cartography 0.93.0rc1__py3-none-any.whl → 0.123.0__py3-none-any.whl

cartography/data/indexes.cypher

@@ -21,33 +21,12 @@ CREATE INDEX IF NOT EXISTS FOR (n:AWSDNSRecord) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:AWSDNSZone) ON (n.name);
 CREATE INDEX IF NOT EXISTS FOR (n:AWSDNSZone) ON (n.zoneid);
 CREATE INDEX IF NOT EXISTS FOR (n:AWSDNSZone) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSGroup) ON (n.arn);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSGroup) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:AWSInternetGateway) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:AWSInternetGateway) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:AWSIpv4CidrBlock) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:AWSIpv4CidrBlock) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:AWSIpv6CidrBlock) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:AWSIpv6CidrBlock) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSLambda) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSLambda) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSLambdaEventSourceMapping) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSLambdaEventSourceMapping) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSLambdaFunctionAlias) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSLambdaFunctionAlias) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSLambdaLayer) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSLambdaLayer) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSPeeringConnection) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSPeeringConnection) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSPolicy) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSPolicy) ON (n.name);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSPolicy) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSPolicyStatement) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSPolicyStatement) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSPrincipal) ON (n.arn);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSPrincipal) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSRole) ON (n.arn);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSRole) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:AWSTag) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:AWSTag) ON (n.key);
 CREATE INDEX IF NOT EXISTS FOR (n:AWSTag) ON (n.lastupdated);
@@ -56,20 +35,8 @@ CREATE INDEX IF NOT EXISTS FOR (n:AWSTransitGateway) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:AWSTransitGateway) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:AWSTransitGatewayAttachment) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:AWSTransitGatewayAttachment) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSUser) ON (n.arn);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSUser) ON (n.name);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSUser) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSVpc) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AWSVpc) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AccountAccessKey) ON (n.accesskeyid);
-CREATE INDEX IF NOT EXISTS FOR (n:AccountAccessKey) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:AutoScalingGroup) ON (n.arn);
 CREATE INDEX IF NOT EXISTS FOR (n:AutoScalingGroup) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:ChromeExtension) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:ChromeExtension) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:CrowdstrikeHost) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:CrowdstrikeHost) ON (n.instance_id);
-CREATE INDEX IF NOT EXISTS FOR (n:CrowdstrikeHost) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:CVE) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:CVE) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:Dependency) ON (n.id);
@@ -86,14 +53,9 @@ CREATE INDEX IF NOT EXISTS FOR (n:DODroplet) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:DODroplet) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:DOProject) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:DOProject) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:EBSSnapshot) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:EBSSnapshot) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:EC2KeyPair) ON (n.keyfingerprint);
 CREATE INDEX IF NOT EXISTS FOR (n:EC2ReservedInstance) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:EC2ReservedInstance) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:ECRImage) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:ECRImage) ON (n.digest);
-CREATE INDEX IF NOT EXISTS FOR (n:ECRImage) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:ECRRepository) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:ECRRepository) ON (n.name);
 CREATE INDEX IF NOT EXISTS FOR (n:ECRRepository) ON (n.uri);
@@ -104,21 +66,6 @@ CREATE INDEX IF NOT EXISTS FOR (n:ECRRepositoryImage) ON (n.tag);
 CREATE INDEX IF NOT EXISTS FOR (n:ECRRepositoryImage) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:ECRScanFinding) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:ECRScanFinding) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:ECSCluster) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:ECSCluster) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:ECSContainerInstance) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:ECSContainerInstance) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:ECSService) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:ECSService) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:ECSTaskDefinition) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:ECSTaskDefinition) ON (n.arn);
-CREATE INDEX IF NOT EXISTS FOR (n:ECSTaskDefinition) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:ECSTask) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:ECSTask) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:ECSContainerDefinition) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:ECSContainerDefinition) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:ECSContainer) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:ECSContainer) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:ElasticacheCluster) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:ElasticacheCluster) ON (n.arn);
 CREATE INDEX IF NOT EXISTS FOR (n:ElasticacheCluster) ON (n.lastupdated);
@@ -134,12 +81,6 @@ CREATE INDEX IF NOT EXISTS FOR (n:ESDomain) ON (n.arn);
 CREATE INDEX IF NOT EXISTS FOR (n:ESDomain) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:ESDomain) ON (n.name);
 CREATE INDEX IF NOT EXISTS FOR (n:ESDomain) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:GCPDNSZone) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:GCPDNSZone) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:GCPRecordSet) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:GCPRecordSet) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:GCPFolder) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:GCPFolder) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:GCPForwardingRule) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:GCPForwardingRule) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:GCPInstance) ON (n.id);
@@ -150,59 +91,24 @@ CREATE INDEX IF NOT EXISTS FOR (n:GCPNetworkTag) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:GCPNetworkTag) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:GCPNicAccessConfig) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:GCPNicAccessConfig) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:GCPOrganization) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:GCPOrganization) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:GCPProject) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:GCPProject) ON (n.projectnumber);
-CREATE INDEX IF NOT EXISTS FOR (n:GCPProject) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:GCPBucket) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:GCPBucket) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:GCPBucketLabel) ON (n.key);
 CREATE INDEX IF NOT EXISTS FOR (n:GCPBucketLabel) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:GCPSubnet) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:GCPSubnet) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:GCPVpc) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:GCPVpc) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:GitHubOrganization) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:GitHubOrganization) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:GitHubRepository) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:GitHubRepository) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:GitHubUser) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:GitHubUser) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:GKECluster) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:GKECluster) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:GSuiteGroup) ON (n.email);
-CREATE INDEX IF NOT EXISTS FOR (n:GSuiteGroup) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:GSuiteGroup) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:GSuiteUser) ON (n.email);
-CREATE INDEX IF NOT EXISTS FOR (n:GSuiteUser) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:GSuiteUser) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:Ip) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:Ip) ON (n.ip);
 CREATE INDEX IF NOT EXISTS FOR (n:Ip) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:IpPermissionInbound) ON (n.ruleid);
-CREATE INDEX IF NOT EXISTS FOR (n:IpPermissionInbound) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:IpPermissionsEgress) ON (n.ruleid);
-CREATE INDEX IF NOT EXISTS FOR (n:IpPermissionsEgress) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:IpRange) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:IpRange) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:IpRule) ON (n.ruleid);
