PyPI - cartography - Versions diffs - 0.104.0rc2__py3-none-any.whl → 0.123.0__py3-none-any.whl - Mend

cartography 0.104.0rc2py3-none-any.whl → 0.123.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (642) hide show

cartography/_version.py +16 -3
cartography/cli.py +466 -5
cartography/client/aws/__init__.py +19 -0
cartography/client/aws/ecr.py +51 -0
cartography/client/core/tx.py +357 -8
cartography/config.py +153 -0
cartography/data/azure_permission_relationships.yaml +20 -0
cartography/data/gcp_permission_relationships.yaml +21 -0
cartography/data/indexes.cypher +0 -186
cartography/data/jobs/analysis/aws_ec2_keypair_analysis.json +2 -2
cartography/data/jobs/analysis/keycloak_inheritance.json +30 -0
cartography/data/jobs/cleanup/gcp_compute_vpc_cleanup.json +0 -12
cartography/data/jobs/cleanup/github_repos_cleanup.json +2 -0
cartography/driftdetect/cli.py +3 -2
cartography/graph/cleanupbuilder.py +198 -41
cartography/graph/job.py +54 -6
cartography/graph/querybuilder.py +528 -27
cartography/graph/statement.py +5 -1
cartography/intel/airbyte/__init__.py +105 -0
cartography/intel/airbyte/connections.py +120 -0
cartography/intel/airbyte/destinations.py +81 -0
cartography/intel/airbyte/organizations.py +59 -0
cartography/intel/airbyte/sources.py +78 -0
cartography/intel/airbyte/tags.py +64 -0
cartography/intel/airbyte/users.py +106 -0
cartography/intel/airbyte/util.py +122 -0
cartography/intel/airbyte/workspaces.py +63 -0
cartography/intel/aws/__init__.py +24 -9
cartography/intel/aws/acm.py +124 -0
cartography/intel/aws/apigateway.py +253 -22
cartography/intel/aws/apigatewayv2.py +116 -0
cartography/intel/aws/cloudtrail.py +17 -39
cartography/intel/aws/cloudtrail_management_events.py +962 -0
cartography/intel/aws/cloudwatch.py +150 -4
cartography/intel/aws/codebuild.py +132 -0
cartography/intel/aws/cognito.py +201 -0
cartography/intel/aws/config.py +7 -3
cartography/intel/aws/ec2/elastic_ip_addresses.py +3 -1
cartography/intel/aws/ec2/instances.py +25 -1
cartography/intel/aws/ec2/internet_gateways.py +4 -2
cartography/intel/aws/ec2/load_balancer_v2s.py +11 -5
cartography/intel/aws/ec2/network_interfaces.py +5 -1
cartography/intel/aws/ec2/reserved_instances.py +3 -1
cartography/intel/aws/ec2/security_groups.py +140 -122
cartography/intel/aws/ec2/snapshots.py +47 -84
cartography/intel/aws/ec2/subnets.py +37 -63
cartography/intel/aws/ec2/tgw.py +11 -5
cartography/intel/aws/ec2/volumes.py +1 -1
cartography/intel/aws/ec2/vpc.py +140 -124
cartography/intel/aws/ec2/vpc_peerings.py +262 -125
cartography/intel/aws/ecr.py +269 -98
cartography/intel/aws/ecr_image_layers.py +923 -0
cartography/intel/aws/ecs.py +251 -380
cartography/intel/aws/efs.py +179 -11
cartography/intel/aws/elasticache.py +102 -79
cartography/intel/aws/elasticsearch.py +13 -4
cartography/intel/aws/eventbridge.py +164 -0
cartography/intel/aws/glue.py +181 -0
cartography/intel/aws/guardduty.py +443 -0
cartography/intel/aws/iam.py +750 -493
cartography/intel/aws/identitycenter.py +605 -83
cartography/intel/aws/inspector.py +221 -105
cartography/intel/aws/kms.py +173 -201
cartography/intel/aws/lambda_function.py +272 -189
cartography/intel/aws/organizations.py +10 -9
cartography/intel/aws/permission_relationships.py +10 -20
cartography/intel/aws/rds.py +337 -446
cartography/intel/aws/redshift.py +9 -4
cartography/intel/aws/resourcegroupstaggingapi.py +78 -19
cartography/intel/aws/resources.py +18 -0
cartography/intel/aws/route53.py +386 -332
cartography/intel/aws/s3.py +322 -14
cartography/intel/aws/secretsmanager.py +81 -49
cartography/intel/aws/securityhub.py +3 -1
cartography/intel/aws/sns.py +62 -2
cartography/intel/aws/sqs.py +36 -90
cartography/intel/aws/ssm.py +3 -5
cartography/intel/azure/__init__.py +202 -48
cartography/intel/azure/aks.py +175 -0
cartography/intel/azure/app_service.py +105 -0
cartography/intel/azure/compute.py +59 -112
cartography/intel/azure/container_instances.py +95 -0
cartography/intel/azure/cosmosdb.py +222 -361
cartography/intel/azure/data_factory.py +85 -0
cartography/intel/azure/data_factory_dataset.py +128 -0
cartography/intel/azure/data_factory_linked_service.py +119 -0
cartography/intel/azure/data_factory_pipeline.py +142 -0
cartography/intel/azure/data_lake.py +124 -0
cartography/intel/azure/event_grid.py +94 -0
cartography/intel/azure/functions.py +124 -0
cartography/intel/azure/load_balancers.py +263 -0
cartography/intel/azure/logic_apps.py +101 -0
cartography/intel/azure/monitor.py +105 -0
cartography/intel/azure/network.py +467 -0
cartography/intel/azure/permission_relationships.py +466 -0
cartography/intel/azure/rbac.py +309 -0
cartography/intel/azure/resource_groups.py +82 -0
cartography/intel/azure/security_center.py +106 -0
cartography/intel/azure/sql.py +145 -292
cartography/intel/azure/storage.py +185 -262
cartography/intel/azure/subscription.py +21 -43
cartography/intel/azure/tenant.py +39 -30
cartography/intel/azure/util/common.py +13 -0
cartography/intel/azure/util/credentials.py +49 -174
cartography/intel/azure/util/tag.py +41 -0
cartography/intel/create_indexes.py +2 -1
cartography/intel/crowdstrike/spotlight.py +5 -2
cartography/intel/dns.py +5 -2
cartography/intel/entra/__init__.py +100 -1
cartography/intel/entra/app_role_assignments.py +284 -0
cartography/intel/entra/applications.py +182 -0
cartography/intel/entra/federation/__init__.py +0 -0
cartography/intel/entra/federation/aws_identity_center.py +77 -0
cartography/intel/entra/groups.py +198 -0
cartography/intel/entra/ou.py +48 -24
cartography/intel/entra/service_principals.py +217 -0
cartography/intel/entra/users.py +105 -57
cartography/intel/gcp/__init__.py +334 -396
cartography/intel/gcp/bigtable_app_profile.py +101 -0
cartography/intel/gcp/bigtable_backup.py +91 -0
cartography/intel/gcp/bigtable_cluster.py +93 -0
cartography/intel/gcp/bigtable_instance.py +86 -0
cartography/intel/gcp/bigtable_table.py +87 -0
cartography/intel/gcp/cai.py +292 -0
cartography/intel/gcp/clients.py +112 -0
cartography/intel/gcp/compute.py +128 -119
cartography/intel/gcp/crm/__init__.py +0 -0
cartography/intel/gcp/crm/folders.py +114 -0
cartography/intel/gcp/crm/orgs.py +70 -0
cartography/intel/gcp/crm/projects.py +120 -0
cartography/intel/gcp/dns.py +83 -169
cartography/intel/gcp/gke.py +72 -113
cartography/intel/gcp/iam.py +111 -91
cartography/intel/gcp/permission_relationships.py +394 -0
cartography/intel/gcp/policy_bindings.py +225 -0
cartography/intel/gcp/storage.py +75 -159
cartography/intel/github/__init__.py +62 -25
cartography/intel/github/commits.py +423 -0
cartography/intel/github/repos.py +463 -85
cartography/intel/github/teams.py +3 -3
cartography/intel/github/users.py +5 -0
cartography/intel/github/util.py +12 -0
cartography/intel/googleworkspace/__init__.py +193 -0
cartography/intel/googleworkspace/devices.py +254 -0
cartography/intel/googleworkspace/groups.py +568 -0
cartography/intel/googleworkspace/oauth_apps.py +259 -0
cartography/intel/googleworkspace/tenant.py +85 -0
cartography/intel/googleworkspace/users.py +138 -0
cartography/intel/gsuite/__init__.py +17 -9
cartography/intel/gsuite/groups.py +291 -0
cartography/intel/gsuite/users.py +142 -0
cartography/intel/jamf/computers.py +7 -1
cartography/intel/keycloak/__init__.py +153 -0
cartography/intel/keycloak/authenticationexecutions.py +322 -0
cartography/intel/keycloak/authenticationflows.py +77 -0
cartography/intel/keycloak/clients.py +187 -0
cartography/intel/keycloak/groups.py +126 -0
cartography/intel/keycloak/identityproviders.py +94 -0
