wip

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

.github/release_template.md

@@ -0,0 +1,21 @@
+![LIBS](https://img.shields.io/badge/LIBS-LIBSVER-yellow)
+![DRIVER](https://img.shields.io/badge/DRIVER-DRIVERVER-yellow)
+
+| Packages | Download                                                                                                                                               |
+| -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| rpm-x86_64      | [![rpm](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpmFALCOBUCKET/falco-FALCOVER-x86_64.rpm)        |
+| deb-x86_64      | [![deb](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/debFALCOBUCKET/stable/falco-FALCOVER-x86_64.deb) |
+| tgz-x86_64      | [![tgz](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/binFALCOBUCKET/x86_64/falco-FALCOVER-x86_64.tar.gz) |
+| rpm-aarch64      | [![rpm](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpmFALCOBUCKET/falco-FALCOVER-aarch64.rpm)        |
+| deb-aarch64      | [![deb](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/debFALCOBUCKET/stable/falco-FALCOVER-aarch64.deb) |
+| tgz-aarch64      | [![tgz](https://img.shields.io/badge/Falco-FALCOVER-%2300aec7?style=flat-square)](https://download.falco.org/packages/binFALCOBUCKET/aarch64/falco-FALCOVER-aarch64.tar.gz) |
+
+| Images                                                                      |
+| --------------------------------------------------------------------------- |
+| `docker pull docker.io/falcosecurity/falco:FALCOVER`                           |
+| `docker pull public.ecr.aws/falcosecurity/falco:FALCOVER`                      |
+| `docker pull docker.io/falcosecurity/falco-driver-loader:FALCOVER`             |
+| `docker pull docker.io/falcosecurity/falco-driver-loader-legacy:FALCOVER`      |
+| `docker pull docker.io/falcosecurity/falco-no-driver:FALCOVER`                 |
+| `docker pull docker.io/falcosecurity/falco-distroless:FALCOVER`                |
+

.github/workflows/release.yaml

@@ -122,3 +122,47 @@ jobs:
       is_latest: ${{ needs.release-settings.outputs.is_latest == 'true' }}
       tag: ${{ github.event.release.tag_name }}
       sign: true
+      
+  release-body:
+    needs: [release-settings, publish-docker]
+    if: ${{ needs.release-settings.outputs.is_latest == 'true' }} # only for latest releases
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Clone repo
+        uses: actions/checkout@v4
+          
+      - name: Extract LIBS and DRIVER versions
+        run: |
+          cp .github/release_template.md release-body.md
+          LIBS_VERS=$(cat cmake/modules/falcosecurity-libs.cmake | grep 'set(FALCOSECURITY_LIBS_VERSION' | tail -n1 | grep -o '[[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*')
+          DRIVER_VERS=$(cat cmake/modules/driver.cmake | grep 'set(DRIVER_VERSION' | tail -n1 | grep -o '[[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*')
+          sed -i s/LIBSVER/$LIBS_VERS/g release-body.md
+          sed -i s/DRIVERVER/$DRIVER_VERS/g release-body.md
+          
+      - name: Append release matrixes
+        run: |
+          sed -i s/FALCOBUCKET/${{ needs.release-settings.outputs.bucket_suffix }}/g release-body.md
+          sed -i s/FALCOVER/${{ github.event.release.tag_name }}/g release-body.md
+          
+      - name: Generate release notes
+        uses: leodido/rn2md@0669e5f3b21492c11c2db43cd6e267566f5880f3
+        with:
+          milestone: ${{ github.event.release.tag_name }}
+          output: ./notes.md
+        
+      - name: Merge release notes to pre existent body
+        run: cat notes.md >> release-body.md
+        
+      - name: Attach release creator to release body
+        run: |
+          echo "" >> release-body.md
+          echo "#### Release Manager @${{ github.event.release.author.login }}" >> release-body.md
+        
+      - name: Release
+        uses: softprops/action-gh-release@v1
+        with:
+          body_path: ./release-body.md
+          tag_name: ${{ github.event.release.tag_name }}
+          name: ${{ github.event.release.name }}

.github/workflows/reusable_build_docker.yaml

@@ -78,8 +78,10 @@ jobs:
 
       - name: Build falco-driver-loader-legacy image
         run: |
-          cd ${{ github.workspace }}/docker/driver-loader/
+          cd ${{ github.workspace }}/docker/driver-loader-legacy/
           docker build -t docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.arch }}-${{ inputs.tag }} \
+            --build-arg VERSION_BUCKET=deb${{ inputs.bucket_suffix }} \
+            --build-arg FALCO_VERSION=${{ inputs.version }} \
             --build-arg TARGETARCH=${TARGETARCH} \
             .
             docker save docker.io/falcosecurity/falco-driver-loader-legacy:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-driver-loader-legacy-${{ inputs.arch }}.tar

