From 6e12b95dd295d587580378893767ea235d2f34ce Mon Sep 17 00:00:00 2001
From: Lorenzo Susini
Date: Mon, 29 May 2023 12:17:58 +0000
Subject: [PATCH] update(userspace/engine): address jasondellaluce comments

Signed-off-by: Lorenzo Susini
---
 cmake/modules/falcosecurity-libs.cmake | 4 ++--
 userspace/engine/falco_engine.cpp | 17 +++++++----------
 userspace/engine/json_evt.h | 5 +++++
 3 files changed, 14 insertions(+), 12 deletions(-)

diff --git a/cmake/modules/falcosecurity-libs.cmake b/cmake/modules/falcosecurity-libs.cmake
index 7905a7d6..9040afb7 100644
--- a/cmake/modules/falcosecurity-libs.cmake
+++ b/cmake/modules/falcosecurity-libs.cmake
@@ -27,8 +27,8 @@ else()
 # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable - # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..`
 if(NOT FALCOSECURITY_LIBS_VERSION)
- set(FALCOSECURITY_LIBS_VERSION "0.11.0-rc3")
- set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=92d78d64dbbdcbf08256be91e1b74f4d99caaea35f27324219fc6a5c195c99b8")
+ set(FALCOSECURITY_LIBS_VERSION "0.11.0-rc4")
+ set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=4c2ce49b12e480b22e780ba31a33b7c109d84aee385e21a2aace452aef842ccb")
 endif()

 # cd /path/to/build && cmake /path/to/source
diff --git a/userspace/engine/falco_engine.cpp b/userspace/engine/falco_engine.cpp
index 5c1d7441..26faafd0 100644
--- a/userspace/engine/falco_engine.cpp
+++ b/userspace/engine/falco_engine.cpp
@@ -578,9 +578,9 @@ void falco_engine::get_json_details(const falco_rule &r,
 rule["details"] = json_details;

 // Get fields from output string
- sinsp_evt_formatter fmt(insp, r.output);
+ auto fmt = create_formatter(r.source, r.output);
 std::vector out_fields;
- fmt.get_field_names(out_fields);
+ fmt->get_field_names(out_fields);
 Json::Value outputFields = Json::arrayValue;
 for(const auto &of : out_fields)
 {
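Review bot: `fmt->get_field_names(out_fields)` is now called unconditionally on whatever `create_formatter(r.source, r.output)` hands back, and the `json_event_formatter::get_field_names` override added in json_evt.h in this same patch throws a falco_exception, so describing a rule whose source is served by that formatter would abort `get_json_details` instead of yielding a rule entry with an empty field list. Unless every caller of rule description already catches falco_exception, consider handling it at this call, e.g. `try { fmt->get_field_names(out_fields); } catch(const falco_exception &) { /* formatter cannot enumerate its fields; leave the list empty */ }`, or have the override fill nothing rather than throw. Whether `create_formatter` can return a null handle is not visible here; if it can, dereferencing `fmt` needs a check as well. `get_json_details` starts and ends outside this hunk.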
@@ -736,15 +736,12 @@ void falco_engine::get_json_evt_types(libsinsp::filter::ast::expr* ast,
 {
 output = Json::arrayValue;
 auto evtcodes = libsinsp::filter::ast::ppm_event_codes(ast);
- if(evtcodes.size() != libsinsp::events::all_event_set().size())
+ auto syscodes = libsinsp::filter::ast::ppm_sc_codes(ast);
+ auto syscodes_to_evt_names = libsinsp::events::sc_set_to_event_names(syscodes);
+ auto evtcodes_to_evt_names = libsinsp::events::event_set_to_names(evtcodes, false);
+ for (const auto& n : unordered_set_union(syscodes_to_evt_names, evtcodes_to_evt_names))
 {
- auto syscodes = libsinsp::filter::ast::ppm_sc_codes(ast);
- auto syscodes_to_evt_names = libsinsp::events::sc_set_to_event_names(syscodes);
- auto evtcodes_to_evt_names = libsinsp::events::event_set_to_names(evtcodes, false);
- for (const auto& n : unordered_set_union(syscodes_to_evt_names, evtcodes_to_evt_names))
- {
- output.append(n);
- }
+ output.append(n);
 }
 }
diff --git a/userspace/engine/json_evt.h b/userspace/engine/json_evt.h
index 009f20d0..5e4e840b 100644
--- a/userspace/engine/json_evt.h
+++ b/userspace/engine/json_evt.h
@@ -26,6 +26,7 @@ limitations under the License.
 #include
+#include "falco_common.h"
 #include "prefix_search.h"
 #include
@@ -435,6 +436,10 @@ public:
 bool tostring(gen_event *evt, std::string &output) override;
 bool tostring_withformat(gen_event *evt, std::string &output, gen_event_formatter::output_format of) override;
 bool get_field_values(gen_event *evt, std::map &fields) override;
+ void get_field_names(std::vector &fields) override
+ {
+ throw falco_exception("json_event_formatter::get_field_names operation not supported");
+ }
 output_format get_output_format() override;
 std::string tojson(json_event *ev);
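Review bot: The order in which names are appended to `output` is the iteration order of the `unordered_set_union(...)` result, which, if that helper returns a `std::unordered_set` as its name suggests, is unspecified and can differ between builds and runs, so the event-type arrays in the rule description JSON are not stable for diffing or for tests. Collecting the union into an ordered container before the loop fixes this without touching the rest of the function: `auto u = unordered_set_union(syscodes_to_evt_names, evtcodes_to_evt_names);` then `std::set<std::string> names(u.begin(), u.end());` and `for (const auto& n : names)` (needs `<set>` if the file does not already include it). The bare `false` passed to `event_set_to_names(evtcodes, false)` also deserves a short comment naming what it turns off (the libsinsp parameter is `resolve_generic`, if I recall correctly; worth checking against the libs version pinned in the cmake hunk above). `get_json_evt_types` starts outside this hunk.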
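Review bot: `get_field_names` is the only member in this block defined inline in the class body while its siblings (`tostring`, `get_field_values`, `get_output_format`) are declared here and defined elsewhere; for consistency, move the body next to them, or state why this one differs. A one-line comment above the declaration would also help callers, since a virtual override that always throws is surprising: `// JSON events carry no static field list: always throws falco_exception, so callers must catch it or avoid the call.` The newly included falco_common.h presumably exists to provide falco_exception for this inline body; if so, moving the definition out of the header also drops that include from a widely included header. The class this hunk belongs to starts outside the hunk.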