cartography/intel/keycloak/organizations.py +163 -0
cartography/intel/keycloak/realms.py +61 -0
cartography/intel/keycloak/roles.py +202 -0
cartography/intel/keycloak/scopes.py +73 -0
cartography/intel/keycloak/users.py +70 -0
cartography/intel/keycloak/util.py +47 -0
cartography/intel/kubernetes/__init__.py +60 -14
cartography/intel/kubernetes/clusters.py +86 -0
cartography/intel/kubernetes/eks.py +402 -0
cartography/intel/kubernetes/namespaces.py +59 -57
cartography/intel/kubernetes/pods.py +168 -75
cartography/intel/kubernetes/rbac.py +597 -0
cartography/intel/kubernetes/secrets.py +95 -45
cartography/intel/kubernetes/services.py +131 -67
cartography/intel/kubernetes/util.py +142 -14
cartography/intel/oci/iam.py +23 -9
cartography/intel/oci/organizations.py +3 -1
cartography/intel/oci/utils.py +28 -5
cartography/intel/okta/applications.py +15 -5
cartography/intel/okta/awssaml.py +14 -10
cartography/intel/okta/factors.py +3 -1
cartography/intel/okta/groups.py +5 -2
cartography/intel/okta/organization.py +3 -1
cartography/intel/okta/origins.py +3 -1
cartography/intel/okta/roles.py +5 -2
cartography/intel/okta/users.py +10 -2
cartography/intel/ontology/__init__.py +44 -0
cartography/intel/ontology/devices.py +54 -0
cartography/intel/ontology/users.py +54 -0
cartography/intel/ontology/utils.py +176 -0
cartography/intel/pagerduty/escalation_policies.py +13 -6
cartography/intel/pagerduty/schedules.py +9 -4
cartography/intel/pagerduty/services.py +7 -3
cartography/intel/pagerduty/teams.py +5 -2
cartography/intel/pagerduty/users.py +3 -1
cartography/intel/pagerduty/vendors.py +3 -1
cartography/intel/scaleway/__init__.py +127 -0
cartography/intel/scaleway/iam/__init__.py +0 -0
cartography/intel/scaleway/iam/apikeys.py +71 -0
cartography/intel/scaleway/iam/applications.py +71 -0
cartography/intel/scaleway/iam/groups.py +71 -0
cartography/intel/scaleway/iam/users.py +71 -0
cartography/intel/scaleway/instances/__init__.py +0 -0
cartography/intel/scaleway/instances/flexibleips.py +86 -0
cartography/intel/scaleway/instances/instances.py +92 -0
cartography/intel/scaleway/projects.py +79 -0
cartography/intel/scaleway/storage/__init__.py +0 -0
cartography/intel/scaleway/storage/snapshots.py +86 -0
cartography/intel/scaleway/storage/volumes.py +84 -0
cartography/intel/scaleway/utils.py +37 -0
cartography/intel/sentinelone/__init__.py +75 -0
cartography/intel/sentinelone/account.py +140 -0
cartography/intel/sentinelone/agent.py +139 -0
cartography/intel/sentinelone/api.py +124 -0
cartography/intel/sentinelone/application.py +248 -0
cartography/intel/sentinelone/cve.py +119 -0
cartography/intel/sentinelone/utils.py +28 -0
cartography/intel/slack/__init__.py +78 -0
cartography/intel/slack/channels.py +80 -0
cartography/intel/slack/groups.py +90 -0
cartography/intel/slack/teams.py +65 -0
cartography/intel/slack/users.py +57 -0
cartography/intel/slack/utils.py +29 -0
cartography/intel/spacelift/__init__.py +161 -0
cartography/intel/spacelift/account.py +73 -0
cartography/intel/spacelift/ec2_ownership.py +280 -0
cartography/intel/spacelift/runs.py +463 -0
cartography/intel/spacelift/spaces.py +112 -0
cartography/intel/spacelift/stacks.py +119 -0
cartography/intel/spacelift/util.py +122 -0
cartography/intel/spacelift/workerpools.py +131 -0
cartography/intel/spacelift/workers.py +128 -0
cartography/intel/trivy/__init__.py +272 -0
cartography/intel/trivy/scanner.py +386 -0
cartography/models/airbyte/__init__.py +0 -0
cartography/models/airbyte/connection.py +138 -0
cartography/models/airbyte/destination.py +75 -0
cartography/models/airbyte/organization.py +19 -0
cartography/models/airbyte/source.py +75 -0
cartography/models/airbyte/stream.py +74 -0
cartography/models/airbyte/tag.py +69 -0
cartography/models/airbyte/user.py +115 -0
cartography/models/airbyte/workspace.py +46 -0
cartography/models/anthropic/apikey.py +4 -0
cartography/models/anthropic/user.py +4 -0
cartography/models/aws/acm/__init__.py +0 -0
cartography/models/aws/acm/certificate.py +75 -0
cartography/models/aws/apigateway/__init__.py +0 -0
cartography/models/aws/apigateway/apigatewaydeployment.py +74 -0
cartography/models/aws/apigateway/apigatewayintegration.py +79 -0
cartography/models/aws/apigateway/apigatewaymethod.py +74 -0
cartography/models/aws/apigatewayv2/__init__.py +0 -0
cartography/models/aws/apigatewayv2/apigatewayv2.py +53 -0
cartography/models/aws/cloudtrail/management_events.py +153 -0
cartography/models/aws/cloudtrail/trail.py +45 -0
cartography/models/aws/cloudwatch/log_metric_filter.py +79 -0
cartography/models/aws/cloudwatch/metric_alarm.py +53 -0
cartography/models/aws/codebuild/__init__.py +0 -0
cartography/models/aws/codebuild/project.py +49 -0
cartography/models/aws/cognito/__init__.py +0 -0
cartography/models/aws/cognito/identity_pool.py +70 -0
cartography/models/aws/cognito/user_pool.py +47 -0
cartography/models/aws/dynamodb/tables.py +2 -0
cartography/models/aws/ec2/instances.py +25 -1
cartography/models/aws/ec2/networkinterfaces.py +4 -0
cartography/models/aws/ec2/security_group_rules.py +109 -0
cartography/models/aws/ec2/security_groups.py +90 -0
cartography/models/aws/ec2/snapshots.py +58 -0
cartography/models/aws/ec2/subnet_instance.py +2 -0
cartography/models/aws/ec2/subnet_networkinterface.py +2 -0
cartography/models/aws/ec2/subnets.py +65 -0
cartography/models/aws/ec2/volumes.py +20 -0
cartography/models/aws/ec2/vpc.py +46 -0
cartography/models/aws/ec2/vpc_cidr.py +102 -0
cartography/models/aws/ec2/vpc_peering.py +157 -0
cartography/models/aws/ecr/__init__.py +0 -0
cartography/models/aws/ecr/image.py +146 -0
cartography/models/aws/ecr/image_layer.py +107 -0
cartography/models/aws/ecr/repository.py +72 -0
cartography/models/aws/ecr/repository_image.py +95 -0
cartography/models/aws/ecs/__init__.py +0 -0
cartography/models/aws/ecs/clusters.py +64 -0
cartography/models/aws/ecs/container_definitions.py +93 -0
cartography/models/aws/ecs/container_instances.py +84 -0
cartography/models/aws/ecs/containers.py +101 -0
cartography/models/aws/ecs/services.py +134 -0
cartography/models/aws/ecs/task_definitions.py +135 -0
cartography/models/aws/ecs/tasks.py +134 -0
cartography/models/aws/efs/access_point.py +77 -0
cartography/models/aws/efs/file_system.py +60 -0
cartography/models/aws/efs/mount_target.py +29 -2
cartography/models/aws/elasticache/__init__.py +0 -0
cartography/models/aws/elasticache/cluster.py +65 -0
cartography/models/aws/elasticache/topic.py +67 -0
cartography/models/aws/eventbridge/__init__.py +0 -0
cartography/models/aws/eventbridge/rule.py +77 -0
cartography/models/aws/eventbridge/target.py +71 -0
cartography/models/aws/glue/__init__.py +0 -0
cartography/models/aws/glue/connection.py +51 -0
cartography/models/aws/glue/job.py +69 -0
cartography/models/aws/guardduty/__init__.py +1 -0
cartography/models/aws/guardduty/detectors.py +50 -0
cartography/models/aws/guardduty/findings.py +121 -0
cartography/models/aws/iam/access_key.py +103 -0
cartography/models/aws/iam/account_role.py +24 -0
cartography/models/aws/iam/federated_principal.py +60 -0
cartography/models/aws/iam/group.py +60 -0
cartography/models/aws/iam/group_membership.py +27 -0
cartography/models/aws/iam/inline_policy.py +78 -0
cartography/models/aws/iam/managed_policy.py +51 -0
cartography/models/aws/iam/policy_statement.py +57 -0
cartography/models/aws/iam/role.py +83 -0
cartography/models/aws/iam/root_principal.py +52 -0
cartography/models/aws/iam/service_principal.py +30 -0
cartography/models/aws/iam/sts_assumerole_allow.py +38 -0
cartography/models/aws/iam/user.py +59 -0
