🐛 llx: stop array contains/difference builtins panicking on a null argument (#8320)

* 🐛 llx: stop array contains/difference builtins panicking on a null argument

`arrayContainsAll`, `arrayContainsNone`, and `arrayDifferenceV2` guarded the
receiver array against null but then did an unchecked `arg.Value.([]any)` on
the argument. When the argument resolves to a typed null array — e.g. a
`map[string][]T` key miss such as `pam.conf.services["su"]` on a host with no
`/etc/pam.d` (COS, Flatcar, Bottlerocket k8s nodes) — that assertion panics
with `interface conversion: interface {} is nil, not []interface {}`.

Because the executor runs blocks in goroutines the panic is unrecoverable and
crashes the entire scan rather than failing the single check. The dict
variants already use the safe comma-ok form; only the array variants were
affected.

Guard the argument the same way the receiver is guarded: a null argument
propagates as null. The compiled `… == []` wrapper then resolves the check to
a clean pass/fail instead of crashing.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* 🟢 core: lock containsAll-of-empty-list returns true

mondoo-linux-security's su-restriction check relies on
`groups.containsAll(suRestrictedGroups)` being true when suRestrictedGroups is
an empty (typed, non-null) []string. Add a regression test pinning that
containsAll of an empty list is vacuously satisfied, distinct from the null-arg
case which propagates null.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: tas50

llx/builtin_array.go

@@ -815,6 +815,14 @@ func arrayDifferenceV2(e *blockExecutor, bind *RawData, chunk *Chunk, ref uint64
 		return nil, rref, err
 	}
 
+	// A null argument (e.g. a missing map key resolving to a typed null
+	// array) propagates as null, mirroring the receiver-nil guard above.
+	// Without this the `arg.Value.([]any)` assertion below panics, which
+	// crashes the whole scan rather than failing the single check.
+	if arg.Value == nil {
+		return &RawData{Type: bind.Type, Error: arg.Error}, 0, nil
+	}
+
 	t := types.Type(arg.Type)
 	if t != bind.Type {
 		return nil, 0, errors.New("called `difference` with wrong type (got: " + t.Label() + ", expected:" + bind.Type.Label() + ")")
@@ -920,6 +928,14 @@ func arrayContainsAll(e *blockExecutor, bind *RawData, chunk *Chunk, ref uint64)
 		return nil, rref, err
 	}
 
+	// A null argument (e.g. a missing map key resolving to a typed null
+	// array) propagates as null, mirroring the receiver-nil guard above.
+	// Without this the `arg.Value.([]any)` assertion below panics, which
+	// crashes the whole scan rather than failing the single check.
+	if arg.Value == nil {
+		return &RawData{Type: bind.Type, Error: arg.Error}, 0, nil
+	}
+
 	t := types.Type(arg.Type)
 	if t != bind.Type {
 		return nil, 0, errors.New("called `arrayNone` with wrong type (got: " + t.Label() + ", expected:" + bind.Type.Label() + ")")
@@ -973,6 +989,14 @@ func arrayContainsNone(e *blockExecutor, bind *RawData, chunk *Chunk, ref uint64
 		return nil, rref, err
 	}
 
+	// A null argument (e.g. a missing map key resolving to a typed null
+	// array) propagates as null, mirroring the receiver-nil guard above.
+	// Without this the `arg.Value.([]any)` assertion below panics, which
+	// crashes the whole scan rather than failing the single check.
+	if arg.Value == nil {
+		return &RawData{Type: bind.Type, Error: arg.Error}, 0, nil
+	}
+
 	t := types.Type(arg.Type)
 	if t != bind.Type {
 		return nil, 0, errors.New("called `arrayNone` with wrong type (got: " + t.Label() + ", expected:" + bind.Type.Label() + ")")

providers/core/resources/mql_test.go

@@ -741,6 +741,31 @@ func TestArray(t *testing.T) {
 			Code:        "['x'].containsAll([asset.labels['nope']])",
 			Expectation: []any{nil},
 		},
+		// Regression: a null argument (e.g. a missing map key resolving to a
+		// typed null array, as happens on hosts with no /etc/pam.d) must
+		// propagate as null instead of panicking the whole scan with
+		// "interface conversion: interface {} is nil, not []interface {}".
+		{
+			Code:        "a = {a: [1,2]}; [1,2,3].containsAll(a['b'])",
+			Expectation: nil,
+		},
+		{
+			Code:        "a = {a: [1,2]}; [1,2,3].containsNone(a['b'])",
+			Expectation: nil,
+		},
+		{
+			Code:        "a = {a: [1,2]}; [1,2,3] - a['b']",
+			Expectation: nil,
+		},
+		// Regression: containsAll of an empty (typed, non-null) list is
+		// vacuously satisfied, so the compiled `== []` check is true. The
+		// mondoo-linux-security su-restriction check relies on this for
+		// `groups.containsAll(suRestrictedGroups)` when no group is configured
+		// and suRestrictedGroups is an empty []string.
+		{
+			Code:        `a = ["x", "y"]; ["wheel", "sudo"].containsAll(a.where(false))`,
+			ResultIndex: 1, Expectation: true,
+		},
 		{
 			Code:        "['a','b'] != /c/",
 			ResultIndex: 0, Expectation: true,