refactor(userspace/engine): restrict unsafe-na-check warning to k8s audit fields

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2025-06-27 23:27:20 +00:00 · 2022-04-21 12:24:54 +00:00 · 2022-04-21 12:24:54 +00:00 · 0bf53f0f88
commit 0bf53f0f88
parent 37d03cf7bc
2 changed files with 20 additions and 12 deletions
--- a/tests/engine/test_filter_warning_resolver.cpp
+++ b/tests/engine/test_filter_warning_resolver.cpp
@ -28,17 +28,19 @@ static bool warns(const std::string& condition)
 TEST_CASE("Should spot warnings in filtering conditions", "[rule_loader]")
 {
-	SECTION("for unsafe usage of <NA>")
+	SECTION("for unsafe usage of <NA> in k8s audit fields")
 	{
-		REQUIRE(false == warns("sample.field exists"));
+		REQUIRE(false == warns("ka.field exists"));
-		REQUIRE(true == warns("sample.field = <NA>"));
+		REQUIRE(false == warns("some.field = <NA>"));
-		REQUIRE(true == warns("sample.field == <NA>"));
+		REQUIRE(true == warns("jevt.field = <NA>"));
-		REQUIRE(true == warns("sample.field != <NA>"));
+		REQUIRE(true == warns("ka.field = <NA>"));
-		REQUIRE(true == warns("sample.field in (<NA>)"));
+		REQUIRE(true == warns("ka.field == <NA>"));
-		REQUIRE(true == warns("sample.field in (otherval, <NA>)"));
+		REQUIRE(true == warns("ka.field != <NA>"));
-		REQUIRE(true == warns("sample.field intersects (<NA>)"));
+		REQUIRE(true == warns("ka.field in (<NA>)"));
-		REQUIRE(true == warns("sample.field intersects (otherval, <NA>)"));
+		REQUIRE(true == warns("ka.field in (otherval, <NA>)"));
-		REQUIRE(true == warns("sample.field pmatch (<NA>)"));
+		REQUIRE(true == warns("ka.field intersects (<NA>)"));
-		REQUIRE(true == warns("sample.field pmatch (otherval, <NA>)"));
+		REQUIRE(true == warns("ka.field intersects (otherval, <NA>)"));
 		REQUIRE(true == warns("ka.field pmatch (<NA>)"));
 		REQUIRE(true == warns("ka.field pmatch (otherval, <NA>)"));
 	}
 }
--- a/userspace/engine/filter_warning_resolver.cpp
+++ b/userspace/engine/filter_warning_resolver.cpp
@ -20,6 +20,12 @@ limitations under the License.
 static const char* no_value = "<NA>";
 static const char* warn_unsafe_na_check = "unsafe-na-check";
 static inline bool is_unsafe_field(const string& f)
 {
 	return !strncmp(f.c_str(), "ka.", strlen("ka."))
 		|| !strncmp(f.c_str(), "jevt.", strlen("jevt."));
 }
 static inline bool is_equality_operator(const string& op)
 {
 	return op == "==" || op == "=" || op == "!="
@ -57,7 +63,7 @@ bool filter_warning_resolver::format(
 void filter_warning_resolver::visitor::visit(
 	libsinsp::filter::ast::binary_check_expr* e)
 {
-	if (is_equality_operator(e->op))
+	if (is_unsafe_field(e->field) && is_equality_operator(e->op))
 	{
 		m_is_equality_check = true;
 		e->value->accept(this);