-CREATE INDEX IF NOT EXISTS FOR (n:IpRule) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:JamfComputerGroup) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:JamfComputerGroup) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:KMSKey) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:KMSKey) ON (n.arn);
-CREATE INDEX IF NOT EXISTS FOR (n:KMSKey) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:KMSAlias) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:KMSAlias) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:KMSGrant) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:KMSGrant) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:LaunchConfiguration) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:LaunchConfiguration) ON (n.name);
 CREATE INDEX IF NOT EXISTS FOR (n:LaunchConfiguration) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:LoadBalancer) ON (n.dnsname);
-CREATE INDEX IF NOT EXISTS FOR (n:LoadBalancer) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:LoadBalancer) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:LoadBalancerV2) ON (n.dnsname);
 CREATE INDEX IF NOT EXISTS FOR (n:LoadBalancerV2) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:LoadBalancerV2) ON (n.lastupdated);
@@ -239,9 +145,6 @@ CREATE INDEX IF NOT EXISTS FOR (n:OCITenancy) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:OCIUser) ON (n.ocid);
 CREATE INDEX IF NOT EXISTS FOR (n:OCIUser) ON (n.name);
 CREATE INDEX IF NOT EXISTS FOR (n:OCIUser) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:Package) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:Package) ON (n.name);
-CREATE INDEX IF NOT EXISTS FOR (n:Package) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:PagerDutyEscalationPolicy) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:PagerDutyEscalationPolicy) ON (n.name);
 CREATE INDEX IF NOT EXISTS FOR (n:PagerDutyEscalationPolicy) ON (n.lastupdated);
@@ -297,8 +200,6 @@ CREATE INDEX IF NOT EXISTS FOR (n:S3Bucket) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:S3Bucket) ON (n.name);
 CREATE INDEX IF NOT EXISTS FOR (n:S3Bucket) ON (n.arn);
 CREATE INDEX IF NOT EXISTS FOR (n:S3Bucket) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:SecretsManagerSecret) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:SecretsManagerSecret) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:SecurityHub) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:SecurityHub) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:SpotlightVulnerability) ON (n.id);
@@ -307,106 +208,6 @@ CREATE INDEX IF NOT EXISTS FOR (n:SpotlightVulnerability) ON (n.host_info_local_
 CREATE INDEX IF NOT EXISTS FOR (n:SpotlightVulnerability) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:SQSQueue) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:SQSQueue) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:User) ON (n.arn);
-CREATE INDEX IF NOT EXISTS FOR (n:User) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureTenant) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureTenant) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzurePrincipal) ON (n.email);
-CREATE INDEX IF NOT EXISTS FOR (n:AzurePrincipal) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureSubscription) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureSubscription) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBAccount) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBAccount) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBLocation) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBLocation) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBCorsPolicy) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBCorsPolicy) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBAccountFailoverPolicy) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBAccountFailoverPolicy) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCDBPrivateEndpointConnection) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCDBPrivateEndpointConnection) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBVirtualNetworkRule) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBVirtualNetworkRule) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBSqlDatabase) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBSqlDatabase) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBCassandraKeyspace) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBCassandraKeyspace) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBMongoDBDatabase) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBMongoDBDatabase) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBTableResource) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBTableResource) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBSqlContainer) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBSqlContainer) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBCassandraTable) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBCassandraTable) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBMongoDBCollection) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureCosmosDBMongoDBCollection) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureStorageAccount) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureStorageAccount) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureStorageQueueService) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureStorageQueueService) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureStorageTableService) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureStorageTableService) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureStorageFileService) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureStorageFileService) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureStorageBlobService) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureStorageBlobService) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureStorageQueue) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureStorageQueue) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureStorageTable) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureStorageTable) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureStorageFileShare) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureStorageFileShare) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureStorageBlobContainer) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureStorageBlobContainer) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureSQLServer) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureSQLServer) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureServerDNSAlias) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureServerDNSAlias) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureServerADAdministrator) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureServerADAdministrator) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureRecoverableDatabase) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureRecoverableDatabase) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureRestorableDroppedDatabase) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureRestorableDroppedDatabase) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureFailoverGroup) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureFailoverGroup) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureElasticPool) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureElasticPool) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureSQLDatabase) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureSQLDatabase) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureReplicationLink) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureReplicationLink) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureDatabaseThreatDetectionPolicy) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureDatabaseThreatDetectionPolicy) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureRestorePoint) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureRestorePoint) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureTransparentDataEncryption) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureTransparentDataEncryption) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureVirtualMachine) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureVirtualMachine) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureDataDisk) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureDataDisk) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureDisk) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:AzureDisk) ON (n.lastupdated);
+CREATE INDEX IF NOT EXISTS FOR (n:UserAccount) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:AzureSnapshot) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:AzureSnapshot) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:KubernetesCluster) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:KubernetesCluster) ON (n.name);
-CREATE INDEX IF NOT EXISTS FOR (n:KubernetesCluster) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:KubernetesNamespace) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:KubernetesNamespace) ON (n.name);
-CREATE INDEX IF NOT EXISTS FOR (n:KubernetesNamespace) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:KubernetesPod) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:KubernetesPod) ON (n.name);
-CREATE INDEX IF NOT EXISTS FOR (n:KubernetesPod) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:KubernetesContainer) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:KubernetesContainer) ON (n.name);
-CREATE INDEX IF NOT EXISTS FOR (n:KubernetesContainer) ON (n.image);
-CREATE INDEX IF NOT EXISTS FOR (n:KubernetesContainer) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:KubernetesSecret) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:KubernetesSecret) ON (n.name);
-CREATE INDEX IF NOT EXISTS FOR (n:KubernetesSecret) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:KubernetesService) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:KubernetesService) ON (n.name);
-CREATE INDEX IF NOT EXISTS FOR (n:KubernetesService) ON (n.lastupdated);

