Add version collations to column definitions (osquery#8222)

Smjert · Dec 27, 2023 · cc2ece7 · cc2ece7
1 parent c396d07
commit cc2ece7
Show file tree

Hide file tree

Showing 38 changed files with 65 additions and 49 deletions.
diff --git a/osquery/core/sql/column.h b/osquery/core/sql/column.h
@@ -77,6 +77,10 @@ enum class ColumnOptions {
   COLLATEBINARY = 32,
   COLLATENOCASE = 64,
   COLLATERTRIM = 128,
+  COLLATEVERSION = 256,
+  COLLATEVERSION_ARCH = 512,
+  COLLATEVERSION_DPKG = 1024,
+  COLLATEVERSION_RHEL = 2048,
 };
 
 /// Treat column options as a set of flags.

diff --git a/osquery/core/tables.cpp b/osquery/core/tables.cpp
@@ -275,6 +275,14 @@ std::string columnDefinition(const TableColumns& columns, bool is_extension) {
       statement += " COLLATE NOCASE";
     } else if (options & ColumnOptions::COLLATERTRIM) {
       statement += " COLLATE RTRIM";
+    } else if (options & ColumnOptions::COLLATEVERSION) {
+      statement += " COLLATE VERSION";
+    } else if (options & ColumnOptions::COLLATEVERSION_ARCH) {
+      statement += " COLLATE VERSION_ARCH";
+    } else if (options & ColumnOptions::COLLATEVERSION_DPKG) {
+      statement += " COLLATE VERSION_DPKG";
+    } else if (options & ColumnOptions::COLLATEVERSION_RHEL) {
+      statement += " COLLATE VERSION_RHEL";
     }
     if (i < columns.size() - 1) {
       statement += ", ";

diff --git a/specs/darwin/alf.table b/specs/darwin/alf.table
@@ -7,7 +7,7 @@ schema([
     Column("logging_enabled", INTEGER, "1 If logging mode is enabled else 0"),
     Column("logging_option", INTEGER, "Firewall logging option"),
     Column("stealth_enabled", INTEGER, "1 If stealth mode is enabled else 0"),
-    Column("version", TEXT, "Application Layer Firewall version"),
+    Column("version", TEXT, "Application Layer Firewall version", collate="version"),
 ])
 implementation("firewall@genALF")
 fuzz_paths([

diff --git a/specs/darwin/apps.table b/specs/darwin/apps.table
@@ -6,11 +6,11 @@ schema([
     Column("bundle_executable", TEXT,
         "Info properties CFBundleExecutable label"),
     Column("bundle_identifier", TEXT,
-        "Info properties CFBundleIdentifier label"),
+        "Info properties CFBundleIdentifier label", collate="nocase"),
     Column("bundle_name", TEXT, "Info properties CFBundleName label"),
     Column("bundle_short_version", TEXT,
-        "Info properties CFBundleShortVersionString label"),
-    Column("bundle_version", TEXT, "Info properties CFBundleVersion label"),
+        "Info properties CFBundleShortVersionString label", collate="version"),
+    Column("bundle_version", TEXT, "Info properties CFBundleVersion label", collate="version"),
     Column("bundle_package_type", TEXT,
         "Info properties CFBundlePackageType label"),
     Column("environment", TEXT, "Application-set environment variables"),
@@ -21,7 +21,7 @@ schema([
     Column("display_name", TEXT, "Info properties CFBundleDisplayName label"),
     Column("info_string", TEXT, "Info properties CFBundleGetInfoString label"),
     Column("minimum_system_version", TEXT,
-        "Minimum version of macOS required for the app to run"),
+        "Minimum version of macOS required for the app to run", collate="version"),
     Column("category", TEXT,
         "The UTI that categorizes the app for the App Store"),
     Column("applescript_enabled", TEXT,

