update(userspace/engine): add event codes to json output

Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
2025-08-07 09:13:57 +00:00 · 2023-05-16 10:32:59 +00:00 · 2023-05-16 10:32:59 +00:00 · e11b4c4430
commit e11b4c4430
parent 46cbc3c589
3 changed files with 32 additions and 1 deletions
--- a/userspace/engine/falco_engine.cpp
+++ b/userspace/engine/falco_engine.cpp
@ -601,6 +601,31 @@ Json::Value falco_engine::get_json_rule_details(const falco_rule& r, filter_deta
 	}
 	output["lists"] = lists;
 	if (rule_info->source == falco_common::syscall_source)
 	{
 		Json::Value events = Json::arrayValue;
 		std::unordered_set<std::string> evts;
 		for(const auto &e : rule_info->evttypes)
 		{
 			auto evt_info = libsinsp::events::info(e);
 			auto res = evts.insert(std::string(evt_info->name));
 			if(res.second)
 			{
 				events.append(evt_info->name);
 			}
 		}
 		output["events"] = events;
 	}
 	output["source"] = rule_info->source;
 	Json::Value tags = Json::arrayValue;
 	for(const auto &t : rule_info->tags)
 	{
 		tags.append(t);
 	}	
 	output["tags"] = tags;
 	details.reset();
 	return output;
--- a/userspace/engine/rule_loader.h
+++ b/userspace/engine/rule_loader.h
@ -456,6 +456,7 @@ namespace rule_loader
 		std::set<std::string> tags;
 		std::vector<rule_exception_info> exceptions;
 		falco_common::priority_type priority;
 		libsinsp::events::set<ppm_event_code> evttypes;
 		bool enabled;
 		bool warn_evttypes;
 		bool skip_if_unknown_filter;
--- a/userspace/engine/rule_loader_compiler.cpp
+++ b/userspace/engine/rule_loader_compiler.cpp
@ -386,7 +386,11 @@ void rule_loader::compiler::compile_rule_infos(
 	std::string err, condition;
 	std::set<falco::load_result::load_result::warning_code> warn_codes;
 	filter_warning_resolver warn_resolver;
-	for (auto &r : col.rules())
+
 	// note: cast away the const qualifier in the for loop
 	// this is needed because we want to store information about evttypes
 	// used by any rules, which might come in handy when describing rules.
 	for (auto &r : const_cast<indexed_vector<rule_info>&>(col.rules()))
 	{
 		// skip the rule if below the minimum priority
 		if (r.priority > cfg.min_priority)
@ -505,6 +509,7 @@ void rule_loader::compiler::compile_rule_infos(
 					"Rule matches too many evt.type values. This has a significant performance penalty.",
 					r.ctx);
 			}
 			r.evttypes = evttypes;
 		}
 	}
 }