cartography 0.74.0__tar.gz → 0.75.0__tar.gz

{cartography-0.74.0/cartography.egg-info → cartography-0.75.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: cartography
-Version: 0.74.0
+Version: 0.75.0
 Summary: Explore assets and their relationships across your technical infrastructure.
 Home-page: https://www.github.com/lyft/cartography
 Maintainer: Lyft

{cartography-0.74.0 → cartography-0.75.0}/cartography/data/indexes.cypher

@@ -140,6 +140,7 @@ CREATE INDEX IF NOT EXISTS FOR (n:ECSContainerInstance) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:ECSService) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:ECSService) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:ECSTaskDefinition) ON (n.id);
+CREATE INDEX IF NOT EXISTS FOR (n:ECSTaskDefinition) ON (n.arn);
 CREATE INDEX IF NOT EXISTS FOR (n:ECSTaskDefinition) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:ECSTask) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:ECSTask) ON (n.lastupdated);

{cartography-0.74.0 → cartography-0.75.0}/cartography/data/jobs/analysis/aws_ec2_asset_exposure.json

@@ -1,12 +1,12 @@
 {
   "statements": [
   {
-    "query": "MATCH (n) where EXISTS(n.exposed_internet) AND labels(n) IN ['AutoScalingGroup', 'EC2Instance', 'LoadBalancer', 'LoadBalancerV2'] WITH n LIMIT $LIMIT_SIZE REMOVE n.exposed_internet, n.exposed_internet_type return COUNT(*) as TotalCompleted",
+    "query": "MATCH (n) where n.exposed_internet IS NOT NULL AND labels(n) IN ['AutoScalingGroup', 'EC2Instance', 'LoadBalancer', 'LoadBalancerV2'] WITH n LIMIT $LIMIT_SIZE REMOVE n.exposed_internet, n.exposed_internet_type return COUNT(*) as TotalCompleted",
     "iterative": true,
     "iterationsize": 1000
   },
   {
-    "query": "MATCH (:IpRange{id: '0.0.0.0/0'})-[:MEMBER_OF_IP_RULE]->(:IpPermissionInbound)-[:MEMBER_OF_EC2_SECURITY_GROUP]->(group:EC2SecurityGroup)<-[:MEMBER_OF_EC2_SECURITY_GROUP|NETWORK_INTERFACE*..2]-(instance:EC2Instance)\nWITH instance\nWHERE (EXISTS(instance.publicipaddress)) AND (NOT EXISTS(instance.exposed_internet_type)) OR (NOT 'direct' IN instance.exposed_internet_type)\nSET instance.exposed_internet = true, instance.exposed_internet_type = coalesce(instance.exposed_internet_type , []) + 'direct';",
+    "query": "MATCH (:IpRange{id: '0.0.0.0/0'})-[:MEMBER_OF_IP_RULE]->(:IpPermissionInbound)-[:MEMBER_OF_EC2_SECURITY_GROUP]->(group:EC2SecurityGroup)<-[:MEMBER_OF_EC2_SECURITY_GROUP|NETWORK_INTERFACE*..2]-(instance:EC2Instance)\nWITH instance\nWHERE (instance.publicipaddress IS NOT NULL) AND (instance.exposed_internet_type IS NULL) OR (NOT 'direct' IN instance.exposed_internet_type)\nSET instance.exposed_internet = true, instance.exposed_internet_type = coalesce(instance.exposed_internet_type , []) + 'direct';",
     "iterative": false
   },
   {
@@ -18,15 +18,15 @@
     "iterative": false
   },
   {
-    "query": "MATCH (elb:LoadBalancer{exposed_internet: true})-[:EXPOSE]->(e:EC2Instance)\nWITH e\nWHERE (NOT EXISTS(e.exposed_internet_type)) OR (NOT 'elb' IN e.exposed_internet_type)\nSET e.exposed_internet = true, e.exposed_internet_type = coalesce(e.exposed_internet_type, []) + 'elb'",
+    "query": "MATCH (elb:LoadBalancer{exposed_internet: true})-[:EXPOSE]->(e:EC2Instance)\nWITH e\nWHERE (e.exposed_internet_type IS NULL) OR (NOT 'elb' IN e.exposed_internet_type)\nSET e.exposed_internet = true, e.exposed_internet_type = coalesce(e.exposed_internet_type, []) + 'elb'",
     "iterative": false
   },
   {
-    "query": "MATCH (elbv2:LoadBalancerV2{exposed_internet: true})-[:EXPOSE]->(e:EC2Instance)\nWITH e\nWHERE (NOT EXISTS(e.exposed_internet_type)) OR (NOT 'elbv2' IN e.exposed_internet_type)\nSET e.exposed_internet = true, e.exposed_internet_type = coalesce(e.exposed_internet_type, []) + 'elbv2'",
+    "query": "MATCH (elbv2:LoadBalancerV2{exposed_internet: true})-[:EXPOSE]->(e:EC2Instance)\nWITH e\nWHERE (e.exposed_internet_type IS NULL) OR (NOT 'elbv2' IN e.exposed_internet_type)\nSET e.exposed_internet = true, e.exposed_internet_type = coalesce(e.exposed_internet_type, []) + 'elbv2'",
     "iterative": false
   },
   {
-    "query": "MATCH (instance:EC2Instance{exposed_internet: true})-[:MEMBER_AUTO_SCALE_GROUP]->(asg:AutoScalingGroup)\nWITH distinct instance.exposed_internet_type as types, asg\nUNWIND types as type\nWITH type, asg\nWHERE NOT EXISTS(asg.exposed_internet_type) OR (NOT type IN asg.exposed_internet_type)\nSET asg.exposed_internet = true, asg.exposed_internet_type = coalesce(asg.exposed_internet_type, []) + type;",
+    "query": "MATCH (instance:EC2Instance{exposed_internet: true})-[:MEMBER_AUTO_SCALE_GROUP]->(asg:AutoScalingGroup)\nWITH distinct instance.exposed_internet_type as types, asg\nUNWIND types as type\nWITH type, asg\nWHERE asg.exposed_internet_type IS NULL OR (NOT type IN asg.exposed_internet_type)\nSET asg.exposed_internet = true, asg.exposed_internet_type = coalesce(asg.exposed_internet_type, []) + type;",
     "iterative": false
   }
 ],

