Use fullPath (#259)

* use fullPath

* fixed units

* fixed paths

* handle modify RB

* Adding pod name to rules

Signed-off-by: Amit Schendel <[email protected]>

* Fixing new types

Signed-off-by: Amit Schendel <[email protected]>

* Adding new pkg versions

Signed-off-by: Amit Schendel <[email protected]>

* Adding correct am alerts

Signed-off-by: Amit Schendel <[email protected]>

* use containerID for cache

* remove containerd prefix

* fixed unit

---------

Signed-off-by: Amit Schendel <[email protected]>
Signed-off-by: David Wertenteil <[email protected]>
Co-authored-by: Amit Schendel <[email protected]>

go.mod

@@ -5,7 +5,7 @@ go 1.21.3
 toolchain go1.21.4
 
 require (
-	github.com/armosec/armoapi-go v0.0.379
+	github.com/armosec/armoapi-go v0.0.385
 	github.com/armosec/utils-k8s-go v0.0.26
 	github.com/cenkalti/backoff/v4 v4.3.0
 	github.com/cilium/ebpf v0.14.0

go.sum

@@ -111,8 +111,8 @@ github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj
 github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
-github.com/armosec/armoapi-go v0.0.379 h1:y9pIjRQmfWoQ5zuFS9PRKRsPtZAPWVyDNSYJZBc2I5Q=
-github.com/armosec/armoapi-go v0.0.379/go.mod h1:THr0weLNkxJvZPgwk2GSCtGWw4ERGDYo81g9MqHOUwk=
+github.com/armosec/armoapi-go v0.0.385 h1:zkVQ/ZHcdE8cYP6Ca/tWsgVsgxTQxHfUNQ907RQykE4=
+github.com/armosec/armoapi-go v0.0.385/go.mod h1:THr0weLNkxJvZPgwk2GSCtGWw4ERGDYo81g9MqHOUwk=
 github.com/armosec/gojay v1.2.17 h1:VSkLBQzD1c2V+FMtlGFKqWXNsdNvIKygTKJI9ysY8eM=
 github.com/armosec/gojay v1.2.17/go.mod h1:vuvX3DlY0nbVrJ0qCklSS733AWMoQboq3cFyuQW9ybc=
 github.com/armosec/utils-go v0.0.57 h1:0RaqexK+t7HeKWfldBv2C1JiLLGuUx9FP0DGWDNRJpg=

mocks/testdata/collection_applicationprofiles.json

@@ -3,7 +3,9 @@
     "kind": "ApplicationProfile",
     "metadata": {
         "annotations": {
-            "kubescape.io/resource-size": "24"
+            "kubescape.io/resource-size": "24",
+            "kubescape.io/completion": "complete",
+            "kubescape.io/status": "completed"
         },
         "labels": {
             "kubescape.io/instance-template-hash": "94c495554",

mocks/testdata/collection_networkneighbors.json

@@ -2,7 +2,10 @@
     "apiVersion": "spdx.softwarecomposition.kubescape.io/v1beta1",
     "kind": "NetworkNeighbors",
     "metadata": {
-        "annotations": { },
+        "annotations": {
+            "kubescape.io/completion": "complete",
+            "kubescape.io/status": "completed"
+         },
         "labels": {
             "kubescape.io/workload-api-group": "apps",
             "kubescape.io/workload-api-version": "v1",

mocks/testdata/nginx_applicationprofiles.json

@@ -3,7 +3,9 @@
     "kind": "ApplicationProfile",
     "metadata": {
         "annotations": {
-            "kubescape.io/resource-size": "85"
+            "kubescape.io/resource-size": "85",
+            "kubescape.io/completion": "complete",
+            "kubescape.io/status": "completed"
         },
         "creationTimestamp": "2024-03-19T09:27:05Z",
         "labels": {

