parser

package
v0.0.21 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Jan 12, 2026 License: Apache-2.0 Imports: 13 Imported by: 1

Documentation

Index

Constants

// Severity levels, as untyped integer constants running from 0
// (SeverityCritical) to 4 (SeverityInfo).
//
// The position in this block determines the value, so entries must not be
// reordered or inserted in the middle.
//
// NOTE(review): presumably these are the values carried by
// ParseCreT.Severity (a uint); confirm against the rule schema. The zero
// value of that field equals SeverityCritical.
const (
	SeverityCritical = iota // 0
	SeverityHigh            // 1
	SeverityMedium          // 2
	SeverityLow             // 3
	SeverityInfo            // 4
)

Variables

// Sentinel errors exported by the package.
//
// NOTE(review): NodeT.WrapError suggests these can reach callers wrapped, so
// matching with errors.Is rather than == is the safer assumption.
var (
	// Lookup and support errors.
	ErrRuleNotFound = errors.New("rule not found")
	ErrTermNotFound = errors.New("term not found")
	ErrNotSupported = errors.New("not supported")

	// Document structure errors.
	ErrRuleRootNotFound = errors.New("missing rule section")
	ErrMissingOrder     = errors.New("'sequence' missing 'order'")
	ErrMissingMatch     = errors.New("'set' missing 'match'")
	ErrInvalidWindow    = errors.New("invalid 'window'")
	ErrTermsMapping     = errors.New("'terms' must be a mapping")
	ErrDuplicateTerm    = errors.New("duplicate term name")
	ErrInnerEvent       = errors.New("invalid event on inner node")

	// Identifier errors. Per the messages, rule ids and rule hashes must be
	// base58; the accepted form of a cre id is not stated.
	ErrMissingRuleId   = errors.New("missing rule id")
	ErrMissingRuleHash = errors.New("missing rule hash")
	ErrMissingCreId    = errors.New("missing cre id")
	ErrInvalidCreId    = errors.New("invalid cre id")
	ErrInvalidRuleId   = errors.New("invalid rule id (must be base58)")
	ErrInvalidRuleHash = errors.New("invalid rule hash (must be base58)")

	// Extract name error. Per the message, names are limited to alphanumeric
	// characters and underscores.
	ErrExtractName = errors.New("invalid extract name (alphanumeric and underscores only)")
)
// PromQLValidator is the hook used to validate a PromQL expression. It is a
// package-level variable, so a caller can assign a real validator without this
// package importing the promql dependencies.
//
// The default accepts every expression: it returns nil without inspecting
// expr. Until a validator is assigned, PromQL text is not checked by this hook.
var PromQLValidator = func(expr string) error {
	return nil
}

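PromQLValidator validates a PromQL expression. It is a hook, exposed so that the compiler does not have to import the promql dependencies. The default shown above returns nil for every input, so expressions are not validated until a caller assigns a real validator.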

Functions

func Hash added in v0.0.11

func Hash(h string) string

func HashRule added in v0.0.11

func HashRule(rule ParseRuleT) (string, error)

func ParseCres

func ParseCres(data []byte) (map[string]ParseCreT, error)

func RootNode added in v0.0.4

func RootNode(data []byte) (*yaml.Node, error)

func StableHash added in v0.0.16

func StableHash(rule ParseRuleT) (string, error)

func WithGenIds added in v0.0.11

func WithGenIds() func(*parseOptsT)

Types

type EventT

// EventT is the JSON form of the event attached to a node (see
// NodeMetadataT.Event). Both fields are always written; neither tag uses
// omitempty.
//
// NOTE(review): the meaning of Origin is not visible on this page.
type EventT struct {
	Origin bool   `json:"origin"`
	Source string `json:"source"`
}

type ExtractT added in v0.0.17

// ExtractT is the JSON form of one extraction listed in FieldT.Extract: a name
// plus a jq expression and/or a regex expression. Empty expressions are left
// out of the JSON output (omitempty).
//
// NOTE(review): ErrExtractName indicates that names are restricted to
// alphanumeric characters and underscores; the check itself is not on this page.
type ExtractT struct {
	Name       string `json:"name"`
	JqValue    string `json:"jq_value,omitempty"`
	RegexValue string `json:"regex_value,omitempty"`
}

type FieldT

// FieldT is the JSON form of a single term; TermsT holds a slice of them.
//
// NOTE(review): StrValue, JqValue and RegexValue look like alternative ways to
// express the value to match; whether they are mutually exclusive is not
// visible here.
type FieldT struct {
	Field      string       `json:"field"`
	StrValue   string       `json:"value"`
	JqValue    string       `json:"jq_value"`
	RegexValue string       `json:"regex_value"`
	Count      int          `json:"count"`
	// NegateOpts has no omitempty, so a nil pointer is written as JSON null.
	NegateOpts *NegateOptsT `json:"negate"`
	Extract    []ExtractT   `json:"extract,omitempty"`
}

type MatcherT

// MatcherT groups the terms to match, the terms to negate, and a time window.
type MatcherT struct {
	Match  TermsT        `json:"match"`
	Negate TermsT        `json:"negate"`
	// Window is a time.Duration; encoding/json writes it as an integer number
	// of nanoseconds.
	Window time.Duration `json:"window"`
}

type NegateOptsT

// NegateOptsT holds negate options with Window and Slide as time.Duration
// values. ParseNegateOptsT carries the same four settings with Window and
// Slide as strings.
//
// NOTE(review): the semantics of Slide, Anchor and Absolute are not visible on
// this page.
type NegateOptsT struct {
	Window   time.Duration `json:"window"`
	Slide    time.Duration `json:"slide"`
	Anchor   uint32        `json:"anchor"`
	Absolute bool          `json:"absolute"`
}

type NodeMetadataT

// NodeMetadataT is the metadata carried by every NodeT.
//
// NOTE(review): the package's error messages state that rule ids and rule
// hashes must be base58; where that is enforced is not visible on this page.
type NodeMetadataT struct {
	RuleHash     string           `json:"rule_hash"`
	RuleId       string           `json:"rule_id"`
	CreId        string           `json:"cre_id"`
	Window       time.Duration    `json:"window"`
	// Event and NegateOpts are pointers without omitempty, so nil is written
	// as JSON null.
	Event        *EventT          `json:"event"`
	// Type and Pos use types from the schema and pqerr packages, which are not
	// shown on this page.
	Type         schema.NodeTypeT `json:"type"`
	Correlations []string         `json:"correlations"`
	NegateOpts   *NegateOptsT     `json:"negate_opts"`
	Pos          pqerr.Pos        `json:"pos"`
}

type NodeT

// NodeT is one node of a TreeT: its metadata, a negate index, and its children.
type NodeT struct {
	Metadata NodeMetadataT `json:"metadata"`
	// NOTE(review): the meaning of NegIdx is not visible on this page.
	NegIdx   int           `json:"neg_idx"`
	// Children is []any, so the compiler does not constrain the element type
	// and consumers need a type switch.
	// NOTE(review): presumably nested nodes, matchers or PromQL entries (see
	// IsMatcherNode and IsPromNode); confirm before relying on it.
	Children []any         `json:"children"`
}

func (*NodeT) IsMatcherNode added in v0.0.19

func (node *NodeT) IsMatcherNode() bool

func (*NodeT) IsPromNode added in v0.0.19

func (node *NodeT) IsPromNode() bool

func (*NodeT) WrapError added in v0.0.4

func (n *NodeT) WrapError(err error) error

type ParseApplicationT

// ParseApplicationT describes one application entry of a CRE (see
// ParseCreT.Applications). YAML keys are camelCase, JSON keys are snake_case,
// and every field is optional (omitempty).
//
// NOTE(review): all fields are plain strings and nothing on this page shows
// ImageUrl or RepoUrl being validated as URLs; treat them as untrusted text
// when rendering or dereferencing them.
type ParseApplicationT struct {
	Name          string `yaml:"name,omitempty" json:"name,omitempty"`
	ProcessName   string `yaml:"processName,omitempty" json:"process_name,omitempty"`
	ProcessPath   string `yaml:"processPath,omitempty" json:"process_path,omitempty"`
	ContainerName string `yaml:"containerName,omitempty" json:"container_name,omitempty"`
	ImageUrl      string `yaml:"imageUrl,omitempty" json:"image_url,omitempty"`
	RepoUrl       string `yaml:"repoUrl,omitempty" json:"repo_url,omitempty"`
	Version       string `yaml:"version,omitempty" json:"version,omitempty"`
}

type ParseCreT

// ParseCreT is the "cre" section of a rule: an id, a severity, and descriptive
// text and scores. Every field except Severity is optional (omitempty).
//
// NOTE(review): ErrMissingCreId and ErrInvalidCreId indicate that Id is
// checked somewhere; the accepted form is not visible on this page.
type ParseCreT struct {
	Id              string              `yaml:"id,omitempty" json:"id,omitempty"`
	// Severity has no omitempty, so it is always written, including 0.
	// NOTE(review): a document that leaves the key out would decode to the
	// zero value 0, which equals SeverityCritical, unless the parser rejects
	// it; that check is not visible here. No range check against the Severity*
	// constants is visible either.
	Severity        uint                `yaml:"severity" json:"severity"`
	Title           string              `yaml:"title,omitempty" json:"title,omitempty"`
	Category        string              `yaml:"category,omitempty" json:"category,omitempty"`
	Tags            []string            `yaml:"tags,omitempty" json:"tags,omitempty"`
	Author          string              `yaml:"author,omitempty" json:"author,omitempty"`
	Description     string              `yaml:"description,omitempty" json:"description,omitempty"`
	Impact          string              `yaml:"impact,omitempty" json:"impact,omitempty"`
	ImpactScore     uint                `yaml:"impactScore,omitempty" json:"impact_score,omitempty"`
	Cause           string              `yaml:"cause,omitempty" json:"cause,omitempty"`
	Mitigation      string              `yaml:"mitigation,omitempty" json:"mitigation,omitempty"`
	MitigationScore uint                `yaml:"mitigationScore,omitempty" json:"mitigation_score,omitempty"`
	References      []string            `yaml:"references,omitempty" json:"references,omitempty"`
	Reports         uint                `yaml:"reports,omitempty" json:"reports,omitempty"`
	Applications    []ParseApplicationT `yaml:"applications,omitempty" json:"applications,omitempty"`
}

type ParseEventT

// ParseEventT is the YAML form of an event: a source name and an origin flag.
type ParseEventT struct {
	// NOTE(review): Source has a yaml tag only. If this struct is passed to
	// encoding/json, the key will be "Source" rather than "source"; confirm
	// whether that is intended.
	Source string `yaml:"source"`
	Origin bool   `yaml:"origin,omitempty" json:"origin,omitempty"`
}

type ParseExtractT added in v0.0.17

// ParseExtractT is the YAML form of one extraction. The YAML keys are "jq" and
// "regex", whereas ExtractT uses the JSON keys "jq_value" and "regex_value".
//
// NOTE(review): ErrExtractName indicates that Name is restricted to
// alphanumeric characters and underscores; the check itself is not on this page.
type ParseExtractT struct {
	Name       string `yaml:"name"`
	JqValue    string `yaml:"jq,omitempty"`
	RegexValue string `yaml:"regex,omitempty"`
}

type ParseNegateOptsT

// ParseNegateOptsT is the YAML form of the negate options. Window and Slide
// are strings here, while NegateOptsT holds them as time.Duration.
//
// NOTE(review): the duration syntax accepted for Window and Slide is not
// visible on this page; ErrInvalidWindow suggests the window is validated.
type ParseNegateOptsT struct {
	Window   string `yaml:"window,omitempty"`
	Slide    string `yaml:"slide,omitempty"`
	Anchor   uint32 `yaml:"anchor,omitempty"`
	Absolute bool   `yaml:"absolute,omitempty"`
}

type ParseOptT added in v0.0.11

// ParseOptT is a parse option: a function that receives a pointer to the
// unexported parseOptsT. Read and Parse accept a variadic list of them, and
// WithGenIds returns a function of the same underlying type.
type ParseOptT func(*parseOptsT)

type ParsePromQL added in v0.0.19

// ParsePromQL is the YAML form of a PromQL term: the expression, optional
// "interval" and "for" settings as strings, and an optional event.
type ParsePromQL struct {
	// Expr is PromQL text taken from the rule file.
	// NOTE(review): the package-level PromQLValidator hook returns nil for any
	// input by default, so Expr is presumably unchecked unless a validator has
	// been assigned; confirm where the hook is called.
	Expr     string       `yaml:"expr"`
	// Interval and For are strings here; PromQLT holds them as *time.Duration.
	Interval string       `yaml:"interval,omitempty"`
	For      string       `yaml:"for,omitempty"`
	Event    *ParseEventT `yaml:"event,omitempty"`
}

type ParseRuleDataT

// ParseRuleDataT is the "rule" section of a rule, holding a sequence and/or a
// set. Both are pointers and optional in YAML.
//
// NOTE(review): presumably exactly one of the two is expected; confirm. The
// fields have yaml tags only, so encoding/json would use the keys "Sequence"
// and "Set".
type ParseRuleDataT struct {
	Sequence *ParseSequenceT `yaml:"sequence,omitempty"`
	Set      *ParseSetT      `yaml:"set,omitempty"`
}

type ParseRuleMetadataT

// ParseRuleMetadataT is the "metadata" section of a rule.
type ParseRuleMetadataT struct {
	Name    string `yaml:"name,omitempty" json:"name,omitempty"`
	// NOTE(review): the package's error messages state that the rule id and
	// rule hash must be base58.
	Id      string `yaml:"id,omitempty" json:"id,omitempty"`
	// NOTE(review): presumably related to HashRule / StableHash. The value is
	// stored in the same document as the rule, so whoever can edit the rule
	// can also edit the hash; it should not be read as proof of origin unless
	// it is checked against a separately trusted value. Confirm how it is
	// verified.
	Hash    string `yaml:"hash,omitempty" json:"hash,omitempty"`
	// Gen is written under the key "generation" and has no omitempty, so 0 is
	// always emitted.
	Gen     uint   `yaml:"generation" json:"generation"`
	Kind    string `yaml:"kind,omitempty" json:"kind,omitempty"`
	Version string `yaml:"version,omitempty" json:"version,omitempty"`
}

type ParseRuleT

// ParseRuleT is one rule as written in a rules document: its metadata, its CRE
// description, and the rule body. HashRule and StableHash take a value of this
// type.
type ParseRuleT struct {
	Metadata ParseRuleMetadataT `yaml:"metadata,omitempty" json:"metadata,omitempty"`
	Cre      ParseCreT          `yaml:"cre,omitempty" json:"cre,omitempty"`
	Rule     ParseRuleDataT     `yaml:"rule,omitempty" json:"rule,omitempty"`
}

type ParseSequenceT

// ParseSequenceT is the YAML form of a "sequence": a window, the terms in
// Order, and optional Negate terms, correlations and event.
//
// NOTE(review): ErrMissingOrder ("'sequence' missing 'order'") indicates that
// Order is required even though its tag carries omitempty.
type ParseSequenceT struct {
	// Window is a string and, unlike ParseSetT.Window, has no omitempty.
	Window       string       `yaml:"window"`
	Correlations []string     `yaml:"correlations,omitempty"`
	Event        *ParseEventT `yaml:"event,omitempty"`
	// NOTE(review): Origin exists here and on ParseEventT; how the two relate
	// is not visible on this page.
	Origin       bool         `yaml:"origin,omitempty"`
	Order        []ParseTermT `yaml:"order,omitempty"`
	Negate       []ParseTermT `yaml:"negate,omitempty"`
}

type ParseSetT

// ParseSetT is the YAML form of a "set": an optional window, the terms in
// Match, and optional Negate terms, correlations and event.
//
// NOTE(review): ErrMissingMatch ("'set' missing 'match'") indicates that Match
// is required even though its tag carries omitempty.
type ParseSetT struct {
	Window       string       `yaml:"window,omitempty"`
	Correlations []string     `yaml:"correlations,omitempty"`
	Event        *ParseEventT `yaml:"event,omitempty"`
	Match        []ParseTermT `yaml:"match,omitempty"`
	Negate       []ParseTermT `yaml:"negate,omitempty"`
}

type ParseTermT

// ParseTermT is one term of a rule as written in YAML. A term can carry a
// field with a string, jq or regex value, a nested set or sequence, or a
// PromQL entry.
//
// Decoding goes through the UnmarshalYAML method declared on *ParseTermT, so
// the tags below may not fully describe the accepted input.
//
// NOTE(review): which combinations of these fields are accepted is decided
// outside this declaration; confirm against UnmarshalYAML and the parser.
type ParseTermT struct {
	Field      string            `yaml:"field,omitempty"`
	StrValue   string            `yaml:"value,omitempty"`
	// JqValue and RegexValue hold expressions taken verbatim from the rule
	// file.
	// NOTE(review): how, and with which engine, they are compiled and run is
	// not visible here; rule files deserve the same review as code.
	JqValue    string            `yaml:"jq,omitempty"`
	RegexValue string            `yaml:"regex,omitempty"`
	Count      int               `yaml:"count,omitempty"`
	Set        *ParseSetT        `yaml:"set,omitempty"`
	Sequence   *ParseSequenceT   `yaml:"sequence,omitempty"`
	// NegateOpts is inlined: its keys (window, slide, anchor, absolute) sit
	// directly on the term mapping rather than under a nested key.
	NegateOpts *ParseNegateOptsT `yaml:",inline,omitempty"`
	PromQL     *ParsePromQL      `yaml:"promql,omitempty"`
	Extract    []ParseExtractT   `yaml:"extract,omitempty"`
}

func (*ParseTermT) UnmarshalYAML

func (o *ParseTermT) UnmarshalYAML(unmarshal func(any) error) error

type PromQLT added in v0.0.19

// PromQLT is the JSON form of a PromQL entry. For and Interval are optional
// pointers to time.Duration and are left out of the JSON output when nil;
// ParsePromQL carries the same settings as strings.
type PromQLT struct {
	Expr     string         `json:"expr"`
	For      *time.Duration `json:"for,omitempty"`
	Interval *time.Duration `json:"interval,omitempty"`
}

type RulesT

// RulesT is a whole rules document: the list of rules plus a map of named
// terms. Read and Unmarshal return a *RulesT; ParseRules takes one.
type RulesT struct {
	Rules  []ParseRuleT          `yaml:"rules"`
	// Root and TermsY are tagged yaml:"-", so the YAML decoder does not fill
	// them from document keys.
	// NOTE(review): presumably they hold the raw yaml.Node form of the document
	// and of each named term; confirm.
	Root   *yaml.Node            `yaml:"-"`
	// TermsT is the "terms" mapping. The field shares its name with the TermsT
	// struct type but has a different type, map[string]ParseTermT.
	// NOTE(review): ErrTermsMapping and ErrDuplicateTerm suggest the mapping
	// shape and duplicate names are checked elsewhere.
	TermsT map[string]ParseTermT `yaml:"terms,omitempty"`
	TermsY map[string]*yaml.Node `yaml:"-"`
}

func Read added in v0.0.4

func Read(rdr io.Reader, opts ...ParseOptT) (*RulesT, error)

func Unmarshal added in v0.0.7

func Unmarshal(data []byte) (*RulesT, error)

type TermsT

// TermsT is a list of FieldT values. MatcherT uses it for both its Match and
// its Negate terms.
type TermsT struct {
	Fields []FieldT `json:"fields"`
}

type TreeT

// TreeT is the result type of Parse and ParseRules: a list of node pointers.
type TreeT struct {
	Nodes []*NodeT `json:"nodes"`
}

func Parse

func Parse(data []byte, opts ...ParseOptT) (*TreeT, error)

func ParseRules

func ParseRules(config *RulesT, opts []ParseOptT) (*TreeT, error)
