fix(attack-paths): read findings using replica DB and add more logs (#9861)

2026-01-25 02:08:11 +00:00 · 2026-01-22 14:51:22 +01:00
parent dce05295ef
commit 7dfafb9337
5 changed files with 63 additions and 18 deletions
--- a/api/CHANGELOG.md
+++ b/api/CHANGELOG.md
@@ -9,6 +9,10 @@ All notable changes to the **Prowler API** are documented in this file.
 - Improve API startup process by `manage.py` argument detection [(#9856)](https://github.com/prowler-cloud/prowler/pull/9856)
 - Deleting providers don't try to delete a `None` Neo4j database when an Attack Paths scan is scheduled [(#9858)](https://github.com/prowler-cloud/prowler/pull/9858)

+### Fixed
+
+- Use replica database for reading Findings to add them to the Attack Paths graph [(#9861)](https://github.com/prowler-cloud/prowler/pull/9861)
+
 ## [1.18.0] (Prowler v5.17.0)

 ### Added
@@ -21,6 +25,7 @@ All notable changes to the **Prowler API** are documented in this file.
 - Attack Paths: `/api/v1/attack-paths-scans` for AWS providers backed by Neo4j [(#9805)](https://github.com/prowler-cloud/prowler/pull/9805)

 ### Security
+
 - Django 5.1.15 (CVE-2025-64460, CVE-2025-13372), Werkzeug 3.1.4 (CVE-2025-66221), sqlparse 0.5.5 (PVE-2025-82038), fonttools 4.60.2 (CVE-2025-66034) [(#9730)](https://github.com/prowler-cloud/prowler/pull/9730)
 - `safety` to `3.7.0` and `filelock` to `3.20.3` due to [Safety vulnerability 82754 (CVE-2025-68146)](https://data.safetycli.com/v/82754/97c/) [(#9816)](https://github.com/prowler-cloud/prowler/pull/9816)
 - `pyasn1` to v0.6.2 to address [CVE-2026-23490](https://nvd.nist.gov/vuln/detail/CVE-2026-23490) [(#9818)](https://github.com/prowler-cloud/prowler/pull/9818)
--- a/api/src/backend/tasks/jobs/attack_paths/aws.py
+++ b/api/src/backend/tasks/jobs/attack_paths/aws.py
@@ -59,6 +59,7 @@ def start_aws_ingestion(
    )

    # Starting with sync functions
+    logger.info(f"Syncing organizations for AWS account {prowler_api_provider.uid}")
    cartography_aws.organizations.sync(
        neo4j_session,
        {prowler_api_provider.alias: prowler_api_provider.uid},
@@ -84,13 +85,22 @@ def start_aws_ingestion(
    )

    if "permission_relationships" in requested_syncs:
+        logger.info(
+            f"Syncing function permission_relationships for AWS account {prowler_api_provider.uid}"
+        )
        cartography_aws.RESOURCE_FUNCTIONS["permission_relationships"](**sync_args)
    db_utils.update_attack_paths_scan_progress(attack_paths_scan, 88)

    if "resourcegroupstaggingapi" in requested_syncs:
+        logger.info(
+            f"Syncing function resourcegroupstaggingapi for AWS account {prowler_api_provider.uid}"
+        )
        cartography_aws.RESOURCE_FUNCTIONS["resourcegroupstaggingapi"](**sync_args)
    db_utils.update_attack_paths_scan_progress(attack_paths_scan, 89)

+    logger.info(
+        f"Syncing ec2_iaminstanceprofile scoped analysis for AWS account {prowler_api_provider.uid}"
+    )
    cartography_aws.run_scoped_analysis_job(
        "aws_ec2_iaminstanceprofile.json",
        neo4j_session,
@@ -98,6 +108,9 @@ def start_aws_ingestion(
    )
    db_utils.update_attack_paths_scan_progress(attack_paths_scan, 90)

+    logger.info(
+        f"Syncing lambda_ecr analysis for AWS account {prowler_api_provider.uid}"
+    )
    cartography_aws.run_analysis_job(
        "aws_lambda_ecr.json",
        neo4j_session,
@@ -105,6 +118,7 @@ def start_aws_ingestion(
    )
    db_utils.update_attack_paths_scan_progress(attack_paths_scan, 91)

