cartography 0.96.0rc1__py3-none-any.whl → 0.96.0rc2__py3-none-any.whl

cartography/cli.py

@@ -9,6 +9,7 @@ import cartography.config
 import cartography.sync
 import cartography.util
 from cartography.intel.aws.util.common import parse_and_validate_aws_requested_syncs
+from cartography.intel.semgrep.dependencies import parse_and_validate_semgrep_ecosystems
 
 
 logger = logging.getLogger(__name__)
@@ -524,6 +525,17 @@ class CLI:
                 'Required if you are using the Semgrep intel module. Ignored otherwise.'
             ),
         )
+        parser.add_argument(
+            '--semgrep-dependency-ecosystems',
+            type=str,
+            default=None,
+            help=(
+                'Comma-separated list of language ecosystems for which dependencies will be retrieved from Semgrep. '
+                'For example, a value of "gomod,npm" will retrieve Go and NPM dependencies. '
+                'See the full list of supported ecosystems in source code at cartography.intel.semgrep.dependencies. '
+                'Required if you are using the Semgrep dependencies intel module. Ignored otherwise.'
+            ),
+        )
         parser.add_argument(
             '--snipeit-base-uri',
             type=str,
@@ -734,6 +746,9 @@ class CLI:
             config.semgrep_app_token = os.environ.get(config.semgrep_app_token_env_var)
         else:
             config.semgrep_app_token = None
+        if config.semgrep_dependency_ecosystems:
+            # No need to store the returned value; we're using this for input validation.
+            parse_and_validate_semgrep_ecosystems(config.semgrep_dependency_ecosystems)
 
         # CVE feed config
         if config.cve_api_key_env_var:

cartography/config.py

@@ -107,6 +107,8 @@ class Config:
     :param duo_api_hostname: The Duo api hostname, e.g. "api-abc123.duosecurity.com". Optional.
     :param semgrep_app_token: The Semgrep api token. Optional.
     :type semgrep_app_token: str
+    :param semgrep_dependency_ecosystems: Comma-separated list of Semgrep dependency ecosystems to fetch. Optional.
+    :type semgrep_dependency_ecosystems: str
     :type snipeit_base_uri: string
     :param snipeit_base_uri: SnipeIT data provider base URI. Optional.
     :type snipeit_token: string
@@ -170,6 +172,7 @@ class Config:
         duo_api_secret=None,
         duo_api_hostname=None,
         semgrep_app_token=None,
+        semgrep_dependency_ecosystems=None,
         snipeit_base_uri=None,
         snipeit_token=None,
         snipeit_tenant_id=None,
@@ -227,6 +230,7 @@ class Config:
         self.duo_api_secret = duo_api_secret
         self.duo_api_hostname = duo_api_hostname
         self.semgrep_app_token = semgrep_app_token
+        self.semgrep_dependency_ecosystems = semgrep_dependency_ecosystems
         self.snipeit_base_uri = snipeit_base_uri
         self.snipeit_token = snipeit_token
         self.snipeit_tenant_id = snipeit_tenant_id

cartography/data/indexes.cypher

@@ -305,8 +305,7 @@ CREATE INDEX IF NOT EXISTS FOR (n:SpotlightVulnerability) ON (n.host_info_local_
 CREATE INDEX IF NOT EXISTS FOR (n:SpotlightVulnerability) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:SQSQueue) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:SQSQueue) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:User) ON (n.arn);
-CREATE INDEX IF NOT EXISTS FOR (n:User) ON (n.lastupdated);
+CREATE INDEX IF NOT EXISTS FOR (n:UserAccount) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:AzureTenant) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:AzureTenant) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:AzurePrincipal) ON (n.email);

cartography/data/jobs/cleanup/aws_import_identity_center_cleanup.json

@@ -0,0 +1,16 @@
+{
+  "statements": [
+
+    {
+      "query": "MATCH (:AWSAccount{id: $AWS_ID})-[:RESOURCE]->(:AWSSSOUser)<-[r:CAN_ASSUME_IDENTITY]-(:OktaUser) WHERE r.lastupdated <> $UPDATE_TAG WITH r LIMIT $LIMIT_SIZE DELETE (r) RETURN COUNT(*) as TotalDeleted",
+      "iterative": true,
+      "iterationsize": 100
+    },
+    {
+      "query": "MATCH (:AWSAccount{id: $AWS_ID})-[:RESOURCE]->(:AWSRole)-[r:ALLOWED_BY]->(:AWSSSOUser) WHERE r.lastupdated <> $UPDATE_TAG WITH r LIMIT $LIMIT_SIZE DELETE (r) RETURN COUNT(*) as TotalDeleted",
+      "iterative": true,
+      "iterationsize": 100
+    }
+  ],
+  "name": "cleanup AWS Identity Center Instances and Related Data"
+}

cartography/data/jobs/cleanup/{github_users_cleanup.json → github_org_and_users_cleanup.json}

@@ -18,6 +18,11 @@
     "query": "MATCH (:GitHubUser)-[r:MEMBER_OF]->(:GitHubOrganization) WHERE r.lastupdated <> $UPDATE_TAG WITH r LIMIT $LIMIT_SIZE DELETE (r)",
     "iterative": true,
     "iterationsize": 100
+  },
+  {
+    "query": "MATCH (:GitHubUser)-[r:UNAFFILIATED]->(:GitHubOrganization) WHERE r.lastupdated <> $UPDATE_TAG WITH r LIMIT $LIMIT_SIZE DELETE (r)",
+    "iterative": true,
+    "iterationsize": 100
   }],
   "name": "cleanup GitHub users data"
 }

