chore(all): change all detect.Finding to pointers

Due to the change in the previous types commit, a mutex was added to the detect.Finding struct. In order not to break existing usage, the new mutex was added not as a pointer. This would cause a mutex copy almost everywhere, making the change ineffective. As such, the struct must be passed as a reference everywhere instead.
aquasecurity · Dec 31, 2023 · 5d7d6c7 · 5d7d6c7
1 parent e00fe43
commit 5d7d6c7
Show file tree

Hide file tree

Showing 97 changed files with 250 additions and 252 deletions.
diff --git a/cmd/tracee-rules/output.go b/cmd/tracee-rules/output.go
@@ -39,8 +39,8 @@ func setupTemplate(inputTemplateFile string) (*template.Template, error) {
 	}
 }
 
-func setupOutput(w io.Writer, webhook string, webhookTemplate string, contentType string, outputTemplate string) (chan detect.Finding, error) {
-	out := make(chan detect.Finding)
+func setupOutput(w io.Writer, webhook string, webhookTemplate string, contentType string, outputTemplate string) (chan *detect.Finding, error) {
+	out := make(chan *detect.Finding)
 	var err error
 
 	var tWebhook *template.Template
@@ -77,7 +77,7 @@ func setupOutput(w io.Writer, webhook string, webhookTemplate string, contentTyp
 	return out, nil
 }
 
-func sendToWebhook(t *template.Template, res detect.Finding, webhook string, webhookTemplate string, contentType string) error {
+func sendToWebhook(t *template.Template, res *detect.Finding, webhook string, webhookTemplate string, contentType string) error {
 	var payload string
 
 	switch {

diff --git a/cmd/tracee-rules/output_test.go b/cmd/tracee-rules/output_test.go
@@ -91,7 +91,7 @@ HostName: foobar.local
 			sm, err := signature.FakeSignature{}.GetMetadata()
 			require.NoError(t, err)
 
-			findingCh <- detect.Finding{
+			findingCh <- &detect.Finding{
 				Data: map[string]interface{}{
 					"foo1": "bar1, baz1",
 					"foo2": []string{"bar2", "baz2"},
@@ -165,7 +165,7 @@ func Test_sendToWebhook(t *testing.T) {
 			name:              "sad path, with an invalid template",
 			contentType:       "application/foo",
 			inputTemplateFile: "testdata/goldens/broken.tmpl",
-			expectedError:     `error writing to the template: template: broken.tmpl:1:3: executing "broken.tmpl" at <.InvalidField>: can't evaluate field InvalidField in type detect.Finding`,
+			expectedError:     `error writing to the template: template: broken.tmpl:1:3: executing "broken.tmpl" at <.InvalidField>: can't evaluate field InvalidField in type *detect.Finding`,
 		},
 		{
 			name:          "sad path, no --webhook-template flag specified",
@@ -194,7 +194,7 @@ func Test_sendToWebhook(t *testing.T) {
 			inputTemplate, _ := setupTemplate(tc.inputTemplateFile)
 
 			m, _ := tc.inputSignature.GetMetadata()
-			actualError := sendToWebhook(inputTemplate, detect.Finding{
+			actualError := sendToWebhook(inputTemplate, &detect.Finding{
 				Data: map[string]interface{}{
 					"foo1": "bar1, baz1",
 					"foo2": []string{"bar2", "baz2"},
@@ -221,12 +221,12 @@ func TestOutputTemplates(t *testing.T) {
 
 	testCases := []struct {
 		testName     string
-		finding      detect.Finding
+		finding      *detect.Finding
 		expectedJson string
 	}{
 		{
 			testName: "Should output finding as raw JSON",
-			finding: detect.Finding{
+			finding: &detect.Finding{
 				Data: map[string]interface{}{
 					"a": 123,
 					"b": "c",

diff --git a/cmd/tracee/cmd/analyze.go b/cmd/tracee/cmd/analyze.go
@@ -133,7 +133,7 @@ tracee analyze --events anti_debugging events.json`,
 		ctx, stop := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
 		defer stop()
 
-		engineOutput := make(chan detect.Finding)
+		engineOutput := make(chan *detect.Finding)
 		engineInput := make(chan protocol.Event)
 		producerFinished := make(chan interface{})
 
@@ -196,7 +196,7 @@ func produce(ctx context.Context, done chan interface{}, inputFile *os.File, eng
 	}
 }
 
