From 9759ff5850a0cc3501977e576f348b3584f67ab2 Mon Sep 17 00:00:00 2001
From: Federico Di Pierro <nierro92@gmail.com>
Date: Mon, 7 Oct 2024 09:28:06 +0200
Subject: [PATCH 1/5] fix(userspace/falco): fix event set selection for plugin
 with parsing capability.

In live mode we need to use the source_info inspectors instead of the offline inspector.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
---
 .../actions/configure_interesting_sets.cpp    | 24 +++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/userspace/falco/app/actions/configure_interesting_sets.cpp b/userspace/falco/app/actions/configure_interesting_sets.cpp
index 914073007b9..86f2b894867 100644
--- a/userspace/falco/app/actions/configure_interesting_sets.cpp
+++ b/userspace/falco/app/actions/configure_interesting_sets.cpp
@@ -78,11 +78,27 @@ static void select_event_set(falco::app::state& s,
 
 	/* Load PPM event codes needed by plugins with parsing capability */
 	libsinsp::events::set<ppm_event_code> plugin_ev_codes;
-	for(const auto& p : s.offline_inspector->get_plugin_manager()->plugins()) {
-		if(!(p->caps() & CAP_PARSING)) {
-			continue;
+	if(s.is_capture_mode()) {
+		// In capture mode, we need to use the offline inspector
+		// because plugins are inited under it; see init_inspectors action.
+		for(const auto& p : s.offline_inspector->get_plugin_manager()->plugins()) {
+			if(!(p->caps() & CAP_PARSING)) {
+				continue;
+			}
+			plugin_ev_codes.merge(p->parse_event_codes());
+		}
+	} else {
+		// In live mode, we need to use inspectors from the loaded sources,
+		// because plugins are inited under them; see init_inspectors action.
+		for(const auto& src : s.loaded_sources) {
+			auto src_info = s.source_infos.at(src);
+			for(const auto& p : src_info->inspector->get_plugin_manager()->plugins()) {
+				if(!(p->caps() & CAP_PARSING)) {
+					continue;
+				}
+				plugin_ev_codes.merge(p->parse_event_codes());
+			}
 		}
-		plugin_ev_codes.merge(p->parse_event_codes());
 	}
 	const auto plugin_sc_set = libsinsp::events::event_set_to_sc_set(plugin_ev_codes);
 	const auto plugin_names = libsinsp::events::sc_set_to_event_names(plugin_sc_set);

From 8fb0475b12f25d3ecf9c739d4eeb0b3de1ae1bf6 Mon Sep 17 00:00:00 2001
From: Luca Guerra <luca@guerra.sh>
Date: Tue, 1 Oct 2024 16:24:17 +0000
Subject: [PATCH 2/5] fix(engine): disable comma separated vectors in cxxopts

Signed-off-by: Luca Guerra <luca@guerra.sh>
---
 userspace/falco/app/options.cpp | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/userspace/falco/app/options.cpp b/userspace/falco/app/options.cpp
index d0422ff0a0e..7a1df394dc2 100644
--- a/userspace/falco/app/options.cpp
+++ b/userspace/falco/app/options.cpp
@@ -19,6 +19,9 @@ limitations under the License.
 #include "../configuration.h"
 #include "config_falco.h"
 
+// disable cxxopts vector delimiter, meaning that
+// -o test1,test2,test3 won't be treated like -o test1 -o test2 -o test3
+#define CXXOPTS_VECTOR_DELIMITER '\0'
 #include <cxxopts.hpp>
 
 #include <fstream>

From b586d970880ae3bf55d1286bd81b7fd0d619441b Mon Sep 17 00:00:00 2001
From: Luca Guerra <luca@guerra.sh>
Date: Tue, 8 Oct 2024 08:27:52 +0000
Subject: [PATCH 3/5] fix(engine): allow null init_config for plugin info

Signed-off-by: Luca Guerra <luca@guerra.sh>
---
 userspace/falco/config_json_schema.h | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/userspace/falco/config_json_schema.h b/userspace/falco/config_json_schema.h
index ba6419e72b3..ba9546c897d 100644
--- a/userspace/falco/config_json_schema.h
+++ b/userspace/falco/config_json_schema.h
@@ -593,6 +593,9 @@ const char config_schema_string[] = LONG_STRING_CONST(
                         },
                         {
                             "type": "string"
+                        },
+                        {
+                            "type": "null"
                         }
                     ]
                 },

