
remove toMap function #693

Merged: matthyx merged 1 commit into main from feature/remove-to-map on Jan 29, 2026

Conversation

@YakirOren (Contributor) commented Jan 26, 2026

Summary by CodeRabbit

  • Refactor

    • Unified rule evaluation into a single evaluator for all event types and removed legacy per-event map-based evaluation and serialization helpers.
    • Simplified adapters by removing legacy map-construction helpers and pooling utilities.
  • New Features

    • Added runtime registration for per-event converters to customize event transformation.
    • HTTP events now expose an extra http variable in rule evaluations.


coderabbitai (bot) commented Jan 26, 2026

Walkthrough

Renamed the CEL evaluator interface to RuleEvaluator, added runtime per-event converters and centralized CEL evaluation/context execution, removed CEL serialization and adapter map-pool utilities, deleted per-adapter ToMap() methods, and unified rule evaluation in RuleManager.

Changes

Cohort / File(s) / Summary

CEL core & interface
  pkg/rulemanager/cel/cel.go, pkg/rulemanager/cel/cel_interface.go
  Interface renamed CELRuleEvaluator → RuleEvaluator. Added eventConverters map[utils.EventType]func(utils.K8sEvent) utils.K8sEvent, RegisterEventConverter(), createEvalContext() and evaluateProgramWithContext() helpers. Refactored EvaluateRule/EvaluateExpression to use the new flow and runtime type checks.

CEL serialization removed
  pkg/rulemanager/cel/serialize.go
  Removed CelSerializer, CelEventSerializer, and all CEL serialization logic.

RuleManager unification
  pkg/rulemanager/rule_manager.go
  Replaced CELRuleEvaluator usage with RuleEvaluator. Removed per-event/map-based branching and the evaluateRule helper; unified evaluator calls for rule and expression evaluation.

Adapter ToMap removals
  pkg/rulemanager/ruleadapters/adapters/bpf.go, .../capabilities.go, .../dns.go, .../exec.go, .../hardlink.go, .../http.go, .../iouring.go, .../kmod.go, .../network.go, .../open.go, .../ptrace.go, .../randomx.go, .../ssh.go, .../symlink.go, .../syscall.go, .../unshare.go
  Removed ToMap(enrichedEvent *events.EnrichedEvent) map[string]interface{} from all listed adapters, eliminating per-adapter event→map conversion methods.

Pool & adapter interface cleanup
  pkg/rulemanager/ruleadapters/adapters/pool.go, pkg/rulemanager/ruleadapters/rule_event_expansion.go
  Removed mapPool and the public pool APIs (AcquireMap, ReleaseMap, ReleaseEventMap) and removed ToMap() from the EventRuleAdapter interface.

Sequence Diagram(s)

sequenceDiagram
    participant RM as RuleManager
    participant EV as EventConverterRegistry
    participant CEL as RuleEvaluator (CEL)
    participant PR as CompiledProgram

    RM->>RM: receive enriched event
    RM->>EV: lookup converter by eventType
    alt converter registered
        EV-->>RM: converted utils.K8sEvent
    else
        EV-->>RM: original utils.K8sEvent
    end
    RM->>CEL: createEvalContext(event)
    CEL->>PR: compile/reuse program (evaluateProgramWithContext)
    PR-->>CEL: raw result
    CEL-->>RM: typed result (bool/string) or error

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~40 minutes

Poem

🐇 I hopped through code both neat and clever,
Converters guide events now and ever,
Pools and maps tucked out of sight,
One evaluator brings rules to light,
Hooray — I munch on carrots, change feels lighter.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)
  Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)
  Description Check: ✅ Passed. Check skipped; CodeRabbit's high-level summary is enabled.
  Title check: ✅ Passed. The pull request title accurately describes the main objective: removing the ToMap function and related map-based evaluation infrastructure across multiple files and packages.


YakirOren marked this pull request as ready for review on January 28, 2026 12:52
YakirOren force-pushed the feature/remove-to-map branch from d5edce8 to 7fff37e on January 28, 2026 12:55
coderabbitai (bot) left a review comment

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
pkg/rulemanager/cel/cel.go (1)

27-36: Synchronize access to eventConverters map.

The eventConverters field has unsynchronized read and write operations: reads occur in createEvalContext (line 134) and writes in RegisterEventConverter (line 286). Since Go maps are not concurrent-safe and this method is exposed via the public RuleEvaluator interface, add a RWMutex to protect access.

🛠️ Suggested locking
 type CEL struct {
 	env             *cel.Env
 	objectCache     objectcache.ObjectCache
 	programCache    map[string]cel.Program
 	cacheMutex      sync.RWMutex
 	typeMutex       sync.RWMutex
 	evalContextPool sync.Pool
 	ta              xcel.TypeAdapter
 	tp              *xcel.TypeProvider
 	eventConverters map[utils.EventType]func(utils.K8sEvent) utils.K8sEvent
+	eventConvertersMu sync.RWMutex
 }
@@
-	if converter, exists := c.eventConverters[eventType]; exists {
+	c.eventConvertersMu.RLock()
+	converter, exists := c.eventConverters[eventType]
+	c.eventConvertersMu.RUnlock()
+	if exists {
 		obj, _ = xcel.NewObject(converter(event.Event))
 	} else {
 		obj, _ = xcel.NewObject(event.Event.(utils.CelEvent))
 	}
@@
 func (c *CEL) RegisterEventConverter(eventType utils.EventType, converter func(utils.K8sEvent) utils.K8sEvent) {
+	c.eventConvertersMu.Lock()
 	c.eventConverters[eventType] = converter
+	c.eventConvertersMu.Unlock()
 }
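Review bot: in this sketch the converter itself runs outside the lock (`obj, _ = xcel.NewObject(converter(event.Event))` comes after RUnlock), which is the right shape, since converters are caller-supplied and may be slow; two loose ends remain. `RegisterEventConverter` writes into `c.eventConverters` with no nil check, so the constructor must allocate the map or the first registration panics, and a converter registered while events are mid-evaluation only affects later events, which is fine as long as registration happens at startup rather than being driven by runtime input.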

Also applies to: 129-148, 285-286

🤖 Fix all issues with AI agents
In `@pkg/rulemanager/cel/cel.go`:
- Around line 254-283: The registerNestedTypes method can panic when obj is nil
or when the resolved objType is not a struct (NumField on non-struct), so add
early guards: return immediately if obj == nil or reflect.TypeOf(obj) == nil,
and after dereferencing pointers return if objType.Kind() != reflect.Struct;
keep existing pointer deref logic, then iterate fields only when
objType.NumField() is safe. Update the CEL.registerNestedTypes function to
perform these nil and non-struct checks before the for-loop so nestedInstance
creation and xcel.RegisterObject calls remain unchanged.
- Around line 126-150: The function createEvalContext currently does an
unchecked type assertion to utils.CelEvent and can panic; change
createEvalContext to return (map[string]any, error), validate the type assertion
when no converter exists (return a descriptive error if event.Event does not
implement utils.CelEvent), propagate errors from xcel.NewObject, and update all
callers of CEL.createEvalContext to handle the returned error (check and
return/handle the error rather than assuming success); keep the existing
behavior of adding "http" when eventType == utils.HTTPEventType.

In `@pkg/rulemanager/rule_manager.go`:
- Around line 382-396: In getUniqueIdAndMessage, stop overwriting the first
evaluation error: after calling
rm.celEvaluator.EvaluateExpression(enrichedEvent, rule.Expressions.Message)
check err and return immediately (message, "", err) if non-nil; then evaluate
rule.Expressions.UniqueID, check that error and return if non-nil, and only then
call hashStringToMD5(uniqueID) before returning; this ensures message-evaluation
errors are propagated and uniqueID hashing happens only on a successful
evaluation.
🧹 Nitpick comments (1)
pkg/rulemanager/rule_manager.go (1)

215-216: Reuse the filtered ruleExpressions here.
You already computed ruleExpressions on Line 206; passing it avoids redundant filtering.

♻️ Proposed change
-		shouldAlert, err := rm.celEvaluator.EvaluateRule(enrichedEvent, rule.Expressions.RuleExpression)
+		shouldAlert, err := rm.celEvaluator.EvaluateRule(enrichedEvent, ruleExpressions)

Comment thread on pkg/rulemanager/cel/cel.go (outdated), lines +126 to +150:
// createEvalContext creates an evaluation context map from an enriched event
// The context includes the eventType string and the event object wrapped in xcel
// Uses "event" as the variable name, and for HTTP events also adds "http" variable
func (c *CEL) createEvalContext(event *events.EnrichedEvent) map[string]any {
eventType := event.Event.GetEventType()

// Apply event converter if one is registered, otherwise cast to CelEvent
var obj interface{}
if converter, exists := c.eventConverters[eventType]; exists {
obj, _ = xcel.NewObject(converter(event.Event))
} else {
obj, _ = xcel.NewObject(event.Event.(utils.CelEvent))
}

obj, _ := xcel.NewObject(event.Event.(utils.CelEvent)) // FIXME put safety check here
out, _, err := program.Eval(map[string]any{"event": obj, "eventType": string(eventType)})
if err != nil {
return false, err
}
evalContext := map[string]any{
"eventType": string(eventType),
"event": obj,
}

if !out.Value().(bool) {
return false, nil
}
// For HTTP events, also add "http" variable
if eventType == utils.HTTPEventType {
evalContext["http"] = obj
}

return true, nil
return evalContext
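Review bot: the converter branch `obj, _ = xcel.NewObject(converter(event.Event))` hands whatever the converter returns straight to xcel.NewObject, while only the else branch narrows to `utils.CelEvent`; a converter that returns nil or a type the CEL type provider has never seen is therefore not caught on the path that was added specifically to handle awkward event types. Apply the same `celEvt, ok := x.(utils.CelEvent)` check to the converter's output before wrapping it, and let createEvalContext return an error rather than a context map the callers cannot distinguish from success.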

⚠️ Potential issue | 🟠 Major

Add error handling for type assertion to prevent panics on unsupported event types.

Line 137 contains an unchecked type assertion that will panic if an event type doesn't implement utils.CelEvent and no converter is registered. While current implementations (StructEvent and DatasourceEvent) do implement CelEvent, the code has no safeguard against future event types that may not. Change the function signature to return an error and validate the assertion before wrapping:

🛠️ Suggested change (createEvalContext + callers)
-func (c *CEL) createEvalContext(event *events.EnrichedEvent) map[string]any {
+func (c *CEL) createEvalContext(event *events.EnrichedEvent) (map[string]any, error) {
 	eventType := event.Event.GetEventType()

 	// Apply event converter if one is registered, otherwise cast to CelEvent
 	var obj interface{}
 	if converter, exists := c.eventConverters[eventType]; exists {
 		obj, _ = xcel.NewObject(converter(event.Event))
 	} else {
-		obj, _ = xcel.NewObject(event.Event.(utils.CelEvent))
+		celEvt, ok := event.Event.(utils.CelEvent)
+		if !ok {
+			return nil, fmt.Errorf("event type %s does not implement utils.CelEvent and no converter is registered", eventType)
+		}
+		obj, _ = xcel.NewObject(celEvt)
 	}

 	evalContext := map[string]any{
 		"eventType": string(eventType),
 		"event":     obj,
 	}
@@
-	return evalContext
+	return evalContext, nil
 }
@@
-	evalContext := c.createEvalContext(event)
+	evalContext, ctxErr := c.createEvalContext(event)
+	if ctxErr != nil {
+		return false, ctxErr
+	}
@@
-	evalContext := c.createEvalContext(event)
+	evalContext, ctxErr := c.createEvalContext(event)
+	if ctxErr != nil {
+		return "", ctxErr
+	}
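Review bot: the second value discarded in `obj, _ = xcel.NewObject(celEvt)` is a type, not an error (the registerNestedTypes hunk in this same PR binds it as `xcelObj, xcelTyp := xcel.NewObject(nestedInstance)`), so the "propagate errors from xcel.NewObject" step in the agent summary above has nothing to act on; the `ok` check on the assertion is the whole guard. The caller patches are right to return the zero value of each evaluator's result type (`false, ctxErr` for EvaluateRule, `"", ctxErr` for EvaluateExpression), so a rejected event is neither an alert nor an empty message, but the converter branch still accepts `converter(event.Event)` without the same assertion.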
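A compact stand-alone version of the pattern under review in this thread and in the "Synchronize access to eventConverters" comment above, written for this page and not taken from the node-agent project: a rule evaluator with a converter registry behind a sync.RWMutex, a createEvalContext that returns an error instead of panicking when an event is not a CelEvent (checking the converter's output as well as the unconverted event), and a result type check in EvaluateRule. The event types, the `Rule` closure standing in for a compiled CEL program, and the converter are constructed assumptions; cel-go and xcel are not used, so the file runs with the standard library alone.

```go
package main

import (
	"fmt"
	"sync"
)

// Stand-ins for the node-agent types the PR names (utils.EventType, utils.K8sEvent,
// utils.CelEvent); they are assumptions for this example, not the project's code.
type EventType string
const HTTPEventType EventType = "http"
type K8sEvent interface{ GetEventType() EventType }

// CelEvent is the narrower interface rule expressions are evaluated against.
type CelEvent interface {
	K8sEvent
	GetComm() string
}

// RawHTTPEvent deliberately does not implement CelEvent: without a converter the
// PR's unchecked event.Event.(utils.CelEvent) would panic on it.
type RawHTTPEvent struct{ Method, Path string }
func (e *RawHTTPEvent) GetEventType() EventType { return HTTPEventType }

// HTTPCelEvent is what a converter turns a RawHTTPEvent into.
type HTTPCelEvent struct{ Method, Path string }
func (e *HTTPCelEvent) GetEventType() EventType { return HTTPEventType }
func (e *HTTPCelEvent) GetComm() string          { return e.Method + " " + e.Path }

// Rule stands in for a compiled CEL program: a function over the eval context.
type Rule func(ctx map[string]any) (any, error)

type Evaluator struct {
	convMu     sync.RWMutex // RegisterEventConverter is public, so it can race with evaluation
	converters map[EventType]func(K8sEvent) K8sEvent
}

func NewEvaluator() *Evaluator {
	return &Evaluator{converters: map[EventType]func(K8sEvent) K8sEvent{}}
}

func (ev *Evaluator) RegisterEventConverter(t EventType, f func(K8sEvent) K8sEvent) {
	ev.convMu.Lock()
	defer ev.convMu.Unlock()
	ev.converters[t] = f
}

// createEvalContext reads the converter map under a read lock and rejects a
// non-CelEvent from either branch with an error instead of a panic.
func (ev *Evaluator) createEvalContext(event K8sEvent) (map[string]any, error) {
	if event == nil {
		return nil, fmt.Errorf("nil event")
	}
	eventType := event.GetEventType()
	ev.convMu.RLock()
	converter, exists := ev.converters[eventType]
	ev.convMu.RUnlock()
	obj := event
	if exists {
		obj = converter(event) // runs outside the lock; converters are caller-supplied
	}
	celEvt, ok := obj.(CelEvent)
	if !ok {
		return nil, fmt.Errorf("event type %q (%T) does not implement CelEvent and no converter produced one", eventType, obj)
	}
	ctx := map[string]any{"eventType": string(eventType), "event": celEvt}
	if eventType == HTTPEventType {
		ctx["http"] = celEvt // the extra alias HTTP rules use
	}
	return ctx, nil
}

// EvaluateRule type-checks the rule's result rather than asserting on it.
func (ev *Evaluator) EvaluateRule(event K8sEvent, rule Rule) (bool, error) {
	ctx, err := ev.createEvalContext(event)
	if err != nil {
		return false, err
	}
	out, err := rule(ctx)
	if err != nil {
		return false, err
	}
	if b, ok := out.(bool); ok {
		return b, nil
	}
	return false, fmt.Errorf("rule returned %T, want bool", out)
}

func main() {
	ev := NewEvaluator()
	ev.RegisterEventConverter(HTTPEventType, func(e K8sEvent) K8sEvent {
		if r, ok := e.(*RawHTTPEvent); ok {
			return &HTTPCelEvent{Method: r.Method, Path: r.Path}
		}
		return e // unknown shape: createEvalContext rejects it instead of panicking
	})
	hitsAdmin := func(ctx map[string]any) (any, error) { return ctx["http"].(CelEvent).GetComm() == "GET /admin", nil }
	fmt.Println(ev.EvaluateRule(&RawHTTPEvent{Method: "GET", Path: "/admin"}, hitsAdmin))
}
```

With the converter registered, the RawHTTPEvent is converted and the rule sees both `event` and `http`; on a fresh evaluator the same event produces an error instead of the panic the unchecked assertion in the PR would hit, and a rule returning a non-bool is reported as an error rather than asserted on.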

Comment thread on pkg/rulemanager/cel/cel.go (outdated), lines +254 to +283:
// registerNestedTypes registers nested pointer types found in the given object
// This ensures that CEL can properly resolve nested types in expressions
func (c *CEL) registerNestedTypes(obj interface{}) {
objType := reflect.TypeOf(obj)
if objType.Kind() == reflect.Ptr {
objType = objType.Elem()
}

// Iterate through all fields of the struct
for i := 0; i < objType.NumField(); i++ {
field := objType.Field(i)
fieldType := field.Type

// Check if field is a pointer to a custom type
if fieldType.Kind() == reflect.Ptr {
elemType := fieldType.Elem()

// Skip built-in types (net.Header, etc.) - only register custom structs
if elemType.Kind() == reflect.Struct && elemType.PkgPath() != "" {
// Create a zero instance of the nested type
nestedInstance := reflect.New(elemType).Interface()

// Register the nested type
xcelObj, xcelTyp := xcel.NewObject(nestedInstance)
fields := xcel.NewFields(xcelObj)
xcel.RegisterObject(c.ta, c.tp, xcelObj, xcelTyp, fields)
}
}
}
}
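Review bot: the loop at `for i := 0; i < objType.NumField(); i++` only looks one level down and only through pointer fields, so a `*T` nested inside a registered `*T`, a struct held by value, or a `[]*T` slice is never registered and a rule touching such a field fails at type resolution; if that one-level contract is intended, state it in the doc comment, otherwise recurse with a visited set keyed on reflect.Type. The `elemType.PkgPath() != ""` test also does not do what the comment says: it excludes only unnamed types like `*struct{...}`, while a standard-library struct such as sync.Mutex has a non-empty PkgPath and is registered, and each call re-registers the same types unless xcel.RegisterObject deduplicates. Finally, `objType.NumField()` panics when obj is nil (reflect.TypeOf returns nil) or when the dereferenced kind is not a struct.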

⚠️ Potential issue | 🟠 Major

Add nil and non-struct guards in registerNestedTypes.
Passing nil or a non-struct value will panic at NumField(). Add early returns to handle these cases.

🛠️ Proposed guard
 func (c *CEL) registerNestedTypes(obj interface{}) {
 	objType := reflect.TypeOf(obj)
+	if objType == nil {
+		return
+	}
 	if objType.Kind() == reflect.Ptr {
 		objType = objType.Elem()
 	}
+	if objType.Kind() != reflect.Struct {
+		return
+	}

Comment on lines 382 to +396
func (rm *RuleManager) getUniqueIdAndMessage(enrichedEvent *events.EnrichedEvent, rule typesv1.Rule) (string, string, error) {
// Special event types are evaluated by map because we're doing parsing optimizations
// TODO: Manage special event types in a better way
eventType := enrichedEvent.Event.GetEventType()
if eventType == utils.HTTPEventType {
eventAdapter, ok := rm.adapterFactory.GetAdapter(eventType)
if !ok {
logger.L().Error("RuleManager - no adapter registered for event type", helpers.String("eventType", string(eventType)))
return "", "", nil
}
eventMap := eventAdapter.ToMap(enrichedEvent)
defer adapters.ReleaseEventMap(eventMap)

message, err := rm.celEvaluator.EvaluateExpressionByMap(eventMap, rule.Expressions.Message, eventType)
if err != nil {
logger.L().Error("RuleManager - failed to evaluate message", helpers.Error(err))
}
uniqueID, err := rm.celEvaluator.EvaluateExpressionByMap(eventMap, rule.Expressions.UniqueID, eventType)
if err != nil {
logger.L().Error("RuleManager - failed to evaluate unique ID", helpers.Error(err))
}
uniqueID = hashStringToMD5(uniqueID)
return message, uniqueID, err
} else {
message, err := rm.celEvaluator.EvaluateExpression(enrichedEvent, rule.Expressions.Message)
if err != nil {
logger.L().Error("RuleManager - failed to evaluate message", helpers.Error(err))
}
uniqueID, err := rm.celEvaluator.EvaluateExpression(enrichedEvent, rule.Expressions.UniqueID)
if err != nil {
logger.L().Error("RuleManager - failed to evaluate unique ID", helpers.Error(err))
}
// All event types now use the unified EvaluateExpression path
// HTTP events are handled in the CEL evaluator with type-safe access
message, err := rm.celEvaluator.EvaluateExpression(enrichedEvent, rule.Expressions.Message)
if err != nil {
logger.L().Error("RuleManager - failed to evaluate message", helpers.Error(err))
}
uniqueID, err := rm.celEvaluator.EvaluateExpression(enrichedEvent, rule.Expressions.UniqueID)
if err != nil {
logger.L().Error("RuleManager - failed to evaluate unique ID", helpers.Error(err))
}

uniqueID = hashStringToMD5(uniqueID)
uniqueID = hashStringToMD5(uniqueID)

return message, uniqueID, err
}
return message, uniqueID, err
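Review bot: in the new unified path the `err` from evaluating `rule.Expressions.Message` is lost when `uniqueID, err := rm.celEvaluator.EvaluateExpression(...)` reassigns it, so a failed message expression comes back as an empty message with a nil error, and `uniqueID = hashStringToMD5(uniqueID)` still runs when the UniqueID evaluation failed, so every event hitting that failure hashes whatever EvaluateExpression returned on error (the empty string, if that is its contract) and collapses onto a single ID. Return on the first error and hash only after both evaluations succeed, for example `if err != nil { return "", "", err }` after each call. The removed HTTP branch's `return "", "", nil` when no adapter was registered had the same swallowed-error shape, so this refactor is the moment to fix it for every event type.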

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# First, let's look at the actual implementation of the function
cat -n pkg/rulemanager/rule_manager.go | sed -n '382,396p'

Repository: kubescape/node-agent

Length of output: 897


🏁 Script executed:

# Let's get more context around this function to understand its full scope
cat -n pkg/rulemanager/rule_manager.go | sed -n '375,410p'

Repository: kubescape/node-agent

Length of output: 1532


🏁 Script executed:

# Search for callers of getUniqueIdAndMessage to understand how errors are handled
rg "getUniqueIdAndMessage" --type go -A 3 -B 3

Repository: kubescape/node-agent

Length of output: 1210


🏁 Script executed:

# Look for tests related to this function
rg "getUniqueIdAndMessage\|TestGetUniqueIdAndMessage" --type go

Repository: kubescape/node-agent

Length of output: 46


Don't overwrite message-evaluation errors.
err is overwritten by the uniqueID evaluation, so a failed message expression can yield an empty message with a nil error. The function should return on the first error instead.

🛠️ Proposed fix
-	message, err := rm.celEvaluator.EvaluateExpression(enrichedEvent, rule.Expressions.Message)
-	if err != nil {
-		logger.L().Error("RuleManager - failed to evaluate message", helpers.Error(err))
-	}
-	uniqueID, err := rm.celEvaluator.EvaluateExpression(enrichedEvent, rule.Expressions.UniqueID)
-	if err != nil {
-		logger.L().Error("RuleManager - failed to evaluate unique ID", helpers.Error(err))
-	}
-
-	uniqueID = hashStringToMD5(uniqueID)
-
-	return message, uniqueID, err
+	message, msgErr := rm.celEvaluator.EvaluateExpression(enrichedEvent, rule.Expressions.Message)
+	if msgErr != nil {
+		logger.L().Error("RuleManager - failed to evaluate message", helpers.Error(msgErr))
+		return "", "", msgErr
+	}
+	uniqueID, idErr := rm.celEvaluator.EvaluateExpression(enrichedEvent, rule.Expressions.UniqueID)
+	if idErr != nil {
+		logger.L().Error("RuleManager - failed to evaluate unique ID", helpers.Error(idErr))
+		return "", "", idErr
+	}
+
+	uniqueID = hashStringToMD5(uniqueID)
+
+	return message, uniqueID, nil
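Review bot: the second early return `return "", "", idErr` throws away `message`, which was evaluated successfully one statement earlier, while the AI-agent prompt for this same finding proposes returning `(message, "", err)`; pick one contract and keep the two consistent. If the caller logs the message alongside the error, returning it is the more useful choice.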
📝 Committable suggestion

Suggested change
func (rm *RuleManager) getUniqueIdAndMessage(enrichedEvent *events.EnrichedEvent, rule typesv1.Rule) (string, string, error) {
	// All event types now use the unified EvaluateExpression path
	// HTTP events are handled in the CEL evaluator with type-safe access
	message, msgErr := rm.celEvaluator.EvaluateExpression(enrichedEvent, rule.Expressions.Message)
	if msgErr != nil {
		logger.L().Error("RuleManager - failed to evaluate message", helpers.Error(msgErr))
		return "", "", msgErr
	}
	uniqueID, idErr := rm.celEvaluator.EvaluateExpression(enrichedEvent, rule.Expressions.UniqueID)
	if idErr != nil {
		logger.L().Error("RuleManager - failed to evaluate unique ID", helpers.Error(idErr))
		return "", "", idErr
	}
	uniqueID = hashStringToMD5(uniqueID)
	return message, uniqueID, nil
}
🤖 Prompt for AI Agents
In `@pkg/rulemanager/rule_manager.go` around lines 382 - 396, In
getUniqueIdAndMessage, stop overwriting the first evaluation error: after
calling rm.celEvaluator.EvaluateExpression(enrichedEvent,
rule.Expressions.Message) check err and return immediately (message, "", err) if
non-nil; then evaluate rule.Expressions.UniqueID, check that error and return if
non-nil, and only then call hashStringToMD5(uniqueID) before returning; this
ensures message-evaluation errors are propagated and uniqueID hashing happens
only on a successful evaluation.

@YakirOren YakirOren force-pushed the feature/remove-to-map branch from 7fff37e to 23b8d53 Compare January 28, 2026 13:15
@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@pkg/rulemanager/cel/cel.go`:
- Around line 239-241: The RegisterEventConverter method writes to the
CEL.eventConverters map without synchronization while createEvalContext reads it
concurrently, causing a data race; add a sync.RWMutex field (e.g.,
eventConvertersMu) to the CEL struct and use eventConvertersMu.Lock()/Unlock()
in RegisterEventConverter and eventConvertersMu.RLock()/RUnlock() around reads
in createEvalContext to protect access, or alternatively enforce that
RegisterEventConverter is only called during initialization before NewCEL
returns.
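One way to close the data race the bot flags, as an added example that is not part of this PR or of the node-agent code base: a converter registry whose map is guarded by a sync.RWMutex, with a read-side lookup on the evaluation hot path and a write-side RegisterEventConverter. EventType, K8sEvent, httpEvent and parseHTTP are hypothetical stand-ins for the project's utils.EventType, utils.K8sEvent and the converter it registers; xcel and cel-go are left out so the block runs with the standard library alone, and the sample event is constructed.

```go
package main

import (
	"sync"
	"sync/atomic"
)

// EventType and K8sEvent are hypothetical stand-ins for utils.EventType and
// utils.K8sEvent in kubescape/node-agent, not the project's own types.
type EventType string

const HTTPEventType EventType = "http"

type K8sEvent interface{ GetEventType() EventType }

// EventConverter rewrites a raw event into the shape a rule evaluates against.
type EventConverter func(K8sEvent) K8sEvent

// ConverterRegistry guards the per-event-type converter map with a RWMutex so a
// RegisterEventConverter write can never race a Convert read on the hot path.
type ConverterRegistry struct {
	mu         sync.RWMutex
	converters map[EventType]EventConverter
}

func NewConverterRegistry() *ConverterRegistry {
	return &ConverterRegistry{converters: make(map[EventType]EventConverter)}
}

// RegisterEventConverter installs (or replaces) the converter for eventType.
func (r *ConverterRegistry) RegisterEventConverter(eventType EventType, conv EventConverter) {
	r.mu.Lock()
	defer r.mu.Unlock()
	r.converters[eventType] = conv
}

// Convert applies the converter for ev's type, or returns ev unchanged with
// ok == false. The read lock is released before the converter runs, so a slow
// converter never stalls writers or other readers.
func (r *ConverterRegistry) Convert(ev K8sEvent) (out K8sEvent, ok bool) {
	if ev == nil {
		return nil, false
	}
	r.mu.RLock()
	conv, found := r.converters[ev.GetEventType()]
	r.mu.RUnlock()
	if !found || conv == nil {
		return ev, false
	}
	return conv(ev), true
}

// httpEvent is a constructed sample event: Headers is the raw form, Host is
// the parsed field a rule would read through the "http" variable.
type httpEvent struct {
	Method, Path, Host string
	Headers            map[string]string
}

func (httpEvent) GetEventType() EventType { return HTTPEventType }

// parseHTTP is the converter for HTTP events; an unexpected concrete type
// passes through instead of panicking on a failed type assertion.
func parseHTTP(ev K8sEvent) K8sEvent {
	raw, isHTTP := ev.(httpEvent)
	if !isHTTP {
		return ev
	}
	raw.Host = raw.Headers["Host"]
	return raw
}

// ConcurrentDemo runs n readers calling Convert while n writers concurrently
// re-register the converter, which is exactly the interleaving the unguarded
// map would race on. It returns how many reads observed a converted event.
func ConcurrentDemo(n int) int {
	reg := NewConverterRegistry()
	reg.RegisterEventConverter(HTTPEventType, parseHTTP)
	ev := httpEvent{Method: "GET", Path: "/admin", Headers: map[string]string{"Host": "example.internal"}}
	var wg sync.WaitGroup
	var converted atomic.Int64
	for i := 0; i < n; i++ {
		wg.Add(2)
		go func() { defer wg.Done(); reg.RegisterEventConverter(HTTPEventType, parseHTTP) }()
		go func() {
			defer wg.Done()
			if out, ok := reg.Convert(ev); ok && out.(httpEvent).Host == "example.internal" {
				converted.Add(1)
			}
		}()
	}
	wg.Wait()
	return int(converted.Load())
}
```

The other option the comment offers, registration only during initialization, can be enforced under the same write lock with a frozen flag that makes later RegisterEventConverter calls fail; either approach is sound, but the unguarded map is not, and `go test -race` against a demo shaped like ConcurrentDemo reports the race before it ships to a node.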

Comment thread pkg/rulemanager/cel/cel.go
@YakirOren YakirOren force-pushed the feature/remove-to-map branch 2 times, most recently from 3180547 to c2743f0 Compare January 28, 2026 14:08
Contributor

@matthyx matthyx left a comment

2 questions and remove the evalContextPool (maybe I missed other fields you can remove, it would be cool to check)

Comment thread pkg/rulemanager/cel/cel.go Outdated
@@ -31,19 +32,18 @@ type CEL struct {
evalContextPool sync.Pool
Contributor
I think you can remove this now

Contributor Author
removed

// Apply event converter if one is registered, otherwise cast to CelEvent
var obj interface{}
if converter, exists := c.eventConverters[eventType]; exists {
obj, _ = xcel.NewObject(converter(event.Event))
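Review bot: `c.eventConverters[eventType]` is read here without a lock while `RegisterEventConverter` writes the same map, which is the data race raised in the previous round; either take a read lock around this lookup (with the matching write lock in `RegisterEventConverter`) or document that every converter must be registered before the first evaluation. Separately, `obj, _ = xcel.NewObject(converter(event.Event))` discards the type value that `registerNestedTypes` hands to `xcel.RegisterObject`, so confirm the converted type is registered with the type provider at startup, otherwise expressions over the converted shape may fail type resolution.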
Contributor
so this is the magic?

Comment thread pkg/rulemanager/cel/cel.go
Signed-off-by: Yakir Oren <yakiroren@gmail.com>
@YakirOren YakirOren force-pushed the feature/remove-to-map branch from c2743f0 to a940649 Compare January 29, 2026 08:19
@matthyx matthyx added the release Create release label Jan 29, 2026
@matthyx matthyx merged commit 7319b1f into main Jan 29, 2026
27 checks passed
@matthyx matthyx deleted the feature/remove-to-map branch January 29, 2026 09:15
Darkflame72 pushed a commit to Darkflame72/home-ops that referenced this pull request Feb 10, 2026
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [kubescape-operator](https://kubescape.io/) ([source](https://github.com/kubescape/helm-charts)) | patch | `1.30.2` → `1.30.3` |

---

### Release Notes

<details>
<summary>kubescape/helm-charts (kubescape-operator)</summary>

###
[`v1.30.3`](https://github.com/kubescape/helm-charts/releases/tag/kubescape-operator-1.30.3)

[Compare
Source](https://github.com/kubescape/helm-charts/compare/kubescape-operator-1.30.2...kubescape-operator-1.30.3)

Kubescape is an E2E Kubernetes cluster security platform

#### What's Changed

- chore: adding the ability to adjust the source of busybox by
[@drew-viles](https://github.com/drew-viles) in
[#784](https://github.com/kubescape/helm-charts/pull/784)
- add k8s context tag by
[@YakirOren](https://github.com/YakirOren) in
[#785](https://github.com/kubescape/helm-charts/pull/785)
- run system tests from private repo by
[@bvolovat](https://github.com/bvolovat) in
[#786](https://github.com/kubescape/helm-charts/pull/786)
- add stream logs and wait for tests finish by
[@bvolovat](https://github.com/bvolovat) in
[#787](https://github.com/kubescape/helm-charts/pull/787)
- fix attempt by
[@bvolovat](https://github.com/bvolovat) in
[#788](https://github.com/kubescape/helm-charts/pull/788)
- Update 02-e2e-test.yaml by
[@armobot](https://github.com/armobot) in
[#789](https://github.com/kubescape/helm-charts/pull/789)
- Run test from private repo by
[@bvolovat](https://github.com/bvolovat) in
[#791](https://github.com/kubescape/helm-charts/pull/791)
- add workflow\_call by
[@bvolovat](https://github.com/bvolovat) in
[#792](https://github.com/kubescape/helm-charts/pull/792)
- add startup probe by
[@YakirOren](https://github.com/YakirOren) in
[#793](https://github.com/kubescape/helm-charts/pull/793)
- <kubescape/kubescape@v3.0.47...v3.0.48>
- Fix typos in documentation by
[@oglok](https://github.com/oglok) in
[kubescape/kubescape#1913](https://github.com/kubescape/kubescape/pull/1913)
- fix: Kustomize directory analysis not working by
[@majiayu000](https://github.com/majiayu000) in
[kubescape/kubescape#1914](https://github.com/kubescape/kubescape/pull/1914)
- feat: Define labels to copy from workloads to reports by
[@majiayu000](https://github.com/majiayu000) in
[kubescape/kubescape#1915](https://github.com/kubescape/kubescape/pull/1915)
- Add SkipPersistence flag to MetricsQueryParams in metrics endpoint by
[@BroderPeters](https://github.com/BroderPeters) in
[kubescape/kubescape#1917](https://github.com/kubescape/kubescape/pull/1917)
- ci: update scorecard action version by
[@AndrewCharlesHay](https://github.com/AndrewCharlesHay)
in
[kubescape/kubescape#1918](https://github.com/kubescape/kubescape/pull/1918)
- update test lists by
[@amirmalka](https://github.com/amirmalka) in
[kubescape/kubescape#1919](https://github.com/kubescape/kubescape/pull/1919)
- build(deps): Bump github.com/sigstore/cosign/v3 from
3.0.3-0.20251208232815-901b44d65952 to 3.0.4 by
[@dependabot](https://github.com/dependabot)\[bot] in
[kubescape/kubescape#1920](https://github.com/kubescape/kubescape/pull/1920)
- Update build number retrieval and permissions in workflow by
[@matthyx](https://github.com/matthyx) in
[kubescape/kubescape#1921](https://github.com/kubescape/kubescape/pull/1921)
- Fix workload scan to include allcontrols framework by
[@Copilot](https://github.com/Copilot) in
[kubescape/kubescape#1922](https://github.com/kubescape/kubescape/pull/1922)
- build(deps): Bump github.com/sigstore/fulcio from 1.8.4 to 1.8.5 by
[@dependabot](https://github.com/dependabot)\[bot] in
[kubescape/kubescape#1923](https://github.com/kubescape/kubescape/pull/1923)
- Fix panic on unsafe interface{} to string type assertions by
[@Copilot](https://github.com/Copilot) in
[kubescape/kubescape#1926](https://github.com/kubescape/kubescape/pull/1926)
- build(deps): Bump github.com/theupdateframework/go-tuf/v2 from 2.3.0
to 2.3.1 by
[@dependabot](https://github.com/dependabot)\[bot] in
[kubescape/kubescape#1927](https://github.com/kubescape/kubescape/pull/1927)
- build(deps): Bump github.com/sigstore/rekor from 1.4.3 to 1.5.0 by
[@dependabot](https://github.com/dependabot)\[bot] in
[kubescape/kubescape#1928](https://github.com/kubescape/kubescape/pull/1928)
- <kubescape/operator@v0.2.121...v0.2.126>
- bump version by
[@jnathangreeg](https://github.com/jnathangreeg) in
[kubescape/operator#349](https://github.com/kubescape/operator/pull/349)
- Fix comment typo in checkECRRegistry function to clarify \_catalog
end… by [@jnathangreeg](https://github.com/jnathangreeg)
in
[kubescape/operator#351](https://github.com/kubescape/operator/pull/351)
- add permissions by
[@bvolovat](https://github.com/bvolovat) in
[kubescape/operator#352](https://github.com/kubescape/operator/pull/352)
- bump github.com/armosec/armoapi-go v0.0.673 by
[@matthyx](https://github.com/matthyx) in
[kubescape/operator#353](https://github.com/kubescape/operator/pull/353)
- bump github.com/kubescape/go-logger v0.0.26 by
[@matthyx](https://github.com/matthyx) in
[kubescape/operator#354](https://github.com/kubescape/operator/pull/354)
- bump github.com/goradd/maps v1.3.0 by
[@matthyx](https://github.com/matthyx) in
[kubescape/operator#355](https://github.com/kubescape/operator/pull/355)
- <kubescape/kubevuln@v0.3.98...v0.3.104>
- replace debian 12 with debian 13 when building container images by
[@pfarikrispy](https://github.com/pfarikrispy) in
[kubescape/kubevuln#317](https://github.com/kubescape/kubevuln/pull/317)
- Add comprehensive documentation and governance by
[@matthyx](https://github.com/matthyx) in
[kubescape/kubevuln#318](https://github.com/kubescape/kubevuln/pull/318)
- Bump github.com/cilium/cilium from 1.16.9 to 1.16.17 by
[@dependabot](https://github.com/dependabot)\[bot] in
[kubescape/kubevuln#319](https://github.com/kubescape/kubevuln/pull/319)
- Add timeout to Grype DB update with graceful fallback to prevent
indefinite readiness probe failures by
[@Copilot](https://github.com/Copilot) in
[kubescape/kubevuln#320](https://github.com/kubescape/kubevuln/pull/320)
- Prevent DB update cancellation on readiness probe by
[@matthyx](https://github.com/matthyx) in
[kubescape/kubevuln#321](https://github.com/kubescape/kubevuln/pull/321)
- <kubescape/storage@v0.0.237...v0.0.239>
- feat: handle large object storage by clearing spec and updating
annotations by [@matthyx](https://github.com/matthyx) in
[kubescape/storage#279](https://github.com/kubescape/storage/pull/279)
- bump k8s version to v0.35.0 by
[@matthyx](https://github.com/matthyx) in
[kubescape/storage#280](https://github.com/kubescape/storage/pull/280)
- <kubescape/node-agent@v0.3.11...v0.3.36>
- feat: propagate IsTriggerAlert field from rules to runtime alerts by
[@slashben](https://github.com/slashben) in
[kubescape/node-agent#686](https://github.com/kubescape/node-agent/pull/686)
- Generating release by
[@slashben](https://github.com/slashben) in
[kubescape/node-agent#688](https://github.com/kubescape/node-agent/pull/688)
- Feature/rule engine redesign by
[@YakirOren](https://github.com/YakirOren) in
[kubescape/node-agent#685](https://github.com/kubescape/node-agent/pull/685)
- refactor: update cloud metadata types to use armotypes package by
[@matthyx](https://github.com/matthyx) in
[kubescape/node-agent#689](https://github.com/kubescape/node-agent/pull/689)
- Replace host sensor with node agent sensing by
[@Bezbran](https://github.com/Bezbran) in
[kubescape/node-agent#681](https://github.com/kubescape/node-agent/pull/681)
- use k8s-interface by
[@Bezbran](https://github.com/Bezbran) in
[kubescape/node-agent#691](https://github.com/kubescape/node-agent/pull/691)
- optimize header parsing and add early return in ruleAppliesToContext
by [@YakirOren](https://github.com/YakirOren) in
[kubescape/node-agent#692](https://github.com/kubescape/node-agent/pull/692)
- improve field accessor retrieval with nil checks and type assertions
by [@matthyx](https://github.com/matthyx) in
[kubescape/node-agent#694](https://github.com/kubescape/node-agent/pull/694)
- Bump github.com/sigstore/sigstore from 1.9.5 to 1.10.4 by
[@dependabot](https://github.com/dependabot)\[bot] in
[kubescape/node-agent#696](https://github.com/kubescape/node-agent/pull/696)
- Add Azure ResourceGroup enrichment to CloudMetadata by
[@slashben](https://github.com/slashben) in
[kubescape/node-agent#697](https://github.com/kubescape/node-agent/pull/697)
- Add unit tests for Azure ResourceGroup parsing by
[@slashben](https://github.com/slashben) in
[kubescape/node-agent#698](https://github.com/kubescape/node-agent/pull/698)
- remove toMap function by
[@YakirOren](https://github.com/YakirOren) in
[kubescape/node-agent#693](https://github.com/kubescape/node-agent/pull/693)
- run system test from private repo by
[@bvolovat](https://github.com/bvolovat) in
[kubescape/node-agent#700](https://github.com/kubescape/node-agent/pull/700)
- bump: update golang-set dependency to v2.8.0 by
[@matthyx](https://github.com/matthyx) in
[kubescape/node-agent#701](https://github.com/kubescape/node-agent/pull/701)
- bump: update armoapi-go dependency to v0.0.671 by
[@matthyx](https://github.com/matthyx) in
[kubescape/node-agent#702](https://github.com/kubescape/node-agent/pull/702)
- update the tests\_groups by
[@bvolovat](https://github.com/bvolovat) in
[kubescape/node-agent#703](https://github.com/kubescape/node-agent/pull/703)
- bump: update dependencies for backend, storage, and OpenAPI packages
by [@matthyx](https://github.com/matthyx) in
[kubescape/node-agent#704](https://github.com/kubescape/node-agent/pull/704)
- update chart repo by
[@bvolovat](https://github.com/bvolovat) in
[kubescape/node-agent#705](https://github.com/kubescape/node-agent/pull/705)
- bump: update cel-go dependency to v0.26.1 by
[@matthyx](https://github.com/matthyx) in
[kubescape/node-agent#706](https://github.com/kubescape/node-agent/pull/706)
- Implement ClusterUID enrichment for runtime alerts by
[@slashben](https://github.com/slashben) in
[kubescape/node-agent#708](https://github.com/kubescape/node-agent/pull/708)
- fix a bug where failed expressions would recompile on every event by
[@YakirOren](https://github.com/YakirOren) in
[kubescape/node-agent#690](https://github.com/kubescape/node-agent/pull/690)
- fix container watcher error propagation by
[@YakirOren](https://github.com/YakirOren) in
[kubescape/node-agent#709](https://github.com/kubescape/node-agent/pull/709)
- add permissions by
[@bvolovat](https://github.com/bvolovat) in
[kubescape/node-agent#710](https://github.com/kubescape/node-agent/pull/710)
- upgrade to IG v0.48.1 by
[@matthyx](https://github.com/matthyx) in
[kubescape/node-agent#695](https://github.com/kubescape/node-agent/pull/695)
-
<kubescape/synchronizer@v0.0.127...v0.0.128>
- perf: optimize memory usage by avoiding string-to-byte conversions by
[@amirmalka](https://github.com/amirmalka) in
[kubescape/synchronizer#135](https://github.com/kubescape/synchronizer/pull/135)

#### New Contributors

- [@drew-viles](https://github.com/drew-viles) made
their first contribution in
[#784](https://github.com/kubescape/helm-charts/pull/784)
- [@YakirOren](https://github.com/YakirOren) made their
first contribution in
[#785](https://github.com/kubescape/helm-charts/pull/785)
- [@armobot](https://github.com/armobot) made their
first contribution in
[#789](https://github.com/kubescape/helm-charts/pull/789)
- [@pfarikrispy](https://github.com/pfarikrispy) made
their first contribution in
[kubescape/kubevuln#317](https://github.com/kubescape/kubevuln/pull/317)
- [@bvolovat](https://github.com/bvolovat) made their
first contribution in
[kubescape/operator#352](https://github.com/kubescape/operator/pull/352)
- [@oglok](https://github.com/oglok) made their first
contribution in
[kubescape/kubescape#1913](https://github.com/kubescape/kubescape/pull/1913)
- [@majiayu000](https://github.com/majiayu000) made
their first contribution in
[kubescape/kubescape#1914](https://github.com/kubescape/kubescape/pull/1914)
- [@BroderPeters](https://github.com/BroderPeters) made
their first contribution in
[kubescape/kubescape#1917](https://github.com/kubescape/kubescape/pull/1917)
-
[@AndrewCharlesHay](https://github.com/AndrewCharlesHay)
made their first contribution in
[kubescape/kubescape#1918](https://github.com/kubescape/kubescape/pull/1918)
- [@Bezbran](https://github.com/Bezbran) made their
first contribution in
[kubescape/node-agent#681](https://github.com/kubescape/node-agent/pull/681)
- [@bvolovat](https://github.com/bvolovat) made their
first contribution in
[kubescape/node-agent#700](https://github.com/kubescape/node-agent/pull/700)

**Full Changelog**:
<kubescape/helm-charts@kubescape-operator-1.30.2...kubescape-operator-1.30.3>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/Darkflame72/home-ops).


Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Labels

release Create release

2 participants