cartography/data/jobs/analysis/aws_ec2_asset_exposure.json

@@ -1,12 +1,27 @@
 {
   "statements": [
   {
-    "query": "MATCH (n) where n.exposed_internet IS NOT NULL AND labels(n) IN ['AutoScalingGroup', 'EC2Instance', 'LoadBalancer', 'LoadBalancerV2'] WITH n LIMIT $LIMIT_SIZE REMOVE n.exposed_internet, n.exposed_internet_type return COUNT(*) as TotalCompleted",
+    "query": "MATCH (n:AutoScalingGroup) where n.exposed_internet IS NOT NULL WITH n LIMIT $LIMIT_SIZE REMOVE n.exposed_internet, n.exposed_internet_type",
     "iterative": true,
     "iterationsize": 1000
   },
   {
-    "query": "MATCH (:IpRange{id: '0.0.0.0/0'})-[:MEMBER_OF_IP_RULE]->(:IpPermissionInbound)-[:MEMBER_OF_EC2_SECURITY_GROUP]->(group:EC2SecurityGroup)<-[:MEMBER_OF_EC2_SECURITY_GROUP|NETWORK_INTERFACE*..2]-(instance:EC2Instance)\nWITH instance\nWHERE (instance.publicipaddress IS NOT NULL) AND (instance.exposed_internet_type IS NULL) OR (NOT 'direct' IN instance.exposed_internet_type)\nSET instance.exposed_internet = true, instance.exposed_internet_type = coalesce(instance.exposed_internet_type , []) + 'direct';",
+    "query": "MATCH (n:EC2Instance) where n.exposed_internet IS NOT NULL WITH n LIMIT $LIMIT_SIZE REMOVE n.exposed_internet, n.exposed_internet_type",
+    "iterative": true,
+    "iterationsize": 1000
+  },
+  {
+    "query": "MATCH (n:LoadBalancer) where n.exposed_internet IS NOT NULL WITH n LIMIT $LIMIT_SIZE REMOVE n.exposed_internet, n.exposed_internet_type",
+    "iterative": true,
+    "iterationsize": 1000
+  },
+  {
+    "query": "MATCH (n:LoadBalancerV2) where n.exposed_internet IS NOT NULL WITH n LIMIT $LIMIT_SIZE REMOVE n.exposed_internet, n.exposed_internet_type",
+    "iterative": true,
+    "iterationsize": 1000
+  },
+  {
+    "query": "MATCH (:IpRange{id: '0.0.0.0/0'})-[:MEMBER_OF_IP_RULE]->(:IpPermissionInbound)-[:MEMBER_OF_EC2_SECURITY_GROUP]->(group:EC2SecurityGroup)<-[:MEMBER_OF_EC2_SECURITY_GROUP|NETWORK_INTERFACE*..2]-(instance:EC2Instance) WITH instance WHERE (instance.publicipaddress IS NOT NULL) AND (instance.exposed_internet_type IS NULL OR NOT 'direct' IN instance.exposed_internet_type) SET instance.exposed_internet = true, instance.exposed_internet_type = CASE WHEN instance.exposed_internet_type IS NULL THEN ['direct'] WHEN NOT 'direct' IN instance.exposed_internet_type THEN instance.exposed_internet_type + ['direct'] ELSE instance.exposed_internet_type END;",
     "iterative": false
   },
   {

