From b9ca52c60d1533239e2eea539c813647f4f1f3d4 Mon Sep 17 00:00:00 2001
From: Iacopo Rozzo
Date: Mon, 13 Oct 2025 18:03:28 +0200
Subject: [PATCH] feat(engine): emit warning when a rule output uses deprecated "evt.dir"

Emit a warning when a rule uses the deprecated "evt.dir" field in output.

Signed-off-by: Iacopo Rozzo
---
 unit_tests/engine/test_rule_loader.cpp    | 33 +++++++++++++++++++++++
 userspace/engine/rule_loader_compiler.cpp | 23 ++++++++++++++++
 2 files changed, 56 insertions(+)

diff --git a/unit_tests/engine/test_rule_loader.cpp b/unit_tests/engine/test_rule_loader.cpp
index 83618c60781..d6a4001c5d8 100644
--- a/unit_tests/engine/test_rule_loader.cpp
+++ b/unit_tests/engine/test_rule_loader.cpp
@@ -1327,3 +1327,36 @@ TEST_F(test_falco_engine, empty_string_source_addl_rule) {
 	EXPECT_TRUE(load_rules(rules_content, "rules.yaml"));
 }
+
+TEST_F(test_falco_engine, deprecated_field_in_output) {
+	std::string rules_content = R"END(
+- rule: test_rule_with_evt_dir_in_output
+  desc: test rule with evt.dir in output
+  condition: evt.type = close
+  output: user=%user.name command=%proc.cmdline file=%fd.name evt.dir=%evt.dir
+  priority: INFO
+)END";
+
+	ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
+	ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
+	ASSERT_TRUE(has_warnings());
+	ASSERT_TRUE(check_warning_message(
+	        "usage of deprecated field 'evt.dir' has been detected in the rule output"))
+	        << m_load_result_string;
+	EXPECT_EQ(num_rules_for_ruleset(), 1);
+}
+
+TEST_F(test_falco_engine, no_deprecated_field_warning_in_output) {
+	std::string rules_content = R"END(
+- rule: test_rule_without_evt_dir
+  desc: test rule without evt.dir in output
+  condition: evt.type = close
+  output: user=%user.name command=%proc.cmdline file=%fd.name
+  priority: INFO
+)END";
+
+	ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
+	ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
+	ASSERT_FALSE(check_warning_message("evt.dir")) << m_load_result_string;
+	EXPECT_EQ(num_rules_for_ruleset(), 1);
+}
diff --git a/userspace/engine/rule_loader_compiler.cpp b/userspace/engine/rule_loader_compiler.cpp
index e48141ae8f8..650655d51a6 100644
--- a/userspace/engine/rule_loader_compiler.cpp
+++ b/userspace/engine/rule_loader_compiler.cpp
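Review bot: The positive test's output string carries the literal label `evt.dir=` immediately before the `%evt.dir` token, so deprecated_field_in_output passes whether the loader matches the format field or merely the bare text `evt.dir`, and no_deprecated_field_warning_in_output contains neither, so the pair never distinguishes the two behaviours. A case whose output uses only `%evt.dir` (expected to warn) and one that contains the text `evt.dir` only as a label, e.g. `output: dir=evt.dir file=%fd.name` (presumably expected not to warn, since the message speaks of a field), would pin the intended semantics. Both test bodies are complete within the hunk.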
@@ -72,6 +72,24 @@ static bool is_format_valid(const falco_source& source, std::string fmt, std::st
 	}
 }
 
+static void check_deprecated_fields_in_output(const std::string& fmt,
+                                              const rule_loader::context& ctx,
+                                              rule_loader::result& res) {
+	// Check for evt.dir field usage in output format
+	for(int i = 0;
+	    i < static_cast(falco::load_result::deprecated_field::DEPRECATED_FIELD_NOT_FOUND);
+	    i++) {
+		auto df = falco::load_result::deprecated_field(i);
+		if(fmt.find(falco::load_result::deprecated_field_str(df)) != std::string::npos) {
+			res.add_deprecated_field_warning(df,
+			                                 "usage of deprecated field '" +
+			                                         falco::load_result::deprecated_field_str(df) +
+			                                         "' has been detected in the rule output",
+			                                 ctx);
+		}
+	}
+}
+
 static void build_rule_exception_infos(
         const std::vector& exceptions,
         std::set& exception_fields,
@@ -478,6 +496,9 @@ void rule_loader::compiler::compile_rule_infos(const configuration& cfg,
 		                r.output_ctx);
 	}
 
+	// check for deprecated fields in output format
+	check_deprecated_fields_in_output(rule.output, r.output_ctx, *cfg.res);
+
 	// validate the rule's extra fields if any
 	for(auto const& ef : rule.extra_output_fields) {
 		if(!is_format_valid(*cfg.sources.at(r.source), ef.second.first, err)) {
@@ -485,6 +506,8 @@ void rule_loader::compiler::compile_rule_infos(const configuration& cfg,
 			                err,
 			                r.output_ctx);
 		}
+		// check for deprecated fields in extra output fields
+		check_deprecated_fields_in_output(ef.second.first, r.output_ctx, *cfg.res);
 	}
 
 	if(!compile_condition(cfg,
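Review bot: `fmt.find(falco::load_result::deprecated_field_str(df))` in check_deprecated_fields_in_output is a plain substring search on the bare field name, so any output text containing `evt.dir` — a literal label such as the `evt.dir=` in the new test, or a longer name beginning with those characters — raises the deprecation warning even when the `%evt.dir` field is never used, which will produce spurious warnings for rule authors. Matching the token the way the output format is actually written, at minimum `const std::string tok = "%" + falco::load_result::deprecated_field_str(df);` followed by `if(fmt.find(tok) != std::string::npos) {`, removes the obvious false positives; presumably the format parser behind is_format_valid can enumerate fields exactly, which would also keep `%evt.dir` from matching a longer field name with the same prefix. The header comment `// Check for evt.dir field usage in output format` names one value while the loop walks every deprecated_field; `// Warn once per deprecated field whose name appears in the output format` matches the code. The deprecated_field enum and deprecated_field_str are defined outside this hunk.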
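Review bot: The extra-output-field call passes `r.output_ctx` and reuses a message that ends in "in the rule output", so a warning raised for an entry of extra_output_fields points the user at the rule's `output:` key rather than the extra field containing the deprecated name, and the text does not say which field it was. If rule_loader keeps a context per extra field, pass that instead; otherwise a short location argument to check_deprecated_fields_in_output, spliced into the message in place of the fixed "the rule output" (for the extra fields something like `"extra output field '" + ef.first + "'"`), would make the warning actionable. The enclosing loop in compile_rule_infos begins in the previous hunk and the function continues past this one.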