PyPI - cartography - Versions diffs - 0.102.0rc1__py3-none-any.whl → 0.103.0__py3-none-any.whl - Mend

cartography 0.102.0rc1py3-none-any.whl → 0.103.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of cartography might be problematic. Click here for more details.

Files changed (297) hide show

cartography/__main__.py +1 -2
cartography/_version.py +2 -2
cartography/cli.py +376 -249
cartography/client/core/tx.py +39 -18
cartography/config.py +28 -0
cartography/driftdetect/__main__.py +1 -2
cartography/driftdetect/add_shortcut.py +10 -2
cartography/driftdetect/cli.py +71 -75
cartography/driftdetect/detect_deviations.py +7 -3
cartography/driftdetect/get_states.py +20 -8
cartography/driftdetect/model.py +5 -5
cartography/driftdetect/serializers.py +8 -6
cartography/driftdetect/storage.py +2 -2
cartography/graph/cleanupbuilder.py +35 -15
cartography/graph/job.py +46 -17
cartography/graph/querybuilder.py +165 -80
cartography/graph/statement.py +35 -26
cartography/intel/analysis.py +4 -1
cartography/intel/aws/__init__.py +114 -55
cartography/intel/aws/apigateway.py +134 -63
cartography/intel/aws/cloudtrail.py +127 -0
cartography/intel/aws/cloudwatch.py +93 -0
cartography/intel/aws/config.py +56 -20
cartography/intel/aws/dynamodb.py +108 -40
cartography/intel/aws/ec2/__init__.py +2 -2
cartography/intel/aws/ec2/auto_scaling_groups.py +181 -78
cartography/intel/aws/ec2/elastic_ip_addresses.py +41 -13
cartography/intel/aws/ec2/images.py +49 -20
cartography/intel/aws/ec2/instances.py +234 -136
cartography/intel/aws/ec2/internet_gateways.py +40 -11
cartography/intel/aws/ec2/key_pairs.py +44 -20
cartography/intel/aws/ec2/launch_templates.py +101 -59
cartography/intel/aws/ec2/load_balancer_v2s.py +104 -39
cartography/intel/aws/ec2/load_balancers.py +82 -42
cartography/intel/aws/ec2/network_acls.py +89 -65
cartography/intel/aws/ec2/network_interfaces.py +146 -87
cartography/intel/aws/ec2/reserved_instances.py +45 -16
cartography/intel/aws/ec2/route_tables.py +327 -0
cartography/intel/aws/ec2/security_groups.py +71 -21
cartography/intel/aws/ec2/snapshots.py +61 -22
cartography/intel/aws/ec2/subnets.py +54 -18
cartography/intel/aws/ec2/tgw.py +100 -34
cartography/intel/aws/ec2/util.py +1 -1
cartography/intel/aws/ec2/volumes.py +69 -41
cartography/intel/aws/ec2/vpc.py +37 -12
cartography/intel/aws/ec2/vpc_peerings.py +83 -24
cartography/intel/aws/ecr.py +88 -32
cartography/intel/aws/ecs.py +83 -47
cartography/intel/aws/efs.py +93 -0
cartography/intel/aws/eks.py +55 -29
cartography/intel/aws/elasticache.py +42 -18
cartography/intel/aws/elasticsearch.py +57 -20
cartography/intel/aws/emr.py +61 -23
cartography/intel/aws/iam.py +401 -145
cartography/intel/aws/iam_instance_profiles.py +22 -22
cartography/intel/aws/identitycenter.py +71 -37
cartography/intel/aws/inspector.py +159 -89
cartography/intel/aws/kms.py +92 -38
cartography/intel/aws/lambda_function.py +103 -34
cartography/intel/aws/organizations.py +30 -10
cartography/intel/aws/permission_relationships.py +133 -51
cartography/intel/aws/rds.py +249 -85
cartography/intel/aws/redshift.py +107 -46
cartography/intel/aws/resourcegroupstaggingapi.py +120 -66
cartography/intel/aws/resources.py +57 -44
cartography/intel/aws/route53.py +108 -61
cartography/intel/aws/s3.py +168 -83
cartography/intel/aws/s3accountpublicaccessblock.py +157 -0
cartography/intel/aws/secretsmanager.py +24 -12
cartography/intel/aws/securityhub.py +20 -9
cartography/intel/aws/sns.py +166 -0
cartography/intel/aws/sqs.py +60 -28
cartography/intel/aws/ssm.py +70 -30
cartography/intel/aws/util/arns.py +7 -7
cartography/intel/aws/util/common.py +31 -4
cartography/intel/azure/__init__.py +78 -19
cartography/intel/azure/compute.py +101 -27
cartography/intel/azure/cosmosdb.py +496 -170
cartography/intel/azure/sql.py +296 -105
cartography/intel/azure/storage.py +322 -113
cartography/intel/azure/subscription.py +39 -23
cartography/intel/azure/tenant.py +13 -4
cartography/intel/azure/util/credentials.py +95 -55
cartography/intel/bigfix/__init__.py +2 -2
cartography/intel/bigfix/computers.py +93 -65
cartography/intel/cloudflare/__init__.py +74 -0
cartography/intel/cloudflare/accounts.py +57 -0
cartography/intel/cloudflare/dnsrecords.py +64 -0
cartography/intel/cloudflare/members.py +75 -0
cartography/intel/cloudflare/roles.py +65 -0
cartography/intel/cloudflare/zones.py +64 -0
cartography/intel/create_indexes.py +3 -2
cartography/intel/crowdstrike/__init__.py +11 -9
cartography/intel/crowdstrike/endpoints.py +5 -1
cartography/intel/crowdstrike/spotlight.py +8 -3
cartography/intel/cve/__init__.py +46 -13
cartography/intel/cve/feed.py +48 -12
cartography/intel/digitalocean/__init__.py +22 -13
cartography/intel/digitalocean/compute.py +75 -108
cartography/intel/digitalocean/management.py +44 -80
cartography/intel/digitalocean/platform.py +48 -43
cartography/intel/dns.py +36 -10
cartography/intel/duo/__init__.py +21 -16
cartography/intel/duo/api_host.py +14 -9
cartography/intel/duo/endpoints.py +50 -45
cartography/intel/duo/groups.py +18 -14
cartography/intel/duo/phones.py +37 -34
