Skip to content

feat(engine): emit warning when a condition uses deprecated "evt.dir" #3690

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Oct 9, 2025
Merged

feat(engine): emit warning when a condition uses deprecated "evt.dir" #3690

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
f1542d3
feat(engine): emit warning when a condition uses deprecated "evt.dir"
Oct 6, 2025
4f1ff8a
Use generic DEPRECATED_ITEM warning code
irozzo-1A Oct 8, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions unit_tests/engine/test_filter_warning_resolver.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ See the License for the specific language governing permissions and
limitations under the License.
*/

#include <string>
#include <gtest/gtest.h>
#include <engine/filter_warning_resolver.h>

Expand All @@ -38,4 +39,8 @@ TEST(WarningResolver, warnings_in_filtering_conditions) {
ASSERT_TRUE(warns("ka.field intersects (otherval, <NA>)"));
ASSERT_TRUE(warns("ka.field pmatch (<NA>)"));
ASSERT_TRUE(warns("ka.field pmatch (otherval, <NA>)"));
ASSERT_TRUE(warns("evt.dir = <"));
ASSERT_TRUE(warns("evt.dir = >"));
ASSERT_TRUE(warns("proc.name=test and evt.dir = <"));
ASSERT_TRUE(warns("evt.dir = < and proc.name=test"));
}
11 changes: 8 additions & 3 deletions userspace/engine/falco_load_result.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -73,7 +73,8 @@ static const std::string warning_codes[] = {"LOAD_UNKNOWN_SOURCE",
"LOAD_EXCEPTION_NAME_NOT_UNIQUE",
"LOAD_INVALID_MACRO_NAME",
"LOAD_INVALID_LIST_NAME",
"LOAD_COMPILE_CONDITION"};
"LOAD_COMPILE_CONDITION",
"LOAD_DEPRECATED_DIR_FIELD"};

const std::string& falco::load_result::warning_code_str(warning_code wc) {
return warning_codes[wc];
Expand All @@ -92,7 +93,8 @@ static const std::string warning_strings[] = {"Unknown event source",
"Multiple exceptions defined with the same name",
"Invalid macro name",
"Invalid list name",
"Warning in rule condition"};
"Warning in rule condition",
"Deprecated evt.dir field usage"};

const std::string& falco::load_result::warning_str(warning_code wc) {
return warning_strings[wc];
Expand All @@ -119,7 +121,10 @@ static const std::string warning_descs[] = {
"A rule is defining multiple exceptions with the same name",
"A macro is defined with an invalid name",
"A list is defined with an invalid name",
"A rule condition or output have been parsed with a warning"};
"A rule condition or output have been parsed with a warning",
"A rule condition uses the deprecated 'evt.dir' field. Due to the drop of enter events, "
"'evt.dir = <' always evaluates to true, and 'evt.dir = >' always evaluates to false. The "
"rule expression can be simplified by removing the condition on 'evt.dir'."};

const std::string& falco::load_result::warning_desc(warning_code wc) {
return warning_descs[wc];
Expand Down
3 changes: 2 additions & 1 deletion userspace/engine/falco_load_result.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -60,7 +60,8 @@ class load_result {
LOAD_EXCEPTION_NAME_NOT_UNIQUE,
LOAD_INVALID_MACRO_NAME,
LOAD_INVALID_LIST_NAME,
LOAD_COMPILE_CONDITION
LOAD_COMPILE_CONDITION,
LOAD_DEPRECATED_DIR_FIELD
};

virtual ~load_result() = default;
Expand Down
10 changes: 10 additions & 0 deletions userspace/engine/filter_warning_resolver.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ See the License for the specific language governing permissions and
limitations under the License.
*/

#include <string>
#include <libsinsp/sinsp.h>
#include "filter_warning_resolver.h"

Expand All @@ -27,6 +28,10 @@ static inline bool is_unsafe_field(const std::string& f) {
!strncmp(f.c_str(), "jevt.", strlen("jevt."));
}

static inline bool is_deprecated_dir_field(const std::string& f) {
return f == "evt.dir";
}

static inline bool is_equality_operator(const std::string& op) {
return op == "==" || op == "=" || op == "!=" || op == "in" || op == "intersects" ||
op == "pmatch";
Expand Down Expand Up @@ -54,6 +59,11 @@ void filter_warning_resolver::visitor::visit(libsinsp::filter::ast::binary_check

void filter_warning_resolver::visitor::visit(libsinsp::filter::ast::field_expr* e) {
m_last_node_is_unsafe_field = is_unsafe_field(e->field);

// Check for deprecated dir field usage
if(is_deprecated_dir_field(e->field)) {
m_warnings->insert(load_result::LOAD_DEPRECATED_DIR_FIELD);
}
}

void filter_warning_resolver::visitor::visit(libsinsp::filter::ast::value_expr* e) {
Expand Down
1 change: 0 additions & 1 deletion userspace/engine/rule_loader_compiler.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,6 @@ limitations under the License.
#include <memory>
#include <set>
#include <vector>
#include <functional>

#include "rule_loader_compiler.h"
#include "filter_warning_resolver.h"
Expand Down
Loading