
update(userspace/engine): modularize rule compiler, fix and enrich rule descriptions #2817

Merged
merged 9 commits into from Sep 28, 2023

Conversation


@jasondellaluce jasondellaluce commented Sep 19, 2023

What type of PR is this?

/kind bug

/kind cleanup

/kind feature

Any specific area of the project related to this PR?

/area engine

What this PR does / why we need it:

This is focused on the rules description feature of the -l and -L options, in the specific case of the JSON output. The goal is to be more consistent and print more information, which can be used by our automation and for debugging purposes (some of these have been asked for a while). High-level changes:

  • The rule loader compiler has been modularized even more. It will be a fair bit easier to write unit tests on it now.
  • For each rule, macro, or list, now also print the plugins they use among the ones currently loaded
  • For each list, now also print the final "compiled" list of items (after resolving all list refs)
  • For each macro, now also print the final "compiled" condition (after resolving all list and macro refs)
  • For each macro, now also print the final "compiled" condition and output (after resolving all list, macro, and exception refs, and also the output substitutions such as the one of container.info)
  • Details of each YAML element now take into consideration all the referenced elements (lists, macros) instead of just the described element itself. Doing otherwise makes no sense in some cases, which are: matching event types, condition and output fields, and used plugins

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

update(userspace/engine): modularize rule compiler, fix and enrich rule descriptions
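As an added illustration (not Falco's own engine code), a small Python resolver that shows what the "compiled" descriptions listed above amount to: list refs flattened, macro refs expanded into a rule condition, and condition fields collected across all referenced elements rather than just the described one. The ruleset, names and field syntax below are constructed for the example.

```python
import json
import re

# Constructed mini ruleset (not Falco's rules): lists may reference lists,
# macros may reference macros and lists, rules reference macros and lists.
RULESET = {
    "lists": {
        "shell_binaries": ["bash", "sh", "zsh"],
        "shells_and_editors": ["shell_binaries", "vi", "nano"],
    },
    "macros": {
        "spawned_process": "evt.type = execve and evt.dir = <",
        "shell_spawned": "spawned_process and proc.name in (shells_and_editors)",
    },
    "rules": {"Shell in container": "shell_spawned and container.id != host"},
}

# Identifier tokens keep dots so that "evt.type" is one token, not two.
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_.]*")

def compile_list(name, lists, seen=()):
    """Flatten a list, resolving nested list refs; reject reference cycles."""
    if name in seen:
        raise ValueError(f"list reference cycle at {name}")
    out = []
    for item in lists[name]:
        out.extend(compile_list(item, lists, seen + (name,)) if item in lists else [item])
    return out

def compile_condition(cond, macros, lists, seen=()):
    """Expand macro refs (parenthesized) and list refs inside a condition."""
    def sub(m):
        tok = m.group(0)
        if tok in macros:
            if tok in seen:
                raise ValueError(f"macro reference cycle at {tok}")
            return "(" + compile_condition(macros[tok], macros, lists, seen + (tok,)) + ")"
        if tok in lists:
            return ", ".join(compile_list(tok, lists))
        return tok
    return IDENT.sub(sub, cond)

def condition_fields(compiled):
    """Fields used by a compiled condition, i.e. across all referenced elements."""
    return sorted({t for t in IDENT.findall(compiled) if "." in t})

def describe(rs):
    """JSON-style description with compiled lists, macros and rules."""
    lists, macros = rs["lists"], rs["macros"]
    comp = lambda c: compile_condition(c, macros, lists)
    return {
        "lists": {n: {"items_compiled": compile_list(n, lists)} for n in lists},
        "macros": {n: {"condition_compiled": comp(c), "fields": condition_fields(comp(c))} for n, c in macros.items()},
        "rules": {n: {"condition_compiled": comp(c), "fields": condition_fields(comp(c))} for n, c in rs["rules"].items()},
    }

if __name__ == "__main__":
    print(json.dumps(describe(RULESET), indent=2))
```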

@github-actions

This PR may bring feature or behavior changes in the Falco engine and may require the engine version to be bumped.

Please double check userspace/engine/falco_engine_version.h file. See versioning for FALCO_ENGINE_VERSION.

/hold

@jasondellaluce jasondellaluce changed the title update(userspace/engine) update(userspace/engine): modularize rule compiler, fix and enrich rule descriptions Sep 19, 2023
@jasondellaluce

This PR may bring feature or behavior changes in the Falco engine and may require the engine version to be bumped.

Please double check userspace/engine/falco_engine_version.h file. See versioning for FALCO_ENGINE_VERSION.

False alarm. No change visible to rulesets has been applied, just some changes in the internal machinery.

/unhold

@jasondellaluce

/milestone 0.37.0

@jasondellaluce

Supporting tests, for later: falcosecurity/testing#26

@FedeDP

FedeDP commented Sep 26, 2023

Can you rebase this one?

…ugins

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
@FedeDP FedeDP left a comment

/approve

@poiana poiana added the lgtm label Sep 28, 2023
@poiana

poiana commented Sep 28, 2023

LGTM label has been added.

Git tree hash: b252817869fdc3c3f4d62c47050d2c7d306436be

@Andreagit97 Andreagit97 left a comment


/approve

@poiana

poiana commented Sep 28, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Andreagit97, FedeDP, jasondellaluce

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [Andreagit97,FedeDP,jasondellaluce]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@poiana poiana merged commit d3e1a1f into master Sep 28, 2023
19 checks passed
@poiana poiana deleted the update/used-plugins-rules branch September 28, 2023 10:39