cartography/models/aws/identitycenter/awsidentitycenter.py +1 -0
cartography/models/aws/identitycenter/awspermissionset.py +70 -0
cartography/models/aws/identitycenter/awssogroup.py +70 -0
cartography/models/aws/identitycenter/awsssouser.py +49 -9
cartography/models/aws/inspector/findings.py +37 -0
cartography/models/aws/inspector/packages.py +1 -31
cartography/models/aws/kms/__init__.py +0 -0
cartography/models/aws/kms/aliases.py +86 -0
cartography/models/aws/kms/grants.py +65 -0
cartography/models/aws/kms/keys.py +88 -0
cartography/models/aws/lambda_function/__init__.py +0 -0
cartography/models/aws/lambda_function/alias.py +74 -0
cartography/models/aws/lambda_function/event_source_mapping.py +88 -0
cartography/models/aws/lambda_function/lambda_function.py +91 -0
cartography/models/aws/lambda_function/layer.py +72 -0
cartography/models/aws/rds/__init__.py +0 -0
cartography/models/aws/rds/cluster.py +91 -0
cartography/models/aws/rds/event_subscription.py +146 -0
cartography/models/aws/rds/instance.py +156 -0
cartography/models/aws/rds/snapshot.py +108 -0
cartography/models/aws/rds/subnet_group.py +101 -0
cartography/models/aws/route53/__init__.py +0 -0
cartography/models/aws/route53/dnsrecord.py +235 -0
cartography/models/aws/route53/nameserver.py +63 -0
cartography/models/aws/route53/subzone.py +40 -0
cartography/models/aws/route53/zone.py +47 -0
cartography/models/aws/s3/notification.py +24 -0
cartography/models/aws/secretsmanager/secret.py +106 -0
cartography/models/aws/secretsmanager/secret_version.py +0 -2
cartography/models/aws/sns/topic_subscription.py +74 -0
cartography/models/aws/sqs/__init__.py +0 -0
cartography/models/aws/sqs/queue.py +89 -0
cartography/models/azure/__init__.py +0 -0
cartography/models/azure/aks_cluster.py +54 -0
cartography/models/azure/aks_nodepool.py +54 -0
cartography/models/azure/app_service.py +59 -0
cartography/models/azure/container_instance.py +57 -0
cartography/models/azure/cosmosdb/__init__.py +0 -0
cartography/models/azure/cosmosdb/account.py +77 -0
cartography/models/azure/cosmosdb/accountfailoverpolicy.py +77 -0
cartography/models/azure/cosmosdb/cassandrakeyspace.py +82 -0
cartography/models/azure/cosmosdb/cassandratable.py +81 -0
cartography/models/azure/cosmosdb/corspolicy.py +74 -0
cartography/models/azure/cosmosdb/dblocation.py +120 -0
cartography/models/azure/cosmosdb/mongodbcollection.py +82 -0
cartography/models/azure/cosmosdb/mongodbdatabase.py +78 -0
cartography/models/azure/cosmosdb/privateendpointconnection.py +81 -0
cartography/models/azure/cosmosdb/sqlcontainer.py +88 -0
cartography/models/azure/cosmosdb/sqldatabase.py +78 -0
cartography/models/azure/cosmosdb/tableresource.py +76 -0
cartography/models/azure/cosmosdb/virtualnetworkrule.py +78 -0
cartography/models/azure/data_factory/__init__.py +0 -0
cartography/models/azure/data_factory/data_factory.py +51 -0
cartography/models/azure/data_factory/data_factory_dataset.py +94 -0
cartography/models/azure/data_factory/data_factory_linked_service.py +78 -0
cartography/models/azure/data_factory/data_factory_pipeline.py +93 -0
cartography/models/azure/data_lake_filesystem.py +51 -0
cartography/models/azure/event_grid_topic.py +57 -0
cartography/models/azure/function_app.py +59 -0
cartography/models/azure/load_balancer/__init__.py +0 -0
cartography/models/azure/load_balancer/load_balancer.py +49 -0
cartography/models/azure/load_balancer/load_balancer_backend_pool.py +73 -0
cartography/models/azure/load_balancer/load_balancer_frontend_ip.py +75 -0
cartography/models/azure/load_balancer/load_balancer_inbound_nat_rule.py +78 -0
cartography/models/azure/load_balancer/load_balancer_rule.py +108 -0
cartography/models/azure/logic_apps.py +56 -0
cartography/models/azure/monitor.py +54 -0
cartography/models/azure/network_interface.py +112 -0
cartography/models/azure/network_security_group.py +50 -0
cartography/models/azure/permission_relationships.py +60 -0
cartography/models/azure/principal.py +41 -0
cartography/models/azure/public_ip_address.py +50 -0
cartography/models/azure/rbac.py +268 -0
cartography/models/azure/resource_groups.py +52 -0
cartography/models/azure/security_center.py +50 -0
cartography/models/azure/sql/__init__.py +0 -0
cartography/models/azure/sql/databasethreatdetectionpolicy.py +85 -0
cartography/models/azure/sql/elasticpool.py +77 -0
cartography/models/azure/sql/failovergroup.py +73 -0
cartography/models/azure/sql/recoverabledatabase.py +75 -0
cartography/models/azure/sql/replicationlink.py +81 -0
cartography/models/azure/sql/restorabledroppeddatabase.py +82 -0
cartography/models/azure/sql/restorepoint.py +74 -0
cartography/models/azure/sql/serveradadministrator.py +74 -0
cartography/models/azure/sql/serverdnsalias.py +71 -0
cartography/models/azure/sql/sqldatabase.py +85 -0
cartography/models/azure/sql/sqlserver.py +50 -0
cartography/models/azure/sql/transparentdataencryption.py +76 -0
cartography/models/azure/storage/__init__.py +0 -0
cartography/models/azure/storage/account.py +59 -0
cartography/models/azure/storage/blobcontainer.py +85 -0
cartography/models/azure/storage/blobservice.py +71 -0
cartography/models/azure/storage/fileservice.py +71 -0
cartography/models/azure/storage/fileshare.py +82 -0
cartography/models/azure/storage/queue.py +71 -0
cartography/models/azure/storage/queueservice.py +73 -0
cartography/models/azure/storage/table.py +72 -0
cartography/models/azure/storage/tableservice.py +73 -0
cartography/models/azure/subnet.py +101 -0
cartography/models/azure/subscription.py +47 -0
cartography/models/azure/tags/__init__.py +0 -0
cartography/models/azure/tags/storage_tag.py +40 -0
cartography/models/azure/tags/tag.py +37 -0
cartography/models/azure/tenant.py +17 -0
cartography/models/azure/virtual_network.py +49 -0
cartography/models/azure/vm/__init__.py +0 -0
cartography/models/azure/vm/datadisk.py +80 -0
cartography/models/azure/vm/disk.py +55 -0
cartography/models/azure/vm/snapshot.py +56 -0
cartography/models/azure/vm/virtualmachine.py +59 -0
cartography/models/bigfix/bigfix_computer.py +1 -1
cartography/models/cloudflare/member.py +4 -0
cartography/models/core/common.py +1 -0
cartography/models/core/nodes.py +15 -2
cartography/models/core/relationships.py +44 -0
cartography/models/crowdstrike/hosts.py +1 -1
cartography/models/digitalocean/droplet.py +2 -0
cartography/models/duo/endpoint.py +1 -1
cartography/models/duo/phone.py +2 -2
cartography/models/duo/user.py +4 -0
cartography/models/entra/app_role_assignment.py +115 -0
cartography/models/entra/application.py +49 -0
cartography/models/entra/entra_user_to_aws_sso.py +41 -0
cartography/models/entra/group.py +117 -0
cartography/models/entra/service_principal.py +104 -0
cartography/models/entra/user.py +42 -51
cartography/models/gcp/__init__.py +0 -0
cartography/models/gcp/bigtable/__init__.py +0 -0
cartography/models/gcp/bigtable/app_profile.py +94 -0
cartography/models/gcp/bigtable/backup.py +91 -0
cartography/models/gcp/bigtable/cluster.py +73 -0
cartography/models/gcp/bigtable/instance.py +52 -0
cartography/models/gcp/bigtable/table.py +69 -0
cartography/models/gcp/compute/__init__.py +0 -0
cartography/models/gcp/compute/subnet.py +74 -0
cartography/models/gcp/compute/vpc.py +50 -0
cartography/models/gcp/crm/__init__.py +0 -0
cartography/models/gcp/crm/folders.py +98 -0
cartography/models/gcp/crm/organizations.py +21 -0
cartography/models/gcp/crm/projects.py +100 -0
cartography/models/gcp/dns.py +109 -0
cartography/models/gcp/gke.py +69 -0
cartography/models/gcp/iam.py +3 -0
