cartography 0.104.0rc2__py3-none-any.whl → 0.105.0__py3-none-any.whl

cartography/_version.py

@@ -17,5 +17,5 @@ __version__: str
 __version_tuple__: VERSION_TUPLE
 version_tuple: VERSION_TUPLE
 
-__version__ = version = '0.104.0rc2'
-__version_tuple__ = version_tuple = (0, 104, 0, 'rc2')
+__version__ = version = '0.105.0'
+__version_tuple__ = version_tuple = (0, 105, 0)

cartography/cli.py

@@ -637,6 +637,24 @@ class CLI:
                 "Required if you are using the Anthropic intel module. Ignored otherwise."
             ),
         )
+        parser.add_argument(
+            "--trivy-s3-bucket",
+            type=str,
+            default=None,
+            help=(
+                "The S3 bucket name containing Trivy scan results. "
+                "Required if you are using the Trivy module. Ignored otherwise."
+            ),
+        )
+        parser.add_argument(
+            "--trivy-s3-prefix",
+            type=str,
+            default=None,
+            help=(
+                "The S3 prefix path containing Trivy scan results. "
+                "Required if you are using the Trivy module. Ignored otherwise."
+            ),
+        )
 
         return parser
 
@@ -914,7 +932,7 @@ class CLI:
                 config.snipeit_token = os.environ.get("SNIPEIT_TOKEN")
             else:
                 logger.warning("A SnipeIT base URI was provided but a token was not.")
-                config.kandji_token = None
+                config.snipeit_token = None
         else:
             logger.warning("A SnipeIT base URI was not provided.")
             config.snipeit_base_uri = None
@@ -955,6 +973,13 @@ class CLI:
         else:
             config.anthropic_apikey = None
 
+        # Trivy config
+        if config.trivy_s3_bucket:
+            logger.debug(f"Trivy S3 bucket: {config.trivy_s3_bucket}")
+
+        if config.trivy_s3_prefix:
+            logger.debug(f"Trivy S3 prefix: {config.trivy_s3_prefix}")
+
         # Run cartography
         try:
             return cartography.sync.run_with_config(self.sync, config)

cartography/client/aws/__init__.py

@@ -0,0 +1,19 @@
+from typing import List
+
+import neo4j
+
+from cartography.client.core.tx import read_list_of_values_tx
+from cartography.util import timeit
+
+
+@timeit
+def list_accounts(neo4j_session: neo4j.Session) -> List[str]:
+    """
+    :param neo4j_session: The neo4j session object.
+    :return: A list of all AWS account IDs in the graph
+    """
+    # See https://community.neo4j.com/t/extract-list-of-nodes-and-labels-from-path/13665/4
+    query = """
+    MATCH (a:AWSAccount) RETURN a.id
+    """
+    return neo4j_session.read_transaction(read_list_of_values_tx, query)

cartography/client/aws/ecr.py

@@ -0,0 +1,51 @@
+from typing import Set
+from typing import Tuple
+
+import neo4j
+
+from cartography.client.core.tx import read_list_of_tuples_tx
+from cartography.util import timeit
+
+
+@timeit
+def get_ecr_images(
+    neo4j_session: neo4j.Session, aws_account_id: str
+) -> Set[Tuple[str, str, str, str, str]]:
+    """
+    Queries the graph for all ECR images and their parent images.
+    Returns 5-tuples of ECR repository regions, tags, URIs, names, and binary digests. This is used to identify which
+    images to scan.
+    :param neo4j_session: The neo4j session object.
+    :param aws_account_id: The AWS account ID to get ECR repo data for.
+    :return: 5-tuples of repo region, image tag, image URI, repo_name, and image_digest.
+    """
+    # See https://community.neo4j.com/t/extract-list-of-nodes-and-labels-from-path/13665/4
+    query = """
+MATCH (e1:ECRRepositoryImage)<-[:REPO_IMAGE]-(repo:ECRRepository)
+MATCH (repo)<-[:RESOURCE]-(:AWSAccount {id: $AWS_ID})
+
+// OPTIONAL traversal of parent hierarchy
+OPTIONAL MATCH path = (e1)-[:PARENT*1..]->(ancestor:ECRRepositoryImage)
+WITH e1,
+     CASE
+         WHEN path IS NULL THEN [e1]
+         ELSE [n IN nodes(path) | n] + [e1]
+     END AS repo_img_collection_unflattened
+
+// Flatten and dedupe
+UNWIND repo_img_collection_unflattened AS repo_img
+WITH DISTINCT repo_img
+
+// Match image metadata
+MATCH (er:ECRRepository)-[:REPO_IMAGE]->(repo_img)-[:IMAGE]->(img:ECRImage)
+
+RETURN DISTINCT
+    er.region AS region,
+    repo_img.tag AS tag,
+    repo_img.id AS uri,
+    er.name AS repo_name,
+    img.digest AS digest
+    """
+    return neo4j_session.read_transaction(
+        read_list_of_tuples_tx, query, AWS_ID=aws_account_id
+    )

