diff --git a/dso/model.py b/dso/model.py index 25d905118..943bfa9f4 100644 --- a/dso/model.py +++ b/dso/model.py @@ -92,7 +92,6 @@ def datasource_to_datatypes(datasource: str) -> tuple[str]: ), Datasource.FALCO: ( Datatype.FALCO_FINDING, - Datatype.FALCO_DEBUG_SESSION, ), }[datasource] @@ -241,7 +240,6 @@ class Datatype: COMPLIANCE_SNAPSHOTS = 'compliance/snapshots' ARTEFACT_SCAN_INFO = 'meta/artefact_scan_info' FALCO_FINDING = 'finding/falco' - FALCO_DEBUG_SESSION = 'finding/falco_debug_session' @staticmethod def datatype_to_datasource(datatype: str) -> str: @@ -254,7 +252,6 @@ def datatype_to_datasource(datatype: str) -> str: Datatype.DIKI_FINDING: Datasource.DIKI, Datatype.SAST_FINDING: Datasource.SAST, Datatype.FALCO_FINDING: Datasource.FALCO, - Datatype.FALCO_DEBUG_SESSION: Datasource.FALCO, }[datatype] @@ -586,34 +583,37 @@ class Cluster: @dataclasses.dataclass(frozen=True) -class FalcoEventGroup(Finding): - """ +class FalcoEventGroup: + ''' FalcoEventGroup represents a group of Falco events that are similar in nature. In almost all cases those are false posities and can be ignored. Falco exceptions can be defined but they can be silenced here. - """ + + :param count int: + number of events in this group. + :param group_hash str: + hash of the group (event fiields and values that form the group), + can be reconstructed from a sample event and the fields property. + :param fields dict[str, str]: + Identical fields that form the group + :param events list[FalcoEvent]: + list of events in this group (possibly truncated). + :param exception ExceptionTemplate: + exception template for this group + ''' message: str clusters: list[Cluster] landscape: str project: str rule: str priority: FalcoPriority - """Falco priority, one of EMERGENCY, ALERT, CRITICAL, ERROR, WARNING, - NOTICE, INFORMATIONAL, DEBUG - """ first_event: datetime.datetime last_event: datetime.datetime count: int - """number of events in this group""" group_hash: str - """hash of the group (event fiields and values that form the group), - can be reconstructed from a sample event and the fields property.""" fields: dict[str, str] - """Identical fields that form the group""" events: list[FalcoEvent] - """list of events in this group (possibly truncated).""" exception: ExceptionTemplate - """exception template for this group""" @property def key(self) -> str: @@ -621,32 +621,45 @@ def key(self) -> str: @dataclasses.dataclass(frozen=True) -class FalcoDebugEventGroup(Finding): - """ +class FalcoDebugEventGroup: + ''' Group of events that - most likely - are a result of a single debug session. It might however also be an indication of an attack. These events must be reviewed and ideally be linked to some legal activity. - """ + + :param group_hash str: + reproducible group hash to avoid double reporting should the reporting + job run multiple times on the same data. + :param events list[FalcoEvent]: + List of all events. The goal is not to truncate this list but it might + have to be done if it gets too large. + ''' count: int cluster: str hostname: str project: str landscape: str group_hash: str - """reproducible group hash to avoid double reporting should the reporting - job run multiple times on the same data.""" first_event: datetime.datetime last_event: datetime.datetime events: list[FalcoEvent] - """ List of all events. The goal is not to truncate this list but it might - have to be done if it gets too large. - """ @property def key(self) -> str: return self.group_hash +class FalcoFindingSubType(enum.StrEnum): + EVENT_GROUP = 'event-group' + DEBUG_EVENT_GROUP = 'debug-event-group' + + +@dataclasses.dataclass(frozen=True) +class FalcoFinding(Finding): + subtype: FalcoFindingSubType + finding: FalcoDebugEventGroup | FalcoEventGroup + + @dataclasses.dataclass class ArtefactMetadata: ''' @@ -676,8 +689,7 @@ class ArtefactMetadata: | OsID | CustomRescoring | ComplianceSnapshot - | FalcoEventGroup - | FalcoDebugEventGroup + | FalcoFinding | dict # fallback, there should be a type ) discovery_date: datetime.date | None = None # required for finding specific SLA tracking