Is there current guidance about the constraints on results that we should expect from recursive searches against the ‘file’ table? I am experiencing strange results when trying to recursively look for files on MacOS (noticed on Mac 11.5.2, osquery 4.9.0): When I run find on the system, I get this (partial results):

# find / -name java -type f 2>/dev/null -exec ls -lisah {} \;
... /usr/bin/java
... /usr/local/Cellar/libmagic/5.40/share/misc/magic/java
... /usr/local/Cellar/openjdk/16.0.2/libexec/openjdk.jdk/Contents/Home/bin/java
... /usr/share/file/magic/java
... /Library/Java/JavaVirtualMachines/zulu-11.jdk/Contents/Home/bin/java
... /System/Volumes/Data/usr/local/Cellar/libmagic/5.40/share/misc/magic/java
... /System/Volumes/Data/usr/local/Cellar/openjdk/16.0.2/libexec/openjdk.jdk/Contents/Home/bin/java
... /System/Volumes/Data/Library/Java/JavaVirtualMachines/zulu-11.jdk/Contents/Home/bin/java

When I run a recursion from the root, I get only 1:

SELECT filename,path FROM file WHERE filename = "java" AND path LIKE '/%%'
filename: java
path: /usr/bin/java

Other times, I get a few directories lower:

SELECT filename,path FROM file WHERE filename = "java" AND path LIKE '/usr/share/%%'
filename: java
path: /usr/share/file/magic/java

Other times, it doesn’t work:

SELECT filename,path FROM file WHERE filename = "java" AND path LIKE '/usr/local/Cellar/%%'
0 results (should be at least 2)