cartography/models/gcp/permission_relationships.py +61 -0
cartography/models/gcp/policy_bindings.py +93 -0
cartography/models/gcp/storage/__init__.py +0 -0
cartography/models/gcp/storage/bucket.py +119 -0
cartography/models/github/commits.py +63 -0
cartography/models/github/dependencies.py +73 -0
cartography/models/github/manifests.py +49 -0
cartography/models/github/users.py +10 -0
cartography/models/googleworkspace/__init__.py +0 -0
cartography/models/googleworkspace/device.py +132 -0
cartography/models/googleworkspace/group.py +382 -0
cartography/models/googleworkspace/oauth_app.py +124 -0
cartography/models/googleworkspace/tenant.py +30 -0
cartography/models/googleworkspace/user.py +113 -0
cartography/models/gsuite/__init__.py +0 -0
cartography/models/gsuite/group.py +218 -0
cartography/models/gsuite/tenant.py +29 -0
cartography/models/gsuite/user.py +107 -0
cartography/models/kandji/device.py +1 -2
cartography/models/keycloak/__init__.py +0 -0
cartography/models/keycloak/authenticationexecution.py +160 -0
cartography/models/keycloak/authenticationflow.py +54 -0
cartography/models/keycloak/client.py +179 -0
cartography/models/keycloak/group.py +101 -0
cartography/models/keycloak/identityprovider.py +89 -0
cartography/models/keycloak/organization.py +116 -0
cartography/models/keycloak/organizationdomain.py +73 -0
cartography/models/keycloak/realm.py +173 -0
cartography/models/keycloak/role.py +126 -0
cartography/models/keycloak/scope.py +73 -0
cartography/models/keycloak/user.py +55 -0
cartography/models/kubernetes/__init__.py +0 -0
cartography/models/kubernetes/clusterrolebindings.py +138 -0
cartography/models/kubernetes/clusterroles.py +52 -0
cartography/models/kubernetes/clusters.py +26 -0
cartography/models/kubernetes/containers.py +133 -0
cartography/models/kubernetes/groups.py +107 -0
cartography/models/kubernetes/namespaces.py +51 -0
cartography/models/kubernetes/oidc.py +51 -0
cartography/models/kubernetes/pods.py +80 -0
cartography/models/kubernetes/rolebindings.py +159 -0
cartography/models/kubernetes/roles.py +76 -0
cartography/models/kubernetes/secrets.py +79 -0
cartography/models/kubernetes/serviceaccounts.py +77 -0
cartography/models/kubernetes/services.py +108 -0
cartography/models/kubernetes/users.py +105 -0
cartography/models/lastpass/user.py +4 -0
cartography/models/ontology/__init__.py +0 -0
cartography/models/ontology/device.py +137 -0
cartography/models/ontology/mapping/__init__.py +76 -0
cartography/models/ontology/mapping/data/__init__.py +0 -0
cartography/models/ontology/mapping/data/apikeys.py +93 -0
cartography/models/ontology/mapping/data/computeinstance.py +95 -0
cartography/models/ontology/mapping/data/containers.py +88 -0
cartography/models/ontology/mapping/data/databases.py +182 -0
cartography/models/ontology/mapping/data/devices.py +194 -0
cartography/models/ontology/mapping/data/thirdpartyapps.py +140 -0
cartography/models/ontology/mapping/data/useraccounts.py +416 -0
cartography/models/ontology/mapping/data/users.py +63 -0
cartography/models/ontology/mapping/specs.py +85 -0
cartography/models/ontology/user.py +51 -0
cartography/models/openai/adminapikey.py +4 -0
cartography/models/openai/apikey.py +4 -0
cartography/models/openai/user.py +4 -0
cartography/models/scaleway/__init__.py +0 -0
cartography/models/scaleway/iam/__init__.py +0 -0
cartography/models/scaleway/iam/apikey.py +100 -0
cartography/models/scaleway/iam/application.py +52 -0
cartography/models/scaleway/iam/group.py +95 -0
cartography/models/scaleway/iam/user.py +64 -0
cartography/models/scaleway/instance/__init__.py +0 -0
cartography/models/scaleway/instance/flexibleip.py +52 -0
cartography/models/scaleway/instance/instance.py +120 -0
cartography/models/scaleway/organization.py +19 -0
cartography/models/scaleway/project.py +48 -0
cartography/models/scaleway/storage/__init__.py +0 -0
cartography/models/scaleway/storage/snapshot.py +78 -0
cartography/models/scaleway/storage/volume.py +51 -0
cartography/models/sentinelone/__init__.py +1 -0
cartography/models/sentinelone/account.py +40 -0
cartography/models/sentinelone/agent.py +50 -0
cartography/models/sentinelone/application.py +44 -0
cartography/models/sentinelone/application_version.py +96 -0
cartography/models/sentinelone/cve.py +73 -0
cartography/models/slack/__init__.py +0 -0
cartography/models/slack/channels.py +92 -0
cartography/models/slack/group.py +129 -0
cartography/models/slack/team.py +22 -0
cartography/models/slack/user.py +62 -0
cartography/models/snipeit/asset.py +2 -0
cartography/models/snipeit/user.py +4 -0
cartography/models/spacelift/__init__.py +0 -0
cartography/models/spacelift/cloudtrailevent.py +120 -0
cartography/models/spacelift/run.py +162 -0
cartography/models/spacelift/space.py +131 -0
cartography/models/spacelift/spaceliftaccount.py +31 -0
cartography/models/spacelift/spaceliftgitcommit.py +157 -0
cartography/models/spacelift/stack.py +96 -0
cartography/models/spacelift/user.py +63 -0
cartography/models/spacelift/worker.py +97 -0
cartography/models/spacelift/workerpool.py +90 -0
cartography/models/tailscale/device.py +2 -1
cartography/models/tailscale/user.py +6 -1
cartography/models/trivy/__init__.py +0 -0
cartography/models/trivy/findings.py +66 -0
cartography/models/trivy/fix.py +66 -0
cartography/models/trivy/package.py +71 -0
cartography/rules/README.md +1 -0
cartography/rules/__init__.py +0 -0
cartography/rules/cli.py +261 -0
cartography/rules/data/__init__.py +0 -0
cartography/rules/data/rules/__init__.py +46 -0
cartography/rules/data/rules/cloud_security_product_deactivated.py +49 -0
cartography/rules/data/rules/compute_instance_exposed.py +51 -0
cartography/rules/data/rules/database_instance_exposed.py +53 -0
cartography/rules/data/rules/delegation_boundary_modifiable.py +90 -0
cartography/rules/data/rules/identity_administration_privileges.py +100 -0
cartography/rules/data/rules/inactive_user_active_accounts.py +48 -0
cartography/rules/data/rules/malicious_npm_dependencies_shai_hulud.py +2222 -0
cartography/rules/data/rules/mfa_missing.py +46 -0
cartography/rules/data/rules/object_storage_public.py +100 -0
cartography/rules/data/rules/policy_administration_privileges.py +104 -0
cartography/rules/data/rules/unmanaged_accounts.py +43 -0
cartography/rules/data/rules/workload_identity_admin_capabilities.py +193 -0
cartography/rules/formatters.py +108 -0
cartography/rules/runners.py +216 -0
cartography/rules/spec/__init__.py +0 -0
cartography/rules/spec/model.py +267 -0
cartography/rules/spec/result.py +38 -0
cartography/sync.py +25 -5
cartography/util.py +101 -31
{cartography-0.104.0rc2.dist-info → cartography-0.123.0.dist-info}/METADATA +61 -22
cartography-0.123.0.dist-info/RECORD +856 -0
{cartography-0.104.0rc2.dist-info → cartography-0.123.0.dist-info}/entry_points.txt +1 -0
cartography/data/jobs/cleanup/aws_dns_cleanup.json +0 -65
cartography/data/jobs/cleanup/aws_import_account_access_key_cleanup.json +0 -17
cartography/data/jobs/cleanup/aws_import_ec2_security_groupinfo_cleanup.json +0 -24
cartography/data/jobs/cleanup/aws_import_groups_cleanup.json +0 -13
cartography/data/jobs/cleanup/aws_import_identity_center_cleanup.json +0 -16
cartography/data/jobs/cleanup/aws_import_lambda_cleanup.json +0 -50
cartography/data/jobs/cleanup/aws_import_principals_cleanup.json +0 -30
cartography/data/jobs/cleanup/aws_import_rds_clusters_cleanup.json +0 -23
cartography/data/jobs/cleanup/aws_import_rds_instances_cleanup.json +0 -47
cartography/data/jobs/cleanup/aws_import_rds_snapshots_cleanup.json +0 -23