cartography/intel/aws/identitycenter.py

@@ -0,0 +1,307 @@
+import logging
+from typing import Any
+from typing import Dict
+from typing import List
+
+import boto3
+import neo4j
+
+from cartography.client.core.tx import load
+from cartography.graph.job import GraphJob
+from cartography.models.aws.identitycenter.awsidentitycenter import AWSIdentityCenterInstanceSchema
+from cartography.models.aws.identitycenter.awspermissionset import AWSPermissionSetSchema
+from cartography.models.aws.identitycenter.awsssouser import AWSSSOUserSchema
+from cartography.util import aws_handle_regions
+from cartography.util import run_cleanup_job
+from cartography.util import timeit
+logger = logging.getLogger(__name__)
+
+
+@timeit
+@aws_handle_regions
+def get_identity_center_instances(boto3_session: boto3.session.Session, region: str) -> List[Dict]:
+    """
+    Get all AWS IAM Identity Center instances in the current region
+    """
+    client = boto3_session.client('sso-admin', region_name=region)
+    instances = []
+
+    paginator = client.get_paginator('list_instances')
+    for page in paginator.paginate():
+        instances.extend(page.get('Instances', []))
+
+    return instances
+
+
+@timeit
+def load_identity_center_instances(
+    neo4j_session: neo4j.Session,
+    instance_data: List[Dict],
+    region: str,
+    current_aws_account_id: str,
+    aws_update_tag: int,
+) -> None:
+    """
+    Load Identity Center instances into the graph
+    """
+    logger.info(f"Loading {len(instance_data)} Identity Center instances for region {region}")
+    load(
+        neo4j_session,
+        AWSIdentityCenterInstanceSchema(),
+        instance_data,
+        lastupdated=aws_update_tag,
+        Region=region,
+        AWS_ID=current_aws_account_id,
+    )
+
+
+@timeit
+def get_permission_sets(boto3_session: boto3.session.Session, instance_arn: str, region: str) -> List[Dict]:
+    """
+    Get all permission sets for a given Identity Center instance
+    """
+    client = boto3_session.client('sso-admin', region_name=region)
+    permission_sets = []
+
+    paginator = client.get_paginator('list_permission_sets')
+    for page in paginator.paginate(InstanceArn=instance_arn):
+        # Get detailed info for each permission set
+        for arn in page.get('PermissionSets', []):
+            details = client.describe_permission_set(
+                InstanceArn=instance_arn,
+                PermissionSetArn=arn,
+            )
+            permission_set = details.get('PermissionSet', {})
+            if permission_set:
+                permission_set['RoleHint'] = (
+                    f":role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_{permission_set.get('Name')}"
+                )
+                permission_sets.append(permission_set)
+
+    return permission_sets
+
+
+@timeit
+def get_permission_set_roles(
+    boto3_session: boto3.session.Session,
+    instance_arn: str,
+    permission_set_arn: str,
+    region: str,
+) -> List[Dict]:
+    """
+    Get all accounts associated with a given permission set
+    """
+    client = boto3_session.client('sso-admin', region_name=region)
+    accounts = []
+
+    paginator = client.get_paginator('list_accounts_for_provisioned_permission_set')
+    for page in paginator.paginate(InstanceArn=instance_arn, PermissionSetArn=permission_set_arn):
+        accounts.extend(page.get('AccountIds', []))
+
+    return accounts
+
+
+@timeit
+def load_permission_sets(
+    neo4j_session: neo4j.Session,
+    permission_sets: List[Dict],
+    instance_arn: str,
+    region: str,
+    aws_account_id: str,
+    aws_update_tag: int,
+) -> None:
+    """
+    Load Identity Center permission sets into the graph
+    """
+    logger.info(f"Loading {len(permission_sets)} permission sets for instance {instance_arn} in region {region}")
+
+    load(
+        neo4j_session,
+        AWSPermissionSetSchema(),
+        permission_sets,
+        lastupdated=aws_update_tag,
+        InstanceArn=instance_arn,
+        Region=region,
+        AWS_ID=aws_account_id,
+    )
+
+
+@timeit
+def get_sso_users(
+    boto3_session: boto3.session.Session,
+    identity_store_id: str,
+    region: str,
+) -> List[Dict]:
+    """
+    Get all SSO users for a given Identity Store
+    """
+    client = boto3_session.client('identitystore', region_name=region)
+    users = []
+
+    paginator = client.get_paginator('list_users')
+    for page in paginator.paginate(IdentityStoreId=identity_store_id):
+        user_page = page.get('Users', [])
+        for user in user_page:
+            if user.get('ExternalIds', None):
+                user['ExternalId'] = user.get('ExternalIds')[0].get('Id')
+            users.append(user)
+
+    return users
+
+
+@timeit
+def load_sso_users(
+    neo4j_session: neo4j.Session,
+    users: List[Dict],
+    identity_store_id: str,
+    region: str,
+    aws_account_id: str,
+    aws_update_tag: int,
+) -> None:
+    """
+    Load SSO users into the graph
+    """
+    logger.info(f"Loading {len(users)} SSO users for identity store {identity_store_id} in region {region}")
+
+    load(
+        neo4j_session,
+        AWSSSOUserSchema(),
+        users,
+        lastupdated=aws_update_tag,
+        IdentityStoreId=identity_store_id,
+        AWS_ID=aws_account_id,
+        Region=region,
+    )
+
+
+@timeit
+def get_role_assignments(
+    boto3_session: boto3.session.Session,
+    users: List[Dict],
+    instance_arn: str,
+    region: str,
+) -> List[Dict]:
+    """
+    Get role assignments for SSO users
+    """
+
+    logger.info(f"Getting role assignments for {len(users)} users")
+    client = boto3_session.client('sso-admin', region_name=region)
+    role_assignments = []
+
+    for user in users:
+        user_id = user['UserId']
+        paginator = client.get_paginator('list_account_assignments_for_principal')
+        for page in paginator.paginate(InstanceArn=instance_arn, PrincipalId=user_id, PrincipalType='USER'):
+            for assignment in page.get('AccountAssignments', []):
+                role_assignments.append({
+                    'UserId': user_id,
+                    'PermissionSetArn': assignment.get('PermissionSetArn'),
+                    'AccountId': assignment.get('AccountId'),
+                })
+
+    return role_assignments
+
+
+@timeit
+def load_role_assignments(
+    neo4j_session: neo4j.Session,
+    role_assignments: List[Dict],
+    aws_update_tag: int,
+) -> None:
+    """
+    Load role assignments into the graph
+    """
+    logger.info(f"Loading {len(role_assignments)} role assignments")
+    if role_assignments:
+        neo4j_session.run(
+            """
+            UNWIND $role_assignments AS ra
+            MATCH (acc:AWSAccount{id:ra.AccountId}) -[:RESOURCE]->
+            (role:AWSRole)<-[:ASSIGNED_TO_ROLE]-
+            (permset:AWSPermissionSet {id: ra.PermissionSetArn})
+            MATCH (sso:AWSSSOUser {id: ra.UserId})
+            MERGE (role)-[r:ALLOWED_BY]->(sso)
+            SET r.lastupdated = $aws_update_tag,
+            r.permission_set_arn = ra.PermissionSetArn
+            """,
+            role_assignments=role_assignments,
+            aws_update_tag=aws_update_tag,
+        )
+
+
+def cleanup(neo4j_session: neo4j.Session, common_job_parameters: Dict[str, Any]) -> None:
+    GraphJob.from_node_schema(AWSIdentityCenterInstanceSchema(), common_job_parameters).run(neo4j_session)
+    GraphJob.from_node_schema(AWSPermissionSetSchema(), common_job_parameters).run(neo4j_session)
+    GraphJob.from_node_schema(AWSSSOUserSchema(), common_job_parameters).run(neo4j_session)
+    run_cleanup_job(
+        'aws_import_identity_center_cleanup.json',
+        neo4j_session,
+        common_job_parameters,
+    )
+
+
+@timeit
+def sync_identity_center_instances(
+    neo4j_session: neo4j.Session,
+    boto3_session: boto3.session.Session,
+    regions: List[str],
+    current_aws_account_id: str,
+    update_tag: int,
+    common_job_parameters: Dict,
+) -> None:
+    """
+    Sync Identity Center instances, their permission sets, and SSO users
+    """
+    logger.info(f"Syncing Identity Center instances for regions {regions}")
+    for region in regions:
+        logger.info(f"Syncing Identity Center instances for region {region}")
+        instances = get_identity_center_instances(boto3_session, region)
+        load_identity_center_instances(
+            neo4j_session,
+            instances,
+            region,
+            current_aws_account_id,
+            update_tag,
+        )
+
+        # For each instance, get and load its permission sets and SSO users
+        for instance in instances:
+            instance_arn = instance['InstanceArn']
+            identity_store_id = instance['IdentityStoreId']
+
+            permission_sets = get_permission_sets(boto3_session, instance_arn, region)
+
+            load_permission_sets(
+                neo4j_session,
+                permission_sets,
+                instance_arn,
+                region,
+                current_aws_account_id,
+                update_tag,
+            )
+
+            users = get_sso_users(boto3_session, identity_store_id, region)
+            load_sso_users(
+                neo4j_session,
+                users,
+                identity_store_id,
+                region,
+                current_aws_account_id,
+                update_tag,
+            )
+
+            # Get and load role assignments
+            role_assignments = get_role_assignments(
+                boto3_session,
+                users,
+                instance_arn,
+                region,
+            )
+            load_role_assignments(
+                neo4j_session,
+                role_assignments,
+                update_tag,
+            )
+
+    cleanup(neo4j_session, common_job_parameters)

