types.Finding interface update (#646)

tracee-rules/output.go

@@ -20,11 +20,11 @@ import (
 const DefaultDetectionOutputTemplate string = `
 *** Detection ***
 Time: {{ dateInZone "2006-01-02T15:04:05Z" (now) "UTC" }}
-Signature ID: {{ .ID }}
-Signature: {{ .Name }}
-Data: {{ .Finding.Data }}
-Command: {{ .Finding.Context.ProcessName }}
-Hostname: {{ .Finding.Context.HostName }}
+Signature ID: {{ .SigMetadata.ID }}
+Signature: {{ .SigMetadata.Name }}
+Data: {{ .Data }}
+Command: {{ .Context.ProcessName }}
+Hostname: {{ .Context.HostName }}
 `
 
 func setupTemplate(inputTemplateFile string) (*template.Template, error) {
@@ -58,15 +58,9 @@ func setupOutput(w io.Writer, webhook string, webhookTemplate string, contentTyp
 
 	go func(w io.Writer, tWebhook, tOutput *template.Template) {
 		for res := range out {
-			sigMetadata, err := res.Signature.GetMetadata()
-			if err != nil {
-				log.Println("invalid signature metadata: ", err)
-				continue
-			}
-
 			switch res.Context.(type) {
 			case tracee.Event:
-				if err := tOutput.Execute(w, types.FindingWithMetadata{Finding: res, SignatureMetadata: sigMetadata}); err != nil {
+				if err := tOutput.Execute(w, res); err != nil {
 					log.Println("error writing to output: ", err)
 				}
 			default:
@@ -128,17 +122,13 @@ func prepareJSONPayload(res types.Finding, clock Clock) (string, error) {
 		Time         time.Time              `json:"time"`
 		OutputFields map[string]interface{} `json:"output_fields"`
 	}
-	sigmeta, err := res.Signature.GetMetadata()
-	if err != nil {
-		return "", err
-	}
 	fields := make(map[string]interface{})
 	if te, ok := res.Context.(tracee.Event); ok {
 		fields["value"] = te.ReturnValue
 	}
 	payload := Payload{
-		Output:       fmt.Sprintf("Rule \"%s\" detection:\n %v", sigmeta.Name, res.Data),
-		Rule:         sigmeta.Name,
+		Output:       fmt.Sprintf("Rule \"%s\" detection:\n %v", res.SigMetadata.Name, res.Data),
+		Rule:         res.SigMetadata.Name,
 		Time:         clock.Now().UTC(),
 		OutputFields: fields,
 	}

tracee-rules/output_test.go

@@ -2,7 +2,6 @@ package main
 
 import (
 	"bytes"
-	"errors"
 	"io/ioutil"
 	"net/http"
 	"net/http/httptest"
@@ -100,13 +99,14 @@ HostName: foobar.local
 		findingCh, err := setupOutput(&actualOutput, "", "", "", tc.outputFormat)
 		require.NoError(t, err, tc.name)
 
+		sm, _ := fakeSignature{}.GetMetadata()
 		findingCh <- types.Finding{
 			Data: map[string]interface{}{
 				"foo1": "bar1, baz1",
 				"foo2": []string{"bar2", "baz2"},
 			},
-			Context:   tc.inputContext,
-			Signature: fakeSignature{},
+			Context:     tc.inputContext,
+			SigMetadata: sm,
 		}
 
 		time.Sleep(time.Millisecond)
@@ -163,15 +163,6 @@ HostName: foobar.local
 }`,
 			inputTemplateFile: "templates/sprig.tmpl",
 		},
-		{
-			name: "sad path, with failing GetMetadata func for sig",
-			inputSignature: fakeSignature{
-				getMetadata: func() (types.SignatureMetadata, error) {
-					return types.SignatureMetadata{}, errors.New("getMetadata failed")
-				},
-			},
-			expectedError: "error preparing json payload: getMetadata failed",
-		},
 		{
 			name:               "sad path, error reaching webhook",
 			inputTestServerURL: "foo://bad.host",
@@ -205,6 +196,7 @@ HostName: foobar.local
 
 			inputTemplate, _ := setupTemplate(tc.inputTemplateFile)
 
+			m, _ := tc.inputSignature.GetMetadata()
 			actualError := sendToWebhook(inputTemplate, types.Finding{
 				Data: map[string]interface{}{
 					"foo1": "bar1, baz1",
@@ -214,7 +206,7 @@ HostName: foobar.local
 					ProcessName: "foobar.exe",
 					HostName:    "foobar.local",
 				},
-				Signature: tc.inputSignature,
+				SigMetadata: m,
 			}, ts.URL, tc.inputTemplateFile, tc.contentType, fakeClock{})
 
 			switch {

tracee-rules/signatures/golang/examples/example.go

@@ -50,13 +50,14 @@ func (sig *counter) OnEvent(e types.Event) error {
 		sig.count++
 	}
 	if sig.count == sig.target {
+		m, _ := sig.GetMetadata()
 		sig.cb(types.Finding{
 			Data: map[string]interface{}{
 				"count":    sig.count,
 				"severity": "HIGH",
 			},
-			Context:   e,
-			Signature: sig,
+			Context:     e,
+			SigMetadata: m,
 		})
 		sig.count = 0
 	}

tracee-rules/signatures/golang/stdio_over_socket.go

@@ -170,16 +170,15 @@ func (sig *stdioOverSocket) OnSignal(s types.Signal) error {
 }
 
 func isStdioOverSocket(sig *stdioOverSocket, eventObj tracee.Event, pidSocketMap map[int]string, srcFd int, dstFd int) error {
-
 	stdAll := []int{0, 1, 2}
-
 	ip, socketfdExists := pidSocketMap[srcFd]
 
 	// this means that a socket FD is duplicated into one of the standard FDs
 	if socketfdExists && intInSlice(dstFd, stdAll) {
+		m, _ := sig.GetMetadata()
 		sig.cb(types.Finding{
-			Signature: sig,
-			Context:   eventObj,
+			SigMetadata: m,
+			Context:     eventObj,
 			Data: map[string]interface{}{
 				"ip": ip,
 			},

tracee-rules/signatures/rego/regosig/traceerego.go

@@ -147,16 +147,16 @@ func (sig *RegoSignature) OnEvent(e types.Event) error {
 		case bool:
 			if v {
 				sig.cb(types.Finding{
-					Data:      nil,
-					Context:   ee,
-					Signature: sig,
+					Data:        nil,
+					Context:     ee,
+					SigMetadata: sig.metadata,
 				})
 			}
 		case map[string]interface{}:
 			sig.cb(types.Finding{
-				Data:      v,
-				Context:   ee,
-				Signature: sig,
+				Data:        v,
+				Context:     ee,
+				SigMetadata: sig.metadata,
 			})
 		}
 	}

tracee-rules/types/types.go

@@ -45,12 +45,7 @@ type SignalSourceComplete string
 
 //Finding is the main output of a signature. It represents a match result for the signature business logic
 type Finding struct {
-	Data      map[string]interface{}
-	Context   Event
-	Signature Signature
-}
-
-type FindingWithMetadata struct {
-	Finding
-	SignatureMetadata
+	Data        map[string]interface{}
+	Context     Event
+	SigMetadata SignatureMetadata
 }