✨ cnquery run --exit-1-on-failure (#5656)

This change adds a new flag named `--exit-1-on-failure` which will make
`cnquery` exit with code `1` if any query result failed.

Simple Example:
```
cnquery run -c "1==2" --exit-1-on-failure
```

Closes mondoohq/cnspec#1671

Signed-off-by: Salim Afiune Maya <afiune@mondoo.com>

Author: afiune

.gitignore

@@ -3,6 +3,7 @@ dist
 alpine-container.tar
 centos-container.tar
 ./cnquery
+test/commands/cnquery
 file1
 id_rsa
 id_rsa.pub

apps/cnquery/cmd/plugin.go

@@ -123,6 +123,17 @@ func (c *cnqueryPlugin) RunQuery(conf *run.RunQueryConfig, runtime *providers.Ru
 		out.WriteString("[")
 	}
 
+	// anyResultFailed is a flag that will be switched on if any query result failed,
+	// if the flag `exit-1-on-failure` is provided and anyResultFailed is true, we
+	// will exit the program with the exit code `1`
+	var anyResultFailed = false
+	// we defer this check since we want it to be the last thing to be evaluated
+	defer func() {
+		if conf.GetExit_1OnFailure() && anyResultFailed {
+			os.Exit(1)
+		}
+	}()
+
 	for i := range discoveredAssets.Assets {
 		asset := discoveredAssets.Assets[i]
 
@@ -184,6 +195,17 @@ func (c *cnqueryPlugin) RunQuery(conf *run.RunQueryConfig, runtime *providers.Ru
 			return errors.Wrap(err, "failed to run")
 		}
 
+		// check if any result failed
+		for _, result := range results {
+			if result == nil || result.Data == nil {
+				continue
+			}
+
+			if truthy, ok := result.Data.IsTruthy(); ok && !truthy {
+				anyResultFailed = true
+			}
+		}
+
 		if conf.Format == "llx" && conf.Output != "" {
 			out, err := proto.Marshal(code)
 			if err != nil {
@@ -204,7 +226,6 @@ func (c *cnqueryPlugin) RunQuery(conf *run.RunQueryConfig, runtime *providers.Ru
 				out.WriteString(",")
 			}
 		}
-
 	}
 
 	if conf.Format == "json" {

apps/cnquery/cmd/run.go

@@ -32,6 +32,7 @@ func init() {
 	_ = RunCmd.Flags().MarkHidden("use-llx")
 	RunCmd.Flags().StringToString("annotations", nil, "Specify annotations for this run")
 	_ = RunCmd.Flags().MarkHidden("annotations")
+	RunCmd.Flags().Bool("exit-1-on-failure", false, "Exit with error code 1 if one or more query results fail")
 }
 
 var RunCmd = &cobra.Command{
@@ -53,6 +54,7 @@ var RunCmdRun = func(cmd *cobra.Command, runtime *providers.Runtime, cliRes *plu
 	conf.DoAst, _ = cmd.Flags().GetBool("ast")
 	conf.DoInfo, _ = cmd.Flags().GetBool("info")
 	conf.DoParse, _ = cmd.Flags().GetBool("parse")
+	conf.Exit_1OnFailure, _ = cmd.Flags().GetBool("exit-1-on-failure")
 	if doJSON, _ := cmd.Flags().GetBool("json"); doJSON {
 		conf.Format = "json"
 	}

shared/proto/cnquery.pb.go

@@ -24,6 +24,7 @@ message RunQueryConfig {
   bool incognito = 10;
   string output = 11;
   string input = 12;
+  bool exit_1_on_failure = 14;
 }
 
 message Empty {

shared/proto/cnquery.proto

@@ -4,24 +4,55 @@
 package commands
 
 import (
+	"log"
 	"os"
+	"os/exec"
+	"path"
+	"path/filepath"
 	"sync"
 	"testing"
 
 	cmdtest "github.com/google/go-cmdtest"
 	"github.com/spf13/cobra"
 	"github.com/stretchr/testify/require"
-	"go.mondoo.com/cnquery/v11/apps/cnquery/cmd"
 )
 