cartography/intel/duo/tokens.py +26 -23
cartography/intel/duo/users.py +54 -50
cartography/intel/duo/web_authn_credentials.py +30 -25
cartography/intel/entra/__init__.py +25 -7
cartography/intel/entra/ou.py +112 -0
cartography/intel/entra/users.py +69 -63
cartography/intel/gcp/__init__.py +185 -49
cartography/intel/gcp/compute.py +418 -231
cartography/intel/gcp/crm.py +96 -43
cartography/intel/gcp/dns.py +60 -19
cartography/intel/gcp/gke.py +72 -38
cartography/intel/gcp/iam.py +61 -41
cartography/intel/gcp/storage.py +84 -55
cartography/intel/github/__init__.py +13 -11
cartography/intel/github/repos.py +270 -137
cartography/intel/github/teams.py +170 -88
cartography/intel/github/users.py +70 -39
cartography/intel/github/util.py +36 -34
cartography/intel/gsuite/__init__.py +47 -26
cartography/intel/gsuite/api.py +73 -30
cartography/intel/jamf/__init__.py +19 -1
cartography/intel/jamf/computers.py +30 -7
cartography/intel/jamf/util.py +7 -2
cartography/intel/kandji/__init__.py +6 -3
cartography/intel/kandji/devices.py +14 -8
cartography/intel/kubernetes/namespaces.py +7 -4
cartography/intel/kubernetes/pods.py +7 -4
cartography/intel/kubernetes/services.py +8 -4
cartography/intel/lastpass/__init__.py +2 -2
cartography/intel/lastpass/users.py +23 -12
cartography/intel/oci/__init__.py +44 -11
cartography/intel/oci/iam.py +134 -38
cartography/intel/oci/organizations.py +13 -6
cartography/intel/oci/utils.py +43 -20
cartography/intel/okta/__init__.py +66 -15
cartography/intel/okta/applications.py +42 -20
cartography/intel/okta/awssaml.py +93 -33
cartography/intel/okta/factors.py +16 -4
cartography/intel/okta/groups.py +56 -29
cartography/intel/okta/organization.py +5 -1
cartography/intel/okta/origins.py +6 -2
cartography/intel/okta/roles.py +15 -5
cartography/intel/okta/users.py +20 -8
cartography/intel/okta/utils.py +6 -4
cartography/intel/openai/__init__.py +86 -0
cartography/intel/openai/adminapikeys.py +90 -0
cartography/intel/openai/apikeys.py +96 -0
cartography/intel/openai/projects.py +94 -0
cartography/intel/openai/serviceaccounts.py +82 -0
cartography/intel/openai/users.py +78 -0
cartography/intel/openai/util.py +29 -0
cartography/intel/pagerduty/__init__.py +8 -7
cartography/intel/pagerduty/escalation_policies.py +18 -6
cartography/intel/pagerduty/schedules.py +12 -4
cartography/intel/pagerduty/services.py +11 -4
cartography/intel/pagerduty/teams.py +8 -3
cartography/intel/pagerduty/users.py +3 -1
cartography/intel/pagerduty/vendors.py +3 -1
cartography/intel/semgrep/__init__.py +24 -6
cartography/intel/semgrep/dependencies.py +50 -28
cartography/intel/semgrep/deployment.py +3 -1
cartography/intel/semgrep/findings.py +42 -18
cartography/intel/snipeit/__init__.py +17 -3
cartography/intel/snipeit/asset.py +12 -6
cartography/intel/snipeit/user.py +8 -5
cartography/intel/snipeit/util.py +9 -4
cartography/intel/tailscale/__init__.py +77 -0
cartography/intel/tailscale/acls.py +146 -0
cartography/intel/tailscale/devices.py +127 -0
cartography/intel/tailscale/postureintegrations.py +81 -0
cartography/intel/tailscale/tailnets.py +76 -0
cartography/intel/tailscale/users.py +80 -0
cartography/intel/tailscale/utils.py +132 -0
cartography/models/aws/apigateway.py +21 -17
cartography/models/aws/apigatewaycertificate.py +28 -22
cartography/models/aws/apigatewayresource.py +28 -20
cartography/models/aws/apigatewaystage.py +33 -25
cartography/models/aws/cloudtrail/__init__.py +0 -0
cartography/models/aws/cloudtrail/trail.py +61 -0
cartography/models/aws/cloudwatch/__init__.py +0 -0
cartography/models/aws/cloudwatch/loggroup.py +52 -0
cartography/models/aws/dynamodb/gsi.py +30 -22
cartography/models/aws/dynamodb/tables.py +25 -17
cartography/models/aws/ec2/auto_scaling_groups.py +102 -82
cartography/models/aws/ec2/images.py +36 -34
cartography/models/aws/ec2/instances.py +51 -45
cartography/models/aws/ec2/keypair.py +21 -16
cartography/models/aws/ec2/keypair_instance.py +28 -21
cartography/models/aws/ec2/launch_configurations.py +30 -26
cartography/models/aws/ec2/launch_template_versions.py +48 -38
cartography/models/aws/ec2/launch_templates.py +21 -17
cartography/models/aws/ec2/load_balancer_listeners.py +27 -23
cartography/models/aws/ec2/load_balancers.py +47 -37
cartography/models/aws/ec2/network_acl_rules.py +38 -30
cartography/models/aws/ec2/network_acls.py +38 -29
cartography/models/aws/ec2/networkinterface_instance.py +52 -39
cartography/models/aws/ec2/networkinterfaces.py +53 -37
cartography/models/aws/ec2/privateip_networkinterface.py +32 -22
cartography/models/aws/ec2/reservations.py +18 -14
cartography/models/aws/ec2/route_table_associations.py +97 -0
cartography/models/aws/ec2/route_tables.py +128 -0
cartography/models/aws/ec2/routes.py +85 -0
cartography/models/aws/ec2/securitygroup_instance.py +29 -20
cartography/models/aws/ec2/securitygroup_networkinterface.py +24 -15
cartography/models/aws/ec2/subnet_instance.py +24 -19
cartography/models/aws/ec2/subnet_networkinterface.py +40 -31
cartography/models/aws/ec2/volumes.py +47 -40
cartography/models/aws/efs/__init__.py +0 -0