CHANGELOG.md

@@ -1,5 +1,132 @@
 # Change Log
 
+
+## v0.36.0
+
+Released on 2023-09-26
+
+### Breaking Changes
+
+- The default rules file that is shipped in the Falco image and/or can be downloaded via falcoctl as `falco-rules` is now a _stable_ rule file. This file **contains a much smaller number of rules** that are less noisy and have been vetted by the community. This serves as a much requested "starter" Falco rule set that covers many common use case. The rest of that file has been expanded and split into `falco-incubating-rules` and `falco-sandbox-rules`. For more information, see the [rules repository](https://github.com/falcosecurity/rules)
+- The main `falcosecurity/falco` container image and its `falco-driver-loader` counterpart have been upgraded. Now they are able to compile the kernel module or classic eBPF probe for relatively newer version of the kernel (5.x and above) while we no longer ship toolchains to compile the kernel module for older versions in the default images. Downloading of prebuilt drivers and the modern eBPF will work exactly like before. The older image, meant for compatibility with older kernels (4.x and below), is currently retained as `falcosecurity/falco-driver-loader-legacy`.
+- The Falco HTTP output no longer logs to stdout by default for performance reasons. You can set stdout logging preferences and restore the previous behavior with the configuration option `http_output.echo` in `falco.yaml`.
+- The `--list-syscall-events` command line option has been replaced by `--list-events` which prints all supported system events (syscall, tracepoints, metaevents, internal plugin events) in addition to extra information about flags.
+- The semantics of `proc.exepath` have changed. Now that field contains the executable path on disk even if the binary was launched from a symbolic link.
+- The `-d` daemonize option has been removed.
+- The `-p` option is now changed:
+    - when only `-pc` is set Falco will print `container_id=%container.id container_image=%container.image.repository container_image_tag=%container.image.tag container_name=%container.name`
+    - when `-pk` is set it will print as above, but with `k8s_ns=%k8s.ns.name k8s_pod_name=%k8s.pod.name` appended
+
+
+### Major Changes
+
+
+* new(falco-driver-loader): --source-only now prints the values as env vars [[#2353](https://github.com/falcosecurity/falco/pull/2353)] - [@steakunderscore](https://github.com/steakunderscore)
+* new(docker): allow passing options to falco-driver-loader from the driver loader cointainer [[#2781](https://github.com/falcosecurity/falco/pull/2781)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* new(docker): add experimental falco-distroless image based on Wolfi [[#2768](https://github.com/falcosecurity/falco/pull/2768)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* new: the legacy falco image is available as driver-loader-legacy [[#2718](https://github.com/falcosecurity/falco/pull/2718)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* new: added option to enable/disable echoing of server answer to stdout (disabled by default) when using HTTP output [[#2602](https://github.com/falcosecurity/falco/pull/2602)] - [@FedeDP](https://github.com/FedeDP)
+* new: support systemctl reload for Falco services [[#2588](https://github.com/falcosecurity/falco/pull/2588)] - [@jabdr](https://github.com/jabdr)
+* new(falco/config): add new configurations for http_output that allow mTLS [[#2633](https://github.com/falcosecurity/falco/pull/2633)] - [@annadorottya](https://github.com/annadorottya)
+* new: allow falco to match multiple rules on same event [[#2705](https://github.com/falcosecurity/falco/pull/2705)] - [@loresuso](https://github.com/loresuso)
+
+
+### Minor Changes
+
+* update(cmake): bumped bundled falcoctl to 0.6.2 [[#2829](https://github.com/falcosecurity/falco/pull/2829)] - [@FedeDP](https://github.com/FedeDP)
+* update(rules)!: major rule update to version 2.0.0 [[#2823](https://github.com/falcosecurity/falco/pull/2823)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* update(cmake): bumped plugins to latest stable versions [[#2820](https://github.com/falcosecurity/falco/pull/2820)] - [@FedeDP](https://github.com/FedeDP)
+* update(cmake): bumped libs to 0.13.0-rc2 and driver to 6.0.1+driver [[#2806](https://github.com/falcosecurity/falco/pull/2806)] - [@FedeDP](https://github.com/FedeDP)
+* update!: default substitution for `%container.info` is now equal `container_id=%container.id container_name=%container.name` [[#2793](https://github.com/falcosecurity/falco/pull/2793)] - [@leogr](https://github.com/leogr)
+* update!: the --list-syscall-events flag is now called --list-events and lists all events [[#2771](https://github.com/falcosecurity/falco/pull/2771)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* update!: the Falco base image is now based on Debian 12 with gcc 11-12 [[#2718](https://github.com/falcosecurity/falco/pull/2718)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* update(docker): the Falco no-driver image is now based on Debian 12 [[#2782](https://github.com/falcosecurity/falco/pull/2782)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* feat(userspace)!: remove `-d` daemonize option [[#2677](https://github.com/falcosecurity/falco/pull/2677)] - [@incertum](https://github.com/incertum)
+* build(deps): Bump submodules/falcosecurity-rules from 3f52480 to 0d0e333 [[#2693](https://github.com/falcosecurity/falco/pull/2693)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* build(deps): Bump submodules/falcosecurity-rules from 3f52480 to b42893a [[#2756](https://github.com/falcosecurity/falco/pull/2756)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* build(deps): Bump submodules/falcosecurity-rules from b42893a to 6ed73fe [[#2780](https://github.com/falcosecurity/falco/pull/2780)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* update(cmake): bumped libs to 0.13.0-rc1 and driver to 6.0.0+driver. [[#2783](https://github.com/falcosecurity/falco/pull/2783)] - [@FedeDP](https://github.com/FedeDP)
+* feat: support parsing of system environment variables in yaml [[#2562](https://github.com/falcosecurity/falco/pull/2562)] - [@therealdwright](https://github.com/therealdwright)
+* feat(userspace)!: deprecate stats command args option in favor of metrics configs in falco.yaml [[#2739](https://github.com/falcosecurity/falco/pull/2739)] - [@incertum](https://github.com/incertum)
+* update: upgrade `falcoctl` to version 0.6.0 [[#2764](https://github.com/falcosecurity/falco/pull/2764)] - [@leogr](https://github.com/leogr)
+* cleanup: deprecate rate limiter mechanism [[#2762](https://github.com/falcosecurity/falco/pull/2762)] - [@Andreagit97](https://github.com/Andreagit97)
+* cleanup(config): add more info [[#2758](https://github.com/falcosecurity/falco/pull/2758)] - [@incertum](https://github.com/incertum)
+* update(userspace/engine): improve skip-if-unknown-filter YAML field [[#2749](https://github.com/falcosecurity/falco/pull/2749)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* chore: improved HTTP output performance [[#2602](https://github.com/falcosecurity/falco/pull/2602)] - [@FedeDP](https://github.com/FedeDP)
+* update!: HTTP output will no more echo to stdout by default [[#2602](https://github.com/falcosecurity/falco/pull/2602)] - [@FedeDP](https://github.com/FedeDP)
+* chore: remove b64 from falco dependencies [[#2746](https://github.com/falcosecurity/falco/pull/2746)] - [@Andreagit97](https://github.com/Andreagit97)
+* update(cmake): support building libs and driver from forks [[#2747](https://github.com/falcosecurity/falco/pull/2747)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update: `-p` presets have been updated to reflect the new rules style guide [[#2737](https://github.com/falcosecurity/falco/pull/2737)] - [@leogr](https://github.com/leogr)
+* feat: Allow specifying explicit kernel release and version for falco-driver-loader [[#2728](https://github.com/falcosecurity/falco/pull/2728)] - [@johananl](https://github.com/johananl)
+* cleanup(config): assign Stable to `base_syscalls` config [[#2740](https://github.com/falcosecurity/falco/pull/2740)] - [@incertum](https://github.com/incertum)
+* update : support build for wasm [[#2663](https://github.com/falcosecurity/falco/pull/2663)] - [@Rohith-Raju](https://github.com/Rohith-Raju)
+* docs(config.yaml): fix wrong severity levels for sinsp logger [[#2736](https://github.com/falcosecurity/falco/pull/2736)] - [@Andreagit97](https://github.com/Andreagit97)
+* update(cmake): bump libs and driver to 0.12.0 [[#2721](https://github.com/falcosecurity/falco/pull/2721)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update(docker): remove experimental image based on RedHat UBI [[#2720](https://github.com/falcosecurity/falco/pull/2720)] - [@leogr](https://github.com/leogr)
+
+
+### Bug Fixes
+
+* fix(outputs): expose queue_capacity_outputs config for memory control [[#2711](https://github.com/falcosecurity/falco/pull/2711)] - [@incertum](https://github.com/incertum)
+* fix(userspace/falco): cleanup metrics timer upon leaving. [[#2759](https://github.com/falcosecurity/falco/pull/2759)] - [@FedeDP](https://github.com/FedeDP)
+* fix: restore Falco MINIMAL_BUILD and deprecate `userspace` option [[#2761](https://github.com/falcosecurity/falco/pull/2761)] - [@Andreagit97](https://github.com/Andreagit97)
+* fix(userspace/engine): support appending to unknown sources [[#2753](https://github.com/falcosecurity/falco/pull/2753)] - [@jasondellaluce](https://github.com/jasondellaluce)
+
+
+
+### Non user-facing changes
+
+* build(deps): Bump submodules/falcosecurity-rules from `69c9be8` to `77ba57a` [[#2833](https://github.com/falcosecurity/falco/pull/2833)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* chore: bump submodule testing to 62edc65 [[#2831](https://github.com/falcosecurity/falco/pull/2831)] - [@Andreagit97](https://github.com/Andreagit97)
+* update(gha): add version for rn2md [[#2830](https://github.com/falcosecurity/falco/pull/2830)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* chore: automatically attach release author to release body. [[#2828](https://github.com/falcosecurity/falco/pull/2828)] - [@FedeDP](https://github.com/FedeDP)
+* new(ci): autogenerate release body. [[#2812](https://github.com/falcosecurity/falco/pull/2812)] - [@FedeDP](https://github.com/FedeDP)
+* fix(dockerfile): remove useless CMD [[#2824](https://github.com/falcosecurity/falco/pull/2824)] - [@Andreagit97](https://github.com/Andreagit97)
+* chore: bump to the latest libs [[#2822](https://github.com/falcosecurity/falco/pull/2822)] - [@Andreagit97](https://github.com/Andreagit97)
+* update: add SPDX license identifier [[#2809](https://github.com/falcosecurity/falco/pull/2809)] - [@leogr](https://github.com/leogr)
+* chore: bump to latest libs [[#2815](https://github.com/falcosecurity/falco/pull/2815)] - [@Andreagit97](https://github.com/Andreagit97)
+* build(deps): Bump submodules/falcosecurity-rules from `ee5fb38` to `bea364e` [[#2814](https://github.com/falcosecurity/falco/pull/2814)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* fix(build): set the right bucket and version for driver legacy [[#2800](https://github.com/falcosecurity/falco/pull/2800)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* build(deps): Bump submodules/falcosecurity-rules from `43580b4` to `ee5fb38` [[#2810](https://github.com/falcosecurity/falco/pull/2810)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* cleanup(userspace): thrown exceptions and avoid multiple logs [[#2803](https://github.com/falcosecurity/falco/pull/2803)] - [@Andreagit97](https://github.com/Andreagit97)
+* build(deps): Bump submodules/falcosecurity-rules from `c6e01fa` to `43580b4` [[#2801](https://github.com/falcosecurity/falco/pull/2801)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* build(deps): Bump submodules/falcosecurity-testing from `76d1743` to `30c3643` [[#2802](https://github.com/falcosecurity/falco/pull/2802)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* fix(userspace/falco): clearing full output queue [[#2798](https://github.com/falcosecurity/falco/pull/2798)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* update(docs): add driver-loader-legacy to readme and fix bad c&p [[#2799](https://github.com/falcosecurity/falco/pull/2799)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* build(deps): Bump submodules/falcosecurity-rules from `d31dbc2` to `c6e01fa` [[#2797](https://github.com/falcosecurity/falco/pull/2797)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* docs: add LICENSE file [[#2796](https://github.com/falcosecurity/falco/pull/2796)] - [@leogr](https://github.com/leogr)
+* build(deps): Bump submodules/falcosecurity-rules from `b6372d2` to `d31dbc2` [[#2794](https://github.com/falcosecurity/falco/pull/2794)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* fix(stats): always initialize m_output field [[#2789](https://github.com/falcosecurity/falco/pull/2789)] - [@Andreagit97](https://github.com/Andreagit97)
+* build(deps): Bump submodules/falcosecurity-rules from `6ed73fe` to `b6372d2` [[#2786](https://github.com/falcosecurity/falco/pull/2786)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* update(cmake/modules): bump rules to falco-rules-2.0.0-rc1 [[#2775](https://github.com/falcosecurity/falco/pull/2775)] - [@leogr](https://github.com/leogr)
+* update(OWNERS): add LucaGuerra to owners [[#2650](https://github.com/falcosecurity/falco/pull/2650)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* build(deps): Bump submodules/falcosecurity-rules from `9126bef` to `0328c59` [[#2709](https://github.com/falcosecurity/falco/pull/2709)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* build(deps): Bump submodules/falcosecurity-rules from `0d0e333` to `64ce419` [[#2731](https://github.com/falcosecurity/falco/pull/2731)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* build(deps): Bump submodules/falcosecurity-rules from `3ceea88` to `40a9817` [[#2745](https://github.com/falcosecurity/falco/pull/2745)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* docs(README.md): correct URL [[#2772](https://github.com/falcosecurity/falco/pull/2772)] - [@vjjmiras](https://github.com/vjjmiras)
+* #2393 Document why Falco is written in C++ rather than anything else [[#2410](https://github.com/falcosecurity/falco/pull/2410)] - [@RichardoC](https://github.com/RichardoC)
+* chore: bump Falco to latest libs [[#2769](https://github.com/falcosecurity/falco/pull/2769)] - [@Andreagit97](https://github.com/Andreagit97)
+* ci: disable falco-driver-loader tests on ARM64 [[#2770](https://github.com/falcosecurity/falco/pull/2770)] - [@Andreagit97](https://github.com/Andreagit97)
+* update(userspace/falco): revised CLI help messages [[#2755](https://github.com/falcosecurity/falco/pull/2755)] - [@leogr](https://github.com/leogr)
+* fix(engine): fix reorder warning for m_watch_config_files / m_rule_matching [[#2767](https://github.com/falcosecurity/falco/pull/2767)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* update: introduce new stats updated to the latest libs version [[#2766](https://github.com/falcosecurity/falco/pull/2766)] - [@Andreagit97](https://github.com/Andreagit97)
+* ci: support tests on amazon-linux [[#2765](https://github.com/falcosecurity/falco/pull/2765)] - [@Andreagit97](https://github.com/Andreagit97)
+* chore: bump Falco to latest libs master [[#2754](https://github.com/falcosecurity/falco/pull/2754)] - [@Andreagit97](https://github.com/Andreagit97)
+* build(deps): Bump submodules/falcosecurity-testing from `b39c807` to `9110022` [[#2760](https://github.com/falcosecurity/falco/pull/2760)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* fix: fix "ebpf_enabled" output stat [[#2751](https://github.com/falcosecurity/falco/pull/2751)] - [@Andreagit97](https://github.com/Andreagit97)
+* fix(userspace/engine): support both old and new gcc + std::move [[#2748](https://github.com/falcosecurity/falco/pull/2748)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* cleanup: turn some warnings into errors [[#2744](https://github.com/falcosecurity/falco/pull/2744)] - [@Andreagit97](https://github.com/Andreagit97)
+* update(ci): minimize retention days for build-only CI artifacts [[#2743](https://github.com/falcosecurity/falco/pull/2743)] - [@jasondellaluce](https://github.com/jasondellaluce)
+* cleanup: remove unused `--pidfile` option from systemd units [[#2742](https://github.com/falcosecurity/falco/pull/2742)] - [@Andreagit97](https://github.com/Andreagit97)
+* build(deps): Bump submodules/falcosecurity-rules from `bf1639a` to `3ceea88` [[#2741](https://github.com/falcosecurity/falco/pull/2741)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* build(deps): Bump submodules/falcosecurity-rules from `64ce419` to `bf1639a` [[#2738](https://github.com/falcosecurity/falco/pull/2738)] - [@dependabot[bot]](https://github.com/apps/dependabot)
+* Relocate tools on Flatcar in BPF mode [[#2729](https://github.com/falcosecurity/falco/pull/2729)] - [@johananl](https://github.com/johananl)
+* build: update versioning with cmake [[#2727](https://github.com/falcosecurity/falco/pull/2727)] - [@leogr](https://github.com/leogr)
+* update(userspace/engine): make rule_matching strategy stateless  [[#2726](https://github.com/falcosecurity/falco/pull/2726)] - [@loresuso](https://github.com/loresuso)
+* chore: bump Falco to latest libs version [[#2722](https://github.com/falcosecurity/falco/pull/2722)] - [@Andreagit97](https://github.com/Andreagit97)
+* update: enforce bumping engine version whenever appropriate [[#2719](https://github.com/falcosecurity/falco/pull/2719)] - [@jasondellaluce](https://github.com/jasondellaluce)
+
+
 ## v0.35.1
 
 Released on 2023-06-29

CMakeLists.txt

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: Apache-2.0
 #
 # Copyright (C) 2023 The Falco Authors.
 #

LICENSE

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2019 The Falco Authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

RELEASE.md

@@ -146,46 +146,8 @@ Assume `M.m.p` is the new version.
 
 - [Draft a new release](https://github.com/falcosecurity/falco/releases/new)
 - Use `M.m.p` both as tag version and release title
-- Use the following template to fill the release description:
-    ```
-    <!-- Substitute M.m.p with the current release version -->
-
-    | Packages | Download                                                                                                                                               |
-    | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
-    | rpm-x86_64      | [![rpm](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpm/falco-M.m.p-x86_64.rpm)        |
-    | deb-x86_64      | [![deb](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/deb/stable/falco-M.m.p-x86_64.deb) |
-    | tgz-x86_64      | [![tgz](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/bin/x86_64/falco-M.m.p-x86_64.tar.gz) |
-    | rpm-aarch64      | [![rpm](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/rpm/falco-M.m.p-aarch64.rpm)        |
-    | deb-aarch64      | [![deb](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/deb/stable/falco-M.m.p-aarch64.deb) |
-    | tgz-aarch64      | [![tgz](https://img.shields.io/badge/Falco-M.m.p-%2300aec7?style=flat-square)](https://download.falco.org/packages/bin/aarch64/falco-M.m.p-aarch64.tar.gz) |
-
-    | Images                                                                      |
-    | --------------------------------------------------------------------------- |
-    | `docker pull docker.io/falcosecurity/falco:M.m.p`                           |
-    | `docker pull public.ecr.aws/falcosecurity/falco:M.m.p`                      |
-    | `docker pull docker.io/falcosecurity/falco-driver-loader:M.m.p`             |
-    | `docker pull docker.io/falcosecurity/falco-no-driver:M.m.p`                 |
-
-    <changelog>
-
-    <!-- Substitute <changelog> with the one generated by [rn2md](https://github.com/leodido/rn2md) -->
-
-    ### Statistics
-
-    | Merged PRs      | Number |
-    | --------------- | ------ |
-    | Not user-facing | x      |
-    | Release note    | x      |
-    | Total           | x      |
-
-    <!-- Calculate stats and fill the above table -->
-
-    #### Release Manager <github handle>
-
-    <!-- Substitute GitHub handle with the release manager's one -->
-    ```
-
-- Finally, publish the release!
+- Do NOT fill body, since it will be autogenerated by the [github release workflow](.github/workflows/release.yaml)
+- Publish the release!
 - The release pipeline will start automatically upon publication and all packages and container images will be uploaded to the stable repositories.
 