cartography/intel/aws/resources.py

@@ -10,6 +10,7 @@ from . import elasticache
 from . import elasticsearch
 from . import emr
 from . import iam
+from . import identitycenter
 from . import inspector
 from . import kms
 from . import lambda_function
@@ -88,4 +89,5 @@ RESOURCE_FUNCTIONS: Dict = {
     'ssm': ssm.sync,
     'inspector': inspector.sync,
     'config': config.sync,
+    'identitycenter': identitycenter.sync_identity_center_instances,
 }

cartography/intel/github/users.py

@@ -1,4 +1,5 @@
 import logging
+from copy import deepcopy
 from typing import Any
 from typing import Dict
 from typing import List
@@ -6,7 +7,11 @@ from typing import Tuple
 
 import neo4j
 
+from cartography.client.core.tx import load
 from cartography.intel.github.util import fetch_all
+from cartography.models.github.orgs import GitHubOrganizationSchema
+from cartography.models.github.users import GitHubOrganizationUserSchema
+from cartography.models.github.users import GitHubUnaffiliatedUserSchema
 from cartography.stats import get_stats_client
 from cartography.util import merge_module_sync_metadata
 from cartography.util import run_cleanup_job
@@ -44,17 +49,46 @@ GITHUB_ORG_USERS_PAGINATED_GRAPHQL = """
     }
     """
 
+GITHUB_ENTERPRISE_OWNER_USERS_PAGINATED_GRAPHQL = """
+    query($login: String!, $cursor: String) {
+    organization(login: $login)
+        {
+            url
+            login
+            enterpriseOwners(first:100, after: $cursor){
+                edges {
+                    node {
+                        url
+                        login
+                        name
+                        isSiteAdmin
+                        email
+                        company
+                    }
+                    organizationRole
+                }
+                pageInfo{
+                    endCursor
+                    hasNextPage
+                }
+            }
+        }
+    }
+    """
+
 
 @timeit
-def get(token: str, api_url: str, organization: str) -> Tuple[List[Dict], Dict]:
+def get_users(token: str, api_url: str, organization: str) -> Tuple[List[Dict], Dict]:
     """
     Retrieve a list of users from the given GitHub organization as described in
     https://docs.github.com/en/graphql/reference/objects#organizationmemberedge.
     :param token: The Github API token as string.
     :param api_url: The Github v4 API endpoint as string.
     :param organization: The name of the target Github organization as string.
-    :return: A 2-tuple containing 1. a list of dicts representing users - see tests.data.github.users.GITHUB_USER_DATA
-    for shape, and 2. data on the owning GitHub organization - see tests.data.github.users.GITHUB_ORG_DATA for shape.
+    :return: A 2-tuple containing
+        1. a list of dicts representing users and
+        2. data on the owning GitHub organization
+        see tests.data.github.users.GITHUB_USER_DATA for shape of both
     """
     users, org = fetch_all(
         token,
@@ -66,56 +100,139 @@ def get(token: str, api_url: str, organization: str) -> Tuple[List[Dict], Dict]:
     return users.edges, org
 
 
+def get_enterprise_owners(token: str, api_url: str, organization: str) -> Tuple[List[Dict], Dict]:
+    """
+    Retrieve a list of enterprise owners from the given GitHub organization as described in
+    https://docs.github.com/en/graphql/reference/objects#organizationenterpriseowneredge.
+    :param token: The Github API token as string.
+    :param api_url: The Github v4 API endpoint as string.
+    :param organization: The name of the target Github organization as string.
+    :return: A 2-tuple containing
+        1. a list of dicts representing users who are enterprise owners
+        3. data on the owning GitHub organization
+        see tests.data.github.users.GITHUB_ENTERPRISE_OWNER_DATA for shape
+    """
+    owners, org = fetch_all(
+        token,
+        api_url,
+        organization,
+        GITHUB_ENTERPRISE_OWNER_USERS_PAGINATED_GRAPHQL,
+        'enterpriseOwners',
+    )
+    return owners.edges, org
+
+
 @timeit
-def load_organization_users(
-    neo4j_session: neo4j.Session, user_data: List[Dict], org_data: Dict,
+def transform_users(user_data: List[Dict], owners_data: List[Dict], org_data: Dict) -> Tuple[List[Dict], List[Dict]]:
+    """
+    Taking raw user and owner data, return two lists of processed user data:
+    * organization users aka affiliated users (users directly affiliated with an organization)
+    * unaffiliated users (user who, for example, are enterprise owners but not members of the target organization).
+
+    :param token: The Github API token as string.
+    :param api_url: The Github v4 API endpoint as string.
+    :param organization: The name of the target Github organization as string.
+    :return: A 2-tuple containing
+        1. a list of dicts representing users who are affiliated with the target org
+           see tests.data.github.users.GITHUB_USER_DATA for shape
+        2. a list of dicts representing users who are not affiliated (e.g. enterprise owners who are not also in
+           the target org) — see tests.data.github.users.GITHUB_ENTERPRISE_OWNER_DATA for shape
+        3. data on the owning GitHub organization
+    """
+
+    users_dict = {}
+    for user in user_data:
+        processed_user = deepcopy(user['node'])
+        processed_user['role'] = user['role']
+        processed_user['hasTwoFactorEnabled'] = user['hasTwoFactorEnabled']
+        processed_user['MEMBER_OF'] = org_data['url']
+        users_dict[processed_user['url']] = processed_user
+
+    owners_dict = {}
+    for owner in owners_data:
+        processed_owner = deepcopy(owner['node'])
+        processed_owner['isEnterpriseOwner'] = True
+        if owner['organizationRole'] == 'UNAFFILIATED':
+            processed_owner['UNAFFILIATED'] = org_data['url']
+        else:
+            processed_owner['MEMBER_OF'] = org_data['url']
+        owners_dict[processed_owner['url']] = processed_owner
+
+    affiliated_users = []  # users affiliated with the target org
+    for url, user in users_dict.items():
+        user['isEnterpriseOwner'] = url in owners_dict
+        affiliated_users.append(user)
+
+    unaffiliated_users = []  # users not affiliated with the target org
+    for url, owner in owners_dict.items():
+        if url not in users_dict:
+            unaffiliated_users.append(owner)
+
+    return affiliated_users, unaffiliated_users
+
+
+@timeit
+def load_users(
+    neo4j_session: neo4j.Session,
+    node_schema: GitHubOrganizationUserSchema | GitHubUnaffiliatedUserSchema,
+    user_data: List[Dict],
+    org_data: Dict,
     update_tag: int,
 ) -> None:
-    query = """
-    MERGE (org:GitHubOrganization{id: $OrgUrl})
-    ON CREATE SET org.firstseen = timestamp()
-    SET org.username = $OrgLogin,
-    org.lastupdated = $UpdateTag
-    WITH org
-
-    UNWIND $UserData as user
-
-    MERGE (u:GitHubUser{id: user.node.url})
-    ON CREATE SET u.firstseen = timestamp()
-    SET u.fullname = user.node.name,
-    u.username = user.node.login,
-    u.has_2fa_enabled = user.hasTwoFactorEnabled,
-    u.role = user.role,
-    u.is_site_admin = user.node.isSiteAdmin,
-    u.email = user.node.email,
-    u.company = user.node.company,
-    u.lastupdated = $UpdateTag
-
-    MERGE (u)-[r:MEMBER_OF]->(org)
-    ON CREATE SET r.firstseen = timestamp()
-    SET r.lastupdated = $UpdateTag
-    """
-    neo4j_session.run(
-        query,
-        OrgUrl=org_data['url'],
-        OrgLogin=org_data['login'],
-        UserData=user_data,
-        UpdateTag=update_tag,
+    logger.info(f"Loading {len(user_data)} GitHub users to the graph")
+    load(
+        neo4j_session,
+        node_schema,
+        user_data,
+        lastupdated=update_tag,
+        org_url=org_data['url'],
+    )
+
+
+@timeit
+def load_organization(
+    neo4j_session: neo4j.Session,
+    node_schema: GitHubOrganizationSchema,
+    org_data: List[Dict[str, Any]],
+    update_tag: int,
+) -> None:
+    logger.info(f"Loading {len(org_data)} GitHub organization to the graph")
+    load(
+        neo4j_session,
+        node_schema,
+        org_data,
+        lastupdated=update_tag,
     )
 
