Feature/ecs alerts #699

Merged: jnathangreeg merged 1 commit into panic from feature/ecs-alerts on Jan 27, 2026

@jnathangreeg jnathangreeg commented Jan 27, 2026

Overview

Summary by CodeRabbit

  • New Features

    • Added ECS runtime/context accessors to event objects for richer ECS metadata.
  • Bug Fixes

    • Improved event data handling and consistency across tracers (reduces pooled-data issues).
  • Chores

    • Version bumped to v0.48.0.
    • Migrated gadget images to the updated registry.
    • Updated project dependencies.

coderabbitai Bot commented Jan 27, 2026

Caution

Review failed

Failed to post review comments

Walkthrough

Bumps gadget VERSION to v0.48.0, switches gadget image references from quay.io to ghcr.io, refactors tracer event data to use source.DeepCopy(...) instead of pooled items, removes internal data pooling, adds ECS accessor methods on DatasourceEvent/EnrichEvent, and applies broad dependency updates in go.mod.

Changes

| Cohort / File(s) | Change Summary |
|---|---|
| Makefile Configuration: Makefile | Bumped VERSION to v0.48.0, updated GADGETS list to advise_seccomp trace_capabilities trace_dns trace_exec trace_open, and switched image export/pull paths from quay.io/matthiasb_1/gadgets to ghcr.io/inspektor-gadget/gadget. |
| Go Module Dependencies: go.mod | Large set of dependency bumps across Kubernetes, containerd, OpenTelemetry, gRPC, sigstore, procfs, and others; updated replace for inspektor-gadget. |
| Data Pooling Core: pkg/utils/datasource_event.go | Removed dataPools and GetPooledDataItem; DatasourceEvent.Release() now delegates to e.Datasource.Release(e.Data); added ECS accessor methods on DatasourceEvent. |
| EnrichEvent / StructEvent ECS API: pkg/utils/events.go, pkg/utils/struct_event.go | Added ECS-specific accessor methods to EnrichEvent interface and implemented no-op (empty-string) accessors on StructEvent. |
| Data Pooling Refactor (Tracers): pkg/containerwatcher/v2/tracers/* (.../bpf.go, .../capabilities.go, .../dns.go, .../exec.go, .../exit.go, .../fork.go, .../hardlink.go, .../http.go, .../iouring.go, .../kmod.go, .../network.go, .../open.go, .../ptrace.go, .../randomx.go, .../ssh.go, .../symlink.go, .../syscall.go, .../unshare.go) | Replaced pooled-data allocation + DeepCopyInto with source.DeepCopy(data) when emitting DatasourceEvent in tracer subscription handlers; updated some tracer image constants to GHCR v0.48.0 paths. |
| Tracer Tests (Field Validation): pkg/containerwatcher/v2/tracers/*_test.go | Added slices import and replaced strict field-count assertions with loops that assert every actual field is expected (detect unexpected fields); preserved per-field existence checks; some tests extended expected field lists (e.g., DNS, exec). |

Sequence Diagram(s)

(omitted)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • matthyx

Poem

🐰 Deep copies hop where pools once played,
Fresh data blossoms, no stowaway.
Images moved to GHCR's gate,
Version leapt to forty‑eight.
A rabbit cheers the tidy trail — hooray! 🥕✨

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
| Title check | ❓ Inconclusive | The title 'Feature/ecs alerts' is vague and uses a generic branch-naming convention rather than a clear description of the actual changes in the changeset. | Replace the title with a specific, descriptive summary of the main change, such as 'Add ECS alert details and support to runtime events and tracers' or 'Enable ECS enrichment in alerts and refactor data pooling approach'. |

✅ Passed checks (1 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 3

🤖 Fix all issues with AI agents
In `@go.mod`:
- Around line 61-65: Update the k8s.io/kubectl dependency to v0.35.0 to match
the other Kubernetes packages; locate the go.mod entry for the module
"k8s.io/kubectl" and change its version from v0.34.1 to v0.35.0, then run the
module tooling (e.g., go get k8s.io/kubectl@v0.35.0 and go mod tidy) to ensure
all transitive dependencies and go.sum are updated accordingly.

In `@pkg/containerwatcher/v2/tracers/kmod.go`:
- Around line 109-111: The closure passed to datasource.Subscribe captures the
loop variable d but should use the callback's source parameter instead; update
the event construction in the Subscribe callback (the function literal passed to
Subscribe in kmod.go) to set Datasource to source (and call
source.DeepCopy(data)) rather than d, so kt.callback receives the actual
triggering datasource in the utils.DatasourceEvent.

In `@pkg/containerwatcher/v2/tracers/symlink.go`:
- Around line 108-111: In the Subscribe callback inside the loop over
gadgetCtx.GetDataSources() the closure uses the loop variable d, which can be
captured incorrectly; change the callback to use the provided source parameter
when constructing the DatasourceEvent (e.g., call
st.callback(&utils.DatasourceEvent{Datasource: source, Data:
source.DeepCopy(data), EventType: utils.SymlinkEventType})) and similarly update
any other tracer callbacks with identical patterns so Release()/field access
target the correct datasource instead of the loop variable d.
🧹 Nitpick comments (3)
pkg/containerwatcher/v2/tracers/ssh.go (1)

113-115: Use callback parameter source instead of loop variable d for semantic clarity.

The callback receives source as the data source that triggered the subscription; using it instead of the loop variable d is semantically more correct and clearer in intent.

♻️ Proposed fix
- st.callback(&utils.DatasourceEvent{Datasource: d, Data: source.DeepCopy(data), EventType: utils.SSHEventType})
+ st.callback(&utils.DatasourceEvent{Datasource: source, Data: source.DeepCopy(data), EventType: utils.SSHEventType})
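Review bot: on the `+` line, `Datasource: source` is more than a clarity nit. The walkthrough states that `DatasourceEvent.Release()` now delegates to `e.Datasource.Release(e.Data)`, and `Data` here comes from `source.DeepCopy(data)`, so the `Datasource` field decides which datasource the copy is handed back to. Treat this as a correctness change and make the same one-word replacement in every tracer callback in one commit, including the kmod.go and symlink.go callbacks flagged above, rather than file by file.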
pkg/utils/datasource_event.go (1)

881-883: Add a nil guard in Release() to avoid panics on synthetic events.

Defensive checks protect callers that build DatasourceEvent manually (tests/mocks) without a datasource.

🛡️ Proposed fix
 func (e *DatasourceEvent) Release() {
-	e.Datasource.Release(e.Data)
+	if e == nil || e.Datasource == nil || e.Data == nil {
+		return
+	}
+	e.Datasource.Release(e.Data)
 }
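Review bot: the added guard tests `e.Data == nil`, but nothing in the function sets `e.Data` to nil after `e.Datasource.Release(e.Data)`, so a second `Release()` on the same event passes the guard and hands the same data to the datasource again. If the guard is meant to make `Release()` safe to call defensively, clear `e.Data` after the release call. The silent `return` on a nil `Datasource` is fine for tests and mocks, but outside them it means an event was built without its owner, so a debug log in that branch would keep the condition visible.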
pkg/containerwatcher/v2/tracers/network.go (1)

140-148: Consider nil check for event parameter.

The callback method accesses event.GetContainerID() and event.GetPID() without checking if event is nil. While the current caller always passes a non-nil event, a defensive check would improve robustness.

♻️ Optional defensive nil check
 // callback handles events from the tracer
 func (nt *NetworkTracer) callback(event utils.NetworkEvent) {
-	if nt.eventCallback != nil {
+	if nt.eventCallback != nil && event != nil {
 		// Extract container ID and process ID from the network event
 		containerID := event.GetContainerID()
 		processID := event.GetPID()
 
 		nt.eventCallback(event, containerID, processID)
 	}
 }
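Review bot: the `event != nil` test on the `+` line only catches an untyped nil. If `utils.NetworkEvent` is an interface (the by-value parameter compared against nil suggests it is), a nil pointer of a concrete event type stored in it compares non-nil, and `event.GetContainerID()` is still called on it. Either check for nil where the concrete event is created, or document that callers must not pass a typed nil. The nil branch also drops the event without any trace; a log line or counter there would make the caller bug visible instead of hiding it.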

Comment thread go.mod
Comment thread pkg/containerwatcher/v2/tracers/kmod.go
Comment thread pkg/containerwatcher/v2/tracers/symlink.go
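
The kmod.go and symlink.go comments above turn on which datasource an event is released to once `Release()` goes through `e.Datasource`. The Go model below is an added example, not code from this PR or from Inspektor Gadget: `Data`, `DataSource`, `Event` and `Run` are hypothetical stand-ins, and the loop variable is declared outside the loop to reproduce the shared-variable capture that Go had before 1.22.

```go
package main

import "fmt"

// Hypothetical model, not the Inspektor Gadget API: each datasource counts the
// copies it has handed out and not yet received back through Release.
type Data struct{ Payload string }

type DataSource struct {
	outstanding int
	subs        []func(source *DataSource, data *Data)
}

func (ds *DataSource) DeepCopy(d *Data) *Data {
	ds.outstanding++
	return &Data{Payload: d.Payload}
}

func (ds *DataSource) Release(*Data) { ds.outstanding-- }

type Event struct {
	Datasource *DataSource
	Data       *Data
}

// Run fires one event per datasource, releases each via Event.Datasource, and returns both counts.
func Run(useSource bool) (first, second int) {
	srcs := []*DataSource{{}, {}}
	var events []*Event
	var d *DataSource // one variable for all iterations, as before Go 1.22
	for _, d = range srcs {
		d.subs = append(d.subs, func(source *DataSource, data *Data) {
			owner := d // captured variable: points at the last datasource by now
			if useSource {
				owner = source // callback parameter: the datasource that fired
			}
			events = append(events, &Event{Datasource: owner, Data: source.DeepCopy(data)})
		})
	}
	for _, s := range srcs {
		s.subs[0](s, &Data{Payload: "constructed sample"}) // fires after the loop ended
	}
	for _, e := range events {
		e.Datasource.Release(e.Data)
	}
	return srcs[0].outstanding, srcs[1].outstanding
}

func main() { fmt.Println(Run(false)); fmt.Println(Run(true)) }
```

A non-zero count means a copy was never returned to its owner (positive) or a datasource was asked to release data it never issued (negative); using the callback's `source` keeps both counts at zero whatever the loop-variable semantics are.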
@matthyx matthyx changed the base branch from main to panic January 27, 2026 15:44
@jnathangreeg jnathangreeg merged commit 1992508 into panic Jan 27, 2026
3 checks passed
@coderabbitai coderabbitai Bot mentioned this pull request Jan 27, 2026
@matthyx matthyx deleted the feature/ecs-alerts branch January 29, 2026 09:55
@coderabbitai coderabbitai Bot mentioned this pull request Feb 20, 2026