 In order to check the status of the release pipeline click on the [GitHub Actions tab](https://github.com/falcosecurity/falco/actions?query=event%3Arelease) in the Falco repository and filter by release.

cmake/cpack/CMakeCPackOptions.cmake

@@ -1,3 +1,17 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
 if(CPACK_GENERATOR MATCHES "DEB" OR CPACK_GENERATOR MATCHES "RPM")
 	list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod-inject.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")

cmake/modules/CPackConfig.cmake

@@ -1,5 +1,6 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2022 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at

cmake/modules/Coverage.cmake

@@ -1,5 +1,6 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2020 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at

cmake/modules/copy_files_to_build_dir.cmake

@@ -1,5 +1,6 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2022 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at

cmake/modules/cpp-httplib.cmake

@@ -1,5 +1,6 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2022 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at

cmake/modules/cxxopts.cmake

@@ -1,5 +1,6 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2022 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at

cmake/modules/driver-repo/CMakeLists.txt

@@ -1,5 +1,6 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2022 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at

cmake/modules/driver.cmake

@@ -1,5 +1,6 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2022 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at
@@ -33,8 +34,8 @@ else()
   # In case you want to test against another driver version (or branch, or commit) just pass the variable -
   # ie., `cmake -DDRIVER_VERSION=dev ..`
   if(NOT DRIVER_VERSION)
-    set(DRIVER_VERSION "6.0.0+driver")
-    set(DRIVER_CHECKSUM "SHA256=573cef7b9c69cfe1d5d8b873d2a20ad8235a2a96997df6bcebd120692dee7a91")
+    set(DRIVER_VERSION "6.0.1+driver")
+    set(DRIVER_CHECKSUM "SHA256=2b4412b5053c8ed5bd1a9de745faa16ec0210dc65dc858af65951d4c8d22207c")
   endif()
 
   # cd /path/to/build && cmake /path/to/source

cmake/modules/falco-version.cmake

@@ -1,5 +1,6 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2020 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at

cmake/modules/falcoctl.cmake

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: Apache-2.0
 #
 # Copyright (C) 2023 The Falco Authors.
 #
@@ -15,14 +16,14 @@ include(ExternalProject)
 
 string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} FALCOCTL_SYSTEM_NAME)
 
-set(FALCOCTL_VERSION "0.6.0")
+set(FALCOCTL_VERSION "0.6.2")
 
 if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
     set(FALCOCTL_SYSTEM_PROC_GO "amd64")
-    set(FALCOCTL_HASH "b81c36449b525e1de871288741beeadead021ac133d9b306f0636be1befe58a5")
+    set(FALCOCTL_HASH "2d06d7577dbae91fb085f71477ff6e22076a815978bddd036984fa077236a515")
 else() # aarch64
     set(FALCOCTL_SYSTEM_PROC_GO "arm64")
-    set(FALCOCTL_HASH "6e99fd765f67cdd46fa8c5b2969e97497856d2e615698ced04046c8898187b18")
+    set(FALCOCTL_HASH "0b711a1b3499f479d999f4f4d2c94fc4f0bc23a2506711b613e6eedb0593631b")
 endif()
 
 ExternalProject_Add(

cmake/modules/falcosecurity-libs-repo/CMakeLists.txt

@@ -1,5 +1,6 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2020 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at

cmake/modules/falcosecurity-libs.cmake

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: Apache-2.0
 #
 # Copyright (C) 2023 The Falco Authors.
 #
@@ -34,8 +35,8 @@ else()
   # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable -
   # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..` 
   if(NOT FALCOSECURITY_LIBS_VERSION)
-    set(FALCOSECURITY_LIBS_VERSION "0.13.0-rc1")
-    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=a75526b664bce2ba05912e056e48be39b0b1cb797b2055d107e55afbee2c8233")
+    set(FALCOSECURITY_LIBS_VERSION "ebd17a1cfb5935d774681aa6a4696deb6561d965")
+    # set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=2be42a27be3ffe6bd7e53eaa5d8358cab05a0dca821819c6e9059e51b9786219")
   endif()
 
   # cd /path/to/build && cmake /path/to/source

cmake/modules/libyaml.cmake

@@ -1,5 +1,6 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2020 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at

cmake/modules/njson.cmake

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: Apache-2.0
 #
 # Copyright (C) 2023 The Falco Authors.
 #

cmake/modules/plugins.cmake

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: Apache-2.0
 #
 # Copyright (C) 2023 The Falco Authors.
 #
@@ -23,11 +24,11 @@ if(NOT DEFINED PLUGINS_COMPONENT_NAME)
 endif()
 
 # k8saudit
-set(PLUGIN_K8S_AUDIT_VERSION "0.6.0")
+set(PLUGIN_K8S_AUDIT_VERSION "0.6.1")
 if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
-    set(PLUGIN_K8S_AUDIT_HASH "560e8f8dc8fd169e524d95462d65b5227415a7a157442e82383c7d9f456ce58f")
+    set(PLUGIN_K8S_AUDIT_HASH "e2908ebf2c03feecd26307ceab55aec9cae1cbc63d6aa05e147d8786e7670fb0")
 else() # aarch64
-    set(PLUGIN_K8S_AUDIT_HASH "e4757af1bac42b21c5937340790841dedc3805759050a6ffb22d1761e1dd1d31")
+    set(PLUGIN_K8S_AUDIT_HASH "8987a995fa09518aebc488ba549448166d605596c2d6478c10415a9d9f5f05dd")
 endif()
 
 ExternalProject_Add(
@@ -43,7 +44,7 @@ install(FILES "${PROJECT_BINARY_DIR}/k8saudit-plugin-prefix/src/k8saudit-plugin/
 ExternalProject_Add(
   k8saudit-rules
   URL "https://download.falco.org/plugins/${PLUGINS_DOWNLOAD_BUCKET}/k8saudit-rules-${PLUGIN_K8S_AUDIT_VERSION}.tar.gz"
-  URL_HASH "SHA256=44cee2fb88312d889213e1dbe1b9902d0a3f5c594cce73b2cac8e54fb51321b7"
+  URL_HASH "SHA256=36321b3f1d7969926073a4d40bbbb7b4b28805b038c067f140795210ab641161"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ""
   INSTALL_COMMAND "")
@@ -51,11 +52,11 @@ ExternalProject_Add(
 install(FILES "${PROJECT_BINARY_DIR}/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml" DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")
 
 # cloudtrail
-set(PLUGIN_CLOUDTRAIL_VERSION "0.8.0")
+set(PLUGIN_CLOUDTRAIL_VERSION "0.9.0")
 if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
-    set(PLUGIN_CLOUDTRAIL_HASH "13ba77602c0859936f6e3b00f93bd218c463300c6a797b694a0d5aeecde13976")
+    set(PLUGIN_CLOUDTRAIL_HASH "c8dc8ea5337aa9475042e6441320a5188bbf76977e3a69dd34a49a6251f8e9ad")
 else() # aarch64
-    set(PLUGIN_CLOUDTRAIL_HASH "a01730738e9d5769f69957a204c8afe528b059e9a22f59792dfc65e19d6a43db")
+    set(PLUGIN_CLOUDTRAIL_HASH "bea12e81409c3df5698f7ab6a740ee9698b9dd1275b5985810daf70ac505c810")
 endif()
 
 ExternalProject_Add(
@@ -71,7 +72,7 @@ install(FILES "${PROJECT_BINARY_DIR}/cloudtrail-plugin-prefix/src/cloudtrail-plu
 ExternalProject_Add(
   cloudtrail-rules
   URL "https://download.falco.org/plugins/${PLUGINS_DOWNLOAD_BUCKET}/cloudtrail-rules-${PLUGIN_CLOUDTRAIL_VERSION}.tar.gz"
-  URL_HASH "SHA256=27f2fc0a74d39476ad968a61318dec65a82b109c4a462b9fa22be45425ddaaad"
+  URL_HASH "SHA256=b0c2b6c78d61cc3e7fb66445bcd8f763d15eb4a24f518385377e704aacec6b3f"
   CONFIGURE_COMMAND ""
   BUILD_COMMAND ""
   INSTALL_COMMAND "")
@@ -79,11 +80,11 @@ ExternalProject_Add(
 install(FILES "${PROJECT_BINARY_DIR}/cloudtrail-rules-prefix/src/cloudtrail-rules/aws_cloudtrail_rules.yaml" DESTINATION "${FALCO_ETC_DIR}" COMPONENT "${PLUGINS_COMPONENT_NAME}")
 
 # json
-set(PLUGIN_JSON_VERSION "0.7.0")
+set(PLUGIN_JSON_VERSION "0.7.1")
 if(${CMAKE_HOST_SYSTEM_PROCESSOR} STREQUAL "x86_64")
-    set(PLUGIN_JSON_HASH "a7bf52009a935f22b473724f722566fde27aec5c7d618ecd426eed81e477e94d")
+    set(PLUGIN_JSON_HASH "3177fd667b384df2ffd2ae3260bda867c407c09d3fbcae841af204b82c1341c1")
 else() # aarch64
-    set(PLUGIN_JSON_HASH "9cd65fac3f1cbc7f723b69671d42d35901cd322a23d8f2b9dc95fb0593918a7e")
+    set(PLUGIN_JSON_HASH "3b5d0a9190bfd08e21915f997f88ca314f2027564a022eb88eef80ff4e2c77fa")
 endif()
 
 ExternalProject_Add(

cmake/modules/rules.cmake

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: Apache-2.0
 #
 # Copyright (C) 2023 The Falco Authors.
 #
@@ -15,8 +16,8 @@ include(GNUInstallDirs)
 include(ExternalProject)
 