 
 @timeit
 def sync(
         neo4j_session: neo4j.Session,
-        common_job_parameters: Dict[str, Any],
+        common_job_parameters: Dict,
         github_api_key: str,
         github_url: str,
         organization: str,
 ) -> None:
     logger.info("Syncing GitHub users")
-    user_data, org_data = get(github_api_key, github_url, organization)
-    load_organization_users(neo4j_session, user_data, org_data, common_job_parameters['UPDATE_TAG'])
-    run_cleanup_job('github_users_cleanup.json', neo4j_session, common_job_parameters)
+    user_data, org_data = get_users(github_api_key, github_url, organization)
+    owners_data, org_data = get_enterprise_owners(github_api_key, github_url, organization)
+    processed_affiliated_user_data, processed_unaffiliated_user_data = (
+        transform_users(user_data, owners_data, org_data)
+    )
+    load_organization(
+        neo4j_session, GitHubOrganizationSchema(), [org_data],
+        common_job_parameters['UPDATE_TAG'],
+    )
+    load_users(
+        neo4j_session, GitHubOrganizationUserSchema(), processed_affiliated_user_data, org_data,
+        common_job_parameters['UPDATE_TAG'],
+    )
+    load_users(
+        neo4j_session, GitHubUnaffiliatedUserSchema(), processed_unaffiliated_user_data, org_data,
+        common_job_parameters['UPDATE_TAG'],
+    )
+    # no automated cleanup job for users because user node has no sub_resource_relationship
+    run_cleanup_job('github_org_and_users_cleanup.json', neo4j_session, common_job_parameters)
     merge_module_sync_metadata(
         neo4j_session,
         group_type='GitHubOrganization',

cartography/intel/okta/users.py

@@ -150,7 +150,8 @@ def _load_okta_users(
     new_user.okta_last_updated = user_data.okta_last_updated,
     new_user.password_changed = user_data.password_changed,
     new_user.transition_to_status = user_data.transition_to_status,
-    new_user.lastupdated = $okta_update_tag
+    new_user.lastupdated = $okta_update_tag,
+    new_user :UserAccount
     WITH new_user, org
     MERGE (org)-[org_r:RESOURCE]->(new_user)
     ON CREATE SET org_r.firstseen = timestamp()

cartography/intel/semgrep/__init__.py

@@ -26,5 +26,5 @@ def start_semgrep_ingestion(
     # sync_deployment must be called first since it populates common_job_parameters
     # with the deployment ID and slug, which are required by the other sync functions
     sync_deployment(neo4j_session, config.semgrep_app_token, config.update_tag, common_job_parameters)
-    sync_dependencies(neo4j_session, config.semgrep_app_token, config.update_tag, common_job_parameters)
+    sync_dependencies(neo4j_session, config.semgrep_app_token, config.semgrep_dependency_ecosystems, config.update_tag, common_job_parameters)  # noqa: E501
     sync_findings(neo4j_session, config.semgrep_app_token, config.update_tag, common_job_parameters)

cartography/intel/semgrep/dependencies.py

@@ -12,6 +12,7 @@ from requests.exceptions import ReadTimeout
 from cartography.client.core.tx import load
 from cartography.graph.job import GraphJob
 from cartography.models.semgrep.dependencies import SemgrepGoLibrarySchema
+from cartography.models.semgrep.dependencies import SemgrepNpmLibrarySchema
 from cartography.stats import get_stats_client
 from cartography.util import merge_module_sync_metadata
 from cartography.util import timeit
@@ -22,16 +23,38 @@ _PAGE_SIZE = 10000
 _TIMEOUT = (60, 60)
 _MAX_RETRIES = 3
 
+# The keys in this dictionary must be in Semgrep's list of supported ecosystems, defined here:
+# https://semgrep.dev/api/v1/docs/#tag/SupplyChainService/operation/semgrep_app.products.sca.handlers.dependency.list_dependencies_conexxion
+ECOSYSTEM_TO_SCHEMA: Dict = {
+    'gomod': SemgrepGoLibrarySchema,
+    'npm': SemgrepNpmLibrarySchema,
+}
+
+
+def parse_and_validate_semgrep_ecosystems(ecosystems: str) -> List[str]:
+    validated_ecosystems: List[str] = []
+    for ecosystem in ecosystems.split(','):
+        ecosystem = ecosystem.strip().lower()
+
+        if ecosystem in ECOSYSTEM_TO_SCHEMA:
+            validated_ecosystems.append(ecosystem)
+        else:
+            valid_ecosystems: str = ','.join(ECOSYSTEM_TO_SCHEMA.keys())
+            raise ValueError(
+                f'Error parsing `semgrep-dependency-ecosystems`. You specified "{ecosystems}". '
+                f'Please check that your input is formatted as comma-separated values, e.g. "gomod,npm". '
+                f'Full list of supported ecosystems: {valid_ecosystems}.',
+            )
+    return validated_ecosystems
+
 
 @timeit
-def get_dependencies(semgrep_app_token: str, deployment_id: str, ecosystems: List[str]) -> List[Dict[str, Any]]:
+def get_dependencies(semgrep_app_token: str, deployment_id: str, ecosystem: str) -> List[Dict[str, Any]]:
     """
-    Gets all dependencies for the given ecosystems within the given Semgrep deployment ID.
+    Gets all dependencies for the given ecosystem within the given Semgrep deployment ID.
     param: semgrep_app_token: The Semgrep App token to use for authentication.
     param: deployment_id: The Semgrep deployment ID to use for retrieving dependencies.
-    param: ecosystems: One or more ecosystems to import dependencies from, e.g. "gomod" or "pypi".
-    The list of supported ecosystems is defined here:
-    https://semgrep.dev/api/v1/docs/#tag/SupplyChainService/operation/semgrep_app.products.sca.handlers.dependency.list_dependencies_conexxion
+    param: ecosystem: The ecosystem to import dependencies from, e.g. "gomod" or "npm".
     """
     all_deps = []
     deps_url = f"https://semgrep.dev/api/v1/deployments/{deployment_id}/dependencies"
@@ -46,31 +69,31 @@ def get_dependencies(semgrep_app_token: str, deployment_id: str, ecosystems: Lis
     request_data: dict[str, Any] = {
         "pageSize": _PAGE_SIZE,
         "dependencyFilter": {
-            "ecosystem": ecosystems,
+            "ecosystem": [ecosystem],
         },
     }
 
-    logger.info(f"Retrieving Semgrep dependencies for deployment '{deployment_id}'.")
+    logger.info(f"Retrieving Semgrep {ecosystem} dependencies for deployment '{deployment_id}'.")
     while has_more:
         try:
             response = requests.post(deps_url, json=request_data, headers=headers, timeout=_TIMEOUT)
             response.raise_for_status()
             data = response.json()
         except (ReadTimeout, HTTPError):
-            logger.warning(f"Failed to retrieve Semgrep dependencies for page {page}. Retrying...")
+            logger.warning(f"Failed to retrieve Semgrep {ecosystem} dependencies for page {page}. Retrying...")
             retries += 1
             if retries >= _MAX_RETRIES:
                 raise
             continue
         deps = data.get("dependencies", [])
         has_more = data.get("hasMore", False)
-        logger.info(f"Processed page {page} of Semgrep dependencies.")
+        logger.info(f"Processed page {page} of Semgrep {ecosystem} dependencies.")
         all_deps.extend(deps)
         retries = 0
         page += 1
         request_data["cursor"] = data.get("cursor")
 
-    logger.info(f"Retrieved {len(all_deps)} Semgrep dependencies in {page} pages.")
+    logger.info(f"Retrieved {len(all_deps)} Semgrep {ecosystem} dependencies in {page} pages.")
     return all_deps
 
 
@@ -157,19 +180,18 @@ def load_dependencies(
 @timeit
 def cleanup(
     neo4j_session: neo4j.Session,
+    dependency_schema: Callable,
     common_job_parameters: Dict[str, Any],
 ) -> None:
-    logger.info("Running Semgrep Go Library cleanup job.")
-    go_libraries_cleanup_job = GraphJob.from_node_schema(
-        SemgrepGoLibrarySchema(), common_job_parameters,
-    )
-    go_libraries_cleanup_job.run(neo4j_session)
+    logger.info(f"Running Semgrep Dependencies cleanup job for {dependency_schema().label}.")
+    GraphJob.from_node_schema(dependency_schema(), common_job_parameters).run(neo4j_session)
 
 
 @timeit
 def sync_dependencies(
     neo4j_session: neo4j.Session,
     semgrep_app_token: str,
+    ecosystems_str: str,
     update_tag: int,
     common_job_parameters: Dict[str, Any],
 ) -> None:
@@ -177,19 +199,29 @@ def sync_dependencies(
     deployment_id = common_job_parameters.get("DEPLOYMENT_ID")
     if not deployment_id:
         logger.warning(
-            "Missing Semgrep deployment ID, ensure that sync_deployment() has been called."
+            "Missing Semgrep deployment ID, ensure that sync_deployment() has been called. "
             "Skipping Semgrep dependencies sync job.",
         )
         return
 
-    logger.info("Running Semgrep dependencies sync job.")
+    if not ecosystems_str:
+        logger.warning(
+            "Semgrep is not configured to import dependencies for any ecosystems, see docs to configure. "
+            "Skipping Semgrep dependencies sync job.",
+        )
+        return
+
+    # We don't expect an error here since we've already validated the input in cli.py
+    ecosystems = parse_and_validate_semgrep_ecosystems(ecosystems_str)
 
-    # fetch and load dependencies for the Go ecosystem
-    raw_go_deps = get_dependencies(semgrep_app_token, deployment_id, ecosystems=["gomod"])
-    go_deps = transform_dependencies(raw_go_deps)
-    load_dependencies(neo4j_session, SemgrepGoLibrarySchema, go_deps, deployment_id, update_tag)
+    logger.info("Running Semgrep dependencies sync job.")
 
-    cleanup(neo4j_session, common_job_parameters)
+    for ecosystem in ecosystems:
+        schema = ECOSYSTEM_TO_SCHEMA[ecosystem]
+        raw_deps = get_dependencies(semgrep_app_token, deployment_id, ecosystem)
+        deps = transform_dependencies(raw_deps)
+        load_dependencies(neo4j_session, schema, deps, deployment_id, update_tag)
+        cleanup(neo4j_session, schema, common_job_parameters)
 
     merge_module_sync_metadata(
         neo4j_session=neo4j_session,

cartography/models/github/orgs.py

@@ -0,0 +1,26 @@
+"""
+This schema does not handle the org's relationships.  Those are handled by other schemas, for example:
+* GitHubTeamSchema defines (GitHubOrganization)-[RESOURCE]->(GitHubTeam)
+* GitHubUserSchema defines (GitHubUser)-[MEMBER_OF|UNAFFILIATED]->(GitHubOrganization)
+(There may be others, these are just two examples.)
+"""
+from dataclasses import dataclass
+
+from cartography.models.core.common import PropertyRef
+from cartography.models.core.nodes import CartographyNodeProperties
+from cartography.models.core.nodes import CartographyNodeSchema
+
+
+@dataclass(frozen=True)
+class GitHubOrganizationNodeProperties(CartographyNodeProperties):
+    id: PropertyRef = PropertyRef('url')
+    username: PropertyRef = PropertyRef('login', extra_index=True)
+    lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class GitHubOrganizationSchema(CartographyNodeSchema):
+    label: str = 'GitHubOrganization'
+    properties: GitHubOrganizationNodeProperties = GitHubOrganizationNodeProperties()
+    other_relationships = None
+    sub_resource_relationship = None

