Merge branch 'master' of github.com:prowler-cloud/prowler into changelog-v5.23.0

api/CHANGELOG.md

@@ -2,12 +2,11 @@
 
 All notable changes to the **Prowler API** are documented in this file.
 
-## [1.24.0] (Prowler UNRELEASED)
+## [1.24.0] (Prowler v5.23.0)
 
 ### 🚀 Added
 
-- Pin all unpinned dependencies to exact versions to prevent supply chain attacks and ensure reproducible builds [(#10469)](https://github.com/prowler-cloud/prowler/pull/10469)
-- Filter RBAC role lookup by `tenant_id` to prevent cross-tenant privilege leak [(#10491)](https://github.com/prowler-cloud/prowler/pull/10491)
+- RBAC role lookup filtered by `tenant_id` to prevent cross-tenant privilege leak [(#10491)](https://github.com/prowler-cloud/prowler/pull/10491)
 - `VALKEY_SCHEME`, `VALKEY_USERNAME`, and `VALKEY_PASSWORD` environment variables to configure Celery broker TLS/auth connection details for Valkey/ElastiCache [(#10420)](https://github.com/prowler-cloud/prowler/pull/10420)
 - `Vercel` provider support [(#10190)](https://github.com/prowler-cloud/prowler/pull/10190)
 - Finding groups list and latest endpoints support `sort=delta`, ordering by `new_count` then `changed_count` so groups with the most new findings rank highest [(#10606)](https://github.com/prowler-cloud/prowler/pull/10606)

docs/user-guide/tutorials/prowler-app-attack-paths.mdx

@@ -121,43 +121,58 @@ Custom queries are sandboxed to keep the graph database safe and responsive:
 
 ### Example Queries
 
-The following examples are read-only and can be pasted directly into the editor.
+The following examples are read-only and can be pasted directly into the editor. Each one demonstrates a different graph traversal pattern.
 
-**List all S3 buckets in the scan:**
+**Internet-exposed EC2 instances with their security group rules:**
 
 ```cypher
-MATCH (b:S3Bucket)
-RETURN b.name AS bucket, b.region AS region
-LIMIT 50
-```
-
-**Find IAM roles that can be assumed from the internet:**
-
-```cypher
-MATCH (r:AWSRole)
-WHERE r.trust_policy CONTAINS '"Principal":"*"'
-RETURN r.arn AS role_arn, r.name AS role_name
+MATCH (i:EC2Instance)--(sg:EC2SecurityGroup)--(rule:IpPermissionInbound)
+WHERE i.exposed_internet = true
+RETURN i.instanceid AS instance, sg.name AS security_group,
+       rule.fromport AS from_port, rule.toport AS to_port
 LIMIT 25
 ```
 
-**Find EC2 instances exposed to the internet with attached IAM roles:**
+**EC2 instances that can assume IAM roles:**
 
 ```cypher
 MATCH (i:EC2Instance)-[:STS_ASSUMEROLE_ALLOW]->(r:AWSRole)
 WHERE i.exposed_internet = true
-RETURN i.instanceid AS instance_id, r.arn AS role_arn
+RETURN i.instanceid AS instance, r.name AS role_name, r.arn AS role_arn
 LIMIT 25
 ```
 
-**Inspect Prowler findings linked to a specific resource type:**
+**IAM principals with wildcard Allow statements:**
 
 ```cypher
-MATCH (b:S3Bucket)-[:HAS_FINDING]->(f:ProwlerFinding)
-WHERE f.severity IN ['critical', 'high']
-RETURN b.name AS bucket, f.check_id AS check, f.severity AS severity
+MATCH (principal:AWSPrincipal)--(policy:AWSPolicy)--(stmt:AWSPolicyStatement)
+WHERE stmt.effect = 'Allow'
+  AND ANY(action IN stmt.action WHERE action = '*')
+RETURN principal.arn AS principal, policy.arn AS policy,
+       stmt.action AS actions, stmt.resource AS resources
+LIMIT 25
+```
+
+**Critical findings on internet-exposed resources:**
+
+```cypher
+MATCH (i:EC2Instance)-[:HAS_FINDING]->(f:ProwlerFinding)
+WHERE i.exposed_internet = true AND f.status = 'FAIL'
+  AND f.severity IN ['critical', 'high']
+RETURN i.instanceid AS instance, f.check_id AS check,
+       f.severity AS severity, f.status AS status
 LIMIT 50
 ```
 