 # falco_rules.yaml
-set(FALCOSECURITY_RULES_FALCO_VERSION "falco-rules-2.0.0-rc1")
-set(FALCOSECURITY_RULES_FALCO_CHECKSUM "SHA256=1e5cda24238bb33e7fdb55a523d39fe8eac3978822fca9ce073c6bd537b86ecf")
+set(FALCOSECURITY_RULES_FALCO_VERSION "falco-rules-2.0.0")
+set(FALCOSECURITY_RULES_FALCO_CHECKSUM "SHA256=48b6c5ae7a619a320eb51dbe036d1bc78622ab692956c9493390678874757b32")
 set(FALCOSECURITY_RULES_FALCO_PATH "${PROJECT_BINARY_DIR}/falcosecurity-rules-falco-prefix/src/falcosecurity-rules-falco/falco_rules.yaml")
 ExternalProject_Add(
   falcosecurity-rules-falco

cmake/modules/static-analysis.cmake

@@ -1,3 +1,17 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# Copyright (C) 2023 The Falco Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+#
+
 # create the reports folder
 file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports)
 file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck)

cmake/modules/yaml-cpp.cmake

@@ -1,5 +1,6 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2020 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at

docker/README.md

@@ -9,7 +9,10 @@ This directory contains various ways to package Falco as a container and related
 | [falcosecurity/falco:latest](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco), [falcosecurity/falco:master](https://hub.docker.com/repository/docker/falcosecurity/falco) | docker/falco | Falco (DEB built from git tag or from the master) with all the building toolchain. |
 | [falcosecurity/falco-driver-loader:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader), [falcosecurity/falco-driver-loader:master](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader) | docker/driver-loader | `falco-driver-loader` as entrypoint with the building toolchain. |
 | [falcosecurity/falco-no-driver:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver), [falcosecurity/falco-no-driver:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver),[falcosecurity/falco-no-driver:master](https://hub.docker.com/repository/docker/falcosecurity/falco-no-driver) | docker/no-driver | Falco (TGZ built from git tag or from the master) without the building toolchain. |
+| [falcosecurity/falco-driver-loader-legacy:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader-legacy), [falcosecurity/falco-driver-loader-legacy:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-driver-loader-legacy) | docker/driver-loader-legacy | `falco-driver-loader` as entrypoint with the legacy building toolchain. Recommended for kernels < 4.0 |
 
 ## Experimental Images
 
+| Name | Directory | Description |
+|---|---|---|
 | [falcosecurity/falco-distroless:latest](https://hub.docker.com/repository/docker/falcosecurity/falco-distroless), [falcosecurity/falco-distroless:_tag_](https://hub.docker.com/repository/docker/falcosecurity/falco-distroless),[falcosecurity/falco-distroless:master](https://hub.docker.com/repository/docker/falcosecurity/falco-distroless) | docker/no-driver/Dockerfile.distroless | Falco without the building toolchain built from a distroless base image. This results in a smaller image that has less potentially vulnerable components. |

docker/driver-loader-legacy/Dockerfile

@@ -126,5 +126,3 @@ RUN curl -L -o binutils_2.30-22_${TARGETARCH}.deb https://download.falco.org/dep
 COPY ./docker-entrypoint.sh /
 
 ENTRYPOINT ["/docker-entrypoint.sh"]
-
-CMD ["/usr/bin/falco"]

docker/driver-loader-legacy/docker-entrypoint.sh

@@ -1,6 +1,7 @@
 #!/usr/bin/env bash
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2020 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -16,18 +17,13 @@
 # limitations under the License.
 #
 
-# Set the SKIP_DRIVER_LOADER variable to skip loading the driver
 
-if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then
-    echo "* Setting up /usr/src links from host"
+echo "* Setting up /usr/src links from host"
 
-    for i in "$HOST_ROOT/usr/src"/*
-    do
-        base=$(basename "$i")
-        ln -s "$i" "/usr/src/$base"
-    done
+for i in "$HOST_ROOT/usr/src"/*
+do
+    base=$(basename "$i")
+    ln -s "$i" "/usr/src/$base"
+done
 
-    /usr/bin/falco-driver-loader
-fi
-
-exec "$@"
+/usr/bin/falco-driver-loader "$@"

docker/driver-loader/docker-entrypoint.sh

@@ -1,6 +1,7 @@
 #!/usr/bin/env bash
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2020 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -25,4 +26,4 @@ do
     ln -s "$i" "/usr/src/$base"
 done
 
-/usr/bin/falco-driver-loader "$@"
+/usr/bin/falco-driver-loader "$@"

docker/falco/docker-entrypoint.sh

@@ -1,6 +1,7 @@
 #!/usr/bin/env bash
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2020 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -33,4 +34,4 @@ if [[ -z "${SKIP_DRIVER_LOADER}" ]]; then
     /usr/bin/falco-driver-loader "${falco_driver_loader_option_arr[@]}"
 fi
 
-exec "$@"
+exec "$@"

falco.yaml

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: Apache-2.0
 #
 # Copyright (C) 2023 The Falco Authors.
 #
@@ -674,6 +675,12 @@ syscall_event_drops:
 # periodic metric snapshots (including stats and resource utilization) captured
 # at regular intervals
 #
+# --- [Warning]
+#
+# Due to a regression (https://github.com/falcosecurity/falco/issues/2821) some metrics
+# like `falco.host_num_cpus` or `falco.start_ts` will not be available when you use
+# source plugins (like k8saudit).
+#
 # --- [Description]
 #
 # Consider these key points about the `metrics` feature in Falco:

scripts/CMakeLists.txt

@@ -1,5 +1,6 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2021 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

scripts/debian/postinst.in

@@ -1,6 +1,7 @@
 #!/bin/sh
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2022 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

scripts/debian/postrm.in

@@ -1,6 +1,7 @@
 #!/bin/sh
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2022 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

scripts/debian/prerm.in

@@ -1,6 +1,7 @@
 #!/bin/sh
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2022 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

scripts/falco-driver-loader

@@ -1,6 +1,7 @@
 #!/usr/bin/env bash
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2022 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

scripts/ignored-calls.sh

@@ -1,6 +1,7 @@
 #!/usr/bin/env bash
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2020 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

scripts/rpm/postinstall.in

@@ -1,5 +1,6 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2022 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

scripts/rpm/postuninstall.in

@@ -1,5 +1,6 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2022 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

scripts/rpm/preuninstall.in

@@ -1,5 +1,6 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2022 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

unit_tests/CMakeLists.txt

@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: Apache-2.0
 #
 # Copyright (C) 2023 The Falco Authors.
 #

unit_tests/engine/test_falco_utils.cpp

@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2023 The Falco Authors.
 

unit_tests/engine/test_filter_details_resolver.cpp

@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2023 The Falco Authors.
 
@@ -46,4 +47,4 @@ TEST(DetailsResolver, resolve_ast)
     // Assert lists
     ASSERT_EQ(details.lists.size(), 1);
     ASSERT_NE(details.lists.find("known_procs"), details.lists.end());
-}
+}

unit_tests/engine/test_filter_macro_resolver.cpp

@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2023 The Falco Authors.
 

unit_tests/engine/test_filter_warning_resolver.cpp

@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2023 The Falco Authors.
 

unit_tests/engine/test_plugin_requirements.cpp

@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2023 The Falco Authors.
 

unit_tests/engine/test_rulesets.cpp

@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2023 The Falco Authors.
 

unit_tests/falco/app/actions/app_action_helpers.h

@@ -1,3 +1,19 @@
+// SPDX-License-Identifier: Apache-2.0
+/*
+Copyright (C) 2023 The Falco Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
 #pragma once
 #include <gtest/gtest.h>
 #include <falco/app/state.h>

unit_tests/falco/app/actions/test_configure_interesting_sets.cpp

@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2023 The Falco Authors.
 

unit_tests/falco/app/actions/test_configure_syscall_buffer_num.cpp

@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2023 The Falco Authors.
 

unit_tests/falco/app/actions/test_select_event_sources.cpp

@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2023 The Falco Authors.
 

unit_tests/falco/test_atomic_signal_handler.cpp

@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2023 The Falco Authors.
 
@@ -128,4 +129,4 @@ TEST(AtomicSignalHandler, handle_and_reset)
 	ASSERT_FALSE(handler.triggered());
 	ASSERT_FALSE(handler.handled());
 	ASSERT_FALSE(handler.handle(do_nothing));
-}
+}

unit_tests/falco/test_configuration.cpp

@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2023 The Falco Authors.
 

userspace/engine/CMakeLists.txt

@@ -1,5 +1,6 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2019 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at

userspace/engine/banned.h

@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2023 The Falco Authors.
 

userspace/engine/evttype_index_ruleset.cpp

@@ -1,5 +1,6 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2019 The Falco Authors.
+Copyright (C) 2023 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

userspace/engine/evttype_index_ruleset.h

@@ -1,5 +1,6 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2019 The Falco Authors.
+Copyright (C) 2023 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

userspace/engine/falco_common.cpp

@@ -1,5 +1,6 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2022 The Falco Authors.
+Copyright (C) 2023 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -116,4 +117,4 @@ bool falco_common::parse_rule_matching(std::string v, rule_matching& out)
 		}
 	}
 	return false;
-}
+}

userspace/engine/falco_common.h

@@ -1,5 +1,6 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2022 The Falco Authors.
+Copyright (C) 2023 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

userspace/engine/falco_engine.cpp

@@ -1,5 +1,6 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2019 The Falco Authors.
+Copyright (C) 2023 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -45,7 +46,6 @@ limitations under the License.
 #include "utils.h"
 #include "banned.h" // This raises a compilation error when certain functions are used
 #include "evttype_index_ruleset.h"
-#include "filter_details_resolver.h"
 
 const std::string falco_engine::s_default_ruleset = "falco-default-ruleset";
 
@@ -190,22 +190,60 @@ void falco_engine::load_rules(const std::string &rules_content, bool verbose, bo
 std::unique_ptr<load_result> falco_engine::load_rules(const std::string &rules_content, const std::string &name)
 {
 	rule_loader::configuration cfg(rules_content, m_sources, name);
-	cfg.min_priority = m_min_priority;
 	cfg.output_extra = m_extra;
 	cfg.replace_output_container_info = m_replace_container_info;
-	cfg.default_ruleset_id = m_default_ruleset_id;
 
+	// read rules YAML file and collect its definitions
 	rule_loader::reader reader;
 	if (reader.read(cfg, m_rule_collector))
-	{
+	{	
+		// compile the definitions (resolve macro/list refs, exceptions, ...)
+		rule_loader::compiler::compile_output out;
+		rule_loader::compiler().compile(cfg, m_rule_collector, out);
+
+		// clear the rules known by the engine and each ruleset
+		m_rules.clear();
 		for (auto &src : m_sources)
 		{
 			src.ruleset = src.ruleset_factory->new_ruleset();
 		}
 
-		rule_loader::compiler compiler;
-		m_rules.clear();
-		compiler.compile(cfg, m_rule_collector, m_rules);
+		// add rules to the engine and the rulesets
+		for (const auto& rule : out.rules)
+		{
+			// skip the rule if below the minimum priority
+			if (rule.priority > m_min_priority)
+			{
+				continue;
+			}
+
+			auto info = m_rule_collector.rules().at(rule.name);
+			if (!info)
+			{
+				// this is just defensive, it should never happen
+				throw falco_exception("can't find internal rule info at name: " + name);
+			}
+
+			// the rule is ok, we can add it to the engine and the rulesets
+			// note: the compiler should guarantee that the rule's condition
+			// is a valid sinsp filter
+			auto source = find_source(rule.source);
+			std::shared_ptr<gen_event_filter> filter(
+				sinsp_filter_compiler(source->filter_factory, rule.condition.get()).compile());
+			auto rule_id = m_rules.insert(rule, rule.name);
+			m_rules.at(rule_id)->id = rule_id;
+			source->ruleset->add(rule, filter, rule.condition);
+
+			// By default rules are enabled/disabled for the default ruleset
+			if(info->enabled)
+			{
+				source->ruleset->enable(rule.name, true, m_default_ruleset_id);
+			}
+			else
+			{
+				source->ruleset->disable(rule.name, true, m_default_ruleset_id);
+			}
+		}
 	}
 
 	if (cfg.res->successful())
@@ -468,7 +506,17 @@ std::size_t falco_engine::add_source(const std::string &source,
 	return m_sources.insert(src, source);
 }
 
-void falco_engine::describe_rule(std::string *rule, bool json) const
+template <typename T> inline Json::Value sequence_to_json_array(const T& seq)
+{
+	Json::Value ret = Json::arrayValue;
+	for (auto it = seq.begin(); it != seq.end(); it++)
+	{
+		ret.append(*it);
+	}
+	return ret;
+}
+
+void falco_engine::describe_rule(std::string *rule, const std::vector<std::shared_ptr<sinsp_plugin>>& plugins, bool json) const
 {
 	if(!json)
 	{
@@ -497,10 +545,20 @@ void falco_engine::describe_rule(std::string *rule, bool json) const
 		return;
 	}
 
