falcosecurity · poiana · Dec 2, 2023 · Nov 20, 2023 · Nov 20, 2023 · Nov 20, 2023
diff --git a/submodules/falcosecurity-testing b/submodules/falcosecurity-testing
diff --git a/userspace/engine/falco_engine.cpp b/userspace/engine/falco_engine.cpp
@@ -505,17 +505,17 @@ std::size_t falco_engine::add_source(const std::string &source,
 	return m_sources.insert(src, source);
 }
 
-template <typename T> inline Json::Value sequence_to_json_array(const T& seq)
+template <typename T> inline nlohmann::json sequence_to_json_array(const T& seq)
 {
-	Json::Value ret = Json::arrayValue;
-	for (auto it = seq.begin(); it != seq.end(); it++)
+	nlohmann::json ret = nlohmann::json::array();
+	for (const auto& v : seq)
 	{
-		ret.append(*it);
+		ret.push_back(v);
 	}
 	return ret;
 }
 
-void falco_engine::describe_rule(std::string *rule, const std::vector<std::shared_ptr<sinsp_plugin>>& plugins, bool json) const
+nlohmann::json falco_engine::describe_rule(std::string *rule, const std::vector<std::shared_ptr<sinsp_plugin>>& plugins) const
 {
 	// use previously-loaded collector definitions and the compiled
 	// output of rules, macros, and lists.
@@ -524,103 +524,69 @@ void falco_engine::describe_rule(std::string *rule, const std::vector<std::share
 		throw falco_exception("rules most be loaded before describing them");
 	}
 
-	if(!json)
-	{
-		static const char *rule_fmt = "%-50s %s\n";
-		fprintf(stdout, rule_fmt, "Rule", "Description");
-		fprintf(stdout, rule_fmt, "----", "-----------");
-		if(!rule)
-		{
-			for(auto &r : m_rules)
-			{
-				auto str = falco::utils::wrap_text(r.description, 51, 110) + "\n";
-				fprintf(stdout, rule_fmt, r.name.c_str(), str.c_str());
-			}
-		}
-		else
-		{
-			auto r = m_rules.at(*rule);
-			if(r == nullptr)
-			{
-				return;
-			}
-			auto str = falco::utils::wrap_text(r->description, 51, 110) + "\n";
-			fprintf(stdout, rule_fmt, r->name.c_str(), str.c_str());
-		}
-
-		return;
-	}
-
 	// use collected and compiled info to print a json output
-	Json::FastWriter writer;
-	std::string json_str;
+	nlohmann::json output;
 	if(!rule)
 	{
-		// In this case we build json information about
-		// all rules, macros and lists
-		Json::Value output;
-
 		// Store required engine version
 		auto required_engine_version = m_rule_collector.required_engine_version();
 		output["required_engine_version"] = required_engine_version.version.as_string();
 
 		// Store required plugin versions
-		Json::Value plugin_versions = Json::arrayValue;
+		nlohmann::json plugin_versions = nlohmann::json::array();
 		auto required_plugin_versions = m_rule_collector.required_plugin_versions();
 		for(const auto& req : required_plugin_versions)
 		{
-			Json::Value r;
+			nlohmann::json r;
 			r["name"] = req.at(0).name;
 			r["version"] = req.at(0).version;
 
-			Json::Value alternatives = Json::arrayValue;
+			nlohmann::json alternatives = nlohmann::json::array();
 			for(size_t i = 1; i < req.size(); i++)
 			{
-				Json::Value alternative;
+				nlohmann::json alternative;
 				alternative["name"] = req[i].name;
 				alternative["version"] = req[i].version;
-				alternatives.append(alternative);
+				alternatives.push_back(std::move(alternative));
 			}
-			r["alternatives"] = alternatives;
+			r["alternatives"] = std::move(alternatives);
 
-			plugin_versions.append(r);
+			plugin_versions.push_back(std::move(r));
 		}
-		output["required_plugin_versions"] = plugin_versions;
+		output["required_plugin_versions"] = std::move(plugin_versions);
 
