Remove homebrew app casks #24593

Merged: 7 commits, Dec 24, 2024
Changes from 2 commits
1 change: 1 addition & 0 deletions changes/22944-homebrew-casks
@@ -0,0 +1 @@
* removed duplicate software records from homebrew casks already reported in the osquery `apps` table to address false positive vulnerabilities due to lack of bundle_identifier
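Review bot: "duplicate software records" does not say which casks are removed. The query only drops a cask when a `.app` entry is found under its Caskroom path, so casks that install no bundle (fonts, command-line tools) are still reported; spell that criterion out, e.g. "removed Homebrew casks that install a .app bundle, since those are already reported from the `apps` table with a `bundle_identifier`".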
17 changes: 16 additions & 1 deletion docs/Contributing/Understanding-host-vitals.md
@@ -662,7 +662,22 @@ SELECT
'' AS vendor,
0 AS last_opened_at,
path AS installed_path
FROM homebrew_packages;
FROM homebrew_packages
WHERE type = 'formula'
UNION
SELECT
name AS name,
version AS version,
'' AS bundle_identifier,
'' AS extension_id,
'' AS browser,
'homebrew_packages' AS source,
'' AS vendor,
0 AS last_opened_at,
path AS installed_path
FROM homebrew_packages
WHERE type = 'cask'
AND NOT EXISTS (SELECT 1 FROM file WHERE file.path LIKE CONCAT(homebrew_packages.path, '/%%', '/%.app%') LIMIT 1);
```

## software_macos_codesign
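Review bot: the recursive `%%` wildcard in `LIKE CONCAT(homebrew_packages.path, '/%%', '/%.app%')` sits in the middle of the pattern, but osquery's `file` table only treats a trailing `%%` as a recursive match (the point raised in the review thread below), so the depth this walk actually reaches is unclear. If the expected layout is one version directory between the cask path and the bundle, `'/%/%.app%'` expresses that with single-level wildcards only. Two smaller points on the same clause: `LIMIT 1` inside `EXISTS` is redundant, and since the two SELECTs are disjoint on `type`, `UNION ALL` avoids a needless distinct sort.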
21 changes: 20 additions & 1 deletion server/service/osquery_utils/queries.go
@@ -819,6 +819,10 @@ var softwareMacOS = DetailQuery{
// ensure that the nested loops in the query generation are ordered correctly for the _extensions
// tables that need a uid parameter. CROSS JOIN ensures that SQLite does not reorder the loop
// nesting, which is important as described in https://youtu.be/hcn3HIcHAAo?t=77.
//
// Homebrew package casks are filtered to exclude those that have an associated .app bundle
// as these are already included in the apps table. Apps table software includes bundle_identifier
// which is used in vulnerability scanning.
Query: withCachedUsers(`WITH cached_users AS (%s)
SELECT
name AS name,
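Review bot: the new comment says casks "that have an associated .app bundle" are excluded "as these are already included in the apps table", but the query below never joins to `apps`; it only checks for a `.app` under the cask's Caskroom path. State that assumption explicitly (a `.app` present under the cask path is taken to mean an `apps` row with a `bundle_identifier` exists) so a later reader knows the exclusion is a heuristic rather than a lookup.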
@@ -890,7 +894,22 @@ SELECT
'' AS vendor,
0 AS last_opened_at,
path AS installed_path
FROM homebrew_packages;
FROM homebrew_packages
WHERE type = 'formula'
UNION
SELECT
name AS name,
version AS version,
'' AS bundle_identifier,
'' AS extension_id,
'' AS browser,
'homebrew_packages' AS source,
'' AS vendor,
0 AS last_opened_at,
path AS installed_path
FROM homebrew_packages
WHERE type = 'cask'
AND NOT EXISTS (SELECT 1 FROM file WHERE file.path LIKE CONCAT(homebrew_packages.path, '/%%%%', '/%%.app%%') LIMIT 1);
Member: Double checking: LIKE with double %% (recursive search) on the file table can only be used at the end.

Member: Double wildcards can NEVER be used mid-string (infix).

https://blog.1password.com/the-file-table-osquerys-secret-weapon/

Contributor Author: Interesting... I'll have to figure out why this is currently working.

Contributor Author: I updated the WHERE clause to be safe, but it's interesting that this works in osqueryi:

```sql
SELECT path FROM file WHERE file.path LIKE CONCAT('/opt/homebrew/Caskroom/firefox', '/%%%%', '/%%.app%%') LIMIT 1;
```
Member: IIRC a query that uses %% not at the end "works" (returns results), but is it actually recursive?

Member: I am probably missing something, but why not do CONCAT(homebrew_packages.path, '/%%%%/%%.app%%')?

`),
Platforms: []string{"darwin"},
DirectIngestFunc: directIngestSoftware,
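Review bot: the doubled `'/%%%%'` and `'/%%.app%%'` are correct for a string that goes through fmt (the `%s` used for `cached_users` shows it does), producing `'/%%'` and `'/%.app%'` exactly as written in Understanding-host-vitals.md; add a short comment above that line saying the extra `%` are fmt escapes, otherwise a reader comparing the two files sees a mismatch. The infix-`%%` question from the thread still applies after formatting; if one version directory is expected between the cask path and the bundle, `'/%%/%%.app%%'` (a single-level `%` after escaping) states that intent without depending on mid-pattern `%%` handling in the `file` table.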
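To see what the UNION / NOT EXISTS logic keeps and drops, the query from the PR can be run against an in-memory SQLite database. This is an added example, not Fleet or osquery code: osquery's virtual `homebrew_packages` and `file` tables are replaced by ordinary tables filled with constructed rows, `CONCAT` is replaced by SQLite's `||` operator, and the `path` column is assumed to be the per-package directory with the version as a subdirectory (matching the `/opt/homebrew/Caskroom/firefox` prefix in the thread). It shows the SQL semantics only; the real `file` table's wildcard-driven directory walk, and the infix `%%` question raised above, are not modelled.

```python
"""Run the cask-exclusion SELECT from PR #24593 against an in-memory SQLite
database. Added example, not Fleet or osquery code: the homebrew_packages and
file tables are plain tables with constructed rows, CONCAT is replaced by ||,
and only the SQL semantics (UNION, NOT EXISTS, LIKE) are exercised."""
import sqlite3

# Constructed homebrew_packages rows. Assumption: `path` is the per-package
# directory and the version is a subdirectory of it.
PACKAGES = [
    ("openssl@3", "3.4.0", "formula", "/opt/homebrew/Cellar/openssl@3"),
    ("wget", "1.25.0", "formula", "/opt/homebrew/Cellar/wget"),
    ("firefox", "133.0", "cask", "/opt/homebrew/Caskroom/firefox"),
    ("docker", "4.36.0", "cask", "/opt/homebrew/Caskroom/docker"),
    ("font-fira-code", "6.2", "cask", "/opt/homebrew/Caskroom/font-fira-code"),
    ("example-cli", "1.0", "cask", "/opt/homebrew/Caskroom/example-cli"),
    ("nested", "2.0", "cask", "/opt/homebrew/Caskroom/nested"),
]

# Constructed `file` rows, fully materialized (unlike osquery's file table,
# which only enumerates what the path constraint asks it to walk).
FILES = [
    "/opt/homebrew/Cellar/wget/1.25.0/bin/wget",
    "/opt/homebrew/Caskroom/firefox/133.0/Firefox.app/Contents/Info.plist",
    "/opt/homebrew/Caskroom/firefox/133.0/Firefox.app/Contents/MacOS/firefox",
    "/opt/homebrew/Caskroom/docker/4.36.0/Docker.app/Contents/Info.plist",
    "/opt/homebrew/Caskroom/font-fira-code/6.2/FiraCode-Regular.ttf",
    "/opt/homebrew/Caskroom/example-cli/1.0/example-cli",
    # A bundle one directory deeper than <path>/<version>/. Plain SQLite LIKE
    # still matches it because '%%' spans any characters, '/' included.
    "/opt/homebrew/Caskroom/nested/2.0/Payload/Nested.app/Contents/Info.plist",
]

# The PR's query with the columns that matter here; '||' stands in for CONCAT.
SOFTWARE_QUERY = """
SELECT name, version, '' AS bundle_identifier, 'homebrew_packages' AS source,
       path AS installed_path
FROM homebrew_packages
WHERE type = 'formula'
UNION
SELECT name, version, '' AS bundle_identifier, 'homebrew_packages' AS source,
       path AS installed_path
FROM homebrew_packages
WHERE type = 'cask'
  AND NOT EXISTS (SELECT 1 FROM file
                  WHERE file.path LIKE homebrew_packages.path || '/%%' || '/%.app%'
                  LIMIT 1)
ORDER BY name
"""


def build_db():
    """Create the two stand-in tables and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE homebrew_packages (name TEXT, version TEXT, type TEXT, path TEXT)"
    )
    conn.execute("CREATE TABLE file (path TEXT)")
    conn.executemany("INSERT INTO homebrew_packages VALUES (?, ?, ?, ?)", PACKAGES)
    conn.executemany("INSERT INTO file VALUES (?)", [(p,) for p in FILES])
    return conn


def reported_software():
    """Names the query reports: every formula plus casks with no .app
    under their install path (sorted by name)."""
    conn = build_db()
    try:
        return [row[0] for row in conn.execute(SOFTWARE_QUERY)]
    finally:
        conn.close()


def excluded_casks():
    """Casks dropped by the NOT EXISTS filter, i.e. the ones the PR expects
    to be covered by the apps table instead."""
    reported = set(reported_software())
    return sorted(
        name for name, _, kind, _ in PACKAGES if kind == "cask" and name not in reported
    )


if __name__ == "__main__":
    print("reported:", reported_software())
    print("excluded casks:", excluded_casks())
```

Running it reports the two formulae plus `font-fira-code` and `example-cli`, and excludes `firefox`, `docker` and `nested`. The `nested` row is the caveat: SQLite's `LIKE` is happy to let `%%` cross several `/` separators, so whether the production query excludes a cask whose bundle sits deeper than `<path>/<version>/` depends entirely on how osquery's `file` table expands that infix `%%`, which is exactly the question left open in the thread.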