From c5ffbc6c6fcc7d7793f978445ef3a35b3e5c9a22 Mon Sep 17 00:00:00 2001
From: Luca Guerra <luca@guerra.sh>
Date: Tue, 8 Oct 2024 08:47:29 +0000
Subject: [PATCH 4/5] update(tests): add tests for plugin init_config

Signed-off-by: Luca Guerra <luca@guerra.sh>
---
 .../falco/test_configuration_schema.cpp       | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/unit_tests/falco/test_configuration_schema.cpp b/unit_tests/falco/test_configuration_schema.cpp
index 2774fca2f52..85da84c5987 100644
--- a/unit_tests/falco/test_configuration_schema.cpp
+++ b/unit_tests/falco/test_configuration_schema.cpp
@@ -18,6 +18,7 @@ limitations under the License.
 #include <gtest/gtest.h>
 #include <falco/configuration.h>
 #include <falco_test_var.h>
+#include <nlohmann/json.hpp>
 
 #define EXPECT_VALIDATION_STATUS(res, status)                                                     \
 	do {                                                                                          \
@@ -102,8 +103,13 @@ TEST(Configuration, plugin_init_config) {
       sslCertificate: /etc/falco/falco.pem
 )";
 
+	auto plugin_config_json = nlohmann::json::parse(
+	        R"({"maxEventSize": 262144, "sslCertificate": "/etc/falco/falco.pem"})");
+
 	EXPECT_NO_THROW(res = falco_config.init_from_content(config, {}));
 	EXPECT_VALIDATION_STATUS(res, yaml_helper::validation_ok);
+	auto parsed_init_config = nlohmann::json::parse(falco_config.m_plugins[0].m_init_config);
+	EXPECT_EQ(parsed_init_config, plugin_config_json);
 
 	config = R"(
 plugins:
@@ -114,6 +120,30 @@ TEST(Configuration, plugin_init_config) {
 
 	EXPECT_NO_THROW(res = falco_config.init_from_content(config, {}));
 	EXPECT_VALIDATION_STATUS(res, yaml_helper::validation_ok);
+	parsed_init_config = nlohmann::json::parse(falco_config.m_plugins[0].m_init_config);
+	EXPECT_EQ(parsed_init_config, plugin_config_json);
+
+	config = R"(
+plugins:
+  - name: k8saudit
+    library_path: libk8saudit.so
+    init_config: ""
+)";
+
+	EXPECT_NO_THROW(res = falco_config.init_from_content(config, {}));
+	EXPECT_VALIDATION_STATUS(res, yaml_helper::validation_ok);
+	EXPECT_EQ(falco_config.m_plugins[0].m_init_config, "");
+
+	config = R"(
+plugins:
+  - name: k8saudit
+    library_path: libk8saudit.so
+    init_config: null
+)";
+
+	EXPECT_NO_THROW(res = falco_config.init_from_content(config, {}));
+	EXPECT_VALIDATION_STATUS(res, yaml_helper::validation_ok);
+	EXPECT_EQ(falco_config.m_plugins[0].m_init_config, "");
 }
 
 TEST(Configuration, schema_yaml_helper_validator) {

From 9356e036027ebba79fe2609baa20122075137766 Mon Sep 17 00:00:00 2001
From: Federico Di Pierro <nierro92@gmail.com>
Date: Tue, 8 Oct 2024 12:09:21 +0200
Subject: [PATCH 5/5] update(changelog): updated changelog for 0.39.1.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
---
 CHANGELOG.md | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index eac79edae2e..a69fb8b58c8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,24 @@
 # Change Log
 
+## v0.39.1
+
+Released on 2024-10-09
+
+### Bug Fixes
+
+* fix(engine): allow null init_config for plugin info [[#3372](https://github.com/falcosecurity/falco/pull/3372)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(engine): fix parsing issues in -o key={object} when the object definition contains a comma [[#3363](https://github.com/falcosecurity/falco/pull/3363)] - [@LucaGuerra](https://github.com/LucaGuerra)
+* fix(userspace/falco): fix event set selection for plugin with parsing capability [[#3368](https://github.com/falcosecurity/falco/pull/3368)] - [@FedeDP](https://github.com/FedeDP)
+
+### Statistics
+
+|   MERGED PRS    | NUMBER |
+|-----------------|--------|
+| Not user-facing |      0 |
+| Release note    |      3 |
+| Total           |      3 |
+
+
 ## v0.39.0
 
 Released on 2024-10-01