github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-03 18:06:44 +00:00
Code Issues Projects Releases Wiki Activity

update(userspace/engine): address jasondellaluce comments

Browse Source 
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
This commit is contained in:
Lorenzo Susini 2023-05-29 12:17:58 +00:00 committed by poiana
parent 0bd609d5a4
commit 6e12b95dd2
3 changed files with 14 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
cmake/modules/falcosecurity-libs.cmake
View File

@ -27,8 +27,8 @@ else()
# In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable - # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable -
# ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..` # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..`
if(NOT FALCOSECURITY_LIBS_VERSION) if(NOT FALCOSECURITY_LIBS_VERSION)
set(FALCOSECURITY_LIBS_VERSION "0.11.0-rc3") set(FALCOSECURITY_LIBS_VERSION "0.11.0-rc4")
set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=92d78d64dbbdcbf08256be91e1b74f4d99caaea35f27324219fc6a5c195c99b8") set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=4c2ce49b12e480b22e780ba31a33b7c109d84aee385e21a2aace452aef842ccb")
endif() endif()
# cd /path/to/build && cmake /path/to/source # cd /path/to/build && cmake /path/to/source

17
userspace/engine/falco_engine.cpp
View File

@ -578,9 +578,9 @@ void falco_engine::get_json_details(const falco_rule &r,
rule["details"] = json_details; rule["details"] = json_details;
// Get fields from output string // Get fields from output string
sinsp_evt_formatter fmt(insp, r.output); auto fmt = create_formatter(r.source, r.output);
std::vector<std::string> out_fields; std::vector<std::string> out_fields;
fmt.get_field_names(out_fields); fmt->get_field_names(out_fields);
Json::Value outputFields = Json::arrayValue; Json::Value outputFields = Json::arrayValue;
for(const auto &of : out_fields) for(const auto &of : out_fields)
{ {
@ -736,15 +736,12 @@ void falco_engine::get_json_evt_types(libsinsp::filter::ast::expr* ast,
{ {
output = Json::arrayValue; output = Json::arrayValue;
auto evtcodes = libsinsp::filter::ast::ppm_event_codes(ast); auto evtcodes = libsinsp::filter::ast::ppm_event_codes(ast);
if(evtcodes.size() != libsinsp::events::all_event_set().size()) auto syscodes = libsinsp::filter::ast::ppm_sc_codes(ast);
auto syscodes_to_evt_names = libsinsp::events::sc_set_to_event_names(syscodes);
auto evtcodes_to_evt_names = libsinsp::events::event_set_to_names(evtcodes, false);
for (const auto& n : unordered_set_union(syscodes_to_evt_names, evtcodes_to_evt_names))
{ {
auto syscodes = libsinsp::filter::ast::ppm_sc_codes(ast); output.append(n);
auto syscodes_to_evt_names = libsinsp::events::sc_set_to_event_names(syscodes);
auto evtcodes_to_evt_names = libsinsp::events::event_set_to_names(evtcodes, false);
for (const auto& n : unordered_set_union(syscodes_to_evt_names, evtcodes_to_evt_names))
{
output.append(n);
}
} }
} }

5
userspace/engine/json_evt.h
View File

@ -26,6 +26,7 @@ limitations under the License.
#include <nlohmann/json.hpp> #include <nlohmann/json.hpp>
#include "falco_common.h"
#include "prefix_search.h" #include "prefix_search.h"
#include <sinsp.h> #include <sinsp.h>
@ -435,6 +436,10 @@ public:
bool tostring(gen_event *evt, std::string &output) override; bool tostring(gen_event *evt, std::string &output) override;
bool tostring_withformat(gen_event *evt, std::string &output, gen_event_formatter::output_format of) override; bool tostring_withformat(gen_event *evt, std::string &output, gen_event_formatter::output_format of) override;
bool get_field_values(gen_event *evt, std::map<std::string, std::string> &fields) override; bool get_field_values(gen_event *evt, std::map<std::string, std::string> &fields) override;
void get_field_names(std::vector<std::string> &fields) override
{
throw falco_exception("json_event_formatter::get_field_names operation not supported");
}
output_format get_output_format() override; output_format get_output_format() override;
std::string tojson(json_event *ev); std::string tojson(json_event *ev);