{cartography-0.74.0 → cartography-0.75.0}/cartography/data/jobs/analysis/aws_ec2_keypair_analysis.json

@@ -3,12 +3,12 @@
     "statements": [
         {
             "__comment__": "Delete the attribute user_uploaded",
-            "query": "MATCH (k:EC2KeyPair) WHERE EXISTS (k.user_uploaded) REMOVE k.user_uploaded return COUNT(*) as TotalCompleted",
+            "query": "MATCH (k:EC2KeyPair) WHERE k.user_uploaded IS NOT NULL REMOVE k.user_uploaded return COUNT(*) as TotalCompleted",
             "iterative": false
         },
         {
             "__comment__": "Delete the attribute duplicate_keyfingerprint",
-            "query": "MATCH (k:EC2KeyPair) WHERE EXISTS (k.duplicate_keyfingerprint) REMOVE k.duplicate_keyfingerprint return COUNT(*) as TotalCompleted",
+            "query": "MATCH (k:EC2KeyPair) WHERE k.duplicate_keyfingerprint IS NOT NULL REMOVE k.duplicate_keyfingerprint return COUNT(*) as TotalCompleted",
             "iterative": false
         },
         {

{cartography-0.74.0 → cartography-0.75.0}/cartography/data/jobs/analysis/aws_eks_asset_exposure.json

@@ -2,7 +2,7 @@
   "statements": [
     {
       "__comment": "This is a clean-up statement to remove custom attributes",
-      "query": "MATCH (cluster:EKSCluster) WHERE EXISTS(cluster.exposed_internet) REMOVE cluster.exposed_internet return COUNT(*) as TotalCompleted",
+      "query": "MATCH (cluster:EKSCluster) WHERE cluster.exposed_internet IS NOT NULL REMOVE cluster.exposed_internet return COUNT(*) as TotalCompleted",
       "iterative": false
     },
     {

{cartography-0.74.0 → cartography-0.75.0}/cartography/data/jobs/analysis/aws_foreign_accounts.json

@@ -2,12 +2,12 @@
   "statements": [
     {
       "__comment": "This analyze AWS accounts we created and tag the ones that are foreign. Foreign accounts are ones that were not in the sync scope",
-      "query": "MATCH (foreign:AWSAccount) where NOT EXISTS(foreign.inscope) SET foreign.foreign = true",
+      "query": "MATCH (foreign:AWSAccount) where foreign.inscope IS NULL SET foreign.foreign = true",
       "iterative": false
     },
     {
       "__comment": "Remove accounts that were set with foreign and inscope. This can happen as we finish the list of sync accounts through assume role mapping and vpc peering",
-      "query": "MATCH (a:AWSAccount) where EXISTS(a.inscope) AND EXISTS(a.foreign) REMOVE a.foreign",
+      "query": "MATCH (a:AWSAccount) where a.inscope IS NOT NULL AND a.foreign IS NOT NULL REMOVE a.foreign",
       "iterative": false
     }
   ],

{cartography-0.74.0 → cartography-0.75.0}/cartography/data/jobs/analysis/gcp_compute_asset_inet_exposure.json