diff --git a/specs/darwin/browser_plugins.table b/specs/darwin/browser_plugins.table
@@ -5,7 +5,7 @@ schema([
       index=True),
     Column("name", TEXT, "Plugin display name"),
     Column("identifier", TEXT, "Plugin identifier"),
-    Column("version", TEXT, "Plugin short version"),
+    Column("version", TEXT, "Plugin short version", collate="version"),
     Column("sdk", TEXT, "Build SDK used to compile plugin"),
     Column("description", TEXT, "Plugin description text"),
     Column("development_region", TEXT, "Plugin language-localization"),

diff --git a/specs/darwin/crashes.table b/specs/darwin/crashes.table
@@ -6,7 +6,7 @@ schema([
     Column("path", TEXT, "Path to the crashed process"),
     Column("crash_path", TEXT, "Location of log file", index=True),
     Column("identifier", TEXT, "Identifier of the crashed process"),
-    Column("version", TEXT, "Version info of the crashed process"),
+    Column("version", TEXT, "Version info of the crashed process", collate="version"),
     Column("parent", BIGINT, "Parent PID of the crashed process"),
     Column("responsible", TEXT, "Process responsible for the crashed process"),
     Column("uid", INTEGER, "User ID of the crashed process", index=True),

diff --git a/specs/darwin/device_firmware.table b/specs/darwin/device_firmware.table
@@ -3,6 +3,6 @@ description("A best-effort list of discovered firmware versions.")
 schema([
     Column("type", TEXT, "Type of device"),
     Column("device", TEXT, "The device name", index=True),
-    Column("version", TEXT, "Firmware version"),
+    Column("version", TEXT, "Firmware version", collate="version"),
 ])
 implementation("device_firmware@genDeviceFirmware")
diff --git a/specs/darwin/gatekeeper.table b/specs/darwin/gatekeeper.table
@@ -3,8 +3,8 @@ description("macOS Gatekeeper Details.")
 schema([
     Column("assessments_enabled", INTEGER, "1 If a Gatekeeper is enabled else 0"),
     Column("dev_id_enabled", INTEGER, "1 If a Gatekeeper allows execution from identified developers else 0"),
-    Column("version", TEXT, "Version of Gatekeeper's gke.bundle"),
-    Column("opaque_version", TEXT, "Version of Gatekeeper's gkopaque.bundle"),
+    Column("version", TEXT, "Version of Gatekeeper's gke.bundle", collate="version"),
+    Column("opaque_version", TEXT, "Version of Gatekeeper's gkopaque.bundle", collate="version"),
 ])
 implementation("gatekeeper@genGateKeeper")
 fuzz_paths([

diff --git a/specs/darwin/homebrew_packages.table b/specs/darwin/homebrew_packages.table
@@ -3,7 +3,7 @@ description("The installed homebrew package database.")
 schema([
     Column("name", TEXT, "Package name"),
     Column("path", TEXT, "Package install path"),
-    Column("version", TEXT, "Current 'linked' version"),
+    Column("version", TEXT, "Current 'linked' version", collate="version"),
     Column("prefix", TEXT, "Homebrew install prefix", hidden=True, additional=True),
 ])
 attributes(cacheable=True)

diff --git a/specs/darwin/kernel_extensions.table b/specs/darwin/kernel_extensions.table
@@ -5,7 +5,7 @@ schema([
     Column("refs", INTEGER, "Reference count"),
     Column("size", BIGINT, "Bytes of wired memory used by extension"),
     Column("name", TEXT, "Extension label"),
-    Column("version", TEXT, "Extension version"),
+    Column("version", TEXT, "Extension version", collate="version"),
     Column("linked_against", TEXT,
       "Indexes of extensions this extension is linked against"),
     Column("path", TEXT, "Optional path to extension bundle"),

diff --git a/specs/darwin/managed_policies.table b/specs/darwin/managed_policies.table
@@ -1,7 +1,7 @@
 table_name("managed_policies")
 description("The managed configuration policies from AD, MDM, MCX, etc.")
 schema([
-    Column("domain", TEXT, "System or manager-chosen domain key"),
+    Column("domain", TEXT, "System or manager-chosen domain key", collate="nocase"),
     Column("uuid", TEXT, "Optional UUID assigned to policy set"),
     Column("name", TEXT, "Policy key name"),
     Column("value", TEXT, "Policy value"),

