
Optimize query timing for the table aws_ecr_image_scan_finding #2492


Draft: wants to merge 4 commits into base: main

Conversation

ParthaI
Contributor

@ParthaI ParthaI commented May 9, 2025

Integration test logs

Logs
Add passing integration test logs here

Example query results

Results
> select
    distinct REPLACE(
        REPLACE(innerq."AWS_ACCOUNT_NAME", 'aws_', ''),
        '_',
        '-'
    ) as "AWS_ACCOUNT_NAME",
    innerq.region as "AWS_REGION",
    innerq.repository_name as "AWS_REPO",
    innerq.image_tag as "ECR_IMAGE_TAG",
    innerq.name as "COMMON_VULN_ID",
    innerq.uri as "VULN_INFO_URL",
    innerq.severity as "VULN_SEVERITY",
    innerq.package_version as "VULN_PACKAGE_VERSION",
    innerq.package_name as "VULN_PACKAGE_NAME"
from
    (
        with latest_image_ts as (
            select
                repository_name,
                max(image_pushed_at) as image_pushed_at
            from
                myawsaccount.aws_ecr_image
            group by
                repository_name
        ),
        images_with_tags as (
            select
                _ctx,
                region,
                repository_name,
                image_pushed_at,
                jsonb_array_elements_text(image_tags) :: text as image_tag
            from
                myawsaccount.aws_ecr_image
        )
        select
            i._ctx ->> 'connection_name' as "AWS_ACCOUNT_NAME",
            i.region,
            i.repository_name,
            i.image_pushed_at,
            i.image_tag,
            f.name,
            f.uri,
            f.severity,
            f.description,
            (jsonb_path_query(f.attributes, '$[*] ? (@.Key == "package_name")') -> 'Value' #>> '{}')::text as package_name,
            (jsonb_path_query(f.attributes, '$[*] ? (@.Key == "package_version")') -> 'Value' #>> '{}')::text as package_version
        from
            images_with_tags i
            join latest_image_ts l on (l.repository_name, l.image_pushed_at) = (i.repository_name, i.image_pushed_at)
            join myawsaccount.aws_ecr_image_scan_finding f on (f.repository_name, f.image_tag) = (l.repository_name, i.image_tag)
        order by
            repository_name,
            image_tag,
            severity,
            name,
            package_name
    ) innerq;

+------------------+------------+---------------------+---------------+-----------------+--------------------------------------------------------------+---------------+--------------------------+-------------------+
| AWS_ACCOUNT_NAME | AWS_REGION | AWS_REPO            | ECR_IMAGE_TAG | COMMON_VULN_ID  | VULN_INFO_URL                                                | VULN_SEVERITY | VULN_PACKAGE_VERSION     | VULN_PACKAGE_NAME |
+------------------+------------+---------------------+---------------+-----------------+--------------------------------------------------------------+---------------+--------------------------+-------------------+
| aws              | ap-south-1 | steampipe-container | v1.0.1        | ALAS2-2025-2753 | https://alas.aws.amazon.com/AL2/ALAS-2025-2753.html          | MEDIUM        | 2:9.0.2153-1.amzn2.0.2   | vim-data          |
| aws              | ap-south-1 | steampipe-container | v1.0.1        | ALAS2-2025-2753 | https://alas.aws.amazon.com/AL2/ALAS-2025-2753.html          | MEDIUM        | 2:9.0.2153-1.amzn2.0.2   | vim-minimal       |
| aws              | ap-south-1 | steampipe-container | v1.0.1        | ALAS2-2025-2767 | https://alas.aws.amazon.com/AL2/ALAS-2025-2767.html          | HIGH          | 2.56.1-9.amzn2.0.8       | glib2             |
| aws              | ap-south-1 | steampipe-container | v1.0.1        | ALAS2-2025-2774 | https://alas.aws.amazon.com/AL2/ALAS-2025-2774.html          | MEDIUM        | 2.1.0-15.amzn2.0.4       | expat             |
| aws              | ap-south-1 | steampipe-container | v1.0.1        | ALAS2-2025-2780 | https://alas.aws.amazon.com/AL2/ALAS-2025-2780.html          | MEDIUM        | 1:1.0.2k-24.amzn2.0.14   | openssl-libs      |
| aws              | ap-south-1 | steampipe-container | v1.0.1        | ALAS2-2025-2783 | https://alas.aws.amazon.com/AL2/ALAS-2025-2783.html          | HIGH          | 2.9.1-6.amzn2.5.14       | libxml2           |
| aws              | ap-south-1 | test                | latest        | CVE-2013-4235   | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2013-4235  | LOW           | 1:4.8.1-1ubuntu5.20.04.5 | shadow            |
| aws              | ap-south-1 | test                | latest        | CVE-2016-20013  | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-20013 | INFORMATIONAL | 2.31-0ubuntu9.14         | glibc             |
| aws              | ap-south-1 | test                | latest        | CVE-2016-2781   | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-2781  | LOW           | 8.30-3ubuntu2            | coreutils         |
| aws              | ap-south-1 | test                | latest        | CVE-2017-11164  | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-11164 | INFORMATIONAL | 2:8.39-12ubuntu0.1       | pcre3             |
| aws              | ap-south-1 | test                | latest        | CVE-2022-3219   | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-3219  | LOW           | 2.2.19-3ubuntu2.2        | gnupg2            |
| aws              | ap-south-1 | test                | latest        | CVE-2022-41409  | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-41409 | LOW           | 10.34-7ubuntu0.1         | pcre2             |
| aws              | ap-south-1 | test                | latest        | CVE-2023-26604  | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-26604 | LOW           | 245.4-4ubuntu3.23        | systemd           |
| aws              | ap-south-1 | test                | latest        | CVE-2023-29383  | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-29383 | LOW           | 1:4.8.1-1ubuntu5.20.04.5 | shadow            |
| aws              | ap-south-1 | test                | latest        | CVE-2023-45918  | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-45918 | LOW           | 6.2-0ubuntu2.1           | ncurses           |
| aws              | ap-south-1 | test                | latest        | CVE-2023-50495  | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-50495 | LOW           | 6.2-0ubuntu2.1           | ncurses           |
| aws              | ap-south-1 | test                | latest        | CVE-2023-7008   | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-7008  | LOW           | 245.4-4ubuntu3.23        | systemd           |
| aws              | ap-south-1 | test                | latest        | CVE-2024-10041  | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-10041 | MEDIUM        | 1.3.1-5ubuntu4.7         | pam               |
| aws              | ap-south-1 | test                | latest        | CVE-2024-12133  | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-12133 | MEDIUM        | 4.16.0-2                 | libtasn1-6        |
| aws              | ap-south-1 | test                | latest        | CVE-2024-12243  | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-12243 | MEDIUM        | 3.6.13-2ubuntu1.10       | gnutls28          |

@ParthaI ParthaI self-assigned this May 9, 2025
@ParthaI ParthaI requested a review from misraved May 9, 2025 05:34
@ParthaI ParthaI marked this pull request as draft May 9, 2025 05:35
@ParthaI
Contributor Author

ParthaI commented May 9, 2025

Table docs need to be updated based on feedback.

@ParthaI
Contributor Author

ParthaI commented May 9, 2025

Closing this PR since the complex query still fails with anyOf key quals.

@ParthaI ParthaI closed this May 9, 2025
@ParthaI ParthaI reopened this May 12, 2025
@cbruno10 cbruno10 requested a review from Copilot May 12, 2025 13:46
Contributor

@Copilot Copilot AI left a comment


Pull Request Overview

This PR optimizes query timing for the aws_ecr_image_scan_finding table by updating how qualifiers are handled and removing the dependency on the parent hydrate function.

  • Changed key column qualifiers from plugin.Optional to plugin.AnyOf for image_tag and image_digest.
  • Removed the RepositoryImage parent hydrate function and corresponding type.
  • Updated listAwsEcrImageScanFindings to extract repository details directly from query qualifiers.

Comment on lines 153 to +154
imageInfo := &types.ImageIdentifier{
ImageTag: repositoryTag.ImageTag,
ImageTag: aws.String(imageTag.GetStringValue()),
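Review bot: The identifier is filled in unconditionally from imageTag, yet the overview above says image_tag and image_digest are now AnyOf key quals, so a query that filters on image_digest alone reaches this line with no image_tag qual and sends ECR an ImageIdentifier whose tag is empty or nil and whose digest is never set. Branch on which qual is present, for example `if imageTag != nil { imageInfo.ImageTag = aws.String(imageTag.GetStringValue()) } else { imageInfo.ImageDigest = aws.String(imageDigest.GetStringValue()) }` (imageDigest being whatever variable the digest qual is read into), and return an error if neither qual is set rather than issuing the API call.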

Copilot AI May 12, 2025


If only 'image_digest' is provided and 'image_tag' is nil, calling GetStringValue() on a nil imageTag will cause a runtime panic. Consider adding a nil check or using the 'image_digest' value as a fallback.

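How the AnyOf image_tag / image_digest quals described in the overview can be resolved into one ECR image identifier, as an added Go example that is not the plugin's own code: ImageIdentifier and the quals map are stand-ins for the SDK types, and the sha256 digest check and the tag-over-digest preference are assumptions made here.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// ImageIdentifier stands in for the AWS SDK's types.ImageIdentifier
// (assumption: same two optional fields; ECR accepts a tag or a digest).
type ImageIdentifier struct {
	ImageTag    *string
	ImageDigest *string
}

// ECR image digests are always "sha256:" followed by 64 lowercase hex chars.
var ecrDigestRe = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

// imageFromQuals derives the repository name and image identifier from the
// query's equality quals. quals is a stand-in (assumption) for the string
// values of d.EqualsQuals keyed by column name.
func imageFromQuals(quals map[string]string) (string, ImageIdentifier, error) {
	repo := quals["repository_name"]
	if repo == "" {
		return "", ImageIdentifier{}, errors.New("repository_name qual is required")
	}
	tag, digest := quals["image_tag"], quals["image_digest"]
	switch {
	case tag != "":
		// Prefer the tag when both quals are given (a design choice here).
		return repo, ImageIdentifier{ImageTag: &tag}, nil
	case digest != "":
		if !ecrDigestRe.MatchString(digest) {
			return "", ImageIdentifier{}, fmt.Errorf("image_digest %q is not a sha256 digest", digest)
		}
		return repo, ImageIdentifier{ImageDigest: &digest}, nil
	default:
		// AnyOf means at least one column must appear in the query, but an
		// empty string satisfies the planner; refuse rather than send ECR an
		// identifier with neither field set.
		return "", ImageIdentifier{}, errors.New("image_tag or image_digest qual is required")
	}
}

func main() {
	// Constructed quals mirroring the `test` repository in the PR's results.
	repo, id, err := imageFromQuals(map[string]string{"repository_name": "test", "image_tag": "latest"})
	fmt.Println(repo, *id.ImageTag, err)
}
```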
