cyntrisec 0.1.7__py3-none-any.whl

cyntrisec/core/diff.py

@@ -0,0 +1,361 @@
+"""
+Snapshot Diff - Compare two scan snapshots to detect changes.
+
+Identifies:
+- New assets (added since previous scan)
+- Removed assets (gone since previous scan)
+- Changed relationships (new connections, removed connections)
+- Security regressions (new attack paths, new findings)
+- Security improvements (fixed attack paths, resolved findings)
+"""
+
+from __future__ import annotations
+
+import uuid
+from dataclasses import dataclass, field
+from enum import Enum
+
+from cyntrisec.core.schema import Asset, AttackPath, Finding, Relationship
+
+
+class ChangeType(str, Enum):
+    """Type of change detected."""
+
+    added = "added"
+    removed = "removed"
+    modified = "modified"
+
+
+@dataclass
+class AssetChange:
+    """A change to an asset between snapshots."""
+
+    change_type: ChangeType
+    asset: Asset
+    previous_asset: Asset | None = None
+
+    @property
+    def key(self) -> str:
+        """Unique key for the asset (ARN or resource ID)."""
+        return self.asset.arn or self.asset.aws_resource_id
+
+
+@dataclass
+class RelationshipChange:
+    """A change to a relationship between snapshots."""
+
+    change_type: ChangeType
+    relationship: Relationship
+    source_name: str = ""
+    target_name: str = ""
+
+
+@dataclass
+class PathChange:
+    """A change to an attack path between snapshots."""
+
+    change_type: ChangeType
+    path: AttackPath
+    is_regression: bool = False  # True if this is a NEW attack path (bad)
+    is_improvement: bool = False  # True if this is a REMOVED attack path (good)
+
+
+@dataclass
+class FindingChange:
+    """A change to a security finding between snapshots."""
+
+    change_type: ChangeType
+    finding: Finding
+    is_regression: bool = False
+    is_improvement: bool = False
+
+
+@dataclass
+class DiffResult:
+    """
+    Result of comparing two snapshots.
+
+    Attributes:
+        old_snapshot_id: ID of the baseline snapshot
+        new_snapshot_id: ID of the current snapshot
+        asset_changes: New/removed/modified assets
+        relationship_changes: New/removed relationships
+        path_changes: New/removed attack paths
+        finding_changes: New/resolved findings
+        summary: High-level summary stats
+    """
+
+    old_snapshot_id: uuid.UUID
+    new_snapshot_id: uuid.UUID
+    asset_changes: list[AssetChange] = field(default_factory=list)
+    relationship_changes: list[RelationshipChange] = field(default_factory=list)
+    path_changes: list[PathChange] = field(default_factory=list)
+    finding_changes: list[FindingChange] = field(default_factory=list)
+
+    @property
+    def summary(self) -> dict[str, int]:
+        """Summary statistics of changes."""
+        return {
+            "assets_added": sum(1 for c in self.asset_changes if c.change_type == ChangeType.added),
+            "assets_removed": sum(
+                1 for c in self.asset_changes if c.change_type == ChangeType.removed
+            ),
+            "relationships_added": sum(
+                1 for c in self.relationship_changes if c.change_type == ChangeType.added
+            ),
+            "relationships_removed": sum(
+                1 for c in self.relationship_changes if c.change_type == ChangeType.removed
+            ),
+            "paths_added": sum(1 for c in self.path_changes if c.change_type == ChangeType.added),
+            "paths_removed": sum(
+                1 for c in self.path_changes if c.change_type == ChangeType.removed
+            ),
+            "findings_new": sum(
+                1 for c in self.finding_changes if c.change_type == ChangeType.added
+            ),
+            "findings_resolved": sum(
+                1 for c in self.finding_changes if c.change_type == ChangeType.removed
+            ),
+        }
+
+    @property
+    def has_regressions(self) -> bool:
+        """Check if there are security regressions."""
+        return any(c.is_regression for c in self.path_changes) or any(
+            c.is_regression for c in self.finding_changes
+        )
+
+    @property
+    def has_improvements(self) -> bool:
+        """Check if there are security improvements."""
+        return any(c.is_improvement for c in self.path_changes) or any(
+            c.is_improvement for c in self.finding_changes
+        )
+
+
+class SnapshotDiff:
+    """
+    Compare two scan snapshots to detect changes.
