refactor(api): migrate Attack Paths network exposure queries from APOC to openCypher (#10266)

Author: josema-xyz

api/CHANGELOG.md

@@ -6,6 +6,7 @@ All notable changes to the **Prowler API** are documented in this file.
 
 ### 🔄 Changed
 
+- Attack Paths: Migrate network exposure queries from APOC to standard openCypher for Neo4j and Neptune compatibility [(#10266)](https://github.com/prowler-cloud/prowler/pull/10266)
 - `POST /api/v1/providers` returns `409 Conflict` if already exists [(#10293)](https://github.com/prowler-cloud/prowler/pull/10293)
 
 ---

api/src/backend/api/attack_paths/queries/aws.py

@@ -16,8 +16,7 @@
     description="Detect EC2 instances with SSH exposed to the internet that can assume higher-privileged roles to read tagged sensitive S3 buckets despite bucket-level public access blocks.",
     provider="aws",
     cypher=f"""
-        CALL apoc.create.vNode(['Internet'], {{id: 'Internet', name: 'Internet', provider_id: $provider_id}})
-        YIELD node AS internet
+        OPTIONAL MATCH (internet:Internet {{_provider_id: $provider_id}})
 
         MATCH path_s3 = (aws:AWSAccount {{id: $provider_uid}})--(s3:S3Bucket)--(t:AWSTag)
         WHERE toLower(t.key) = toLower($tag_key) AND toLower(t.value) = toLower($tag_value)
@@ -32,8 +31,7 @@
 
         MATCH path_assume_role = (ec2)-[p:STS_ASSUMEROLE_ALLOW*1..9]-(r:AWSRole)
 
-        CALL apoc.create.vRelationship(internet, 'CAN_ACCESS', {{provider_id: $provider_id}}, ec2)
-        YIELD rel AS can_access
+        OPTIONAL MATCH (internet)-[can_access:CAN_ACCESS]->(ec2)
 
         UNWIND nodes(path_s3) + nodes(path_ec2) + nodes(path_role) + nodes(path_assume_role) as n
         OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
@@ -181,14 +179,12 @@
     description="Find EC2 instances flagged as exposed to the internet within the selected account.",
     provider="aws",
     cypher=f"""
-        CALL apoc.create.vNode(['Internet'], {{id: 'Internet', name: 'Internet', provider_id: $provider_id}})
-        YIELD node AS internet
+        OPTIONAL MATCH (internet:Internet {{_provider_id: $provider_id}})
 
         MATCH path = (aws:AWSAccount {{id: $provider_uid}})--(ec2:EC2Instance)
         WHERE ec2.exposed_internet = true
 
-        CALL apoc.create.vRelationship(internet, 'CAN_ACCESS', {{provider_id: $provider_id}}, ec2)
-        YIELD rel AS can_access
+        OPTIONAL MATCH (internet)-[can_access:CAN_ACCESS]->(ec2)
 
         UNWIND nodes(path) as n
         OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
@@ -205,16 +201,14 @@
     description="Find internet-facing resources associated with security groups that allow inbound access from '0.0.0.0/0'.",
     provider="aws",
     cypher=f"""
-        CALL apoc.create.vNode(['Internet'], {{id: 'Internet', name: 'Internet', provider_id: $provider_id}})
-        YIELD node AS internet
+        OPTIONAL MATCH (internet:Internet {{_provider_id: $provider_id}})
 
         // Match EC2 instances that are internet-exposed with open security groups (0.0.0.0/0)
         MATCH path_ec2 = (aws:AWSAccount {{id: $provider_uid}})--(ec2:EC2Instance)--(sg:EC2SecurityGroup)--(ipi:IpPermissionInbound)--(ir:IpRange)
         WHERE ec2.exposed_internet = true
             AND ir.range = "0.0.0.0/0"
 
-        CALL apoc.create.vRelationship(internet, 'CAN_ACCESS', {{provider_id: $provider_id}}, ec2)
-        YIELD rel AS can_access
+        OPTIONAL MATCH (internet)-[can_access:CAN_ACCESS]->(ec2)
 