cartography/data/jobs/analysis/aws_ec2_keypair_analysis.json

@@ -22,8 +22,8 @@
             "iterative": false
         },
         {
-            "__comment__": "Attach EC2KeyPairs with matching fingerprints to eachother and set duplicate_keyfingerprint = True",
-            "query": "MATCH (k1:EC2KeyPair), (k2:EC2KeyPair) WHERE k1.id <> k2.id AND k1.keyfingerprint = k2.keyfingerprint SET k1.duplicate_keyfingerprint = True, k2.duplicate_keyfingerprint = True MERGE (k1)-[r:MATCHING_FINGERPRINT]-(k2) ON CREATE SET r.firstseen = $UPDATE_TAG SET r.lastupdated = $UPDATE_TAG return COUNT(*) as TotalCompleted",
+            "__comment__": "Attach EC2KeyPairs with matching fingerprints to each other and set duplicate_keyfingerprint = True. Use id(k1) < id(k2) to avoid Cartesian product warning and ensure O(1) comparison.",
+            "query": "MATCH (k1:EC2KeyPair) MATCH (k2:EC2KeyPair) WHERE id(k1) < id(k2) AND k1.keyfingerprint = k2.keyfingerprint SET k1.duplicate_keyfingerprint = True, k2.duplicate_keyfingerprint = True MERGE (k1)-[r:MATCHING_FINGERPRINT]-(k2) ON CREATE SET r.firstseen = $UPDATE_TAG SET r.lastupdated = $UPDATE_TAG RETURN COUNT(*) as TotalCompleted",
             "iterative": false
         }
     ]

cartography/data/jobs/analysis/gcp_compute_asset_inet_exposure.json

@@ -1,7 +1,7 @@
 {
   "statements": [
   {
-    "query": "MATCH (n) where n.exposed_internet IS NOT NULL AND labels(n) IN ['GCPInstance'] WITH n LIMIT $LIMIT_SIZE REMOVE n.exposed_internet, n.exposed_internet_type return COUNT(*) as TotalCompleted",
+    "query": "MATCH (n:GCPInstance) where n.exposed_internet IS NOT NULL WITH n LIMIT $LIMIT_SIZE REMOVE n.exposed_internet, n.exposed_internet_type",
     "iterative": true,
     "iterationsize": 1000,
     "__comment__": "Delete exposed_internet off nodes so we can start fresh"

cartography/data/jobs/analysis/keycloak_inheritance.json

@@ -0,0 +1,30 @@
+{
+  "statements": [
+    {
+        "__comment__": "Inherit group memberships from subgroups to parent groups",
+        "query": "MATCH (u:KeycloakUser)-[:MEMBER_OF]->(g:KeycloakGroup)-[:SUBGROUP_OF*1..5]->(pg:KeycloakGroup) MERGE (u)-[r:INHERITED_MEMBER_OF]->(pg) ON CREATE SET r.firstseen = $UPDATE_TAG SET r.lastupdated = $UPDATE_TAG",
+        "iterative": false
+    },
+    {
+        "__comment__": "Assign roles to users based on group memberships",
+        "query": "MATCH (u:KeycloakUser)-[:MEMBER_OF|INHERITED_MEMBER_OR]->(g:KeycloakGroup)-[:GRANTS]->(r:KeycloakRole) MERGE (u)-[r0:ASSUME_ROLE]-(r) ON CREATE SET r0.firstseen = $UPDATE_TAG SET r0.lastupdated = $UPDATE_TAG",
+        "iterative": false
+    },
+    {
+        "__comment__": "Propagate role grants to composite roles",
+        "query": "MATCH (r:KeycloakRole)-[:INCLUDES*1..5]->(c:KeycloakRole)-[:GRANTS]->(s:KeycloakScope) MERGE (r)-[r0:INDIRECT_GRANTS]-(s) ON CREATE SET r0.firstseen = $UPDATE_TAG SET r0.lastupdated = $UPDATE_TAG",
+        "iterative": false
+    },
+    {
+        "__comment__": "Identify legitimate scopes for users based on assumed roles",
+        "query": "MATCH (u:KeycloakUser)-[:ASSUME_ROLE]-(:KeycloakRole)-[:GRANTS|INDIRECT_GRANTS]->(s:KeycloakScope) MERGE (u)-[r:ASSUME_SCOPE]->(s) ON CREATE SET r.firstseen = $UPDATE_TAG SET r.lastupdated = $UPDATE_TAG",
+        "iterative": false
+    },
+    {
+        "__comment__": "Assign assumed scopes to users for orphan scopes (scopes not granted by any role)",
+        "query": "MATCH (s:KeycloakScope)<-[:RESOURCE]-(r:KeycloakRealm) MATCH (u:KeycloakUser)<-[:RESOURCE]-(r) WHERE NOT (s)<-[:GRANTS|INDIRECT_GRANTS]-(:KeycloakRole) MERGE (u)-[r0:ASSUME_SCOPE]->(s) SET r0.firstseen = $UPDATE_TAG SET r0.lastupdated = $UPDATE_TAG",
+        "iterative": false
+    }
+  ],
+  "name": "Keycloak inheritance analysis"
+}