cartography/models/aws/efs/mount_target.py +52 -0
cartography/models/aws/eks/clusters.py +23 -21
cartography/models/aws/emr.py +32 -30
cartography/models/aws/iam/instanceprofile.py +33 -24
cartography/models/aws/identitycenter/awsidentitycenter.py +18 -14
cartography/models/aws/identitycenter/awspermissionset.py +37 -29
cartography/models/aws/identitycenter/awsssouser.py +23 -21
cartography/models/aws/inspector/findings.py +77 -65
cartography/models/aws/inspector/packages.py +35 -29
cartography/models/aws/s3/__init__.py +0 -0
cartography/models/aws/s3/account_public_access_block.py +51 -0
cartography/models/aws/sns/__init__.py +0 -0
cartography/models/aws/sns/topic.py +50 -0
cartography/models/aws/ssm/instance_information.py +51 -39
cartography/models/aws/ssm/instance_patch.py +32 -26
cartography/models/bigfix/bigfix_computer.py +42 -38
cartography/models/bigfix/bigfix_root.py +3 -3
cartography/models/cloudflare/__init__.py +0 -0
cartography/models/cloudflare/account.py +25 -0
cartography/models/cloudflare/dnsrecord.py +55 -0
cartography/models/cloudflare/member.py +82 -0
cartography/models/cloudflare/role.py +44 -0
cartography/models/cloudflare/zone.py +59 -0
cartography/models/core/common.py +12 -10
cartography/models/core/nodes.py +5 -2
cartography/models/core/relationships.py +14 -6
cartography/models/crowdstrike/hosts.py +37 -35
cartography/models/cve/cve.py +34 -32
cartography/models/cve/cve_feed.py +6 -6
cartography/models/digitalocean/__init__.py +0 -0
cartography/models/digitalocean/account.py +21 -0
cartography/models/digitalocean/droplet.py +56 -0
cartography/models/digitalocean/project.py +48 -0
cartography/models/duo/api_host.py +3 -3
cartography/models/duo/endpoint.py +43 -41
cartography/models/duo/group.py +14 -14
cartography/models/duo/phone.py +27 -27
cartography/models/duo/token.py +16 -16
cartography/models/duo/user.py +46 -44
cartography/models/duo/web_authn_credential.py +27 -19
cartography/models/entra/ou.py +48 -0
cartography/models/entra/tenant.py +24 -18
cartography/models/entra/user.py +64 -48
cartography/models/gcp/iam.py +23 -23
cartography/models/github/orgs.py +5 -4
cartography/models/github/teams.py +37 -31
cartography/models/github/users.py +34 -23
cartography/models/kandji/device.py +22 -16
cartography/models/kandji/tenant.py +6 -4
cartography/models/lastpass/tenant.py +3 -3
cartography/models/lastpass/user.py +32 -28
cartography/models/openai/__init__.py +0 -0
cartography/models/openai/adminapikey.py +90 -0
cartography/models/openai/apikey.py +84 -0
cartography/models/openai/organization.py +17 -0
cartography/models/openai/project.py +70 -0
cartography/models/openai/serviceaccount.py +50 -0
cartography/models/openai/user.py +49 -0
cartography/models/semgrep/dependencies.py +36 -24
cartography/models/semgrep/deployment.py +5 -5
cartography/models/semgrep/findings.py +58 -42
cartography/models/semgrep/locations.py +27 -21
cartography/models/snipeit/asset.py +30 -21
cartography/models/snipeit/tenant.py +6 -4
cartography/models/snipeit/user.py +19 -12
cartography/models/tailscale/__init__.py +0 -0
cartography/models/tailscale/device.py +95 -0
cartography/models/tailscale/group.py +86 -0
cartography/models/tailscale/postureintegration.py +58 -0
cartography/models/tailscale/tag.py +102 -0
cartography/models/tailscale/tailnet.py +29 -0
cartography/models/tailscale/user.py +52 -0
cartography/stats.py +3 -3
cartography/sync.py +113 -31
cartography/util.py +84 -62
{cartography-0.102.0rc1.dist-info → cartography-0.103.0.dist-info}/METADATA +8 -15
cartography-0.103.0.dist-info/RECORD +442 -0
{cartography-0.102.0rc1.dist-info → cartography-0.103.0.dist-info}/WHEEL +1 -1
cartography-0.102.0rc1.dist-info/RECORD +0 -377
{cartography-0.102.0rc1.dist-info → cartography-0.103.0.dist-info}/entry_points.txt +0 -0
{cartography-0.102.0rc1.dist-info → cartography-0.103.0.dist-info}/licenses/LICENSE +0 -0
{cartography-0.102.0rc1.dist-info → cartography-0.103.0.dist-info}/top_level.txt +0 -0

cartography/intel/aws/iam_instance_profiles.py CHANGED Viewed

@@ -13,11 +13,11 @@ from cartography.util import timeit
 @timeit
 @aws_handle_regions
 def get_iam_instance_profiles(boto3_session: boto3.Session) -> list[dict[str, Any]]:
-    client = boto3_session.client('iam', config=get_botocore_config())
-    paginator = client.get_paginator('list_instance_profiles')
+    client = boto3_session.client("iam", config=get_botocore_config())
+    paginator = client.get_paginator("list_instance_profiles")
     instance_profiles = []
     for page in paginator.paginate():
-        instance_profiles.extend(page['InstanceProfiles'])
+        instance_profiles.extend(page["InstanceProfiles"])
     return instance_profiles
@@ -25,12 +25,12 @@ def transform_instance_profiles(data: list[dict[str, Any]]) -> list[dict[str, An
     transformed = []
     for profile in data:
         transformed_profile = {
-            'Arn': profile['Arn'],
-            'CreateDate': profile['CreateDate'],
-            'InstanceProfileId': profile['InstanceProfileId'],
-            'InstanceProfileName': profile['InstanceProfileName'],
