DSS 4.0 as reference to create this compliance framework.

If you have a look at this file inside Rules mapped to controls, you'll find out that many controlTitle have the same name but a different description. For example, 1.4.2 appear 51 times:

The "official" Requirement ID would be 1.4.2 but to don't have the same ReqID multiple times we are adding a value for this requirement (1.4.2.1 , 1.4.2.2, 1.4.2.3 ...) this way we always have unique Requirements ID.

If you want to get the "original" requirement ID (the one from the official docs) check the value under Attributes.Section to get it. Hope that it helps! Tell me if you need anything else