+**Roles trusting an AWS service (building block for PassRole escalation):**
+
+```cypher
+MATCH (r:AWSRole)-[:TRUSTS_AWS_PRINCIPAL]->(p:AWSPrincipal)
+WHERE p.arn ENDS WITH '.amazonaws.com'
+RETURN r.name AS role_name, r.arn AS role_arn, p.arn AS trusted_service
+LIMIT 25
+```
+
 ### Tips for Writing Queries
 
 - Start small with `LIMIT` to inspect the shape of the data before broadening the pattern.
@@ -171,7 +186,7 @@ Attack Paths graphs are populated by [Cartography](https://github.com/cartograph
 
 For the complete catalogue of node labels and relationships available in custom queries, refer to the official Cartography schema documentation:
 
-- **AWS:** [Cartography AWS Schema](https://github.com/cartography-cncf/cartography/blob/master/docs/root/modules/aws/schema.md)
+- **AWS:** [Cartography AWS Schema](https://cartography-cncf.github.io/cartography/modules/aws/schema.html)
 
 In addition to the upstream schema, Prowler enriches the graph with:
 

mcp_server/CHANGELOG.md

@@ -2,7 +2,7 @@
 
 All notable changes to the **Prowler MCP Server** are documented in this file.
 
-## [0.6.0] (Prowler UNRELEASED)
+## [0.6.0] (Prowler v5.23.0)
 
 ### 🚀 Added
 

prowler/CHANGELOG.md

@@ -2,7 +2,7 @@
 
 All notable changes to the **Prowler SDK** are documented in this file.
 
-## [5.23.0] (Prowler UNRELEASED)
+## [5.23.0] (Prowler v5.23.0)
 
 ### 🚀 Added
 
@@ -21,19 +21,19 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - `entra_conditional_access_policy_device_registration_mfa_required` check and `entra_intune_enrollment_sign_in_frequency_every_time` enhancement for M365 provider [(#10222)](https://github.com/prowler-cloud/prowler/pull/10222)
 - `entra_conditional_access_policy_block_elevated_insider_risk` check for M365 provider [(#10234)](https://github.com/prowler-cloud/prowler/pull/10234)
 - `Vercel` provider support with 30 checks [(#10189)](https://github.com/prowler-cloud/prowler/pull/10189)
+- `internet-exposed` category for 13 AWS checks (CloudFront, CodeArtifact, EC2, EFS, RDS, SageMaker, Shield, VPC) [(#10502)](https://github.com/prowler-cloud/prowler/pull/10502)
 - `stepfunctions_statemachine_no_secrets_in_definition` check for hardcoded secrets in AWS Step Functions state machine definitions [(#10570)](https://github.com/prowler-cloud/prowler/pull/10570)
 - CCC improvements with the latest checks and new mappings [(#10625)](https://github.com/prowler-cloud/prowler/pull/10625)
 
 ### 🔄 Changed
 
-- Added `internet-exposed` category to 13 AWS checks (CloudFront, CodeArtifact, EC2, EFS, RDS, SageMaker, Shield, VPC) [(#10502)](https://github.com/prowler-cloud/prowler/pull/10502)
 - Minimum Python version from 3.9 to 3.10 and updated classifiers to reflect supported versions (3.10, 3.11, 3.12) [(#10464)](https://github.com/prowler-cloud/prowler/pull/10464)
 - Pin direct SDK dependencies to exact versions and rely on `poetry.lock` artifact hashes for reproducible installs [(#10593)](https://github.com/prowler-cloud/prowler/pull/10593)
 - Sensitive CLI flags now warn when values are passed directly, recommending environment variables instead [(#10532)](https://github.com/prowler-cloud/prowler/pull/10532)
 