diff --git a/specs/darwin/package_install_history.table b/specs/darwin/package_install_history.table
@@ -4,7 +4,7 @@ schema([
     Column("package_id", TEXT, "Label packageIdentifiers"),
     Column("time", INTEGER, "Label date as UNIX timestamp"),
     Column("name", TEXT, "Package display name"),
-    Column("version", TEXT, "Package display version"),
+    Column("version", TEXT, "Package display version", collate="version"),
     Column("source", TEXT, "Install source: usually the installer process name"),
     Column("content_type", TEXT, "Package content_type (optional)"),
 ])

diff --git a/specs/darwin/package_receipts.table b/specs/darwin/package_receipts.table
@@ -4,7 +4,7 @@ schema([
     Column("package_id", TEXT, "Package domain identifier"),
     Column("package_filename", TEXT, "Filename of original .pkg file",
         index=True, hidden=True),
-    Column("version", TEXT, "Installed package version"),
+    Column("version", TEXT, "Installed package version", collate="version"),
     Column("location", TEXT, "Optional relative install path on volume"),
     Column("install_time", DOUBLE, "Timestamp of install time"),
     Column("installer_name", TEXT, "Name of installer process"),

diff --git a/specs/darwin/safari_extensions.table b/specs/darwin/safari_extensions.table
@@ -5,8 +5,8 @@ schema([
       index=True),
     Column("name", TEXT, "Extension display name"),
     Column("identifier", TEXT, "Extension identifier"),
-    Column("version", TEXT, "Extension long version"),
-    Column("sdk", TEXT, "Bundle SDK used to compile extension"),
+    Column("version", TEXT, "Extension long version", collate="version"),
+    Column("sdk", TEXT, "Bundle SDK used to compile extension", collate="version"),
     Column("update_url", TEXT, "Extension-supplied update URI"),
     Column("author", TEXT, "Optional extension author"),
     Column("developer_id", TEXT, "Optional developer identifier"),

diff --git a/specs/darwin/system_extensions.table b/specs/darwin/system_extensions.table
@@ -4,8 +4,8 @@ schema([
     Column("path", TEXT, "Original path of system extension"),
     Column("UUID", TEXT, "Extension unique id"),
     Column("state", TEXT, "System extension state"),
-    Column("identifier", TEXT, "Identifier name"),
-    Column("version", TEXT, "System extension version"),
+    Column("identifier", TEXT, "Identifier name", collate="nocase"),
+    Column("version", TEXT, "System extension version", collate="version"),
     Column("category", TEXT, "System extension category"),
     Column("bundle_path", TEXT, "System extension bundle path"),
     Column("team", TEXT, "Signing team ID"),

diff --git a/specs/darwin/xprotect_meta.table b/specs/darwin/xprotect_meta.table
@@ -4,7 +4,7 @@ schema([
     Column("identifier", TEXT, "Browser plugin or extension identifier"),
     Column("type", TEXT, "Either plugin or extension"),
     Column("developer_id", TEXT, "Developer identity (SHA1) of extension"),
-    Column("min_version", TEXT, "The minimum allowed plugin version."),
+    Column("min_version", TEXT, "The minimum allowed plugin version.", collate="version"),
 ])
 attributes(cacheable=True)
 implementation("xprotect@genXProtectMeta")
diff --git a/specs/firefox_addons.table b/specs/firefox_addons.table
@@ -7,7 +7,7 @@ schema([
     Column("identifier", TEXT, "Addon identifier", index=True),
     Column("creator", TEXT, "Addon-supported creator string"),
     Column("type", TEXT, "Extension, addon, webapp"),
-    Column("version", TEXT, "Addon-supplied version string"),
+    Column("version", TEXT, "Addon-supplied version string", collate="version"),
     Column("description", TEXT, "Addon-supplied description string"),
     Column("source_url", TEXT, "URL that installed the addon"),
     Column("visible", INTEGER, "1 If the addon is shown in browser else 0"),