cartography/config.py

@@ -137,6 +137,10 @@ class Config:
     :param openai_org_id: OpenAI organization id. Optional.
     :type anthropic_apikey: string
     :param anthropic_apikey: Anthropic API key. Optional.
+    :type trivy_s3_bucket: str
+    :param trivy_s3_bucket: The S3 bucket name containing Trivy scan results. Optional.
+    :type trivy_s3_prefix: str
+    :param trivy_s3_prefix: The S3 prefix path containing Trivy scan results. Optional.
     """
 
     def __init__(
@@ -209,6 +213,8 @@ class Config:
         openai_apikey=None,
         openai_org_id=None,
         anthropic_apikey=None,
+        trivy_s3_bucket=None,
+        trivy_s3_prefix=None,
     ):
         self.neo4j_uri = neo4j_uri
         self.neo4j_user = neo4j_user
@@ -278,3 +284,5 @@ class Config:
         self.openai_apikey = openai_apikey
         self.openai_org_id = openai_org_id
         self.anthropic_apikey = anthropic_apikey
+        self.trivy_s3_bucket = trivy_s3_bucket
+        self.trivy_s3_prefix = trivy_s3_prefix

cartography/data/indexes.cypher

@@ -227,9 +227,6 @@ CREATE INDEX IF NOT EXISTS FOR (n:OCITenancy) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:OCIUser) ON (n.ocid);
 CREATE INDEX IF NOT EXISTS FOR (n:OCIUser) ON (n.name);
 CREATE INDEX IF NOT EXISTS FOR (n:OCIUser) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:Package) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:Package) ON (n.name);
-CREATE INDEX IF NOT EXISTS FOR (n:Package) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:PagerDutyEscalationPolicy) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:PagerDutyEscalationPolicy) ON (n.name);
 CREATE INDEX IF NOT EXISTS FOR (n:PagerDutyEscalationPolicy) ON (n.lastupdated);

cartography/data/jobs/cleanup/aws_import_lambda_cleanup.json

@@ -31,7 +31,7 @@
       "iterationsize": 100
     },
     {
-      "query": "MATCH (:AWSAccount{id: $AWS_ID})-[:RESOURCE]->(:AWSLambda)-[r:STS_ASSUME_ROLE_ALLOW]->(:AWSPrincipal) WHERE r.lastupdated <> $UPDATE_TAG WITH r LIMIT $LIMIT_SIZE DELETE r",
+      "query": "MATCH (:AWSAccount{id: $AWS_ID})-[:RESOURCE]->(:AWSLambda)-[r:STS_ASSUMEROLE_ALLOW]->(:AWSPrincipal) WHERE r.lastupdated <> $UPDATE_TAG WITH r LIMIT $LIMIT_SIZE DELETE r",
       "iterative": true,
       "iterationsize": 100
     },