+
+    Useful for:
+    - Configuration drift detection
+    - Security regression testing
+    - Change auditing
+    """
+
+    def diff(
+        self,
+        *,
+        old_assets: list[Asset],
+        old_relationships: list[Relationship],
+        old_paths: list[AttackPath],
+        old_findings: list[Finding],
+        new_assets: list[Asset],
+        new_relationships: list[Relationship],
+        new_paths: list[AttackPath],
+        new_findings: list[Finding],
+        old_snapshot_id: uuid.UUID,
+        new_snapshot_id: uuid.UUID,
+    ) -> DiffResult:
+        """
+        Compare two snapshots and return all changes.
+
+        Args:
+            old_*: Data from baseline snapshot
+            new_*: Data from current snapshot
+
+        Returns:
+            DiffResult with all detected changes
+        """
+        result = DiffResult(
+            old_snapshot_id=old_snapshot_id,
+            new_snapshot_id=new_snapshot_id,
+        )
+
+        # Diff assets by ARN/resource ID
+        result.asset_changes = self._diff_assets(old_assets, new_assets)
+
+        # Build asset name lookup for relationship display
+        asset_names = {a.id: a.name for a in new_assets}
+        asset_names.update({a.id: a.name for a in old_assets})
+
+        # Diff relationships by source+target+type
+        result.relationship_changes = self._diff_relationships(
+            old_relationships, new_relationships, asset_names
+        )
+
+        # Diff attack paths by source+target
+        result.path_changes = self._diff_paths(old_paths, new_paths)
+
+        # Diff findings by asset+type
+        result.finding_changes = self._diff_findings(old_findings, new_findings)
+
+        return result
+
+    def _diff_assets(
+        self,
+        old: list[Asset],
+        new: list[Asset],
+    ) -> list[AssetChange]:
+        """Diff assets between snapshots."""
+        changes = []
+
+        # Key by ARN or resource ID
+        old_by_key = {(a.arn or a.aws_resource_id): a for a in old}
+        new_by_key = {(a.arn or a.aws_resource_id): a for a in new}
+
+        old_keys = set(old_by_key.keys())
+        new_keys = set(new_by_key.keys())
+
+        # Added assets
+        for key in new_keys - old_keys:
+            changes.append(
+                AssetChange(
+                    change_type=ChangeType.added,
+                    asset=new_by_key[key],
+                )
+            )
+
+        # Removed assets
+        for key in old_keys - new_keys:
+            changes.append(
+                AssetChange(
+                    change_type=ChangeType.removed,
+                    asset=old_by_key[key],
+                )
+            )
+
+        return changes
+
+    def _diff_relationships(
+        self,
+        old: list[Relationship],
+        new: list[Relationship],
+        asset_names: dict[uuid.UUID, str],
+    ) -> list[RelationshipChange]:
+        """Diff relationships between snapshots."""
+        changes = []
+
+        # Key by source ARN + target ARN + type (since IDs change between snapshots)
+        def rel_key(r: Relationship) -> tuple[str, str, str]:
+            return (
+                asset_names.get(r.source_asset_id, str(r.source_asset_id)),
+                asset_names.get(r.target_asset_id, str(r.target_asset_id)),
+                r.relationship_type,
+            )
+
+        old_by_key = {rel_key(r): r for r in old}
+        new_by_key = {rel_key(r): r for r in new}
+
+        old_keys = set(old_by_key.keys())
+        new_keys = set(new_by_key.keys())
+
+        # Added relationships
+        for key in new_keys - old_keys:
+            rel = new_by_key[key]
+            changes.append(
+                RelationshipChange(
+                    change_type=ChangeType.added,
+                    relationship=rel,
+                    source_name=key[0],
+                    target_name=key[1],
+                )
+            )
+
+        # Removed relationships
+        for key in old_keys - new_keys:
+            rel = old_by_key[key]
+            changes.append(
+                RelationshipChange(
+                    change_type=ChangeType.removed,
+                    relationship=rel,
+                    source_name=key[0],
+                    target_name=key[1],
+                )
+            )
+
+        return changes
+
+    def _diff_paths(
+        self,
+        old: list[AttackPath],
+        new: list[AttackPath],
+    ) -> list[PathChange]:
+        """Diff attack paths between snapshots."""
+        changes = []
+
+        # Key by attack vector + source/target names (from proof)
+        def path_key(p: AttackPath) -> tuple[str, str, str]:
+            proof = p.proof or {}
+            steps = proof.get("steps", [])
+            source_name = steps[0].get("name", "") if steps else ""
+            target_name = steps[-1].get("name", "") if steps else ""
+            return (p.attack_vector, source_name, target_name)
+
+        old_by_key = {path_key(p): p for p in old}
+        new_by_key = {path_key(p): p for p in new}
+
+        old_keys = set(old_by_key.keys())
+        new_keys = set(new_by_key.keys())
+
+        # New attack paths (regressions!)