-func process(finding detect.Finding) {
+func process(finding *detect.Finding) {
 	event, err := tracee.FindingToEvent(finding)
 	if err != nil {
 		logger.Fatalw("Failed to convert finding to event", "err", err)

diff --git a/pkg/ebpf/finding.go b/pkg/ebpf/finding.go
@@ -9,7 +9,7 @@ import (
 
 // FindingToEvent converts a detect.Finding into a trace.Event
 // This is used because the pipeline expects trace.Event, but the rule engine returns detect.Finding
-func FindingToEvent(f detect.Finding) (*trace.Event, error) {
+func FindingToEvent(f *detect.Finding) (*trace.Event, error) {
 	s, ok := f.Event.Payload.(trace.Event)
 
 	if !ok {
@@ -24,7 +24,7 @@ func FindingToEvent(f detect.Finding) (*trace.Event, error) {
 	return newEvent(int(eventDefID), f, s), nil
 }
 
-func newEvent(id int, f detect.Finding, e trace.Event) *trace.Event {
+func newEvent(id int, f *detect.Finding, e trace.Event) *trace.Event {
 	arguments := getArguments(f, e)
 	metadata := getMetadataFromSignatureMetadata(f.SigMetadata)
 
@@ -65,7 +65,7 @@ func newEvent(id int, f detect.Finding, e trace.Event) *trace.Event {
 	}
 }
 
-func getArguments(f detect.Finding, triggerEvent trace.Event) []trace.Argument {
+func getArguments(f *detect.Finding, triggerEvent trace.Event) []trace.Argument {
 	arguments := make([]trace.Argument, 0, len(f.Data))
 
 	for k, v := range f.Data {

diff --git a/pkg/ebpf/finding_test.go b/pkg/ebpf/finding_test.go
@@ -100,7 +100,7 @@ func TestFindingToEvent(t *testing.T) {
 	}
 
 	finding := createFakeEventAndFinding()
-	got, err := FindingToEvent(finding)
+	got, err := FindingToEvent(&finding)
 
 	assert.NoError(t, err)
 

diff --git a/pkg/ebpf/signature_engine.go b/pkg/ebpf/signature_engine.go
@@ -19,7 +19,7 @@ func (t *Tracee) engineEvents(ctx context.Context, in <-chan *trace.Event) (<-ch
 	out := make(chan *trace.Event)
 	errc := make(chan error, 1)
 
-	engineOutput := make(chan detect.Finding, 10000)
+	engineOutput := make(chan *detect.Finding, 10000)
 	engineInput := make(chan protocol.Event, 10000)
 	engineOutputEvents := make(chan *trace.Event, 10000)
 	source := engine.EventSources{Tracee: engineInput}

diff --git a/pkg/server/grpc/event_data.go b/pkg/server/grpc/event_data.go
@@ -768,10 +768,10 @@ func convertPktMeta(v *trace.PktMeta) (*pb.EventValue, error) {
 }
 
 func convertToStruct(arg trace.Argument) (*pb.EventValue, error) {
-	i, ok := arg.Value.(detect.FindingData)
+	i, ok := arg.Value.(detect.FindingDataStruct)
 	if !ok {
 		logger.Errorw(
-			"Can't convert event argument. Please add it as a GRPC event data type or implement detect.FindingData interface.",
+			"Can't convert event argument. Please add it as a GRPC event data type or implement detect.FindingDataStruct interface.",
 			"name",
 			arg.Name,
 			"type",

diff --git a/pkg/signatures/benchmark/benchmark_test.go b/pkg/signatures/benchmark/benchmark_test.go
@@ -82,7 +82,7 @@ func BenchmarkEngineWithCodeInjectionSignature(b *testing.B) {
 				// Produce events without timing it
 				b.StopTimer()
 				inputs := ProduceEventsInMemory(inputEventsCount)
-				output := make(chan detect.Finding, inputEventsCount)
+				output := make(chan *detect.Finding, inputEventsCount)
 
 				s, err := bc.sigFunc()
 				require.NoError(b, err, bc.name)
@@ -132,7 +132,7 @@ func BenchmarkEngineWithMultipleSignatures(b *testing.B) {
 				// Produce events without timing it
 				b.StopTimer()
 				inputs := ProduceEventsInMemory(inputEventsCount)
-				output := make(chan detect.Finding, inputEventsCount*len(sigs))
+				output := make(chan *detect.Finding, inputEventsCount*len(sigs))
 
 				config := engine.Config{
 					Signatures: sigs,
@@ -190,7 +190,7 @@ func BenchmarkEngineWithNSignatures(b *testing.B) {
 					// Produce events without timing it
 					b.StopTimer()
 					inputs := ProduceEventsInMemory(inputEventsCount)
-					output := make(chan detect.Finding, inputEventsCount*len(sigs))
+					output := make(chan *detect.Finding, inputEventsCount*len(sigs))
 
 					config := engine.Config{
 						Signatures: sigs,
@@ -222,6 +222,6 @@ func waitForEventsProcessed(eventsCh chan protocol.Event) context.Context {
 	return ctx
 }
 
