fix(attack-paths): improve findings ingestion cypher query (#9875)

Co-authored-by: Josema Camacho <josema@prowler.com>
2026-01-25 02:08:11 +00:00 · 2026-01-23 13:41:19 +01:00
parent b38a0358c9
commit fcc106abe3
2 changed files with 11 additions and 4 deletions
--- a/api/CHANGELOG.md
+++ b/api/CHANGELOG.md
@@ -13,6 +13,7 @@ All notable changes to the **Prowler API** are documented in this file.
 - Lazy load Neo4j driver [(#9868)](https://github.com/prowler-cloud/prowler/pull/9868)
 - Use `Findings.all_objects` to avoid the `ActiveProviderPartitionedManager` [(#9869)](https://github.com/prowler-cloud/prowler/pull/9869)
 - Lazy load Neo4j driver for workers only [(#9872)](https://github.com/prowler-cloud/prowler/pull/9872)
+- Improve Cypher query for inserting Findings into Attack Paths scan graphs [(#9874)](https://github.com/prowler-cloud/prowler/pull/9874)

 ## [1.18.0] (Prowler v5.17.0)

--- a/api/src/backend/tasks/jobs/attack_paths/prowler.py
+++ b/api/src/backend/tasks/jobs/attack_paths/prowler.py
@@ -25,12 +25,18 @@ INDEX_STATEMENTS = [
 ]

 INSERT_STATEMENT_TEMPLATE = """
+    MATCH (account:__ROOT_NODE_LABEL__ {id: $provider_uid})
    UNWIND $findings_data AS finding_data

-    MATCH (account:__ROOT_NODE_LABEL__ {id: $provider_uid})
-    MATCH (account)-->(resource)
-        WHERE resource.__NODE_UID_FIELD__ = finding_data.resource_uid
-            OR resource.id = finding_data.resource_uid
+    OPTIONAL MATCH (account)-->(resource_by_uid)
+        WHERE resource_by_uid.__NODE_UID_FIELD__ = finding_data.resource_uid
+    WITH account, finding_data, resource_by_uid
+
+    OPTIONAL MATCH (account)-->(resource_by_id)
+        WHERE resource_by_uid IS NULL
+            AND resource_by_id.id = finding_data.resource_uid
+    WITH account, finding_data, COALESCE(resource_by_uid, resource_by_id) AS resource
+        WHERE resource IS NOT NULL

    MERGE (finding:ProwlerFinding {id: finding_data.id})
        ON CREATE SET