 		// Store information about rules
-		Json::Value rules_array = Json::arrayValue;
+		nlohmann::json rules_array = nlohmann::json::array();
 		for(const auto& r : m_last_compile_output->rules)
 		{
 			auto info = m_rule_collector.rules().at(r.name);
-			Json::Value rule;
+			nlohmann::json rule;
 			get_json_details(rule, r, *info, plugins);
-			rules_array.append(rule);
+			rules_array.push_back(std::move(rule));
 		}
-		output["rules"] = rules_array;
+		output["rules"] = std::move(rules_array);
 
 		// Store information about macros
-		Json::Value macros_array = Json::arrayValue;
+		nlohmann::json macros_array = nlohmann::json::array();
 		for(const auto &m : m_last_compile_output->macros)
 		{
 			auto info = m_rule_collector.macros().at(m.name);
-			Json::Value macro;
+			nlohmann::json macro;
 			get_json_details(macro, m, *info, plugins);
-			macros_array.append(macro);
+			macros_array.push_back(std::move(macro));
 		}
-		output["macros"] = macros_array;
+		output["macros"] = std::move(macros_array);
 
 		// Store information about lists 
-		Json::Value lists_array = Json::arrayValue;
+		nlohmann::json lists_array = nlohmann::json::array();
 		for(const auto &l : m_last_compile_output->lists)
 		{
 			auto info = m_rule_collector.lists().at(l.name);
-			Json::Value list;
+			nlohmann::json list;
 			get_json_details(list, l, *info, plugins);
-			lists_array.append(list);			
+			lists_array.push_back(std::move(list));			
 		}
-		output["lists"] = lists_array;
-
-		json_str = writer.write(output);
+		output["lists"] = std::move(lists_array);
 	}
 	else
 	{
@@ -631,32 +597,35 @@ void falco_engine::describe_rule(std::string *rule, const std::vector<std::share
 			throw falco_exception("Rule \"" + *rule + "\" is not loaded");
 		}
 		auto r = m_rules.at(ri->name);
-		Json::Value rule; 
+
+		nlohmann::json rule;
 		get_json_details(rule, *r, *ri, plugins);
-		json_str = writer.write(rule);
+		nlohmann::json rules_array = nlohmann::json::array();
+		rules_array.push_back(std::move(rule));
+		output["rules"] = std::move(rules_array);
 	}
 
-	fprintf(stdout, "%s", json_str.c_str());
+	return output;
 }
 
 void falco_engine::get_json_details(
-	Json::Value &out,
+	nlohmann::json &out,
 	const falco_rule &r,
 	const rule_loader::rule_info &info,
 	const std::vector<std::shared_ptr<sinsp_plugin>>& plugins) const
 {
-	Json::Value rule_info;
+	nlohmann::json rule_info;
 
 	// Fill general rule information
 	rule_info["name"] = r.name;
 	rule_info["condition"] = info.cond;
-	rule_info["priority"] = format_priority(r.priority, false);
+	rule_info["priority"] = std::move(format_priority(r.priority, false));
 	rule_info["output"] = info.output;
 	rule_info["description"] = r.description;
 	rule_info["enabled"] = info.enabled;
 	rule_info["source"] = r.source;
-	rule_info["tags"] = sequence_to_json_array(info.tags);
-	out["info"] = rule_info;
+	rule_info["tags"] = std::move(sequence_to_json_array(info.tags));
+	out["info"] = std::move(rule_info);
 
 	// Parse rule condition and build the non-compiled AST
 	// Assumption: no error because rules have already been loaded.
@@ -665,7 +634,7 @@ void falco_engine::get_json_details(
 	// get details related to the condition's filter
 	filter_details details;
 	filter_details compiled_details;
-	Json::Value json_details;
+	nlohmann::json json_details;
 	for(const auto &m : m_rule_collector.macros())
 	{
 		details.known_macros.insert(m.name);
@@ -679,19 +648,19 @@ void falco_engine::get_json_details(
 	filter_details_resolver().run(ast.get(), details);
 	filter_details_resolver().run(r.condition.get(), compiled_details);
 