 var once sync.Once
+var testDir string
 var cnqueryCmd *cobra.Command
 
 func setup() {
-	var err error
-	cnqueryCmd, err = cmd.BuildRootCmd()
+	// build cnquery
+	if err := exec.Command("go", "build", "../../apps/cnquery/cnquery.go").Run(); err != nil {
+		log.Fatalf("building cnquery: %v", err)
+	}
+
+	// install local provider
+	if err := exec.Command("bash", "-c", "cd ../.. && make providers/build/os providers/install/os").Run(); err != nil {
+		log.Fatalf("building os provider: %v", err)
+	}
+
+	// create a fake directory to use for testing purposes (providers, config, etc.)
+	dir, err := os.MkdirTemp("", "mondoo")
+	if err != nil {
+		log.Fatalf("creating directory: %v", err)
+	}
+	testDir = dir
+
+	// provider install places the provider in the "$(HOME)/.config/mondoo/providers/${$@_NAME}") but we
+	// want to test it in isolation. Therefore, we copy the provider to the current directory .providers
+	osProviderPath := filepath.Join(testDir, "os")
+	if err := os.MkdirAll(osProviderPath, 0755); err != nil {
+		log.Fatalf("creating directory: %v", err)
+	}
+
+	distPath, err := filepath.Abs("../../providers/os/dist")
 	if err != nil {
-		panic(err)
+		log.Fatalf("unable to expand dist path: %v", err)
+	}
+
+	if err := os.CopyFS(osProviderPath, os.DirFS(distPath)); err != nil {
+		log.Fatalf("copying provider: %v", err)
 	}
 }
 
@@ -35,13 +66,15 @@ func TestCompare(t *testing.T) {
 	ts, err := cmdtest.Read("testdata")
 	require.NoError(t, err)
 
+	// Set a fake config path to avoid loading the real configuration
+	// file from the system running this tests
+	os.Setenv("MONDOO_CONFIG_PATH", path.Join(testDir, "foo"))
+	// Override providers path with the fake test directory
+	os.Setenv("PROVIDERS_PATH", testDir)
+	// Disable auto-update to avoid installing providers
+	os.Setenv("MONDOO_AUTO_UPDATE", "false")
+
 	ts.DisableLogging = true
-	ts.Commands["cnquery"] = cmdtest.InProcessProgram("cnquery", func() int {
-		err := cnqueryCmd.Execute()
-		if err != nil {
-			return 1
-		}
-		return 0
-	})
+	ts.Commands["cnquery"] = cmdtest.Program("cnquery")
 	ts.Run(t, false) // set to true to update test files
 }

test/commands/cli_test.go

@@ -6,17 +6,30 @@ Usage:
   cnquery run [command]
 
 Available Commands:
+  container   Run a query with a running container or container image
+  device      Run a query with a block device target
+  docker      Run a query with a running Docker container, Docker image, or Dockerfile
+  filesystem  Run a query with a mounted file system target
+  local       Run a query with your local system
   mock        Run a query with a recording file without an active connection
   sbom        Run a query with read SBOM file on disk
+  ssh         Run a query with a remote system via SSH
+  vagrant     Run a query with a Vagrant host
+  winrm       Run a query with a remote system via WinRM
 
 Flags:
-      --ast                  Parse the query and return the abstract syntax tree (AST)
-  -c, --command string       MQL query to execute in the shell
-  -h, --help                 help for run
-      --info                 Parse the query and provide information about it
-  -j, --json                 Run the query and return the object in a JSON structure
-      --parse                Parse the query and return the logical structure
-      --platform-id string   Select a specific target asset by providing its platform ID
+      --ast                    Parse the query and return the abstract syntax tree (AST)
+  -c, --command string         MQL query to execute in the shell
+      --discover strings       Enable the discovery of nested assets. Supports: all, auto, container, container-images
+      --exit-1-on-failure      Exit with error code 1 if one or more query results fail
+  -h, --help                   help for run
+      --info                   Parse the query and provide information about it
+  -j, --json                   Run the query and return the object in a JSON structure
+      --parse                  Parse the query and return the logical structure
+      --platform-id string     Select a specific target asset by providing its platform ID
+      --record string          Record all resource calls and use resources in the recording
+      --sudo                   Elevate privileges with sudo
+      --use-recording string   Use a recording to inject resource data (read-only)
 