mocks/testdata/nginx_networkneighbors.json

@@ -3,6 +3,8 @@
     "kind": "NetworkNeighbors",
     "metadata": {
         "annotations": {
+            "kubescape.io/completion": "complete",
+            "kubescape.io/status": "completed"
         },
         "creationTimestamp": "2024-03-19T09:24:57Z",
         "labels": {

pkg/containerwatcher/v1/open.go

@@ -15,7 +15,7 @@ func (ch *IGContainerWatcher) openEventCallback(event *traceropentype.Event) {
 		// dropped event
 		logger.L().Ctx(ch.ctx).Warning("open tracer got drop events - we may miss some realtime data", helpers.Interface("event", event), helpers.String("error", event.Message))
 	}
-	if event.Ret > -1 && event.Path != "" {
+	if event.Ret > -1 && event.FullPath != "" {
 		ch.openWorkerChan <- event
 	}
 }

pkg/exporters/alert_manager.go

@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"node-agent/pkg/malwaremanager"
 	"node-agent/pkg/ruleengine"
+	"node-agent/pkg/utils"
 	"os"
 	"time"
 
@@ -45,6 +46,12 @@ func InitAlertManagerExporter(alertManagerURL string) *AlertManagerExporter {
 }
 
 func (ame *AlertManagerExporter) SendRuleAlert(failedRule ruleengine.RuleFailure) {
+	processTree := failedRule.GetRuntimeProcessDetails().ProcessTree
+	process := utils.GetProcessFromProcessTree(&processTree, failedRule.GetBaseRuntimeAlert().InfectedPID)
+	if process == nil {
+		logger.L().Error("Failed to get process from process tree")
+		return
+	}
 	sourceUrl := fmt.Sprintf("https://armosec.github.io/kubecop/alertviewer/?AlertMessage=%s&AlertRuleName=%s&AlertRuleID=%s&AlertFix=%s&AlertNamespace=%s&AlertPod=%s&AlertContainer=%s&AlertProcess=%s",
 		failedRule.GetRuleAlert().RuleDescription,
 		failedRule.GetBaseRuntimeAlert().AlertName,
@@ -53,7 +60,7 @@ func (ame *AlertManagerExporter) SendRuleAlert(failedRule ruleengine.RuleFailure
 		failedRule.GetRuntimeAlertK8sDetails().Namespace,
 		failedRule.GetRuntimeAlertK8sDetails().PodName,
 		failedRule.GetRuntimeAlertK8sDetails().ContainerName,
-		fmt.Sprintf("%s (%d)", failedRule.GetRuntimeProcessDetails().ProcessTree.Comm, failedRule.GetRuntimeProcessDetails().ProcessTree.PID),
+		fmt.Sprintf("%s (%d)", process.Comm, process.PID),
 	)
 	summary := fmt.Sprintf("Rule '%s' in '%s' namespace '%s' failed", failedRule.GetBaseRuntimeAlert().AlertName, failedRule.GetRuntimeAlertK8sDetails().PodName, failedRule.GetRuntimeAlertK8sDetails().Namespace)
 	myAlert := models.PostableAlert{
@@ -79,12 +86,12 @@ func (ame *AlertManagerExporter) SendRuleAlert(failedRule ruleengine.RuleFailure
 				"severity":       PriorityToStatus(failedRule.GetBaseRuntimeAlert().Severity),
 				"host":           ame.Host,
 				"node_name":      ame.NodeName,
-				"pid":            fmt.Sprintf("%d", failedRule.GetRuntimeProcessDetails().ProcessTree.PID),
-				"ppid":           fmt.Sprintf("%d", failedRule.GetRuntimeProcessDetails().ProcessTree.PPID),
-				"pcomm":          failedRule.GetRuntimeProcessDetails().ProcessTree.Pcomm,
-				"comm":           failedRule.GetRuntimeProcessDetails().ProcessTree.Comm,
-				"uid":            fmt.Sprintf("%d", failedRule.GetRuntimeProcessDetails().ProcessTree.Uid),
-				"gid":            fmt.Sprintf("%d", failedRule.GetRuntimeProcessDetails().ProcessTree.Gid),
+				"pid":            fmt.Sprintf("%d", process.PID),
+				"ppid":           fmt.Sprintf("%d", process.PPID),
+				"pcomm":          process.Pcomm,
+				"comm":           process.Comm,
+				"uid":            fmt.Sprintf("%d", process.Uid),
+				"gid":            fmt.Sprintf("%d", process.Gid),
 			},
 		},
 	}
@@ -123,7 +130,7 @@ func (ame *AlertManagerExporter) SendMalwareAlert(malwareResult malwaremanager.M
 				"container_name":         malwareResult.GetTriggerEvent().GetBaseEvent().GetContainer(),
 				"namespace":              malwareResult.GetTriggerEvent().GetBaseEvent().GetNamespace(),
 				"pod_name":               malwareResult.GetTriggerEvent().GetBaseEvent().GetPod(),
-				"size":                   *malwareResult.GetBasicRuntimeAlert().Size,
+				"size":                   malwareResult.GetBasicRuntimeAlert().Size,
 				"md5hash":                malwareResult.GetBasicRuntimeAlert().MD5Hash,
 				"sha256hash":             malwareResult.GetBasicRuntimeAlert().SHA256Hash,
 				"sha1hash":               malwareResult.GetBasicRuntimeAlert().SHA1Hash,

