Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[osquery 5.13] does not respect ROUND sql #17069

Open
pacamaster opened this issue Feb 21, 2024 · 8 comments
Open

[osquery 5.13] does not respect ROUND sql #17069

pacamaster opened this issue Feb 21, 2024 · 8 comments
Assignees
@getvictor
Labels
~agent Related to Fleet's osquery runtime and agent autoupdater (Orbit) ~backend Backend-related issue. bug Something isn't working as documented ~csa Issue was created by or deemed important by the Customer Solutions Architect. customer-sarahwu #g-endpoint-ops Endpoint ops product group ~osquery core Relates to a change in osquery core. :release Ready to write code. Scheduled in a release. See "Making changes" in handbook. ~released bug This bug was found in a stable release.

Comments

@pacamaster
Copy link
Member

pacamaster commented Feb 21, 2024
edited by getvictor

This is a tracking issue for osquery issue: osquery/osquery#8301

Fleet version:
4.45.0

Web browser and operating system:
Current and up-to-date (Chrome Version 121.0.6167.184 (Official Build) (arm64) / Sonoma 14.3.1)

💥  Actual behavior

Running query with ROUND returns strange results, osquery shell returns correct data and respects ROUND

SELECT pid, total_size, name, ROUND(((total_size * 1.0) / (1024 * 1024)), 2) AS used FROM processes ORDER BY total_size DESC;

image

The tagged client reported this issue and I was able to reproduce it in the current Fleet release with our dogfood

🧑‍💻  Steps to reproduce

  1. Run a query with ROUND in osqueryi shell
  2. get correct results returned
  3. Run the same Querry in Fleet, it returns full float numbers along with logging destination and during query report for the saved results

🕯️ More info (optional)

Unsure if this was more of a feature request, but couldn't find the issue filed either for this.
With the extra lines of data it takes up a bunch of extra space/resources.
@pacamaster pacamaster added bug Something isn't working as documented ~released bug This bug was found in a stable release. #g-endpoint-ops Endpoint ops product group customer-sarahwu :incoming New issue in triage process. labels Feb 21, 2024
@JoStableford
Copy link
Contributor

Related to a Slack conversation

@sharon-fdm
Copy link
Contributor

Reproduced on my Mac as well
image

@sharon-fdm sharon-fdm added :release Ready to write code. Scheduled in a release. See "Making changes" in handbook. and removed :incoming New issue in triage process. labels Feb 22, 2024
@sharon-fdm sharon-fdm added the ~backend Backend-related issue. label Feb 29, 2024
@lukeheath lukeheath modified the milestones: 4.48.0-tentative, 4.47.0-tentative Mar 11, 2024
@getvictor
Copy link
Member

This appears to be an osquery issue. Here's what I'm seeing on distributed/write:

{
    "queries": {
        "fleet_distributed_query_425": [
            {
                "pid": "658407",
                "total_size": "1215423651840",
                "name": "chrome",
                "used": "1159118.3200000001"
            },
            {
                "pid": "658476",
                "total_size": "1215403827200",
                "name": "chrome",
                "used": "1159099.4099999999"
            },
            {
                "pid": "1116467",
                "total_size": "109725528064",
                "name": "WebKitWebProces",
                "used": "104642.42"
            },
            {
                "pid": "1116436",
                "total_size": "94692233216",
                "name": "gnome-shell-por",
                "used": "90305.550000000003"
            },

@getvictor getvictor changed the title Fleet does not respect ROUND sql osquery does not respect ROUND sql Mar 18, 2024
@getvictor getvictor added the ~agent Related to Fleet's osquery runtime and agent autoupdater (Orbit) label Mar 18, 2024
@getvictor getvictor changed the title osquery does not respect ROUND sql [osquery 5.13] does not respect ROUND sql Mar 26, 2024
@getvictor
Copy link
Member

osquery PR: osquery/osquery#8302

@sharon-fdm sharon-fdm mentioned this issue Mar 27, 2024
Closed
@getvictor
Copy link
Member

@pacamaster This issue has a workaround -- cast the problematic data as text, like:

SELECT pid, total_size, name, CAST(ROUND(((total_size * 1.0) / (1024 * 1024)), 2) AS text) AS used FROM processes ORDER BY total_size DESC;

@sharon-fdm sharon-fdm removed this from the 4.48.0-tentative milestone Apr 1, 2024
@lukeheath lukeheath added this to the 4.50.0-tentative milestone Apr 23, 2024
@lukeheath lukeheath modified the milestones: 4.50.0, 4.51.0-tentative May 13, 2024
@getvictor getvictor added the ~osquery core Relates to a change in osquery core. label May 31, 2024
@nonpunctual nonpunctual added the ~csa Issue was created by or deemed important by the Customer Solutions Architect. label Jun 5, 2024
@lukeheath lukeheath removed this from the 4.51.0 milestone Jun 7, 2024
@lukeheath lukeheath added this to the 4.52.0-tentative milestone Jun 7, 2024
@sharon-fdm sharon-fdm removed this from the 4.52.0-tentative milestone Jun 13, 2024
@sharon-fdm
Copy link
Contributor

@getvictor I removed the milestone since this is osquery core, and we are not sure about the ETA.

@lucasmrod
Copy link
Member

lucasmrod commented Jun 19, 2024
edited by getvictor

@getvictor

QA notes

I'm still seeing the issue after building osqueryd on macOS with today's commit in master:

commit e4ff72ee0b88e3101ad36cc6328d4634fab7f483 (HEAD -> master, origin/master, origin/HEAD)
Author: Stefano Bonicatti <sxxx@xxx.com>
Date:   Thu Jun 13 20:02:24 2024 +0200

    Correct 5.12.2 changelog (#8348)

commit fae29d081af4998823571e0ecc6d4e0c5b8d52eb
Author: Victor Lyuboslavsky <xxx@xxx.com>
Date:   Mon Jun 10 11:07:52 2024 -0500

    Using `std::setprecision` to get the right precision for double to string conversion. (#8302)

sudo ./osquery/osqueryd --version
osqueryd version 5.12.1-14-ge4ff72ee0-dirty

Query: SELECT pid, total_size, name, ROUND(((total_size * 1.0) / (1024 * 1024)), 2) AS used FROM processes ORDER BY total_size DESC;

Screenshot 2024-06-19 at 4 48 08 PM

@getvictor
Copy link
Member

Waiting for latest PR to be merged: osquery/osquery#8355

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@getvictor getvictor

Labels
~agent Related to Fleet's osquery runtime and agent autoupdater (Orbit) ~backend Backend-related issue. bug Something isn't working as documented ~csa Issue was created by or deemed important by the Customer Solutions Architect. customer-sarahwu #g-endpoint-ops Endpoint ops product group ~osquery core Relates to a change in osquery core. :release Ready to write code. Scheduled in a release. See "Making changes" in handbook. ~released bug This bug was found in a stable release.
Milestone
No milestone
Development

No branches or pull requests
7 participants
@lucasmrod @lukeheath @getvictor @JoStableford @pacamaster @sharon-fdm @nonpunctual