@@ -1,7 +1,7 @@
 {
   "statements": [
   {
-    "query": "MATCH (n) where EXISTS(n.exposed_internet) AND labels(n) IN ['GCPInstance'] WITH n LIMIT $LIMIT_SIZE REMOVE n.exposed_internet, n.exposed_internet_type return COUNT(*) as TotalCompleted",
+    "query": "MATCH (n) where n.exposed_internet IS NOT NULL AND labels(n) IN ['GCPInstance'] WITH n LIMIT $LIMIT_SIZE REMOVE n.exposed_internet, n.exposed_internet_type return COUNT(*) as TotalCompleted",
     "iterative": true,
     "iterationsize": 1000,
     "__comment__": "Delete exposed_internet off nodes so we can start fresh"
@@ -22,17 +22,17 @@
     "__comment__": "Delete stale firewall ingress relationships"
   },
   {
-    "query": "MATCH (ac:GCPNicAccessConfig)<-[:RESOURCE]-(:GCPNetworkInterface)<-[:NETWORK_INTERFACE]-(n:GCPInstance)<-[:FIREWALL_INGRESS]-(firewall_a:GCPFirewall)<-[:ALLOWED_BY]-(allow_rule:GCPIpRule{protocol:'tcp'})<-[:MEMBER_OF_IP_RULE]-(:IpRange{id:\"0.0.0.0/0\"})\nOPTIONAL MATCH (n)<-[:FIREWALL_INGRESS]-(firewall_b:GCPFirewall)<-[:DENIED_BY]-(deny_rule:GCPIpRule{protocol:'tcp'})\nWHERE exists(ac.public_ip) and (\n\tdeny_rule is NULL\n\tOR firewall_b.priority > firewall_a.priority\n\tOR NOT allow_rule.fromport IN RANGE(deny_rule.fromport, deny_rule.toport)\n\tOR NOT allow_rule.toport IN RANGE(deny_rule.fromport, deny_rule.toport)\n)\nSET n.exposed_internet = True, n.exposed_internet_type='direct'\nRETURN count(*) as TotalCompleted",
+    "query": "MATCH (ac:GCPNicAccessConfig)<-[:RESOURCE]-(:GCPNetworkInterface)<-[:NETWORK_INTERFACE]-(n:GCPInstance)<-[:FIREWALL_INGRESS]-(firewall_a:GCPFirewall)<-[:ALLOWED_BY]-(allow_rule:GCPIpRule{protocol:'tcp'})<-[:MEMBER_OF_IP_RULE]-(:IpRange{id:\"0.0.0.0/0\"})\nOPTIONAL MATCH (n)<-[:FIREWALL_INGRESS]-(firewall_b:GCPFirewall)<-[:DENIED_BY]-(deny_rule:GCPIpRule{protocol:'tcp'})\nWHERE ac.public_ip IS NOT NULL and (\n\tdeny_rule is NULL\n\tOR firewall_b.priority > firewall_a.priority\n\tOR NOT allow_rule.fromport IN RANGE(deny_rule.fromport, deny_rule.toport)\n\tOR NOT allow_rule.toport IN RANGE(deny_rule.fromport, deny_rule.toport)\n)\nSET n.exposed_internet = True, n.exposed_internet_type='direct'\nRETURN count(*) as TotalCompleted",
     "iterative": false,
     "__comment__": "Mark a GCP instance with exposed_internet = True and exposed_internet_type = 'direct' if its attached firewalls and TCP rules expose it to the internet."
   },
   {
-    "query": "MATCH (ac:GCPNicAccessConfig)<-[:RESOURCE]-(:GCPNetworkInterface)<-[:NETWORK_INTERFACE]-(n:GCPInstance)<-[:FIREWALL_INGRESS]-(firewall_a:GCPFirewall)<-[:ALLOWED_BY]-(allow_rule:GCPIpRule{protocol:'udp'})<-[:MEMBER_OF_IP_RULE]-(:IpRange{id:\"0.0.0.0/0\"})\nOPTIONAL MATCH (n)<-[:FIREWALL_INGRESS]-(firewall_b:GCPFirewall)<-[:DENIED_BY]-(deny_rule:GCPIpRule{protocol:'udp'})\nWHERE exists(ac.public_ip) and (\n\tdeny_rule is NULL\n\tOR firewall_b.priority > firewall_a.priority\n\tOR NOT allow_rule.fromport IN RANGE(deny_rule.fromport, deny_rule.toport)\n\tOR NOT allow_rule.toport IN RANGE(deny_rule.fromport, deny_rule.toport)\n)\nSET n.exposed_internet = True, n.exposed_internet_type='direct'\nRETURN count(*) as TotalCompleted",
+    "query": "MATCH (ac:GCPNicAccessConfig)<-[:RESOURCE]-(:GCPNetworkInterface)<-[:NETWORK_INTERFACE]-(n:GCPInstance)<-[:FIREWALL_INGRESS]-(firewall_a:GCPFirewall)<-[:ALLOWED_BY]-(allow_rule:GCPIpRule{protocol:'udp'})<-[:MEMBER_OF_IP_RULE]-(:IpRange{id:\"0.0.0.0/0\"})\nOPTIONAL MATCH (n)<-[:FIREWALL_INGRESS]-(firewall_b:GCPFirewall)<-[:DENIED_BY]-(deny_rule:GCPIpRule{protocol:'udp'})\nWHERE ac.public_ip IS NOT NULL and (\n\tdeny_rule is NULL\n\tOR firewall_b.priority > firewall_a.priority\n\tOR NOT allow_rule.fromport IN RANGE(deny_rule.fromport, deny_rule.toport)\n\tOR NOT allow_rule.toport IN RANGE(deny_rule.fromport, deny_rule.toport)\n)\nSET n.exposed_internet = True, n.exposed_internet_type='direct'\nRETURN count(*) as TotalCompleted",
     "iterative": false,
     "__comment__": "Mark a GCP instance with exposed_internet = True and exposed_internet_type = 'direct' if its attached firewalls and UDP rules expose it to the internet."
   },
   {
-    "query": "MATCH (ac:GCPNicAccessConfig)<-[:RESOURCE]-(:GCPNetworkInterface)<-[:NETWORK_INTERFACE]-(n:GCPInstance)<-[:FIREWALL_INGRESS]-(firewall_a:GCPFirewall)<-[:ALLOWED_BY]-(allow_rule:GCPIpRule{protocol:'all'})<-[:MEMBER_OF_IP_RULE]-(:IpRange{id:\"0.0.0.0/0\"})\nOPTIONAL MATCH (n)<-[:FIREWALL_INGRESS]-(firewall_b:GCPFirewall)<-[:DENIED_BY]-(deny_rule:GCPIpRule{protocol:'all'})\nWHERE exists(ac.public_ip) and exists(allow_rule.fromport) and exists(allow_rule.toport) and (\n\tdeny_rule is NULL\n\tOR firewall_b.priority > firewall_a.priority\n\tOR NOT allow_rule.fromport IN RANGE(deny_rule.fromport, deny_rule.toport)\n\tOR NOT allow_rule.toport IN RANGE(deny_rule.fromport, deny_rule.toport)\n)\nSET n.exposed_internet = True, n.exposed_internet_type='direct'\nRETURN count(*) as TotalCompleted",
+    "query": "MATCH (ac:GCPNicAccessConfig)<-[:RESOURCE]-(:GCPNetworkInterface)<-[:NETWORK_INTERFACE]-(n:GCPInstance)<-[:FIREWALL_INGRESS]-(firewall_a:GCPFirewall)<-[:ALLOWED_BY]-(allow_rule:GCPIpRule{protocol:'all'})<-[:MEMBER_OF_IP_RULE]-(:IpRange{id:\"0.0.0.0/0\"})\nOPTIONAL MATCH (n)<-[:FIREWALL_INGRESS]-(firewall_b:GCPFirewall)<-[:DENIED_BY]-(deny_rule:GCPIpRule{protocol:'all'})\nWHERE ac.public_ip IS NOT NULL and allow_rule.fromport IS NOT NULL and allow_rule.toport IS NOT NULL and (\n\tdeny_rule is NULL\n\tOR firewall_b.priority > firewall_a.priority\n\tOR NOT allow_rule.fromport IN RANGE(deny_rule.fromport, deny_rule.toport)\n\tOR NOT allow_rule.toport IN RANGE(deny_rule.fromport, deny_rule.toport)\n)\nSET n.exposed_internet = True, n.exposed_internet_type='direct'\nRETURN count(*) as TotalCompleted",
     "iterative": false,
     "__comment__": "Mark a GCP instance with exposed_internet = True and exposed_internet_type = 'direct' if its attached firewalls and ALL rules expose it to the internet."
   }