-	std::unique_ptr<sinsp> insp(new sinsp());
+	// use previously-loaded collector definitions to obtain a compiled
+	// output of rules, macros, and lists.
+	// note: we ignore the loading result (errors, warnings), as they should have
+	// already been checked when previously-loading the rules files. Thus, we
+	// assume that the definitions will give no compilation error.
+	rule_loader::configuration cfg("", m_sources, "");
+	cfg.output_extra = m_extra;
+	cfg.replace_output_container_info = m_replace_container_info;
+	rule_loader::compiler::compile_output compiled;
+	rule_loader::compiler().compile(cfg, m_rule_collector, compiled);
+
+	// use collected and compiled info to print a json output
 	Json::FastWriter writer;
 	std::string json_str;
-
 	if(!rule)
 	{
 		// In this case we build json information about
@@ -536,33 +594,33 @@ void falco_engine::describe_rule(std::string *rule, bool json) const
 
 		// Store information about rules
 		Json::Value rules_array = Json::arrayValue;
-		for(const auto& r : m_rules)
+		for(const auto& r : compiled.rules)
 		{
-			auto ri = m_rule_collector.rules().at(r.name);
+			auto info = m_rule_collector.rules().at(r.name);
 			Json::Value rule;
-			get_json_details(r, *ri, insp.get(), rule);
-
-			// Append to rule array
+			get_json_details(rule, r, *info, plugins);
 			rules_array.append(rule);
 		}
 		output["rules"] = rules_array;
 		
 		// Store information about macros
-		Json::Value macros_array;
-		for(const auto &m : m_rule_collector.macros())
+		Json::Value macros_array = Json::arrayValue;
+		for(const auto &m : compiled.macros)
 		{
+			auto info = m_rule_collector.macros().at(m.name);
 			Json::Value macro;
-			get_json_details(m, macro);
+			get_json_details(macro, m, *info, plugins);
 			macros_array.append(macro);
 		}
 		output["macros"] = macros_array;
 
 		// Store information about lists 
 		Json::Value lists_array = Json::arrayValue;
-		for(const auto &l : m_rule_collector.lists())
+		for(const auto &l : compiled.lists)
 		{
+			auto info = m_rule_collector.lists().at(l.name);
 			Json::Value list;
-			get_json_details(l, list);
+			get_json_details(list, l, *info, plugins);
 			lists_array.append(list);			
 		}
 		output["lists"] = lists_array;
@@ -579,68 +637,73 @@ void falco_engine::describe_rule(std::string *rule, bool json) const
 		}
 		auto r = m_rules.at(ri->name);
 		Json::Value rule; 
-		get_json_details(*r, *ri, insp.get(), rule);
+		get_json_details(rule, *r, *ri, plugins);
 		json_str = writer.write(rule);
 	}
 
 	fprintf(stdout, "%s", json_str.c_str());
 }
 
-void falco_engine::get_json_details(const falco_rule &r,
-	const rule_loader::rule_info &ri,
-	sinsp *insp,
-	Json::Value &rule) const
+void falco_engine::get_json_details(
+	Json::Value &out,
+	const falco_rule &r,
+	const rule_loader::rule_info &info,
+	const std::vector<std::shared_ptr<sinsp_plugin>>& plugins) const
 {
 	Json::Value rule_info;
 
 	// Fill general rule information
 	rule_info["name"] = r.name;
-	rule_info["condition"] = ri.cond;
+	rule_info["condition"] = info.cond;
 	rule_info["priority"] = format_priority(r.priority, false);
-	rule_info["output"] = r.output;
+	rule_info["output"] = info.output;
 	rule_info["description"] = r.description;
-	rule_info["enabled"] = ri.enabled;
+	rule_info["enabled"] = info.enabled;
 	rule_info["source"] = r.source;
-	Json::Value tags = Json::arrayValue;
-	for(const auto &t : ri.tags)
-	{
-		tags.append(t);
-	}
-	rule_info["tags"] = tags;
-	rule["info"] = rule_info;
+	rule_info["tags"] = sequence_to_json_array(info.tags);
+	out["info"] = rule_info;
 
-	// Parse rule condition and build the AST
-	// Assumption: no exception because rules have already been loaded.
-	auto ast = libsinsp::filter::parser(ri.cond).parse();
+	// Parse rule condition and build the non-compiled AST
+	// Assumption: no error because rules have already been loaded.
+	auto ast = libsinsp::filter::parser(info.cond).parse();
+
+	// get details related to the condition's filter
+	filter_details details;
+	filter_details compiled_details;
 	Json::Value json_details;
-	get_json_details(ast.get(), json_details);
-	rule["details"] = json_details;
+	for(const auto &m : m_rule_collector.macros())
+	{
+		details.known_macros.insert(m.name);
+		compiled_details.known_macros.insert(m.name);
+	}
+	for(const auto &l : m_rule_collector.lists())
+	{
+		details.known_lists.insert(l.name);
+		compiled_details.known_lists.insert(l.name);
+	}
+	filter_details_resolver().run(ast.get(), details);
+	filter_details_resolver().run(r.condition.get(), compiled_details);
+
+	out["details"]["macros"] = sequence_to_json_array(details.macros);
+	out["details"]["lists"] = sequence_to_json_array(details.lists);
+	out["details"]["condition_operators"] = sequence_to_json_array(compiled_details.operators);
+	out["details"]["condition_fields"] = sequence_to_json_array(compiled_details.fields);
 
 	// Get fields from output string
 	auto fmt = create_formatter(r.source, r.output);
 	std::vector<std::string> out_fields;
 	fmt->get_field_names(out_fields);
-	Json::Value outputFields = Json::arrayValue;
-	for(const auto &of : out_fields)
-	{
-		outputFields.append(of);
-	}
-	rule["details"]["output_fields"] = outputFields;
+	out["details"]["output_fields"] = sequence_to_json_array(out_fields);
 
 	// Get fields from exceptions
-	Json::Value exception_fields = Json::arrayValue;
-	for(const auto &f : r.exception_fields)
-	{
-		exception_fields.append(f);
-	}
-	rule["details"]["exception_fields"] = exception_fields;
+	out["details"]["exception_fields"] = sequence_to_json_array(r.exception_fields);
 
 	// Get names and operators from exceptions
-	Json::Value exception_names = Json::arrayValue;
-	Json::Value exception_operators = Json::arrayValue;
-	for(const auto &e : ri.exceptions)
+	std::unordered_set<std::string> exception_names;
+	std::unordered_set<std::string> exception_operators;
+	for(const auto &e : info.exceptions)
 	{
-		exception_names.append(e.name);
+		exception_names.insert(e.name);
 		if(e.comps.is_list)
 		{
 			for(const auto& c : e.comps.items)
@@ -650,140 +713,236 @@ void falco_engine::get_json_details(const falco_rule &r,
 					// considering max two levels of lists
 					for(const auto& i : c.items)
 					{
-						exception_operators.append(i.item);
+						exception_operators.insert(i.item);
 					}
 				}
 				else
 				{
-					exception_operators.append(c.item);
+					exception_operators.insert(c.item);
 				}
 			}
 		}
 		else
 		{
-			exception_operators.append(e.comps.item);
+			exception_operators.insert(e.comps.item);
 		}	
 	}
-	rule["details"]["exceptions"] = exception_names;
-	rule["details"]["exception_operators"] = exception_operators;
+	out["details"]["exception_names"] = sequence_to_json_array(exception_names);
+	out["details"]["exception_operators"] = sequence_to_json_array(exception_operators);
 
-	if(ri.source == falco_common::syscall_source)
-	{
-		// Store event types
-		Json::Value events;
-		get_json_evt_types(ast.get(), events);
-		rule["details"]["events"] = events;
-	}
+	// Store event types
+	Json::Value events;
+	get_json_evt_types(events, info.source, r.condition.get());
+	out["details"]["events"] = events;
+
+	// Store compiled condition and output
+	out["details"]["condition_compiled"] = libsinsp::filter::ast::as_string(r.condition.get());
+	out["details"]["output_compiled"] = r.output;
+
+	// Compute the plugins that are actually used by this rule. This is involves:
+	// - The rule's event source, that can be implemented by a plugin
+	// - The fields used in the rule's condition, output, and exceptions
+	// - The evt types used in the rule's condition checks, that can potentially
+	//   match plugin-provided async events
+	Json::Value used_plugins;
+	// note: making a union of conditions's and output's fields
+	// note: the condition's AST accounts for all the resolved refs and exceptions
+	compiled_details.fields.insert(out_fields.begin(), out_fields.end());
+	get_json_used_plugins(used_plugins, info.source, compiled_details.evtnames, compiled_details.fields, plugins);
+	out["details"]["plugins"] = used_plugins;
 }
 
-void falco_engine::get_json_details(const rule_loader::macro_info& m,
-	Json::Value& macro) const
+void falco_engine::get_json_details(
+	Json::Value& out,
+	const falco_macro& m,
+	const rule_loader::macro_info& info,
+	const std::vector<std::shared_ptr<sinsp_plugin>>& plugins) const
 {
 	Json::Value macro_info;
 
 	macro_info["name"] = m.name;
-	macro_info["condition"] = m.cond;
-	macro["info"] = macro_info;
+	macro_info["condition"] = info.cond;
+	out["info"] = macro_info;
 
+	// Parse the macro condition and build the non-compiled AST
 	// Assumption: no exception because rules have already been loaded.
-	auto ast = libsinsp::filter::parser(m.cond).parse();
+	auto ast = libsinsp::filter::parser(info.cond).parse();
 
+	// get details related to the condition's filter
+	filter_details details;
+	filter_details compiled_details;
 	Json::Value json_details;
-	get_json_details(ast.get(), json_details);
-	macro["details"] = json_details;
+	for(const auto &m : m_rule_collector.macros())
+	{
+		details.known_macros.insert(m.name);
+		compiled_details.known_macros.insert(m.name);
+	}
+	for(const auto &l : m_rule_collector.lists())
+	{
+		details.known_lists.insert(l.name);
+		compiled_details.known_lists.insert(l.name);
+	}
+	filter_details_resolver().run(ast.get(), details);
+	filter_details_resolver().run(m.condition.get(), compiled_details);
+
+	out["details"]["used"] = m.used;
+	out["details"]["macros"] = sequence_to_json_array(details.macros);
+	out["details"]["lists"] = sequence_to_json_array(details.lists);
+	out["details"]["condition_operators"] = sequence_to_json_array(compiled_details.operators);
+	out["details"]["condition_fields"] = sequence_to_json_array(compiled_details.fields);
 
 	// Store event types
 	Json::Value events;
-	get_json_evt_types(ast.get(), events);
-	macro["details"]["events"] = events;
+	get_json_evt_types(events, "", m.condition.get());
+	out["details"]["events"] = events;
+
+	// Store compiled condition
+	out["details"]["condition_compiled"] = libsinsp::filter::ast::as_string(m.condition.get());
+
+	// Compute the plugins that are actually used by this macro.
+	// Note: macros have no specific source, we need to set an empty list of used
+	// plugins because we can't be certain about their actual usage. For example,
+	// if a macro uses a plugin's field, we can't be sure which plugin actually
+	// is used until we resolve the macro ref in a rule providing a source for
+	// disambiguation.
+	out["details"]["plugins"] = Json::arrayValue;
 }
 
-void falco_engine::get_json_details(const rule_loader::list_info& l, 
-	Json::Value& list) const
+void falco_engine::get_json_details(
+	Json::Value& out,
+	const falco_list& l,
+	const rule_loader::list_info& info,
+	const std::vector<std::shared_ptr<sinsp_plugin>>& plugins) const
 {
 	Json::Value list_info;
 	list_info["name"] = l.name;
 