cartography/data/jobs/cleanup/aws_import_roles_cleanup.json +0 -13
cartography/data/jobs/cleanup/aws_import_secrets_cleanup.json +0 -8
cartography/data/jobs/cleanup/aws_import_snapshots_cleanup.json +0 -30
cartography/data/jobs/cleanup/aws_import_users_cleanup.json +0 -8
cartography/data/jobs/cleanup/aws_import_vpc_cleanup.json +0 -23
cartography/data/jobs/cleanup/aws_import_vpc_peering_cleanup.json +0 -45
cartography/data/jobs/cleanup/aws_kms_details.json +0 -10
cartography/data/jobs/cleanup/azure_cosmosdb_cassandra_keyspace_cleanup.json +0 -25
cartography/data/jobs/cleanup/azure_cosmosdb_cors_details.json +0 -15
cartography/data/jobs/cleanup/azure_cosmosdb_mongodb_database_cleanup.json +0 -25
cartography/data/jobs/cleanup/azure_cosmosdb_sql_database_cleanup.json +0 -25
cartography/data/jobs/cleanup/azure_cosmosdb_table_resources_cleanup.json +0 -15
cartography/data/jobs/cleanup/azure_database_account_cleanup.json +0 -85
cartography/data/jobs/cleanup/azure_import_disks_cleanup.json +0 -15
cartography/data/jobs/cleanup/azure_import_snapshots_cleanup.json +0 -15
cartography/data/jobs/cleanup/azure_import_virtual_machines_cleanup.json +0 -25
cartography/data/jobs/cleanup/azure_sql_server_cleanup.json +0 -125
cartography/data/jobs/cleanup/azure_storage_account_cleanup.json +0 -95
cartography/data/jobs/cleanup/azure_subscriptions_cleanup.json +0 -14
cartography/data/jobs/cleanup/azure_tenant_cleanup.json +0 -9
cartography/data/jobs/cleanup/gcp_compute_vpc_subnet_cleanup.json +0 -35
cartography/data/jobs/cleanup/gcp_crm_folder_cleanup.json +0 -23
cartography/data/jobs/cleanup/gcp_crm_organization_cleanup.json +0 -17
cartography/data/jobs/cleanup/gcp_crm_project_cleanup.json +0 -23
cartography/data/jobs/cleanup/gcp_dns_cleanup.json +0 -29
cartography/data/jobs/cleanup/gcp_gke_cluster_cleanup.json +0 -17
cartography/data/jobs/cleanup/gcp_storage_bucket_cleanup.json +0 -29
cartography/data/jobs/cleanup/gsuite_ingest_groups_cleanup.json +0 -23
cartography/data/jobs/cleanup/gsuite_ingest_users_cleanup.json +0 -11
cartography/data/jobs/cleanup/kubernetes_import_cleanup.json +0 -70
cartography/intel/gcp/crm.py +0 -355
cartography/intel/gsuite/api.py +0 -342
cartography-0.104.0rc2.dist-info/RECORD +0 -455
/cartography/data/jobs/{analysis → scoped_analysis}/aws_s3acl_analysis.json +0 -0
/cartography/models/aws/{apigateway.py → apigateway/apigateway.py} +0 -0
/cartography/models/aws/{apigatewaycertificate.py → apigateway/apigatewaycertificate.py} +0 -0
/cartography/models/aws/{apigatewayresource.py → apigateway/apigatewayresource.py} +0 -0
/cartography/models/aws/{apigatewaystage.py → apigateway/apigatewaystage.py} +0 -0
{cartography-0.104.0rc2.dist-info → cartography-0.123.0.dist-info}/WHEEL +0 -0
{cartography-0.104.0rc2.dist-info → cartography-0.123.0.dist-info}/licenses/LICENSE +0 -0
{cartography-0.104.0rc2.dist-info → cartography-0.123.0.dist-info}/top_level.txt +0 -0

cartography/intel/aws/ecr_image_layers.py ADDED Viewed

@@ -0,0 +1,923 @@
+"""
+ECR Image Layers module - fetches and syncs detailed container image layer information.
+This is separate from the main ECR module to allow independent execution since layer
+fetching can be significantly slower than basic ECR repository/image syncing.
+"""
+import asyncio
+import json
+import logging
+from typing import Any
+from typing import Optional
+import aioboto3
+import httpx
+import neo4j
+from botocore.exceptions import ClientError
+from types_aiobotocore_ecr import ECRClient
+from cartography.client.core.tx import load
+from cartography.graph.job import GraphJob
+from cartography.models.aws.ecr.image import ECRImageSchema
+from cartography.models.aws.ecr.image_layer import ECRImageLayerSchema
+from cartography.util import timeit
+logger = logging.getLogger(__name__)
+EMPTY_LAYER_DIFF_ID = (
+    "sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef"
+)
+# Keep per-transaction memory low; each record fan-outs to many relationships.
+ECR_LAYER_BATCH_SIZE = 200
+# ECR manifest media types
+ECR_DOCKER_INDEX_MT = "application/vnd.docker.distribution.manifest.list.v2+json"
+ECR_DOCKER_MANIFEST_MT = "application/vnd.docker.distribution.manifest.v2+json"
+ECR_OCI_INDEX_MT = "application/vnd.oci.image.index.v1+json"
+ECR_OCI_MANIFEST_MT = "application/vnd.oci.image.manifest.v1+json"
+ALL_ACCEPTED = [
+    ECR_OCI_INDEX_MT,
+    ECR_DOCKER_INDEX_MT,
+    ECR_OCI_MANIFEST_MT,
+    ECR_DOCKER_MANIFEST_MT,
+]
+INDEX_MEDIA_TYPES = {ECR_OCI_INDEX_MT, ECR_DOCKER_INDEX_MT}
+INDEX_MEDIA_TYPES_LOWER = {mt.lower() for mt in INDEX_MEDIA_TYPES}
+# Media types that should be skipped when processing manifests
+SKIP_CONFIG_MEDIA_TYPE_FRAGMENTS = {"buildkit", "attestation", "in-toto"}
+def extract_repo_uri_from_image_uri(image_uri: str) -> str:
+    """
+    Extract repository URI from image URI by removing tag or digest.
+    Examples:
+        "repo@sha256:digest" -> "repo"
+        "repo:tag" -> "repo"
+        "repo" -> "repo"
+    """
+    if "@sha256:" in image_uri:
+        return image_uri.split("@", 1)[0]
+    elif ":" in image_uri:
+        return image_uri.rsplit(":", 1)[0]
+    else:
+        return image_uri
+def extract_platform_from_manifest(manifest_ref: dict) -> str:
+    """Extract platform string from manifest reference."""
+    platform_info = manifest_ref.get("platform", {})
+    return _format_platform(
+        platform_info.get("os"),
+        platform_info.get("architecture"),
+        platform_info.get("variant"),
+    )
+def _format_platform(
+    os_name: Optional[str],
+    architecture: Optional[str],
+    variant: Optional[str] = None,
+) -> str:
+    components = [os_name or "unknown", architecture or "unknown"]
+    if variant:
+        components.append(variant)
+    return "/".join(components)
+async def batch_get_manifest(
+    ecr_client: ECRClient, repo: str, image_ref: str, accepted_media_types: list[str]
+) -> tuple[dict, str]:
+    """Get image manifest using batch_get_image API."""
+    try:
+        resp = await ecr_client.batch_get_image(
+            repositoryName=repo,
+            imageIds=(
+                [{"imageDigest": image_ref}]
+                if image_ref.startswith("sha256:")
+                else [{"imageTag": image_ref}]
+            ),
+            acceptedMediaTypes=accepted_media_types,
+        )
+    except ClientError as error:
+        error_code = error.response.get("Error", {}).get("Code", "")
+        if error_code == "ImageNotFoundException":
+            logger.warning(
+                "Image %s:%s not found while fetching manifest", repo, image_ref
+            )
+            return {}, ""
+        # Fail loudly on throttling or unexpected AWS errors
+        logger.error(
+            "Failed to get manifest for %s:%s due to AWS error %s",
+            repo,
+            image_ref,
+            error_code,
+        )
+        raise
+    except Exception:
+        logger.exception(
+            "Unexpected error fetching manifest for %s:%s", repo, image_ref
+        )
+        raise
+    if not resp.get("images"):
+        logger.warning(f"No image found for {repo}:{image_ref}")
+        return {}, ""
+    manifest_json = json.loads(resp["images"][0]["imageManifest"])
+    media_type = resp["images"][0].get("imageManifestMediaType", "")
+    return manifest_json, media_type
+async def get_blob_json_via_presigned(
+    ecr_client: ECRClient,
+    repo: str,
+    digest: str,
+    http_client: httpx.AsyncClient,
+) -> dict:
+    """Download and parse JSON blob using presigned URL."""