+        for key in new_keys - old_keys:
+            changes.append(
+                PathChange(
+                    change_type=ChangeType.added,
+                    path=new_by_key[key],
+                    is_regression=True,
+                )
+            )
+
+        # Removed attack paths (improvements!)
+        for key in old_keys - new_keys:
+            changes.append(
+                PathChange(
+                    change_type=ChangeType.removed,
+                    path=old_by_key[key],
+                    is_improvement=True,
+                )
+            )
+
+        return changes
+
+    def _diff_findings(
+        self,
+        old: list[Finding],
+        new: list[Finding],
+    ) -> list[FindingChange]:
+        """Diff findings between snapshots."""
+        changes = []
+
+        # Key by finding type + title (normalized)
+        def finding_key(f: Finding) -> tuple[str, str]:
+            return (f.finding_type, f.title.lower())
+
+        old_by_key = {finding_key(f): f for f in old}
+        new_by_key = {finding_key(f): f for f in new}
+
+        old_keys = set(old_by_key.keys())
+        new_keys = set(new_by_key.keys())
+
+        # New findings (regressions)
+        for key in new_keys - old_keys:
+            changes.append(
+                FindingChange(
+                    change_type=ChangeType.added,
+                    finding=new_by_key[key],
+                    is_regression=True,
+                )
+            )
+
+        # Removed findings (improvements)
+        for key in old_keys - new_keys:
+            changes.append(
+                FindingChange(
+                    change_type=ChangeType.removed,
+                    finding=old_by_key[key],
+                    is_improvement=True,
+                )
+            )
+
+        return changes

cyntrisec/core/graph.py

@@ -0,0 +1,202 @@
+"""
+Capability Graph - In-memory graph representation.
+
+The graph models AWS infrastructure as:
+- Nodes: Assets (resources, logical groupings)
+- Edges: Relationships (capabilities, permissions, connectivity)
+"""
+
+from __future__ import annotations
+
+import uuid
+from collections.abc import Sequence
+from dataclasses import dataclass
+
+from cyntrisec.core.schema import INTERNET_ASSET_ID, Asset, EdgeKind, Relationship
+
+
+@dataclass(frozen=True)
+class AwsGraph:
+    """
+    In-memory capability graph for AWS infrastructure.
+
+    Provides efficient lookups for:
+    - Asset by ID
+    - Neighbors (outgoing edges)
+    - Predecessors (incoming edges)
+    - Assets by type
+
+    This is an immutable snapshot of the graph at scan time.
+    """
+
+    assets_by_id: dict[uuid.UUID, Asset]
+    outgoing: dict[uuid.UUID, list[Relationship]]
+    incoming: dict[uuid.UUID, list[Relationship]]
+
+    def asset(self, asset_id: uuid.UUID) -> Asset | None:
+        """Get an asset by ID."""
+        return self.assets_by_id.get(asset_id)
+
+    def neighbors(self, asset_id: uuid.UUID) -> list[uuid.UUID]:
+        """Get IDs of all assets this asset can reach (outgoing edges)."""
+        return [rel.target_asset_id for rel in self.outgoing.get(asset_id, [])]
+
+    def predecessors(self, asset_id: uuid.UUID) -> list[uuid.UUID]:
+        """Get IDs of all assets that can reach this asset (incoming edges)."""
+        return [rel.source_asset_id for rel in self.incoming.get(asset_id, [])]
+
+    def edges_from(self, asset_id: uuid.UUID) -> list[Relationship]:
+        """Get all outgoing relationships from an asset."""
+        return list(self.outgoing.get(asset_id, []))
+
+    def edges_to(self, asset_id: uuid.UUID) -> list[Relationship]:
+        """Get all incoming relationships to an asset."""
+        return list(self.incoming.get(asset_id, []))
+
+    def all_assets(self) -> list[Asset]:
+        """Get all assets in the graph."""
+        return list(self.assets_by_id.values())
+
+    def all_relationships(self) -> list[Relationship]:
+        """Get all relationships in the graph."""
+        all_rels = []
+        for rels in self.outgoing.values():
+            all_rels.extend(rels)
+        return all_rels
+
+    def asset_count(self) -> int:
+        """Get the number of assets."""
+        return len(self.assets_by_id)
+
+    def relationship_count(self) -> int:
+        """Get the number of relationships."""
+        return sum(len(rels) for rels in self.outgoing.values())
+
+    def assets_by_type(self, asset_type: str) -> list[Asset]:
+        """Get all assets of a specific type."""