 ### 🐞 Fixed
 
-- OCI mutelist support: pass `tenancy_id` to `is_finding_muted` and update `oraclecloud_mutelist_example.yaml` to use `Accounts` key [(#10565)](https://github.com/prowler-cloud/prowler/issues/10565)
+- OCI mutelist support: pass `tenancy_id` to `is_finding_muted` and update `oraclecloud_mutelist_example.yaml` to use `Accounts` key [(#10566)](https://github.com/prowler-cloud/prowler/pull/10566)
 - `return` statements in `finally` blocks replaced across IAM, Organizations, GCP provider, and custom checks metadata to stop silently swallowing exceptions [(#10102)](https://github.com/prowler-cloud/prowler/pull/10102)
 - `JiraConnection` now includes issue types per project fetched during `test_connection`, fixing `JiraInvalidIssueTypeError` on non-English Jira instances [(#10534)](https://github.com/prowler-cloud/prowler/pull/10534)
 - `--list-checks` and `--list-checks-json` now include `threat-detection` category checks in their output [(#10578)](https://github.com/prowler-cloud/prowler/pull/10578)
@@ -42,6 +42,14 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - `is_policy_public` now recognizes `kms:CallerAccount`, `kms:ViaService`, `aws:CalledVia`, `aws:CalledViaFirst`, and `aws:CalledViaLast` as restrictive condition keys, fixing false positives in `kms_key_policy_is_not_public` and other checks that use `is_condition_block_restrictive` [(#10600)](https://github.com/prowler-cloud/prowler/pull/10600)
 - `_enabled_regions` empty-set bug in `AwsProvider.generate_regional_clients` creating boto3 clients for all 36 AWS regions instead of the audited ones, causing random CI timeouts and slow test runs [(#10598)](https://github.com/prowler-cloud/prowler/pull/10598)
 - Retrieve only the latest version from a package in AWS CodeArtifact [(#10243)](https://github.com/prowler-cloud/prowler/pull/10243)
+- AWS global services (CloudFront, Route53, Shield, FMS) now use the partition's global region instead of the profile's default region [(#10458)](https://github.com/prowler-cloud/prowler/pull/10458)
+- Oracle Cloud `events_rule_idp_group_mapping_changes` now recognizes the CIS 3.1 `add/remove` event names to avoid false positives [(#10416)](https://github.com/prowler-cloud/prowler/pull/10416)
+- Oracle Cloud password policy checks now exclude immutable system-managed policies (`SimplePasswordPolicy`, `StandardPasswordPolicy`) to avoid false positives [(#10453)](https://github.com/prowler-cloud/prowler/pull/10453)
+- Oracle Cloud `kms_key_rotation_enabled` now checks current key version age to avoid false positives on vaults without auto-rotation support [(#10450)](https://github.com/prowler-cloud/prowler/pull/10450)
+- OCI filestorage, blockstorage, KMS, and compute services now honor `--region` for scanning outside the tenancy home region [(#10472)](https://github.com/prowler-cloud/prowler/pull/10472)
+- OCI provider now supports multi-region filtering via `--region` [(#10473)](https://github.com/prowler-cloud/prowler/pull/10473)
+- `prowler image --registry` failing with `ImageNoImagesProvidedError` due to registry arguments not being forwarded to `ImageProvider` in `init_global_provider` [(#10470)](https://github.com/prowler-cloud/prowler/pull/10470)
+- OCI multi-region support for identity client configuration in blockstorage, identity, and filestorage services [(#10520)](https://github.com/prowler-cloud/prowler/pull/10520)
 
 ### 🔐 Security
 
@@ -52,21 +60,6 @@ All notable changes to the **Prowler SDK** are documented in this file.
 