cartography/models/github/users.py

@@ -0,0 +1,119 @@
+"""
+RE: Tenant relationship between GitHubUser and GitHubOrganization
+
+Note this relationship is implemented via 'other_relationships' and not via the 'sub_resource_relationship'
+as might be expected.
+
+The 'sub_resource_relationship' typically describes the relationship of a node to its tenant (the org, project, or
+other resource to which other nodes belong).  An assumption of that relationship is that if the tenant goes
+away, all nodes related to it should be cleaned up.
+
+In GitHub, though the GitHubUser's tenant seems to be GitHubOrganization, users actually exist independently.  There
+is a concept of 'UNAFFILIATED' users (https://docs.github.com/en/graphql/reference/enums#roleinorganization) like
+Enterprise Owners who are related to an org even if they are not direct members of it.  You would not want them to be
+cleaned up, if an org goes away, and you could want them in your graph even if they are not members of any org in
+the enterprise.
+
+To allow for this in the schema, this relationship is treated as any other node-to-node relationship, via
+'other_relationships', instead of as the typical 'sub_resource_relationship'.
+
+RE: GitHubOrganizationUserSchema vs GitHubUnaffiliatedUserSchema
+
+As noted above, there are implicitly two types of users, those that are part of, or affiliated, to a target
+GitHubOrganization, and those thare are not part, or unaffiliated.   Both are represented as GitHubUser nodes,
+but there are two schemas below to allow for some differences between them, e.g., unaffiliated lack these properties:
+  * the 'role' property, because unaffiliated have no 'role' in the target org
+  * the 'has_2fa_enabled' property, because the GitHub api does not return it, for these users
+The main importance of having two schemas is to allow the two sets of users to be loaded separately.  If we are loading
+an unaffiliated user, but the user already exists in the graph (perhaps they are members of another GitHub orgs for
+example), then loading the unaffiliated user will not blank out the 'role' and 'has_2fa_enabled' properties.
+"""
+from dataclasses import dataclass
+
+from cartography.models.core.common import PropertyRef
+from cartography.models.core.nodes import CartographyNodeProperties
+from cartography.models.core.nodes import CartographyNodeSchema
+from cartography.models.core.relationships import CartographyRelProperties
+from cartography.models.core.relationships import CartographyRelSchema
+from cartography.models.core.relationships import LinkDirection
+from cartography.models.core.relationships import make_target_node_matcher
+from cartography.models.core.relationships import OtherRelationships
+from cartography.models.core.relationships import TargetNodeMatcher
+
+
+@dataclass(frozen=True)
+class BaseGitHubUserNodeProperties(CartographyNodeProperties):
+    # core properties in all GitHubUser nodes
+    id: PropertyRef = PropertyRef('url')
+    lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
+    fullname: PropertyRef = PropertyRef('name')
+    username: PropertyRef = PropertyRef('login', extra_index=True)
+    is_site_admin: PropertyRef = PropertyRef('isSiteAdmin')
+    is_enterprise_owner: PropertyRef = PropertyRef('isEnterpriseOwner')
+    email: PropertyRef = PropertyRef('email')
+    company: PropertyRef = PropertyRef('company')
+
+
+@dataclass(frozen=True)
+class GitHubOrganizationUserNodeProperties(BaseGitHubUserNodeProperties):
+    # specified for affiliated users only. The GitHub api does not return this property for unaffiliated users.
+    has_2fa_enabled: PropertyRef = PropertyRef('hasTwoFactorEnabled')
+    # specified for affiliated uers only.  Unaffiliated users do not have a 'role' in the target organization.
+    role: PropertyRef = PropertyRef('role')
+
+
+@dataclass(frozen=True)
+class GitHubUnaffiliatedUserNodeProperties(BaseGitHubUserNodeProperties):
+    # No additional properties needed
+    pass
+
+
+@dataclass(frozen=True)
+class GitHubUserToOrganizationRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class GitHubUserMemberOfOrganizationRel(CartographyRelSchema):
+    target_node_label: str = 'GitHubOrganization'
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {'id': PropertyRef('MEMBER_OF')},
+    )
+    direction: LinkDirection = LinkDirection.OUTWARD
+    rel_label: str = "MEMBER_OF"
+    properties: GitHubUserToOrganizationRelProperties = GitHubUserToOrganizationRelProperties()
+
+
+@dataclass(frozen=True)
+class GitHubUserUnaffiliatedOrganizationRel(CartographyRelSchema):
+    target_node_label: str = 'GitHubOrganization'
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {'id': PropertyRef('UNAFFILIATED')},
+    )
+    direction: LinkDirection = LinkDirection.OUTWARD
+    rel_label: str = "UNAFFILIATED"
+    properties: GitHubUserToOrganizationRelProperties = GitHubUserToOrganizationRelProperties()
+
+
+@dataclass(frozen=True)
+class GitHubOrganizationUserSchema(CartographyNodeSchema):
+    label: str = 'GitHubUser'
+    properties: GitHubOrganizationUserNodeProperties = GitHubOrganizationUserNodeProperties()
+    other_relationships: OtherRelationships = OtherRelationships(
+        [
+            GitHubUserMemberOfOrganizationRel(),
+        ],
+    )
+    sub_resource_relationship = None
+
+
+@dataclass(frozen=True)
+class GitHubUnaffiliatedUserSchema(CartographyNodeSchema):
+    label: str = 'GitHubUser'
+    properties: GitHubUnaffiliatedUserNodeProperties = GitHubUnaffiliatedUserNodeProperties()
+    other_relationships: OtherRelationships = OtherRelationships(
+        [
+            GitHubUserUnaffiliatedOrganizationRel(),
+        ],
+    )
+    sub_resource_relationship = None

cartography/models/semgrep/dependencies.py

@@ -75,3 +75,16 @@ class SemgrepGoLibrarySchema(CartographyNodeSchema):
             SemgrepDependencyToGithubRepoRel(),
         ],
     )
+
+
+@dataclass(frozen=True)
+class SemgrepNpmLibrarySchema(CartographyNodeSchema):
+    label: str = 'NpmLibrary'
+    extra_node_labels: Optional[ExtraNodeLabels] = ExtraNodeLabels(['Dependency', 'SemgrepDependency'])
+    properties: SemgrepDependencyNodeProperties = SemgrepDependencyNodeProperties()
+    sub_resource_relationship: SemgrepDependencyToSemgrepDeploymentSchema = SemgrepDependencyToSemgrepDeploymentSchema()
+    other_relationships: OtherRelationships = OtherRelationships(
+        [
+            SemgrepDependencyToGithubRepoRel(),
+        ],
+    )

{cartography-0.96.0rc1.dist-info → cartography-0.96.0rc2.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: cartography
-Version: 0.96.0rc1
+Version: 0.96.0rc2
 Summary: Explore assets and their relationships across your technical infrastructure.
 Home-page: https://www.github.com/cartography-cncf/cartography
 Maintainer: Cartography Contributors