+        return [a for a in self.assets_by_id.values() if a.asset_type == asset_type]
+
+    def entry_points(self) -> list[Asset]:
+        """
+        Get all internet-facing entry points.
+
+        Includes:
+        1. Assets reachable via CAN_REACH edges from the Internet (preferred)
+        2. Assets marked as internet_facing (fallback/legacy)
+        """
+        entries: dict[uuid.UUID, Asset] = {}
+
+        # 1. CAN_REACH from Internet
+        if INTERNET_ASSET_ID in self.outgoing:
+            for rel in self.outgoing[INTERNET_ASSET_ID]:
+                if rel.relationship_type == "CAN_REACH":
+                    asset = self.assets_by_id.get(rel.target_asset_id)
+                    if asset:
+                        entries[asset.id] = asset
+
+        # 2. Legacy/Attribute-based checks
+        for asset in self.assets_by_id.values():
+            if asset.id in entries:
+                continue
+
+            if asset.is_internet_facing:
+                entries[asset.id] = asset
+            elif asset.asset_type in [
+                "ec2:elastic-ip",
+                "elbv2:load-balancer",
+                "elb:load-balancer",
+                "cloudfront:distribution",
+                "apigateway:rest-api",
+            ]:
+                if asset.properties.get("scheme") == "internet-facing":
+                    entries[asset.id] = asset
+                elif asset.properties.get("public_ip"):
+                    entries[asset.id] = asset
+
+        return list(entries.values())
+
+    def sensitive_targets(self) -> list[Asset]:
+        """
+        Get all sensitive target assets.
+
+        Targets are assets marked as sensitive or have specific types
+        (databases, secrets, admin roles).
+        """
+        targets = []
+        for asset in self.assets_by_id.values():
+            if asset.is_sensitive_target:
+                targets.append(asset)
+            elif asset.asset_type in [
+                "rds:db-instance",
+                "dynamodb:table",
+                "secretsmanager:secret",
+                "ssm:parameter",
+            ]:
+                targets.append(asset)
+            elif asset.asset_type == "iam:role":
+                name_lower = asset.name.lower()
+                if any(kw in name_lower for kw in ["admin", "root", "power"]):
+                    targets.append(asset)
+            elif asset.asset_type == "s3:bucket":
+                name_lower = asset.name.lower()
+                if any(kw in name_lower for kw in ["secret", "credential", "backup"]):
+                    targets.append(asset)
+        return targets
+
+
+class GraphBuilder:
+    """
+    Builds an AwsGraph from assets and relationships.
+
+    Example:
+        builder = GraphBuilder()
+        graph = builder.build(assets=assets, relationships=relationships)
+    """
+
+    def build(
+        self,
+        *,
+        assets: Sequence[Asset],
+        relationships: Sequence[Relationship],
+    ) -> AwsGraph:
+        """
+        Build a graph from assets and relationships.
+
+        Only includes relationships where both endpoints exist
+        in the provided asset list.
+        """
+        assets_by_id: dict[uuid.UUID, Asset] = {asset.id: asset for asset in assets}
+        outgoing: dict[uuid.UUID, list[Relationship]] = {}
+        incoming: dict[uuid.UUID, list[Relationship]] = {}
+
+        for rel in relationships:
+            # Skip relationships with missing endpoints
+            if rel.source_asset_id not in assets_by_id:
+                continue
+            if rel.target_asset_id not in assets_by_id:
+                continue
+
+            # Task 11.1: Edge Kind Inference for Legacy Data
+            # Create a copy if we need to infer edge_kind to avoid mutating input
+            if rel.edge_kind == EdgeKind.UNKNOWN:
+                rtype = rel.relationship_type.upper()
+                inferred_kind = EdgeKind.UNKNOWN
+
+                # Structural Edges
+                if rtype in ["CONTAINS", "USES", "ALLOWS_TRAFFIC_TO", "ATTACHED_TO", "TRUSTS"]:
+                    inferred_kind = EdgeKind.STRUCTURAL
+                # Capability Edges
+                elif rtype.startswith("CAN_") or rtype.startswith("MAY_") or rtype in ["ROUTES_TO", "EXPOSES", "INVOKES", "CONNECTS_TO"]:
+                    inferred_kind = EdgeKind.CAPABILITY
+
+                if inferred_kind != EdgeKind.UNKNOWN:
+                    rel = rel.model_copy(update={"edge_kind": inferred_kind})
+
+            outgoing.setdefault(rel.source_asset_id, []).append(rel)
+            incoming.setdefault(rel.target_asset_id, []).append(rel)
+
+        return AwsGraph(
+            assets_by_id=assets_by_id,
+            outgoing=outgoing,
+            incoming=incoming,
+        )