package cnquery.explorer

int32 code = 1
The status code.
string message = 2
A user-facing error message, which should be in English.
repeated google.protobuf.Any details = 3
A list of messages that carry the error details.

The list of queries that an asset needs to execute May be identical amongst multiple packs

Used in: ResolvedPack

string checksum = 1
map<string, ExecutionQuery> queries = 2
map of all queries that should be executed, checksum => query
map<string, DataQueryInfo> datapoints = 3
map of all datapoints to their info

A query which is part of an ExecutionJob Reduced to the bare minimum for the execution

Used in: ExecutionJob

string query = 1
string checksum = 2
map<string, string> properties = 3
mapping from name => checksum, which is in the execution job
repeated string datapoints = 4
list of checksums that we collect as data points
optional llx.CodeBundle code = 5

User-defined and internal filters. Users may use: 1. filters: asset.name == /sth/ 2. filters: - mql: asset.name == /sth/ Internally we use: 3. filters: items: <checksum>: { ..mquery.. }

Used in: Mquery, QueryGroup, QueryPack

map<string, Mquery> items = 1

Impact explains how important certain queries are. They are especially useful in weighted testing where results need to be prioritized. They can also serve as a priority list for data that is collected.

Used in: Mquery

optional ImpactValue value = 1
Value is between 0 to 100 (most impactful).
ScoringSystem scoring = 2
The scoring system to apply for evaluating multiple results
int32 weight = 3
The weight of this query. Has to be > 0, otherwise counts as unset.
Action action = 4
Action is copied into the impact to correctly reconstruct the v7 ScoringSpec

Used in: Impact

int32 value = 1

Mquery represents the MQL and metadata that form a query

Used in: Bundle, Filters, Mqueries, QueryGroup, QueryPack, ResolveReq, ResolvedPack, UpdateAssetJobsReq

string query = 40
FIXME: DEPRECATED, remove in v12.0 vv This is replaced by the field "mql"
repeated MqueryRef refs = 22
This is moved into docs.refs
^^
string mql = 1
string code_id = 2
string checksum = 3
string mrn = 4
string uid = 5
UID is only needed on Mquery upload, when the MRN is computed. It is not be persisted.
string type = 6
string context = 7
string title = 20
optional MqueryDocs docs = 21
string desc = 35
Desc is only used if docs.desc is not defined. It is not persisted.
optional Impact impact = 23
map<string, string> tags = 34
optional Filters filters = 37
repeated Property props = 38
repeated ObjectRef variants = 39
Action action = 41
Action is used for all query overrides (eg: in packs, policies, APIs etc)

Documentation for Mquery

Used in: Mquery

string desc = 1
Description of the query
string audit = 2
Optional. Audit instructions to verify the query results
repeated MqueryRef refs = 4
Optional. References to external sources, typical URLs
optional Remediation remediation = 5
Optional. Remediation instructions for the query

MqueryRef is used to reference external sources

Used in: Docs, Mquery, MqueryDocs

string title = 1
Title of the reference
string url = 2
URL of the reference

MRNs are used to uniquely identify resources. They are globally unique.

Used as request type in: QueryHub.DeleteQueryPack, QueryHub.GetBundle, QueryHub.GetFilters, QueryHub.GetQueryPack

string mrn = 1

Used in: Mquery, Property

string mrn = 1
string uid = 2
map<string, string> tags = 3

Properties allow users to configure queries and bundles in pre-defined ways. They return one value only, have a type, and may specify which query they target, while used in querypacks (or other groupings like policies). They may contain additional metadata to provide more information. Note: At the time of writing properties do not pull from other properties. They may do that later.

Used in: Bundle, Mquery, PropsReq, QueryPack

string mql = 1
string code_id = 2
string checksum = 3
string mrn = 4
string uid = 5
UID is only needed on Mquery upload, when the MRN is computed. It is not be persisted.
string type = 6
string context = 7
repeated ObjectRef for = 8
protolint:disable REPEATED_FIELD_NAMES_PLURALIZED
string title = 20
string desc = 35

Used in: QueryPack

repeated Mquery queries = 3
optional Filters filters = 20
filter for the assets this applies to
string title = 24
metadata
int64 created = 32
int64 modified = 33

Used as response type in: QueryHub.GetQueryPack

Used as field type in: Bundle, QueryPacks

string uid = 36
user-defined UID, which is used to generate the MRN
string context = 8
user-defined, only used during query ingest in case they have no context
string mrn = 1
MRN to universally identify this query. UIDs are local to QueryPacks, MRNs are global
string name = 2
string version = 3
string owner_mrn = 4
auto-generated
repeated Mquery queries = 6
repeated QueryGroup groups = 11
repeated Property props = 35
optional Filters computed_filters = 47
auto-generated
optional Filters filters = 48
string license = 21
optional QueryPackDocs docs = 22
string summary = 46
repeated Author authors = 30
int64 created = 32
int64 modified = 33
map<string, string> tags = 34
string local_content_checksum = 23
internal fields
string local_execution_checksum = 24

Used in: QueryPack

string desc = 1

Remediation is used to provide a fix for a check.

Used in: MqueryDocs

repeated TypedDoc items = 1
items is a list of TypedDoc items that include the description of the remediation for different platforms.