+	// note: the syntactic definitions still has the list refs unresolved
 	Json::Value items = Json::arrayValue;
-	Json::Value lists = Json::arrayValue;
-	for(const auto &i : l.items)
+	std::unordered_set<std::string> lists;
+	for(const auto &i : info.items)
 	{
-		if(m_rule_collector.lists().at(i) != nullptr)
+		// if an item is present in the syntactic def of a list, but not
+		// on the compiled_items of the same list, then we can assume it
+		// being a resolved list ref
+		if(std::find(l.items.begin(), l.items.end(), i) == l.items.end())
 		{
-			lists.append(i);
+			lists.insert(i);
 			continue;
 		}
 		items.append(i);
 	}
 
 	list_info["items"] = items;
-	list["info"] = list_info;
-	list["details"]["lists"] = lists;
+	out["info"] = list_info;
+	out["details"]["used"] = l.used;
+	out["details"]["lists"] = sequence_to_json_array(lists);
+	out["details"]["items_compiled"] = sequence_to_json_array(l.items);
+	out["details"]["plugins"] = Json::arrayValue; // always empty
 }
 
-void falco_engine::get_json_details(libsinsp::filter::ast::expr* ast,
-	Json::Value& output) const
+void falco_engine::get_json_evt_types(
+	Json::Value& out,
+	const std::string& source,
+	libsinsp::filter::ast::expr* ast) const
 {
-	filter_details details;
-	for(const auto &m : m_rule_collector.macros())
+	// note: this duplicates part of the logic of evttype_index_ruleset,
+	// not good but it's our best option for now
+	if (source.empty() || source == falco_common::syscall_source)
 	{
-		details.known_macros.insert(m.name);
+		auto evtcodes = libsinsp::filter::ast::ppm_event_codes(ast);
+		evtcodes.insert(ppm_event_code::PPME_ASYNCEVENT_E);
+		auto syscodes = libsinsp::filter::ast::ppm_sc_codes(ast);
+		auto syscodes_to_evt_names = libsinsp::events::sc_set_to_event_names(syscodes);
+		auto evtcodes_to_evt_names = libsinsp::events::event_set_to_names(evtcodes, false);
+		out = sequence_to_json_array(unordered_set_union(syscodes_to_evt_names, evtcodes_to_evt_names));
 	}
-
-	for(const auto &l : m_rule_collector.lists())
+	else
 	{
-		details.known_lists.insert(l.name);
+		out = sequence_to_json_array(libsinsp::events::event_set_to_names(
+			{ppm_event_code::PPME_PLUGINEVENT_E, ppm_event_code::PPME_ASYNCEVENT_E}));
 	}
-
-	// Resolve the AST details
-	filter_details_resolver resolver;
-	resolver.run(ast, details);
-
-	Json::Value macros = Json::arrayValue;
-	for(const auto &m : details.macros)
-	{
-		macros.append(m);
-	}
-	output["macros"] = macros;
-
-	Json::Value operators = Json::arrayValue;
-	for(const auto &o : details.operators)
-	{
-		operators.append(o);
-	}
-	output["operators"] = operators;
-
-	Json::Value condition_fields = Json::arrayValue;
-	for(const auto &f : details.fields)
-	{
-		condition_fields.append(f);
-	}
-	output["condition_fields"] = condition_fields;
-
-	Json::Value lists = Json::arrayValue;
-	for(const auto &l : details.lists)
-	{
-		lists.append(l);
-	}
-	output["lists"] = lists;
-	
-	details.reset();
 }
 
-void falco_engine::get_json_evt_types(libsinsp::filter::ast::expr* ast,
-					Json::Value& output) const
+void falco_engine::get_json_used_plugins(
+	Json::Value& out,
+	const std::string& source,
+	const std::unordered_set<std::string>& evtnames,
+	const std::unordered_set<std::string>& fields,
+	const std::vector<std::shared_ptr<sinsp_plugin>>& plugins) const
 {
-	output = Json::arrayValue;
-	auto evtcodes = libsinsp::filter::ast::ppm_event_codes(ast);
-	auto syscodes = libsinsp::filter::ast::ppm_sc_codes(ast);
-	auto syscodes_to_evt_names = libsinsp::events::sc_set_to_event_names(syscodes);
-	auto evtcodes_to_evt_names = libsinsp::events::event_set_to_names(evtcodes, false);
-	for (const auto& n : unordered_set_union(syscodes_to_evt_names, evtcodes_to_evt_names))
+	// note: condition and output fields may have an argument, so
+	// we need to isolate the field names
+	std::unordered_set<std::string> fieldnames;
+	for (auto f: fields)
 	{
-		output.append(n);
+		auto argpos = f.find('[');
+		if (argpos != std::string::npos)
+		{
+			f = f.substr(0, argpos);
+		}
+		fieldnames.insert(f);
 	}
-}
 
+	std::unordered_set<std::string> used_plugins;
+	for (const auto& p : plugins)
+	{
+		bool used = false;
+		if (p->caps() & CAP_SOURCING)
+		{
+			// The rule's source is implemented by a plugin with event
+			// sourcing capability.
+			// Note: if Falco loads two plugins implementing the same source,
+			// they will both be included in the list.
+			if (!used && p->event_source() == source)
+			{
+				used_plugins.insert(p->name());
+				used = true;
+			}
+		}
+		if (!used && p->caps() & CAP_EXTRACTION)
+		{
+			// The rule uses a field implemented by a plugin with field
+			// extraction capability that is compatible with the rule's source.
+			// Note: here we're assuming that Falco will prevent loading
+			// plugins implementing fields with the same name for the same
+			// event source (implemented in init_inspectors app action).
+			if (sinsp_plugin::is_source_compatible(p->extract_event_sources(), source))
+			{
+				for (const auto &f : p->fields())
+				{
+					if (!used && fieldnames.find(f.m_name) != fieldnames.end())
+					{
+						used_plugins.insert(p->name());
+						used = true;
+						break;
+					}
+				}
+			}
+		}
+		if (!used && p->caps() & CAP_ASYNC)
+		{
+			// The rule matches an event type implemented by a plugin with
+			// async events capability that is compatible with the rule's source.
+			// Note: if Falco loads two plugins implementing async events with
+			// the same name, they will both be included in the list.
+			if (sinsp_plugin::is_source_compatible(p->async_event_sources(), source))
+			{
+				for (const auto &n : p->async_event_names())
+				{
+					if (!used && evtnames.find(n) != evtnames.end())
+					{
+						used_plugins.insert(p->name());
+						used = true;
+						break;
+					}
+				}
+			}
+		}
+	}
+
+	out = sequence_to_json_array(used_plugins);
+}
 
 void falco_engine::print_stats() const
 {

userspace/engine/falco_engine.h

@@ -1,5 +1,6 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2019 The Falco Authors.
+Copyright (C) 2023 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -124,7 +125,7 @@ public:
 	// Print details on the given rule. If rule is NULL, print
 	// details on all rules.
 	//
-	void describe_rule(std::string *rule, bool json) const;
+	void describe_rule(std::string *rule, const std::vector<std::shared_ptr<sinsp_plugin>>& plugins, bool json) const;
 
 	//
 	// Print statistics on how many events matched each rule.
@@ -302,18 +303,31 @@ private:
 	inline bool should_drop_evt() const;
 
 	// Retrieve json details from rules, macros, lists
-	void get_json_details(const falco_rule& r,
-					const rule_loader::rule_info& ri,
-					sinsp* insp,
-					Json::Value& rule) const;
-	void get_json_details(const rule_loader::macro_info& m,
-					Json::Value& macro) const;
-	void get_json_details(const rule_loader::list_info& l,
-					Json::Value& list) const;
-	void get_json_details(libsinsp::filter::ast::expr* ast,
-					Json::Value& output) const;
-	void get_json_evt_types(libsinsp::filter::ast::expr* ast,
-					Json::Value& output) const;
+	void get_json_details(
+		Json::Value& out,
+		const falco_rule& r,
+		const rule_loader::rule_info& info,
+		const std::vector<std::shared_ptr<sinsp_plugin>>& plugins) const;
+	void get_json_details(
+		Json::Value& out,
+		const falco_macro& m,
+		const rule_loader::macro_info& info,
+		const std::vector<std::shared_ptr<sinsp_plugin>>& plugins) const;
+	void get_json_details(
+		Json::Value& out,
+		const falco_list& l,
+		const rule_loader::list_info& info,
+		const std::vector<std::shared_ptr<sinsp_plugin>>& plugins) const;
+	void get_json_evt_types(
+		Json::Value& out,
+		const std::string& source,
+		libsinsp::filter::ast::expr* ast) const;
+	void get_json_used_plugins(
+		Json::Value& out,
+		const std::string& source,
+		const std::unordered_set<std::string>& evttypes,
+		const std::unordered_set<std::string>& fields,
+		const std::vector<std::shared_ptr<sinsp_plugin>>& plugins) const;
 
 	rule_loader::collector m_rule_collector;
 	indexed_vector<falco_rule> m_rules;

userspace/engine/falco_engine_version.h

@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2023 The Falco Authors.
 

userspace/engine/falco_load_result.cpp

@@ -1,5 +1,6 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2022 The Falco Authors.
+Copyright (C) 2023 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

userspace/engine/falco_load_result.h

@@ -1,5 +1,6 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2022 The Falco Authors.
+Copyright (C) 2023 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

userspace/engine/falco_rule.h

@@ -1,5 +1,6 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2022 The Falco Authors.
+Copyright (C) 2023 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -20,6 +21,46 @@ limitations under the License.
 #include <string>
 #include "falco_common.h"
 
+#include <filter/ast.h>
+
+/*!
+	\brief Represents a list in the Falco Engine.
+	The rule ID must be unique across all the lists loaded in the engine.
+*/
+struct falco_list
+{
+	falco_list(): used(false), id(0) { }
+	falco_list(falco_list&&) = default;
+	falco_list& operator = (falco_list&&) = default;
+	falco_list(const falco_list&) = default;
+	falco_list& operator = (const falco_list&) = default;
+	~falco_list() = default;
+
+	bool used;
+	std::size_t id;
+	std::string name;
+	std::vector<std::string> items;
+};
+
+/*!
+	\brief Represents a macro in the Falco Engine.
+	The rule ID must be unique across all the macros loaded in the engine.
+*/
+struct falco_macro
+{
+	falco_macro(): used(false), id(0) { }
+	falco_macro(falco_macro&&) = default;
+	falco_macro& operator = (falco_macro&&) = default;
+	falco_macro(const falco_macro&) = default;
+	falco_macro& operator = (const falco_macro&) = default;
+	~falco_macro() = default;
+
+	bool used;
+	std::size_t id;
+	std::string name;
+	std::shared_ptr<libsinsp::filter::ast::expr> condition;
+};
+
 /*!
 	\brief Represents a rule in the Falco Engine.
 	The rule ID must be unique across all the rules loaded in the engine.
@@ -31,6 +72,7 @@ struct falco_rule
 	falco_rule& operator = (falco_rule&&) = default;
 	falco_rule(const falco_rule&) = default;
 	falco_rule& operator = (const falco_rule&) = default;
+	~falco_rule() = default;
 
 	std::size_t id;
 	std::string source;
@@ -40,4 +82,5 @@ struct falco_rule
 	std::set<std::string> tags;
 	std::set<std::string> exception_fields;
 	falco_common::priority_type priority;
+	std::shared_ptr<libsinsp::filter::ast::expr> condition;
 };

userspace/engine/falco_source.h

@@ -1,5 +1,6 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2022 The Falco Authors.
+Copyright (C) 2023 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

userspace/engine/falco_utils.cpp

@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2016-2018 The Falco Authors.
 

userspace/engine/falco_utils.h

@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2016-2018 The Falco Authors.
 

userspace/engine/filter_details_resolver.cpp

@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2023 The Falco Authors.
 
