github cartography-cncf/cartography 0.136.0
on GitHub

4 hours ago

What's Changed

  • feat(kube): Extend Kubernetes Module to have KubernetesNode and Container Architecture Info by @shyammukund in #2598
  • chore: bump types-requests from 2.33.0.20260327 to 2.33.0.20260402 by @dependabot[bot] in #2605
  • chore: bump the minor-and-patch group with 6 updates by @dependabot[bot] in #2604
  • chore: bump astral-sh/setup-uv from 7.6.0 to 8.0.0 by @dependabot[bot] in #2603
  • chore: bump docker/login-action from 4.0.0 to 4.1.0 in the minor-and-patch group across 1 directory by @dependabot[bot] in #2602
  • chore: bump python from 739e721 to eefe082 by @dependabot[bot] in #2601
  • chore: bump pytest from 9.0.2 to 9.0.3 by @dependabot[bot] in #2610
  • fix(googleworkspace): Handle Google Workspace memberships missing type by @kunaals in #2611
  • feat(gcp): Add Container Architecture Coverage for GCP Cloud Run by @shyammukund in #2600
  • feat(permissions): Add DynamoDB write and Secrets Manager permission mappings by @jychp in #2613
  • feat(kube): Add in HAS_IMAGE rel between KubernetesContainer and GCPArtifactRegistryImage by @shyammukund in #2608
  • feat(azure): Extend Azure Coverage so containers have architecture and digest info by @shyammukund in #2607
  • fix(ubuntu): add HTTP retry policy to avoid transient 503 failures by @serge-wq in #2609
  • feat(ontology): Add Analysis Job to compute RESOLVED_IMAGE rel between Container and Images by @shyammukund in #2617
  • feat(aws): Update HAS_IMAGE in ECS to extend to GAR and Gitlab Images by @shyammukund in #2618
  • fix(aws): reduce SageMaker regional retry tail by @kunaals in #2616
  • feat(gitlab): align code-to-cloud graph modeling by @jychp in #2612
  • feat(gcp): Update CloudRunJob and CloudRunRevision to have container ontology label by @shyammukund in #2619
  • feat(crowdstrike): enrich device ontology ownership by @kunaals in #2615
  • fix(rules): exclude inactive unmanaged accounts by @jychp in #2623
  • feat(kubernetes): map KubernetesCluster to its EKSCluster by @jychp in #2626
  • fix(github): defer global cleanup until all orgs sync by @jychp in #2621
  • feat(kubernetes): add IRSA service account role mapping by @jychp in #2627
  • feat(ontology): add SecurityIssue semantic label for non-CVE findings by @jychp in #2576
  • feat(jamf): sync device inventory and memberships by @kunaals in #2625
  • chore: bump types-requests from 2.33.0.20260402 to 2.33.0.20260408 by @dependabot[bot] in #2634
  • chore: bump types-pyyaml from 6.0.12.20250915 to 6.0.12.20260408 by @dependabot[bot] in #2633
  • fix(jamf): map mobile display fields into device ontology by @kunaals in #2636
  • chore: bump the minor-and-patch group with 2 updates by @dependabot[bot] in #2631
  • chore: bump python from eefe082 to d168b8d by @dependabot[bot] in #2630
  • fix(jamf): normalize mobile os before ontology mapping by @kunaals in #2638
  • fix(keycloak)/unsupported-pagination by @VeteaRes in #2516
  • fix(aws) use recommended function to fetch s3 bucket region by @aliahmed58 in #2509
  • chore: bump pyopenssl from 25.3.0 to 26.0.0 by @dependabot[bot] in #2637
  • chore(graph): bump default cleanup iterationsize to 10000 by @jychp in #2639
  • chore: bump the minor-and-patch group across 1 directory with 4 updates by @dependabot[bot] in #2632
  • fix(aws): honor configured profile even when only one is discovered by @jychp in #2641
  • fix(aws): skip permission relationships without resource arns by @jychp in #2644
  • fix(gcp): list Go modules via packages API in Artifact Registry by @jychp in #2649
  • feat(gcp): add GCPCloudRunService USES_SERVICE_ACCOUNT relationship by @jychp in #2651
  • feat(gcp): map CAN_READ from principals to GCPSecretManagerSecret by @jychp in #2652
  • feat(vercel): add Vercel ingestion module by @jychp in #2628
  • refactor(aws-iam): drop dead AccountAccessKey rel definitions by @jychp in #2654
  • feat(socketdev): add Socket.dev intel module for supply chain security by @jychp in #2629
  • feat: scope Container to individual containers; route Cloud Run + image-based Functions through Function by @jychp in #2653
  • fix(entra): Skip Group when a group gets deleted between listing and fetching by @shyammukund in #2624
  • feat(intune): stream detected apps transform to prevent OOM by @shyammukund in #2643
  • fix(gcp): skip default Apps Script project folders by @kunaals in #2656
  • feat(ontology): Jamf device emails should derive canonical ownership edges by @kunaals in #2661
  • feat(rules): add rule to detect unpinned GitHub Actions by @jychp in #2660
  • fix(aws): lower retry attempts and harden transient failures by @kunaals in #2553
  • feat(kubernetes): make list secrets and aws-auth configmap permissions optional by @jychp in #2663
  • fix(workos): migrate intel module to workos SDK v6 by @jychp in #2650
  • refactor: refine Container/Function ontology for Azure container groups and Cloud Run by @jychp in #2657
  • feat(tailscale): model grants and resolve effective access relationships by @jychp in #2647
  • fix(aws): preserve S3 buckets on head_bucket timeouts by @kunaals in #2666
  • fix(microsoft): migrate intune detected apps to report exports by @kunaals in #2664
  • fix(aws): filter unsupported service regions by @kunaals in #2662
  • fix(gcp): speed up vertex ai sync path by @kunaals in #2669
  • fix(cve): retry NIST NVD fetch on ChunkedEncodingError by @jychp in #2665
  • feat(cve_metadata): add CVE metadata enrichment intel module by @jychp in #2538
  • fix(kubernetes): process templated EKS aws-auth entries by @jychp in #2655
  • perf(gcp): batch permission relationship sync by @kunaals in #2673
  • refactor(ontology): remove OntologyRelMapping, migrate to analysis jobs and Python by @jychp in #2674
  • perf(gcp): speed up cloud run sync path by @kunaals in #2672
  • feat(ontology): promote DNSRecord to semantic label and add cross-provider DNS linking by @jychp in #2676
  • fix(gcp): Handle billing-disabled GCP KMS syncs gracefully by @kunaals in #2677
  • fix(gcp): Handle CAI policy binding rate limits in GCP sync by @kunaals in #2679
  • feat(scan): Add DEPLOYED rel between syft/trivy and images by @shyammukund in #2678
  • perf(aws): Add index on EC2Instance metadatahttptokens by @jychp in #2685
  • fix(gcp): speed up artifact registry sync by @kunaals in #2675
  • feat(ontology): map missing nodes and add FileStorage semantic label by @jychp in #2667
  • chore: bump the minor-and-patch group across 1 directory with 5 updates by @dependabot[bot] in #2689
  • chore: bump the minor-and-patch group with 2 updates by @dependabot[bot] in #2682
  • chore: bump python from d168b8d to a0779d7 by @dependabot[bot] in #2681
  • feat(gcp): Link GCP Artifact Registry platform images for ontology resolution by @kunaals in #2693
  • feat(gcp): Add workload_identity_enabled property to GKECluster by @jychp in #2688
  • feat(aws): add ECS ExecuteCommand permission relationship by @jychp in #2687
  • feat(aws): add public backup snapshot visibility by @jychp in #2645
  • fix(gcp): connect GCPPolicyBinding to bound resource via APPLIES_TO by @jychp in #2659
  • feat(aws): add ELBV2TargetGroup node and ECSService target registrations by @jychp in #2670
  • feat(kubernetes): add gateway-api ingestion for Gateway/HTTPRoute paths by @kunaals in #2414
  • feat(ontology): map OktaAdministrationRole, ScalewayPermissionSet, and WorkOSRole to roles by @jychp in #2686
  • feat: add support for EC2 IPv6 address extraction and storage by @Denyme24 in #2473
  • fix(aws): preserve ELB state on transient regional failures by @kunaals in #2680
  • fix(gcp): Retry transient GCP Artifact Registry list failures by @kunaals in #2691
  • fix(kubernetes): normalize gateway-api timestamps and skip on missing RBAC by @kunaals in #2694
  • feat(AIBOM): Add DETECTED_BY and SCANNED_BY rels between AIBOM and Image by @shyammukund in #2692
  • fix(syft): link packages with current image digests by @kunaals in #2699
  • fix(aws): index DynamoDB table ARNs by @kunaals in #2701
  • perf(aws): Batch ECR image layer relationship loads by @kunaals in #2698
  • fix(gcp): skip Cloud SQL user/database sync on non-running instances by @jychp in #2705
  • perf(gcp): tighten permission relationship reads by @kunaals in #2697
  • feat(gcp): Add code-to-cloud for GCP Artifact Registry by @jychp in #2690
  • chore(logging): demote noisy per-region/per-tenant info logs to debug by @jychp in #2702
  • feat(AIBOM): Add AIBOM Runs_ON container rel through analysis job by @shyammukund in #2708
  • feat(rules): add SLSA provenance coverage rule and tighten subimage coverage by @jychp in #2709
  • perf(matchlinks): Support opt-in scoped MatchLinks by @kunaals in #2700
  • test(gcp): add integration tests for empty parent cleanup behavior by @kunaals in #2306
  • fix(crowdstrike): stop leaking CVE nodes when Spotlight vulns close by @jychp in #2711
  • perf(cve_metadata): reduce NVD feed memory usage by @kunaals in #2712
  • fix(syft): skip malformed JSON files instead of aborting sync by @jychp in #2713
  • feature(reports): Add unified report source options for report ingestion by @kunaals in #2620
  • fix(kubernetes): map load balancer port status fields by @kunaals in #2715
  • feat(github): add GHCR container packages sync by @jychp in #2710
  • Handle pre-2002 CVEs in NVD yearly feeds by @kunaals in #2717
  • Simplify NVD yearly feed selection by @kunaals in #2718
  • feat(gitlab): ingest CI/CD runners, variables, environments, and pipelines config by @jychp in #2714
  • fix(aws): skip deleted Secrets Manager versions by @kunaals in #2720
  • fix(github): handle 400 from GHCR packages endpoint gracefully by @jychp in #2719
  • fix(cve_metadata): load metadata one feed year at a time by @jychp in #2721
  • feat(github): allow skipping unscoped cleanup by @kunaals in #2723
  • feat(indexes): add extra_index to AzureRoleAssignment.scope and K8s CRB role_name by @jychp in #2725
  • fix(googleworkspace): skip suspended users in OAuth token sync by @jychp in #2724
  • feat(gcp): GCP attack-path parity — IAM permission edges, SA keys, public-exposure rules, GKE Workload Identity by @jychp in #2726
  • fix(aws): fetch IAM tags once per sync, not per region by @jychp in #2728
  • chore: drop obsolete cleanup jobs and redundant index lines by @jychp in #2731
  • docs: ship intel-module procedures as auto-loaded skills + prefer uv for native install by @jychp in #2729
  • chore: bump docker/setup-docker-action from 5.0.0 to 5.1.0 in the minor-and-patch group by @dependabot[bot] in #2732
  • chore: bump the minor-and-patch group with 6 updates by @dependabot[bot] in #2733
  • perf(gcp): optimize Artifact Registry image writes by @kunaals in #2706
  • feat(ecr): Infer ECR provenance from CircleCI labels by @kunaals in #2727
  • refactor: unify workload chain across providers via WORKLOAD_PARENT by @jychp in #2735
  • refactor(reports): Refactor Report Reader to not need azure specific args by @shyammukund in #2722
  • fix(scanner): make azure cli import lazy by @shyammukund in #2736
  • fix(tailscale): tolerate 404 from Services endpoint by @jychp in #2739

New Contributors

Full Changelog: 0.135.0...0.136.0

Check out latest releases or
releases around cartography-cncf/cartography 0.136.0

Don't miss a new cartography release

NewReleases is sending notifications on new releases.

Get notifications