feat(engine): emit warning when a rule output uses deprecated "evt.dir"

Emit a warning when a rule uses the deprecated "evt.dir" field in output. Signed-off-by: Iacopo Rozzo <iacopo@sysdig.com>
2026-02-21 14:13:27 +00:00 · 2025-10-13 18:03:28 +02:00
parent 9ca8268c55
commit 1717a98749
2 changed files with 56 additions and 0 deletions
--- a/unit_tests/engine/test_rule_loader.cpp
+++ b/unit_tests/engine/test_rule_loader.cpp
@@ -1327,3 +1327,36 @@ TEST_F(test_falco_engine, empty_string_source_addl_rule) {

 	EXPECT_TRUE(load_rules(rules_content, "rules.yaml"));
 }
+
+TEST_F(test_falco_engine, deprecated_field_in_output) {
+	std::string rules_content = R"END(
+- rule: test_rule_with_evt_dir_in_output
+  desc: test rule with evt.dir in output
+  condition: evt.type = close
+  output: user=%user.name command=%proc.cmdline file=%fd.name evt.dir=%evt.dir
+  priority: INFO
+)END";
+
+	ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
+	ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
+	ASSERT_TRUE(has_warnings());
+	ASSERT_TRUE(check_warning_message(
+	        "usage of deprecated field 'evt.dir' has been detected in the rule output"))
+	        << m_load_result_string;
+	EXPECT_EQ(num_rules_for_ruleset(), 1);
+}
+
+TEST_F(test_falco_engine, no_deprecated_field_warning_in_output) {
+	std::string rules_content = R"END(
+- rule: test_rule_without_evt_dir
+  desc: test rule without evt.dir in output
+  condition: evt.type = close
+  output: user=%user.name command=%proc.cmdline file=%fd.name
+  priority: INFO
+)END";
+
+	ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
+	ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
+	ASSERT_FALSE(check_warning_message("evt.dir")) << m_load_result_string;
+	EXPECT_EQ(num_rules_for_ruleset(), 1);
+}
--- a/userspace/engine/rule_loader_compiler.cpp
+++ b/userspace/engine/rule_loader_compiler.cpp
@@ -72,6 +72,24 @@ static bool is_format_valid(const falco_source& source, std::string fmt, std::st
 	}
 }

+static void check_deprecated_fields_in_output(const std::string& fmt,
+                                              const rule_loader::context& ctx,
+                                              rule_loader::result& res) {
+	// Check for evt.dir field usage in output format
+	for(int i = 0;
+	    i < static_cast<int>(falco::load_result::deprecated_field::DEPRECATED_FIELD_NOT_FOUND);
+	    i++) {
+		auto df = falco::load_result::deprecated_field(i);
+		if(fmt.find(falco::load_result::deprecated_field_str(df)) != std::string::npos) {
+			res.add_deprecated_field_warning(df,
+			                                 "usage of deprecated field '" +
+			                                         falco::load_result::deprecated_field_str(df) +
+			                                         "' has been detected in the rule output",
+			                                 ctx);
+		}
+	}
+}
+
 static void build_rule_exception_infos(
        const std::vector<rule_loader::rule_exception_info>& exceptions,
        std::set<std::string>& exception_fields,
@@ -478,6 +496,9 @@ void rule_loader::compiler::compile_rule_infos(const configuration& cfg,
 			                          r.output_ctx);
 		}

+		// check for deprecated fields in output format
+		check_deprecated_fields_in_output(rule.output, r.output_ctx, *cfg.res);
+
 		// validate the rule's extra fields if any
 		for(auto const& ef : rule.extra_output_fields) {
 			if(!is_format_valid(*cfg.sources.at(r.source), ef.second.first, err)) {
@@ -485,6 +506,8 @@ void rule_loader::compiler::compile_rule_infos(const configuration& cfg,
 				                          err,
 				                          r.output_ctx);
 			}
+			// check for deprecated fields in extra output fields
+			check_deprecated_fields_in_output(ef.second.first, r.output_ctx, *cfg.res);
 		}

 		if(!compile_condition(cfg,