@@ -18,12 +19,23 @@ limitations under the License.
 
 using namespace libsinsp::filter;
 
+std::string get_field_name(const std::string& name, const std::string& arg)
+{
+	std::string fld = name;
+	if (!arg.empty())
+	{
+		fld += "[" + arg + "]";
+	}
+	return fld;
+}
+
 void filter_details::reset()
 {
 	fields.clear();
 	macros.clear();
 	operators.clear();
 	lists.clear();
+	evtnames.clear();
 }
 
 void filter_details_resolver::run(ast::expr* filter, filter_details& details)
@@ -34,6 +46,7 @@ void filter_details_resolver::run(ast::expr* filter, filter_details& details)
 
 void filter_details_resolver::visitor::visit(ast::and_expr* e)
 {
+	m_expect_macro = false;
 	for(size_t i = 0; i < e->children.size(); i++)
 	{
 		m_expect_macro = true;
@@ -44,6 +57,7 @@ void filter_details_resolver::visitor::visit(ast::and_expr* e)
 
 void filter_details_resolver::visitor::visit(ast::or_expr* e)
 {
+	m_expect_macro = false;
 	for(size_t i = 0; i < e->children.size(); i++)
 	{
 		m_expect_macro = true;
@@ -69,35 +83,50 @@ void filter_details_resolver::visitor::visit(ast::list_expr* e)
 			}
 		}
 	}
+	if (m_expect_evtname)
+	{
+		for(const auto& item : e->values)
+		{
+			if(m_details.known_lists.find(item) == m_details.known_lists.end())
+			{
+				m_details.evtnames.insert(item);
+			}
+		}
+	}
 }
 
 void filter_details_resolver::visitor::visit(ast::binary_check_expr* e)
 {
 	m_expect_macro = false;
-	m_details.fields.insert(e->field);
+	m_details.fields.insert(get_field_name(e->field, e->arg));
 	m_details.operators.insert(e->op);
 	m_expect_list = true;
+	m_expect_evtname = e->field == "evt.type" || e->field == "evt.asynctype";
 	e->value->accept(this);
+	m_expect_evtname = false;
 	m_expect_list = false;
 }
 
 void filter_details_resolver::visitor::visit(ast::unary_check_expr* e)
 {
 	m_expect_macro = false;
-	m_details.fields.insert(e->field);
+	m_details.fields.insert(get_field_name(e->field, e->arg));
 	m_details.operators.insert(e->op);
 }
 
 void filter_details_resolver::visitor::visit(ast::value_expr* e)
 {
-	if(m_expect_macro)
+	if (m_expect_macro)
 	{
-		auto it = m_details.known_macros.find(e->value);
-		if(it == m_details.known_macros.end())
+		if(m_details.known_macros.find(e->value) != m_details.known_macros.end())
 		{
-			return;
+			m_details.macros.insert(e->value);
 		}
-
-		m_details.macros.insert(e->value);
+		// todo(jasondellaluce): should we throw an error if we
+		// encounter an unknown macro?
 	}
-}
+	else if (m_expect_evtname)
+	{
+		m_details.evtnames.insert(e->value);
+	}
+}

userspace/engine/filter_details_resolver.h

@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2023 The Falco Authors.
 
@@ -32,6 +33,7 @@ struct filter_details
 	std::unordered_set<std::string> macros;
 	std::unordered_set<std::string> operators;
 	std::unordered_set<std::string> lists;
+	std::unordered_set<std::string> evtnames;
 
 	void reset();
 };
@@ -58,7 +60,8 @@ private:
 		visitor(filter_details& details) : 
 			m_details(details),
 			m_expect_list(false),
-			m_expect_macro(false) {}
+			m_expect_macro(false),
+			m_expect_evtname(false) {}
 		visitor(visitor&&) = default;
 		visitor& operator = (visitor&&) = default;
 		visitor(const visitor&) = delete;
@@ -75,5 +78,6 @@ private:
 		filter_details& m_details;
 		bool m_expect_list;
 		bool m_expect_macro;
+		bool m_expect_evtname;
 	};
 };

userspace/engine/filter_macro_resolver.cpp

@@ -1,5 +1,6 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2022 The Falco Authors.
+Copyright (C) 2023 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

userspace/engine/filter_macro_resolver.h

@@ -1,5 +1,6 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2022 The Falco Authors.
+Copyright (C) 2023 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

userspace/engine/filter_ruleset.h

@@ -1,5 +1,6 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2022 The Falco Authors.
+Copyright (C) 2023 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

userspace/engine/filter_warning_resolver.cpp

@@ -1,5 +1,6 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2022 The Falco Authors.
+Copyright (C) 2023 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

userspace/engine/filter_warning_resolver.h

@@ -1,5 +1,6 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2022 The Falco Authors.
+Copyright (C) 2023 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

userspace/engine/formats.cpp

@@ -1,5 +1,6 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2020 The Falco Authors.
+Copyright (C) 2023 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

userspace/engine/formats.h

@@ -1,5 +1,6 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2020 The Falco Authors.
+Copyright (C) 2023 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

userspace/engine/indexed_vector.h

@@ -1,5 +1,6 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2022 The Falco Authors.
+Copyright (C) 2023 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

userspace/engine/json_evt.cpp

@@ -1,5 +1,6 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2019 The Falco Authors.
+Copyright (C) 2023 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

userspace/engine/json_evt.h

@@ -1,5 +1,6 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2019 The Falco Authors.
+Copyright (C) 2023 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

userspace/engine/rule_loader.cpp

@@ -1,5 +1,6 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2022 The Falco Authors.
+Copyright (C) 2023 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -531,12 +532,12 @@ rule_loader::plugin_version_info::plugin_version_info(context &ctx)
 }
 
 rule_loader::list_info::list_info(context &ctx)
-	: ctx(ctx), used(false), index(0), visibility(0)
+	: ctx(ctx), index(0), visibility(0)
 {
 }
 
 rule_loader::macro_info::macro_info(context &ctx)
-	: ctx(ctx), cond_ctx(ctx), used(false), index(0), visibility(0)
+	: ctx(ctx), cond_ctx(ctx), index(0), visibility(0)
 {
 }
 

userspace/engine/rule_loader.h

@@ -1,5 +1,6 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2022 The Falco Authors.
+Copyright (C) 2023 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -272,8 +273,7 @@ namespace rule_loader
 			const indexed_vector<falco_source>& srcs,
 			const std::string& name)
 				: content(cont), sources(srcs), name(name),
-				  default_ruleset_id(0), replace_output_container_info(false),
-				  min_priority(falco_common::PRIORITY_DEBUG)
+				  output_extra(), replace_output_container_info(false)
 			{
 				res.reset(new result(name));
 			}
@@ -282,14 +282,15 @@ namespace rule_loader
 		configuration(const configuration&) = delete;
 		configuration& operator = (const configuration&) = delete;
 
+		// inputs
 		const std::string& content;
 		const indexed_vector<falco_source>& sources;
 		std::string name;
-		std::unique_ptr<result> res;
 		std::string output_extra;
-		uint16_t default_ruleset_id;
 		bool replace_output_container_info;
-		falco_common::priority_type min_priority;
+
+		// outputs
+		std::unique_ptr<result> res;
 	};
 
 	/*!
@@ -358,7 +359,6 @@ namespace rule_loader
 		list_info& operator = (const list_info&) = default;
 
 		context ctx;
-		bool used;
 		size_t index;
 		size_t visibility;
 		std::string name;
@@ -379,12 +379,10 @@ namespace rule_loader
 
 		context ctx;
 		context cond_ctx;
-		bool used;
 		size_t index;
 		size_t visibility;
 		std::string name;
 		std::string cond;
-		std::shared_ptr<libsinsp::filter::ast::expr> cond_ast;
 	};
 
 	/*!

userspace/engine/rule_loader_collector.cpp

@@ -1,5 +1,6 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2022 The Falco Authors.
+Copyright (C) 2023 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

userspace/engine/rule_loader_collector.h

@@ -1,5 +1,6 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2022 The Falco Authors.
+Copyright (C) 2023 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

userspace/engine/rule_loader_compiler.cpp

@@ -1,5 +1,6 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2022 The Falco Authors.
+Copyright (C) 2023 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -159,8 +160,30 @@ static void build_rule_exception_infos(
 	}
 }
 
+static inline rule_loader::list_info* list_info_from_name(
+	const rule_loader::collector& c, const std::string& name)
+{
+	auto ret = c.lists().at(name);
+	if (!ret)
+	{
+		throw falco_exception("can't find internal list info at name: " + name);
+	}
+	return ret;
+}
+
+static inline rule_loader::macro_info* macro_info_from_name(
+	const rule_loader::collector& c, const std::string& name)
+{
+	auto ret = c.macros().at(name);
+	if (!ret)
+	{
+		throw falco_exception("can't find internal macro info at name: " + name);
+	}
+	return ret;
+}
+
 // todo(jasondellaluce): this breaks string escaping in lists
-static bool resolve_list(std::string& cnd, const rule_loader::list_info& list)
+static bool resolve_list(std::string& cnd, const falco_list& list)
 {
 	static std::string blanks = " \t\n\r";
 	static std::string delims = blanks + "(),=";
@@ -231,18 +254,20 @@ static bool resolve_list(std::string& cnd, const rule_loader::list_info& list)
 }
 
 static void resolve_macros(
-	indexed_vector<rule_loader::macro_info>& macros,
+	const indexed_vector<rule_loader::macro_info>& infos,
+	indexed_vector<falco_macro>& macros,
 	std::shared_ptr<ast::expr>& ast,
 	const std::string& condition,
 	uint32_t visibility,
 	const rule_loader::context &ctx)
 {
 	filter_macro_resolver macro_resolver;
-	for (auto &m : macros)
+	for (auto &m : infos)
 	{
 		if (m.index < visibility)
 		{
-			macro_resolver.set_macro(m.name, m.cond_ast);
+			auto macro = macros.at(m.name);
+			macro_resolver.set_macro(m.name, macro->condition);
 		}
 	}
 	macro_resolver.run(ast);
@@ -271,7 +296,7 @@ static void resolve_macros(
 // note: there is no visibility order between filter conditions and lists
 static std::shared_ptr<ast::expr> parse_condition(
 	std::string condition,
-	indexed_vector<rule_loader::list_info>& lists,
+	indexed_vector<falco_list>& lists,
 	const rule_loader::context &ctx)
 {
 	for (auto &l : lists)
@@ -318,13 +343,14 @@ static void apply_output_substitutions(
 void rule_loader::compiler::compile_list_infos(
 		configuration& cfg,
 		const collector& col,
-		indexed_vector<list_info>& out) const
+		indexed_vector<falco_list>& out) const
 {
 	std::string tmp;
 	std::vector<std::string> used;
 	for (auto &list : col.lists())
 	{
-		list_info v = list;
+		falco_list v;
+		v.name = list.name;
 		v.items.clear();
 		for (auto &item : list.items)
 		{
@@ -346,7 +372,8 @@ void rule_loader::compiler::compile_list_infos(
 			}
 		}
 		v.used = false;
-		out.insert(v, v.name);
+		auto list_id = out.insert(v, v.name);
+		out.at(list_id)->id = list_id;
 	}
 	for (auto &v : used)
 	{
@@ -358,20 +385,23 @@ void rule_loader::compiler::compile_list_infos(
 void rule_loader::compiler::compile_macros_infos(
 		configuration& cfg,
 		const collector& col,
-		indexed_vector<list_info>& lists,
-		indexed_vector<macro_info>& out) const
+		indexed_vector<falco_list>& lists,
+		indexed_vector<falco_macro>& out) const
 {
 	for (auto &m : col.macros())
 	{
-		macro_info entry = m;
-		entry.cond_ast = parse_condition(m.cond, lists, m.cond_ctx);
+		falco_macro entry;
+		entry.name = m.name;
+		entry.condition = parse_condition(m.cond, lists, m.cond_ctx);
 		entry.used = false;
-		out.insert(entry, m.name);
+		auto macro_id = out.insert(entry, m.name);
+		out.at(macro_id)->id = macro_id;
 	}
 
 	for (auto &m : out)
 	{
-		resolve_macros(out, m.cond_ast, m.cond, m.visibility, m.ctx);
+		auto info = macro_info_from_name(col, m.name);
+		resolve_macros(col.macros(), out, m.condition, info->cond, info->visibility, info->ctx);
 	}
 }
 