-            'Path': profile['Path'],
-            'Roles': [role['Arn'] for role in profile.get('Roles', [])],
+            "Arn": profile["Arn"],
+            "CreateDate": profile["CreateDate"],
+            "InstanceProfileId": profile["InstanceProfileId"],
+            "InstanceProfileName": profile["InstanceProfileName"],
+            "Path": profile["Path"],
+            "Roles": [role["Arn"] for role in profile.get("Roles", [])],
         }
         transformed.append(transformed_profile)
     return transformed
@@ -38,11 +38,11 @@ def transform_instance_profiles(data: list[dict[str, Any]]) -> list[dict[str, An
 @timeit
 def load_iam_instance_profiles(
-        neo4j_session: neo4j.Session,
-        data: list[dict[str, Any]],
-        current_aws_account_id: str,
-        update_tag: int,
-        common_job_parameters: dict[str, Any],
+    neo4j_session: neo4j.Session,
+    data: list[dict[str, Any]],
+    current_aws_account_id: str,
+    update_tag: int,
+    common_job_parameters: dict[str, Any],
 ) -> None:
     load(
         neo4j_session,
@@ -55,19 +55,19 @@ def load_iam_instance_profiles(
 @timeit
 def sync_iam_instance_profiles(
-        boto3_session: boto3.Session,
-        neo4j_session: neo4j.Session,
-        current_aws_account_id: str,
-        update_tag: int,
-        regions: list[str],
-        common_job_parameters: dict[str, Any],
+    boto3_session: boto3.Session,
+    neo4j_session: neo4j.Session,
+    current_aws_account_id: str,
+    update_tag: int,
+    regions: list[str],
+    common_job_parameters: dict[str, Any],
 ) -> None:
     profiles = get_iam_instance_profiles(boto3_session)
     profiles = transform_instance_profiles(profiles)
     load_iam_instance_profiles(
         neo4j_session,
         profiles,
-        common_job_parameters['AWS_ID'],
-        common_job_parameters['UPDATE_TAG'],
+        common_job_parameters["AWS_ID"],
+        common_job_parameters["UPDATE_TAG"],
         common_job_parameters,
     )

cartography/intel/aws/identitycenter.py CHANGED Viewed

@@ -8,27 +8,35 @@ import neo4j
 from cartography.client.core.tx import load
 from cartography.graph.job import GraphJob
-from cartography.models.aws.identitycenter.awsidentitycenter import AWSIdentityCenterInstanceSchema
-from cartography.models.aws.identitycenter.awspermissionset import AWSPermissionSetSchema
+from cartography.models.aws.identitycenter.awsidentitycenter import (
+    AWSIdentityCenterInstanceSchema,
+)
+from cartography.models.aws.identitycenter.awspermissionset import (
+    AWSPermissionSetSchema,
+)
 from cartography.models.aws.identitycenter.awsssouser import AWSSSOUserSchema
 from cartography.util import aws_handle_regions
 from cartography.util import run_cleanup_job
 from cartography.util import timeit
 logger = logging.getLogger(__name__)
 @timeit
 @aws_handle_regions
-def get_identity_center_instances(boto3_session: boto3.session.Session, region: str) -> List[Dict]:
+def get_identity_center_instances(
+    boto3_session: boto3.session.Session,
+    region: str,
+) -> List[Dict]:
     """
     Get all AWS IAM Identity Center instances in the current region
     """
-    client = boto3_session.client('sso-admin', region_name=region)
+    client = boto3_session.client("sso-admin", region_name=region)
     instances = []
-    paginator = client.get_paginator('list_instances')
+    paginator = client.get_paginator("list_instances")
     for page in paginator.paginate():
-        instances.extend(page.get('Instances', []))
+        instances.extend(page.get("Instances", []))
     return instances
@@ -44,7 +52,9 @@ def load_identity_center_instances(
     """
     Load Identity Center instances into the graph
     """
-    logger.info(f"Loading {len(instance_data)} Identity Center instances for region {region}")
+    logger.info(
+        f"Loading {len(instance_data)} Identity Center instances for region {region}",
+    )
     load(
         neo4j_session,
         AWSIdentityCenterInstanceSchema(),
@@ -57,24 +67,28 @@ def load_identity_center_instances(
 @timeit
 @aws_handle_regions
-def get_permission_sets(boto3_session: boto3.session.Session, instance_arn: str, region: str) -> List[Dict]:
+def get_permission_sets(
+    boto3_session: boto3.session.Session,
+    instance_arn: str,
+    region: str,
+) -> List[Dict]:
     """
     Get all permission sets for a given Identity Center instance
     """
-    client = boto3_session.client('sso-admin', region_name=region)
+    client = boto3_session.client("sso-admin", region_name=region)
     permission_sets = []
-    paginator = client.get_paginator('list_permission_sets')
+    paginator = client.get_paginator("list_permission_sets")
     for page in paginator.paginate(InstanceArn=instance_arn):
         # Get detailed info for each permission set
-        for arn in page.get('PermissionSets', []):
+        for arn in page.get("PermissionSets", []):
             details = client.describe_permission_set(
                 InstanceArn=instance_arn,