The report of all the things collected for an entity (typically asset). The provided pack is used as the root to decide what data fields will be returned.

Used as response type in: QueryConductor.GetReport

Used as field type in: ReportCollection

string pack_mrn = 1
string entity_mrn = 2
map<string, llx.Result> data = 5
int64 created = 20
int64 modified = 21
string resolved_version = 33

map<string, Asset> assets = 1
optional Bundle bundle = 2
map<string, Report> reports = 3
map<string, ErrorStatus> errors = 4
map<string, ResolvedPack> resolved = 5

ResolvedPack is returned from a resolve request. It includes the execution job with all things that need to be run.

Used as response type in: QueryConductor.Resolve

Used as field type in: ReportCollection

optional ExecutionJob execution_job = 2
repeated Mquery filters = 4
string graph_execution_checksum = 7
string filters_checksum = 20

protolint:disable ENUM_FIELD_NAMES_PREFIX protolint:disable ENUM_FIELD_NAMES_ZERO_VALUE_END_WITH

Used in: Impact

SCORING_UNSPECIFIED = 0
Default value, should not be used
WEIGHTED = 1
Weighted scoring mechanism which uses the weight defined at the query level to calculate the score.
WORST = 2
Worst scoring mechanism which uses the worst score of all findings to calculate the policy score.
AVERAGE = 3
Average scoring mechanism which uses the average score of all findings to calculate the policy score.
DATA_ONLY = 4
Treats the query as data only, no scoring is applied.
IGNORE_SCORE = 5
Ignore scoring mechanism which ignores the score of each query.
BANDED = 6
Experimental: BANDED scoring mechanism which creates a score based on the 4 categories of criticality (critical, high, medium, low) and positions scores so that: 1. Any critical/high issues won't generate a high score (upper limit) 2. Lower scoring categories can have an impact on the score (e.g. 1 crit + 200 medium failures will be lower than 1 crit only) 3. A large collection of medium findings won't generate a critical score
DECAYED = 7
Experimental: DECAYED scoring uses a scaled decay function to estimate a score value. This means that a few critical findings will quickly reduce the resulting score, but it won't just drop it to the lowest value.
DISABLED = 8

Used in: SynchronizeAssetsResp

string platform_mrn = 1
string asset_mrn = 2
string url = 3

A typed documentation for a remediation

Used in: Remediation

string id = 1
Identifier
string desc = 2
Description
string language = 3
Optional. Language of the description (e.g. markdown, english)
int64 created = 20
Optional. Creation date of the description
int64 modified = 21
Optional. Modification date of the description
map<string, string> tags = 22
Optional. Tags for the description

Update asset jobs forces all jobs for a given asset to get refreshed.

string asset_mrn = 1
repeated Mquery asset_filters = 2

package cnquery.explorer

service QueryConductor

rpc Assign (Assignment, Empty)

rpc Unassign (Assignment, Empty)

rpc SetProps (PropsReq, Empty)

message PropsReq

string entity_mrn = 1

repeated Property props = 2

rpc Resolve (ResolveReq, ResolvedPack)

message ResolveReq

string entity_mrn = 1

repeated Mquery asset_filters = 2

rpc StoreResults (StoreResultsReq, Empty)

message StoreResultsReq

string asset_mrn = 1

map<string, llx.Result> data = 3

map<string, llx.ResourceRecording> resources = 4

bool is_last_batch = 5

rpc GetReport (EntityDataRequest, Report)

message EntityDataRequest

string entity_mrn = 1

string data_mrn = 2

rpc SynchronizeAssets (SynchronizeAssetsReq, SynchronizeAssetsResp)

message SynchronizeAssetsReq

string space_mrn = 1

repeated providers.v1.Asset list = 2

message SynchronizeAssetsResp

map<string, SynchronizeAssetsRespAssetDetail> details = 1

service QueryHub

rpc SetBundle (Bundle, Empty)

rpc DeleteQueryPack (Mrn, Empty)

rpc ValidateBundle (Bundle, Empty)

rpc GetBundle (Mrn, Bundle)

rpc GetQueryPack (Mrn, QueryPack)

rpc GetFilters (Mrn, Mqueries)

message Mqueries

repeated Mquery items = 1

rpc List (ListReq, QueryPacks)

message ListReq

string owner_mrn = 1

string name = 2

message QueryPacks

repeated QueryPack items = 1

rpc DefaultPacks (DefaultPacksReq, URLs)

message DefaultPacksReq

string kind = 1

string platform = 2

string runtime = 3

string version = 4

repeated string family = 5

message URLs

repeated string urls = 1

enum Action

UNSPECIFIED = 0

MODIFY = 1

DEACTIVATE = 2

ACTIVATE = 3

IGNORE = 4

OUT_OF_SCOPE = 5

message Asset

string mrn = 1

map<string, string> labels = 3

string name = 18

string trace_id = 19

message Assignment

string asset_mrn = 1

repeated string pack_mrns = 2

message AssignmentDelta

string mrn = 1

AssignmentDelta.Action action = 2

enum AssignmentDelta.Action

UNKNOWN = 0

ADD = 1

DELETE = 2

message Author

string name = 1

string email = 2

message Bundle

string owner_mrn = 1

repeated QueryPack packs = 2