cartography/data/jobs/cleanup/crowdstrike_import_cleanup.json

@@ -5,11 +5,6 @@
       "iterative": true,
       "iterationsize": 100
     },
-    {
-      "query": "MATCH (h:CrowdstrikeHost) WHERE h.lastupdated <> $UPDATE_TAG WITH h LIMIT $LIMIT_SIZE DETACH DELETE (h)",
-      "iterative": true,
-      "iterationsize": 100
-    },
     {
       "query": "MATCH (:CrowdstrikeFinding)<-[hc:HAS_CVE]-(:SpotlightVulnerability) WHERE hc.lastupdated <> $UPDATE_TAG WITH hc LIMIT $LIMIT_SIZE DELETE (hc)",
       "iterative": true,

cartography/data/jobs/cleanup/gcp_compute_vpc_cleanup.json

@@ -1,17 +1,5 @@
 {
   "statements": [
-    {
-      "query": "MATCH (n:GCPVpc) WHERE n.lastupdated <> $UPDATE_TAG WITH n LIMIT $LIMIT_SIZE DETACH DELETE (n)",
-      "iterative": true,
-      "iterationsize": 100,
-      "__comment__": "Delete GCP VPCs that no longer exist and detach them from all previously connected nodes."
-    },
-    {
-      "query": "MATCH (:GCPVpc)<-[r:RESOURCE]-(:GCPProject) WHERE r.lastupdated <> $UPDATE_TAG WITH r LIMIT $LIMIT_SIZE DELETE (r)",
-      "iterative": true,
-      "iterationsize": 100,
-      "__comment__": "Remove GCP VPC-to-Project relationships that are out of date."
-    },
     {
       "query": "MATCH (:GCPInstance)-[r:MEMBER_OF_GCP_VPC]->(:GCPVpc) WHERE r.lastupdated <> $UPDATE_TAG WITH r LIMIT $LIMIT_SIZE DELETE (r)",
       "iterative": true,

cartography/data/jobs/cleanup/github_repos_cleanup.json

@@ -19,6 +19,7 @@
     "iterative": true,
     "iterationsize": 100
   },
+
   {
     "query": "MATCH (:GitHubBranch)-[r:BRANCH]->(:GitHubRepository) WHERE r.lastupdated <> $UPDATE_TAG WITH r LIMIT $LIMIT_SIZE DELETE (r)",
     "iterative": true,
@@ -39,6 +40,7 @@
     "iterative": true,
     "iterationsize": 100
   },
+
   {
     "query": "MATCH (:GitHubUser)-[r:OUTSIDE_COLLAB_ADMIN]->(:GitHubRepository) WHERE r.lastupdated <> $UPDATE_TAG WITH r LIMIT $LIMIT_SIZE DELETE (r)",
     "iterative": true,
@@ -63,6 +65,31 @@
     "query": "MATCH (:GitHubUser)-[r:OUTSIDE_COLLAB_WRITE]->(:GitHubRepository) WHERE r.lastupdated <> $UPDATE_TAG WITH r LIMIT $LIMIT_SIZE DELETE (r)",
     "iterative": true,
     "iterationsize": 100
+  },
+  {
+    "query": "MATCH (:GitHubUser)-[r:DIRECT_COLLAB_ADMIN]->(:GitHubRepository) WHERE r.lastupdated <> $UPDATE_TAG WITH r LIMIT $LIMIT_SIZE DELETE (r)",
+    "iterative": true,
+    "iterationsize": 100
+  },
+  {
+    "query": "MATCH (:GitHubUser)-[r:DIRECT_COLLAB_MAINTAIN]->(:GitHubRepository) WHERE r.lastupdated <> $UPDATE_TAG WITH r LIMIT $LIMIT_SIZE DELETE (r)",
+    "iterative": true,
+    "iterationsize": 100
+  },
+  {
+    "query": "MATCH (:GitHubUser)-[r:DIRECT_COLLAB_READ]->(:GitHubRepository) WHERE r.lastupdated <> $UPDATE_TAG WITH r LIMIT $LIMIT_SIZE DELETE (r)",
+    "iterative": true,
+    "iterationsize": 100
+  },
+  {
+    "query": "MATCH (:GitHubUser)-[r:DIRECT_COLLAB_TRIAGE]->(:GitHubRepository) WHERE r.lastupdated <> $UPDATE_TAG WITH r LIMIT $LIMIT_SIZE DELETE (r)",
+    "iterative": true,
+    "iterationsize": 100
+  },
+  {
+    "query": "MATCH (:GitHubUser)-[r:DIRECT_COLLAB_WRITE]->(:GitHubRepository) WHERE r.lastupdated <> $UPDATE_TAG WITH r LIMIT $LIMIT_SIZE DELETE (r)",
+    "iterative": true,
+    "iterationsize": 100
   }],
   "name": "cleanup GitHub repos data"
 }