pkg/exporters/alert_manager_test.go

@@ -95,11 +95,10 @@ func TestSendMalwareAlert(t *testing.T) {
 		t.Fatalf("Failed to create new Alertmanager exporter")
 	}
 	// Call SendAlert
-	sizeStr := "2MiB"
 	exporter.SendMalwareAlert(&mmtypes.GenericMalwareResult{
 		BasicRuntimeAlert: apitypes.BaseRuntimeAlert{
 			AlertName:  "testmalware",
-			Size:       &sizeStr,
+			Size:       "2MiB",
 			MD5Hash:    "testmalwarehash",
 			SHA1Hash:   "testmalwarehash",
 			SHA256Hash: "testmalwarehash",

pkg/exporters/csv_exporter.go

@@ -122,7 +122,7 @@ func (ce *CsvExporter) SendMalwareAlert(malwareResult malwaremanager.MalwareResu
 		malwareResult.GetBasicRuntimeAlert().MD5Hash,
 		malwareResult.GetBasicRuntimeAlert().SHA256Hash,
 		malwareResult.GetBasicRuntimeAlert().SHA1Hash,
-		*malwareResult.GetBasicRuntimeAlert().Size,
+		malwareResult.GetBasicRuntimeAlert().Size,
 		malwareResult.GetTriggerEvent().GetBaseEvent().GetNamespace(),
 		malwareResult.GetTriggerEvent().GetBaseEvent().GetPod(),
 		malwareResult.GetTriggerEvent().GetBaseEvent().GetContainer(),

pkg/exporters/csv_exporter_test.go

@@ -31,11 +31,10 @@ func TestCsvExporter(t *testing.T) {
 			RuleDescription: "Application profile is missing",
 		},
 	})
-	sizeStr := "2MiB"
 	csvExporter.SendMalwareAlert(&mmtypes.GenericMalwareResult{
 		BasicRuntimeAlert: apitypes.BaseRuntimeAlert{
 			AlertName:  "testmalware",
-			Size:       &sizeStr,
+			Size:       "2MiB",
 			MD5Hash:    "testmalwarehash",
 			SHA1Hash:   "testmalwarehash",
 			SHA256Hash: "testmalwarehash",

pkg/exporters/http_exporter_test.go

@@ -165,11 +165,10 @@ func TestSendMalwareAlertHTTPExporter(t *testing.T) {
 	assert.NoError(t, err)
 
 	// Create a mock malware description
-	sizeStr := "2MiB"
 	malwareDesc := &mmtypes.GenericMalwareResult{
 		BasicRuntimeAlert: apitypes.BaseRuntimeAlert{
 			AlertName:  "testmalware",
-			Size:       &sizeStr,
+			Size:       "2MiB",
 			MD5Hash:    "testmalwarehash",
 			SHA1Hash:   "testmalwarehash",
 			SHA256Hash: "testmalwarehash",

pkg/exporters/syslog_exporter.go

@@ -146,7 +146,7 @@ func (se *SyslogExporter) SendMalwareAlert(malwareResult malwaremanager.MalwareR
 					},
 					{
 						Name:  "size",
-						Value: *malwareResult.GetBasicRuntimeAlert().Size,
+						Value: malwareResult.GetBasicRuntimeAlert().Size,
 					},
 					{
 						Name:  "namespace",

pkg/exporters/syslog_exporter_test.go

@@ -93,12 +93,11 @@ func TestSyslogExporter(t *testing.T) {
 			RuleDescription: "Application profile is missing",
 		},
 	})
-	sizeStr := "2MiB"
 
 	syslogExp.SendMalwareAlert(&mmtypes.GenericMalwareResult{
 		BasicRuntimeAlert: apitypes.BaseRuntimeAlert{
 			AlertName:  "testmalware",
-			Size:       &sizeStr,
+			Size:       "2MiB",
 			MD5Hash:    "testmalwarehash",
 			SHA1Hash:   "testmalwarehash",
 			SHA256Hash: "testmalwarehash",

pkg/malwaremanager/v1/clamav/clamav.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"node-agent/pkg/malwaremanager"
 	mmtypes "node-agent/pkg/malwaremanager/v1/types"
+	"node-agent/pkg/utils"
 	nautils "node-agent/pkg/utils"
 	"time"
 
@@ -107,30 +108,27 @@ func (c *ClamAVClient) handleExecEvent(execEvent *tracerexectype.Event, containe
 				logger.L().Error("Error getting file size of %s", helpers.String("path", result.Path), helpers.Error(err))
 			}
 			path := strings.TrimPrefix(result.Path, os.Getenv("HOST_ROOT"))
-			commandLine := fmt.Sprintf("%s %s", execEvent.Comm, strings.Join(execEvent.Args, " "))
-			sizeStr := humanize.IBytes(uint64(size))
+
+			commandLine := fmt.Sprintf("%s %s", utils.GetExecPathFromEvent(execEvent), utils.GetExecArgsFromEvent(execEvent))
 			return &mmtypes.GenericMalwareResult{
 				BasicRuntimeAlert: apitypes.BaseRuntimeAlert{
-					AlertName:   result.Description,
-					InfectedPID: execEvent.Pid,
-					Arguments: map[string]interface{}{
-						"hardlink": execEvent.ExePath,
-						"path":     path,
-					},
+					AlertName:      result.Description,
+					InfectedPID:    execEvent.Pid,
 					FixSuggestions: FixSuggestions,
 					SHA1Hash:       sha1hash,
 					SHA256Hash:     sha256hash,
 					MD5Hash:        md5hash,
 					Severity:       10, // TODO: Get severity from api.
-					Size:           &sizeStr,
+					Size:           humanize.IBytes(uint64(size)),
 					Timestamp:      time.Unix(int64(execEvent.Timestamp), 0),
 				},
 				RuntimeProcessDetails: apitypes.ProcessTree{
 					ProcessTree: apitypes.Process{
 						Comm:       execEvent.Comm,
-						Gid:        execEvent.Gid,
+						Path:       path,
+						Gid:        &execEvent.Gid,
 						PID:        execEvent.Pid,
-						Uid:        execEvent.Uid,
+						Uid:        &execEvent.Uid,
 						UpperLayer: execEvent.UpperLayer,
 						PPID:       execEvent.Ppid,
 						Pcomm:      execEvent.Pcomm,
@@ -199,26 +197,25 @@ func (c *ClamAVClient) handleOpenEvent(openEvent *traceropentype.Event, containe
 			}
 