 Global Flags:
       --api-proxy string   Set proxy for communications with Mondoo Platform API

test/commands/testdata/cnquery_run.ct

@@ -0,0 +1,11 @@
+$ cnquery run local -c 1==2
+→ no Mondoo configuration file provided, using defaults
+[failed]  == 2
+  expected: == 2
+  actual:   1
+
+$ cnquery run local -c 1==2 --exit-1-on-failure --> FAIL
+→ no Mondoo configuration file provided, using defaults
+[failed]  == 2
+  expected: == 2
+  actual:   1

test/commands/testdata/cnquery_run_exit_1_on_failure.ct

@@ -17,14 +17,25 @@ Usage:
   cnquery sbom [command]
 
 Available Commands:
+  container   Collect a software bill of materials (SBOM) for a running container or container image
+  docker      Collect a software bill of materials (SBOM) for a running Docker container, Docker image, or Dockerfile
+  filesystem  Collect a software bill of materials (SBOM) for a mounted file system target
+  local       Collect a software bill of materials (SBOM) for your local system
   sbom        Collect a software bill of materials (SBOM) for read SBOM file on disk
+  ssh         Collect a software bill of materials (SBOM) for a remote system via SSH
+  vagrant     Collect a software bill of materials (SBOM) for a Vagrant host
+  winrm       Collect a software bill of materials (SBOM) for a remote system via WinRM
 
 Flags:
       --annotation stringToString   Add an annotation to the asset (default [])
       --asset-name string           User-override for the asset name
+      --discover strings            Enable the discovery of nested assets. Supports: all, auto, container, container-images
   -h, --help                        help for sbom
   -o, --output string               Set output format: json, cyclonedx-json, cyclonedx-xml, spdx-json, spdx-tag-value, table (default "list")
       --output-target string        Set output target to which the SBOM report will be written
+      --record string               Record all resource calls and use resources in the recording
+      --sudo                        Elevate privileges with sudo
+      --use-recording string        Use a recording to inject resource data (read-only)
       --with-evidence               Display evidence for each component
 
 Global Flags:

test/commands/testdata/cnquery_sbom.ct

@@ -14,13 +14,22 @@ Usage:
   cnquery scan [command]
 
 Available Commands:
+  container   Scan a running container or container image
+  device      Scan a block device target
+  docker      Scan a running Docker container, Docker image, or Dockerfile
+  filesystem  Scan a mounted file system target
+  local       Scan your local system
   mock        Scan a recording file without an active connection
   sbom        Scan read SBOM file on disk
+  ssh         Scan a remote system via SSH
+  vagrant     Scan a Vagrant host
+  winrm       Scan a remote system via WinRM
 
 Flags:
       --annotation stringToString     Add an annotation to the asset (default [])
       --asset-name string             User-override for the asset name
       --detect-cicd                   Try to detect CI/CD environments. If detected, set the asset category to 'cicd' (default true)
+      --discover strings              Enable the discovery of nested assets. Supports: all, auto, container, container-images
   -h, --help                          help for scan
       --incognito                     Run in incognito mode. Do not report scan results to Mondoo Platform
       --inventory-file string         Set the path to the inventory file
@@ -32,7 +41,10 @@ Flags:
       --props stringToString          Custom values for properties (default [])
       --querypack querypack-bundle    Set the query packs to execute. This requires querypack-bundle. You can specify multiple UIDs
   -f, --querypack-bundle strings      Path to local query pack file
+      --record string                 Record all resource calls and use resources in the recording
+      --sudo                          Elevate privileges with sudo
       --trace-id string               Trace identifier
+      --use-recording string          Use a recording to inject resource data (read-only)
 
 Global Flags:
       --api-proxy string   Set proxy for communications with Mondoo Platform API