From 7d812d5fe888ce3da09fb7596feb8e3b9c5c2a8e Mon Sep 17 00:00:00 2001
From: Lorenzo Susini
Date: Thu, 2 Nov 2023 12:01:21 +0000
Subject: [PATCH 1/2] update(build/registry): make sure new artifacts requirements contain the new `engine_version_semver` key. All the rules are already modified to contain a semver string

Signed-off-by: Lorenzo Susini
---
 build/registry/requirements.go | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/build/registry/requirements.go b/build/registry/requirements.go
index 1b6b34d8..a5d504e2 100644
--- a/build/registry/requirements.go
+++ b/build/registry/requirements.go
@@ -22,7 +22,6 @@ import (
 	"errors"
 	"fmt"
 	"os"
-	"strconv"
 	"strings"
 
 	"github.com/blang/semver"
@@ -31,7 +30,7 @@ import (
 
 const (
 	rulesEngineAnchor = "- required_engine_version"
-	engineVersionKey  = "engine_version"
+	engineVersionKey  = "engine_version_semver"
 )
 
 // ErrReqNotFound error when the requirements are not found in the rulesfile.
@@ -65,13 +64,21 @@ func rulesfileRequirement(filePath string) (*oci.ArtifactRequirement, error) {
 
 	// Split the requirement and parse the version to semVer.
 	tokens := strings.Split(fileScanner.Text(), ":")
-	reqVer, err := semver.ParseTolerant(tokens[1])
+	reqVer, err := semver.Parse(tokens[1])
 	if err != nil {
-		return nil, fmt.Errorf("unable to parse to semVer the version requirement %q", tokens[1])
+		reqVer, err = semver.ParseTolerant(tokens[1])
+		if err != nil {
+			return nil, fmt.Errorf("unable to parse requirement %q: expected a numeric value or a valid semver string", tokens[1])
+		}
+		reqVer = semver.Version{
+			Major: 0,
+			Minor: reqVer.Major,
+			Patch: 0,
+		}
 	}
 
 	return &oci.ArtifactRequirement{
 		Name:    engineVersionKey,
-		Version: strconv.FormatUint(reqVer.Major, 10),
+		Version: reqVer.String(),
 	}, nil
 }

From 533022a40dd0a0f5c04d9a976190b0401969c1bf Mon Sep 17 00:00:00 2001
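Review bot: `tokens[1]` still carries the space that follows the `:` in `- required_engine_version: 0.26.0`, and unlike `ParseTolerant`, `semver.Parse` does not trim its input, so if I read blang/semver correctly the new `semver.Parse(tokens[1])` line rejects a perfectly valid `0.26.0`, the code falls into the numeric-legacy branch, and the artifact is published with the requirement `0.0.0` — a version every engine satisfies, which defeats the compatibility check the registry exists to enforce. Trim once before both parses: `raw := strings.TrimSpace(tokens[1])`, then `semver.Parse(raw)` and `semver.ParseTolerant(raw)`. The fallback also silently rewrites any input that strict parsing rejects but `ParseTolerant` accepts (`1.2`, `v1.2.3`) into `0.<major>.0`, so restricting it to purely numeric tokens (for example via `strconv.ParseUint`, whose import this patch removes) would keep the error message at the `fmt.Errorf` line truthful and surface malformed requirements instead of downgrading them. `rulesfileRequirement` begins outside the hunk, so any trimming done earlier in the function is not visible here.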
From: Lorenzo Susini
Date: Thu, 2 Nov 2023 14:23:27 +0000
Subject: [PATCH 2/2] update(rules): no need for double quoting required engine version value

Signed-off-by: Lorenzo Susini
---
 rules/falco-incubating_rules.yaml | 2 +-
 rules/falco-sandbox_rules.yaml    | 2 +-
 rules/falco_rules.yaml            | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/rules/falco-incubating_rules.yaml b/rules/falco-incubating_rules.yaml
index 6dbd30d0..27174c6d 100644
--- a/rules/falco-incubating_rules.yaml
+++ b/rules/falco-incubating_rules.yaml
@@ -25,7 +25,7 @@
 
 # Starting with version 8, the Falco engine supports exceptions.
 # However the Falco rules file does not use them by default.
-- required_engine_version: "0.26.0"
+- required_engine_version: 0.26.0
 
 - macro: open_write
   condition: (evt.type in (open,openat,openat2) and evt.is_open_write=true and fd.typechar='f' and fd.num>=0)
diff --git a/rules/falco-sandbox_rules.yaml b/rules/falco-sandbox_rules.yaml
index 932d4c09..945244b8 100644
--- a/rules/falco-sandbox_rules.yaml
+++ b/rules/falco-sandbox_rules.yaml
@@ -25,7 +25,7 @@
 
 # Starting with version 8, the Falco engine supports exceptions.
 # However the Falco rules file does not use them by default.
-- required_engine_version: "0.26.0"
+- required_engine_version: 0.26.0
 
 # Currently disabled as read/write are ignored syscalls. The nearly
 # similar open_write/open_read check for files being opened for
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index f1a3ec6a..c3738b0c 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -25,7 +25,7 @@
 
 # Starting with version 8, the Falco engine supports exceptions.
 # However the Falco rules file does not use them by default.
-- required_engine_version: "0.26.0"
+- required_engine_version: 0.26.0
 
 # Currently disabled as read/write are ignored syscalls. The nearly
 # similar open_write/open_read check for files being opened for
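Review bot: The now-unquoted `required_engine_version` value is consumed by two different readers — Falco's YAML loader and the registry scanner in `build/registry/requirements.go`, which splits the raw line text on `:` — and `0.26.0` only survives as a string on the YAML side because it has two dots; a later two-component value such as `0.27` would most likely be loaded as a float by YAML while the registry still sees text, so the two readers could disagree about the same requirement. A comment above the key would keep future edits safe for both, e.g. `# Keep this a full MAJOR.MINOR.PATCH value; it is read both by Falco and by the registry tooling as plain text.` The same note applies to the `rules/falco-sandbox_rules.yaml` and `rules/falco_rules.yaml` hunks.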