                 PermissionSetArn=arn,
             )
-            permission_set = details.get('PermissionSet', {})
+            permission_set = details.get("PermissionSet", {})
             if permission_set:
-                permission_set['RoleHint'] = (
+                permission_set["RoleHint"] = (
                     f":role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_{permission_set.get('Name')}"
                 )
                 permission_sets.append(permission_set)
@@ -94,7 +108,9 @@ def load_permission_sets(
     """
     Load Identity Center permission sets into the graph
     """
-    logger.info(f"Loading {len(permission_sets)} permission sets for instance {instance_arn} in region {region}")
+    logger.info(
+        f"Loading {len(permission_sets)} permission sets for instance {instance_arn} in region {region}",
+    )
     load(
         neo4j_session,
@@ -117,15 +133,15 @@ def get_sso_users(
     """
     Get all SSO users for a given Identity Store
     """
-    client = boto3_session.client('identitystore', region_name=region)
+    client = boto3_session.client("identitystore", region_name=region)
     users = []
-    paginator = client.get_paginator('list_users')
+    paginator = client.get_paginator("list_users")
     for page in paginator.paginate(IdentityStoreId=identity_store_id):
-        user_page = page.get('Users', [])
+        user_page = page.get("Users", [])
         for user in user_page:
-            if user.get('ExternalIds', None):
-                user['ExternalId'] = user.get('ExternalIds')[0].get('Id')
+            if user.get("ExternalIds", None):
+                user["ExternalId"] = user.get("ExternalIds")[0].get("Id")
             users.append(user)
     return users
@@ -143,7 +159,9 @@ def load_sso_users(
     """
     Load SSO users into the graph
     """
-    logger.info(f"Loading {len(users)} SSO users for identity store {identity_store_id} in region {region}")
+    logger.info(
+        f"Loading {len(users)} SSO users for identity store {identity_store_id} in region {region}",
+    )
     load(
         neo4j_session,
@@ -169,19 +187,25 @@ def get_role_assignments(
     """
     logger.info(f"Getting role assignments for {len(users)} users")
-    client = boto3_session.client('sso-admin', region_name=region)
+    client = boto3_session.client("sso-admin", region_name=region)
     role_assignments = []
     for user in users:
-        user_id = user['UserId']
-        paginator = client.get_paginator('list_account_assignments_for_principal')
-        for page in paginator.paginate(InstanceArn=instance_arn, PrincipalId=user_id, PrincipalType='USER'):
-            for assignment in page.get('AccountAssignments', []):
-                role_assignments.append({
-                    'UserId': user_id,
-                    'PermissionSetArn': assignment.get('PermissionSetArn'),
-                    'AccountId': assignment.get('AccountId'),
-                })
+        user_id = user["UserId"]
+        paginator = client.get_paginator("list_account_assignments_for_principal")
+        for page in paginator.paginate(
+            InstanceArn=instance_arn,
+            PrincipalId=user_id,
+            PrincipalType="USER",
+        ):
+            for assignment in page.get("AccountAssignments", []):
+                role_assignments.append(
+                    {
+                        "UserId": user_id,
+                        "PermissionSetArn": assignment.get("PermissionSetArn"),
+                        "AccountId": assignment.get("AccountId"),
+                    },
+                )
     return role_assignments
@@ -214,12 +238,22 @@ def load_role_assignments(
 @timeit
-def cleanup(neo4j_session: neo4j.Session, common_job_parameters: Dict[str, Any]) -> None:
-    GraphJob.from_node_schema(AWSIdentityCenterInstanceSchema(), common_job_parameters).run(neo4j_session)
-    GraphJob.from_node_schema(AWSPermissionSetSchema(), common_job_parameters).run(neo4j_session)
-    GraphJob.from_node_schema(AWSSSOUserSchema(), common_job_parameters).run(neo4j_session)
+def cleanup(
+    neo4j_session: neo4j.Session,
+    common_job_parameters: Dict[str, Any],
+) -> None:
+    GraphJob.from_node_schema(
+        AWSIdentityCenterInstanceSchema(),
+        common_job_parameters,
+    ).run(neo4j_session)
+    GraphJob.from_node_schema(AWSPermissionSetSchema(), common_job_parameters).run(
+        neo4j_session,
+    )
+    GraphJob.from_node_schema(AWSSSOUserSchema(), common_job_parameters).run(
+        neo4j_session,
+    )
     run_cleanup_job(
-        'aws_import_identity_center_cleanup.json',
+        "aws_import_identity_center_cleanup.json",
         neo4j_session,
         common_job_parameters,
     )
@@ -251,8 +285,8 @@ def sync_identity_center_instances(
         # For each instance, get and load its permission sets and SSO users
         for instance in instances:
-            instance_arn = instance['InstanceArn']
-            identity_store_id = instance['IdentityStoreId']
+            instance_arn = instance["InstanceArn"]