cartography/data/jobs/scoped_analysis/aws_ec2_iaminstanceprofile.json

@@ -0,0 +1,15 @@
+{
+    "name": "EC2 Instances assume IAM roles",
+    "statements": [
+        {
+            "__comment": "Create STS_ASSUMEROLE_ALLOW relationships from EC2 instances to the IAM roles they can assume via their iaminstanceprofiles",
+            "query":"MATCH (aa:AWSAccount{id: $AWS_ID})-[:RESOURCE]->(i:EC2Instance)-[:INSTANCE_PROFILE]->(p:AWSInstanceProfile)-[:ASSOCIATED_WITH]->(r:AWSRole)\nMERGE (i)-[s:STS_ASSUMEROLE_ALLOW]->(r)\nON CREATE SET s.firstseen = timestamp(), s.lastupdated = $UPDATE_TAG",
+            "iterative": true
+        },
+        {
+            "__comment": "Cleanup",
+            "query":"MATCH (aa:AWSAccount{id: $AWS_ID})-[:RESOURCE]->(:EC2Instance)-[s:STS_ASSUMEROLE_ALLOW]->(:AWSRole)\nWHERE s.lastupdated <> $UPDATE_TAG\nDELETE s",
+            "iterative": true
+        }
+    ]
+}

cartography/data/jobs/scoped_analysis/semgrep_sca_risk_analysis.json

@@ -13,47 +13,47 @@
         },
         {
             "__comment__": "not possible to identify if reachable && version specifier is the only flag of the vulnerability (likelihood = rare) && severity in [low, medium, high] -> Risk = Info",
-            "query": "MATCH (g:GitHubRepository{archived:false})<-[:FOUND_IN]-(s:SemgrepSCAFinding{reachability:'UNKNOWN_EXPOSURE', reachability_check:'VERSION_SPECIFIER', lastupdated:$UPDATE_TAG})<-[:RESOURCE]-(:SemgrepDeployment{id:$DEPLOYMENT_ID}) WHERE s.severity IN ['LOW', 'MEDIUM', 'HIGH'] SET s.reachability_risk = 'INFO' return COUNT(*) as TotalCompleted",
+            "query": "MATCH (g:GitHubRepository{archived:false})<-[:FOUND_IN]-(s:SemgrepSCAFinding{reachability:'UNREACHABLE', reachability_check:'NO REACHABILITY ANALYSIS', lastupdated:$UPDATE_TAG})<-[:RESOURCE]-(:SemgrepDeployment{id:$DEPLOYMENT_ID}) WHERE s.severity IN ['LOW', 'MEDIUM', 'HIGH'] SET s.reachability_risk = 'INFO' return COUNT(*) as TotalCompleted",
             "iterative": false
         },
         {
             "__comment__": "not possible to identify if reachable && version specifier is the only flag of the vulnerability (likelihood = rare) && severity = critical -> Risk = Low",
-            "query": "MATCH (g:GitHubRepository{archived:false})<-[:FOUND_IN]-(s:SemgrepSCAFinding{reachability:'UNKNOWN_EXPOSURE', reachability_check:'VERSION_SPECIFIER', lastupdated:$UPDATE_TAG})<-[:RESOURCE]-(:SemgrepDeployment{id:$DEPLOYMENT_ID}) WHERE s.severity = 'CRITICAL' SET s.reachability_risk = 'LOW' return COUNT(*) as TotalCompleted",
+            "query": "MATCH (g:GitHubRepository{archived:false})<-[:FOUND_IN]-(s:SemgrepSCAFinding{reachability:'UNREACHABLE', reachability_check:'NO REACHABILITY ANALYSIS', lastupdated:$UPDATE_TAG})<-[:RESOURCE]-(:SemgrepDeployment{id:$DEPLOYMENT_ID}) WHERE s.severity = 'CRITICAL' SET s.reachability_risk = 'LOW' return COUNT(*) as TotalCompleted",
             "iterative": false
         },
         {
-            "__comment__": "manual review required to confirm && version specifier is the only flag of the vulnerability (likelihood = possible) && severity in [low, medium] -> Risk = Low",
-            "query": "MATCH (g:GitHubRepository{archived:false})<-[:FOUND_IN]-(s:SemgrepSCAFinding{reachability:'REACHABLE', reachability_check:'MANUAL_REVIEW_REACHABLE', lastupdated:$UPDATE_TAG})<-[:RESOURCE]-(:SemgrepDeployment{id:$DEPLOYMENT_ID}) WHERE s.severity IN ['LOW', 'MEDIUM'] SET s.reachability_risk = 'LOW' return COUNT(*) as TotalCompleted",
+            "__comment__": "manual review required to confirm exploitation when conditions met && identified version is vulnerable (likelihood = possible) && severity in [low, medium] -> Risk = Low",
+            "query": "MATCH (g:GitHubRepository{archived:false})<-[:FOUND_IN]-(s:SemgrepSCAFinding{reachability:'REACHABLE', reachability_check:'CONDITIONALLY REACHABLE', lastupdated:$UPDATE_TAG})<-[:RESOURCE]-(:SemgrepDeployment{id:$DEPLOYMENT_ID}) WHERE s.severity IN ['LOW', 'MEDIUM'] SET s.reachability_risk = 'LOW' return COUNT(*) as TotalCompleted",
             "iterative": false
         },
         {
-            "__comment__": "manual review required to confirm && version specifier is the only flag of the vulnerability (likelihood = possible) && severity = high -> Risk = Medium",
-            "query": "MATCH (g:GitHubRepository{archived:false})<-[:FOUND_IN]-(s:SemgrepSCAFinding{reachability:'REACHABLE', reachability_check:'MANUAL_REVIEW_REACHABLE', lastupdated:$UPDATE_TAG})<-[:RESOURCE]-(:SemgrepDeployment{id:$DEPLOYMENT_ID}) WHERE s.severity = 'HIGH' SET s.reachability_risk = 'MEDIUM' return COUNT(*) as TotalCompleted",
+            "__comment__": "manual review required to confirm exploitation when conditions met && identified version is vulnerable (likelihood = possible) && severity = high -> Risk = Medium",
+            "query": "MATCH (g:GitHubRepository{archived:false})<-[:FOUND_IN]-(s:SemgrepSCAFinding{reachability:'REACHABLE', reachability_check:'CONDITIONALLY REACHABLE', lastupdated:$UPDATE_TAG})<-[:RESOURCE]-(:SemgrepDeployment{id:$DEPLOYMENT_ID}) WHERE s.severity = 'HIGH' SET s.reachability_risk = 'MEDIUM' return COUNT(*) as TotalCompleted",
