Falco event modeling #1175
Falco event modeling #1175
Conversation
gardener-robot
added
needs/review
|
please also adhere to linter-rules (see linked errors from linter-step). you can run linter locally using |
|
@marwinski You need rebase this pull request with latest master branch. Please check. |
gardener-robot
added
size/m
plus: make linter a bit happier
marwinski
force-pushed
the
falco_event_modeling
branch
from
57ee7fe to
fbdd145
Compare
dso/model.py
Outdated
| @@ -566,6 +676,8 @@ class ArtefactMetadata: | |||
| | OsID | |||
| | CustomRescoring | |||
| | ComplianceSnapshot | |||
| | FalcoEventGroup | |||
There was a problem hiding this comment.
I think it might be more adequate to group debug/non-debug events under one common artefact-metadata-type (you can of course have different subtypes handled within falco's odg-extension) - from ODG's pov, I think this discrimination is an unsignificant implementation detail.
in fact, you already use the same label for github-tracking-issues (which kind of shows you seem to see it the same way)
zkdev
force-pushed
the
falco_event_modeling
branch
from
72a243a to
9abf7e7
Compare
zkdev
force-pushed
the
falco_event_modeling
branch
from
9abf7e7 to
ebf895c
Compare
| @@ -89,6 +90,9 @@ def datasource_to_datatypes(datasource: str) -> tuple[str]: | |||
| Datatype.ARTEFACT_SCAN_INFO, | |||
| Datatype.DIKI_FINDING, | |||
| ), | |||
| Datasource.FALCO: ( | |||
| Datatype.FALCO_FINDING, | |||
There was a problem hiding this comment.
Does the falco extension not also emit Datatype.ARTEFACT_SCAN_INFO entries?
|
|
||
|
|
||
| @dataclasses.dataclass(frozen=True) | ||
| class ExceptionTemplate: |
There was a problem hiding this comment.
Why does this require a dedicated class? If this is intended to model an exception in general (i.e. it is likely that there are more attributes to be added in the future), I propose to rename this class to something like DikiException and only reflect template in the attribute's name (like it is done already).
| @dataclasses.dataclass(frozen=True) | ||
| class Node: | ||
| name: str | ||
| count: int |
There was a problem hiding this comment.
Out of curiosity (might as well be a candidate for a doc string), what does count count in the context of a node?
| class FalcoEventGroup: | ||
| ''' | ||
| FalcoEventGroup represents a group of Falco events that are similar in | ||
| nature. In almost all cases those are false posities and can be ignored. |
| :param count int: | ||
| number of events in this group. | ||
| :param group_hash str: | ||
| hash of the group (event fiields and values that form the group), |
| @@ -587,6 +711,7 @@ def from_dict(raw: dict): | |||
| SastSubType, | |||
| SastStatus, | |||
| MatchCondition, | |||
| FalcoPriority, | |||
There was a problem hiding this comment.
We'd also have to add FalcoFindingSubType here, however, can't we just cast all enums in general like so?
cast=[enum.Enum],
Release note: