Conversation
Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>
Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>
Signed-off-by: Amit Schendel <amitschendel@gmail.com>
Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>
Signed-off-by: Amit Schendel <amitschendel@gmail.com>
Bug: Container Name Missing in CacheThe |
Bug: Network Event Struct Mismatch Causes CEL ErrorsNetwork event tests define Additional Locations (3) |
Bug: Trailing Underscore in Unique ID ExpressionThe Additional Locations (1) |
Signed-off-by: Amit Schendel <amitschendel@gmail.com>
There was a problem hiding this comment.
This PR is being reviewed by Cursor Bugbot
Details
You are on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle.
To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.
Signed-off-by: Amit Schendel <amitschendel@gmail.com>
Signed-off-by: Amit Schendel <amitschendel@gmail.com>
| objectcache.Container: { | ||
| { | ||
| Name: tt.event.Event.K8s.BasicK8sMetadata.ContainerName, | ||
| //Name: tt.event.Event.K8s.BasicK8sMetadata.ContainerName, |
There was a problem hiding this comment.
Bug: Refactoring Left Container Name Uninitialized
The Name field initialization is commented out in the ContainerInfo struct, leaving an empty struct in the array. This appears to be incomplete refactoring where the developer commented out the old field access pattern but didn't replace it with the new one. The container name should be set to tt.event.Container to properly initialize the test data.
| (event.path.startsWith('/var/run/secrets/kubernetes.io/serviceaccount') && event.path.endsWith('/token')) || | ||
| (event.path.startsWith('/run/secrets/eks.amazonaws.com/serviceaccount') && event.path.endsWith('/token')) || | ||
| (event.path.startsWith('/var/run/secrets/eks.amazonaws.com/serviceaccount') && event.path.endsWith('/token'))) && | ||
| !ap.was_path_opened_with_suffix(event.containerId, '/token') |
There was a problem hiding this comment.
Bug: Broad Token Path Check Bypasses Security
The rule changed from checking if any of the 4 specific service account directory prefixes were accessed to checking if any path ending with /token was accessed. This creates a security bypass: if the application profile contains any file ending with /token (like /tmp/myapp/token), it will whitelist access to the actual service account token at /run/secrets/kubernetes.io/serviceaccount/token. The old logic was more secure by specifically checking for service account directory prefixes rather than any path with the /token suffix.
3 participants
Note
Migrate all rules and tests to a unified
event.*schema, generate a combined CRD, and update Go/tooling/dependencies.event.*fields (uniqueId,ruleExpression,eventType), addisTriggerAlertand MITRE metadata.rules-crd.yaml.utils.StructEventinstead of gadget-specific types; align assertions with new message/ID formats.GOTOOLCHAIN=go1.25.0+autoand add steps to generate and upload Rules CRD artifact.inspektor-gadgetto a replacement fork.Written by Cursor Bugbot for commit 6adb258. This will update automatically on new commits. Configure here.