github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-16 07:47:00 +00:00
Code Issues Projects Releases Wiki Activity

fix(userspace/engine): print rules fields with arguments

Browse Source 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
This commit is contained in:
Jason Dellaluce 2023-09-05 11:26:58 +00:00 committed by poiana
parent 26bdefae8e
commit cba80a404f
2 changed files with 26 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
userspace/engine/falco_engine.cpp
View File

@ -819,6 +819,19 @@ void falco_engine::get_json_used_plugins(
const std::unordered_set<std::string>& fields,
const std::vector<std::shared_ptr<sinsp_plugin>>& plugins) const
{
// note: condition and output fields may have an argument, so
// we need to isolate the field names
std::unordered_set<std::string> fieldnames;
for (auto f: fields)
{
auto argpos = f.find('[');
if (argpos != std::string::npos)
{
f = f.substr(0, argpos);
}
fieldnames.insert(f);
}
out = Json::arrayValue;
for (const auto& p : plugins)
{
@ -846,7 +859,7 @@ void falco_engine::get_json_used_plugins(
{
for (const auto &f : p->fields())
{
if (!used && fields.find(f.m_name) != fields.end())
if (!used && fieldnames.find(f.m_name) != fieldnames.end())
{
out.append(p->name());
used = true;

14
userspace/engine/filter_details_resolver.cpp
View File

@ -19,6 +19,16 @@ limitations under the License.
using namespace libsinsp::filter;
std::string get_field_name(const std::string& name, const std::string& arg)
{
std::string fld = name;
if (!arg.empty())
{
fld += "[" + arg + "]";
}
return fld;
}
void filter_details::reset()
{
fields.clear();
@ -86,7 +96,7 @@ void filter_details_resolver::visitor::visit(ast::list_expr* e)
void filter_details_resolver::visitor::visit(ast::binary_check_expr* e)
{
m_expect_macro = false;
m_details.fields.insert(e->field);
m_details.fields.insert(get_field_name(e->field, e->arg));
m_details.operators.insert(e->op);
if (e->field == "evt.type" || e->field == "evt.asynctype")
{
@ -105,7 +115,7 @@ void filter_details_resolver::visitor::visit(ast::binary_check_expr* e)
void filter_details_resolver::visitor::visit(ast::unary_check_expr* e)
{
m_expect_macro = false;
m_details.fields.insert(e->field);
m_details.fields.insert(get_field_name(e->field, e->arg));
m_details.operators.insert(e->op);
}