osquery / osquery-go

Go bindings for osquery
MIT License

Query constraint parsing broken in osquery 3.2.0 #53

Closed zwass closed 6 years ago

zwass commented 6 years ago

With the addition of properly typed JSON in osquery 3, constraint parsing is broken.

Former JSON:

{  
   "constraints":[  
      {  
         "name":"domain",
         "list":[  
            {  
               "op":"2",
               "expr":"kolide.co"
            }
         ],
         "affinity":"TEXT"
      },
      {  
         "name":"email",
         "list":"",
         "affinity":"TEXT"
      }
   ]
}

New JSON:

{  
   "constraints":[  
      {  
         "name":"domain",
         "list":[  
            {  
               "op":2,
               "expr":"kolide.co"
            }
         ],
         "affinity":"TEXT"
      },
      {  
         "name":"email",
         "list":[  

         ],
         "affinity":"TEXT"
      }
   ]
}

Note that now integers have integer type rather than string, and empty lists are actually empty lists instead of empty strings. We need to update the parsing code (https://github.com/kolide/osquery-go/blob/master/plugin/table/table.go#L235) to handle both the old string types from osquery < 3 and the new integer types in osquery >= 3.
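One way to decode both encodings described in this issue, shown as an added example; it is not the osquery-go code or the fix that was eventually merged. The names `Op`, `List`, `Context` and `parse` are hypothetical and chosen for this sketch only.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strconv"
)

// Op accepts "2" (string, osquery < 3) and 2 (number, osquery >= 3).
type Op int

func (o *Op) UnmarshalJSON(b []byte) error {
	// b is one valid JSON token; anything that is not a plain integer is rejected.
	n, err := strconv.Atoi(string(bytes.Trim(b, `"`)))
	*o = Op(n)
	return err
}

// List accepts a JSON array, or "" which osquery < 3 sends for an empty list.
type List []struct {
	Op   Op     `json:"op"`
	Expr string `json:"expr"`
}

func (l *List) UnmarshalJSON(b []byte) error {
	if string(b) == `""` {
		b = []byte("[]")
	}
	type plain List // same layout without this method, so no recursion
	return json.Unmarshal(b, (*plain)(l))
}

// Context is a hypothetical name for the decoded query context.
type Context struct {
	Constraints []struct {
		Name     string `json:"name"`
		Affinity string `json:"affinity"`
		List     List   `json:"list"`
	} `json:"constraints"`
}

// The two encodings from the issue, compacted onto one line each.
const oldJSON = `{"constraints":[{"name":"domain","list":[{"op":"2","expr":"kolide.co"}],"affinity":"TEXT"},{"name":"email","list":"","affinity":"TEXT"}]}`
const newJSON = `{"constraints":[{"name":"domain","list":[{"op":2,"expr":"kolide.co"}],"affinity":"TEXT"},{"name":"email","list":[],"affinity":"TEXT"}]}`

func parse(data string) (ctx Context, err error) {
	err = json.Unmarshal([]byte(data), &ctx)
	return
}
func main() {
	fmt.Println(parse(oldJSON))
	fmt.Println(parse(newJSON))
}
```

Both inputs decode to the same value, and an `op` that is neither an integer nor a quoted integer returns an error instead of silently becoming zero.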