{cartography-0.74.0 → cartography-0.75.0}/cartography/data/jobs/analysis/gcp_gke_asset_exposure.json

@@ -2,7 +2,7 @@
   "statements": [
     {
       "__comment": "This is a clean-up statement to remove custom attributes",
-      "query": "MATCH (cluster:GKECluster) WHERE EXISTS(cluster.exposed_internet) REMOVE cluster.exposed_internet return COUNT(*) as TotalCompleted",
+      "query": "MATCH (cluster:GKECluster) WHERE cluster.exposed_internet IS NOT NULL REMOVE cluster.exposed_internet return COUNT(*) as TotalCompleted",
       "iterative": false
     },
     {

cartography-0.75.0/cartography/data/jobs/analysis/gcp_gke_basic_auth.json

@@ -0,0 +1,15 @@
+{
+  "statements": [
+    {
+      "__comment": "This is a clean-up statement to remove custom attributes",
+      "query": "MATCH (cluster:GKECluster) WHERE cluster.basic_auth IS NOT NULL REMOVE cluster.basic_auth return COUNT(*) as TotalCompleted",
+      "iterative": false
+    },
+    {
+      "__comment": "This sets the basic_auth attribute",
+      "query": "MATCH (cluster:GKECluster) WHERE (cluster.masterauth_username IS NOT NULL AND NOT cluster.masterauth_username = '') AND (cluster.masterauth_password IS NOT NULL AND NOT cluster.masterauth.password = '') SET cluster.basic_auth = true",
+      "iterative": false
+    }
+  ],
+  "name": "GCP GKE basic authentication exposure"
+}

{cartography-0.74.0 → cartography-0.75.0}/cartography/data/jobs/cleanup/aws_apigateway_details.json

