falcosecurity / plugins

Falco plugins registry
Apache License 2.0
85 stars 77 forks source link

fix(plugins/gcp): update extract function #361

Closed lorenzo-merici closed 1 year ago

lorenzo-merici commented 1 year ago

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area plugins

/area registry

/area build

/area documentation

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

poiana commented 1 year ago

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: lorenzo-merici Once this PR has been reviewed and has the lgtm label, please assign ahmedameenaim for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files: - **[plugins/gcpaudit/OWNERS](https://github.com/falcosecurity/plugins/blob/master/plugins/gcpaudit/OWNERS)** Approvers can indicate their approval by writing `/approve` in a comment Approvers can cancel approval by writing `/approve cancel` in a comment
github-actions[bot] commented 1 year ago

Rules files suggestions

gcp_auditlog_rules.yaml

Comparing 7164896980320f7138d29a5b13ae102df5e79d08 with latest tag gcpaudit-0.2.2

No changes detected

jasondellaluce commented 1 year ago

/close

Closing this one after discussing it with the contributor. The rationale is that we don't want to move from the current behavior of returning NULL when a field is missing. The correct semantics of Falco is to check whether a field exists or not with the exists operator in case it can return null.

poiana commented 1 year ago

@jasondellaluce: Closed this PR.

In response to [this](https://github.com/falcosecurity/plugins/pull/361#issuecomment-1761226832): >/close > >Closing this one after discussing it with the contributor. The rationale is that we don't want to move from the current behavior of returning NULL when a field is missing. The correct semantics of Falco is to check whether a field exists or not with the `exists` operator in case it can return null. Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.