diff --git a/specs/kernel_info.table b/specs/kernel_info.table
@@ -1,7 +1,7 @@
 table_name("kernel_info")
 description("Basic active kernel information.")
 schema([
-  Column("version", TEXT, "Kernel version"),
+  Column("version", TEXT, "Kernel version", collate="version"),
   Column("arguments", TEXT, "Kernel arguments"),
   Column("path", TEXT, "Kernel path"),
   Column("device", TEXT, "Kernel device identifier"),

diff --git a/specs/linux/apt_sources.table b/specs/linux/apt_sources.table
@@ -5,7 +5,7 @@ schema([
     Column("source", TEXT, "Source file"),
     Column("base_uri", TEXT, "Repository base URI"),
     Column("release", TEXT, "Release name"),
-    Column("version", TEXT, "Repository source version"),
+    Column("version", TEXT, "Repository source version", collate="version_dpkg"),
     Column("maintainer", TEXT, "Repository maintainer"),
     Column("components", TEXT, "Repository components"),
     Column("architectures", TEXT, "Repository architectures"),

diff --git a/specs/linux/deb_packages.table b/specs/linux/deb_packages.table
@@ -2,7 +2,7 @@ table_name("deb_packages")
 description("The installed DEB package database.")
 schema([
     Column("name", TEXT, "Package name"),
-    Column("version", TEXT, "Package version"),
+    Column("version", TEXT, "Package version", collate="version_dpkg"),
     Column("source", TEXT, "Package source"),
     Column("size", BIGINT, "Package size in bytes"),
     Column("arch", TEXT, "Package architecture"),

diff --git a/specs/linux/rpm_packages.table b/specs/linux/rpm_packages.table
@@ -2,7 +2,7 @@ table_name("rpm_packages")
 description("RPM packages that are currently installed on the host system.")
 schema([
     Column("name", TEXT, "RPM package name", index=True),
-    Column("version", TEXT, "Package version" ,index=True),
+    Column("version", TEXT, "Package version" ,index=True, collate="version_rhel"),
     Column("release", TEXT, "Package release", index=True),
     Column("source", TEXT, "Source RPM package name (optional)"),
     Column("size", BIGINT, "Package size in bytes"),

diff --git a/specs/linwin/intel_me_info.table b/specs/linwin/intel_me_info.table
@@ -1,7 +1,7 @@
 table_name("intel_me_info")
 description("Intel ME/CSE Info.")
 schema([
-    Column("version",  TEXT, "Intel ME version"),
+    Column("version",  TEXT, "Intel ME version", collate="version"),
 ])
 
 implementation("intel_me_info@getIntelMEInfo")

diff --git a/specs/npm_packages.table b/specs/npm_packages.table
@@ -2,7 +2,7 @@ table_name("npm_packages")
 description("Node packages installed in a system.")
 schema([
     Column("name", TEXT, "Package display name"),
-    Column("version", TEXT, "Package-supplied version"),
+    Column("version", TEXT, "Package-supplied version", collate="version"),
     Column("description", TEXT, "Package-supplied description"),
     Column("author", TEXT, "Package-supplied author"),
     Column("license", TEXT, "License under which package is launched"),

diff --git a/specs/posix/docker_info.table b/specs/posix/docker_info.table
@@ -21,7 +21,7 @@ schema([
     Column("oom_kill_disable", INTEGER, "1 if Out-of-memory kill is disabled. 0 otherwise"),
     Column("logging_driver", TEXT, "Logging driver"),
     Column("cgroup_driver", TEXT, "Control groups driver"),
-    Column("kernel_version", TEXT, "Kernel version"),
+    Column("kernel_version", TEXT, "Kernel version", collate="version"),
     Column("os", TEXT, "Operating system"),
     Column("os_type", TEXT, "Operating system type"),
     Column("architecture", TEXT, "Hardware architecture"),
@@ -31,7 +31,7 @@ schema([
     Column("https_proxy", TEXT, "HTTPS proxy"),
     Column("no_proxy", TEXT, "Comma-separated list of domain extensions proxy should not be used for"),
     Column("name", TEXT, "Name of the docker host"),
-    Column("server_version", TEXT, "Server version"),
+    Column("server_version", TEXT, "Server version", collate="version"),
     Column("root_dir", TEXT, "Docker root directory")
 ])
 attributes(cacheable=True)