@@ -1,7 +1,7 @@
 {
   "statements": [
     {
-      "query": "MATCH (:AWSAccount{id: $AWS_ID})-[:RESOURCE]->(s:RestAPI) WHERE EXISTS(s.anonymous_access)\n WITH s LIMIT $LIMIT_SIZE\nREMOVE s.anonymous_access, s.anonymous_actions",
+      "query": "MATCH (:AWSAccount{id: $AWS_ID})-[:RESOURCE]->(s:RestAPI) WHERE s.anonymous_access IS NOT NULL\n WITH s LIMIT $LIMIT_SIZE\nREMOVE s.anonymous_access, s.anonymous_actions",
       "iterative": true,
       "iterationsize": 100
     }

{cartography-0.74.0 → cartography-0.75.0}/cartography/data/jobs/cleanup/aws_kms_details.json

@@ -1,7 +1,7 @@
 {
   "statements": [
     {
-      "query": "MATCH (:AWSAccount{id: $AWS_ID})-[:RESOURCE]->(s:KMSKey) WHERE EXISTS(s.anonymous_access)\n WITH s LIMIT $LIMIT_SIZE\nREMOVE s.anonymous_access, s.anonymous_actions",
+      "query": "MATCH (:AWSAccount{id: $AWS_ID})-[:RESOURCE]->(s:KMSKey) WHERE s.anonymous_access IS NOT NULL\n WITH s LIMIT $LIMIT_SIZE\nREMOVE s.anonymous_access, s.anonymous_actions",
       "iterative": true,
       "iterationsize": 100
     }

{cartography-0.74.0 → cartography-0.75.0}/cartography/data/jobs/cleanup/aws_s3_details.json

@@ -1,7 +1,7 @@
 {
   "statements": [
     {
-      "query": "MATCH (:AWSAccount{id: $AWS_ID})-[:RESOURCE]->(s:S3Bucket) WHERE EXISTS(s.anonymous_access)\n WITH s LIMIT $LIMIT_SIZE\nREMOVE s.anonymous_access, s.anonymous_actions",
+      "query": "MATCH (:AWSAccount{id: $AWS_ID})-[:RESOURCE]->(s:S3Bucket) WHERE s.anonymous_access IS NOT NULL\n WITH s LIMIT $LIMIT_SIZE\nREMOVE s.anonymous_access, s.anonymous_actions",
       "iterative": true,
       "iterationsize": 100
     }

{cartography-0.74.0 → cartography-0.75.0}/cartography/graph/querybuilder.py

@@ -109,6 +109,28 @@ def _build_match_clause(matcher: TargetNodeMatcher) -> str:
     return ', '.join(match.safe_substitute(Key=key, PropRef=prop_ref) for key, prop_ref in matcher_asdict.items())
 
 
+def _build_where_clause_for_rel_match(node_var: str, matcher: TargetNodeMatcher) -> str:
+    """
+    Same as _build_match_clause, but puts the matching logic in a WHERE clause.
+    This is intended specifically to use for joining with relationships where we need a case-insensitive match.
+    :param matcher: A TargetNodeMatcher object
+    :return: a Neo4j where clause
+    """
+    match = Template("$node_var.$key = $prop_ref")
+    case_insensitive_match = Template("toLower($node_var.$key) = toLower($prop_ref)")
+
+    matcher_asdict = asdict(matcher)
+
+    result = []
+    for key, prop_ref in matcher_asdict.items():
+        if prop_ref.ignore_case:
+            prop_line = case_insensitive_match.safe_substitute(node_var=node_var, key=key, prop_ref=prop_ref)
+        else:
+            prop_line = match.safe_substitute(node_var=node_var, key=key, prop_ref=prop_ref)
+        result.append(prop_line)
+    return ' AND\n'.join(result)
+
+
 def _asdict_with_validate_relprops(link: CartographyRelSchema) -> Dict[str, PropertyRef]:
     """
     Give a helpful error message when forgetting to put `()` when instantiating a CartographyRelSchema, as this
@@ -146,6 +168,7 @@ def _build_attach_sub_resource_statement(sub_resource_link: Optional[Cartography
 
     sub_resource_attach_template = Template(
         """
+        WITH i, item
         OPTIONAL MATCH (j:$SubResourceLabel{$MatchClause})
         WITH i, item, j WHERE j IS NOT NULL
         $RelMergeClause
@@ -192,7 +215,9 @@ def _build_attach_additional_links_statement(
     additional_links_template = Template(
         """
         WITH i, item
-        OPTIONAL MATCH ($node_var:$AddlLabel{$MatchClause})
+        OPTIONAL MATCH ($node_var:$AddlLabel)
+        WHERE
+            $WhereClause
         WITH i, item, $node_var WHERE $node_var IS NOT NULL
         $RelMerge
         ON CREATE SET $rel_var.firstseen = timestamp()
@@ -220,7 +245,7 @@ def _build_attach_additional_links_statement(
 
         additional_ref = additional_links_template.safe_substitute(
             AddlLabel=link.target_node_label,
-            MatchClause=_build_match_clause(link.target_node_matcher),
+            WhereClause=_build_where_clause_for_rel_match(node_var, link.target_node_matcher),
             node_var=node_var,
             rel_var=rel_var,
             RelMerge=rel_merge,
@@ -259,7 +284,6 @@ def _build_attach_relationships_statement(
         """
         WITH i, item
         CALL {
-            WITH i, item
             $attach_relationships_statement
         }
         """,

