Use common FalcoFinding with subtypes

dso/model.py

@@ -92,7 +92,6 @@ def datasource_to_datatypes(datasource: str) -> tuple[str]:
             ),
             Datasource.FALCO: (
                 Datatype.FALCO_FINDING,
-                Datatype.FALCO_DEBUG_SESSION,
             ),
         }[datasource]
 
@@ -241,7 +240,6 @@ class Datatype:
     COMPLIANCE_SNAPSHOTS = 'compliance/snapshots'
     ARTEFACT_SCAN_INFO = 'meta/artefact_scan_info'
     FALCO_FINDING = 'finding/falco'
-    FALCO_DEBUG_SESSION = 'finding/falco_debug_session'
 
     @staticmethod
     def datatype_to_datasource(datatype: str) -> str:
@@ -254,7 +252,6 @@ def datatype_to_datasource(datatype: str) -> str:
             Datatype.DIKI_FINDING: Datasource.DIKI,
             Datatype.SAST_FINDING: Datasource.SAST,
             Datatype.FALCO_FINDING: Datasource.FALCO,
-            Datatype.FALCO_DEBUG_SESSION: Datasource.FALCO,
         }[datatype]
 
 
@@ -586,67 +583,83 @@ class Cluster:
 
 
 @dataclasses.dataclass(frozen=True)
-class FalcoEventGroup(Finding):
-    """
+class FalcoEventGroup:
+    '''
     FalcoEventGroup represents a group of Falco events that are similar in
     nature. In almost all cases those are false posities and can be ignored.
     Falco exceptions can be defined but they can be silenced here.
-    """
+
+    :param count int:
+        number of events in this group.
+    :param group_hash str:
+        hash of the group (event fiields and values that form the group),
+        can be reconstructed from a sample event and the fields property.
+    :param fields dict[str, str]:
+        Identical fields that form the group
+    :param events list[FalcoEvent]:
+        list of events in this group (possibly truncated).
+    :param exception ExceptionTemplate:
+        exception template for this group
+    '''
     message: str
     clusters: list[Cluster]
     landscape: str
     project: str
     rule: str
     priority: FalcoPriority
-    """Falco priority, one of EMERGENCY, ALERT, CRITICAL, ERROR, WARNING,
-    NOTICE, INFORMATIONAL, DEBUG
-    """
     first_event: datetime.datetime
     last_event: datetime.datetime
     count: int
-    """number of events in this group"""
     group_hash: str
-    """hash of the group (event fiields and values that form the group),
-    can be reconstructed from a sample event and the fields property."""
     fields: dict[str, str]
-    """Identical fields that form the group"""
     events: list[FalcoEvent]
-    """list of events in this group (possibly truncated)."""
     exception: ExceptionTemplate
-    """exception template for this group"""
 
     @property
     def key(self) -> str:
         return self.group_hash
 
 
 @dataclasses.dataclass(frozen=True)
-class FalcoDebugEventGroup(Finding):
-    """
+class FalcoDebugEventGroup:
+    '''
     Group of events that - most likely - are a result of a single debug
     session. It might however also be an indication of an attack. These
     events must be reviewed and ideally be linked to some legal activity.
-    """
+
+    :param group_hash str:
+        reproducible group hash to avoid double reporting should the reporting
+        job run multiple times on the same data.
+    :param events list[FalcoEvent]:
+        List of all events. The goal is not to truncate this list but it might
+        have to be done if it gets too large.
+    '''
     count: int
     cluster: str
     hostname: str
     project: str
     landscape: str
     group_hash: str
-    """reproducible group hash to avoid double reporting should the reporting
-    job run multiple times on the same data."""
     first_event: datetime.datetime
     last_event: datetime.datetime
     events: list[FalcoEvent]
-    """ List of all events. The goal is not to truncate this list but it might
-    have to be done if it gets too large.
-    """
 
     @property
     def key(self) -> str:
         return self.group_hash
 
 
+class FalcoFindingSubType(enum.StrEnum):
+    EVENT_GROUP = 'event-group'
+    DEBUG_EVENT_GROUP = 'debug-event-group'
+
+
+@dataclasses.dataclass(frozen=True)
+class FalcoFinding(Finding):
+    subtype: FalcoFindingSubType
+    finding: FalcoDebugEventGroup | FalcoEventGroup
+
+
 @dataclasses.dataclass
 class ArtefactMetadata:
     '''
@@ -676,8 +689,7 @@ class ArtefactMetadata:
         | OsID
         | CustomRescoring
         | ComplianceSnapshot
-        | FalcoEventGroup
-        | FalcoDebugEventGroup
+        | FalcoFinding
         | dict # fallback, there should be a type
     )
     discovery_date: datetime.date | None = None # required for finding specific SLA tracking