+            identity_store_id = instance["IdentityStoreId"]
             permission_sets = get_permission_sets(boto3_session, instance_arn, region)

cartography/intel/aws/inspector.py CHANGED Viewed

@@ -15,15 +15,33 @@ from cartography.util import aws_handle_regions
 from cartography.util import aws_paginate
 from cartography.util import timeit
 logger = logging.getLogger(__name__)
 # As of 7/22/24, Inspector is only available in the below regions. We will need to update this hardcoded list here over
 # time. :\ https://docs.aws.amazon.com/general/latest/gr/inspector2.html
 AWS_INSPECTOR_REGIONS = {
-    "us-east-2", "us-east-1", "us-west-1", "us-west-2", "af-south-1", "ap-east-1", "ap-southeast-3", "ap-south-1",
-    "ap-northeast-3", "ap-northeast-2", "ap-southeast-1", "ap-southeast-2", "ap-northeast-1", "ca-central-1",
-    "eu-central-1", "eu-west-1", "eu-west-2", "eu-south-1", "eu-west-3", "eu-north-1", "eu-central-2", "me-south-1",
+    "us-east-2",
+    "us-east-1",
+    "us-west-1",
+    "us-west-2",
+    "af-south-1",
+    "ap-east-1",
+    "ap-southeast-3",
+    "ap-south-1",
+    "ap-northeast-3",
+    "ap-northeast-2",
+    "ap-southeast-1",
+    "ap-southeast-2",
+    "ap-northeast-1",
+    "ca-central-1",
+    "eu-central-1",
+    "eu-west-1",
+    "eu-west-2",
+    "eu-south-1",
+    "eu-west-3",
+    "eu-north-1",
+    "eu-central-2",
+    "me-south-1",
     "sa-east-1",
 }
@@ -31,9 +49,9 @@ AWS_INSPECTOR_REGIONS = {
 @timeit
 @aws_handle_regions
 def get_inspector_findings(
-        session: boto3.session.Session,
-        region: str,
-        current_aws_account_id: str,
+    session: boto3.session.Session,
+    region: str,
+    current_aws_account_id: str,
 ) -> List[Dict[str, Any]]:
     """
     We must list_findings by filtering the request, otherwise the request could tiemout.
@@ -42,28 +60,31 @@ def get_inspector_findings(
     list_members will get us all the accounts that
     have delegated access to the account specified by current_aws_account_id.
     """
-    client = session.client('inspector2', region_name=region)
+    client = session.client("inspector2", region_name=region)
-    members = aws_paginate(client, 'list_members', 'members')
+    members = aws_paginate(client, "list_members", "members")
     # the current host account may not be considered a "member", but we still fetch its findings
-    accounts = [current_aws_account_id] + [m['accountId'] for m in members]
+    accounts = [current_aws_account_id] + [m["accountId"] for m in members]
     findings = []
     for account in accounts:
-        logger.info(f'Getting findings for member account {account} in region {region}')
+        logger.info(f"Getting findings for member account {account} in region {region}")
         findings.extend(
             aws_paginate(
-                client, 'list_findings', 'findings', filterCriteria={
-                    'awsAccountId': [
+                client,
+                "list_findings",
+                "findings",
+                filterCriteria={
+                    "awsAccountId": [
                         {
-                            'comparison': 'EQUALS',
-                            'value': account,
+                            "comparison": "EQUALS",
+                            "value": account,
                         },
                     ],
-                    'findingStatus': [
+                    "findingStatus": [
                         {
-                            'comparison': 'NOT_EQUALS',
-                            'value': 'CLOSED',
+                            "comparison": "NOT_EQUALS",
+                            "value": "CLOSED",
                         },
                     ],
                 },
@@ -72,48 +93,70 @@ def get_inspector_findings(
     return findings
-def transform_inspector_findings(results: List[Dict[str, Any]]) -> Tuple[List[Dict[str, Any]], List[Dict[str, Any]]]:
+def transform_inspector_findings(
+    results: List[Dict[str, Any]],
+) -> Tuple[List[Dict[str, Any]], List[Dict[str, Any]]]:
     findings_list: List[Dict] = []
     packages: Dict[str, Any] = {}
     for f in results:
         finding: Dict = {}
-        finding['id'] = f['findingArn']
-        finding['arn'] = f['findingArn']
-        finding['severity'] = f['severity']
-        finding['name'] = f['title']
-        finding['firstobservedat'] = f['firstObservedAt']
-        finding['updatedat'] = f['updatedAt']
-        finding['awsaccount'] = f['awsAccountId']
-        finding['description'] = f['description']
-        finding['type'] = f['type']
-        finding['status'] = f['status']
-        if f.get('inspectorScoreDetails'):
-            finding['cvssscore'] = f['inspectorScoreDetails']['adjustedCvss']['score']
-        if f['resources'][0]['type'] == "AWS_EC2_INSTANCE":
-            finding['instanceid'] = f['resources'][0]['id']
-        if f['resources'][0]['type'] == "AWS_ECR_CONTAINER_IMAGE":
-            finding['ecrimageid'] = f['resources'][0]['id'].split('/')[2]