+    try:
+        url_response = await ecr_client.get_download_url_for_layer(
+            repositoryName=repo,
+            layerDigest=digest,
+        )
+    except ClientError as error:
+        logger.error(
+            "Failed to request download URL for layer %s in repo %s: %s",
+            digest,
+            repo,
+            error.response.get("Error", {}).get("Code", "unknown"),
+        )
+        raise
+    url = url_response["downloadUrl"]
+    try:
+        response = await http_client.get(url, timeout=30.0)
+        response.raise_for_status()
+    except httpx.HTTPError as error:
+        logger.error(
+            "HTTP error downloading blob %s for repo %s: %s",
+            digest,
+            repo,
+            error,
+        )
+        raise
+    return response.json()
+async def _extract_parent_image_from_attestation(
+    ecr_client: ECRClient,
+    repo_name: str,
+    attestation_manifest_digest: str,
+    http_client: httpx.AsyncClient,
+) -> Optional[dict[str, str]]:
+    """
+    Extract parent image information from an in-toto provenance attestation.
+    This function fetches an attestation manifest, downloads its in-toto layer,
+    and extracts the parent image reference from the SLSA provenance materials.
+    :param ecr_client: ECR client for fetching manifests and layers
+    :param repo_name: ECR repository name
+    :param attestation_manifest_digest: Digest of the attestation manifest
+    :param http_client: HTTP client for downloading blobs
+    :return: Dict with parent_image_uri and parent_image_digest, or None if no parent image found
+    """
+    try:
+        attestation_manifest, _ = await batch_get_manifest(
+            ecr_client,
+            repo_name,
+            attestation_manifest_digest,
+            [ECR_OCI_MANIFEST_MT, ECR_DOCKER_MANIFEST_MT],
+        )
+        if not attestation_manifest:
+            logger.debug(
+                "No attestation manifest found for digest %s in repo %s",
+                attestation_manifest_digest,
+                repo_name,
+            )
+            return None
+        # Get the in-toto layer from the attestation manifest
+        layers = attestation_manifest.get("layers", [])
+        intoto_layer = next(
+            (
+                layer
+                for layer in layers
+                if "in-toto" in layer.get("mediaType", "").lower()
+            ),
+            None,
+        )
+        if not intoto_layer:
+            logger.debug(
+                "No in-toto layer found in attestation manifest %s",
+                attestation_manifest_digest,
+            )
+            return None
+        # Download the in-toto attestation blob
+        intoto_digest = intoto_layer.get("digest")
+        if not intoto_digest:
+            logger.debug("No digest found for in-toto layer")
+            return None
+        attestation_blob = await get_blob_json_via_presigned(
+            ecr_client,
+            repo_name,
+            intoto_digest,
+            http_client,
+        )
+        if not attestation_blob:
+            logger.debug("Failed to download attestation blob")
+            return None
+        # Extract parent image from SLSA provenance materials
+        materials = attestation_blob.get("predicate", {}).get("materials", [])
+        for material in materials:
+            uri = material.get("uri", "")
+            uri_l = uri.lower()
+            # Look for container image URIs that are NOT the dockerfile itself
+            is_container_ref = (
+                uri_l.startswith("pkg:docker/")
+                or uri_l.startswith("pkg:oci/")
+                or uri_l.startswith("oci://")
+            )
+            if is_container_ref and "dockerfile" not in uri_l:
+                digest_obj = material.get("digest", {})
+                sha256_digest = digest_obj.get("sha256")
+                if sha256_digest:
+                    return {
+                        "parent_image_uri": uri,
+                        "parent_image_digest": f"sha256:{sha256_digest}",
+                    }
+        logger.debug(
+            "No parent image found in attestation materials for %s",
+            attestation_manifest_digest,
+        )
+        return None
+    except Exception as e:
+        logger.warning(
+            "Error extracting parent image from attestation %s in repo %s: %s",
+            attestation_manifest_digest,
+            repo_name,
+            e,
+        )
+        return None
+async def _diff_ids_for_manifest(
+    ecr_client: ECRClient,
+    repo_name: str,
+    manifest_doc: dict[str, Any],
+    http_client: httpx.AsyncClient,
+    platform_hint: Optional[str],
+) -> dict[str, list[str]]:
+    config = manifest_doc.get("config", {})
+    config_media_type = config.get("mediaType", "").lower()
+    # Skip certain media types
+    if any(
+        skip_fragment in config_media_type
+        for skip_fragment in SKIP_CONFIG_MEDIA_TYPE_FRAGMENTS
+    ):
+        return {}
+    layers = manifest_doc.get("layers", [])
+    if layers and all(
+        "in-toto" in layer.get("mediaType", "").lower() for layer in layers
+    ):
+        return {}
+    cfg_digest = config.get("digest")
+    if not cfg_digest:
+        return {}
+    cfg_json = await get_blob_json_via_presigned(
+        ecr_client,
+        repo_name,
+        cfg_digest,
+        http_client,
+    )
+    if not cfg_json:
+        return {}
+    # Docker API uses inconsistent casing - check for known variations
+    rootfs = cfg_json.get("rootfs") or cfg_json.get("RootFS") or {}
+    diff_ids = rootfs.get("diff_ids") or rootfs.get("DiffIDs") or []
+    if not diff_ids:
+        return {}
+    if platform_hint:
+        platform = platform_hint
+    else:
+        # Docker API uses inconsistent casing for platform components
+        platform = _format_platform(
+            cfg_json.get("os") or cfg_json.get("OS"),
+            cfg_json.get("architecture") or cfg_json.get("Architecture"),
+            cfg_json.get("variant") or cfg_json.get("Variant"),
+        )
+    return {platform: diff_ids}
+def transform_ecr_image_layers(
+    image_layers_data: dict[str, dict[str, list[str]]],
+    image_digest_map: dict[str, str],
+    image_attestation_map: Optional[dict[str, dict[str, str]]] = None,
+    existing_properties_map: Optional[dict[str, dict[str, Any]]] = None,
+) -> tuple[list[dict], list[dict]]:
+    """
+    Transform image layer data into format suitable for Neo4j ingestion.
+    Creates linked list structure with NEXT relationships and HEAD/TAIL markers.
+    :param image_layers_data: Map of image URI to platform to diff_ids
+    :param image_digest_map: Map of image URI to image digest
+    :param image_attestation_map: Map of image URI to attestation data (parent_image_uri, parent_image_digest)
+    :param existing_properties_map: Map of image digest to existing ECRImage properties (type, architecture, etc.)
+    :return: List of layer objects ready for ingestion
+    """
+    if image_attestation_map is None:
+        image_attestation_map = {}
+    if existing_properties_map is None:
+        existing_properties_map = {}
+    layers_by_diff_id: dict[str, dict[str, Any]] = {}
+    memberships_by_digest: dict[str, dict[str, Any]] = {}
+    for image_uri, platforms in image_layers_data.items():
+        # fetch_image_layers_async guarantees every uri in image_layers_data has a digest
+        image_digest = image_digest_map[image_uri]
+        # Check if this is a manifest list
+        is_manifest_list = False
+        if image_digest in existing_properties_map:
+            image_type = existing_properties_map[image_digest].get("type")
+            is_manifest_list = image_type == "manifest_list"
+        # Skip creating layer relationships for manifest lists
+        if is_manifest_list:
+            continue
+        ordered_layers_for_image: Optional[list[str]] = None
+        for _, diff_ids in platforms.items():
+            if not diff_ids:
+                continue
+            if ordered_layers_for_image is None:
+                ordered_layers_for_image = list(diff_ids)
+            # Process each layer in the chain
+            for i, diff_id in enumerate(diff_ids):
+                # Get or create layer
+                if diff_id not in layers_by_diff_id:
+                    layers_by_diff_id[diff_id] = {
+                        "diff_id": diff_id,
+                        "is_empty": diff_id == EMPTY_LAYER_DIFF_ID,
+                        "next_diff_ids": set(),
+                        "head_image_ids": set(),
+                        "tail_image_ids": set(),
+                    }
+                layer = layers_by_diff_id[diff_id]
+                # Add NEXT relationship if not the last layer
+                if i < len(diff_ids) - 1:
+                    layer["next_diff_ids"].add(diff_ids[i + 1])
+                # Track which images this layer is HEAD or TAIL of
+                if i == 0:
+                    layer["head_image_ids"].add(image_digest)
+                if i == len(diff_ids) - 1:
+                    layer["tail_image_ids"].add(image_digest)
+        if ordered_layers_for_image:
+            membership: dict[str, Any] = {
+                "layer_diff_ids": ordered_layers_for_image,
+            }
+            # Preserve existing ECRImage properties (type, architecture, os, variant, etc.)
+            if image_digest in existing_properties_map:
+                membership.update(existing_properties_map[image_digest])
+            # Add attestation data if available for this image
+            if image_uri in image_attestation_map:
+                attestation = image_attestation_map[image_uri]
+                membership["parent_image_uri"] = attestation["parent_image_uri"]
+                membership["parent_image_digest"] = attestation["parent_image_digest"]
+                membership["from_attestation"] = True
+                membership["confidence"] = "explicit"
+            memberships_by_digest[image_digest] = membership
+    # Convert sets back to lists for Neo4j ingestion
+    layers = []
+    for layer in layers_by_diff_id.values():
+        layer_dict: dict[str, Any] = {
+            "diff_id": layer["diff_id"],
+            "is_empty": layer["is_empty"],
+        }
+        if layer["next_diff_ids"]:
+            layer_dict["next_diff_ids"] = list(layer["next_diff_ids"])
+        if layer["head_image_ids"]:
+            layer_dict["head_image_ids"] = list(layer["head_image_ids"])
+        if layer["tail_image_ids"]:
+            layer_dict["tail_image_ids"] = list(layer["tail_image_ids"])
+        layers.append(layer_dict)
+    # Reconstruct memberships list with imageDigest field
+    memberships = [
+        {"imageDigest": digest, **membership_data}
+        for digest, membership_data in memberships_by_digest.items()
+    ]
+    return layers, memberships
+@timeit
+def load_ecr_image_layers(
+    neo4j_session: neo4j.Session,
+    image_layers: list[dict],
+    region: str,
+    current_aws_account_id: str,
+    aws_update_tag: int,
+) -> None:
+    """
+    Load image layers into Neo4j.
+    Uses a conservative batch size (ECR_LAYER_LOAD_BATCH_SIZE) to avoid Neo4j
+    transaction memory limits, since layer objects can contain large arrays of
+    relationships.
+    """
+    logger.info(
+        f"Loading {len(image_layers)} image layers for region {region} into graph.",
+    )
+    load(
+        neo4j_session,
+        ECRImageLayerSchema(),
+        image_layers,
+        batch_size=ECR_LAYER_BATCH_SIZE,
+        lastupdated=aws_update_tag,
+        AWS_ID=current_aws_account_id,
+    )
+@timeit
+def load_ecr_image_layer_memberships(
+    neo4j_session: neo4j.Session,
+    memberships: list[dict[str, Any]],
+    region: str,
+    current_aws_account_id: str,
+    aws_update_tag: int,
+) -> None:
+    """
+    Load image layer memberships into Neo4j.
+    Uses a conservative batch size (ECR_LAYER_MEMBERSHIP_BATCH_SIZE) to avoid
+    Neo4j transaction memory limits, since membership objects can contain large
+    arrays of layer diff_ids.
+    """
+    load(
+        neo4j_session,
+        ECRImageSchema(),
+        memberships,
+        batch_size=ECR_LAYER_BATCH_SIZE,
+        lastupdated=aws_update_tag,
+        Region=region,
+        AWS_ID=current_aws_account_id,
+    )
+async def fetch_image_layers_async(
+    ecr_client: ECRClient,
+    repo_images_list: list[dict],
+    max_concurrent: int = 200,
+) -> tuple[dict[str, dict[str, list[str]]], dict[str, str], dict[str, dict[str, str]]]:
+    """
+    Fetch image layers for ECR images in parallel with caching and non-blocking I/O.
+    Returns:
+        - image_layers_data: Map of image URI to platform to diff_ids
+        - image_digest_map: Map of image URI to image digest
+        - image_attestation_map: Map of image URI to attestation data (parent_image_uri, parent_image_digest)
+    """
+    image_layers_data: dict[str, dict[str, list[str]]] = {}
+    image_digest_map: dict[str, str] = {}
+    image_attestation_map: dict[str, dict[str, str]] = {}
+    semaphore = asyncio.Semaphore(max_concurrent)
+    # Cache for manifest fetches keyed by (repo_name, imageDigest)
+    manifest_cache: dict[tuple[str, str], tuple[dict, str]] = {}
+    # Lock for thread-safe cache access
+    cache_lock = asyncio.Lock()
+    # In-flight requests to coalesce duplicate fetches
+    inflight: dict[tuple[str, str], asyncio.Task] = {}
+    async def _fetch_and_cache_manifest(
+        repo_name: str, digest_or_tag: str, accepted: list[str]
+    ) -> tuple[dict, str]:
+        """
+        Fetch and cache manifest with double-checked locking and in-flight coalescing.
+        """
+        key = (repo_name, digest_or_tag)
+        # Fast path: check cache without lock
+        if key in manifest_cache:
+            return manifest_cache[key]
+        # Check for existing in-flight request
+        task = inflight.get(key)
+        if task is None:
+            # Create new task for this manifest
+            async def _do() -> tuple[dict, str]:
+                # Fetch without holding the lock
+                doc, mt = await batch_get_manifest(
+                    ecr_client, repo_name, digest_or_tag, accepted
+                )
+                # Store result under lock (second check to avoid races)
+                async with cache_lock:
+                    return manifest_cache.setdefault(key, (doc, mt))
+            task = asyncio.create_task(_do())
+            inflight[key] = task
+        try:
+            return await task
+        finally:
+            # Clean up inflight entry
+            inflight.pop(key, None)
+    async def fetch_single_image_layers(
+        repo_image: dict,
+        http_client: httpx.AsyncClient,
+    ) -> Optional[
+        tuple[str, str, dict[str, list[str]], Optional[dict[str, dict[str, str]]]]
+    ]:
+        """
+        Fetch layers for a single image and extract attestation if present.
+        Returns tuple of (uri, digest, platform_layers, attestations_by_child_digest) where
+        attestations_by_child_digest maps child image digest to parent image info
+        """
+        async with semaphore:
+            # Caller guarantees these fields exist in every repo_image
+            uri = repo_image["uri"]
+            digest = repo_image["imageDigest"]
+            repo_uri = repo_image["repo_uri"]
+            # Extract repository name
+            parts = repo_uri.split("/", 1)
+            if len(parts) != 2:
+                raise ValueError(f"Unexpected ECR repository URI format: {repo_uri}")
+            repo_name = parts[1]
+            # Get manifest using optimized caching
+            doc, media_type = await _fetch_and_cache_manifest(
+                repo_name, digest, ALL_ACCEPTED
+            )
+            if not doc:
+                return None
+            manifest_media_type = (media_type or doc.get("mediaType", "")).lower()
+            platform_layers: dict[str, list[str]] = {}
+            attestation_data: Optional[dict[str, dict[str, str]]] = None
+            if doc.get("manifests") and manifest_media_type in INDEX_MEDIA_TYPES_LOWER:
+                async def _process_child_manifest(
+                    manifest_ref: dict,
+                ) -> tuple[dict[str, list[str]], Optional[tuple[str, dict[str, str]]]]:
+                    # Check if this is an attestation manifest
+                    if (
+                        manifest_ref.get("annotations", {}).get(
+                            "vnd.docker.reference.type"
+                        )
+                        == "attestation-manifest"
+                    ):
+                        # Extract which child image this attestation is for
+                        attests_child_digest = manifest_ref.get("annotations", {}).get(
+                            "vnd.docker.reference.digest"
+                        )
+                        if not attests_child_digest:
+                            return {}, None
+                        # Extract base image from attestation
+                        attestation_digest = manifest_ref.get("digest")
+                        if attestation_digest:
+                            attestation_info = (
+                                await _extract_parent_image_from_attestation(
+                                    ecr_client,
+                                    repo_name,
+                                    attestation_digest,
+                                    http_client,
+                                )
+                            )
+                            if attestation_info:
+                                # Return (attests_child_digest, parent_info) tuple
+                                return {}, (attests_child_digest, attestation_info)
+                        return {}, None
+                    child_digest = manifest_ref.get("digest")
+                    if not child_digest:
+                        return {}, None
+                    # Use optimized caching for child manifest
+                    child_doc, _ = await _fetch_and_cache_manifest(
+                        repo_name,
+                        child_digest,
+                        [ECR_OCI_MANIFEST_MT, ECR_DOCKER_MANIFEST_MT],
+                    )
+                    if not child_doc:
+                        return {}, None
+                    platform_hint = extract_platform_from_manifest(manifest_ref)
+                    diff_map = await _diff_ids_for_manifest(
+                        ecr_client,
+                        repo_name,
+                        child_doc,
+                        http_client,
+                        platform_hint,
+                    )
+                    return diff_map, None
+                # Process all child manifests in parallel
+                child_tasks = [
+                    _process_child_manifest(manifest_ref)
+                    for manifest_ref in doc.get("manifests", [])
+                ]
+                child_results = await asyncio.gather(
+                    *child_tasks, return_exceptions=True
+                )
+                # Merge results from successful child manifest processing
+                # Track attestation data by child digest for proper mapping
+                attestations_by_child_digest: dict[str, dict[str, str]] = {}
+                for result in child_results:
+                    if isinstance(result, tuple) and len(result) == 2:
+                        layer_data, attest_data = result
+                        if layer_data:
+                            platform_layers.update(layer_data)
+                        if attest_data:
+                            # attest_data is (child_digest, parent_info) tuple
+                            child_digest, parent_info = attest_data
+                            attestations_by_child_digest[child_digest] = parent_info
+                # Build attestation_data with child digest mapping
+                if attestations_by_child_digest:
+                    attestation_data = attestations_by_child_digest
+            else:
+                diff_map = await _diff_ids_for_manifest(
+                    ecr_client,
+                    repo_name,
+                    doc,
+                    http_client,
+                    None,
+                )
+                platform_layers.update(diff_map)
+            # Return if we found layers or attestation data
+            # Manifest lists may have attestation_data without platform_layers
+            if platform_layers or attestation_data:
+                return uri, digest, platform_layers, attestation_data
+            return None
+    async with httpx.AsyncClient() as http_client:
+        # Create tasks for all images
+        tasks = [
+            asyncio.create_task(
+                fetch_single_image_layers(repo_image, http_client),
+            )
+            for repo_image in repo_images_list
+        ]
+        # Process with progress logging
+        total = len(tasks)
+        logger.info(
+            f"Fetching layers for {total} images with {max_concurrent} concurrent connections..."
