fix(userspace/libsinsp): correct fallback for arg-less proc.* fields

[leogr]

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind test

/kind feature

/kind sync

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area API-version

/area build

/area CI

/area driver-kmod

/area driver-bpf

/area driver-modern-bpf

/area libscap-engine-bpf

/area libscap-engine-gvisor

/area libscap-engine-kmod

/area libscap-engine-modern-bpf

/area libscap-engine-nodriver

/area libscap-engine-noop

/area libscap-engine-source-plugin

/area libscap-engine-savefile

/area libscap

/area libpman

/area libsinsp

/area tests

/area proposals

Does this PR require a change in the driver versions?

/version driver-API-version-major

/version driver-API-version-minor

/version driver-API-version-patch

/version driver-SCHEMA-version-major

/version driver-SCHEMA-version-minor

/version driver-SCHEMA-version-patch

What this PR does / why we need it:

Parsing of ARG_ALLOWED fields in output formatting (e.g., proc_args=%proc.args) was broken because the val == check always returned false. This fix drops the unnecessary checks so that argid = -1 is set /, argname is cleared where appropriate, and correctly sets field-name length using std::size(...)-1.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

We likely need to issue Falco 0.42.1 because of this.

Tenatively for
/milestone 0.23.0
(but we likely need 0.22.2)

Does this PR introduce a user-facing change?:

fix(userspace/libsinsp): correct fallback for arg-less proc.* fields

[codecov]

Codecov Report

❌ Patch coverage is 47.36842% with 10 lines in your changes missing coverage. Please review.
✅ Project coverage is 76.92%. Comparing base (0376a8f) to head (287784b).
⚠️ Report is 5 commits behind head on master.

Files with missing lines	Patch %	Lines
userspace/libsinsp/sinsp_filtercheck_thread.cpp	47.36%	10 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #2704   +/-   ##
=======================================
  Coverage   76.91%   76.92%           
=======================================
  Files         294      294           
  Lines       30862    30853    -9     
  Branches     4689     4680    -9     
=======================================
- Hits        23739    23735    -4     
+ Misses       7123     7118    -5     

Flag	Coverage Δ
libsinsp	76.92% <47.36%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[terror96]

/lgtm

again, out of curiosity: why is that in some cases in the body of catch we set m_argid and clear `m_argname`` but not always?

[leogr]

/lgtm

again, out of curiosity: why is that in some cases in the body of catch we set m_argid and clear `m_argname`` but not always?

m_argid is for numerically indexed (e.g., proc.args[1]), wherever m_argname is for key access (e.g. proc.env[HOME]), so we update clean one or the other depending on the case. In one case, we update both of them, since that particular field proc.aenv supports both numerical and key arguments (this is kinda of an experimental approach, we usually don't have it in other fields).

That said, I don't like this legacy implementation too much. These code paths should be reviewed and eventually refactored with a cleaner approach, but this is outside the scope of this PR 👼

[leogr]

/milestone 0.22.2

[ekoops]

/approve

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ekoops, leogr, terror96

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [ekoops,leogr]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment