From 57bcb74d0df1471078889409440c6bcb03ec1347 Mon Sep 17 00:00:00 2001
From: Josema Camacho
Date: Wed, 11 Mar 2026 18:12:43 +0100
Subject: [PATCH] fix(api): upgrade Cartography to 0.132.0 to fix exposed_internet on ELB/ELBv2 nodes (#10272)

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 api/CHANGELOG.md | 1 +
 api/Dockerfile | 7 ------
 api/poetry.lock | 25 ++++---------------
 api/pyproject.toml | 2 +-
 .../backend/tasks/jobs/attack_paths/aws.py | 25 +++++++++++++++++++
 5 files changed, 32 insertions(+), 28 deletions(-)

diff --git a/api/CHANGELOG.md b/api/CHANGELOG.md
index 1de35a8999..a76194ef6f 100644
--- a/api/CHANGELOG.md
+++ b/api/CHANGELOG.md
@@ -16,6 +16,7 @@ All notable changes to the **Prowler API** are documented in this file.
 ### 🐞 Fixed
 
 - Attack Paths: Add missing logging for query execution and exception details in scan error handling [(#10269)](https://github.com/prowler-cloud/prowler/pull/10269)
+- Attack Paths: Upgrade Cartography from 0.129.0 to 0.132.0, fixing `exposed_internet` not set on ELB/ELBv2 nodes [(#10272)](https://github.com/prowler-cloud/prowler/pull/10272)
 
 ---
 
diff --git a/api/Dockerfile b/api/Dockerfile
index 508bcae60e..a07115e9a4 100644
--- a/api/Dockerfile
+++ b/api/Dockerfile
@@ -24,13 +24,6 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 python3-dev \
 && rm -rf /var/lib/apt/lists/*
 
-# Cartography depends on `dockerfile` which has no pre-built arm64 wheel and requires Go to compile
-# hadolint ignore=DL3008
-RUN if [ "$(uname -m)" = "aarch64" ]; then \
- apt-get update && apt-get install -y --no-install-recommends golang-go \
- && rm -rf /var/lib/apt/lists/* ; \
- fi
-
 # Install PowerShell
 RUN ARCH=$(uname -m) && \
 if [ "$ARCH" = "x86_64" ]; then \
diff --git a/api/poetry.lock b/api/poetry.lock
index 6aba9045da..dba0433896 100644
--- a/api/poetry.lock
+++ b/api/poetry.lock
@@ -1822,14 +1822,14 @@ crt = ["awscrt (==0.27.6)"] [[package]] name = "cartography" -version = "0.129.0" +version = "0.132.0" description = "Explore assets and their relationships across your technical infrastructure." optional = false python-versions = ">=3.10" groups = ["main"] files = [ - {file = "cartography-0.129.0-py3-none-any.whl", hash = "sha256:d42c840369be9e4d0ac4d024074e3732416e40bab3d9a3023b6a247918daed4c"}, - {file = "cartography-0.129.0.tar.gz", hash = "sha256:cb47d603e652554a4cbcc1a868c96014eb02b3d5cc1affea0428b2ed7fa61699"}, + {file = "cartography-0.132.0-py3-none-any.whl", hash = "sha256:c070aa51d0ab4479cb043cae70b35e7df49f2fb5f1fa95ccf10000bbeb952262"}, + {file = "cartography-0.132.0.tar.gz", hash = "sha256:7c6332bc57fd2629d7b83aee7bd95a7b2edb0d51ef746efa0461399e0b66625c"}, ] [package.dependencies] @@ -1864,8 +1864,8 @@ boto3 = ">=1.15.1" botocore = ">=1.18.1" cloudflare = ">=4.1.0,<5.0.0" crowdstrike-falconpy = ">=0.5.1" +cryptography = "*" dnspython = ">=1.15.0" -dockerfile = ">=3.0.0" duo-client = "*" google-api-python-client = ">=1.7.8" google-auth = ">=2.37.0" 
@@ -3095,21 +3095,6 @@ docs = ["myst-parser (==0.18.0)", "sphinx (==5.1.1)"] ssh = ["paramiko (>=2.4.3)"] websockets = ["websocket-client (>=1.3.0)"] -[[package]] -name = "dockerfile" -version = "3.4.0" -description = "Parse a dockerfile into a high-level representation using the official go parser." -optional = false -python-versions = ">=3.9" -groups = ["main"] -files = [ - {file = "dockerfile-3.4.0-cp39-abi3-macosx_13_0_x86_64.whl", hash = "sha256:ed33446a76007cbb3f28c247f189cc06db34667d4f59a398a5c44912d7c13f36"}, - {file = "dockerfile-3.4.0-cp39-abi3-macosx_14_0_arm64.whl", hash = "sha256:a4549d4f038483c25906d4fec56bb6ffe82ae26e0f80a15f2c0fedbb50712053"}, - {file = "dockerfile-3.4.0-cp39-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.whl", hash = "sha256:b95102bd82e6f67c836186b51c13114aa586a20e8cb6441bde24d4070542009d"}, - {file = "dockerfile-3.4.0-cp39-abi3-win_amd64.whl", hash = "sha256:30202187f1885f99ac839fd41ca8150b2fd0a66fac12db0166361d0c4622e71a"}, - {file = "dockerfile-3.4.0.tar.gz", hash = "sha256:238bb950985c55a525daef8bbfe994a0230aa0978c419f4caa4d9ce0a37343f1"}, -] - [[package]] name = "dogpile-cache" version = "1.5.0" @@ -9397,4 +9382,4 @@ files = [ [metadata] lock-version = "2.1" python-versions = ">=3.11,<3.13" -content-hash = "42759b370c9e38da727e73f9d8ec0fa61bc6137eab18f11ccd7deff79a0dee69" +content-hash = "6e38c38b1f8dc05b881f49703fa445eec299527e6697992b18e4613534fbcdb6" diff --git a/api/pyproject.toml b/api/pyproject.toml index 05c24bb807..6e08dabdb2 100644 --- a/api/pyproject.toml +++ b/api/pyproject.toml @@ -37,7 +37,7 @@ dependencies = [ "matplotlib (>=3.10.6,<4.0.0)", "reportlab (>=4.4.4,<5.0.0)", "neo4j (>=6.0.0,<7.0.0)", - "cartography (==0.129.0)", + "cartography (==0.132.0)", "gevent (>=25.9.1,<26.0.0)", "werkzeug (>=3.1.4)", "sqlparse (>=0.5.4)", diff --git a/api/src/backend/tasks/jobs/attack_paths/aws.py b/api/src/backend/tasks/jobs/attack_paths/aws.py index 160ad6ee3a..e7f26b5173 100644 
--- a/api/src/backend/tasks/jobs/attack_paths/aws.py +++ b/api/src/backend/tasks/jobs/attack_paths/aws.py @@ -43,6 +43,7 @@ def start_aws_ingestion( "aws_guardduty_severity_threshold": cartography_config.aws_guardduty_severity_threshold, "aws_cloudtrail_management_events_lookback_hours": cartography_config.aws_cloudtrail_management_events_lookback_hours, "experimental_aws_inspector_batch": cartography_config.experimental_aws_inspector_batch, + "aws_tagging_api_cleanup_batch": cartography_config.aws_tagging_api_cleanup_batch, } boto3_session = get_boto3_session(prowler_api_provider, prowler_sdk_provider) @@ -116,6 +117,30 @@ def start_aws_ingestion( neo4j_session, common_job_parameters, ) + + if all( + s in requested_syncs + for s in ["ecs", "ec2:load_balancer_v2", "ec2:load_balancer_v2:expose"] + ): + logger.info( + f"Syncing lb_container_exposure scoped analysis for AWS account {prowler_api_provider.uid}" + ) + cartography_aws.run_scoped_analysis_job( + "aws_lb_container_exposure.json", + neo4j_session, + common_job_parameters, + ) + + if all(s in requested_syncs for s in ["ec2:network_acls", "ec2:load_balancer_v2"]): + logger.info( + f"Syncing lb_nacl_direct scoped analysis for AWS account {prowler_api_provider.uid}" + ) + cartography_aws.run_scoped_analysis_job( + "aws_lb_nacl_direct.json", + neo4j_session, + common_job_parameters, + ) + db_utils.update_attack_paths_scan_progress(attack_paths_scan, 91) logger.info(f"Syncing metadata for AWS account {prowler_api_provider.uid}")
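Review bot: The two prerequisite guards in the second hunk spell their sync names out inline as `all(s in requested_syncs for s in [...])` and carry no comment saying why exactly those syncs gate each analysis job, so a reader cannot tell whether the sets are Cartography's own requirements for `aws_lb_container_exposure.json` and `aws_lb_nacl_direct.json` or a local choice. I would hoist each set into a named module constant and use subset notation, e.g. `LB_CONTAINER_EXPOSURE_SYNCS = {"ecs", "ec2:load_balancer_v2", "ec2:load_balancer_v2:expose"}` and `if LB_CONTAINER_EXPOSURE_SYNCS.issubset(requested_syncs):`, with a one-line comment above each constant naming which synced nodes and relationships the job queries (and the Cartography version that introduced it, if known). That also makes the two guards read alike, where the hunk currently formats one across four lines and the other on one, presumably only because of the formatter's line-length split. If these jobs derive exposure edges solely from the synced inputs, as the guards imply, a short `logger.debug` noting that a job was skipped because a prerequisite sync was not requested would make a missing `exposed_internet` easier to diagnose than the silent fall-through the guards produce now. `start_aws_ingestion` begins before the first hunk and continues past the end of the second.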