Doc changes for VSCode extensions (#17639)

Doc changes for #17003
2026-05-23 08:58:41 +00:00 · 2024-03-14 17:00:07 -03:00 · 2024-03-14 17:00:07 -03:00 · 01dfce56cf
commit 01dfce56cf
parent e6dbb66869
2 changed files with 44 additions and 14 deletions
--- a/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
+++ b/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
@ -1050,20 +1050,10 @@ apiVersion: v1
 kind: query
 spec:
  name: Get a list of Visual Studio Code extensions
-  platform: darwin
-  description: Get a list of installed VS Code extensions.
+  platform: darwin, linux, windows
+  description: Get a list of installed VS Code extensions (requires osquery > 5.11.0).
  query: |
-    SELECT  split(user_path, '/', 1) as username,
-        json_extract(value, '$.identifier.id') as id,
-        json_extract(value, '$.identifier.uuid') as uuid,
-        json_extract(value, '$.location.path') as path,
-        json_extract(value, '$.version') as version,
-        json_extract(value, '$.metadata.publisherDisplayName') as publisher_display_name
-        FROM (
-          SELECT file_lines.path as user_path, value
-          FROM file_lines, json_each(line)
-          WHERE file_lines.path LIKE '/Users/%/.vscode/extensions/extensions.json'
-        );
+    SELECT u.username, vs.* FROM users u CROSS JOIN vscode_extensions vs USING (uid);
  purpose: Informational
  tags: inventory
  contributors: lucasmrod,sharon-fdm,zwass
--- a/Fleet/Understanding-host-vitals.md
+++ b/Fleet/Understanding-host-vitals.md
@ -178,7 +178,8 @@ WITH registry_keys AS (
                            MAX(CASE WHEN name = 'UPN' THEN data END) AS upn,
                            MAX(CASE WHEN name = 'IsFederated' THEN data END) AS is_federated,
                            MAX(CASE WHEN name = 'DiscoveryServiceFullURL' THEN data END) AS discovery_service_url,
-                            MAX(CASE WHEN name = 'ProviderID' THEN data END) AS provider_id
+                            MAX(CASE WHEN name = 'ProviderID' THEN data END) AS provider_id,
+                            MAX(CASE WHEN name = 'EnrollmentState' THEN data END) AS state
                        FROM registry_keys
                        GROUP BY key
                    ),
@ -195,6 +196,10 @@ WITH registry_keys AS (
                        i.installation_type
                    FROM installation_info i
                    LEFT JOIN enrollment_info e ON e.upn IS NOT NULL
+		    -- coalesce to 'unknown' and keep that state in the list
+		    -- in order to account for hosts that might not have this
+		    -- key, and servers
+                    WHERE COALESCE(e.state, '0') IN ('0', '1', '2')
                    LIMIT 1;
 ```

@ -565,6 +570,7 @@ SELECT
  '' AS extension_id,
  '' AS browser,
  'apps' AS source,
+  '' AS vendor,
  last_opened_time AS last_opened_at,
  path AS installed_path
 FROM apps
@ -577,6 +583,7 @@ SELECT
  '' AS extension_id,
  '' AS browser,
  'python_packages' AS source,
+  '' AS vendor,
  0 AS last_opened_at,
  path AS installed_path
 FROM python_packages
@ -589,6 +596,7 @@ SELECT
  identifier AS extension_id,
  browser_type AS browser,
  'chrome_extensions' AS source,
+  '' AS vendor,
  0 AS last_opened_at,
  path AS installed_path
 FROM cached_users CROSS JOIN chrome_extensions USING (uid)
@ -601,6 +609,7 @@ SELECT
  identifier AS extension_id,
  'firefox' AS browser,
  'firefox_addons' AS source,
+  '' AS vendor,
  0 AS last_opened_at,
  path AS installed_path
 FROM cached_users CROSS JOIN firefox_addons USING (uid)
@ -613,6 +622,7 @@ SELECT
  '' AS extension_id,
  '' AS browser,
  'safari_extensions' AS source,
+  '' AS vendor,
  0 AS last_opened_at,
  path AS installed_path
 FROM cached_users CROSS JOIN safari_extensions USING (uid)
@ -625,11 +635,41 @@ SELECT
  '' AS extension_id,
  '' AS browser,
  'homebrew_packages' AS source,
+  '' AS vendor,
  0 AS last_opened_at,
  path AS installed_path
 FROM homebrew_packages;
 ```

+## software_vscode_extensions
+
+- Platforms: linux, ubuntu, debian, rhel, centos, sles, kali, gentoo, amzn, pop, arch, linuxmint, void, nixos, endeavouros, manjaro, opensuse-leap, opensuse-tumbleweed, darwin, windows
+
+- Discovery query:
+```sql
+SELECT 1 FROM osquery_registry WHERE active = true AND registry = 'table' AND name = 'vscode_extensions';
+```
+
+- Query:
+```sql
+WITH cached_users AS (WITH cached_groups AS (select * from groups)
+ SELECT uid, username, type, groupname, shell
+ FROM users LEFT JOIN cached_groups USING (gid)
+ WHERE type <> 'special' AND shell NOT LIKE '%/false' AND shell NOT LIKE '%/nologin' AND shell NOT LIKE '%/shutdown' AND shell NOT LIKE '%/halt' AND username NOT LIKE '%$' AND username NOT LIKE '\_%' ESCAPE '\' AND NOT (username = 'sync' AND shell ='/bin/sync' AND directory <> ''))
+SELECT
+  name,
+  version,
+  'IDE extension (VS Code)' AS type,
+  '' AS bundle_identifier,
+  uuid AS extension_id,
+  '' AS browser,
+  'vscode_extensions' AS source,
+  publisher AS vendor,
+  '' AS last_opened_at,
+  path AS installed_path
+FROM cached_users CROSS JOIN vscode_extensions USING (uid)
+```
+
 ## software_windows

 - Platforms: windows