[Sandbox] Cartography
Application contact emails
[email protected], [email protected]
Project Summary
Cartography builds a self-maintaining map of your infrastructure.
Project Description
Cartography consolidates infrastructure assets across multiple vendors and the relationships between them in a knowledge graph powered by an openCypher-compatible database.
Cartography aims to enable a broad set of exploration and automation scenarios. It is particularly good at exposing otherwise hidden dependency relationships between your service's assets so that you may validate assumptions about security risks.
Service owners can generate asset reports, Red Teamers can discover attack paths, and Blue Teamers can identify areas for security improvement. All can benefit from using the graph for manual exploration through a web frontend interface, or in an automated fashion by calling the APIs.
To provide specific examples, Cartography can be used to better understand AWS IAM permissions and perform automated vulnerability management on container images.
Org repo URL (provide if all repos under the org are in scope of the application)
N/A
Project repo URL in scope of application
https://github.com/lyft/cartography/
Additional repos in scope of the application
N/A
Website URL
https://github.com/lyft/cartography/
Roadmap
https://github.com/orgs/lyft/projects/26/views/1
Roadmap context
We built a new data model to make plugin development less error prone and improve write performance. We are currently focused on migrating older plugins to use it.
Contributing Guide
https://github.com/lyft/cartography/#contributing
Code of Conduct (CoC)
https://github.com/lyft/cartography/#code-of-conduct
Adopters
https://github.com/lyft/cartography/#who-uses-cartography
Contributing or Sponsoring Org
https://github.com/lyft
Maintainers file
https://github.com/lyft/cartography/blob/master/MAINTAINERS.md
IP Policy
- [X] If the project is accepted, I agree the project will follow the CNCF IP Policy
Trademark and accounts
- [X] If the project is accepted, I agree to donate all project trademarks and accounts to the CNCF
Why CNCF?
Cartography was open sourced by Lyft in March 2019 and we are proud of how the community has grown since then. We believe Cartography solves asset management and analysis problems in a useful way, and would like to continue to grow the project. However, this is not possible over the long run if its steward is just one company. By moving the project to a neutral open source foundation such as the CNCF, we hope that we will attract more users and contributors so that we can better sustain a steady stream of maintainers.
Benefit to the Landscape
We believe that having a Cartography-generated map over your infrastructure is a game changer for any security or devops shop. Cartography is not the only cloud inventory tool out there, but it differentiates itself in that it
- Has a healthy ecosystem of documented use-cases. Here is a sample of public contributions not created by Lyft employees: 1, 2, 3, 4, 5, 6
- Has a robust plugin architecture that makes it easy to extend
- Is easy to adopt in that it is shipped as a simple Python script and is flexible about how to deploy it.
Cloud Native 'Fit'
Landscape: Provisioning - Security & Compliance. Cartography is a foundational security tool that makes it easier to manage your infrastructure.
Its graph approach makes it easy to answer questions including but not limited to
- Who has read access to my sensitive datastores and how
- What is the effective blast radius of a compromised asset in my environment
- Which of my assets are open to the internet
- What are my cross-vendor trust relationships
- From which parent container image was this vulnerability introduced to my environment and who should I assign the action item to
As such, it fits in “Provisioning” and “Security & Compliance”.
TAGs: TAG Security
Cloud Native 'Integration'
Cartography uses the Neo4j graph database to build knowledge graphs of infra across multiple resource types.
Cloud Native Overlap
Trivy: As described in this blog, Cartography knowledge graphs can be used to orchestrate Trivy image scans so that we can identify whether a vulnerability was introduced by the service itself or by one of its parent images several layers up – a time-consuming task solved quickly using a graph approach.
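The lineage attribution described above, as an added example in Python (this is not Cartography's or Trivy's code). It walks a service image's parent chain over constructed scan results and assigns each finding to the top-most ancestor that already carries it, so the action item goes to that image's owner. The `Image` fields (`parent`, `owner`, `findings`) and the sample image names are assumptions made for this illustration, not Cartography's schema.

```python
"""Attribute container-image findings to the image in the lineage that introduced them.

Added example, not Cartography's or Trivy's own code. The data model here is a stand-in
for the image nodes and parent relationships a Cartography graph would hold.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Image:
    name: str
    owner: str                          # team that gets the action item
    parent: Optional[str] = None        # parent image name; None for a root image
    findings: Set[str] = field(default_factory=set)  # vulnerability IDs the scanner reported


# Constructed sample: a service image built FROM a company base image, itself FROM a distro image.
IMAGES: Dict[str, Image] = {
    "distro:stable": Image("distro:stable", "platform-team", None, {"VULN-LIBC-1"}),
    "company/base:2024": Image("company/base:2024", "platform-team", "distro:stable",
                               {"VULN-LIBC-1", "VULN-OPENSSL-2"}),
    "company/payments:42": Image("company/payments:42", "payments-team", "company/base:2024",
                                 {"VULN-LIBC-1", "VULN-OPENSSL-2", "VULN-APPDEP-3"}),
}


def lineage(images: Dict[str, Image], name: str) -> List[Image]:
    """Image followed by its ancestors, child first.

    Stops at a root, at a parent that is not in the inventory, or if the chain loops.
    """
    chain: List[Image] = []
    seen: Set[str] = set()
    cur: Optional[str] = name
    while cur is not None and cur in images and cur not in seen:
        seen.add(cur)
        chain.append(images[cur])
        cur = images[cur].parent
    return chain


def attribute_findings(images: Dict[str, Image], name: str) -> Dict[str, str]:
    """Map each finding on `name` to the furthest ancestor that also carries it.

    A finding is treated as inherited only while every step up the chain still has it;
    the first ancestor that lacks it ends the walk, so the finding is pinned to the image
    directly below that ancestor (the one that introduced it).
    """
    chain = lineage(images, name)
    if not chain:
        raise KeyError(name)
    origin_of: Dict[str, str] = {}
    for vuln in sorted(chain[0].findings):
        origin = chain[0]
        for ancestor in chain[1:]:
            if vuln not in ancestor.findings:
                break
            origin = ancestor
        origin_of[vuln] = origin.name
    return origin_of


def action_items(images: Dict[str, Image], name: str) -> Dict[str, List[str]]:
    """Group the findings on `name` by the owner of the image that introduced each one."""
    by_owner: Dict[str, List[str]] = {}
    for vuln, origin in attribute_findings(images, name).items():
        by_owner.setdefault(images[origin].owner, []).append(vuln)
    return by_owner


if __name__ == "__main__":
    for owner, vulns in action_items(IMAGES, "company/payments:42").items():
        print(f"{owner}: {', '.join(vulns)}")
```

Run it and the platform team is assigned the two findings inherited from the base images while the payments team only gets the application dependency it added itself. An image whose parent is missing from the inventory is treated as the root of its own chain, so its findings stay with its owner rather than being silently dropped.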
Similar projects
Similar CNCF projects
- ThreatMapper provides a graph view over network flows to prioritize threat scan results. Cartography is more general purpose as it can be applied to multiple infra/security scenarios, and is more low level in the sense that it only stores data to a graph database and does not include a user interface out of the box (other than the default Neo4j web interface).
Non-CNCF similar projects
- CloudQuery pulls data from multiple sources and loads it to multiple destinations. Cartography focuses on knowledge graphs.
- BloodHound creates knowledge graphs for identifying attack paths in Microsoft Windows domain environments. Cartography focuses on cloud assets and relating resources from one provider to another.
Landscape
No
Business Product or Service to Project separation
N/A
Project presentations
Yes.
- Meeting notes: 2020-03-11
- https://github.com/cncf/sig-security/issues/347
- Slides
Project champions
N/A
Additional information
Thank you for your consideration!
FWIW - I think this would be an amazing project to bring under CNCF! Defenders think in lists - attackers think in graphs as a wise person once noted. Also as a security TAG participant and previous assessor - and graphista - I'm happy to volunteer to lead a security review. I don't have any direct relationship to the project but I am very well versed in graphs and leading the K8s threat modeling and helped on the last K8s (and future) 3rd party audit efforts so I feel equipped to tackle any security reviews needed - with help from the TAG.
I'm not seeing cloud-native elements to this project. While it looks very useful on general principles, I'm not seeing any integration with existing cloud-native projects, nor dependencies on containers, microservices, or Kubernetes. Can you explain why Cartography is suitable for the CNCF in particular, instead of "a neutral foundation"?
Hi @jberkus, thanks for your read.
While it doesn't have a specific dependency on Kubernetes, cartography is suitable for the CNCF in particular because it was built to solve problems that are uniquely complicated in cloud native environments such as reasoning about permissions, networking, and container image lineage.
cartography also complements existing cloud-native tools and methodologies even though it doesn't directly integrate with them. Here are a few examples:
- Cross-vendor cross-cloud auditing: cloud-native environments often involve a mix of on-prem and cloud resources across multiple vendors that change over time, and cartography is useful for maintaining an inventory and providing a centralized view of the entire ecosystem. This is useful for reporting and regulatory requirements, and is described much more eloquently in Marco's blog Mapping Moving Clouds.
- Security incident response: if a detection agent like Falco detects that a malicious shell has been launched in a container, it can send security alerts to an observability platform, and an incident handler can then use cartography to put the alert into context:
  - What service does that container belong to?
  - Assuming this service is compromised, what other assets is the malicious actor able to access or pivot to? What is the blast radius?
  - Who is on call for the service and who else do I need to notify?
- Microservice comms: cartography is not directly involved in the network comms that happen in a service mesh, but it complements them by visualizing the topology and dependencies between services, such as how it can show K8s nodes grouped by cluster and how network ingress and egress is controlled, or how it can maintain an inventory of all known URI endpoints of an application and map them to owners.
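The questions listed under Cloud Native 'Fit' above (who can read a sensitive datastore and how, the blast radius of a compromised asset) and the incident-response scenario in the comment just above, worked as an added example in Python. This is not Cartography's own code: Cartography stores the graph in Neo4j and you would ask these questions in Cypher, whereas here a small constructed in-memory graph stands in for it so the traversal logic runs offline. The node names and relationship types (RUNS_AS, STS_ASSUMEROLE_ALLOW, CAN_READ, BELONGS_TO_SERVICE, OWNED_BY, ON_CALL) are assumptions for this illustration, only loosely modeled on Cartography's schema.

```python
"""Blast radius, access paths and ownership over a small infrastructure graph.

Added example, not Cartography's code. The edge list below is constructed sample data;
relationship names are illustrative, not necessarily Cartography's.
"""
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

Edge = Tuple[str, str, str]  # (source node, relationship type, target node)

# Constructed sample: two workloads, the roles they run as, and what those roles can reach.
EDGES: List[Edge] = [
    ("pod:payments-7f", "BELONGS_TO_SERVICE", "svc:payments"),
    ("pod:payments-7f", "RUNS_AS", "role:payments-app"),
    ("role:payments-app", "CAN_READ", "s3:customer-exports"),
    ("role:payments-app", "STS_ASSUMEROLE_ALLOW", "role:analytics-ro"),
    ("role:analytics-ro", "CAN_READ", "s3:pii-archive"),
    ("user:alice", "STS_ASSUMEROLE_ALLOW", "role:analytics-ro"),
    ("pod:search-1", "RUNS_AS", "role:search-app"),
    ("role:search-app", "CAN_READ", "s3:search-index"),
    ("svc:payments", "OWNED_BY", "team:payments"),
    ("team:payments", "ON_CALL", "person:bob"),
]

# Relationship types an attacker who controls a node could follow to the next node.
# Ownership edges are deliberately excluded: they describe people, not a pivot.
PIVOT_RELS: Set[str] = {"RUNS_AS", "STS_ASSUMEROLE_ALLOW", "CAN_READ"}

# Roughly the same question in Cypher against a graph with these relationship names:
#   MATCH p = (start {id: $id})-[:RUNS_AS|STS_ASSUMEROLE_ALLOW|CAN_READ*1..]->(reached)
#   RETURN reached.id, p


def index(edges: List[Edge], reverse: bool = False) -> Dict[str, List[Tuple[str, str]]]:
    """Adjacency list keyed by source (or by target when reverse=True)."""
    adj: Dict[str, List[Tuple[str, str]]] = {}
    for src, rel, dst in edges:
        if reverse:
            adj.setdefault(dst, []).append((rel, src))
        else:
            adj.setdefault(src, []).append((rel, dst))
    return adj


def reachable(adj: Dict[str, List[Tuple[str, str]]], start: str, rels: Set[str]) -> Dict[str, List[str]]:
    """BFS restricted to the given relationship types.

    Returns each reached node with the path used to get there, as an alternating list
    [node, rel, node, rel, ...], so the answer says *how* as well as *what*.
    """
    paths: Dict[str, List[str]] = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in adj.get(node, []):
            if rel in rels and nxt not in paths:
                paths[nxt] = paths[node] + [rel, nxt]
                queue.append(nxt)
    return paths


def blast_radius(edges: List[Edge], compromised: str) -> Dict[str, List[str]]:
    """Everything a compromised node can pivot to, with the pivot path, excluding itself."""
    paths = reachable(index(edges), compromised, PIVOT_RELS)
    return {n: p for n, p in paths.items() if n != compromised}


def who_can_read(edges: List[Edge], datastore: str) -> Dict[str, List[str]]:
    """Every node that reaches the datastore over pivot relationships, and its path.

    Walks the edges backwards from the datastore, then flips each path so it reads
    principal -> ... -> datastore.
    """
    back = reachable(index(edges, reverse=True), datastore, PIVOT_RELS)
    return {n: list(reversed(p)) for n, p in back.items() if n != datastore}


def incident_context(edges: List[Edge], pod: str) -> Dict[str, Optional[str]]:
    """Which service a pod belongs to, which team owns that service, and who is on call."""
    adj = index(edges)

    def follow(node: Optional[str], rel: str) -> Optional[str]:
        return next((dst for r, dst in adj.get(node, []) if r == rel), None) if node else None

    service = follow(pod, "BELONGS_TO_SERVICE")
    team = follow(service, "OWNED_BY")
    return {"service": service, "owner": team, "on_call": follow(team, "ON_CALL")}


if __name__ == "__main__":
    for node, path in blast_radius(EDGES, "pod:payments-7f").items():
        print(f"{node}: {' -> '.join(path)}")
    print(incident_context(EDGES, "pod:payments-7f"))
```

The point the paragraph makes shows up in the output: the payments pod never reads `s3:pii-archive` itself, yet it reaches it in two hops through a role it is allowed to assume, which is exactly the kind of indirect path a list-based inventory hides. The reverse traversal answers the datastore question from the other direction and surfaces `user:alice` as well as the workload. A pod with no `BELONGS_TO_SERVICE` edge yields `None` for service, owner and on-call rather than an error, which is itself a useful signal during an incident (an unowned workload).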
@achantavy thanks for all the info. The presentation to TAG-Security was quite a while ago (March 2020) and at that time you weren't looking to join the CNCF (based on the meeting notes). Can you add a quick summary of what changed since then? Thanks.
Hi @rochaporto, back in 2020 we asked about the steps needed to join CNCF and decided that it wasn't the right time because the pandemic had just started and we had other priorities.
In the 4 years since then, I think we've hit a lot of the CNCF project criteria - e.g. adoption by multiple companies, public roadmaps, decisions fully made in the open, various specific information available in docs, etc - as cartography needed to grow that way. The project now has a more defined identity in that it knows what it is - a uniquely useful analysis capability - and what it isn't - e.g. it's not a near real-time detection tool.
In a nutshell, we're pursuing CNCF now because the project has reached the right maturity level to think about longer term strategic direction and ownership beyond just one company.
Thanks @achantavy .
The TOC reviewed this sandbox submission on April 9th.
The CNCF staff will look at the license implication of the neo4j dependency (cc @jeefy @amye) but once that's sorted out we can go for a vote without having to re-discuss during a sandbox review session.
In the meantime we also recommend the project gives an update to TAG-Security - given the maturity of the project a move to incubation might be something to consider soon. The discussion with the TAG should help with understanding if this would be a good option.
Hi @rochaporto, thanks for your reply and for your and the team's time reviewing!
> The CNCF staff will look at the license implication of the neo4j dependency (cc @jeefy @amye) but once that's sorted out we can go for a vote without having to re-discuss during a sandbox review session.
Appreciate it, please write back when the license questions are resolved.
> In the meantime we also recommend the project gives an update to TAG-Security
I will reach out to TAG-Security to give an updated presentation.
> given the maturity of the project a move to incubation might be something to consider soon. The discussion with the TAG should help with understanding if this would be a good option.
I'm looking forward to learning more from the TAG. One logistics question: how would this work given that we are not in the sandbox yet -- assuming the license issues end up ok, would it take longer for us to be admitted to sandbox, or admitted directly into incubation?
Thanks again!
@achantavy Sandbox applications are fairly lightweight as compared to direct application to Incubation. While most projects apply to sandbox and then apply to incubation when they are ready, we occasionally have projects that are well advanced to apply directly to incubation.
@jeefy @mrbobbytables Were the license implications here sorted?
Hi @jeefy, @mrbobbytables, @TheFoxAtWork - are there any updates on the license situation?
We'd like to continue this sandbox application and pursue incubation later.
Thank you for the ping. CNCF is working to get a status on this.
@achantavy Heya! We have a "few" follow-up questions if you wouldn't mind. :)
- Is Cartography using neo4j’s Community Edition, licensed under GPL-3.0, https://github.com/neo4j/neo4j?
- Is Cartography distributing neo4j, or does each downstream user have to obtain neo4j themselves?
- If Cartography is distributing neo4j, are you also distributing neo4j’s source code and its GPL-3.0 license text + copyright notices?
- Is Cartography modifying neo4j in any way?
- Is neo4j a mandatory dependency for Cartography, or is it one of multiple options available to the end user?
- Please briefly describe the functionality / purpose that neo4j serves for Cartography.
- How does Cartography interact with neo4j, and how are the two combined or linked together?
- For example, does Cartography only interact with neo4j through an official Apache-2.0 driver provided by neo4j, such as https://github.com/neo4j/neo4j-python-driver?
- Is neo4j included together in an executable with Cartography? Or does neo4j run as a separate executable / process?
- Do the two operate together in a shared memory space?
- (See https://www.gnu.org/licenses/gpl-faq.en.html#MereAggregation for more specifics on what we’re trying to get at with these questions.)
Thanks!!
@jeefy thanks so much for your reply! Here are the answers:
> Is Cartography using neo4j’s Community Edition, licensed under GPL-3.0, https://github.com/neo4j/neo4j?

Yes, Cartography uses neo4j community edition.

> Is Cartography distributing neo4j, or does each downstream user have to obtain neo4j themselves?

No, we do not distribute neo4j, each downstream user obtains neo4j themselves.

> If Cartography is distributing neo4j, are you also distributing neo4j’s source code and its GPL-3.0 license text + copyright notices?

N/A

> Is Cartography modifying neo4j in any way?

No, Cartography does not modify Neo4j.

> Is neo4j a mandatory dependency for Cartography, or is it one of multiple options available to the end user?

Yes, neo4j is a mandatory dependency.

> Please briefly describe the functionality / purpose that neo4j serves for Cartography.

It's the main datastore: we need neo4j's graph functionality. In the future we could add support for other graph DBs but at this time neo4j is our principal datastore.

> How does Cartography interact with neo4j, and how are the two combined or linked together? For example, does Cartography only interact with neo4j through an official Apache-2.0 driver provided by neo4j, such as https://github.com/neo4j/neo4j-python-driver?

Yes, this is correct: Cartography only interacts with neo4j through the official Apache-2.0 driver provided by neo4j.

> Is neo4j included together in an executable with Cartography? Or does neo4j run as a separate executable / process?

No, neo4j is not included in an executable with Cartography. Cartography is a python script that talks to neo4j via the neo4j-driver.

> Do the two operate together in a shared memory space? (See https://www.gnu.org/licenses/gpl-faq.en.html#MereAggregation for more specifics on what we’re trying to get at with these questions.)

No, the two do not operate together in a shared memory space.
Hi @jeefy and everyone, are there any updates from the meeting on August 13? Please let me know if you need more information.
@achantavy thank you for your patience. I've asked Staff to check in on any additional blockers that prevent this from moving to a vote.
(proxy for @jeefy) it's going to be a longer discussion around neo4j as a dependency, but at the moment it should not serve as a blocker.
We are good to move this to a vote. 👍
/vote
Vote created
@mrbobbytables has called for a vote on [Sandbox] Cartography (#58).
The members of the following teams have binding votes:
| Team |
|---|
| @cncf/cncf-toc |
Non-binding votes are also appreciated as a sign of support!
How to vote
You can cast your vote by reacting to this comment. The following reactions are supported:
| In favor | Against | Abstain |
|---|---|---|
| 👍 | 👎 | 👀 |
Please note that voting for multiple options is not allowed and those votes won't be counted.
The vote will be open for 2months 30days 2h 52m 48s. It will pass if at least 66% of the users with binding votes vote In favor 👍. Once it's closed, results will be published here as a new comment.
/check-vote
Vote status
So far 27.27% of the users with binding vote are in favor (passing threshold: 66%).
Summary
| In favor | Against | Abstain | Not voted |
|---|---|---|---|
| 3 | 0 | 0 | 8 |
Binding votes (3)
| User | Vote | Timestamp |
|---|---|---|
| TheFoxAtWork | In favor | 2024-08-20 15:27:13.0 +00:00:00 |
| cathyhongzhang | In favor | 2024-08-20 15:27:38.0 +00:00:00 |
| angellk | In favor | 2024-08-20 21:46:50.0 +00:00:00 |
| @dims | Pending | |
| @rochaporto | Pending | |
| @mauilion | Pending | |
| @linsun | Pending | |
| @dzolotusky | Pending | |
| @kevin-wangzefeng | Pending | |
| @nikhita | Pending | |
| @kgamanji | Pending | |
Non-binding votes (4)
| User | Vote | Timestamp |
|---|---|---|
| chandanchowdhury | In favor | 2024-08-20 16:58:27.0 +00:00:00 |
| anshumanbh | In favor | 2024-08-20 17:29:28.0 +00:00:00 |
| csanders-git | In favor | 2024-08-20 21:04:06.0 +00:00:00 |
| TehWebby | In favor | 2024-08-20 21:04:26.0 +00:00:00 |
/check-vote
Vote status
So far 63.64% of the users with binding vote are in favor (passing threshold: 66%).
Summary
| In favor | Against | Abstain | Not voted |
|---|---|---|---|
| 7 | 0 | 0 | 4 |
Binding votes (7)
| User | Vote | Timestamp |
|---|---|---|
| linsun | In favor | 2024-08-21 13:42:56.0 +00:00:00 |
| angellk | In favor | 2024-08-20 21:46:50.0 +00:00:00 |
| TheFoxAtWork | In favor | 2024-08-20 15:27:13.0 +00:00:00 |
| cathyhongzhang | In favor | 2024-08-20 15:27:38.0 +00:00:00 |
| rochaporto | In favor | 2024-08-21 7:28:10.0 +00:00:00 |
| dzolotusky | In favor | 2024-08-21 13:40:55.0 +00:00:00 |
| kevin-wangzefeng | In favor | 2024-08-21 0:45:09.0 +00:00:00 |
| @dims | Pending | |
| @mauilion | Pending | |
| @nikhita | Pending | |
| @kgamanji | Pending | |
Non-binding votes (7)
| User | Vote | Timestamp |
|---|---|---|
| chandanchowdhury | In favor | 2024-08-20 16:58:27.0 +00:00:00 |
| anshumanbh | In favor | 2024-08-20 17:29:28.0 +00:00:00 |
| csanders-git | In favor | 2024-08-20 21:04:06.0 +00:00:00 |
| TehWebby | In favor | 2024-08-20 21:04:26.0 +00:00:00 |
| feng-tao | In favor | 2024-08-21 0:11:18.0 +00:00:00 |
| gedigi | In favor | 2024-08-21 4:55:00.0 +00:00:00 |
| kunaals | In favor | 2024-08-21 5:42:00.0 +00:00:00 |
Vote closed
The vote passed! 🎉
72.73% of the users with binding vote were in favor (passing threshold: 66%).
Summary
| In favor | Against | Abstain | Not voted |
|---|---|---|---|
| 8 | 0 | 0 | 3 |
Binding votes (8)
| User | Vote | Timestamp |
|---|---|---|
| @cathyhongzhang | In favor | 2024-08-20 15:27:38.0 +00:00:00 |
| @TheFoxAtWork | In favor | 2024-08-20 15:27:13.0 +00:00:00 |
| @kevin-wangzefeng | In favor | 2024-08-21 0:45:09.0 +00:00:00 |
| @dzolotusky | In favor | 2024-08-21 13:40:55.0 +00:00:00 |
| @nikhita | In favor | 2024-08-23 10:43:24.0 +00:00:00 |
| @rochaporto | In favor | 2024-08-21 7:28:10.0 +00:00:00 |
| @angellk | In favor | 2024-08-20 21:46:50.0 +00:00:00 |
| @linsun | In favor | 2024-08-21 13:42:56.0 +00:00:00 |
Non-binding votes (10)
| User | Vote | Timestamp |
|---|---|---|
| @chandanchowdhury | In favor | 2024-08-20 16:58:27.0 +00:00:00 |
| @anshumanbh | In favor | 2024-08-20 17:29:28.0 +00:00:00 |
| @csanders-git | In favor | 2024-08-20 21:04:06.0 +00:00:00 |
| @TehWebby | In favor | 2024-08-20 21:04:26.0 +00:00:00 |
| @feng-tao | In favor | 2024-08-21 0:11:18.0 +00:00:00 |
| @gedigi | In favor | 2024-08-21 4:55:00.0 +00:00:00 |
| @kunaals | In favor | 2024-08-21 5:42:00.0 +00:00:00 |
| @sunstonesecure-robert | In favor | 2024-08-21 23:39:32.0 +00:00:00 |
| @kledo-lyft | In favor | 2024-08-22 0:11:12.0 +00:00:00 |
| @alejandroroiz | In favor | 2024-08-22 20:16:41.0 +00:00:00 |
Thank you everyone for your review and votes! Really excited for what's next.
Welcome and congrats on getting accepted as a CNCF Sandbox project!
You can get started on your on-boarding checklist here: https://github.com/cncf/sandbox/issues/135
and if you have any questions, please don't hesitate to reach out!
With https://github.com/cncf/sandbox/issues/135 created, we can go ahead and close this out :)
Congrats again!