new(outputs): expose rule tags and event source in gRPC and json outputs

[jasondellaluce]

What type of PR is this?

/kind feature

Any specific area of the project related to this PR?

/area engine

What this PR does / why we need it:

1. Adds rule tags as a new field to the gRPC outputs service.
2. Adds rule tags and event source fields to the json outputs.
3. Updates the test suite to check that rule tags and event source are correctly retrievable through the gRPC api and through json outputs.

Which issue(s) this PR fixes:

Fixes #1647, #1713

Does this PR introduce a user-facing change?:

new(outputs): expose rule tags and event source in gRPC and json outputs

[poiana]

Welcome @jasondellaluce! It looks like this is your first PR to falcosecurity/falco 🎉

[leogr]

/milestone 0.30.0

[leogr]

Just found a spacing issue (see the comment below), otherwise LGTM!
Btw, great improvements, thank you! 👍

Note for reviewers: since the Lua code has been changed, to avoid a headache, make sure your local Falco's built is pointing to the correct Lua files 😺

[leogr]

cc @Issif

[leogr]

/approve

[poiana]

LGTM label has been added.

Git tree hash: e81a8c7a4fb3ef9c28bf009a85e0f09c7f34c363

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jasondellaluce, leogr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [leogr]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[leodido]

Late to the party...

Have you folks considered making the output of the tags configurable?

The reason they were not there was also that, as far as I remember, the tags are not a mandatory part (while output is) of the Falco rule definitions.

Furthermore, a test covering such a scenario (no tags defined in the rule) would have been helpful to understand what's the resulting json in that case (empty array? other? valid json?).

[leodido]

Great job Jason!

Left two comments

[leodido]

Let's check what we end up with when a Falco rule does not have tags defined.

Do we obtain ...,"tags":[],... or not? I'd prefer a clean JSON, but that's my personal preference only :)

[leogr]

I don't have any preferences. Anyway, I agree with @leodido that a test covering such a scenario (especially for the JSON output format) would be really helpful to clarify the expected result.

[jasondellaluce]

Thank you for your review! I opened a PR to address these concerns, so we can eventually move this conversation there: #1733

[Issif]

I'm really happy of this PR, when Falco 0.30.0 is out, I'll update the format of json in Falcosidekick either 👍 .