+    logger.info(f"Syncing metadata for AWS account {prowler_api_provider.uid}")
    cartography_aws.merge_module_sync_metadata(
        neo4j_session,
        group_type="AWSAccount",
@@ -118,6 +132,7 @@ def start_aws_ingestion(
    # Removing the added extra field
    del common_job_parameters["AWS_ID"]

+    logger.info(f"Syncing cleanup_job for AWS account {prowler_api_provider.uid}")
    cartography_aws.run_cleanup_job(
        "aws_post_ingestion_principals_cleanup.json",
        neo4j_session,
@@ -125,6 +140,7 @@ def start_aws_ingestion(
    )
    db_utils.update_attack_paths_scan_progress(attack_paths_scan, 93)

+    logger.info(f"Syncing analysis for AWS account {prowler_api_provider.uid}")
    cartography_aws._perform_aws_analysis(
        requested_syncs, neo4j_session, common_job_parameters
    )
--- a/api/src/backend/tasks/jobs/attack_paths/prowler.py
+++ b/api/src/backend/tasks/jobs/attack_paths/prowler.py
@@ -4,6 +4,7 @@ from cartography.client.core.tx import run_write_query
 from cartography.config import Config as CartographyConfig
 from celery.utils.log import get_task_logger

+from api.db_router import MainRouter
 from api.db_utils import rls_transaction
 from api.models import Provider, ResourceFindingMapping
 from config.env import env
@@ -95,8 +96,15 @@ def analysis(
    scan_id: str,
    config: CartographyConfig,
 ) -> None:
+    logger.info(f"Getting Prowler findings for AWS account {prowler_api_provider.uid}")
    findings_data = get_provider_last_scan_findings(prowler_api_provider, scan_id)
+
+    logger.info(f"Loading Prowler findings for AWS account {prowler_api_provider.uid}")
    load_findings(neo4j_session, findings_data, prowler_api_provider, config)
+
+    logger.info(
+        f"Cleaning up Prowler findings for AWS account {prowler_api_provider.uid}"
+    )
    cleanup_findings(neo4j_session, prowler_api_provider, config)


@@ -105,9 +113,12 @@ def get_provider_last_scan_findings(
    scan_id: str,
 ) -> list[dict[str, str]]:
    with rls_transaction(prowler_api_provider.tenant_id):
-        resource_finding_qs = ResourceFindingMapping.objects.filter(
+        resource_finding_qs = (
+            ResourceFindingMapping.objects.using(MainRouter.replica_db)
+            .filter(
                finding__scan_id=scan_id,
-        ).values(
+            )
+            .values(
                "resource__uid",
                "finding__id",
                "finding__uid",
@@ -124,6 +135,7 @@ def get_provider_last_scan_findings(
                "finding__muted",
                "finding__muted_reason",
            )
+        )

        findings = []
        for resource_finding in resource_finding_qs:
--- a/api/src/backend/tasks/jobs/attack_paths/scan.py
+++ b/api/src/backend/tasks/jobs/attack_paths/scan.py
@@ -117,13 +117,22 @@ def run(tenant_id: str, scan_id: str, task_id: str) -> dict[str, Any]:
            )

            # Post-processing: Just keeping it to be more Cartography compliant
+            logger.info(
+                f"Syncing Cartography ontology for AWS account {prowler_api_provider.uid}"
+            )
            cartography_ontology.run(neo4j_session, cartography_config)
            db_utils.update_attack_paths_scan_progress(attack_paths_scan, 95)

+            logger.info(
+                f"Syncing Cartography analysis for AWS account {prowler_api_provider.uid}"
+            )
            cartography_analysis.run(neo4j_session, cartography_config)
            db_utils.update_attack_paths_scan_progress(attack_paths_scan, 96)

            # Adding Prowler nodes and relationships
+            logger.info(
+                f"Syncing Prowler analysis for AWS account {prowler_api_provider.uid}"
+            )
            prowler.analysis(
                neo4j_session, prowler_api_provider, scan_id, cartography_config
            )
--- a/api/src/backend/tasks/tests/test_attack_paths_scan.py
+++ b/api/src/backend/tasks/tests/test_attack_paths_scan.py
@@ -402,6 +402,9 @@ class TestAttackPathsProwlerHelpers:
        with patch(
            "tasks.jobs.attack_paths.prowler.rls_transaction",
            new=lambda *args, **kwargs: nullcontext(),
+        ), patch(
+            "tasks.jobs.attack_paths.prowler.MainRouter.replica_db",
+            "default",
        ):
            findings_data = prowler_module.get_provider_last_scan_findings(
                provider,