Carve Request ID erroneously uses last distributed query

[zwass]

Bug report

What operating system and version are you using?

Any

What version of osquery are you using?

4.5.1

What steps did you take to reproduce the issue?

Schedule a query that makes a file carve.

What did you expect to see?

Carve Request ID provided by osquery is the name of the scheduled query (or some other appropriate value).

What did you see instead?

Carve Request ID is the name of the most recent distributed query that osqueryd executed (even though that query is no longer executing, and even if that query did not even use the carves table).

[theopolis]

I definitely caused this bug but I am unsure of a good way to fix it. Any help would be greatly appreciated.

[hughneale]

Ah, I was just about to report this. Really easy to replicate if you're using scheduled carves. I think its due to this line: #3252. However, I'm going to investigate further.

[directionless]

Is this still present after #6671 ?

[theopolis]

This is still present and I'm working on a stop-gap solution that reduces the confusion.

[apinter-figma]

@theopolis kind of an old issue here, but just to double check my understanding from the code and this issue. The code now generates a distinct uuid for each call to genCarves, but it is not the uuid of the initiating distributed query (or scheduled query). This issue to close would mean that the appropriate spawning distributed query uuid got attached as the request id to each individual carve.