Use common FalcoFinding with subtypes

gardener · Mar 4, 2025 · 72a243a · 72a243a
1 parent fbdd145
commit 72a243a
Showing 1 changed file with 14 additions and 4 deletions.
diff --git a/dso/model.py b/dso/model.py
@@ -586,7 +586,7 @@ class Cluster:
 
 
 @dataclasses.dataclass(frozen=True)
-class FalcoEventGroup(Finding):
+class FalcoEventGroup:
     """
     FalcoEventGroup represents a group of Falco events that are similar in
     nature. In almost all cases those are false posities and can be ignored.
@@ -621,7 +621,7 @@ def key(self) -> str:
 
 
 @dataclasses.dataclass(frozen=True)
-class FalcoDebugEventGroup(Finding):
+class FalcoDebugEventGroup:
     """
     Group of events that - most likely - are a result of a single debug
     session. It might however also be an indication of an attack. These
@@ -647,6 +647,17 @@ def key(self) -> str:
         return self.group_hash
 
 
+class FalcoFindingSubType(enum.StrEnum):
+    EVENT_GROUP = 'event-group'
+    DEBUG_EVENT_GROUP = 'debug-event-group'
+
+
+@dataclasses.dataclass(frozen=True)
+class FalcoFinding(Finding):
+    subtype: FalcoFindingSubType
+    finding: FalcoDebugEventGroup | FalcoEventGroup
+
+
 @dataclasses.dataclass
 class ArtefactMetadata:
     '''
@@ -676,8 +687,7 @@ class ArtefactMetadata:
         | OsID
         | CustomRescoring
         | ComplianceSnapshot
-        | FalcoEventGroup
-        | FalcoDebugEventGroup
+        | FalcoFinding
         | dict # fallback, there should be a type
     )
     discovery_date: datetime.date | None = None # required for finding specific SLA tracking