         UNWIND nodes(path_ec2) as n
         OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
@@ -231,14 +225,12 @@
     description="Find Classic Load Balancers exposed to the internet along with their listeners.",
     provider="aws",
     cypher=f"""
-        CALL apoc.create.vNode(['Internet'], {{id: 'Internet', name: 'Internet', provider_id: $provider_id}})
-        YIELD node AS internet
+        OPTIONAL MATCH (internet:Internet {{_provider_id: $provider_id}})
 
         MATCH path = (aws:AWSAccount {{id: $provider_uid}})--(elb:LoadBalancer)--(listener:ELBListener)
         WHERE elb.exposed_internet = true
 
-        CALL apoc.create.vRelationship(internet, 'CAN_ACCESS', {{provider_id: $provider_id}}, elb)
-        YIELD rel AS can_access
+        OPTIONAL MATCH (internet)-[can_access:CAN_ACCESS]->(elb)
 
         UNWIND nodes(path) as n
         OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
@@ -255,14 +247,12 @@
     description="Find ELBv2 load balancers exposed to the internet along with their listeners.",
     provider="aws",
     cypher=f"""
-        CALL apoc.create.vNode(['Internet'], {{id: 'Internet', name: 'Internet', provider_id: $provider_id}})
-        YIELD node AS internet
+        OPTIONAL MATCH (internet:Internet {{_provider_id: $provider_id}})
 
         MATCH path = (aws:AWSAccount {{id: $provider_uid}})--(elbv2:LoadBalancerV2)--(listener:ELBV2Listener)
         WHERE elbv2.exposed_internet = true
 
-        CALL apoc.create.vRelationship(internet, 'CAN_ACCESS', {{provider_id: $provider_id}}, elbv2)
-        YIELD rel AS can_access
+        OPTIONAL MATCH (internet)-[can_access:CAN_ACCESS]->(elbv2)
 
         UNWIND nodes(path) as n
         OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})
@@ -279,31 +269,15 @@
     description="Given a public IP address, find the related AWS resource and its adjacent node within the selected account.",
     provider="aws",
     cypher=f"""
-        CALL apoc.create.vNode(['Internet'], {{id: 'Internet', name: 'Internet', provider_id: $provider_id}})
-        YIELD node AS internet
+        OPTIONAL MATCH (internet:Internet {{_provider_id: $provider_id}})
 
-        CALL () {{
-            MATCH path = (aws:AWSAccount {{id: $provider_uid}})-[r]-(x:EC2PrivateIp)-[q]-(y)
-            WHERE x.public_ip = $ip
-            RETURN path, x
+        MATCH path = (aws:AWSAccount {{id: $provider_uid}})-[r]-(x)-[q]-(y)
+        WHERE (x:EC2PrivateIp AND x.public_ip = $ip)
+           OR (x:EC2Instance AND x.publicipaddress = $ip)
+           OR (x:NetworkInterface AND x.public_ip = $ip)
+           OR (x:ElasticIPAddress AND x.public_ip = $ip)
 
-            UNION MATCH path = (aws:AWSAccount {{id: $provider_uid}})-[r]-(x:EC2Instance)-[q]-(y)
-            WHERE x.publicipaddress = $ip
-            RETURN path, x
-
-            UNION MATCH path = (aws:AWSAccount {{id: $provider_uid}})-[r]-(x:NetworkInterface)-[q]-(y)
-            WHERE x.public_ip = $ip
-            RETURN path, x
-
-            UNION MATCH path = (aws:AWSAccount {{id: $provider_uid}})-[r]-(x:ElasticIPAddress)-[q]-(y)
-            WHERE x.public_ip = $ip
-            RETURN path, x
-        }}
-
-        WITH path, x, internet
-
-        CALL apoc.create.vRelationship(internet, 'CAN_ACCESS', {{provider_id: $provider_id}}, x)
-        YIELD rel AS can_access
+        OPTIONAL MATCH (internet)-[can_access:CAN_ACCESS]->(x)
 
         UNWIND nodes(path) as n
         OPTIONAL MATCH (n)-[pfr]-(pf:{PROWLER_FINDING_LABEL} {{status: 'FAIL', provider_uid: $provider_uid}})