cartography/graph/cleanupbuilder.py

@@ -15,33 +15,40 @@ from cartography.models.core.relationships import TargetNodeMatcher
 def build_cleanup_queries(node_schema: CartographyNodeSchema) -> List[str]:
     """
     Generates queries to clean up stale nodes and relationships from the given CartographyNodeSchema.
+    Properly handles cases where a node schema has a scoped cleanup or not.
     Note that auto-cleanups for a node with no relationships is not currently supported.
-
-    Algorithm:
-    1. If node_schema has no relationships at all, return empty.
-
-    Otherwise,
-
-    1. If node_schema doesn't have a sub_resource relationship, generate queries only to clean up its other
-    relationships. No nodes will be cleaned up.
-
-    Otherwise,
-
-    1. First delete all stale nodes attached to the node_schema's sub resource
-    2. Delete all stale node to sub resource relationships
-        - We don't expect this to be very common (never for AWS resources, at least), but in case it is possible for an
-          asset to change sub resources, we want to handle it properly.
-    3. For all relationships defined on the node schema, delete all stale ones.
     :param node_schema: The given CartographyNodeSchema
     :return: A list of Neo4j queries to clean up nodes and relationships.
     """
+    # If the node has no relationships, do not delete the node. Leave this behind for the user to manage.
+    # Oftentimes these are SyncMetadata nodes.
     if (
         not node_schema.sub_resource_relationship
         and not node_schema.other_relationships
     ):
         return []
 
-    if not node_schema.sub_resource_relationship:
+    # Case 1 [Standard]: the node has a sub resource and scoped cleanup is true => clean up stale nodes
+    # of this type, scoped to the sub resource. Continue on to clean up the other_relationships too.
+    if node_schema.sub_resource_relationship and node_schema.scoped_cleanup:
+        queries = _build_cleanup_node_and_rel_queries(
+            node_schema,
+            node_schema.sub_resource_relationship,
+        )
+
+    # Case 2: The node has a sub resource but scoped cleanup is false => this does not make sense
+    # because if have a sub resource, we are implying that we are doing scoped cleanup.
+    elif node_schema.sub_resource_relationship and not node_schema.scoped_cleanup:
+        raise ValueError(
+            f"This is not expected: {node_schema.label} has a sub_resource_relationship but scoped_cleanup=False."
+            "Please check the class definition for this node schema. It doesn't make sense for a node to have a "
+            "sub resource relationship and an unscoped cleanup. Doing this will cause all stale nodes of this type "
+            "to be deleted regardless of the sub resource they are attached to."
+        )
+
+    # Case 3: The node has no sub resource but scoped cleanup is true => do not delete any nodes, but clean up stale relationships.
+    # Return early.
+    elif not node_schema.sub_resource_relationship and node_schema.scoped_cleanup:
         queries = []
         other_rels = (
             node_schema.other_relationships.rels
@@ -53,17 +60,20 @@ def build_cleanup_queries(node_schema: CartographyNodeSchema) -> List[str]:
             queries.append(query)
         return queries
 
-    result = _build_cleanup_node_and_rel_queries(
-        node_schema,
-        node_schema.sub_resource_relationship,
-    )
+    # Case 4: The node has no sub resource and scoped cleanup is false => clean up the stale nodes. Continue on to clean up the other_relationships too.
+    else:
+        queries = [_build_cleanup_node_query_unscoped(node_schema)]
+
     if node_schema.other_relationships:
         for rel in node_schema.other_relationships.rels:
-            # [0] is the delete node query, [1] is the delete relationship query. We only want the latter.
-            _, rel_query = _build_cleanup_node_and_rel_queries(node_schema, rel)
-            result.append(rel_query)
+            if node_schema.scoped_cleanup:
+                # [0] is the delete node query, [1] is the delete relationship query. We only want the latter.
+                _, rel_query = _build_cleanup_node_and_rel_queries(node_schema, rel)
+                queries.append(rel_query)
+            else:
+                queries.append(_build_cleanup_rel_queries_unscoped(node_schema, rel))
 