-        if f['resources'][0]['type'] == "AWS_ECR_REPOSITORY":
-            finding['ecrrepositoryid'] = f['resources'][0]['id']
-        if f.get('networkReachabilityDetails'):
-            finding['protocol'] = f['networkReachabilityDetails']['protocol']
-            finding['portrangebegin'] = f['networkReachabilityDetails']['openPortRange']['begin']
-            finding['portrangeend'] = f['networkReachabilityDetails']['openPortRange']['end']
-            finding['portrange'] = _port_range_string(f['networkReachabilityDetails'])
-        if f.get('packageVulnerabilityDetails'):
-            finding['vulnerabilityid'] = f['packageVulnerabilityDetails']['vulnerabilityId']
-            finding['referenceurls'] = f['packageVulnerabilityDetails'].get('referenceUrls')
-            finding['relatedvulnerabilities'] = f['packageVulnerabilityDetails'].get('relatedVulnerabilities')
-            finding['source'] = f['packageVulnerabilityDetails'].get('source')
-            finding['sourceurl'] = f['packageVulnerabilityDetails'].get('sourceUrl')
-            finding['vendorcreatedat'] = f['packageVulnerabilityDetails'].get('vendorCreatedAt')
-            finding['vendorseverity'] = f['packageVulnerabilityDetails'].get('vendorSeverity')
-            finding['vendorupdatedat'] = f['packageVulnerabilityDetails'].get('vendorUpdatedAt')
-            new_packages = _process_packages(f['packageVulnerabilityDetails'], f['awsAccountId'], f['findingArn'])
-            finding['vulnerablepackageids'] = list(new_packages.keys())
+        finding["id"] = f["findingArn"]
+        finding["arn"] = f["findingArn"]
+        finding["severity"] = f["severity"]
+        finding["name"] = f["title"]
+        finding["firstobservedat"] = f["firstObservedAt"]
+        finding["updatedat"] = f["updatedAt"]
+        finding["awsaccount"] = f["awsAccountId"]
+        finding["description"] = f["description"]
+        finding["type"] = f["type"]
+        finding["status"] = f["status"]
+        if f.get("inspectorScoreDetails"):
+            finding["cvssscore"] = f["inspectorScoreDetails"]["adjustedCvss"]["score"]
+        if f["resources"][0]["type"] == "AWS_EC2_INSTANCE":
+            finding["instanceid"] = f["resources"][0]["id"]
+        if f["resources"][0]["type"] == "AWS_ECR_CONTAINER_IMAGE":
+            finding["ecrimageid"] = f["resources"][0]["id"].split("/")[2]
+        if f["resources"][0]["type"] == "AWS_ECR_REPOSITORY":
+            finding["ecrrepositoryid"] = f["resources"][0]["id"]
+        if f.get("networkReachabilityDetails"):
+            finding["protocol"] = f["networkReachabilityDetails"]["protocol"]
+            finding["portrangebegin"] = f["networkReachabilityDetails"][
+                "openPortRange"
+            ]["begin"]
+            finding["portrangeend"] = f["networkReachabilityDetails"]["openPortRange"][
+                "end"
+            ]
+            finding["portrange"] = _port_range_string(f["networkReachabilityDetails"])
+        if f.get("packageVulnerabilityDetails"):
+            finding["vulnerabilityid"] = f["packageVulnerabilityDetails"][
+                "vulnerabilityId"
+            ]
+            finding["referenceurls"] = f["packageVulnerabilityDetails"].get(
+                "referenceUrls",
+            )
+            finding["relatedvulnerabilities"] = f["packageVulnerabilityDetails"].get(
+                "relatedVulnerabilities",
+            )
+            finding["source"] = f["packageVulnerabilityDetails"].get("source")
+            finding["sourceurl"] = f["packageVulnerabilityDetails"].get("sourceUrl")
+            finding["vendorcreatedat"] = f["packageVulnerabilityDetails"].get(
+                "vendorCreatedAt",
+            )
+            finding["vendorseverity"] = f["packageVulnerabilityDetails"].get(
+                "vendorSeverity",
+            )
+            finding["vendorupdatedat"] = f["packageVulnerabilityDetails"].get(
+                "vendorUpdatedAt",
+            )
+            new_packages = _process_packages(
+                f["packageVulnerabilityDetails"],
+                f["awsAccountId"],
+                f["findingArn"],
+            )
+            finding["vulnerablepackageids"] = list(new_packages.keys())
             packages = {**packages, **new_packages}
         findings_list.append(finding)
@@ -129,47 +172,51 @@ def transform_inspector_packages(packages: Dict[str, Any]) -> List[Dict[str, Any
     return packages_list
-def _process_packages(package_details: Dict[str, Any], aws_account_id: str, finding_arn: str) -> Dict[str, Any]:
+def _process_packages(
+    package_details: Dict[str, Any],
+    aws_account_id: str,
+    finding_arn: str,
+) -> Dict[str, Any]:
     packages: Dict[str, Any] = {}
-    for package in package_details['vulnerablePackages']:
+    for package in package_details["vulnerablePackages"]:
         new_package = {}
-        new_package['id'] = (
+        new_package["id"] = (
             f"{package.get('name', '')}|"
             f"{package.get('arch', '')}|"
             f"{package.get('version', '')}|"
             f"{package.get('release', '')}|"
             f"{package.get('epoch', '')}"
         )
-        new_package['name'] = package.get('name')
-        new_package['arch'] = package.get('arch')
-        new_package['version'] = package.get('version')
-        new_package['release'] = package.get('release')
-        new_package['epoch'] = package.get('epoch')
-        new_package['manager'] = package.get("packageManager")
-        new_package['filepath'] = package.get('filePath')
-        new_package['fixedinversion'] = package.get('fixedInVersion')
-        new_package['sourcelayerhash'] = package.get('sourceLayerHash')
-        new_package['awsaccount'] = aws_account_id
-        new_package['findingarn'] = finding_arn
-        packages[new_package['id']] = new_package
+        new_package["name"] = package.get("name")
+        new_package["arch"] = package.get("arch")
+        new_package["version"] = package.get("version")
+        new_package["release"] = package.get("release")
+        new_package["epoch"] = package.get("epoch")
+        new_package["manager"] = package.get("packageManager")
+        new_package["filepath"] = package.get("filePath")
+        new_package["fixedinversion"] = package.get("fixedInVersion")
+        new_package["sourcelayerhash"] = package.get("sourceLayerHash")
+        new_package["awsaccount"] = aws_account_id
+        new_package["findingarn"] = finding_arn
+        packages[new_package["id"]] = new_package
     return packages
 def _port_range_string(details: Dict[str, Any]) -> str:
-    begin = details['openPortRange']['begin']
-    end = details['openPortRange']['end']
+    begin = details["openPortRange"]["begin"]
+    end = details["openPortRange"]["end"]
     return f"{begin}-{end}"
 @timeit
 def load_inspector_findings(
-        neo4j_session: neo4j.Session,
-        findings: List[Dict[str, Any]],
-        region: str,
-        aws_update_tag: int,
-        current_aws_account_id: str,
+    neo4j_session: neo4j.Session,
+    findings: List[Dict[str, Any]],
+    region: str,
+    aws_update_tag: int,
+    current_aws_account_id: str,
 ) -> None:
     load(
         neo4j_session,
@@ -183,11 +230,11 @@ def load_inspector_findings(
 @timeit
 def load_inspector_packages(
-        neo4j_session: neo4j.Session,
-        packages: List[Dict[str, Any]],
-        region: str,
-        aws_update_tag: int,
-        current_aws_account_id: str,
+    neo4j_session: neo4j.Session,
+    packages: List[Dict[str, Any]],
+    region: str,
+    aws_update_tag: int,
+    current_aws_account_id: str,
 ) -> None:
     load(
         neo4j_session,
@@ -200,10 +247,17 @@ def load_inspector_packages(
 @timeit
-def cleanup(neo4j_session: neo4j.Session, common_job_parameters: Dict[str, Any]) -> None:
+def cleanup(
+    neo4j_session: neo4j.Session,
+    common_job_parameters: Dict[str, Any],
+) -> None:
     logger.info("Running AWS Inspector cleanup")
-    GraphJob.from_node_schema(AWSInspectorFindingSchema(), common_job_parameters).run(neo4j_session)
-    GraphJob.from_node_schema(AWSInspectorPackageSchema(), common_job_parameters).run(neo4j_session)
+    GraphJob.from_node_schema(AWSInspectorFindingSchema(), common_job_parameters).run(
+        neo4j_session,
+    )
+    GraphJob.from_node_schema(AWSInspectorPackageSchema(), common_job_parameters).run(
+        neo4j_session,
+    )
 @timeit
@@ -215,14 +269,30 @@ def sync(
     update_tag: int,
     common_job_parameters: Dict[str, Any],
 ) -> None:
-    inspector_regions = [region for region in regions if region in AWS_INSPECTOR_REGIONS]
+    inspector_regions = [
+        region for region in regions if region in AWS_INSPECTOR_REGIONS
+    ]
     for region in inspector_regions:
-        logger.info(f"Syncing AWS Inspector findings for account {current_aws_account_id} and region {region}")
+        logger.info(
+            f"Syncing AWS Inspector findings for account {current_aws_account_id} and region {region}",
+        )
         findings = get_inspector_findings(boto3_session, region, current_aws_account_id)
         finding_data, package_data = transform_inspector_findings(findings)
         logger.info(f"Loading {len(finding_data)} findings")
-        load_inspector_findings(neo4j_session, finding_data, region, update_tag, current_aws_account_id)
+        load_inspector_findings(
+            neo4j_session,
+            finding_data,
+            region,
+            update_tag,
+            current_aws_account_id,
+        )
         logger.info(f"Loading {len(package_data)} packages")
-        load_inspector_packages(neo4j_session, package_data, region, update_tag, current_aws_account_id)
+        load_inspector_packages(
+            neo4j_session,
+            package_data,
+            region,
+            update_tag,
+            current_aws_account_id,
+        )
         cleanup(neo4j_session, common_job_parameters)

cartography 0.102.0rc1__py3-none-any.whl → 0.103.0__py3-none-any.whl

Potentially problematic release.

cartography 0.102.0rc1py3-none-any.whl → 0.103.0py3-none-any.whl