diff --git a/specs/posix/docker_version.table b/specs/posix/docker_version.table
@@ -1,14 +1,14 @@
 table_name("docker_version")
 description("Docker version information.")
 schema([
-    Column("version", TEXT, "Docker version"),
-    Column("api_version", TEXT, "API version"),
-    Column("min_api_version", TEXT, "Minimum API version supported"),
+    Column("version", TEXT, "Docker version", collate="version"),
+    Column("api_version", TEXT, "API version", collate="version"),
+    Column("min_api_version", TEXT, "Minimum API version supported", collate="version"),
     Column("git_commit", TEXT, "Docker build git commit"),
-    Column("go_version", TEXT, "Go version"),
+    Column("go_version", TEXT, "Go version", collate="version"),
     Column("os", TEXT, "Operating system"),
     Column("arch", TEXT, "Hardware architecture"),
-    Column("kernel_version", TEXT, "Kernel version"),
+    Column("kernel_version", TEXT, "Kernel version", collate="version"),
     Column("build_time", TEXT, "Build time")
 ])
 attributes(cacheable=True)

diff --git a/specs/python_packages.table b/specs/python_packages.table
@@ -2,7 +2,7 @@ table_name("python_packages")
 description("Python packages installed in a system.")
 schema([
     Column("name", TEXT, "Package display name"),
-    Column("version", TEXT, "Package-supplied version"),
+    Column("version", TEXT, "Package-supplied version", collate="version"),
     Column("summary", TEXT, "Package-supplied summary"),
     Column("author", TEXT, "Optional package author"),
     Column("license", TEXT, "License under which package is launched"),

diff --git a/specs/utility/file.table b/specs/utility/file.table
@@ -23,8 +23,8 @@ extended_schema(WINDOWS, [
     Column("attributes", TEXT, "File attrib string. See: https://ss64.com/nt/attrib.html"),
     Column("volume_serial", TEXT, "Volume serial number"),
     Column("file_id", TEXT, "file ID"),
-    Column("file_version", TEXT, "File version"),
-    Column("product_version", TEXT, "File product version"),
+    Column("file_version", TEXT, "File version", collate="version"),
+    Column("product_version", TEXT, "File product version", collate="version"),
     Column("original_filename", TEXT, "(Executable files only) Original filename"),
     Column("shortcut_target_path", TEXT, "Full path to the file the shortcut points to"),
     Column("shortcut_target_type", TEXT, "Display name for the target type"),

diff --git a/specs/utility/osquery_extensions.table b/specs/utility/osquery_extensions.table
@@ -3,8 +3,8 @@ description("List of active osquery extensions.")
 schema([
     Column("uuid", BIGINT, "The transient ID assigned for communication"),
     Column("name", TEXT, "Extension's name"),
-    Column("version", TEXT, "Extension's version"),
-    Column("sdk_version", TEXT, "osquery SDK version used to build the extension"),
+    Column("version", TEXT, "Extension's version", collate="version"),
+    Column("sdk_version", TEXT, "osquery SDK version used to build the extension", collate="version"),
     Column("path", TEXT, "Path of the extension's Thrift connection or library path"),
     Column("type", TEXT, "SDK extension type: core, extension, or module")
 ])

diff --git a/specs/utility/osquery_info.table b/specs/utility/osquery_info.table
@@ -4,7 +4,7 @@ schema([
     Column("pid", INTEGER, "Process (or thread/handle) ID"),
     Column("uuid", TEXT, "Unique ID provided by the system"),
     Column("instance_id", TEXT, "Unique, long-lived ID per instance of osquery"),
-    Column("version", TEXT, "osquery toolkit version"),
+    Column("version", TEXT, "osquery toolkit version", collate="version"),
     Column("config_hash", TEXT, "Hash of the working configuration state"),
     Column("config_valid", INTEGER, "1 if the config was loaded and considered valid, else 0"),
     Column("extensions", TEXT, "osquery extensions status"),