-    return result
+    return queries
 
 
 def _build_cleanup_rel_query_no_sub_resource(
@@ -94,6 +104,46 @@ def _build_cleanup_rel_query_no_sub_resource(
     )
 
 
+def _build_match_statement_for_cleanup(node_schema: CartographyNodeSchema) -> str:
+    """
+    Helper function to build a MATCH statement for a given node schema for cleanup.
+    """
+    if not node_schema.sub_resource_relationship and not node_schema.scoped_cleanup:
+        template = Template("MATCH (n:$node_label)")
+        return template.safe_substitute(
+            node_label=node_schema.label,
+        )
+
+    # if it has a sub resource relationship defined, we need to match on the sub resource to make sure we only delete
+    # nodes that are attached to the sub resource.
+    template = Template(
+        "MATCH (n:$node_label)$sub_resource_link(:$sub_resource_label{$match_sub_res_clause})"
+    )
+    sub_resource_link = ""
+    sub_resource_label = ""
+    match_sub_res_clause = ""
+
+    if node_schema.sub_resource_relationship:
+        # Draw sub resource rel with correct direction
+        if node_schema.sub_resource_relationship.direction == LinkDirection.INWARD:
+            sub_resource_link_template = Template("<-[s:$SubResourceRelLabel]-")
+        else:
+            sub_resource_link_template = Template("-[s:$SubResourceRelLabel]->")
+        sub_resource_link = sub_resource_link_template.safe_substitute(
+            SubResourceRelLabel=node_schema.sub_resource_relationship.rel_label,
+        )
+        sub_resource_label = node_schema.sub_resource_relationship.target_node_label
+        match_sub_res_clause = _build_match_clause(
+            node_schema.sub_resource_relationship.target_node_matcher,
+        )
+    return template.safe_substitute(
+        node_label=node_schema.label,
+        sub_resource_link=sub_resource_link,
+        sub_resource_label=sub_resource_label,
+        match_sub_res_clause=match_sub_res_clause,
+    )
+
+
 def _build_cleanup_node_and_rel_queries(
     node_schema: CartographyNodeSchema,
     selected_relationship: CartographyRelSchema,
@@ -120,15 +170,6 @@ def _build_cleanup_node_and_rel_queries(
             "verify the node class definition for the relationships that it has.",
         )
 
-    # Draw sub resource rel with correct direction
-    if node_schema.sub_resource_relationship.direction == LinkDirection.INWARD:
-        sub_resource_link_template = Template("<-[s:$SubResourceRelLabel]-")
-    else:
-        sub_resource_link_template = Template("-[s:$SubResourceRelLabel]->")
-    sub_resource_link = sub_resource_link_template.safe_substitute(
-        SubResourceRelLabel=node_schema.sub_resource_relationship.rel_label,
-    )
-
     # The cleanup node query must always be before the cleanup rel query
     delete_action_clauses = [
         """
@@ -161,19 +202,14 @@ def _build_cleanup_node_and_rel_queries(
     # Ensure the node is attached to the sub resource and delete the node
     query_template = Template(
         """
-        MATCH (n:$node_label)$sub_resource_link(:$sub_resource_label{$match_sub_res_clause})
+        $match_statement
         $selected_rel_clause
         $delete_action_clause
         """,
     )
     return [
         query_template.safe_substitute(
-            node_label=node_schema.label,
-            sub_resource_link=sub_resource_link,
-            sub_resource_label=node_schema.sub_resource_relationship.target_node_label,
-            match_sub_res_clause=_build_match_clause(
-                node_schema.sub_resource_relationship.target_node_matcher,
-            ),
+            match_statement=_build_match_statement_for_cleanup(node_schema),
             selected_rel_clause=(
                 ""
                 if selected_relationship == node_schema.sub_resource_relationship
@@ -185,6 +221,80 @@ def _build_cleanup_node_and_rel_queries(
     ]
 