-	out["details"]["macros"] = sequence_to_json_array(details.macros);
-	out["details"]["lists"] = sequence_to_json_array(details.lists);
-	out["details"]["condition_operators"] = sequence_to_json_array(compiled_details.operators);
-	out["details"]["condition_fields"] = sequence_to_json_array(compiled_details.fields);
+	out["details"]["macros"] = std::move(sequence_to_json_array(details.macros));
+	out["details"]["lists"] = std::move(sequence_to_json_array(details.lists));
+	out["details"]["condition_operators"] = std::move(sequence_to_json_array(compiled_details.operators));
+	out["details"]["condition_fields"] = std::move(sequence_to_json_array(compiled_details.fields));
 
 	// Get fields from output string
 	auto fmt = create_formatter(r.source, r.output);
 	std::vector<std::string> out_fields;
 	fmt->get_field_names(out_fields);
-	out["details"]["output_fields"] = sequence_to_json_array(out_fields);
+	out["details"]["output_fields"] = std::move(sequence_to_json_array(out_fields));
 
 	// Get fields from exceptions
-	out["details"]["exception_fields"] = sequence_to_json_array(r.exception_fields);
+	out["details"]["exception_fields"] = std::move(sequence_to_json_array(r.exception_fields));
 
 	// Get names and operators from exceptions
 	std::unordered_set<std::string> exception_names;
@@ -722,42 +691,42 @@ void falco_engine::get_json_details(
 			exception_operators.insert(e.comps.item);
 		}	
 	}
-	out["details"]["exception_names"] = sequence_to_json_array(exception_names);
-	out["details"]["exception_operators"] = sequence_to_json_array(exception_operators);
+	out["details"]["exception_names"] = std::move(sequence_to_json_array(exception_names));
+	out["details"]["exception_operators"] = std::move(sequence_to_json_array(exception_operators));
 
 	// Store event types
-	Json::Value events;
+	nlohmann::json events;
 	get_json_evt_types(events, info.source, r.condition.get());
-	out["details"]["events"] = events;
+	out["details"]["events"] = std::move(events);
 
 	// Store compiled condition and output
-	out["details"]["condition_compiled"] = libsinsp::filter::ast::as_string(r.condition.get());
+	out["details"]["condition_compiled"] = std::move(libsinsp::filter::ast::as_string(r.condition.get()));
 	out["details"]["output_compiled"] = r.output;
 
 	// Compute the plugins that are actually used by this rule. This is involves:
 	// - The rule's event source, that can be implemented by a plugin
 	// - The fields used in the rule's condition, output, and exceptions
 	// - The evt types used in the rule's condition checks, that can potentially
 	//   match plugin-provided async events
-	Json::Value used_plugins;
+	nlohmann::json used_plugins;
 	// note: making a union of conditions's and output's fields
 	// note: the condition's AST accounts for all the resolved refs and exceptions
 	compiled_details.fields.insert(out_fields.begin(), out_fields.end());
 	get_json_used_plugins(used_plugins, info.source, compiled_details.evtnames, compiled_details.fields, plugins);
-	out["details"]["plugins"] = used_plugins;
+	out["details"]["plugins"] = std::move(used_plugins);
 }
 
 void falco_engine::get_json_details(
-	Json::Value& out,
+	nlohmann::json& out,
 	const falco_macro& m,
 	const rule_loader::macro_info& info,
 	const std::vector<std::shared_ptr<sinsp_plugin>>& plugins) const
 {
-	Json::Value macro_info;
+	nlohmann::json macro_info;
 
 	macro_info["name"] = m.name;
 	macro_info["condition"] = info.cond;
-	out["info"] = macro_info;
+	out["info"] = std::move(macro_info);
 
 	// Parse the macro condition and build the non-compiled AST
 	// Assumption: no exception because rules have already been loaded.
@@ -766,7 +735,7 @@ void falco_engine::get_json_details(
 	// get details related to the condition's filter
 	filter_details details;
 	filter_details compiled_details;
-	Json::Value json_details;
+	nlohmann::json json_details;
 	for(const auto &m : m_rule_collector.macros())
 	{
 		details.known_macros.insert(m.name);
@@ -781,39 +750,39 @@ void falco_engine::get_json_details(
 	filter_details_resolver().run(m.condition.get(), compiled_details);
 
 	out["details"]["used"] = m.used;
-	out["details"]["macros"] = sequence_to_json_array(details.macros);
-	out["details"]["lists"] = sequence_to_json_array(details.lists);
-	out["details"]["condition_operators"] = sequence_to_json_array(compiled_details.operators);
-	out["details"]["condition_fields"] = sequence_to_json_array(compiled_details.fields);
+	out["details"]["macros"] = std::move(sequence_to_json_array(details.macros));
+	out["details"]["lists"] = std::move(sequence_to_json_array(details.lists));
+	out["details"]["condition_operators"] = std::move(sequence_to_json_array(compiled_details.operators));
+	out["details"]["condition_fields"] = std::move(sequence_to_json_array(compiled_details.fields));
 
