mirror of
https://github.com/falcosecurity/falco.git
synced 2025-06-27 15:17:50 +00:00
Extract array miss as "no value" vs failed extract
While testing, I found a case when creating a pod where:

1) the first container had no securityContext value
2) the second container had a security context with privileged=true

and this did not match the default rule Create Privileged Pod, when it should match.

The rule Create Privileged Pod uses the field ka.req.pod.containers.privileged, which in turn uses json_event_filter_check::def_extract(). def_extract() iterates over a set of json_pointers, potentially expanding arrays as they are returned. Many k8s audit fields use this extract function.

For ka.req.pod.containers.privileged, the first json_pointer is /requestObject/spec/containers to find the list of containers, and the second is /securityContext/privileged to extract the privileged property out of the securityContext object. What's returned is an array of true/false noting if each container is privileged.

The problem is that def_extract() aborts when iterating over arrays if extracting a pointer from an array can't be done. In this case, the first pointer extracts the array of containers, and then when iterating over the array of containers, the security context pointer doesn't extract, causing the whole filter field to abort and return ::no_value.

The fix is to not abort when iterating over arrays, but use ::no_value for that array item's value instead. This allows def_extract() to extract the privileged value out of the second container.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
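The extraction behaviour the commit message describes, as an added example that is not Falco's own code: a small Python model of chained JSON-pointer extraction, run over the pod from the message once with the old abort-on-miss semantics and once with the fixed per-element no_value semantics. Function names and the `<NA>` marker are assumptions; Falco's real def_extract() works on nlohmann::json.

```python
# Added example (not Falco's code): models def_extract()'s chained JSON-pointer
# extraction before and after the fix. NO_VALUE stands in for ::no_value.
NO_VALUE = "<NA>"  # assumed marker for a missing element value

def resolve_pointer(node, pointer):
    """Resolve an RFC 6901 pointer over dicts/lists; return (found, value)."""
    for token in pointer.lstrip("/").split("/"):
        token = token.replace("~1", "/").replace("~0", "~")
        if isinstance(node, dict) and token in node:
            node = node[token]
        elif isinstance(node, list) and token.isdigit() and int(token) < len(node):
            node = node[int(token)]
        else:
            return False, None
    return True, node

def _walk(node, ptrs, i, out, abort_on_miss):
    if i == len(ptrs):            # all pointers applied: this is a leaf value
        out.append(node)
        return True
    found, val = resolve_pointer(node, ptrs[i])
    if not found:
        return False
    if isinstance(val, list):     # array: apply the remaining pointers per element
        for item in val:
            if not _walk(item, ptrs, i + 1, out, abort_on_miss):
                if abort_on_miss:
                    return False  # old behaviour: one miss fails the whole field
                out.append(NO_VALUE)  # fixed behaviour: mark just this element
        return True
    return _walk(val, ptrs, i + 1, out, abort_on_miss)

def extract(root, ptrs, abort_on_miss):
    """Return the list of extracted values, or None for a failed extract."""
    out = []
    return out if _walk(root, ptrs, 0, out, abort_on_miss) else None

# Constructed pod matching the commit message: first container has no
# securityContext, second is privileged.
POD = {"requestObject": {"spec": {"containers": [
    {"name": "app"},
    {"name": "sidecar", "securityContext": {"privileged": True}}]}}}
PTRS = ["/requestObject/spec/containers", "/securityContext/privileged"]

def privileged_before_fix():
    return extract(POD, PTRS, abort_on_miss=True)   # None: rule never sees True

def privileged_after_fix():
    return extract(POD, PTRS, abort_on_miss=False)  # ['<NA>', True]
```

With the old semantics the rule has nothing to compare against; with the fix the privileged flag of the second container is visible to the rule.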
This commit is contained in:
parent
f4ff2ed072
commit
ecccb9f26c
@ -312,7 +312,7 @@ bool json_event_filter_check::def_extract(const nlohmann::json &root,
{
if(!def_extract(item, ptrs, std::next(it, 1)))
{
return false;
add_extracted_value(no_value);
}
}
}
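Review bot: replacing `return false;` with `add_extracted_value(no_value);` in the per-element loop means a miss on one array item is now recorded as a `no_value` entry while the call keeps returning true, so a pod whose only privileged container follows one without a securityContext no longer loses the whole field. Two things worth covering before merging: every caller of def_extract() must now tolerate `no_value` entries inside the extracted array, including an array made entirely of them, which previously surfaced as a failed extract rather than a list of placeholders; and a unit test with the exact input from the commit message (first container without securityContext, second with privileged=true) would lock in the new behaviour and keep this detection gap from regressing.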