
Commit 0f3a94c

committed
chore(grpc): bump api to latest 715b629
It also updates grpc proto conversion functions to use the new api.
1 parent 715b629 commit 0f3a94c


6 files changed

+126
-142
lines changed


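--- a/go.mod
+++ b/go.mod
@@ -8,7 +8,7 @@ require (
 github.com/IBM/fluent-forward-go v0.2.2
 github.com/Masterminds/sprig/v3 v3.2.3
 github.com/aquasecurity/libbpfgo v0.7.0-libbpf-1.4.0.20240729111821-61d531acf4ca
-github.com/aquasecurity/tracee/api v0.0.0-20240905132323-d1eaeef6a19f
+github.com/aquasecurity/tracee/api v0.0.0-20241202151435-715b6290fb6a
 github.com/aquasecurity/tracee/signatures/helpers v0.0.0-20241009193135-0b23713fa9f9
 github.com/aquasecurity/tracee/types v0.0.0-20241008181102-d40bc1f81863
 github.com/containerd/containerd v1.7.21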

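--- a/go.sum
+++ b/go.sum
@@ -406,8 +406,8 @@ github.com/agnivade/levenshtein v1.1.1/go.mod h1:veldBMzWxcCG2ZvUTKD2kJNRdCk5hVb
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
 github.com/aquasecurity/libbpfgo v0.7.0-libbpf-1.4.0.20240729111821-61d531acf4ca h1:OPbvwFFvR11c1bgOLhBq1R5Uk3hwUjHW2KfrdyJan9Y=
 github.com/aquasecurity/libbpfgo v0.7.0-libbpf-1.4.0.20240729111821-61d531acf4ca/go.mod h1:UpO6kTehEgAGGKR2twztBxvzjTiLiV/cb2xmlYb+TfE=
-github.com/aquasecurity/tracee/api v0.0.0-20240905132323-d1eaeef6a19f h1:O4UmMQViaaP1wKL1eXe7C6VylwrUmUB5mYM+roqnUZg=
-github.com/aquasecurity/tracee/api v0.0.0-20240905132323-d1eaeef6a19f/go.mod h1:Gn6xVkaBkVe1pOQ0++uuHl+lMMClv0TPY8mCQ6j88aA=
+github.com/aquasecurity/tracee/api v0.0.0-20241202151435-715b6290fb6a h1:5SmeDGWshkjCXTmIDvYx/MsrnOuYw01XnCEKdNkrBF0=
+github.com/aquasecurity/tracee/api v0.0.0-20241202151435-715b6290fb6a/go.mod h1:Gn6xVkaBkVe1pOQ0++uuHl+lMMClv0TPY8mCQ6j88aA=
 github.com/aquasecurity/tracee/signatures/helpers v0.0.0-20241009193135-0b23713fa9f9 h1:sB84YYSDgUAYNSonXeMPweaN6dviCld8UNqcKDn1jBM=
 github.com/aquasecurity/tracee/signatures/helpers v0.0.0-20241009193135-0b23713fa9f9/go.mod h1:/eGxScU8+vnxYhchZ72Y0lv1HqTSooLvtGCt9x7450I=
 github.com/aquasecurity/tracee/types v0.0.0-20241008181102-d40bc1f81863 h1:domVTTQICTuCvX+ZW5EjvdUBz8EH7FedBj5lRqwpgf4=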

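--- a/pkg/server/grpc/event_data.go
+++ b/pkg/server/grpc/event_data.go
@@ -22,18 +22,9 @@ func getEventData(e trace.Event) ([]*pb.EventValue, error) {
 
 for _, arg := range e.Args {
 if arg.ArgMeta.Name == "triggeredBy" {
-triggerEvent, err := getTriggerBy(arg)
-if err != nil {
-return nil, err
-}
-
-data = append(data, &pb.EventValue{
-Name: "triggeredBy",
-Value: &pb.EventValue_TriggeredBy{
-TriggeredBy: triggerEvent,
-},
-})
-
+// Do NOT parse triggeredBy argument as pb.EventValue here since
+// it is parsed as pb.TriggeredBy (a proper pb.Event level field)
+// by getTriggerBy helper.
 continue
 }
 
@@ -426,59 +417,6 @@ func getSockaddr(v map[string]string) (*pb.EventValue, error) {
 }, nil
 }
 
-func getTriggerBy(triggeredByArg trace.Argument) (*pb.TriggeredBy, error) {
-var triggerEvent *pb.TriggeredBy
-
-m, ok := triggeredByArg.Value.(map[string]interface{})
-if !ok {
-return nil, errfmt.Errorf("error getting triggering event: %v", triggeredByArg.Value)
-}
-
-triggerEvent = &pb.TriggeredBy{}
-
-id, ok := m["id"].(int)
-if !ok {
-return nil, errfmt.Errorf("error getting id of triggering event: %v", m)
-}
-triggerEvent.Id = uint32(id)
-
-name, ok := m["name"].(string)
-if !ok {
-return nil, errfmt.Errorf("error getting name of triggering event: %v", m)
-}
-triggerEvent.Name = name
-
-triggerEventArgs, ok := m["args"].([]trace.Argument)
-if !ok {
-return nil, errfmt.Errorf("error getting args of triggering event: %v", m)
-}
-
-data := make([]*pb.EventValue, 0)
-
-for _, arg := range triggerEventArgs {
-eventValue, err := getEventValue(arg)
-if err != nil {
-return nil, err
-}
-
-eventValue.Name = arg.ArgMeta.Name
-data = append(data, eventValue)
-}
-
-if events.Core.GetDefinitionByID(events.ID(id)).IsSyscall() {
-data = append(data, &pb.EventValue{
-Name: "returnValue",
-Value: &pb.EventValue_Int64{
-Int64: int64(m["returnValue"].(int)),
-},
-})
-}
-
-triggerEvent.Data = data
-
-return triggerEvent, nil
-}
-
 func getDNSResourceRecord(source trace.ProtoDNSResourceRecord) *pb.DNSResourceRecord {
 opts := make([]*pb.DNSOPT, len(source.OPT))
 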
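--- a/pkg/server/grpc/event_data_test.go
+++ b/pkg/server/grpc/event_data_test.go
@@ -718,7 +718,6 @@ func Test_getEventData(t *testing.T) {
 
 func TestEventTrigger(t *testing.T) {
 event := trace.Event{
-EventID: 6001,
 Args: []trace.Argument{
 {
 ArgMeta: trace.ArgMeta{
@@ -750,52 +749,31 @@ func TestEventTrigger(t *testing.T) {
 },
 }
 
-eventData, err := getEventData(event)
+expectedTriggerEvent, err := getTriggerBy(event.Args)
 assert.NoError(t, err)
 
-expected := []*pb.EventValue{
-{
-Name: "arg1",
-Value: &pb.EventValue_Str{
-Str: "value1",
-},
-},
-{
-Name: "triggeredBy",
-Value: &pb.EventValue_TriggeredBy{
-TriggeredBy: &pb.TriggeredBy{
-Id: 101,
-Name: "ptrace",
-Data: []*pb.EventValue{
-{
-Name: "arg1",
-Value: &pb.EventValue_Str{
-Str: "arg value",
-},
-},
-{
-Name: "returnValue",
-Value: &pb.EventValue_Int64{
-Int64: 10,
-},
-},
-},
-},
-},
-},
-}
-
-assert.Equal(t, len(expected), len(eventData))
-
-expectedTriggerEvent := expected[1].GetTriggeredBy()
-assert.NotNil(t, expectedTriggerEvent)
+actualTriggerId, ok := event.Args[1].Value.(map[string]interface{})["id"].(int)
+assert.True(t, ok)
+actualTriggerName, ok := event.Args[1].Value.(map[string]interface{})["name"].(string)
+assert.True(t, ok)
+actualTriggerArgs, ok := event.Args[1].Value.(map[string]interface{})["args"].([]trace.Argument)
+assert.True(t, ok)
+actualTriggerArg0Str, ok := actualTriggerArgs[0].Value.(string)
+assert.True(t, ok)
+actualArg1Name := "returnValue"
+actualArg1Value, ok := event.Args[1].Value.(map[string]interface{})["returnValue"].(int)
+assert.True(t, ok)
 
-actualTriggerEvent := eventData[1].GetTriggeredBy()
-assert.NotNil(t, actualTriggerEvent)
+assert.Equal(t, expectedTriggerEvent.Id, uint32(actualTriggerId))
+assert.Equal(t, expectedTriggerEvent.Name, actualTriggerName)
 
-assert.Equal(t, expectedTriggerEvent.Id, actualTriggerEvent.Id)
-assert.Equal(t, expectedTriggerEvent.Name, actualTriggerEvent.Name)
+expectedArg0Name := expectedTriggerEvent.Data[0].GetName()
+expectedArg0StrValue := expectedTriggerEvent.Data[0].GetValue().(*pb.EventValue_Str).Str
+assert.Equal(t, expectedArg0Name, actualTriggerArgs[0].ArgMeta.Name)
+assert.Equal(t, expectedArg0StrValue, actualTriggerArg0Str)
 
-assert.Equal(t, len(expectedTriggerEvent.Data), len(actualTriggerEvent.Data))
-assert.Equal(t, expectedTriggerEvent.Data, actualTriggerEvent.Data)
+expectedArg1Name := expectedTriggerEvent.Data[1].GetName()
+expectedArg1Value := expectedTriggerEvent.Data[1].GetValue().(*pb.EventValue_Int64).Int64
+assert.Equal(t, expectedArg1Name, actualArg1Name)
+assert.Equal(t, expectedArg1Value, int64(actualArg1Value))
 }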
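Review bot: In the rewritten TestEventTrigger the value returned by the function under test is named `expectedTriggerEvent`, while the values read back from the input fixture are named `actual…`. They are passed to `assert.Equal` in that order, so a failure would print expected and actual swapped; naming the result `got` and the fixture values `want…` (e.g. `assert.Equal(t, uint32(wantID), got.Id)`) reads correctly. The `Data[0]`/`Data[1]` indexing and the `.(*pb.EventValue_Str)` / `.(*pb.EventValue_Int64)` assertions panic instead of failing if getTriggerBy returns fewer or differently typed values; a guard such as `if !assert.Len(t, expectedTriggerEvent.Data, 2) { return }` before them avoids that. Only the happy path is exercised: the case with no triggeredBy argument and the error returns for a malformed id, name, args or returnValue have no test. The test function begins in the first hunk and its fixture lies partly outside both hunks.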

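--- a/pkg/server/grpc/tracee.go
+++ b/pkg/server/grpc/tracee.go
@@ -12,6 +12,7 @@ import (
 
 pb "github.com/aquasecurity/tracee/api/v1beta1"
 tracee "github.com/aquasecurity/tracee/pkg/ebpf"
+"github.com/aquasecurity/tracee/pkg/errfmt"
 "github.com/aquasecurity/tracee/pkg/events"
 "github.com/aquasecurity/tracee/pkg/logger"
 "github.com/aquasecurity/tracee/pkg/streams"
@@ -721,9 +722,9 @@ func convertTraceeEventToProto(e trace.Event) (*pb.Event, error) {
 k8s := getK8s(e)
 idExternal := getExternalID(e)
 
-var eventContext *pb.Context
+var eventWorkload *pb.Workload
 if process != nil || container != nil || k8s != nil {
-eventContext = &pb.Context{
+eventWorkload = &pb.Workload{
 Process: process,
 Container: container,
 K8S: k8s,
@@ -740,16 +741,21 @@ func convertTraceeEventToProto(e trace.Event) (*pb.Event, error) {
 threat = getThreat(e.Metadata.Description, e.Metadata.Properties)
 }
 
+triggerEvent, err := getTriggerBy(e.Args)
+if err != nil {
+return nil, err
+}
+
 event := &pb.Event{
 Id: idExternal,
 Name: e.EventName,
 Policies: &pb.Policies{
 Matched: e.MatchedPolicies,
 },
-Context: eventContext,
-Threat: threat,
-
-Data: eventData,
+Workload: eventWorkload,
+Data: eventData,
+Threat: threat,
+TriggeredBy: triggerEvent,
 }
 
 if e.Timestamp != 0 {
@@ -932,6 +938,68 @@ func getThreat(description string, metadata map[string]interface{}) *pb.Threat {
 }
 }
 
+func getTriggerBy(args []trace.Argument) (*pb.TriggeredBy, error) {
+var triggeredByArg *trace.Argument
+triggerEvent := &pb.TriggeredBy{}
+
+for i := range args {
+if args[i].ArgMeta.Name == "triggeredBy" {
+triggeredByArg = &args[i]
+break
+}
+}
+if triggeredByArg == nil {
+return triggerEvent, nil
+}
+
+m, ok := triggeredByArg.Value.(map[string]interface{})
+if !ok {
+return nil, errfmt.Errorf("error getting triggering event: %v", triggeredByArg.Value)
+}
+
+id, ok := m["id"].(int)
+if !ok {
+return nil, errfmt.Errorf("error getting id of triggering event: %v", m)
+}
+triggerEvent.Id = uint32(id)
+
+name, ok := m["name"].(string)
+if !ok {
+return nil, errfmt.Errorf("error getting name of triggering event: %v", m)
+}
+triggerEvent.Name = name
+
+triggerEventArgs, ok := m["args"].([]trace.Argument)
+if !ok {
+return nil, errfmt.Errorf("error getting args of triggering event: %v", m)
+}
+
+data := make([]*pb.EventValue, 0)
+
+for _, arg := range triggerEventArgs {
+eventValue, err := getEventValue(arg)
+if err != nil {
+return nil, err
+}
+
+eventValue.Name = arg.ArgMeta.Name
+data = append(data, eventValue)
+}
+
+if events.Core.GetDefinitionByID(events.ID(id)).IsSyscall() {
+data = append(data, &pb.EventValue{
+Name: "returnValue",
+Value: &pb.EventValue_Int64{
+Int64: int64(m["returnValue"].(int)),
+},
+})
+}
+
+triggerEvent.Data = data
+
+return triggerEvent, nil
+}
+
 func getSeverity(metadata map[string]interface{}) pb.Severity {
 severityValue, ok := metadata["Severity"].(int)
 if ok {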
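Review bot: In the relocated getTriggerBy, `int64(m["returnValue"].(int))` is an unchecked type assertion, so a triggeredBy map whose returnValue is missing or not an int panics inside convertTraceeEventToProto instead of returning an error the way the id, name and args lookups above it do. On the gRPC event path one malformed event would then take down the handler that delivers detections rather than being rejected, so the lookup should use the comma-ok form and return an errfmt error, as sketched below. In the same function `uint32(id)` silently wraps a negative id, and whether GetDefinitionByID returns something safe to call IsSyscall() on for an unknown id is not visible here and is worth confirming. Separately, when no triggeredBy argument exists the function returns a non-nil empty `&pb.TriggeredBy{}`, so every converted event carries a TriggeredBy with Id 0; returning `nil, nil` would let consumers tell an untriggered event apart.

```go
// … unchanged: triggeredBy lookup, id/name/args extraction, args conversion loop …
if events.Core.GetDefinitionByID(events.ID(id)).IsSyscall() {
	rv, ok := m["returnValue"].(int)
	if !ok {
		return nil, errfmt.Errorf("error getting returnValue of triggering event: %v", m)
	}
	data = append(data, &pb.EventValue{
		Name:  "returnValue",
		Value: &pb.EventValue_Int64{Int64: int64(rv)},
	})
}
// … unchanged: triggerEvent.Data assignment and return …
```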

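--- a/pkg/server/grpc/tracee_test.go
+++ b/pkg/server/grpc/tracee_test.go
@@ -11,7 +11,7 @@ import (
 "github.com/aquasecurity/tracee/types/trace"
 )
 
-func Test_convertEventWithProcessContext(t *testing.T) {
+func Test_convertEventWithProcessWorkload(t *testing.T) {
 t.Parallel()
 
 unixTime := int(time.Now().UnixNano())
@@ -40,22 +40,22 @@ func Test_convertEventWithProcessContext(t *testing.T) {
 protoEvent, err := convertTraceeEventToProto(traceEvent)
 assert.NoError(t, err)
 
-assert.Equal(t, uint32(1), protoEvent.Context.Process.Pid.Value)
-assert.Equal(t, uint32(2), protoEvent.Context.Process.Thread.Tid.Value)
-assert.Equal(t, uint32(3), protoEvent.Context.Process.HostPid.Value)
-assert.Equal(t, uint32(4), protoEvent.Context.Process.Thread.HostTid.Value)
-assert.Equal(t, uint32(5), protoEvent.Context.Process.Ancestors[0].Pid.Value)
-assert.Equal(t, uint32(6), protoEvent.Context.Process.Ancestors[0].HostPid.Value)
-assert.Equal(t, uint32(7), protoEvent.Context.Process.RealUser.Id.Value)
+assert.Equal(t, uint32(1), protoEvent.Workload.Process.Pid.Value)
+assert.Equal(t, uint32(2), protoEvent.Workload.Process.Thread.Tid.Value)
+assert.Equal(t, uint32(3), protoEvent.Workload.Process.HostPid.Value)
+assert.Equal(t, uint32(4), protoEvent.Workload.Process.Thread.HostTid.Value)
+assert.Equal(t, uint32(5), protoEvent.Workload.Process.Ancestors[0].Pid.Value)
+assert.Equal(t, uint32(6), protoEvent.Workload.Process.Ancestors[0].HostPid.Value)
+assert.Equal(t, uint32(7), protoEvent.Workload.Process.RealUser.Id.Value)
 assert.Equal(t, pb.EventId_execve, protoEvent.Id)
-assert.Equal(t, uint32(9), protoEvent.Context.Process.Thread.UniqueId.Value)
-assert.Equal(t, uint32(10), protoEvent.Context.Process.UniqueId.Value)
-assert.Equal(t, uint32(11), protoEvent.Context.Process.Ancestors[0].UniqueId.Value)
+assert.Equal(t, uint32(9), protoEvent.Workload.Process.Thread.UniqueId.Value)
+assert.Equal(t, uint32(10), protoEvent.Workload.Process.UniqueId.Value)
+assert.Equal(t, uint32(11), protoEvent.Workload.Process.Ancestors[0].UniqueId.Value)
 assert.Equal(t, "eventTest", protoEvent.Name)
 assert.Equal(t, []string{"policyTest"}, protoEvent.Policies.Matched)
-assert.Equal(t, "processTest", protoEvent.Context.Process.Thread.Name)
-assert.Equal(t, "syscall", protoEvent.Context.Process.Thread.Syscall)
-assert.Equal(t, true, protoEvent.Context.Process.Thread.Compat)
+assert.Equal(t, "processTest", protoEvent.Workload.Process.Thread.Name)
+assert.Equal(t, "syscall", protoEvent.Workload.Process.Thread.Syscall)
+assert.Equal(t, true, protoEvent.Workload.Process.Thread.Compat)
 }
 
 func Test_convertEventWithStackaddresses(t *testing.T) {
@@ -75,11 +75,11 @@ func Test_convertEventWithStackaddresses(t *testing.T) {
 }
 
 for i := range expected {
-assert.Equal(t, expected[i].Address, protoEvent.Context.Process.Thread.UserStackTrace.Addresses[i].Address)
+assert.Equal(t, expected[i].Address, protoEvent.Workload.Process.Thread.UserStackTrace.Addresses[i].Address)
 }
 }
 
-func Test_convertEventWithContainerContext(t *testing.T) {
+func Test_convertEventWithContainerWorkload(t *testing.T) {
 t.Parallel()
 
 traceEvent := trace.Event{
@@ -94,13 +94,13 @@ func Test_convertEventWithContainerContext(t *testing.T) {
 protoEvent, err := convertTraceeEventToProto(traceEvent)
 assert.NoError(t, err)
 
-assert.Equal(t, "containerID", protoEvent.Context.Container.Id)
-assert.Equal(t, "containerName", protoEvent.Context.Container.Name)
-assert.Equal(t, "imageName", protoEvent.Context.Container.Image.Name)
-assert.Equal(t, []string{"imageDigest"}, protoEvent.Context.Container.Image.RepoDigests)
+assert.Equal(t, "containerID", protoEvent.Workload.Container.Id)
+assert.Equal(t, "containerName", protoEvent.Workload.Container.Name)
+assert.Equal(t, "imageName", protoEvent.Workload.Container.Image.Name)
+assert.Equal(t, []string{"imageDigest"}, protoEvent.Workload.Container.Image.RepoDigests)
 }
 
-func Test_convertEventWithK8sContext(t *testing.T) {
+func Test_convertEventWithK8sWorkload(t *testing.T) {
 t.Parallel()
 
 traceEvent := trace.Event{
@@ -114,9 +114,9 @@ func Test_convertEventWithK8sContext(t *testing.T) {
 protoEvent, err := convertTraceeEventToProto(traceEvent)
 assert.NoError(t, err)
 
-assert.Equal(t, "podName", protoEvent.Context.K8S.Pod.Name)
-assert.Equal(t, "podNamespace", protoEvent.Context.K8S.Namespace.Name)
-assert.Equal(t, "podUID", protoEvent.Context.K8S.Pod.Uid)
+assert.Equal(t, "podName", protoEvent.Workload.K8S.Pod.Name)
+assert.Equal(t, "podNamespace", protoEvent.Workload.K8S.Namespace.Name)
+assert.Equal(t, "podUID", protoEvent.Workload.K8S.Pod.Uid)
 }
 
 func Test_convertEventWithThreat(t *testing.T) {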