 	// Store event types
-	Json::Value events;
+	nlohmann::json events;
 	get_json_evt_types(events, "", m.condition.get());
-	out["details"]["events"] = events;
+	out["details"]["events"] = std::move(events);
 
 	// Store compiled condition
-	out["details"]["condition_compiled"] = libsinsp::filter::ast::as_string(m.condition.get());
+	out["details"]["condition_compiled"] = std::move(libsinsp::filter::ast::as_string(m.condition.get()));
 
 	// Compute the plugins that are actually used by this macro.
 	// Note: macros have no specific source, we need to set an empty list of used
 	// plugins because we can't be certain about their actual usage. For example,
 	// if a macro uses a plugin's field, we can't be sure which plugin actually
 	// is used until we resolve the macro ref in a rule providing a source for
 	// disambiguation.
-	out["details"]["plugins"] = Json::arrayValue;
+	out["details"]["plugins"] = std::move(nlohmann::json::array());
 }
 
 void falco_engine::get_json_details(
-	Json::Value& out,
+	nlohmann::json& out,
 	const falco_list& l,
 	const rule_loader::list_info& info,
 	const std::vector<std::shared_ptr<sinsp_plugin>>& plugins) const
 {
-	Json::Value list_info;
+	nlohmann::json list_info;
 	list_info["name"] = l.name;
 
 	// note: the syntactic definitions still has the list refs unresolved
-	Json::Value items = Json::arrayValue;
+	nlohmann::json items = nlohmann::json::array();
 	std::unordered_set<std::string> lists;
 	for(const auto &i : info.items)
 	{
@@ -825,19 +794,19 @@ void falco_engine::get_json_details(
 			lists.insert(i);
 			continue;
 		}
-		items.append(i);
+		items.push_back(std::move(i));
 	}
 
-	list_info["items"] = items;
-	out["info"] = list_info;
+	list_info["items"] = std::move(items);
+	out["info"] = std::move(list_info);
 	out["details"]["used"] = l.used;
-	out["details"]["lists"] = sequence_to_json_array(lists);
-	out["details"]["items_compiled"] = sequence_to_json_array(l.items);
-	out["details"]["plugins"] = Json::arrayValue; // always empty
+	out["details"]["lists"] = std::move(sequence_to_json_array(lists));
+	out["details"]["items_compiled"] = std::move(sequence_to_json_array(l.items));
+	out["details"]["plugins"] = std::move(nlohmann::json::array()); // always empty
 }
 
 void falco_engine::get_json_evt_types(
-	Json::Value& out,
+	nlohmann::json& out,
 	const std::string& source,
 	libsinsp::filter::ast::expr* ast) const
 {
@@ -860,7 +829,7 @@ void falco_engine::get_json_evt_types(
 }
 
 void falco_engine::get_json_used_plugins(
-	Json::Value& out,
+	nlohmann::json& out,
 	const std::string& source,
 	const std::unordered_set<std::string>& evtnames,
 	const std::unordered_set<std::string>& fields,
@@ -869,14 +838,17 @@ void falco_engine::get_json_used_plugins(
 	// note: condition and output fields may have an argument, so
 	// we need to isolate the field names
 	std::unordered_set<std::string> fieldnames;
-	for (auto f: fields)
+	for (const auto &f: fields)
 	{
 		auto argpos = f.find('[');
 		if (argpos != std::string::npos)
 		{
-			f = f.substr(0, argpos);
+			fieldnames.insert(f.substr(0, argpos));
+		}
+		else
+		{
+			fieldnames.insert(f);
 		}
-		fieldnames.insert(f);
 	}
 
 	std::unordered_set<std::string> used_plugins;