Optimize query timing for the table aws_ecr_image_scan_finding #2492

Merged
merged 7 commits into from
Jun 11, 2025

Conversation

ParthaI
Contributor

@ParthaI ParthaI commented May 9, 2025

Integration test logs

Logs
Add passing integration test logs here

Example query results

Results
> select
    distinct REPLACE(
        REPLACE(innerq."AWS_ACCOUNT_NAME", 'aws_', ''),
        '_',
        '-'
    ) as "AWS_ACCOUNT_NAME",
    innerq.region as "AWS_REGION",
    innerq.repository_name as "AWS_REPO",
    innerq.image_tag as "ECR_IMAGE_TAG",
    innerq.name as "COMMON_VULN_ID",
    innerq.uri as "VULN_INFO_URL",
    innerq.severity as "VULN_SEVERITY",
    innerq.package_version as "VULN_PACKAGE_VERSION",
    innerq.package_name as "VULN_PACKAGE_NAME"
from
    (
        with latest_image_ts as (
            select
                repository_name,
                max(image_pushed_at) as image_pushed_at
            from
                myawsaccount.aws_ecr_image
            group by
                repository_name
        ),
        images_with_tags as (
            select
                _ctx,
                region,
                repository_name,
                image_pushed_at,
                jsonb_array_elements_text(image_tags) :: text as image_tag
            from
                myawsaccount.aws_ecr_image
        )
        select
            i._ctx ->> 'connection_name' as "AWS_ACCOUNT_NAME",
            i.region,
            i.repository_name,
            i.image_pushed_at,
            i.image_tag,
            f.name,
            f.uri,
            f.severity,
            f.description,
            (jsonb_path_query(f.attributes, '$[*] ? (@.Key == "package_name")') -> 'Value' #>> '{}')::text as package_name,
            (jsonb_path_query(f.attributes, '$[*] ? (@.Key == "package_version")') -> 'Value' #>> '{}')::text as package_version
        from
            images_with_tags i
            join latest_image_ts l on (l.repository_name, l.image_pushed_at) = (i.repository_name, i.image_pushed_at)
            join myawsaccount.aws_ecr_image_scan_finding f on (f.repository_name, f.image_tag) = (l.repository_name, i.image_tag)
        order by
            repository_name,
            image_tag,
            severity,
            name,
            package_name
    ) innerq;

+------------------+------------+---------------------+---------------+-----------------+--------------------------------------------------------------+---------------+--------------------------+-------------------+
| AWS_ACCOUNT_NAME | AWS_REGION | AWS_REPO            | ECR_IMAGE_TAG | COMMON_VULN_ID  | VULN_INFO_URL                                                | VULN_SEVERITY | VULN_PACKAGE_VERSION     | VULN_PACKAGE_NAME |
+------------------+------------+---------------------+---------------+-----------------+--------------------------------------------------------------+---------------+--------------------------+-------------------+
| aws              | ap-south-1 | steampipe-container | v1.0.1        | ALAS2-2025-2753 | https://alas.aws.amazon.com/AL2/ALAS-2025-2753.html          | MEDIUM        | 2:9.0.2153-1.amzn2.0.2   | vim-data          |
| aws              | ap-south-1 | steampipe-container | v1.0.1        | ALAS2-2025-2753 | https://alas.aws.amazon.com/AL2/ALAS-2025-2753.html          | MEDIUM        | 2:9.0.2153-1.amzn2.0.2   | vim-minimal       |
| aws              | ap-south-1 | steampipe-container | v1.0.1        | ALAS2-2025-2767 | https://alas.aws.amazon.com/AL2/ALAS-2025-2767.html          | HIGH          | 2.56.1-9.amzn2.0.8       | glib2             |
| aws              | ap-south-1 | steampipe-container | v1.0.1        | ALAS2-2025-2774 | https://alas.aws.amazon.com/AL2/ALAS-2025-2774.html          | MEDIUM        | 2.1.0-15.amzn2.0.4       | expat             |
| aws              | ap-south-1 | steampipe-container | v1.0.1        | ALAS2-2025-2780 | https://alas.aws.amazon.com/AL2/ALAS-2025-2780.html          | MEDIUM        | 1:1.0.2k-24.amzn2.0.14   | openssl-libs      |
| aws              | ap-south-1 | steampipe-container | v1.0.1        | ALAS2-2025-2783 | https://alas.aws.amazon.com/AL2/ALAS-2025-2783.html          | HIGH          | 2.9.1-6.amzn2.5.14       | libxml2           |
| aws              | ap-south-1 | test                | latest        | CVE-2013-4235   | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2013-4235  | LOW           | 1:4.8.1-1ubuntu5.20.04.5 | shadow            |
| aws              | ap-south-1 | test                | latest        | CVE-2016-20013  | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-20013 | INFORMATIONAL | 2.31-0ubuntu9.14         | glibc             |
| aws              | ap-south-1 | test                | latest        | CVE-2016-2781   | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-2781  | LOW           | 8.30-3ubuntu2            | coreutils         |
| aws              | ap-south-1 | test                | latest        | CVE-2017-11164  | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-11164 | INFORMATIONAL | 2:8.39-12ubuntu0.1       | pcre3             |
| aws              | ap-south-1 | test                | latest        | CVE-2022-3219   | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-3219  | LOW           | 2.2.19-3ubuntu2.2        | gnupg2            |
| aws              | ap-south-1 | test                | latest        | CVE-2022-41409  | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-41409 | LOW           | 10.34-7ubuntu0.1         | pcre2             |
| aws              | ap-south-1 | test                | latest        | CVE-2023-26604  | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-26604 | LOW           | 245.4-4ubuntu3.23        | systemd           |
| aws              | ap-south-1 | test                | latest        | CVE-2023-29383  | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-29383 | LOW           | 1:4.8.1-1ubuntu5.20.04.5 | shadow            |
| aws              | ap-south-1 | test                | latest        | CVE-2023-45918  | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-45918 | LOW           | 6.2-0ubuntu2.1           | ncurses           |
| aws              | ap-south-1 | test                | latest        | CVE-2023-50495  | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-50495 | LOW           | 6.2-0ubuntu2.1           | ncurses           |
| aws              | ap-south-1 | test                | latest        | CVE-2023-7008   | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-7008  | LOW           | 245.4-4ubuntu3.23        | systemd           |
| aws              | ap-south-1 | test                | latest        | CVE-2024-10041  | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-10041 | MEDIUM        | 1.3.1-5ubuntu4.7         | pam               |
| aws              | ap-south-1 | test                | latest        | CVE-2024-12133  | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-12133 | MEDIUM        | 4.16.0-2                 | libtasn1-6        |
| aws              | ap-south-1 | test                | latest        | CVE-2024-12243  | http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-12243 | MEDIUM        | 3.6.13-2ubuntu1.10       | gnutls28          |