 ---
 
-## [5.22.1] (Prowler UNRELEASED)
-
-### 🐞 Fixed
-
-- AWS global services (CloudFront, Route53, Shield, FMS) now use the partition's global region instead of the profile's default region [(#10458)](https://github.com/prowler-cloud/prowler/issues/10458)
-- Oracle Cloud `events_rule_idp_group_mapping_changes` now recognizes the CIS 3.1 `add/remove` event names to avoid false positives [(#10416)](https://github.com/prowler-cloud/prowler/pull/10416)
-- Oracle Cloud password policy checks now exclude immutable system-managed policies (`SimplePasswordPolicy`, `StandardPasswordPolicy`) to avoid false positives [(#10453)](https://github.com/prowler-cloud/prowler/pull/10453)
-- Oracle Cloud `kms_key_rotation_enabled` now checks current key version age to avoid false positives on vaults without auto-rotation support [(#10450)](https://github.com/prowler-cloud/prowler/pull/10450)
-- Oracle Cloud patch for filestorage, blockstorage, kms, and compute services in OCI to allow for region scanning outside home [(#10455)](https://github.com/prowler-cloud/prowler/pull/10472)
-- Oracle cloud provider now supports multi-region filtering [(#10435)](https://github.com/prowler-cloud/prowler/pull/10473)
-- `prowler image --registry` failing with `ImageNoImagesProvidedError` due to registry arguments not being forwarded to `ImageProvider` in `init_global_provider` [(#10457)](https://github.com/prowler-cloud/prowler/issues/10457)
-- Oracle Cloud multi-region support for identity client configuration in blockstorage, identity, and filestorage services [(#10519)](https://github.com/prowler-cloud/prowler/pull/10520)
-
----
-
 ## [5.22.0] (Prowler v5.22.0)
 
 ### 🐞 Fixed

ui/CHANGELOG.md

@@ -2,7 +2,7 @@
 
 All notable changes to the **Prowler UI** are documented in this file.
 
-## [1.23.0] (Prowler UNRELEASED)
+## [1.23.0] (Prowler v5.23.0)
 
 ### 🚀 Added
 
@@ -26,6 +26,7 @@ All notable changes to the **Prowler UI** are documented in this file.
 - Deleting the active organization now switches to the target org before deleting, preventing JWT rejection from the backend [(#10491)](https://github.com/prowler-cloud/prowler/pull/10491)
 - Clear Filters now resets all filters including muted findings and auto-applies, Clear all in pills only removes pill-visible sub-filters, and the discard icon is now an Undo text button [(#10446)](https://github.com/prowler-cloud/prowler/pull/10446)
 - Send to Jira modal now dynamically fetches and displays available issue types per project instead of hardcoding `"Task"`, fixing failures on non-English Jira instances [(#10534)](https://github.com/prowler-cloud/prowler/pull/10534)
+- Exclude service filter from finding group resources endpoint to prevent empty results when a service filter is active [(#10652)](https://github.com/prowler-cloud/prowler/pull/10652)
 
 ---
 

ui/actions/finding-groups/finding-groups.ts

@@ -41,10 +41,25 @@ function splitCsvFilterValues(value: string | string[] | undefined): string[] {
   return [];
 }
 
+/**
+ * Filters that belong to finding-groups but are NOT valid for the
+ * finding-group resources sub-endpoint. These must be stripped before
+ * calling the resources API to avoid empty results.
+ */
+const FINDING_GROUP_ONLY_FILTERS = ["filter[service__in]"] as const;
+
 function normalizeFindingGroupResourceFilters(
   filters: Record<string, string | string[] | undefined>,
 ): Record<string, string | string[] | undefined> {
-  const normalized = { ...filters };
+  const normalized = Object.fromEntries(
+    Object.entries(filters).filter(
+      ([key]) =>
+        !FINDING_GROUP_ONLY_FILTERS.includes(
+          key as (typeof FINDING_GROUP_ONLY_FILTERS)[number],
+        ),
+    ),
+  );
+
   const exactStatusFilter = normalized["filter[status]"];
 
   if (exactStatusFilter !== undefined) {

ui/components/findings/table/findings-group-drill-down.tsx

@@ -270,7 +270,9 @@ export function FindingsGroupDrillDown({
                     colSpan={columns.length}
                     className="h-24 text-center"
                   >
-                    No resources found.
+                    {Object.keys(filters).length > 0
+                      ? "No resources found for the selected filters."
+                      : "No resources found."}
                   </TableCell>
                 </TableRow>
               ) : null}

ui/components/findings/table/inline-resource-container.tsx

@@ -363,7 +363,9 @@ export function InlineResourceContainer({
                             colSpan={columns.length}
                             className="h-24 text-center"
                           >
-                            No resources found.
+                            {Object.keys(filters).length > 0
+                              ? "No resources found for the selected filters."
+                              : "No resources found."}
                           </TableCell>
                         </TableRow>
                       )}