 
+def _build_cleanup_node_query_unscoped(
+    node_schema: CartographyNodeSchema,
+) -> str:
+    """
+    Generates a cleanup query for a node_schema to allow unscoped cleanup.
+    """
+    if node_schema.scoped_cleanup:
+        raise ValueError(
+            f"_build_cleanup_node_query_for_unscoped_cleanup() failed: '{node_schema.label}' does not have "
+            "scoped_cleanup=False, so we cannot generate a query to clean it up. Please verify that the class "
+            "definition is what you expect.",
+        )
+
+    # The cleanup node query must always be before the cleanup rel query
+    delete_action_clause = """
+        WHERE n.lastupdated <> $UPDATE_TAG
+        WITH n LIMIT $LIMIT_SIZE
+        DETACH DELETE n;
+    """
+
+    # Ensure the node is attached to the sub resource and delete the node
+    query_template = Template(
+        """
+        $match_statement
+        $delete_action_clause
+        """,
+    )
+    return query_template.safe_substitute(
+        match_statement=_build_match_statement_for_cleanup(node_schema),
+        delete_action_clause=delete_action_clause,
+    )
+
+
+def _build_cleanup_rel_queries_unscoped(
+    node_schema: CartographyNodeSchema,
+    selected_relationship: CartographyRelSchema,
+) -> str:
+    """
+    Generates relationship cleanup query for a node_schema with scoped_cleanup=False.
+    """
+    if node_schema.scoped_cleanup:
+        raise ValueError(
+            f"_build_cleanup_node_and_rel_queries_unscoped() failed: '{node_schema.label}' does not have "
+            "scoped_cleanup=False, so we cannot generate a query to clean it up. Please verify that the class "
+            "definition is what you expect.",
+        )
+    if not rel_present_on_node_schema(node_schema, selected_relationship):
+        raise ValueError(
+            f"_build_cleanup_node_query(): Attempted to build cleanup query for node '{node_schema.label}' and "
+            f"relationship {selected_relationship.rel_label} but that relationship is not present on the node. Please "
+            "verify the node class definition for the relationships that it has.",
+        )
+
+    # The cleanup node query must always be before the cleanup rel query
+    delete_action_clause = """WHERE r.lastupdated <> $UPDATE_TAG
+        WITH r LIMIT $LIMIT_SIZE
+        DELETE r;
+        """
+
+    # Ensure the node is attached to the sub resource and delete the node
+    query_template = Template(
+        """
+        $match_statement
+        $selected_rel_clause
+        $delete_action_clause
+        """,
+    )
+    return query_template.safe_substitute(
+        match_statement=_build_match_statement_for_cleanup(node_schema),
+        selected_rel_clause=_build_selected_rel_clause(selected_relationship),
+        delete_action_clause=delete_action_clause,
+    )
+
+
 def _build_selected_rel_clause(selected_relationship: CartographyRelSchema) -> str:
     """
     Draw selected relationship with correct direction. Returns a string that looks like either