{cartography-0.96.0rc1.dist-info → cartography-0.96.0rc2.dist-info}/RECORD

@@ -1,7 +1,7 @@
 cartography/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cartography/__main__.py,sha256=JftXT_nUPkqcEh8uxCCT4n-OyHYqbldEgrDS-4ygy0U,101
-cartography/cli.py,sha256=tfIPOMh3DtQG7Dgmg9rNNqoTcxgocBu45k88CAM09Nk,32368
-cartography/config.py,sha256=QbFqwUb6P8-wdkf4ljE5HJhduXl_3Gt2xzBQRayq0sg,11566
+cartography/cli.py,sha256=LPjeOkx-cKhRkuhqMicB-0X3SHOjLXxEeGqsp2FtpC0,33285
+cartography/config.py,sha256=VpFCSQU88cz6GIfppQcc7LywthpR0lgYnKATyXVws_E,11846
 cartography/py.typed,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cartography/stats.py,sha256=dbybb9V2FuvSuHjjNwz6Vjwnd1hap2C7h960rLoKcl8,4406
 cartography/sync.py,sha256=ziD63T_774gXSuD5zdz6fLGvv1Kt2ntQySSVbmcCZb8,9708
@@ -12,7 +12,7 @@ cartography/client/aws/iam.py,sha256=dYsGikc36DEsSeR2XVOVFFUDwuU9yWj_EVkpgVYCFgM
 cartography/client/core/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cartography/client/core/tx.py,sha256=4_kTBxrtlwsOM-e8Xtjf7wmmzwZ-DGRJL0rPFp0Xj0Q,10805
 cartography/data/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-cartography/data/indexes.cypher,sha256=Ha8VemktSz8ikIS4On-8FTiv2-WwRx5j3l02gQnSWXk,27262
+cartography/data/indexes.cypher,sha256=zMEzytgcvMLgclMmCkFUdWp4t_EFsOEOp1M2v1vGctM,27208
 cartography/data/permission_relationships.yaml,sha256=RuKGGc_3ZUQ7ag0MssB8k_zaonCkVM5E8I_svBWTmGc,969
 cartography/data/jobs/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cartography/data/jobs/analysis/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -45,6 +45,7 @@ cartography/data/jobs/cleanup/aws_import_es_cleanup.json,sha256=VqRqiMcT0Ag0Qif2
 cartography/data/jobs/cleanup/aws_import_groups_cleanup.json,sha256=QSdWIpC_Ru4TFBm9I5mpI-ZHyusbzCzCePWN-yn8TQU,463
 cartography/data/jobs/cleanup/aws_import_groups_membership_cleanup.json,sha256=OSeasbv01pn47J1ib3yal_dAzbEOCZVJnldMqK0SAOQ,292
 cartography/data/jobs/cleanup/aws_import_groups_policy_cleanup.json,sha256=U_yKHAsjHoI9fiiTqGyhlMazgeZumlZwMO70CpJpuAM,309
+cartography/data/jobs/cleanup/aws_import_identity_center_cleanup.json,sha256=PSyerOlZkiLaWYFa3Hg1mqqX83FGwj36-p0BF1lR-Q8,650
 cartography/data/jobs/cleanup/aws_import_internet_gateways_cleanup.json,sha256=SHHrR9pX0V1r-RxwJggHGeFA7JVQAAK02D-n-vqOvdU,287
 cartography/data/jobs/cleanup/aws_import_kms_cleanup.json,sha256=NU9doXVk4UmAY59aYnld95Wc1b8DrfCbvJltUsATxko,1441
 cartography/data/jobs/cleanup/aws_import_lambda_cleanup.json,sha256=ntjEpy_WyLxD66Dxydi9GliBVK0DVZWza6908KYeoyA,2268
@@ -101,8 +102,8 @@ cartography/data/jobs/cleanup/gcp_crm_project_cleanup.json,sha256=JImcuuz9HI2TL0
 cartography/data/jobs/cleanup/gcp_dns_cleanup.json,sha256=NGs5UYFmm65Rq8gyqbzIe8_OnFchfpNFf9iAcIj_hyY,1286
 cartography/data/jobs/cleanup/gcp_gke_cluster_cleanup.json,sha256=3bMEJ44AEvjkj_1ibclk6Ys5r1LniUWefpZ_U5hTwHI,671
 cartography/data/jobs/cleanup/gcp_storage_bucket_cleanup.json,sha256=sGygB_meoCpGdGgEZtIlC4L-19meAXdfP99gkNJHD7o,1288
+cartography/data/jobs/cleanup/github_org_and_users_cleanup.json,sha256=vjaOlWdnjaCHmvmaWadOzHXqFnjpR1wW8cykb_M54fM,1010
 cartography/data/jobs/cleanup/github_repos_cleanup.json,sha256=tFXDcsWyCrr5C4Hzl157sv8GjF3aj9dsKKs94bhcEYA,2628
-cartography/data/jobs/cleanup/github_users_cleanup.json,sha256=wxqbOkOShVA3mYUdZwc8UuS4gH5Al8bc7rij6R0cyDQ,806
 cartography/data/jobs/cleanup/gsuite_ingest_groups_cleanup.json,sha256=ddXAUi6aVi2htf5R1bNn6YrC3SjshjLBgWtlzBgZ9Do,961
 cartography/data/jobs/cleanup/gsuite_ingest_users_cleanup.json,sha256=0qMLbVSTyq5F9vt4-TvVa3YAAvZCpPtzF9EwblaTxWg,353
 cartography/data/jobs/cleanup/jamf_import_computers_cleanup.json,sha256=sEF6VSkOcFO210y3VHFO45PDYi5ZePS6xRm3GL9lW7A,248
@@ -152,6 +153,7 @@ cartography/intel/aws/elasticache.py,sha256=fCI47aDFmIDyE26GiReKYb6XIZUwrzcvsXBQ
 cartography/intel/aws/elasticsearch.py,sha256=ZL7MkXF_bXRSoXuDSI1dwGckRLG2zDB8LuAD07vSLnE,8374
 cartography/intel/aws/emr.py,sha256=xhWBVZngxJRFjMEDxwq3G6SgytRGLq0v2a_CeDvByR0,3372
 cartography/intel/aws/iam.py,sha256=eLw0NkBGKzCI_tQ3wmrx3aUibQerrsxKJd3d0RCKcKQ,32374
+cartography/intel/aws/identitycenter.py,sha256=zIWe_JpXPC-kkWu26aFjYtGsClNG_GaQ3bdCeiRkApc,9475
 cartography/intel/aws/inspector.py,sha256=S22ZgRKEnmnBTJ-u0rodqRPB7_LkSIek47NeBxN4XJw,9336
 cartography/intel/aws/kms.py,sha256=bZUzMxAH_DsAcGTJBs08gg2tLKYu-QWjvMvV9C-6v50,11731
 cartography/intel/aws/lambda_function.py,sha256=KKTyn53xpaMI9WvIqxmsOASFwflHt-2_5ow-zUFc2wg,9890
@@ -160,7 +162,7 @@ cartography/intel/aws/permission_relationships.py,sha256=IarV9gt5BaplZ5TPo_mfypt
 cartography/intel/aws/rds.py,sha256=vnlNYmrO2Cc0PNn31CeG2QwYhwjVosbQFE9Ol1vQyLE,25252
 cartography/intel/aws/redshift.py,sha256=KOqiXIllHmtPTeaNGl-cX4srY5pFE6o12j8MQ5-zWpc,6694
 cartography/intel/aws/resourcegroupstaggingapi.py,sha256=aq4kPF6t8QZZoTxdkQVLXH65Di41CDJVM9llJNe6iaY,10278
-cartography/intel/aws/resources.py,sha256=W-Psy1bjszIZ4dpsm_JPIMEeNzgWJSBu71hju3OUh8c,3272
+cartography/intel/aws/resources.py,sha256=A8Dc3PtCfDyk5a1ZgAoHthhDPS6aWN_kR0PLwnHdC0Q,3370
 cartography/intel/aws/route53.py,sha256=IYqeQud1HuHnf11A7T-Jeif5DWgjpaaU-Jfr2cLUc_o,14099
 cartography/intel/aws/s3.py,sha256=SVxUMtMSkbdjZv5qOSYIbYb8BQa-QTojbHG85-EFWLA,27034
 cartography/intel/aws/secretsmanager.py,sha256=YogwRPT6qZPVg5HrND71zI-nNn60oxoWaW7eUlhuTS0,3304
@@ -229,7 +231,7 @@ cartography/intel/gcp/storage.py,sha256=oO_ayEhkXlj2Gn7T5MU41ZXiqwRwe6Ud4wzqyRTs
 cartography/intel/github/__init__.py,sha256=y876JJGTDJZEOFCDiNCJfcLNxN24pVj4s2N0YmuuoaE,1914
 cartography/intel/github/repos.py,sha256=YPDdBMk6NkZjwPcqPW5LlCy_OS9tKcrZD6ygiUG93J0,21766
 cartography/intel/github/teams.py,sha256=aXI-XbxlA1IDaAUX0XSdEt6pA2n4ew5j_doj1iNYCDM,6618