-func ignoreFinding(_ detect.Finding) {
+func ignoreFinding(_ *detect.Finding) {
 	// noop
 }
diff --git a/pkg/signatures/benchmark/signature/golang/anti_debugging.go b/pkg/signatures/benchmark/signature/golang/anti_debugging.go
@@ -60,7 +60,7 @@ func (sig *antiDebugging) OnEvent(event protocol.Event) error {
 	if requestString != "PTRACE_TRACEME" {
 		return nil
 	}
-	sig.cb(detect.Finding{
+	sig.cb(&detect.Finding{
 		SigMetadata: sig.metadata,
 		Event:       event,
 		Data: map[string]interface{}{

diff --git a/pkg/signatures/benchmark/signature/golang/code_injection.go b/pkg/signatures/benchmark/signature/golang/code_injection.go
@@ -75,7 +75,7 @@ func (sig *codeInjection) OnEvent(event protocol.Event) error {
 				return err
 			}
 			if sig.processMemFileRegexp.MatchString(pathname.Value.(string)) {
-				sig.cb(detect.Finding{
+				sig.cb(&detect.Finding{
 					// Signature: sig,
 					SigMetadata: sig.metadata,
 					Event:       event,
@@ -93,7 +93,7 @@ func (sig *codeInjection) OnEvent(event protocol.Event) error {
 		}
 		requestString := request.Value.(string)
 		if requestString == "PTRACE_POKETEXT" || requestString == "PTRACE_POKEDATA" {
-			sig.cb(detect.Finding{
+			sig.cb(&detect.Finding{
 				// Signature: sig,
 				SigMetadata: sig.metadata,
 				Event:       event,
@@ -116,7 +116,7 @@ func (sig *codeInjection) OnEvent(event protocol.Event) error {
 		//			if err != nil {
 		//				return err
 		//			}
-		//			sig.cb(detect.Finding{
+		//			sig.cb(&detect.Finding{
 		// Signature: sig,
 		//				SigMetadata: sig.metadata,
 		//				Payload:     ee,

diff --git a/pkg/signatures/engine/engine.go b/pkg/signatures/engine/engine.go
@@ -41,7 +41,7 @@ type Engine struct {
 	signaturesIndex  map[detect.SignatureEventSelector][]detect.Signature
 	signaturesMutex  sync.RWMutex
 	inputs           EventSources
-	output           chan detect.Finding
+	output           chan *detect.Finding
 	waitGroup        sync.WaitGroup
 	config           Config
 	stats            metrics.Stats
@@ -61,7 +61,7 @@ func (engine *Engine) Stats() *metrics.Stats {
 // NewEngine creates a new signatures-engine with the given arguments
 // inputs and outputs are given as channels created by the consumer
 // Signatures are not loaded at this point, Init must be called to perform config side effects.
-func NewEngine(config Config, sources EventSources, output chan detect.Finding) (*Engine, error) {
+func NewEngine(config Config, sources EventSources, output chan *detect.Finding) (*Engine, error) {
 	if sources.Tracee == nil || output == nil {
 		return nil, fmt.Errorf("nil input received")
 	}
@@ -143,7 +143,7 @@ func (engine *Engine) unloadAllSignatures() {
 }
 
 // matchHandler is a function that runs when a signature is matched
-func (engine *Engine) matchHandler(res detect.Finding) {
+func (engine *Engine) matchHandler(res *detect.Finding) {
 	_ = engine.stats.Detections.Increment()
 	engine.output <- res
 }

diff --git a/pkg/signatures/engine/engine_test.go b/pkg/signatures/engine/engine_test.go
@@ -313,7 +313,7 @@ func TestEngine_ConsumeSources(t *testing.T) {
 			ctx, cancel := context.WithCancel(context.Background())
 			inputs := EventSources{}
 			inputs.Tracee = make(chan protocol.Event, 1)
-			outputChan := make(chan detect.Finding, 1)
+			outputChan := make(chan *detect.Finding, 1)
 
 			defer func() {
 				// signal the end
@@ -423,7 +423,7 @@ func TestEngine_GetSelectedEvents(t *testing.T) {
 	}
 
 	config := Config{Signatures: sigs}
-	e, err := NewEngine(config, EventSources{Tracee: make(chan protocol.Event)}, make(chan detect.Finding))
+	e, err := NewEngine(config, EventSources{Tracee: make(chan protocol.Event)}, make(chan *detect.Finding))
 	require.NoError(t, err, "constructing engine")
 
