try to use a consistent order for the output_fields and tags for more…

… outputs Signed-off-by: Thomas Labarussias <[email protected]>
falcosecurity · Feb 28, 2024 · d9a5902 · d9a5902
1 parent f42b5c0
commit d9a5902
Show file tree

Hide file tree

Showing 20 changed files with 73 additions and 61 deletions.
diff --git a/handlers.go b/handlers.go
@@ -24,6 +24,7 @@ import (
 	"io"
 	"log"
 	"net/http"
+	"sort"
 	"strings"
 	"text/template"
 	"time"
@@ -152,6 +153,10 @@ func newFalcoPayload(payload io.Reader) (types.FalcoPayload, error) {
 		}
 	}
 
+	if len(falcopayload.Tags) != 0 {
+		sort.Strings(falcopayload.Tags)
+	}
+
 	nullClient.CountMetric("falco.accepted", 1, []string{"priority:" + falcopayload.Priority.String()})
 	stats.Falco.Add(strings.ToLower(falcopayload.Priority.String()), 1)
 	promLabels := map[string]string{"rule": falcopayload.Rule, "priority": falcopayload.Priority.String(), "source": falcopayload.Source, "k8s_ns_name": kn, "k8s_pod_name": kp}

diff --git a/outputs/alertmanager.go b/outputs/alertmanager.go
@@ -20,6 +20,7 @@ package outputs
 import (
 	"encoding/json"
 	"log"
+	"sort"
 	"strconv"
 	"strings"
 	"time"
@@ -103,6 +104,7 @@ func newAlertmanagerPayload(falcopayload types.FalcoPayload, config *types.Confi
 		amPayload.Labels[Hostname] = falcopayload.Hostname
 	}
 	if len(falcopayload.Tags) != 0 {
+		sort.Strings(falcopayload.Tags)
 		amPayload.Labels["tags"] = strings.Join(falcopayload.Tags, ",")
 	}
 

diff --git a/outputs/alertmanager_test.go b/outputs/alertmanager_test.go
@@ -30,7 +30,7 @@ import (
 const defaultThresholds = `[{"priority":"critical", "value":10000}, {"priority":"critical", "value":1000}, {"priority":"critical", "value":100} ,{"priority":"warning", "value":10}, {"priority":"warning", "value":1}]`
 
 func TestNewAlertmanagerPayloadO(t *testing.T) {
-	expectedOutput := `[{"labels":{"proc_name":"falcosidekick","priority":"Debug","severity": "information","proc_tty":"1234","eventsource":"syscalls","hostname":"test-host","rule":"Test rule","source":"falco","tags":"test,example"},"annotations":{"info":"This is a test from falcosidekick","description":"This is a test from falcosidekick","summary":"Test rule"}}]`
+	expectedOutput := `[{"labels":{"proc_name":"falcosidekick","priority":"Debug","severity": "information","proc_tty":"1234","eventsource":"syscalls","hostname":"test-host","rule":"Test rule","source":"falco","tags":"example,test"},"annotations":{"info":"This is a test from falcosidekick","description":"This is a test from falcosidekick","summary":"Test rule"}}]`
 	var f types.FalcoPayload
 	d := json.NewDecoder(strings.NewReader(falcoTestInput))
 	d.UseNumber()

diff --git a/outputs/datadog.go b/outputs/datadog.go
@@ -18,7 +18,9 @@ limitations under the License.
 package outputs
 
 import (
+	"fmt"
 	"log"
+	"sort"
 
 	"github.com/falcosecurity/falcosidekick/types"
 )
@@ -40,19 +42,17 @@ func newDatadogPayload(falcopayload types.FalcoPayload) datadogPayload {
 	var d datadogPayload
 	var tags []string
 