-cartography/intel/github/users.py,sha256=kQp0dxzP08DVrdvfVeCciQbrKPbbFvwbR_p_I_XGt7s,3826
+cartography/intel/github/users.py,sha256=zkMLVNfEMZIYYtPfqTsMXs2BNFzK8SfFRO7qnnlHy_s,8399
 cartography/intel/github/util.py,sha256=K6hbxypy4luKhIE1Uh5VWZc9OyjMK2OuO00vBAQfloA,8049
 cartography/intel/gsuite/__init__.py,sha256=AGIUskGlLCVGHbnQicNpNWi9AvmV7_7hUKTt-hsB2J8,4306
 cartography/intel/gsuite/api.py,sha256=J0dkNdfBVMrEv8vvStQu7YKVxXSyV45WueFhUS4aOG4,10310
@@ -259,7 +261,7 @@ cartography/intel/okta/organization.py,sha256=YLQc7ETdtf8Vc-CRCYivV_xmVl2Oz0Px53
 cartography/intel/okta/origins.py,sha256=LNswsOXx8oBk9tL6Qc_3EuqXpa9qgD6fWEWrbsP-_fE,3730
 cartography/intel/okta/roles.py,sha256=_H3o8RveEBt5Mx_nHle81pYEB3NrGq2R2UGL_ChArFs,5840
 cartography/intel/okta/sync_state.py,sha256=GYtAJlbEObiZKPihcIzVzB6APdI_TwUYzhycsDJ8cDE,702
-cartography/intel/okta/users.py,sha256=VODob-izytSZDxSW-YDb7vaBLcu4cXkD6hTGcS26DeE,6395
+cartography/intel/okta/users.py,sha256=rkOvLaZkBOV2QrgsCa-O0p2Iq7AfguUO078w7XB8CMM,6422
 cartography/intel/okta/utils.py,sha256=XSXw8QiaaXwL_PfOlbpvjgPfy2Etmt_PkS7T6ruTFmc,2165
 cartography/intel/pagerduty/__init__.py,sha256=kXYtgUFLl4eldveyBoxNiebcfOOktTVvLf6rVkriNuA,2164
 cartography/intel/pagerduty/escalation_policies.py,sha256=5Fnm0WLF9TP1GH0BJ2sZlO6U9tH1KdhCvoMxGtL_318,6455
@@ -268,8 +270,8 @@ cartography/intel/pagerduty/services.py,sha256=Cjm37mWmuBNXSY49-xUQ3xV0DZ391GTLv
 cartography/intel/pagerduty/teams.py,sha256=aRubUXgEVVReyLrXAX_be1E_QBJv3Qlr4n779Jkkz8Q,2498
 cartography/intel/pagerduty/users.py,sha256=oltGssxrnzYsV6QTGP1SsPoA1rCUDStj6vGlGWY695g,1623
 cartography/intel/pagerduty/vendors.py,sha256=WlDHExrWRBegDQKtxBV5nJiYgwoTLxNee4HrQDJ-Pdg,1559
-cartography/intel/semgrep/__init__.py,sha256=XhfixZPJXBIA9SRQDxe2wY26KW447lTPR0Q_DV7aFTU,1150
-cartography/intel/semgrep/dependencies.py,sha256=2Uq86WLDlfO-lNPot__z0TXPbe_cXC_5HFLyYqfbVKU,6742
+cartography/intel/semgrep/__init__.py,sha256=dNosNlFJtIJI-XZMF_5qV2nZ-barQNEZaIkEL-JFTyk,1202
+cartography/intel/semgrep/dependencies.py,sha256=PeEeroI38BUH-TefJeimzxNP5y429y6i-jJj3M2s9N4,8163
 cartography/intel/semgrep/deployment.py,sha256=sh-yJHtdgZjxIJimNnA-DxsM-MYgMhQ_WX2E7w4PWiM,2012
 cartography/intel/semgrep/findings.py,sha256=GDqZmfl9-HiZ93u0jhlkZ1w_qzrD1cFFFJtVc7DFdPk,9761
 cartography/intel/snipeit/__init__.py,sha256=0uIh8NbuI7IbfgaOrPHg4Nfm1yO6mTRC_qaFiIjR2FA,992
@@ -327,7 +329,9 @@ cartography/models/duo/token.py,sha256=BS_AvF-TAGzCY9Owtqxr8g_s6716dnzFOO1Iwkckm
 cartography/models/duo/user.py,sha256=ih3DH_QveAve4cX9dmIwC5gVN6_RNnuLK3bfJ5I9u6g,6554
 cartography/models/duo/web_authn_credential.py,sha256=OcZnfG5zCMlphxSltRcAXQ12hHYJjxrBt6A9L28g7Vk,2920
 cartography/models/github/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+cartography/models/github/orgs.py,sha256=f5kJ-51MDGW5k4sWMeTfyBDxcHdhFJZGkRUvGcjllBU,1097
 cartography/models/github/teams.py,sha256=mk3OFGTDqWkLz7aX7Q9AtpOMOkZDDGH0MWoVeevK2-k,4376
+cartography/models/github/users.py,sha256=XliVsBKWF7wW7Dwjwdoz9E2gk1cASyfQgAddKYr23VY,5739
 cartography/models/kandji/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cartography/models/kandji/device.py,sha256=C3zPhLi1oPNysbSUr4H2u8b-Xy14sb3FE7YcjCwlntw,2214
 cartography/models/kandji/tenant.py,sha256=KhcbahNBemny3coQPiadIY8B-yDMg_ejYB2BR6vqBfw,674
@@ -335,7 +339,7 @@ cartography/models/lastpass/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMp
 cartography/models/lastpass/tenant.py,sha256=TG-9LFo9Sfzb9UgcTt_gFVTKocLItbgQMMPkN_iprXU,618
 cartography/models/lastpass/user.py,sha256=SMTTYN6jgccc9k76hY3rVImElJOhHhZ9f1aZ6JzcrHw,3487
 cartography/models/semgrep/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-cartography/models/semgrep/dependencies.py,sha256=QcvlqKKvX1bi4iqcM0ioYb1ZfGfisJ9E2o2CMnEf2CE,3399
+cartography/models/semgrep/dependencies.py,sha256=zO8NxfFIvL6vzFWaIDAXqPF7VfUwLMj5YizqA0IS-eA,3959
 cartography/models/semgrep/deployment.py,sha256=or5qZDuR51MXzINpH15jZrqmSUvXQevCNYWJ7D6v-JI,745
 cartography/models/semgrep/findings.py,sha256=RPd-QzvP38fbTIqFARx6XpcZSsd5JM3KIg-ZlJA7NlE,5490
 cartography/models/semgrep/locations.py,sha256=kSk7Nn5Mn4Ob84MVZOo2GR0YFi-9Okq9pgA3FfC6_bk,3061
@@ -343,9 +347,9 @@ cartography/models/snipeit/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJ
 cartography/models/snipeit/asset.py,sha256=FyRAaeXuZjMy0eUQcSDFcgEAF5lbLMlvqp1Tv9d3Lv4,3238
 cartography/models/snipeit/tenant.py,sha256=p4rFnpNNuF1W5ilGBbexDaETWTwavfb38RcQGoImkQI,679
 cartography/models/snipeit/user.py,sha256=MsB4MiCVNTH6JpESime7cOkB89autZOXQpL6Z0l7L6o,2113
-cartography-0.96.0rc1.dist-info/LICENSE,sha256=kvLEBRYaQ1RvUni6y7Ti9uHeooqnjPoo6n_-0JO1ETc,11351
-cartography-0.96.0rc1.dist-info/METADATA,sha256=XD5vv3n7YJIVKQjrySebeVAG-xABJUaaner8ELB2NG0,1966
-cartography-0.96.0rc1.dist-info/WHEEL,sha256=R06PA3UVYHThwHvxuRWMqaGcr-PuniXahwjmQRFMEkY,91
-cartography-0.96.0rc1.dist-info/entry_points.txt,sha256=GVIAWD0o0_K077qMA_k1oZU4v-M0a8GLKGJR8tZ-qH8,112
-cartography-0.96.0rc1.dist-info/top_level.txt,sha256=BHqsNJQiI6Q72DeypC1IINQJE59SLhU4nllbQjgJi9g,12
-cartography-0.96.0rc1.dist-info/RECORD,,
+cartography-0.96.0rc2.dist-info/LICENSE,sha256=kvLEBRYaQ1RvUni6y7Ti9uHeooqnjPoo6n_-0JO1ETc,11351
+cartography-0.96.0rc2.dist-info/METADATA,sha256=TZRI_txSoyOf6cEy50VjF6X9jA-tjukRutReucOcbBY,1966
+cartography-0.96.0rc2.dist-info/WHEEL,sha256=R06PA3UVYHThwHvxuRWMqaGcr-PuniXahwjmQRFMEkY,91
+cartography-0.96.0rc2.dist-info/entry_points.txt,sha256=GVIAWD0o0_K077qMA_k1oZU4v-M0a8GLKGJR8tZ-qH8,112
+cartography-0.96.0rc2.dist-info/top_level.txt,sha256=BHqsNJQiI6Q72DeypC1IINQJE59SLhU4nllbQjgJi9g,12
+cartography-0.96.0rc2.dist-info/RECORD,,