[1.6.4] Alert Context map[] if using AppSec collection

[LaurenceJJones]

We have found that if you are currently using the AppSec collection and a scenario triggers, the context will get flooded with map[] for properties that should be empty.

We are investigating from CrowdSec side what is happening here, however, from the console side we are working to flush any contexts that are map[] as this is not real data and should be removed.

[github-actions]

@LaurenceJJones: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

1. Check Crowdsec Documentation to see if your issue can be self resolved.
2. You can also join our Discord.
3. Check Releases to make sure your agent is on the latest version.

Details

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

[github-actions]

@LaurenceJJones: There are no 'kind' label on this issue. You need a 'kind' label to start the triage process.

• /kind feature
• /kind enhancement
• /kind refactoring
• /kind bug
• /kind packaging

Details

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

[LaurenceJJones]

Update: we have merged a fix to the context file itself, please run:

cscli hub update && cscli hub upgrade

To download the latest context file, and then run systemctl restart crowdsec to ensure the context is reloaded before adding a comment to this discussion.

[LaurenceJJones]

link to problematic code:

crowdsec/pkg/alertcontext/alertcontext.go

Lines 171 to 210 in fdd3737

	for _, value := range values {
	var val string
	output, err := expr.Run(value, map[string]interface{}{"match": match, "evt": evt, "req": request})
	if err != nil {
	errors = append(errors, fmt.Errorf("failed to get value for %s: %w", key, err))
	continue
	}
	switch out := output.(type) {
	case string:
	val = out
	if val != "" && !slices.Contains(tmpContext[key], val) {
	tmpContext[key] = append(tmpContext[key], val)
	}
	case []string:
	for _, v := range out {
	if v != "" && !slices.Contains(tmpContext[key], v) {
	tmpContext[key] = append(tmpContext[key], v)
	}
	}
	case int:
	val = strconv.Itoa(out)
	if val != "" && !slices.Contains(tmpContext[key], val) {
	tmpContext[key] = append(tmpContext[key], val)
	}
	case []int:
	for _, v := range out {
	val = strconv.Itoa(v)
	if val != "" && !slices.Contains(tmpContext[key], val) {
	tmpContext[key] = append(tmpContext[key], val)
	}
	}
	default:
	val := fmt.Sprintf("%v", output)
	if val != "" && !slices.Contains(tmpContext[key], val) {
	tmpContext[key] = append(tmpContext[key], val)
	}
	}
	}

The default case is hit and "%v" returns a string of any value in this case an empty map meaning map[] is returned and non empty string is valid.