im looking into documentation and i didnt find any table which i can connect with users to do this

MacOS apps table Windows programs table Linux has rpm and dpkg tables.

are there any tables about vulnerabilities ?

@Filip osquery is a host telemetry agent designed to gather information about the local device (eg. what processes are running, what underlying hardware is installed, etc.) using native APIs abstracted into relational database virtual tables. There is no table "about vulnerabilities" because that would mean the device had the feed of vulnerabilities locally available as part of its native OS. To accomplish what you are asking, you can compare local device data (eg. installed programs) against external vulnerability feeds using 3rd party integrations, logging tools, or osquery-based SaaS services that have such functionality. The only way you could accomplish what you are asking within a single query using only vanilla osquery would be something like: • Retrieve a feed of vulnerabilities from a remote endpoint using the

curl

table, • Manipulate it to match the output format/schema of your desired osquery source (eg.

programs

), by using things like

JSON_EXTRACT

to parse the feed. • Perform some sort of version comparison using SQL functions (eg.

SPLIT(version,'.',0) AS version_major)

) to determine whether the software in question is vulnerable.

thanks @fritz, your answer is very helpful, will do that 🙂