failed to compile fetched bundle

[chris-rock]

What is not working as you expected it?

Start a fresh container and install cnspec:

root@6bc492fbf5d2:/# cnspec scan local
! can't find any paths for providers, none are configured system-path=/opt/mondoo/providers
→ installing provider 'os' version=11.3.19
→ successfully installed os provider path=/opt/mondoo/providers/os version=11.3.19
→ no Mondoo configuration file provided, using defaults
! No credentials provided. Switching to --incognito mode.
→ discover related assets for 1 asset(s)

 6bc492fbf5d2 ────────────────────────────────────────────────    X score: X


Asset: (Ubuntu 22.04.3 LTS) 6bc492fbf5d2
----------------------------------------

error: failed to compile fetched bundle: failed to compile filters for query //local.cnspec.io/run/local-execution/queries/mondoo-kubernetes-security-pod-runasnonroot
failed to compile filters for query //local.cnspec.io/run/local-execution/queries/mondoo-kubernetes-security-cronjob-runasnonroot
failed to compile filters for query //local.cnspec.io/run/local-execution/queries/mondoo-kubernetes-security-job-runasnonroot


Scanned 1 asset

Ubuntu 22.04.3 LTS
    X           6bc492fbf5d2

Where on the platform does it happen?

It happens on all platforms where no authentication to the Mondoo platform is avaiable.

How do we replicate the issue?

1. Start a container
2. Install cnspec
3. Run the scan

Expected behavior (i.e. solution)

Scan runs through

Other Comments

[chris-rock]

The workaround is to

git clone [email protected]:mondoohq/cnspec-policies.git
cnspec scan -f core/{policy}.mql.yaml

[ehaselwanter]

thx

[chris-rock]

After some more investigation, I am able to reproduce it locally:

cnspec scan local -f cnspec-policies/core/mondoo-kubernetes-security.mql.yaml 
FTL failed to resolve policies error="failed to compile bundle: failed to compile filters for query //local.cnspec.io/run/local-execution/queries/mondoo-kubernetes-security-pod-runasnonroot\nfailed to compile filters for query //local.cnspec.io/run/local-execution/queries/mondoo-kubernetes-security-cronjob-runasnonroot\nfailed to compile filters for query //local.cnspec.io/run/local-execution/queries/mondoo-kubernetes-security-job-runasnonroot"

The problem is not happening on macOS or Windows. It it is also not related to registry as the problem seems to be located in the Kubernetes policy itself.

[chris-rock]

This problem only happens when you are on a Linux machine and the k8s provider is not installed. To mitigate the error without without manually downloading the policies, just manually install the provider:

cnspec providers install k8s

[chris-rock]

Since the issue is only happening when k8s provider is not installed, the user targets linux, we disabled the k8s policy as default policy in our registry for now mondoohq/cnspec-policies#470.

As a followup, we are going to have a discussion what the default behavior should be:

• should depending providers being downloaded by default?
• should queries where the provider is missing just being ignored?