chore(engine): add deprecation warning for evt.latency when used in conditions

Emit a deprecation warning when `evt.latency` is detected in a rule condition. Signed-off-by: irozzo-1A <iacopo@sysdig.com>
2026-02-21 14:13:27 +00:00 · 2025-11-25 16:46:24 +01:00
parent 2d9f1f1abc
commit 5b53681d2f
3 changed files with 26 additions and 5 deletions
--- a/userspace/engine/falco_load_result.cpp
+++ b/userspace/engine/falco_load_result.cpp
@@ -143,7 +143,12 @@ const std::string& falco::load_result::warning_desc(warning_code wc) {
 	return warning_descs[static_cast<int>(wc)];
 }

-static const std::string deprecated_fields[] = {"evt.dir"};
+static const std::string deprecated_fields[] = {"evt.dir",
+                                                "evt.latency",
+                                                "evt.latency.s",
+                                                "evt.latency.ns",
+                                                "evt.latency.human",
+                                                "evt.wait_latency"};

 // Compile-time check to ensure deprecated_fields array has the correct size
 static_assert(
@@ -155,10 +160,19 @@ const std::string& falco::load_result::deprecated_field_str(deprecated_field df)
 	return deprecated_fields[static_cast<int>(df)];
 }

+// Shared description suffix for latency fields
+static const std::string latency_field_desc_suffix =
+        "field is not available due to the drop of enter events.";
+
 static const std::string deprecated_field_descs[] = {
        "due to the drop of enter events, 'evt.dir = <' always evaluates to true, and 'evt.dir = "
        ">' always evaluates to false. The rule expression can be simplified by removing the "
-        "condition on 'evt.dir'"};
+        "condition on 'evt.dir'",
+        latency_field_desc_suffix,
+        latency_field_desc_suffix,
+        latency_field_desc_suffix,
+        latency_field_desc_suffix,
+        latency_field_desc_suffix};

 // Compile-time check to ensure deprecated_field_descs array has the correct size
 static_assert(
--- a/userspace/engine/falco_load_result.h
+++ b/userspace/engine/falco_load_result.h
@@ -75,7 +75,15 @@ public:
 	// impact.
 	static const std::string& warning_desc(warning_code ec);

-	enum class deprecated_field { DEPRECATED_FIELD_EVT_DIR, DEPRECATED_FIELD_NOT_FOUND };
+	enum class deprecated_field {
+		DEPRECATED_FIELD_EVT_DIR,
+		DEPRECATED_FIELD_EVT_LATENCY,
+		DEPRECATED_FIELD_EVT_LATENCY_S,
+		DEPRECATED_FIELD_EVT_LATENCY_NS,
+		DEPRECATED_FIELD_EVT_LATENCY_HUMAN,
+		DEPRECATED_FIELD_EVT_WAIT_LATENCY,
+		DEPRECATED_FIELD_NOT_FOUND
+	};

 	// The deprecated field as a string
 	static const std::string& deprecated_field_str(deprecated_field df);
--- a/userspace/engine/rule_loader.h
+++ b/userspace/engine/rule_loader.h
@@ -215,8 +215,7 @@ struct deprecated_field_warning : warning {
 	        df(df) {}

 	std::string as_string() const override {
-		return warning::as_string() + ": field '" + falco::load_result::deprecated_field_str(df) +
-		       "' is deprecated";
+		return warning::as_string() + ": field '" + falco::load_result::deprecated_field_str(df);
 	};
 	std::string description() const override {
 		return warning::description() + ": " + falco::load_result::deprecated_field_desc(df);