 			path := strings.TrimPrefix(result.Path, os.Getenv("HOST_ROOT"))
-			sizeStr := humanize.IBytes(uint64(size))
 			return &mmtypes.GenericMalwareResult{
 				BasicRuntimeAlert: apitypes.BaseRuntimeAlert{
 					AlertName:      result.Description,
-					Arguments:      map[string]interface{}{"path": path},
 					InfectedPID:    openEvent.Pid,
 					FixSuggestions: FixSuggestions,
 					SHA1Hash:       sha1hash,
 					SHA256Hash:     sha256hash,
 					MD5Hash:        md5hash,
 					Severity:       10, // TODO: Get severity from api.
-					Size:           &sizeStr,
+					Size:           humanize.IBytes(uint64(size)),
 					Timestamp:      time.Unix(int64(openEvent.Timestamp), 0),
 				},
 				RuntimeProcessDetails: apitypes.ProcessTree{
 					ProcessTree: apitypes.Process{
 						Comm: openEvent.Comm,
-						Gid:  openEvent.Gid,
+						Path: path,
+						Gid:  &openEvent.Gid,
 						PID:  openEvent.Pid,
-						Uid:  openEvent.Uid,
+						Uid:  &openEvent.Uid,
 					},
 					ContainerID: openEvent.Runtime.ContainerID,
 				},

pkg/malwaremanager/v1/malware_manager.go

@@ -230,14 +230,12 @@ func (mm *MalwareManager) enrichMalwareResult(malwareResult malwaremanager.Malwa
 		baseRuntimeAlert.SHA256Hash = sha256hash
 	}
 
-	if baseRuntimeAlert.Size == nil && hostPath != "" {
+	if baseRuntimeAlert.Size == "" && hostPath != "" {
 		size, err := utils.GetFileSize(hostPath)
 		if err != nil {
-			sizeStr := ""
-			baseRuntimeAlert.Size = &sizeStr
+			baseRuntimeAlert.Size = ""
 		} else {
-			size := humanize.Bytes(uint64(size))
-			baseRuntimeAlert.Size = &size
+			baseRuntimeAlert.Size = humanize.Bytes(uint64(size))
 		}
 	}
 
@@ -282,6 +280,10 @@ func (mm *MalwareManager) enrichMalwareResult(malwareResult malwaremanager.Malwa
 		runtimeProcessDetails.ProcessTree.Comm = comm
 	}
 
+	if runtimeProcessDetails.ProcessTree.Path == "" && path != "" {
+		runtimeProcessDetails.ProcessTree.Path = path
+	}
+
 	if mm.containerIdToShimPid.Has(malwareResult.GetRuntimeProcessDetails().ContainerID) {
 		shimPid := mm.containerIdToShimPid.Get(malwareResult.GetRuntimeProcessDetails().ContainerID)
 		tree, err := utils.CreateProcessTree(&runtimeProcessDetails.ProcessTree, shimPid)

pkg/objectcache/applicationactivitiescache_interface.go

@@ -3,7 +3,6 @@ package objectcache
 import "github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1"
 
 type ApplicationActivityCache interface {
-	IsCached(kind, namespace, name string) bool
 	GetApplicationActivity(namespace, name string) *v1beta1.ApplicationActivity
 }
 
@@ -15,6 +14,3 @@ type ApplicationActivityCacheMock struct {
 func (ap *ApplicationActivityCacheMock) GetApplicationActivity(namespace, name string) *v1beta1.ApplicationActivity {
 	return nil
 }
-func (ap *ApplicationActivityCacheMock) IsCached(kind, namespace, name string) bool {
-	return true
-}