Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

New transformer: join(<list>, <sep>) #1925

Open
Tracked by #3255
leogr opened this issue Jun 20, 2024 · 6 comments
Open
Tracked by #3255

New transformer: join(<list>, <sep>) #1925

leogr opened this issue Jun 20, 2024 · 6 comments
Assignees
@therealbobo
Labels
kind/feature New feature or request
Milestone
0.20.0

Comments

@leogr
Copy link
Member

leogr commented Jun 20, 2024

Motivation

Please take a look at this comment for context.

The join(<list>, <sep>) transformer concatenates the items of a list with a given separator. Its output can be utilized in two primary ways:

  1. In conditions for filtering.
  2. In the output: field of Falco's rule.

One significant use case is generating a string representation of the process lineage, such as join(proc.lineage, "->").

Feature

Implement the join(<list>, <sep>) function with the following specifications:

  • <list>: A list (i.e., a field with EPF_IS_LIST).
  • <sep>: A string used as a separator.

The transformer should return a concatenated string.

For example, join(proc.env, ";") would return something like SHELL=/bin/bash;SHELL_NEW=/bin/sh;PWD=/home/user HOME=/home/user.

Note: Implementing this transformer requires extending the current syntax to allow more than one argument.

Alternatives

An alternative is not to implement this transformer if all potential use cases can be achieved through other methods. However, implementing this general-purpose transformer could provide greater flexibility in both filtering and output. Therefore, there is no compelling reason not to implement this transformer.
@leogr leogr added the kind/feature New feature or request label Jun 20, 2024
@leogr leogr mentioned this issue Jun 20, 2024
Open
@incertum incertum mentioned this issue Jul 31, 2024
Open
@incertum incertum mentioned this issue Aug 8, 2024
Open
@leogr
Copy link
Member Author

leogr commented Aug 22, 2024

As discussed here, we are considering to place the <sep> as the first arg. i.e join(<sep>, <list>)

@incertum
Copy link
Contributor

/milestone 0.19.0

@poiana poiana added this to the 0.19.0 milestone Aug 28, 2024
@wangwillian0 wangwillian0 mentioned this issue Oct 30, 2024
Open
@FedeDP
Copy link
Contributor

FedeDP commented Nov 13, 2024

Perhaps we could also support join(string, sep) to fix #1981?

@FedeDP
Copy link
Contributor

FedeDP commented Nov 13, 2024

/milestone 0.20.0

@poiana poiana modified the milestones: 0.19.0, 0.20.0 Nov 13, 2024
@therealbobo
Copy link
Contributor

/assign

@leogr
Copy link
Member Author

leogr commented Nov 22, 2024

Perhaps we could also support join(string, sep) to fix #1981?

@FedeDP we should use concat instead, for that use case, see #2025

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@therealbobo therealbobo

Labels
kind/feature New feature or request
Projects
None yet
Milestone
0.20.0
Development

No branches or pull requests
5 participants
@leogr @FedeDP @incertum @therealbobo @poiana