             "iterative": false
         },
         {
-            "__comment__": "manual review required to confirm && version specifier is the only flag of the vulnerability (likelihood = possible) &&  severity = critical -> Risk = High",
-            "query": "MATCH (g:GitHubRepository{archived:false})<-[:FOUND_IN]-(s:SemgrepSCAFinding{reachability:'REACHABLE', reachability_check:'MANUAL_REVIEW_REACHABLE', lastupdated:$UPDATE_TAG})<-[:RESOURCE]-(:SemgrepDeployment{id:$DEPLOYMENT_ID}) WHERE s.severity = 'CRITICAL' SET s.reachability_risk = 'HIGH' return COUNT(*) as TotalCompleted",
+            "__comment__": "manual review required to confirm exploitation when conditions met && identified version is vulnerable (likelihood = possible) &&  severity = critical -> Risk = High",
+            "query": "MATCH (g:GitHubRepository{archived:false})<-[:FOUND_IN]-(s:SemgrepSCAFinding{reachability:'REACHABLE', reachability_check:'CONDITIONALLY REACHABLE', lastupdated:$UPDATE_TAG})<-[:RESOURCE]-(:SemgrepDeployment{id:$DEPLOYMENT_ID}) WHERE s.severity = 'CRITICAL' SET s.reachability_risk = 'HIGH' return COUNT(*) as TotalCompleted",
             "iterative": false
         },
         {
             "__comment__": "adding the vulnerable version flags it reachable (likelihood = likely) && severity in [low, medium] -> Risk = Low",
-            "query": "MATCH (g:GitHubRepository{archived:false})<-[:FOUND_IN]-(s:SemgrepSCAFinding{reachability:'REACHABLE', reachability_check:'ALWAYS_REACHABLE', lastupdated:$UPDATE_TAG})<-[:RESOURCE]-(:SemgrepDeployment{id:$DEPLOYMENT_ID}) WHERE s.severity IN ['LOW','MEDIUM'] SET s.reachability_risk = 'LOW' return COUNT(*) as TotalCompleted",
+            "query": "MATCH (g:GitHubRepository{archived:false})<-[:FOUND_IN]-(s:SemgrepSCAFinding{reachability:'REACHABLE', reachability_check:'ALWAYS REACHABLE', lastupdated:$UPDATE_TAG})<-[:RESOURCE]-(:SemgrepDeployment{id:$DEPLOYMENT_ID}) WHERE s.severity IN ['LOW','MEDIUM'] SET s.reachability_risk = 'LOW' return COUNT(*) as TotalCompleted",
             "iterative": false
         },
         {
-            "__comment__": "adding the vulnerable version flags it reachable (likelihood = likely) && severity = high -> Risk = Low",
-            "query": "MATCH (g:GitHubRepository{archived:false})<-[:FOUND_IN]-(s:SemgrepSCAFinding{reachability:'REACHABLE', reachability_check:'ALWAYS_REACHABLE', lastupdated:$UPDATE_TAG})<-[:RESOURCE]-(:SemgrepDeployment{id:$DEPLOYMENT_ID}) WHERE s.severity = 'HIGH' SET s.reachability_risk = 'MEDIUM' return COUNT(*) as TotalCompleted",
+            "__comment__": "adding the vulnerable version flags it reachable (likelihood = likely) && severity = high -> Risk = Medium",
+            "query": "MATCH (g:GitHubRepository{archived:false})<-[:FOUND_IN]-(s:SemgrepSCAFinding{reachability:'REACHABLE', reachability_check:'ALWAYS REACHABLE', lastupdated:$UPDATE_TAG})<-[:RESOURCE]-(:SemgrepDeployment{id:$DEPLOYMENT_ID}) WHERE s.severity = 'HIGH' SET s.reachability_risk = 'MEDIUM' return COUNT(*) as TotalCompleted",
             "iterative": false
         },
         {
             "__comment__": "adding the vulnerable version flags it reachable (special case for critical, if something is so critical that needs to be fixed, likelihood = likely)) && severity = critical -> Risk = Critical",
-            "query": "MATCH (g:GitHubRepository{archived:false})<-[:FOUND_IN]-(s:SemgrepSCAFinding{reachability:'REACHABLE', reachability_check:'ALWAYS_REACHABLE', lastupdated:$UPDATE_TAG})<-[:RESOURCE]-(:SemgrepDeployment{id:$DEPLOYMENT_ID}) WHERE s.severity = 'CRITICAL' SET s.reachability_risk = 'CRITICAL' return COUNT(*) as TotalCompleted",
+            "query": "MATCH (g:GitHubRepository{archived:false})<-[:FOUND_IN]-(s:SemgrepSCAFinding{reachability:'REACHABLE', reachability_check:'ALWAYS REACHABLE', lastupdated:$UPDATE_TAG})<-[:RESOURCE]-(:SemgrepDeployment{id:$DEPLOYMENT_ID}) WHERE s.severity = 'CRITICAL' SET s.reachability_risk = 'CRITICAL' return COUNT(*) as TotalCompleted",
             "iterative": false
         },
         {
             "__comment__": "if reachability analysis confirmed that is rechable (likelihood = certain) -> Risk = Severity",
-            "query": "MATCH (g:GitHubRepository{archived:false})<-[:FOUND_IN]-(s:SemgrepSCAFinding{reachability:'REACHABLE', reachability_check:'REACHABILITY', lastupdated:$UPDATE_TAG})<-[:RESOURCE]-(:SemgrepDeployment{id:$DEPLOYMENT_ID}) SET s.reachability_risk = s.severity return COUNT(*) as TotalCompleted",
+            "query": "MATCH (g:GitHubRepository{archived:false})<-[:FOUND_IN]-(s:SemgrepSCAFinding{reachability:'REACHABLE', reachability_check:'REACHABLE', lastupdated:$UPDATE_TAG})<-[:RESOURCE]-(:SemgrepDeployment{id:$DEPLOYMENT_ID}) SET s.reachability_risk = s.severity return COUNT(*) as TotalCompleted",
             "iterative": false
         },
         {

