Hi @seph! I've pushed the suggested changes to #7675.

I've got a small issue that I'd like to put a PR up for... I've got a fix working locally but would like to chat in here first to see if I'm on the right track (also hi, I'm new to osquery and not a cpp programmer, so be aware 🙂 ). The issue: file carve table gets broken when running in debug because a type assertion fails in the json tree construction A solution: change the loading code in carves.cpp to switch on type

diff --git a/osquery/tables/forensic/carves.cpp b/osquery/tables/forensic/carves.cpp
index 1fcdb25af..80929ad13 100644
--- a/osquery/tables/forensic/carves.cpp
+++ b/osquery/tables/forensic/carves.cpp
@@ -53,8 +53,10 @@ void enumerateCarves(QueryData& results, const std::string& new_guid) {
       r["time"] = INTEGER(tree.doc()["time"].GetUint64());
     }

-    if (tree.doc().HasMember("size")) {
+    if (tree.doc().HasMember("size") && tree.doc()["size"].IsInt()) {
       r["size"] = INTEGER(tree.doc()["size"].GetInt());
+    } else if (tree.doc().HasMember("size") && tree.doc()["size"].IsString()) {
+      r["size"] = INTEGER(tree.doc()["size"].GetString());
     }

     stringToRow("sha256", r, tree);

From reading more of the codebase and the database code it seems like there's some friction where the update functions only take strings and then it seems its up to casts elsewhere in the codebase to turn them into the right types

Hi @Andre Pinter I think opening an issue for this is a good idea. It's great that you've already got a possible fix. If you open a PR, point it to the issue, it should be reviewed after you click to agree to the contributor license agreement (CLA)

In cases where a greater amount of code is being considered, it's always a good plan to get explicit agreement on the issue and the approach before starting. Just so that you don't implement a big chunk of work that cannot be accepted for design or practical reasons

Hi folks! This is ready for review (CI now passes, was failing due to flaky tests): https://github.com/osquery/osquery/pull/7712

Would anyone be able to review this PR https://github.com/osquery/osquery/pull/7714

Does anyone know enough to review that PR? https://github.com/osquery/osquery/pull/7714 If the answer is no, we will have to self-approve it

I've ported forward some code for containerd events. Most of the original code is from @Stefano Bonicatti but I can fix any issues: https://github.com/osquery/osquery/pull/7751

Hi folks! The following two PRs are ready for re-review: 1. #7655: Fixes the current odd behavior + adds missing documentation for "discovery" queries in distributed queries. It also fixes the following two issues: #5260 and #7793. 2. #7712: This is for future-proof support of osquery downgrades. So that osquery doesn't break whenever a new version adds a column family to RocksDB and users need to downgrade osquery.

Hi osquery reviewers! I opened a new blueprint for making schedule epoch and counter behavior more consistent, to support periodic snapshots and stream alerting from the same differential rule: https://github.com/osquery/osquery/issues/7799 It has a couple PRs and draft commits for proposed implementation - curious what people think when you have time 🙂

Hello there, can anyone give a quick review to https://github.com/osquery/osquery/pull/7813, this issue is blocking/keeps failing our CI

There are a few lingering PRs from Fleet team members that could use some attention:

https://github.com/osquery/osquery/pull/7655 - @seph Do Lucas's answers work for you?

https://github.com/osquery/osquery/pull/7751 - @Stefano Bonicatti do you think you could take a look at this one?

https://github.com/osquery/osquery/pull/7712 - @Stefano Bonicatti do you think you could take a look at this as well? It's adapted from your idea.

https://github.com/osquery/osquery/pull/7821 - @thor this one is actually pretty new, but could you please lend a hand with your Windows expertise?

I have a new PR to add stats to distributed queries: https://github.com/osquery/osquery/pull/7870

This looks like a good candidate for 5.8.0: https://github.com/osquery/osquery/pull/7916. I could review it but I'm not very familiar with the relevant systems.

I think https://github.com/osquery/osquery/pull/7821#discussion_r1095282267 is ready to merge now, though I can't approve or merge it because of how I opened the PR (though didn't write any of the code)

Hi folks! I've tested this change and it works #7944. And the changes are simple enough and make sense.

Hi everyone, I have a draft PR up for a

windows_search

table that lets users query windows using CCommand via osquery. This is my first attempt at contributing to osquery and my first real foray into C++. Would love some preliminary feedback, just to validate my approach and ensure my code is in the ball park in terms of quality.

@Marcos Oviedo https://github.com/osquery/osquery/pull/7999

Hi folks! When time allows, please take a look at #8070. It fixes documentation bugs, adds a flag to enable debug logging on the watchdog and improves the error messages a bit (the errors printed when the watchdog kills a worker process).

I’d love code review on: • https://github.com/osquery/osquery/pull/8037 — which adds query context support to block_devices fixing a performance issue • https://github.com/osquery/osquery/pull/8052 — which updates how disk_encryption tracks things, fixing a long standing bug

Hi, everyone! I've created PR https://github.com/osquery/osquery/pull/8077 to fix segmentation fault in

EventSubscriberPlugin::generateRows

(issue #8076) Would appreciate your comments.

I’m playing with trying to get some of the website stuff towards GHA automation. Can anyone thumb https://github.com/osquery/osquery-site/pull/280 ?

Hey, it would be great if someone could take a look at the PR https://github.com/osquery/osquery/pull/8086, it makes one of the tables more convenient to use

Hi, I have pushed a PR to add some of the newest SIP flags in the SIP config table: https://github.com/osquery/osquery/pull/8101.

Hi All, I've got a PR up that could use some experienced eyes: https://github.com/osquery/osquery/pull/8119 Had a little clunkiness at first w/ the clang formatting as it's my first time putting up an osquery PR, but I think I've got it all resolved now. Thanks in advance!

Hi all, I'm interested in this PR https://github.com/osquery/osquery/pull/8077 I saw that the last commend was over a month ago. Any idea it could be looked at again and if it would land in 5.10 release?