cartography/intel/aws/acm.py

@@ -0,0 +1,124 @@
+import logging
+from typing import Any
+
+import boto3
+import neo4j
+
+from cartography.client.core.tx import load
+from cartography.graph.job import GraphJob
+from cartography.models.aws.acm.certificate import ACMCertificateSchema
+from cartography.stats import get_stats_client
+from cartography.util import aws_handle_regions
+from cartography.util import merge_module_sync_metadata
+from cartography.util import timeit
+
+logger = logging.getLogger(__name__)
+stat_handler = get_stats_client(__name__)
+
+
+@timeit
+@aws_handle_regions
+def get_acm_certificates(
+    boto3_session: boto3.session.Session, region: str
+) -> list[dict[str, Any]]:
+    client = boto3_session.client("acm", region_name=region)
+    paginator = client.get_paginator("list_certificates")
+    summaries: list[dict[str, Any]] = []
+    for page in paginator.paginate():
+        summaries.extend(page.get("CertificateSummaryList", []))
+
+    details: list[dict[str, Any]] = []
+    for summary in summaries:
+        arn = summary["CertificateArn"]
+        resp = client.describe_certificate(CertificateArn=arn)
+        details.append(resp["Certificate"])
+    return details
+
+
+def transform_acm_certificates(
+    certificates: list[dict[str, Any]], region: str
+) -> list[dict[str, Any]]:
+    transformed: list[dict[str, Any]] = []
+    for cert in certificates:
+        item: dict[str, Any] = {
+            "Arn": cert["CertificateArn"],
+            "DomainName": cert.get("DomainName"),
+            "Type": cert.get("Type"),
+            "Status": cert.get("Status"),
+            "KeyAlgorithm": cert.get("KeyAlgorithm"),
+            "SignatureAlgorithm": cert.get("SignatureAlgorithm"),
+            "NotBefore": cert.get("NotBefore"),
+            "NotAfter": cert.get("NotAfter"),
+            "InUseBy": cert.get("InUseBy", []),
+            "Region": region,
+        }
+        # Extract ELBV2 Listener ARNs for relationship creation
+        listener_arns = [a for a in item["InUseBy"] if ":listener/" in a]
+        if listener_arns:
+            item["ELBV2ListenerArns"] = listener_arns
+        transformed.append(item)
+    return transformed
+
+
+@timeit
+def load_acm_certificates(
+    neo4j_session: neo4j.Session,
+    data: list[dict[str, Any]],
+    region: str,
+    current_aws_account_id: str,
+    update_tag: int,
+) -> None:
+    logger.info(f"Loading {len(data)} ACM certificates for region {region} into graph.")
+    load(
+        neo4j_session,
+        ACMCertificateSchema(),
+        data,
+        lastupdated=update_tag,
+        Region=region,
+        AWS_ID=current_aws_account_id,
+    )
+
+
+@timeit
+def cleanup_acm_certificates(
+    neo4j_session: neo4j.Session, common_job_parameters: dict[str, Any]
+) -> None:
+    logger.debug("Running ACM certificate cleanup job.")
+    GraphJob.from_node_schema(ACMCertificateSchema(), common_job_parameters).run(
+        neo4j_session
+    )
+
+
+@timeit
+def sync(
+    neo4j_session: neo4j.Session,
+    boto3_session: boto3.session.Session,
+    regions: list[str],
+    current_aws_account_id: str,
+    update_tag: int,
+    common_job_parameters: dict[str, Any],
+) -> None:
+    for region in regions:
+        logger.info(
+            f"Syncing ACM certificates for region {region} in account {current_aws_account_id}."
+        )
+        certs = get_acm_certificates(boto3_session, region)
+        transformed = transform_acm_certificates(certs, region)
+        load_acm_certificates(
+            neo4j_session,
+            transformed,
+            region,
+            current_aws_account_id,
+            update_tag,
+        )
+
+    cleanup_acm_certificates(neo4j_session, common_job_parameters)
+
+    merge_module_sync_metadata(
+        neo4j_session,
+        group_type="AWSAccount",
+        group_id=current_aws_account_id,
+        synced_type="ACMCertificate",
+        update_tag=update_tag,
+        stat_handler=stat_handler,
+    )

cartography/intel/aws/cloudtrail.py

@@ -4,7 +4,6 @@ from typing import Dict
 from typing import List
 
 import boto3
-import botocore.exceptions
 import neo4j
 
 from cartography.client.core.tx import load
@@ -25,10 +24,8 @@ def get_cloudtrail_trails(
     client = boto3_session.client(
         "cloudtrail", region_name=region, config=get_botocore_config()
     )
-    paginator = client.get_paginator("list_trails")
-    trails = []
-    for page in paginator.paginate():
-        trails.extend(page["Trails"])
+
+    trails = client.describe_trails()["trailList"]
 
     # CloudTrail multi-region trails are shown in list_trails,
     # but the get_trail call only works in the home region
@@ -36,28 +33,6 @@ def get_cloudtrail_trails(
     return trails_filtered
 