cartography/driftdetect/__main__.py

@@ -2,6 +2,5 @@ import sys
 
 import cartography.driftdetect.cli
 
-
-if __name__ == '__main__':
+if __name__ == "__main__":
     sys.exit(cartography.driftdetect.cli.main())

cartography/driftdetect/add_shortcut.py

@@ -22,7 +22,13 @@ def run_add_shortcut(config):
         logger.error("Invalid Drift Detection Directory")
         return
     try:
-        add_shortcut(FileSystem, ShortcutSchema(), config.query_directory, config.shortcut, config.filename)
+        add_shortcut(
+            FileSystem,
+            ShortcutSchema(),
+            config.query_directory,
+            config.shortcut,
+            config.filename,
+        )
     except ValidationError as err:
         msg = "Could not load shortcut file from json file {} in query directory {}.".format(
             err.messages,
@@ -48,7 +54,9 @@ def add_shortcut(storage, shortcut_serializer, query_directory, alias, filename)
     :return:
     """
     if storage.has_file(os.path.join(query_directory, alias)):
-        logger.error(f"Shortcut {alias} is the name of another File in directory {query_directory}.")
+        logger.error(
+            f"Shortcut {alias} is the name of another File in directory {query_directory}.",
+        )
         return
     shortcut_path = os.path.join(query_directory, "shortcut.json")
     shortcut_data = storage.load(shortcut_path)