Update falcosecurity/falco Docker tag to v0.37.0

This MR contains the following updates:

Package	Type	Update	Change
falcosecurity/falco		minor	0.36.2 -> 0.37.0
falcosecurity/falco	ironbank-docker	minor	0.36.2 -> 0.37.0
falcosecurity/falco	stage	minor	0.36.2 -> 0.37.0

---

Release Notes

falcosecurity/falco (falcosecurity/falco)

v0.37.0

Compare Source

Released on 2024-01-30

Breaking Changes

• The deprecated rate-limiter mechanism is removed as it is no longer used.
  • the deprecated outputs.rate Falco config is removed.
  • the deprecated outputs.max_burst Falco config is removed.
• The deprecated --userspace CLI option is removed as it is no longer used.
• The falco-driver-loader script will be removed and embedded into falcoctl. The new falcoctl driven implementation will drop:
  • --source-only CLI option.
  • BPF_USE_LOCAL_KERNEL_SOURCES environment variable.
  • DRIVER_CURL_OPTIONS environment variable.
  • FALCO_BPF_PROBE environment variable is not used by the new falcoctl driver loader, since it is already deprecated and will be removed in the next major version. Some env vars were renamed:
  • DRIVERS_REPO env variable has been replaced by FALCOCTL_DRIVER_NAME or --name command line argument for falcoctl driver command
  • DRIVERS_NAME env variable has been replaced by FALCOCTL_DRIVER_REPOS, or --repo command line argument for falcoctl driver command
  • DRIVER_KERNEL_RELEASE env variable has been replaced by --kernelrelease command line argument for falcoctl driver install command
  • DRIVER_KERNEL_VERSION env variable has been replaced by --kernelversion command line argument for falcoctl driver install command
  • DRIVER_INSECURE_DOWNLOAD env variable has been replaced by --http-insecure command line argument for falcoctl driver install command
• Remove -K/-k options from Falco in favor of the new k8smeta plugin.
• Drop plugins shipped with Falco since plugins are now be managed by falcoctl.
• Falco 0.37.0 allows environment variables to be expanded even if they are part of a string. This introduces small breaking changes:
  • Previously, environment variables used in YAML that were empty or defined as “” would be expanded to the default value. This was not consistent with the way YAML was handled in other cases, where we only returned the default values if the node was not defined. Now expanded env vars retain the same behavior of all other variables.
  • Falco 0.37.0 will return default value for nodes that cannot be parsed to chosen type.
  • program_output command will be env-expanded at init time, instead of letting popen and thus the sh shell expand it. This is technically a breaking change even if no behavioral change is expected. Also, you can avoid env var expansion by using ${{FOO}} instead of ${FOO}. It will resolve to ${FOO} and won't be resolved to the env var value.

Major Changes

• new!: dropped falco-driver-loader script in favor of new falcoctl driver command [#​2905] - @​FedeDP
• update!: bump libs to latest and deprecation of k8s metadata options and configs [#​2914] - @​jasondellaluce
• cleanup(falco)!: remove outputs.rate and outputs.max_burst from Falco config [#​2841] - @​Andreagit97
• cleanup(falco)!: remove --userspace support [#​2839] - @​Andreagit97
• new(engine): add selective overrides for Falco rules [#​2981] - @​LucaGuerra
• feat(userspace/falco): falco administrators can now configure the http output to compress the data sent as well as enable keep alive for the connection. Two new fields (compress_uploads and keep_alive) in the http_output block of the falco.yaml file can be used for that purpose. Both are disabled by default. [#​2974] - @​sgaist
• new(userspace): support env variable expansion in all yaml, even inside strings. [#​2918] - @​FedeDP
• new(scripts): add a way to enforce driver kind and falcoctl enablement when installing Falco from packages and dialog is not present. [#​2773] - @​vjjmiras
• new(falco): print system info when Falco starts [#​2927] - @​Andreagit97
• new: driver selection in falco.yaml [#​2413] - @​therealbobo
• new(build): enable compilation on win32 and macOS. [#​2889] - @​therealbobo
• feat(userspace/falco): falco administrators can now configure the address on which the webserver listen using the new listen_address field in the webserver block of the falco.yaml file. [#​2890] - @​sgaist

Minor Changes

• update(userspace/falco): add engine_version_semver key in /versions endpoint [#​2899] - @​loresuso
• update: default ruleset upgrade to version 3.0 [#​3034] - @​leogr
• update!(config): soft deprecation of drop stats counters in syscall_event_drops [#​3015] - @​incertum
• update(cmake): bumped falcoctl tool to v0.7.1. [#​3030] - @​FedeDP
• update(rule_loader): deprecate the append flag in Falco rules [#​2992] - @​Andreagit97
• cleanup!(cmake): drop bundled plugins in Falco [#​2997] - @​FedeDP
• update(config): clarify deprecation notices + list all env vars [#​2988] - @​incertum
• update: now the watch_config_files config option monitors file/directory moving and deletion, too [#​2965] - @​NitroCao
• update(userspace): enhancements in rule description feature [#​2934] - @​jasondellaluce
• update(userspace/falco): add libsinsp state metrics option [#​2883] - @​incertum
• update(doc): Add Thought Machine as adopters [#​2919] - @​RichardoC
• update(docs): add Wireshark/Logray as adopter [#​2867] - @​geraldcombs
• update: engine_version in semver representation [#​2838] - @​loresuso
• update(userspace/engine): modularize rule compiler, fix and enrich rule descriptions [#​2817] - @​jasondellaluce

Bug Fixes

• fix(userspace/metric): minor fixes in new libsinsp state metrics handling [#​3033] - @​incertum
• fix(userspace/engine): avoid storing escaped strings in engine defs [#​3028] - @​jasondellaluce
• fix(userspace/engine): cache latest rules compilation output [#​2900] - @​jasondellaluce
• fix(userspace/engine): solve description of macro-only rules [#​2898] - @​jasondellaluce
• fix(userspace/engine): fix memory leak [#​2877] - @​therealbobo

Non user-facing changes

• fix: nlohmann_json lib include path [#​3032] - @​federico-sysdig
• chore: bump falco rules [#​3021] - @​Andreagit97
• chore: bump Falco to libs 0.14.1 [#​3020] - @​Andreagit97
• chore(build): remove outdated development libs [#​2946] - @​federico-sysdig
• chore(falco): bump Falco to 000d576 libs commit [#​2944] - @​Andreagit97
• fix(gha): update rpmsign [#​2856] - @​LucaGuerra
• build(deps): Bump submodules/falcosecurity-rules from 424b258 to 1221b9e [#​3000] - @​dependabot[bot]
• build(deps): Bump submodules/falcosecurity-rules from 2ac430b to c39d31a [#​3019] - @​dependabot[bot]
• cleanup(falco.yaml): rename none in nodriver [#​3012] - @​Andreagit97
• update(config): graduate outputs_queue to stable [#​3016] - @​incertum
• update(cmake): bump falcoctl to v0.7.0. [#​3009] - @​FedeDP
• build(deps): Bump submodules/falcosecurity-rules from 1221b9e to 2ac430b [#​3007] - @​dependabot[bot]
• chore(ci): bumped rn2md to latest master. [#​3006] - @​FedeDP
• chore: bump Falco to latest libs [#​3002] - @​Andreagit97
• chore: bump driver version [#​2998] - @​Andreagit97
• Add addl source related methods [#​2939] - @​mstemm
• build(deps): Bump submodules/falcosecurity-rules from cd33bc3 to 424b258 [#​2993] - @​dependabot[bot]
• cleanup(engine): clarify deprecation notice for engines [#​2987] - @​LucaGuerra
• update(cmake): bumped falcoctl to v0.7.0-rc1. [#​2983] - @​FedeDP
• chore(ci): revert #​2961. [#​2984] - @​FedeDP
• build(deps): Bump submodules/falcosecurity-testing from 930170b to 9b9630e [#​2980] - @​dependabot[bot]
• chore: bump Falco to latest libs [#​2977] - @​Andreagit97
• build(deps): Bump submodules/falcosecurity-rules from 262f569 to cd33bc3 [#​2976] - @​dependabot[bot]
• Allow enabling rules by ruleset id in addition to name [#​2920] - @​mstemm
• chore(ci): enable aarch64 falco driver loader tests. [#​2961] - @​FedeDP
• chore(unit_tests): added more tests for yaml env vars expansion. [#​2972] - @​FedeDP
• chore(falco.yaml): use HOME env var for ebpf probe path. [#​2971] - @​FedeDP
• chore: bump falco to latest libs [#​2970] - @​Andreagit97
• build(deps): Bump submodules/falcosecurity-rules from dd38952 to 262f569 [#​2969] - @​dependabot[bot]
• update(readme): add actuated.dev badge [#​2967] - @​LucaGuerra
• chore(cmake,docker): bumped falcoctl to v0.7.0-beta5. [#​2968] - @​FedeDP
• build(deps): Bump submodules/falcosecurity-rules from 64e2adb to dd38952 [#​2959] - @​dependabot[bot]
• fix(docker): small fixes in docker entrypoints for new driver loader. [#​2966] - @​FedeDP
• chore(build): allow usage of non-bundled nlohmann-json [#​2947] - @​federico-sysdig
• update(ci): enable actuated.dev [#​2945] - @​LucaGuerra
• cleanup: fix several warnings from a Clang build [#​2948] - @​federico-sysdig
• chore(docker/falco): add back some deps to falco docker image. [#​2932] - @​FedeDP
• build(deps): Bump submodules/falcosecurity-testing from 92c313f to 5248e6d [#​2937] - @​dependabot[bot]
• build(deps): Bump submodules/falcosecurity-rules from e206c1a to 8f0520f [#​2904] - @​dependabot[bot]
• cleanup(falco): remove decode_uri as it is no longer used [#​2933] - @​LucaGuerra
• update(engine): port decode_uri in falco engine [#​2912] - @​LucaGuerra
• chore(falco): update to libs on nov 28th [#​2929] - @​LucaGuerra
• cleanup(falco): remove init in the configuration constructor [#​2917] - @​Andreagit97
• build(deps): Bump submodules/falcosecurity-rules from 8f0520f to 64e2adb [#​2908] - @​dependabot[bot]
• cleanup(userspace/engine): remove legacy k8saudit implementation [#​2913] - @​jasondellaluce
• fix(gha): disable branch protection rule trigger for scorecard [#​2911] - @​LucaGuerra
• chore(gha): set cosign-installer to v3.1.2 [#​2901] - @​LucaGuerra
• new(docs): sync changelog for 0.36.2. [#​2894] - @​FedeDP
• Run OpenSSF Scorecard in pipeline [#​2888] - @​maxgio92
• cleanup: replace banned.h with semgrep [#​2881] - @​LucaGuerra
• chore(gha): upgrade GitHub actions [#​2876] - @​LucaGuerra
• build(deps): Bump submodules/falcosecurity-rules from a22d0d7 to e206c1a [#​2865] - @​dependabot[bot]
• build(deps): Bump submodules/falcosecurity-rules from d119706 to a22d0d7 [#​2860] - @​dependabot[bot]
• fix(gha): use fedora instead of centos 7 for package publishing [#​2854] - @​LucaGuerra
• chore(gha): pin versions to hashes [#​2849] - @​LucaGuerra
• build(deps): Bump submodules/falcosecurity-rules from c366d5b to d119706 [#​2847] - @​dependabot[bot]
• new(ci): properly link libs and driver releases linked to a Falco release [#​2846] - @​FedeDP
• build(deps): Bump submodules/falcosecurity-rules from 7a7cf24 to c366d5b [#​2842] - @​dependabot[bot]
• build(deps): Bump submodules/falcosecurity-rules from 77ba57a to 7a7cf24 [#​2836] - @​dependabot[bot]
• chore(ci): bumped rn2md to latest master. [#​2844] - @​FedeDP

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this MR, check this box

---

This MR has been generated by Renovate Bot.