Remove homebrew app casks #24593
path AS installed_path | ||
FROM homebrew_packages | ||
WHERE type = 'cask' | ||
AND NOT EXISTS (SELECT 1 FROM file WHERE file.path LIKE CONCAT(homebrew_packages.path, '/%%%%', '/%%.app%%') LIMIT 1); |
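Review bot: In the NOT EXISTS subquery, CONCAT(homebrew_packages.path, '/%%%%', '/%%.app%%') puts the doubled wildcard in the middle of the path pattern, with '/%%.app%%' after it. If the file table only expands the recursive wildcard at the end of a pattern, this will not walk every level under the cask directory. Suggest keeping the recursive part as the last token of the path constraint and testing for .app in a separate condition.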
Double checking: LIKE with double %% (recursive search) on the file table can only be used at the end.
Double wildcards can NEVER be used mid-string (infix)
https://blog.1password.com/the-file-table-osquerys-secret-weapon/
Interesting... I'll have to figure out why this is currently working
I updated the WHERE clause to be safe, but it's interesting that this works in osqueryi:
SELECT path FROM file WHERE file.path LIKE CONCAT('/opt/homebrew/Caskroom/firefox', '/%%%%', '/%%.app%%') LIMIT 1;
IIRC a query that uses %% not at the end "works" (returns results) but is it actually recursive?
path AS installed_path | ||
FROM homebrew_packages | ||
WHERE type = 'cask' | ||
AND NOT EXISTS (SELECT 1 FROM file WHERE file.path LIKE CONCAT(homebrew_packages.path, '/%%%%', '/%%.app%%') LIMIT 1); |
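Review bot: LIMIT 1 inside the NOT EXISTS subquery is redundant, since EXISTS is already satisfied by the first matching row. Suggest dropping it, and adding a short comment on why the wildcards are written as '%%%%' and '%%.app%%' so the pattern the query is meant to run with is clear to the next reader.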
Am probably missing something, why not do CONCAT(homebrew_packages.path, '/%%%%/%%.app%%').
Left some questions.
Codecov Report
All modified and coverable lines are covered by tests ✅
Additional details and impacted files
@@ Coverage Diff @@
## main #24593 +/- ##
==========================================
+ Coverage 63.51% 63.80% +0.28%
==========================================
Files 1592 1605 +13
Lines 151140 152819 +1679
Branches 3885 3885
==========================================
+ Hits 95994 97500 +1506
- Misses 47492 47538 +46
- Partials 7654 7781 +127
path AS installed_path | ||
FROM homebrew_packages | ||
WHERE type = 'cask' | ||
AND NOT EXISTS (SELECT 1 FROM file WHERE file.path LIKE CONCAT(homebrew_packages.path, '/%%') AND file.path LIKE '/%.app%' LIMIT 1); |
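Review bot: The second condition in the subquery, file.path LIKE '/%.app%', is undocumented and reads as a root-level pattern, while its trailing % also lets it match any file inside a bundle (everything after .app). Suggest a comment stating that the first LIKE bounds the search to the cask directory, and tightening the second condition so it matches the bundle directory itself.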
Isn't this file.path LIKE '/%.app%' just matching something like /Google Chrome.app? (on the root path / only)
I believe file.path is looking for a string match, which is why this is working:
osquery> SELECT path FROM file WHERE file.path LIKE CONCAT('/opt/homebrew/Caskroom/firefox', '/%%') AND file.path LIKE '/%.app%' LIMIT 1;
+-----------------------------------------------------+
| path |
+-----------------------------------------------------+
| /opt/homebrew/Caskroom/firefox/126.0.1/Firefox.app/ |
+-----------------------------------------------------+
osquery> SELECT path FROM file WHERE file.path LIKE CONCAT('/opt/homebrew/Caskroom/ngrok', '/%%') AND file.path LIKE '/%.app%' LIMIT 1;
I think either should work, it seems clearer to use %.app% so I'll update
LGTM.
Left one nit comment and the following question to discuss:
On the following sample file query:
SELECT * FROM file WHERE file.path LIKE '/usr/local/Caskroom/jd-gui/%%' AND file.path LIKE '/%.app';
The first LIKE is used to walk the directory and the second LIKE uses string matching?
path AS installed_path | ||
FROM homebrew_packages | ||
WHERE type = 'cask' | ||
AND NOT EXISTS (SELECT 1 FROM file WHERE file.path LIKE CONCAT(homebrew_packages.path, '/%%%%') AND file.path LIKE '%%.app%%' LIMIT 1); |
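Review bot: file.path LIKE '%%.app%%' in the subquery is not anchored to an absolute path and matches .app anywhere in the string, so a cask whose tree contains a name such as foo.application, or any file under a directory like some.app.d, would also count as installing an app bundle. Suggest matching on the final path component instead, for example a filename condition that ends in .app.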
After some testing I found out what's happening behind the scenes:
SELECT 1 FROM file
WHERE file.path LIKE CONCAT(homebrew_packages.path, '/%%')
AND file.path LIKE '%.app' LIMIT 1
1. osquery will first walk the first directory in the LIKE: CONCAT(homebrew_packages.path, '/%%') and generate the list of paths.
2. osquery will then walk the other directory in the LIKE: '%.app', which given it's not an absolute path will try to look for .apps in the current working directory (which for osqueryd usually run as root will be /) and generate the list of paths, which on macOS will be an empty list.
So, only (1) will generate paths to process.
After (1) and (2), the sqlite engine will perform its own filtering with LIKE (string matching) over the returned paths in (1).
So, basically LIKE is used first by osquery code to generate the paths AND then by the sqlite engine which will do string matching as usual.
The trick here is that we can use this because we are expecting / to contain no apps and no large number of files or directories (I was not able to create files or .apps in /).
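A model of the two-stage evaluation described in the comment above, as an added example that is not part of the PR or of osquery's code. The FILES list is constructed, and generate() and cask_app_paths() are hypothetical names that only approximate how the file table expands LIKE patterns before SQLite filters the rows.

```python
import re
import sqlite3

# Constructed sample filesystem (illustrative paths; directories end in "/").
FILES = [
    "/opt/homebrew/Caskroom/firefox/126.0.1/Firefox.app/",
    "/opt/homebrew/Caskroom/firefox/126.0.1/Firefox.app/Contents/Info.plist",
    "/opt/homebrew/Caskroom/ngrok/3.9.0/ngrok",
    "/Applications/Safari.app/",
    "/etc/hosts",
]


def generate(pattern, cwd="/"):
    """Stage 1 (assumed model): expand one LIKE pattern into candidate paths.

    '%' stays within one path segment, a trailing '%%' recurses, and a
    relative pattern is resolved against the working directory.
    """
    if not pattern.startswith("/"):
        pattern = cwd.rstrip("/") + "/" + pattern
    recursive = pattern.endswith("%%")
    body = pattern[:-2] if recursive else pattern
    regex = "[^/]*".join(re.escape(part) for part in body.split("%"))
    regex += ".*" if recursive else "/?"
    return [p for p in FILES if re.fullmatch(regex, p)]


def cask_app_paths(cask_path):
    """Stage 2: SQLite re-applies both LIKEs as string matches on the union."""
    patterns = [cask_path + "/%%", "/%.app%"]
    candidates = sorted({p for pat in patterns for p in generate(pat)})
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE file (path TEXT)")
    db.executemany("INSERT INTO file VALUES (?)", [(p,) for p in candidates])
    rows = db.execute(
        "SELECT path FROM file WHERE path LIKE ? AND path LIKE ? ORDER BY path",
        patterns,
    )
    return [r[0] for r in rows]


if __name__ == "__main__":
    print(generate("/%.app%"))                     # root-level walk only
    print(generate("%.app", cwd="/Applications"))  # relative pattern follows cwd
    print(cask_app_paths("/opt/homebrew/Caskroom/firefox"))
    print(cask_app_paths("/opt/homebrew/Caskroom/ngrok"))
```

In this model the second pattern contributes no candidates when the working directory is /, and starts contributing them as soon as the working directory holds .app entries, which is the dependency the comment calls "the trick".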
Rather than relying on "no large number of files or directories" to make this query efficient, should we instead use filename LIKE '%.app'?
LGTM, pending this comment: https://github.com/fleetdm/fleet/pull/24593/files#r1894214609
This reverts commit c9746df.
Approving for docs
...oh wait, this is host vitals rather than APIs so @marko-lisica has to approve this
#22944
Removing homebrew casks that install app bundles from the macOS software detail query as they are already reported in the apps table. apps table provides bundle_identifier which is used in vulnerability (CPE) matching to grab the correct vendor.
changes/, orbit/changes/ or ee/fleetd-chrome/changes. See Changes files for more information.