Issue with some Test Errors in cnquery Scans (Exchange server 2019) #4256

Closed
HRouhani opened this issue Jun 18, 2024 · 3 comments

@HRouhani

Summary:

The scan runs successfully overall; however, some specific tests encounter errors consistently. The error message for these tests is:

! Error:      Ensure 'External send connector authentication: DNS routing' is set to 'True'
  Message:    1 error occurred:
        * could not convert []interface {} to block

Notably, these tests execute without any issues when run directly from the shell.

Text example: test.mql.yaml

# Read more about the policy structure at https://mondoo.com/docs
policies:
  - uid: cis-microsoft-exchange-server-2019-es-level
    name: SSH Server Policy
    version: 1.0.0
    tags:
      another-key: another-value
      key: value
    authors:
      - name: Jane Doe
        email: jane@example.com
    docs:
      desc: |-
    groups:
      - uid: cis-microsoft-exchange-server-2019-es-level-1--1
        title: Edge Transport Server
        filters: |
          asset.platform == "windows"
          asset.version == 17763
        checks:
          - uid: cis-microsoft-exchange-server-2019--external-send-connector-authentication-dns-routing-set-true
queries:
  - uid: cis-microsoft-exchange-server-2019--external-send-connector-authentication-dns-routing-set-true
    title: 'Ensure ''External send connector authentication: DNS routing'' is set to ''True'''
    impact: 80
    tags:
      cisecurity.org/recommendation: "1.12"
    mql: |
     parse.json(content: powershell("
        Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn;
        $connector = Get-SendConnector | Select-Object DNSRoutingEnabled;
        $connector | ConvertTo-Json
      ").stdout).params {DNSRoutingEnabled == true}

The error appears when the customer has several connectors in this case.


Expected Behavior:

The test should pass without any errors during the cnquery scan, just as it does when the PowerShell command is executed directly from the shell.

Actual Behavior:
The test fails with the error: could not convert []interface {} to block.

Possible Cause:
The error suggests that there might be an issue with how cnquery processes the output of the PowerShell command or converts the JSON result.

Suggested Fix:
Investigate the output format of the PowerShell command and ensure it is compatible with the expected input format for cnquery.
Review the JSON parsing logic within cnquery to handle the output correctly.

Important:

Using .all() is not an option here, as in the case of a single connector it is not able to make a proper comparison, as can be seen here:

parse.json(content: powershell("
        Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn;
        $connector = Get-SendConnector | Select-Object DNSRoutingEnabled;
        $connector | ConvertTo-Json
      ").stdout).params.all(DNSRoutingEnabled == true)

	[failed] [].all()
  actual:   {
    DNSRoutingEnabled: true
  }
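
As an added illustration (not part of the original post and not cnquery's code), this Go program shows why each of the two query forms above fails on one input shape: piped `ConvertTo-Json` output decodes to a map for a single connector and to `[]interface {}` for several, so a check has to normalize the shape before comparing. The function names and the JSON samples are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed samples (not captured output; all names here are hypothetical):
// ConvertTo-Json prints a bare object for one connector, an array for several.
const oneConnector = `{"DNSRoutingEnabled": true}`
const twoConnectors = `[{"DNSRoutingEnabled": true}, {"DNSRoutingEnabled": false}]`

// connectors decodes either shape into a slice so one check covers both.
func connectors(raw string) ([]map[string]interface{}, error) {
	var v interface{}
	if err := json.Unmarshal([]byte(raw), &v); err != nil {
		return nil, err
	}
	switch t := v.(type) {
	case map[string]interface{}: // single connector
		return []map[string]interface{}{t}, nil
	case []interface{}: // several connectors
		out := make([]map[string]interface{}, 0, len(t))
		for _, e := range t {
			m, _ := e.(map[string]interface{}) // non-object element becomes a nil map
			out = append(out, m)
		}
		return out, nil
	}
	return nil, fmt.Errorf("unexpected top-level JSON type %T", v)
}

// dnsRoutingCompliant: every connector must have DNSRoutingEnabled == true.
func dnsRoutingCompliant(raw string) (bool, error) {
	list, err := connectors(raw)
	if err != nil {
		return false, err
	}
	for _, c := range list {
		if on, ok := c["DNSRoutingEnabled"].(bool); !ok || !on {
			return false, nil // missing or non-boolean field fails closed
		}
	}
	return true, nil
}

func main() {
	fmt.Println(dnsRoutingCompliant(oneConnector))
	fmt.Println(dnsRoutingCompliant(twoConnectors))
}
```
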
@mm-weber

We also tried working around this issue using a variants: policy, which didn't work, because we cannot use the parse.json(content: powershell().stdout) clause as a filters:

Example variants check that also doesn't work:

  - uid: cis-microsoft-exchange-server-2019--internet-facing-receive-connectors-set-tls-basicauth
    title: Ensure ‘Internet-facing receive connectors’ is set to ‘Tls, BasicAuth, BasicAuthRequireTLS’
    impact: 80
    variants:
      - uid: cis-microsoft-exchange-server-2019--internet-facing-receive-connectors-set-tls-basicauth-single
      - uid: cis-microsoft-exchange-server-2019--internet-facing-receive-connectors-set-tls-basicauth-all
  - uid: cis-microsoft-exchange-server-2019--internet-facing-receive-connectors-set-tls-basicauth-single
    filters: |
      psC1a = powershell("Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn; $connectors = Get-ReceiveConnector | Select-Object @{Name='AuthMechanism'; Expression={[string]$_.AuthMechanism}} ; $connectors | ConvertTo-Json ").stdout
      parse.json(content: psC1a).params > 1
    mql: |
      psC1b = powershell("Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn; $connectors = Get-ReceiveConnector | Select-Object @{Name='AuthMechanism'; Expression={[string]$_.AuthMechanism}} ; $connectors | ConvertTo-Json ").stdout
      parse.json(content: psC1b).params.all(AuthMechanism == "Tls, BasicAuth, BasicAuthRequireTLS")
  - uid: cis-microsoft-exchange-server-2019--internet-facing-receive-connectors-set-tls-basicauth-all
    filters: |
      psC2a = powershell("Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn; $connectors = Get-ReceiveConnector | Select-Object @{Name='AuthMechanism'; Expression={[string]$_.AuthMechanism}} ; $connectors | ConvertTo-Json ").stdout
      parse.json(content: psC2a).params <= 1
    mql: |
      psC2b = powershell("Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn; $connectors = Get-ReceiveConnector | Select-Object @{Name='AuthMechanism'; Expression={[string]$_.AuthMechanism}} ; $connectors | ConvertTo-Json ").stdout
      parse.json(content: psC2b).params.AuthMechanism == "Tls, BasicAuth, BasicAuthRequireTLS"

@mm-weber

mm-weber commented Jun 18, 2024

This blocks the completion of: https://github.com/mondoohq/cnspec-enterprise-policies/pull/917

@mm-weber mm-weber added bug Something isn't working exchange labels Jun 18, 2024
@jaym

jaym commented Jul 22, 2024

Can you provide the JSON that is causing problems?