@@ -385,8 +415,8 @@ static bool err_is_unknown_type_or_field(const std::string& err)
 void rule_loader::compiler::compile_rule_infos(
 		configuration& cfg,
 		const collector& col,
-		indexed_vector<list_info>& lists,
-		indexed_vector<macro_info>& macros,
+		indexed_vector<falco_list>& lists,
+		indexed_vector<falco_macro>& macros,
 		indexed_vector<falco_rule>& out) const
 {
 	std::string err, condition;
@@ -400,12 +430,6 @@ void rule_loader::compiler::compile_rule_infos(
 			continue;
 		}
 
-		// skip the rule if below the minimum priority
-		if (r.priority > cfg.min_priority)
-		{
-			continue;
-		}
-
 		// note: this should not be nullptr if the source is not unknown
 		auto source = cfg.sources.at(r.source);
 		THROW(!source,
@@ -422,12 +446,12 @@ void rule_loader::compiler::compile_rule_infos(
 			build_rule_exception_infos(
 				r.exceptions, rule.exception_fields, condition);
 		}
-		auto ast = parse_condition(condition, lists, r.cond_ctx);
-		resolve_macros(macros, ast, condition, MAX_VISIBILITY, r.ctx);
+		rule.condition = parse_condition(condition, lists, r.cond_ctx);
+		resolve_macros(col.macros(), macros, rule.condition, condition, MAX_VISIBILITY, r.ctx);
 
 		// check for warnings in the filtering condition
 		warn_codes.clear();
-		if (warn_resolver.run(ast.get(), warn_codes))
+		if (warn_resolver.run(rule.condition.get(), warn_codes))
 		{
 			for (auto &w : warn_codes)
 			{
@@ -442,8 +466,11 @@ void rule_loader::compiler::compile_rule_infos(
 			apply_output_substitutions(cfg, rule.output);
 		}
 
+		// validate the rule's output
 		if(!is_format_valid(*cfg.sources.at(r.source), rule.output, err))
 		{
+			// skip the rule silently if skip_if_unknown_filter is true and
+			// we encountered some specific kind of errors
 			if (err_is_unknown_type_or_field(err) && r.skip_if_unknown_filter)
 			{
 				cfg.res->add_warning(
@@ -458,30 +485,18 @@ void rule_loader::compiler::compile_rule_infos(
 				r.output_ctx);
 		}
 
-		// construct rule definition and compile it to a filter
-		rule.name = r.name;
-		rule.source = r.source;
-		rule.description = r.desc;
-		rule.priority = r.priority;
-		rule.tags = r.tags;
-
-		auto rule_id = out.insert(rule, rule.name);
-		out.at(rule_id)->id = rule_id;
-
-		// This also compiles the filter, and might throw a
-		// falco_exception with details on the compilation
-		// failure.
-		sinsp_filter_compiler compiler(cfg.sources.at(r.source)->filter_factory, ast.get());
-		try {
-			std::shared_ptr<gen_event_filter> filter(compiler.compile());
-			source->ruleset->add(*out.at(rule_id), filter, ast);
+		// validate the rule's condition: we compile it into a sinsp filter
+		// on-the-fly and we throw an exception with details on failure
+		sinsp_filter_compiler compiler(cfg.sources.at(r.source)->filter_factory, rule.condition.get());
+		try
+		{
+			compiler.compile();
 		}
 		catch (const sinsp_exception& e)
 		{
-			// Allow errors containing "nonexistent field" if
-			// skip_if_unknown_filter is true
+			// skip the rule silently if skip_if_unknown_filter is true and
+			// we encountered some specific kind of errors
 			std::string err = e.what();
-
 			if (err_is_unknown_type_or_field(err) && r.skip_if_unknown_filter)
 			{
 				cfg.res->add_warning(
@@ -490,7 +505,6 @@ void rule_loader::compiler::compile_rule_infos(
 					r.cond_ctx);
 				continue;
 			}
-
 			rule_loader::context ctx(compiler.get_pos(), condition, r.cond_ctx);
 			throw rule_loader::rule_load_exception(
 				falco::load_result::load_result::LOAD_ERR_COMPILE_CONDITION,
@@ -498,20 +512,10 @@ void rule_loader::compiler::compile_rule_infos(
 				ctx);
 		}
 
-		// By default rules are enabled/disabled for the default ruleset
-		if(r.enabled)
-		{
-			source->ruleset->enable(rule.name, true, cfg.default_ruleset_id);
-		}
-		else
-		{
-			source->ruleset->disable(rule.name, true, cfg.default_ruleset_id);
-		}
-
 		// populate set of event types and emit an special warning
-		if(rule.source == falco_common::syscall_source)
+		if(r.source == falco_common::syscall_source)
 		{
-			auto evttypes = libsinsp::filter::ast::ppm_event_codes(ast.get());
+			auto evttypes = libsinsp::filter::ast::ppm_event_codes(rule.condition.get());
 			if ((evttypes.empty() || evttypes.size() > 100) && r.warn_evttypes)
 			{
 				cfg.res->add_warning(
@@ -520,23 +524,29 @@ void rule_loader::compiler::compile_rule_infos(
 					r.ctx);
 			}
 		}
+
+		// finalize the rule definition and add it to output
+		rule.name = r.name;
+		rule.source = r.source;
+		rule.description = r.desc;
+		rule.priority = r.priority;
+		rule.tags = r.tags;
+		auto rule_id = out.insert(rule, rule.name);
+		out.at(rule_id)->id = rule_id;
 	}
 }
 
 void rule_loader::compiler::compile(
 		configuration& cfg,
 		const collector& col,
-		indexed_vector<falco_rule>& out) const
+		compile_output& out) const
 {
-	indexed_vector<list_info> lists;
-	indexed_vector<macro_info> macros;
-
 	// expand all lists, macros, and rules
 	try
 	{
-		compile_list_infos(cfg, col, lists);
-		compile_macros_infos(cfg, col, lists, macros);
-		compile_rule_infos(cfg, col, lists, macros, out);
+		compile_list_infos(cfg, col, out.lists);
+		compile_macros_infos(cfg, col, out.lists, out.macros);
+		compile_rule_infos(cfg, col, out.lists, out.macros, out.rules);
 	}
 	catch(rule_load_exception &e)
 	{
@@ -545,24 +555,24 @@ void rule_loader::compiler::compile(
 	}
 
 	// print info on any dangling lists or macros that were not used anywhere
-	for (auto &m : macros)
+	for (auto &m : out.macros)
 	{
 		if (!m.used)
 		{
 			cfg.res->add_warning(
 				falco::load_result::load_result::LOAD_UNUSED_MACRO,
 				"Macro not referred to by any other rule/macro",
-				m.ctx);
+				macro_info_from_name(col, m.name)->ctx);
 		}
 	}
-	for (auto &l : lists)
+	for (auto &l : out.lists)
 	{
 		if (!l.used)
 		{
 			cfg.res->add_warning(
 				falco::load_result::LOAD_UNUSED_LIST,
 				"List not referred to by any other rule/macro",
-				l.ctx);
+				list_info_from_name(col, l.name)->ctx);
 		}
 	}
 }

userspace/engine/rule_loader_compiler.h

@@ -1,5 +1,6 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2022 The Falco Authors.
+Copyright (C) 2023 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -30,6 +31,23 @@ namespace rule_loader
 class compiler
 {
 public:
+	/*!
+		\brief The output of a compilation.
+	*/
+	struct compile_output
+	{
+		compile_output() = default;
+		virtual ~compile_output() = default;
+		compile_output(compile_output&&) = default;
+		compile_output& operator = (compile_output&&) = default;
+		compile_output(const compile_output&) = default;
+		compile_output& operator = (const compile_output&) = default;
+
+		indexed_vector<falco_list> lists;
+		indexed_vector<falco_macro> macros;
+		indexed_vector<falco_rule> rules;
+	};
+
 	compiler() = default;
 	virtual ~compiler() = default;
 	compiler(compiler&&) = default;
@@ -43,25 +61,25 @@ public:
 	virtual void compile(
 		configuration& cfg,
 		const collector& col,
-		indexed_vector<falco_rule>& out) const;
+		compile_output& out) const;
 
 private:
 	void compile_list_infos(
 		configuration& cfg,
 		const collector& col,
-		indexed_vector<list_info>& out) const;
+		indexed_vector<falco_list>& out) const;
 
 	void compile_macros_infos(
 		configuration& cfg,
 		const collector& col,
-		indexed_vector<list_info>& lists,
-		indexed_vector<macro_info>& out) const;
+		indexed_vector<falco_list>& lists,
+		indexed_vector<falco_macro>& out) const;
 
 	void compile_rule_infos(
 		configuration& cfg,
 		const collector& col,
-		indexed_vector<list_info>& lists,
-		indexed_vector<macro_info>& macros,
+		indexed_vector<falco_list>& lists,
+		indexed_vector<falco_macro>& macros,
 		indexed_vector<falco_rule>& out) const;
 };
 

userspace/engine/rule_loader_reader.cpp

@@ -1,5 +1,6 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2022 The Falco Authors.
+Copyright (C) 2023 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

userspace/engine/rule_loader_reader.h

@@ -1,5 +1,6 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2022 The Falco Authors.
+Copyright (C) 2023 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -42,4 +43,4 @@ public:
 	virtual bool read(configuration& cfg, collector& loader);
 };
 
-}; // namespace rule_loader
+}; // namespace rule_loader

userspace/engine/stats_manager.cpp

@@ -1,5 +1,6 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2022 The Falco Authors.
+Copyright (C) 2023 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

userspace/engine/stats_manager.h

@@ -1,5 +1,6 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
-Copyright (C) 2022 The Falco Authors.
+Copyright (C) 2023 The Falco Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -70,4 +71,4 @@ private:
 	std::atomic<uint64_t> m_total;
 	std::vector<std::unique_ptr<std::atomic<uint64_t>>> m_by_priority;
 	std::vector<std::unique_ptr<std::atomic<uint64_t>>> m_by_rule_id;
-};
+};

userspace/falco/CMakeLists.txt

@@ -1,5 +1,6 @@
+# SPDX-License-Identifier: Apache-2.0
 #
-# Copyright (C) 2022 The Falco Authors.
+# Copyright (C) 2023 The Falco Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 # the License. You may obtain a copy of the License at

userspace/falco/app/actions/actions.h

@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2023 The Falco Authors.
 

userspace/falco/app/actions/configure_interesting_sets.cpp

@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2023 The Falco Authors.
 

userspace/falco/app/actions/configure_syscall_buffer_num.cpp

@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2023 The Falco Authors.
 

userspace/falco/app/actions/configure_syscall_buffer_size.cpp

@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2023 The Falco Authors.
 

userspace/falco/app/actions/create_requested_paths.cpp

@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2023 The Falco Authors.
 

userspace/falco/app/actions/create_signal_handlers.cpp

@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2023 The Falco Authors.
 

userspace/falco/app/actions/helpers.h

@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: Apache-2.0
 /*
 Copyright (C) 2023 The Falco Authors.