 
-@timeit
-def get_cloudtrail_trail(
-    boto3_session: boto3.Session,
-    region: str,
-    trail_name: str,
-) -> Dict[str, Any]:
-    client = boto3_session.client(
-        "cloudtrail", region_name=region, config=get_botocore_config()
-    )
-    trail_details: Dict[str, Any] = {}
-    try:
-        response = client.get_trail(Name=trail_name)
-        trail_details = response["Trail"]
-    except botocore.exceptions.ClientError as e:
-        code = e.response["Error"]["Code"]
-        msg = e.response["Error"]["Message"]
-        logger.warning(
-            f"Could not run CloudTrail get_trail due to boto3 error {code}: {msg}. Skipping.",
-        )
-    return trail_details
-
-
 @timeit
 def load_cloudtrail_trails(
     neo4j_session: neo4j.Session,
@@ -105,20 +80,10 @@ def sync(
             f"Syncing CloudTrail for region '{region}' in account '{current_aws_account_id}'.",
         )
         trails = get_cloudtrail_trails(boto3_session, region)
-        trail_data: List[Dict[str, Any]] = []
-        for trail in trails:
-            trail_name = trail["Name"]
-            trail_details = get_cloudtrail_trail(
-                boto3_session,
-                region,
-                trail_name,
-            )
-            if trail_details:
-                trail_data.append(trail_details)
 
         load_cloudtrail_trails(
             neo4j_session,
-            trail_data,
+            trails,
             region,
             current_aws_account_id,
             update_tag,

cartography/intel/aws/ecr.py

@@ -107,9 +107,12 @@ def load_ecr_repositories(
 def transform_ecr_repository_images(repo_data: Dict) -> List[Dict]:
     """
     Ensure that we only load ECRImage nodes to the graph if they have a defined imageDigest field.
+    Process repositories in a consistent order to handle overlapping image digests deterministically.
     """
     repo_images_list = []
-    for repo_uri, repo_images in repo_data.items():
+    # Sort repository URIs to ensure consistent processing order
+    for repo_uri in sorted(repo_data.keys()):
+        repo_images = repo_data[repo_uri]
         for img in repo_images:
             if "imageDigest" in img and img["imageDigest"]:
                 img["repo_uri"] = repo_uri
@@ -214,7 +217,9 @@ def _get_image_data(
         )
         image_data[repo["repositoryUri"]] = repo_image_obj
 
-    to_synchronous(*[async_get_images(repo) for repo in repositories])
+    # Sort repositories by name to ensure consistent processing order
+    sorted_repos = sorted(repositories, key=lambda x: x["repositoryName"])
+    to_synchronous(*[async_get_images(repo) for repo in sorted_repos])
 
     return image_data
 
@@ -237,6 +242,7 @@ def sync(
         image_data = {}
         repositories = get_ecr_repositories(boto3_session, region)
         image_data = _get_image_data(boto3_session, region, repositories)
+        # len here should be 1!
         load_ecr_repositories(
             neo4j_session,
             repositories,

cartography/intel/aws/iam.py

@@ -507,7 +507,7 @@ def sync_assumerole_relationships(
     common_job_parameters: Dict,
 ) -> None:
     # Must be called after load_role
-    # Computes and syncs the STS_ASSUME_ROLE allow relationship
+    # Computes and syncs the STS_ASSUMEROLE_ALLOW relationship
     logger.info(
         "Syncing assume role mappings for account '%s'.",
         current_aws_account_id,

cartography/intel/aws/lambda_function.py

@@ -74,7 +74,7 @@ def load_lambda_functions(
         SET r.lastupdated = $aws_update_tag
         WITH lambda, lf
         MATCH (role:AWSPrincipal{arn: lf.Role})
-        MERGE (lambda)-[r:STS_ASSUME_ROLE_ALLOW]->(role)
+        MERGE (lambda)-[r:STS_ASSUMEROLE_ALLOW]->(role)
         ON CREATE SET r.firstseen = timestamp()
         SET r.lastupdated = $aws_update_tag
     """