-	for i, j := range falcopayload.OutputFields {
-		switch v := j.(type) {
-		case string:
-			tags = append(tags, i+":"+v)
-		default:
-			continue
-		}
+	for _, i := range getSortedStringKeys(falcopayload.OutputFields) {
+		tags = append(tags, fmt.Sprintf("%v:%v", i, falcopayload.OutputFields[i]))
+
 	}
 	tags = append(tags, "source:"+falcopayload.Source)
 	if falcopayload.Hostname != "" {
 		tags = append(tags, Hostname+":"+falcopayload.Hostname)
 	}
+
 	if len(falcopayload.Tags) != 0 {
+		sort.Strings(falcopayload.Tags)
 		tags = append(tags, falcopayload.Tags...)
 	}
 	d.Tags = tags

diff --git a/outputs/datadog_test.go b/outputs/datadog_test.go
@@ -27,7 +27,7 @@ import (
 )
 
 func TestNewDatadogPayload(t *testing.T) {
-	expectedOutput := `{"title":"Test rule","text":"This is a test from falcosidekick","alert_type":"info","source_type_name":"falco","tags":["proc.name:falcosidekick", "source:syscalls", "hostname:test-host", "test", "example"]}`
+	expectedOutput := `{"title":"Test rule","text":"This is a test from falcosidekick","alert_type":"info","source_type_name":"falco","tags":["proc.name:falcosidekick", "source:syscalls", "hostname:test-host", "example", "test"]}`
 	var f types.FalcoPayload
 	json.Unmarshal([]byte(falcoTestInput), &f)
 	s, _ := json.Marshal(newDatadogPayload(f))

diff --git a/outputs/discord.go b/outputs/discord.go
@@ -20,6 +20,7 @@ package outputs
 import (
 	"fmt"
 	"log"
+	"sort"
 	"strings"
 
 	"github.com/falcosecurity/falcosidekick/types"
@@ -78,23 +79,19 @@ func newDiscordPayload(falcopayload types.FalcoPayload, config *types.Configurat
 	embedFields := make([]discordEmbedFieldPayload, 0)
 	var embedField discordEmbedFieldPayload
 
-	for i, j := range falcopayload.OutputFields {
-		switch v := j.(type) {
-		case string:
-			embedField = discordEmbedFieldPayload{i, fmt.Sprintf("```%s```", v), true}
-		default:
-			continue
-		}
-		embedFields = append(embedFields, embedField)
-	}
-
 	embedFields = append(embedFields, discordEmbedFieldPayload{Rule, falcopayload.Rule, true})
 	embedFields = append(embedFields, discordEmbedFieldPayload{Priority, falcopayload.Priority.String(), true})
 	embedFields = append(embedFields, discordEmbedFieldPayload{Source, falcopayload.Source, true})
 	if falcopayload.Hostname != "" {
 		embedFields = append(embedFields, discordEmbedFieldPayload{Hostname, falcopayload.Hostname, true})
 	}
+
+	for _, i := range getSortedStringKeys(falcopayload.OutputFields) {
+		embedField = discordEmbedFieldPayload{i, fmt.Sprintf("```%v```", falcopayload.OutputFields[i]), true}
+		embedFields = append(embedFields, embedField)
+	}
 	if len(falcopayload.Tags) != 0 {
+		sort.Strings(falcopayload.Tags)
 		embedFields = append(embedFields, discordEmbedFieldPayload{Tags, strings.Join(falcopayload.Tags, ", "), true})
 	}
 	embedFields = append(embedFields, discordEmbedFieldPayload{Time, falcopayload.Time.String(), true})

diff --git a/outputs/discord_test.go b/outputs/discord_test.go
@@ -37,11 +37,6 @@ func TestNewDiscordPayload(t *testing.T) {
 				Description: "This is a test from falcosidekick",
 				Color:       "12370112", // light grey
 				Fields: []discordEmbedFieldPayload{
-					{
-						Name:   "proc.name",
-						Value:  fmt.Sprintf("```%s```", "falcosidekick"),
-						Inline: true,
-					},
 					{
 						Name:   "rule",
 						Value:  "Test rule",
@@ -62,9 +57,14 @@ func TestNewDiscordPayload(t *testing.T) {
 						Value:  "test-host",
 						Inline: true,
 					},
+					{
+						Name:   "proc.name",
+						Value:  fmt.Sprintf("```%s```", "falcosidekick"),
+						Inline: true,
+					},
 					{
 						Name:   "tags",
-						Value:  "test, example",
+						Value:  "example, test",
 						Inline: true,
 					},
 					{

diff --git a/outputs/googlechat.go b/outputs/googlechat.go
@@ -20,6 +20,7 @@ package outputs
 import (
 	"bytes"
 	"log"
+	"sort"
 	"strings"
 
 	"github.com/falcosecurity/falcosidekick/types"
@@ -72,6 +73,13 @@ func newGooglechatPayload(falcopayload types.FalcoPayload, config *types.Configu
 		}
 	}
 
+	widgets = append(widgets, widget{KeyValue: keyValue{"rule", falcopayload.Rule}})
+	widgets = append(widgets, widget{KeyValue: keyValue{"priority", falcopayload.Priority.String()}})
+	widgets = append(widgets, widget{KeyValue: keyValue{"source", falcopayload.Source}})
+	if falcopayload.Hostname != "" {
+		widgets = append(widgets, widget{KeyValue: keyValue{Hostname, falcopayload.Hostname}})
+	}
+
 	for _, i := range getSortedStringKeys(falcopayload.OutputFields) {
 		widgets = append(widgets, widget{
 			KeyValue: keyValue{
@@ -81,15 +89,8 @@ func newGooglechatPayload(falcopayload types.FalcoPayload, config *types.Configu
 		})
 	}
 
-	widgets = append(widgets, widget{KeyValue: keyValue{"rule", falcopayload.Rule}})
-	widgets = append(widgets, widget{KeyValue: keyValue{"priority", falcopayload.Priority.String()}})
-	widgets = append(widgets, widget{KeyValue: keyValue{"source", falcopayload.Source}})
-
-	if falcopayload.Hostname != "" {
-		widgets = append(widgets, widget{KeyValue: keyValue{Hostname, falcopayload.Hostname}})
-	}
-
 	if len(falcopayload.Tags) != 0 {
+		sort.Strings(falcopayload.Tags)
 		widgets = append(widgets, widget{
 			KeyValue: keyValue{
 				TopLabel: "tags",

diff --git a/outputs/googlechat_test.go b/outputs/googlechat_test.go
@@ -35,12 +35,6 @@ func TestNewGoogleChatPayload(t *testing.T) {
 				Sections: []section{
 					{
 						Widgets: []widget{
-							{
-								keyValue{
-									TopLabel: "proc.name",
-									Content:  "falcosidekick",
-								},
-							},
 							{
 								keyValue{
 									TopLabel: "rule",
@@ -65,10 +59,16 @@ func TestNewGoogleChatPayload(t *testing.T) {
 									Content:  "test-host",
 								},
 							},
+							{
+								keyValue{
+									TopLabel: "proc.name",
+									Content:  "falcosidekick",
+								},
+							},
 							{
 								keyValue{
 									TopLabel: "tags",
-									Content:  "test, example",
+									Content:  "example, test",
 								},
 							},
 							{

diff --git a/outputs/loki.go b/outputs/loki.go
@@ -20,6 +20,7 @@ package outputs
 import (
 	"fmt"
 	"log"
+	"sort"
 	"strings"
 
 	"github.com/falcosecurity/falcosidekick/types"
@@ -68,6 +69,7 @@ func newLokiPayload(falcopayload types.FalcoPayload, config *types.Configuration
 	}
 
 	if len(falcopayload.Tags) != 0 {
+		sort.Strings(falcopayload.Tags)
 		s["tags"] = strings.Join(falcopayload.Tags, ",")
 	}
 

diff --git a/outputs/loki_test.go b/outputs/loki_test.go
@@ -32,7 +32,7 @@ func TestNewLokiPayload(t *testing.T) {
 			{
 				Stream: map[string]string{
 					"hostname": "test-host",
-					"tags":     "test,example",
+					"tags":     "example,test",
 					"rule":     "Test rule",
 					"source":   "syscalls",
 					"priority": "Debug",

diff --git a/outputs/mattermost.go b/outputs/mattermost.go
@@ -20,6 +20,7 @@ package outputs
 import (
 	"bytes"
 	"log"
+	"sort"
 	"strings"
 
 	"github.com/falcosecurity/falcosidekick/types"
@@ -54,6 +55,7 @@ func newMattermostPayload(falcopayload types.FalcoPayload, config *types.Configu
 		field.Short = true
 		fields = append(fields, field)
 		if len(falcopayload.Tags) != 0 {
+			sort.Strings(falcopayload.Tags)
 			field.Title = Tags
 			field.Value = strings.Join(falcopayload.Tags, ", ")
 			field.Short = true

diff --git a/outputs/mattermost_test.go b/outputs/mattermost_test.go
@@ -61,7 +61,7 @@ func TestMattermostPayload(t *testing.T) {
 					},
 					{
 						Title: "tags",
-						Value: "test, example",
+						Value: "example, test",
 						Short: true,
 					},
 					{

diff --git a/outputs/pagerduty.go b/outputs/pagerduty.go
@@ -20,6 +20,7 @@ package outputs
 import (
 	"context"
 	"log"
+	"sort"
 	"strings"
 	"time"
 
@@ -68,6 +69,7 @@ func createPagerdutyEvent(falcopayload types.FalcoPayload, config types.Pagerdut
 		falcopayload.OutputFields[Hostname] = falcopayload.Hostname
 	}
 	if len(falcopayload.Tags) != 0 {
+		sort.Strings(falcopayload.Tags)
 		details["tags"] = strings.Join(falcopayload.Tags, ", ")
 	}
 	event := pagerduty.V2Event{

diff --git a/outputs/rocketchat.go b/outputs/rocketchat.go
@@ -20,6 +20,7 @@ package outputs
 import (
 	"bytes"
 	"log"
+	"sort"
 	"strings"
 
 	"github.com/falcosecurity/falcosidekick/types"
@@ -48,6 +49,7 @@ func newRocketchatPayload(falcopayload types.FalcoPayload, config *types.Configu
 		field.Short = true
 		fields = append(fields, field)
 		if len(falcopayload.Tags) != 0 {
+			sort.Strings(falcopayload.Tags)
 			field.Title = Tags
 			field.Value = strings.Join(falcopayload.Tags, ", ")
 			field.Short = true

diff --git a/outputs/rocketchat_test.go b/outputs/rocketchat_test.go
@@ -56,7 +56,7 @@ func TestNewRocketchatPayload(t *testing.T) {
 					},
 					{
 						Title: "tags",
-						Value: "test, example",
+						Value: "example, test",
 						Short: true,
 					},
 					{

diff --git a/outputs/slack.go b/outputs/slack.go
@@ -20,6 +20,7 @@ package outputs
 import (
 	"bytes"
 	"log"
+	"sort"
 	"strings"
 
 	"github.com/falcosecurity/falcosidekick/types"
@@ -79,6 +80,7 @@ func newSlackPayload(falcopayload types.FalcoPayload, config *types.Configuratio
 			fields = append(fields, field)
 		}
 		if len(falcopayload.Tags) != 0 {
+			sort.Strings(falcopayload.Tags)
 			field.Title = Tags
 			field.Value = strings.Join(falcopayload.Tags, ", ")
 			field.Short = true

diff --git a/outputs/slack_test.go b/outputs/slack_test.go
@@ -61,7 +61,7 @@ func TestNewSlackPayload(t *testing.T) {
 					},
 					{
 						Title: "tags",
-						Value: "test, example",
+						Value: "example, test",
 						Short: true,
 					},
 					{

diff --git a/outputs/teams.go b/outputs/teams.go
@@ -19,6 +19,7 @@ package outputs
 
 import (
 	"log"
+	"sort"
 	"strings"
 
 	"github.com/falcosecurity/falcosidekick/types"
@@ -65,18 +66,6 @@ func newTeamsPayload(falcopayload types.FalcoPayload, config *types.Configuratio
 	}
 
 	if config.Teams.OutputFormat == All || config.Teams.OutputFormat == "facts" || config.Teams.OutputFormat == "" {
-		for i, j := range falcopayload.OutputFields {
-			switch v := j.(type) {
-			case string:
-				fact.Name = i
-				fact.Value = v
-			default:
-				continue
-			}
-
-			facts = append(facts, fact)
-		}
-
 		fact.Name = Rule
 		fact.Value = falcopayload.Rule
 		facts = append(facts, fact)
@@ -91,7 +80,15 @@ func newTeamsPayload(falcopayload types.FalcoPayload, config *types.Configuratio
 			fact.Value = falcopayload.Hostname
 			facts = append(facts, fact)
 		}
+
+		for _, i := range getSortedStringKeys(falcopayload.OutputFields) {
+			fact.Name = i
+			fact.Value = falcopayload.OutputFields[i].(string)
+			facts = append(facts, fact)
+		}
+
 		if len(falcopayload.Tags) != 0 {
+			sort.Strings(falcopayload.Tags)
 			fact.Name = Tags
 			fact.Value = strings.Join(falcopayload.Tags, ", ")
 			facts = append(facts, fact)