diff --git a/specs/windows/drivers.table b/specs/windows/drivers.table
@@ -7,7 +7,7 @@ schema([
     Column("description", TEXT, "Driver description"),
     Column("service", TEXT, "Driver service name, if one exists"),
     Column("service_key", TEXT, "Driver service registry key"),
-    Column("version", TEXT, "Driver version"),
+    Column("version", TEXT, "Driver version", collate="version"),
     Column("inf", TEXT, "Associated inf file"),
     Column("class", TEXT, "Device/driver class name"),
     Column("provider", TEXT, "Driver provider"),

diff --git a/specs/windows/hvci_status.table b/specs/windows/hvci_status.table
@@ -1,7 +1,7 @@
 table_name("hvci_status")
 description("Retrieve HVCI info of the machine.")
 schema([
-  Column("version", TEXT, "The version number of the Device Guard build."),
+  Column("version", TEXT, "The version number of the Device Guard build.", collate="version"),
   Column("instance_identifier", TEXT, "The instance ID of Device Guard."),
   Column("vbs_status", TEXT, "The status of the virtualization based security settings. Returns UNKNOWN if an error is encountered."),
   Column("code_integrity_policy_enforcement_status", TEXT, "The status of the code integrity policy enforcement settings. Returns UNKNOWN if an error is encountered."),

diff --git a/specs/windows/ie_extensions.table b/specs/windows/ie_extensions.table
@@ -3,7 +3,7 @@ description("Internet Explorer browser extensions.")
 schema([
     Column("name", TEXT, "Extension display name"),
     Column("registry_path", TEXT, "Extension identifier"),
-    Column("version", TEXT, "Version of the executable"),
+    Column("version", TEXT, "Version of the executable", collate="version"),
     Column("path", TEXT, "Path to executable"),
 ])
 implementation("system/windows/ie_extensions@genIEExtensions")
diff --git a/specs/windows/programs.table b/specs/windows/programs.table
@@ -2,7 +2,7 @@ table_name("programs", aliases=["programs_and_features"])
 description("Represents products as they are installed by Windows Installer. A product generally correlates to one installation package on Windows. Some fields may be blank as Windows installation details are left to the discretion of the product author.")
 schema([
     Column("name", TEXT, "Commonly used product name."),
-    Column("version", TEXT, "Product version information."),
+    Column("version", TEXT, "Product version information.", collate="version"),
     Column("install_location", TEXT, "The installation location directory of the product."),
     Column("install_source", TEXT, "The installation source of the product."),
     Column("language", TEXT, "The language of the product."),

diff --git a/specs/windows/services.table b/specs/windows/services.table
@@ -1,7 +1,7 @@
 table_name("services")
 description("Lists all installed Windows services and their relevant data.")
 schema([
-    Column("name", TEXT, "Service name"),
+    Column("name", TEXT, "Service name", collate="nocase"),
     Column("service_type", TEXT, "Service Type: OWN_PROCESS, SHARE_PROCESS and maybe Interactive (can interact with the desktop)"),
     Column("display_name", TEXT, "Service Display name"),
     Column("status", TEXT, "Service Current status: STOPPED, START_PENDING, STOP_PENDING, RUNNING, CONTINUE_PENDING, PAUSE_PENDING, PAUSED"),

diff --git a/specs/windows/tpm_info.table b/specs/windows/tpm_info.table
@@ -9,7 +9,7 @@ schema([
   Column("manufacturer_name", TEXT, "TPM manufacturers name"),
   Column("product_name", TEXT, "Product name of the TPM"),
   Column("physical_presence_version", TEXT, "Version of the Physical Presence Interface"),
-  Column("spec_version", TEXT, "Trusted Computing Group specification that the TPM supports"),
+  Column("spec_version", TEXT, "Trusted Computing Group specification that the TPM supports", collate="version"),
 ])
 implementation("tpm_info@genTpmInfo")
 examples([