 	err = e.Init()
@@ -476,7 +476,7 @@ func TestEngine_LoadSignature(t *testing.T) {
 			source := EventSources{
 				Tracee: input,
 			}
-			output := make(chan detect.Finding)
+			output := make(chan *detect.Finding)
 			engine, err := NewEngine(Config{}, source, output)
 			require.NoError(t, err)
 

diff --git a/pkg/signatures/regosig/aio.go b/pkg/signatures/regosig/aio.go
@@ -209,14 +209,14 @@ func (a *aio) OnEvent(event protocol.Event) error {
 		switch v := value.(type) {
 		case bool:
 			if v {
-				a.cb(detect.Finding{
+				a.cb(&detect.Finding{
 					Data:        nil,
 					Event:       event,
 					SigMetadata: a.sigIDToMetadata[sigID],
 				})
 			}
 		case map[string]interface{}:
-			a.cb(detect.Finding{
+			a.cb(&detect.Finding{
 				Data:        v,
 				Event:       event,
 				SigMetadata: a.sigIDToMetadata[sigID],

diff --git a/pkg/signatures/regosig/aio_test.go b/pkg/signatures/regosig/aio_test.go
@@ -100,7 +100,7 @@ func AioOnEventSpec(t *testing.T, target string, partial bool) {
 		modules map[string]string
 		event   trace.Event
 		// findings are grouped by signature identifier for comparison
-		findings  map[string]detect.Finding
+		findings  map[string]*detect.Finding
 		wantError string
 	}{
 		{
@@ -119,7 +119,7 @@ func AioOnEventSpec(t *testing.T, target string, partial bool) {
 					},
 				},
 			},
-			findings: map[string]detect.Finding{
+			findings: map[string]*detect.Finding{
 				"TRC-BOOL": {
 					Data: nil,
 					Event: trace.Event{
@@ -172,7 +172,7 @@ func AioOnEventSpec(t *testing.T, target string, partial bool) {
 					},
 				},
 			},
-			findings: map[string]detect.Finding{
+			findings: map[string]*detect.Finding{
 				"TRC-OBJECT": {
 					Data: map[string]interface{}{
 						"p1": "test",

diff --git a/pkg/signatures/regosig/traceerego.go b/pkg/signatures/regosig/traceerego.go
@@ -168,14 +168,14 @@ func (sig *RegoSignature) OnEvent(event protocol.Event) error {
 		switch v := results[0].Expressions[0].Value.(type) {
 		case bool:
 			if v {
-				sig.cb(detect.Finding{
+				sig.cb(&detect.Finding{
 					Data:        nil,
 					Event:       event,
 					SigMetadata: sig.metadata,
 				})
 			}
 		case map[string]interface{}:
-			sig.cb(detect.Finding{
+			sig.cb(&detect.Finding{
 				Data:        v,
 				Event:       event,
 				SigMetadata: sig.metadata,

diff --git a/signatures/golang/anti_debugging_ptraceme.go b/signatures/golang/anti_debugging_ptraceme.go
@@ -62,7 +62,7 @@ func (sig *AntiDebuggingPtraceme) OnEvent(event protocol.Event) error {
 			if err != nil {
 				return err
 			}
-			sig.cb(detect.Finding{
+			sig.cb(&detect.Finding{
 				SigMetadata: metadata,
 				Event:       event,
 				Data:        nil,

diff --git a/signatures/golang/anti_debugging_ptraceme_test.go b/signatures/golang/anti_debugging_ptraceme_test.go
@@ -17,7 +17,7 @@ func TestAntiDebuggingPtraceme(t *testing.T) {
 	testCases := []struct {
 		Name     string
 		Events   []trace.Event
-		Findings map[string]detect.Finding
+		Findings map[string]*detect.Finding
 	}{
 		{
 			Name: "should trigger detection",
@@ -34,7 +34,7 @@ func TestAntiDebuggingPtraceme(t *testing.T) {
 					},
 				},
 			},
-			Findings: map[string]detect.Finding{
+			Findings: map[string]*detect.Finding{
 				"TRC-102": {
 					Data: nil,
 					Event: trace.Event{
@@ -81,7 +81,7 @@ func TestAntiDebuggingPtraceme(t *testing.T) {
 					},
 				},
 			},
-			Findings: map[string]detect.Finding{},
+			Findings: map[string]*detect.Finding{},
 		},
 	}
 

diff --git a/signatures/golang/aslr_inspection.go b/signatures/golang/aslr_inspection.go
@@ -67,7 +67,7 @@ func (sig *AslrInspection) OnEvent(event protocol.Event) error {
 			if err != nil {
 				return err
 			}
-			sig.cb(detect.Finding{
+			sig.cb(&detect.Finding{
 				SigMetadata: metadata,
 				Event:       event,
 				Data:        nil,