{cartography-0.74.0 → cartography-0.75.0}/cartography/graph/statement.py

@@ -4,6 +4,7 @@ import os
 from pathlib import Path
 from typing import Any
 from typing import Dict
+from typing import Optional
 from typing import Union
 
 import neo4j
@@ -40,8 +41,13 @@ class GraphStatement:
     """
 
     def __init__(
-        self, query: str, parameters: Dict = None, iterative: bool = False, iterationsize: int = 0,
-        parent_job_name: str = None, parent_job_sequence_num: int = None,
+            self,
+            query: str,
+            parameters: Optional[Dict[Any, Any]] = None,
+            iterative: bool = False,
+            iterationsize: int = 0,
+            parent_job_name: Optional[str] = None,
+            parent_job_sequence_num: Optional[int] = None,
     ):
         self.query = query
         self.parameters = parameters or {}
@@ -122,7 +128,12 @@ class GraphStatement:
             result.consume()
 
     @classmethod
-    def create_from_json(cls, json_obj: Dict, short_job_name: str = None, job_sequence_num: int = None):
+    def create_from_json(
+            cls,
+            json_obj: Dict[str, Any],
+            short_job_name: Optional[str] = None,
+            job_sequence_num: Optional[int] = None,
+    ):
         """
         Create a statement from a JSON blob.
         """

{cartography-0.74.0 → cartography-0.75.0}/cartography/intel/aws/apigateway.py

@@ -171,7 +171,7 @@ def _load_apigateway_policies(
 def _set_default_values(neo4j_session: neo4j.Session, aws_account_id: str) -> None:
     set_defaults = """
     MATCH (:AWSAccount{id: $AWS_ID})-[:RESOURCE]->(restApi:APIGatewayRestAPI)
-    where NOT EXISTS(restApi.anonymous_actions)
+    where restApi.anonymous_actions IS NULL
     SET restApi.anonymous_access = false, restApi.anonymous_actions = []
     """
 

{cartography-0.74.0 → cartography-0.75.0}/cartography/intel/aws/ecs.py

@@ -91,16 +91,16 @@ def get_ecs_services(cluster_arn: str, boto3_session: boto3.session.Session, reg
 
 @timeit
 @aws_handle_regions
-def get_ecs_task_definitions(boto3_session: boto3.session.Session, region: str) -> List[Dict[str, Any]]:
+def get_ecs_task_definitions(
+    boto3_session: boto3.session.Session,
+    region: str,
+    tasks: List[Dict[str, Any]],
+) -> List[Dict[str, Any]]:
     client = boto3_session.client('ecs', region_name=region)
-    paginator = client.get_paginator('list_task_definitions')
     task_definitions: List[Dict[str, Any]] = []
-    task_definition_arns: List[str] = []
-    for page in paginator.paginate():
-        task_definition_arns.extend(page.get('taskDefinitionArns', []))
-    for arn in task_definition_arns:
+    for task in tasks:
         task_definition = client.describe_task_definition(
-            taskDefinition=arn,
+            taskDefinition=task['taskDefinitionArn'],
         )
         task_definitions.append(task_definition['taskDefinition'])
     return task_definitions
@@ -294,7 +294,8 @@ def load_ecs_task_definitions(
     UNWIND $Definitions AS def
         MERGE (d:ECSTaskDefinition{id: def.taskDefinitionArn})
         ON CREATE SET d.firstseen = timestamp()
-        SET d.arn = def.taskDefinitionArn, d.region = $Region,
+        SET d.arn = def.taskDefinitionArn,
+            d.region = $Region,
             d.family = def.family,
             d.task_role_arn = def.taskRoleArn,
             d.execution_role_arn = def.executionRoleArn,
@@ -317,6 +318,11 @@ def load_ecs_task_definitions(
             d.ephemeral_storage_size_in_gib = def.ephemeralStorage.sizeInGiB,
             d.lastupdated = $aws_update_tag
         WITH d
+        MATCH (task:ECSTask{task_definition_arn: d.arn})
+        MERGE (task)-[r:HAS_TASK_DEFINITION]->(d)
+        ON CREATE SET r.firstseen = timestamp()
+        SET r.lastupdated = $aws_update_tag
+        WITH d
         MATCH (owner:AWSAccount{id: $AWS_ACCOUNT_ID})
         MERGE (owner)-[r:RESOURCE]->(d)
         ON CREATE SET r.firstseen = timestamp()
@@ -565,17 +571,6 @@ def sync(
                 current_aws_account_id,
                 update_tag,
             )
-            task_definitions = get_ecs_task_definitions(
-                boto3_session,
-                region,
-            )
-            load_ecs_task_definitions(
-                neo4j_session,
-                task_definitions,
-                region,
-                current_aws_account_id,
-                update_tag,
-            )
             services = get_ecs_services(
                 cluster_arn,
                 boto3_session,
@@ -602,4 +597,16 @@ def sync(
                 current_aws_account_id,
                 update_tag,
             )
+            task_definitions = get_ecs_task_definitions(
+                boto3_session,
+                region,
+                tasks,
+            )
+            load_ecs_task_definitions(
+                neo4j_session,
+                task_definitions,
+                region,
+                current_aws_account_id,
+                update_tag,
+            )
     cleanup_ecs(neo4j_session, common_job_parameters)

{cartography-0.74.0 → cartography-0.75.0}/cartography/intel/aws/iam.py

@@ -309,11 +309,15 @@ def load_roles(
     neo4j_session: neo4j.Session, roles: List[Dict], current_aws_account_id: str, aws_update_tag: int,
 ) -> None:
     ingest_role = """
-    MERGE (rnode:AWSRole{arn: $Arn})
-    ON CREATE SET rnode:AWSPrincipal, rnode.roleid = $RoleId, rnode.firstseen = timestamp(),
-    rnode.createdate = $CreateDate
-    ON MATCH SET rnode.name = $RoleName, rnode.path = $Path
-    SET rnode.lastupdated = $aws_update_tag
+    MERGE (rnode:AWSPrincipal{arn: $Arn})
+    ON CREATE SET rnode.firstseen = timestamp()
+    SET
+        rnode:AWSRole,
+        rnode.roleid = $RoleId,
+        rnode.createdate = $CreateDate,
+        rnode.name = $RoleName,
+        rnode.path = $Path,
+        rnode.lastupdated = $aws_update_tag
     WITH rnode
     MATCH (aa:AWSAccount{id: $AWS_ACCOUNT_ID})
     MERGE (aa)-[r:RESOURCE]->(rnode)

{cartography-0.74.0 → cartography-0.75.0}/cartography/intel/aws/kms.py

@@ -189,7 +189,7 @@ def _load_kms_key_policies(neo4j_session: neo4j.Session, policies: List[Dict], u
 
 def _set_default_values(neo4j_session: neo4j.Session, aws_account_id: str) -> None:
     set_defaults = """
-    MATCH (:AWSAccount{id: $AWS_ID})-[:RESOURCE]->(kmskey:KMSKey) where NOT EXISTS(kmskey.anonymous_actions)
+    MATCH (:AWSAccount{id: $AWS_ID})-[:RESOURCE]->(kmskey:KMSKey) where kmskey.anonymous_actions IS NULL
     SET kmskey.anonymous_access = false, kmskey.anonymous_actions = []
     """
 

{cartography-0.74.0 → cartography-0.75.0}/cartography/intel/aws/s3.py

@@ -345,7 +345,7 @@ def _load_s3_public_access_block(
     MATCH (s:S3Bucket) where s.name = public_access_block.bucket
     SET s.block_public_acls = public_access_block.block_public_acls,
         s.ignore_public_acls = public_access_block.ignore_public_acls,
-        s.block_public_acls = public_access_block.block_public_acls,
+        s.block_public_policy = public_access_block.block_public_policy,
         s.restrict_public_buckets = public_access_block.restrict_public_buckets,
         s.lastupdated = $UpdateTag
     """
@@ -359,7 +359,7 @@ def _load_s3_public_access_block(
 
 def _set_default_values(neo4j_session: neo4j.Session, aws_account_id: str) -> None:
     set_defaults = """
-    MATCH (:AWSAccount{id: $AWS_ID})-[:RESOURCE]->(s:S3Bucket) where NOT EXISTS(s.anonymous_actions)
+    MATCH (:AWSAccount{id: $AWS_ID})-[:RESOURCE]->(s:S3Bucket) where s.anonymous_actions IS NULL
     SET s.anonymous_access = false, s.anonymous_actions = []
     """
     neo4j_session.run(
@@ -368,7 +368,7 @@ def _set_default_values(neo4j_session: neo4j.Session, aws_account_id: str) -> No
     )
 
     set_encryption_defaults = """
-    MATCH (:AWSAccount{id: $AWS_ID})-[:RESOURCE]->(s:S3Bucket) where NOT EXISTS(s.default_encryption)
+    MATCH (:AWSAccount{id: $AWS_ID})-[:RESOURCE]->(s:S3Bucket) where s.default_encryption IS NULL
     SET s.default_encryption = false
     """
     neo4j_session.run(

{cartography-0.74.0 → cartography-0.75.0}/cartography/intel/azure/util/credentials.py