@ParthaI ParthaI self-assigned this May 9, 2025
@ParthaI ParthaI requested a review from misraved May 9, 2025 05:34
@ParthaI ParthaI marked this pull request as draft May 9, 2025 05:35
@ParthaI
Contributor Author

ParthaI commented May 9, 2025

Table docs need to be updated based on feedback.

@ParthaI
Contributor Author

ParthaI commented May 9, 2025

Closing this PR since the complex query still fails with anyOf key quals.

@ParthaI ParthaI closed this May 9, 2025
@ParthaI ParthaI reopened this May 12, 2025
@cbruno10 cbruno10 requested a review from Copilot May 12, 2025 13:46
@ParthaI ParthaI marked this pull request as ready for review June 9, 2025 11:22
@ParthaI
Contributor Author

ParthaI commented Jun 9, 2025

There was an issue in Steampipe FDW related to handling anyOf qualifications. We've recently released an RC version (v1.1.5-rc.0) of the Steampipe CLI, which includes a fix for this FDW issue.

I have thoroughly tested this PR against the new Steampipe CLI RC version (v1.1.5-rc.0), and it is working perfectly without any issues.

Once the stable version of the Steampipe CLI is officially released with these FDW improvements, this PR will be ready to merge. 🚀

@cbruno10 cbruno10 requested a review from Copilot June 9, 2025 15:05
Contributor

@Copilot Copilot AI left a comment

Pull Request Overview

This PR optimizes query timing for the aws_ecr_image_scan_finding table by streamlining the data retrieval process. Key changes include:

  • Removing the ParentHydrate (listAwsEcrImageTags) to read query qualifiers directly.
  • Updating KeyColumns requirements for image_tag and image_digest from Optional to AnyOf.
  • Refactoring repository and image tag value assignments to use direct qualifier values.
Comments suppressed due to low confidence (3)

aws/table_aws_ecr_image_scan_finding.go:24

  • Removing ParentHydrate simplifies the implementation by relying on query qualifiers directly. Confirm that all necessary filtering logic previously provided through the parent function is maintained.
ParentHydrate: listAwsEcrImageTags,

aws/table_aws_ecr_image_scan_finding.go:36

  • Changing KeyColumns from Optional to AnyOf for image_tag and image_digest appears to align with the new design. Verify that the updated qualifier requirements work as expected with the query planner.
{Name: "image_tag", Require: plugin.AnyOf},

aws/table_aws_ecr_image_scan_finding.go:144

  • Switching to retrieving repositoryName directly from query qualifiers streamlines the input handling. Ensure that the qualifiers are always provided to prevent any potential runtime errors.
RepositoryName: aws.String(repositoryName.GetStringValue()),

@misraved misraved merged commit 38c1979 into main Jun 11, 2025
1 check passed
@misraved misraved deleted the optimize-query-timing-for-ecr-image-scanning-finding branch June 11, 2025 12:41