+        )
+        if not tasks:
+            return image_layers_data, image_digest_map, image_attestation_map
+        progress_interval = max(1, min(100, total // 10 or 1))
+        completed = 0
+        for task in asyncio.as_completed(tasks):
+            result = await task
+            completed += 1
+            if completed % progress_interval == 0 or completed == total:
+                percent = (completed / total) * 100
+                logger.info(
+                    "Fetched layer metadata for %d/%d images (%.1f%%)",
+                    completed,
+                    total,
+                    percent,
+                )
+            if result:
+                uri, digest, layer_data, attestations_by_child_digest = result
+                if not digest:
+                    raise ValueError(f"Empty digest returned for image {uri}")
+                image_layers_data[uri] = layer_data
+                image_digest_map[uri] = digest
+                if attestations_by_child_digest:
+                    # Map attestation data by child digest URIs
+                    repo_uri = extract_repo_uri_from_image_uri(uri)
+                    for (
+                        child_digest,
+                        parent_info,
+                    ) in attestations_by_child_digest.items():
+                        child_uri = f"{repo_uri}@{child_digest}"
+                        image_attestation_map[child_uri] = parent_info
+                        # Also add to digest map so transform can look up the child digest
+                        image_digest_map[child_uri] = child_digest
+    logger.info(
+        f"Successfully fetched layers for {len(image_layers_data)}/{len(repo_images_list)} images"
+    )
+    if image_attestation_map:
+        logger.info(
+            f"Found attestations with base image info for {len(image_attestation_map)} images"
+        )
+    return image_layers_data, image_digest_map, image_attestation_map
+def cleanup(neo4j_session: neo4j.Session, common_job_parameters: dict) -> None:
+    logger.debug("Running image layer cleanup job.")
+    GraphJob.from_node_schema(ECRImageLayerSchema(), common_job_parameters).run(
+        neo4j_session
+    )
+@timeit
+def sync(
+    neo4j_session: neo4j.Session,
+    aioboto3_session: aioboto3.Session,
+    regions: list[str],
+    current_aws_account_id: str,
+    update_tag: int,
+    common_job_parameters: dict,
+) -> None:
+    """
+    Sync ECR image layers. This fetches detailed layer information for ECR images
+    that already exist in the graph.
+    Prerequisites: Basic ECR data (repositories and images) must already be loaded
+    via the 'ecr' module before running this.
+    Layer fetching can be slow for accounts with many container images.
+    """
+    for region in regions:
+        logger.info(
+            "Syncing ECR image layers for region '%s' in account '%s'.",
+            region,
+            current_aws_account_id,
+        )
+        # Query for ECR images with all their existing properties to preserve during layer sync
+        query = """
+        MATCH (img:ECRImage)<-[:IMAGE]-(repo_img:ECRRepositoryImage)<-[:REPO_IMAGE]-(repo:ECRRepository)
+        MATCH (repo)<-[:RESOURCE]-(:AWSAccount {id: $AWS_ID})
+        WHERE repo.region = $Region
+        RETURN DISTINCT
+            img.digest AS digest,
+            repo_img.id AS uri,
+            repo.uri AS repo_uri,
+            img.type AS type,
+            img.architecture AS architecture,
+            img.os AS os,
+            img.variant AS variant,
+            img.attestation_type AS attestation_type,
+            img.attests_digest AS attests_digest,
+            img.media_type AS media_type,
+            img.artifact_media_type AS artifact_media_type,
+            img.child_image_digests AS child_image_digests
+        """
+        from cartography.client.core.tx import read_list_of_dicts_tx
+        ecr_images = neo4j_session.read_transaction(
+            read_list_of_dicts_tx, query, AWS_ID=current_aws_account_id, Region=region
+        )
+        # Build repo_images_list and existing_properties map
+        repo_images_list = []
+        existing_properties = {}
+        seen_digests = set()
+        for img_data in ecr_images:
+            digest = img_data["digest"]
+            image_type = img_data.get("type")
+            if digest not in seen_digests:
+                seen_digests.add(digest)
+                # Store existing properties for ALL images to preserve during updates
+                existing_properties[digest] = {
+                    "type": image_type,
+                    "architecture": img_data.get("architecture"),
+                    "os": img_data.get("os"),
+                    "variant": img_data.get("variant"),
+                    "attestation_type": img_data.get("attestation_type"),
+                    "attests_digest": img_data.get("attests_digest"),
+                    "media_type": img_data.get("media_type"),
+                    "artifact_media_type": img_data.get("artifact_media_type"),
+                    "child_image_digests": img_data.get("child_image_digests"),
+                }
+                repo_uri = img_data["repo_uri"]
+                digest_uri = f"{repo_uri}@{digest}"
+                # Fetch manifests for:
+                # - Platform-specific images (type="image") - to get their layers
+                # - Manifest lists (type="manifest_list") - to extract attestation parent image data
+                # Skip only attestations since they don't have useful layer or parent data
+                if image_type != "attestation":
+                    repo_images_list.append(
+                        {
+                            "imageDigest": digest,
+                            "uri": digest_uri,
+                            "repo_uri": repo_uri,
+                        }
+                    )
+        logger.info(
+            f"Found {len(repo_images_list)} distinct ECR image digests in graph for region {region}"
+        )
+        if not repo_images_list:
+            logger.warning(
+                f"No ECR images found in graph for region {region}. "
+                f"Run 'ecr' sync first to populate basic ECR data."
+            )
+            continue
+        # Fetch and load image layers using async ECR client
+        if repo_images_list:
+            logger.info(
+                f"Starting to fetch layers for {len(repo_images_list)} images..."
+            )
+            async def _fetch_with_async_client() -> tuple[
+                dict[str, dict[str, list[str]]],
+                dict[str, str],
+                dict[str, dict[str, str]],
+            ]:
+                async with aioboto3_session.client(
+                    "ecr", region_name=region
+                ) as ecr_client:
+                    return await fetch_image_layers_async(ecr_client, repo_images_list)
+            # Use get_event_loop() + run_until_complete() to avoid tearing down loop
+            try:
+                loop = asyncio.get_event_loop()
+            except RuntimeError:
+                # No event loop in current thread, create one
+                loop = asyncio.new_event_loop()
+                asyncio.set_event_loop(loop)
+            image_layers_data, image_digest_map, image_attestation_map = (
+                loop.run_until_complete(_fetch_with_async_client())
+            )
+            logger.info(
+                f"Successfully fetched layers for {len(image_layers_data)} images"
+            )
+            layers, memberships = transform_ecr_image_layers(
+                image_layers_data,
+                image_digest_map,
+                image_attestation_map,
+                existing_properties,
+            )
+            load_ecr_image_layers(
+                neo4j_session,
+                layers,
+                region,
+                current_aws_account_id,
+                update_tag,
+            )
+            load_ecr_image_layer_memberships(
+                neo4j_session,
+                memberships,
+                region,
+                current_aws_account_id,
+                update_tag,
+            )
+    cleanup(neo4j_session, common_job_parameters)

cartography 0.104.0rc2__py3-none-any.whl → 0.123.0__py3-none-any.whl

cartography 0.104.0rc2py3-none-any.whl → 0.123.0py3-none-any.whl