@@ -19,8 +19,13 @@ AUTHORITY_HOST_URI = 'https://login.microsoftonline.com'
 class Credentials:
 
     def __init__(
-        self, arm_credentials: Any, aad_graph_credentials: Any, tenant_id: str = None, subscription_id: str = None,
-        context: adal.AuthenticationContext = None, current_user: str = None,
+            self,
+            arm_credentials: Any,
+            aad_graph_credentials: Any,
+            tenant_id: Optional[str] = None,
+            subscription_id: Optional[str] = None,
+            context: Optional[adal.AuthenticationContext] = None,
+            current_user: Optional[str] = None,
     ) -> None:
         self.arm_credentials = arm_credentials  # Azure Resource Manager API credentials
         self.aad_graph_credentials = aad_graph_credentials  # Azure AD Graph API credentials
@@ -129,7 +134,12 @@ class Authenticator:
 
             raise e
 
-    def authenticate_sp(self, tenant_id: str = None, client_id: str = None, client_secret: str = None) -> Credentials:
+    def authenticate_sp(
+            self,
+            tenant_id: Optional[str] = None,
+            client_id: Optional[str] = None,
+            client_secret: Optional[str] = None,
+    ) -> Credentials:
         """
         Implements authentication for the Azure provider
         """

{cartography-0.74.0 → cartography-0.75.0}/cartography/intel/oci/iam.py

@@ -316,7 +316,7 @@ def sync_policies(
             "Syncing OCI policies for compartment '%s' in account '%s'.", compartment['ocid'], current_tenancy_id,
         )
         data = get_policy_list_data(iam, compartment["ocid"])
-        if(data["Policies"]):
+        if (data["Policies"]):
             load_policies(neo4j_session, data["Policies"], current_tenancy_id, oci_update_tag)
     run_cleanup_job('oci_import_policies_cleanup.json', neo4j_session, common_job_parameters)
 

{cartography-0.74.0 → cartography-0.75.0}/cartography/models/core/common.py

@@ -8,7 +8,7 @@ class PropertyRef:
     (PropertyRef.set_in_kwargs=True).
     """
 
-    def __init__(self, name: str, set_in_kwargs=False, extra_index=False):
+    def __init__(self, name: str, set_in_kwargs=False, extra_index=False, ignore_case=False):
         """
         :param name: The name of the property
         :param set_in_kwargs: Optional. If True, the property is not defined on the data dict, and we expect to find the
@@ -22,10 +22,22 @@ class PropertyRef:
             `ensure_indexes()`.
           - All properties included in target node matchers will always have indexes created for them.
             Defaults to False.
+        :param ignore_case: If True, performs a case-insensitive match when comparing the value of this property during
+        relationship creation. Defaults to False. This only has effect as part of a TargetNodeMatcher, and this is not
+        supported for the sub resource relationship.
+            Example on why you would set this to True:
+            GitHub usernames can have both uppercase and lowercase characters, but GitHub itself treats usernames as
+            case-insensitive. Suppose your company's internal personnel database stores GitHub usernames all as
+            lowercase. If you wanted to map your company's employees to their GitHub identities, you would need to
+            perform a case-insensitive match between your company's record of a user's GitHub username and your
+            cartography catalog of GitHubUser nodes. Therefore, you would need `ignore_case=True` in the PropertyRef
+            that points to the GitHubUser node's name field, otherwise if one of your employees' GitHub usernames
+            contains capital letters, you would not be able to map them properly to a GitHubUser node in your graph.
         """
         self.name = name
         self.set_in_kwargs = set_in_kwargs
         self.extra_index = extra_index
+        self.ignore_case = ignore_case
 
     def _parameterize_name(self) -> str:
         return f"${self.name}"

{cartography-0.74.0 → cartography-0.75.0/cartography.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: cartography
-Version: 0.74.0
+Version: 0.75.0
 Summary: Explore assets and their relationships across your technical infrastructure.
 Home-page: https://www.github.com/lyft/cartography
 Maintainer: Lyft

{cartography-0.74.0 → cartography-0.75.0}/setup.py

@@ -1,7 +1,7 @@
 from setuptools import find_packages
 from setuptools import setup
 
-__version__ = '0.74.0'
+__version__ = '0.75.0'
 
 
 setup(

cartography-0.74.0/cartography/data/jobs/analysis/gcp_gke_basic_auth.json

@@ -1,15 +0,0 @@
-{
-  "statements": [
-    {
-      "__comment": "This is a clean-up statement to remove custom attributes",
-      "query": "MATCH (cluster:GKECluster) WHERE EXISTS(cluster.basic_auth) REMOVE cluster.basic_auth return COUNT(*) as TotalCompleted",
-      "iterative": false
-    },
-    {
-      "__comment": "This sets the basic_auth attribute",
-      "query": "MATCH (cluster:GKECluster) WHERE (EXISTS(cluster.masterauth_username) AND NOT cluster.masterauth_username = '') AND (EXISTS(cluster.masterauth_password) AND NOT cluster.masterauth.password = '') SET cluster.basic_auth = true",
-      "iterative": false
-    }
-  ],
-  "name": "GCP GKE basic authentication exposure"
-}