fix: clone sig metadata properties

go.mod

@@ -9,7 +9,7 @@ require (
 	github.com/Masterminds/sprig/v3 v3.2.3
 	github.com/aquasecurity/libbpfgo v0.7.0-libbpf-1.4.0.20240729111821-61d531acf4ca
 	github.com/aquasecurity/tracee/api v0.0.0-20240905132323-d1eaeef6a19f
-	github.com/aquasecurity/tracee/signatures/helpers v0.0.0-20240607205742-90c301111aee
+	github.com/aquasecurity/tracee/signatures/helpers v0.0.0-20240920144223-9d62cbdd8935
 	github.com/aquasecurity/tracee/types v0.0.0-20240607205742-90c301111aee
 	github.com/containerd/containerd v1.7.21
 	github.com/docker/docker v26.1.5+incompatible
@@ -43,6 +43,8 @@ require (
 	sigs.k8s.io/controller-runtime v0.18.2
 )
 
+replace github.com/aquasecurity/tracee/signatures/helpers => ./signatures/helpers/
+
 require (
 	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
 	github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20231105174938-2b5cbb29f3e2 // indirect

go.sum

@@ -408,8 +408,6 @@ github.com/aquasecurity/libbpfgo v0.7.0-libbpf-1.4.0.20240729111821-61d531acf4ca
 github.com/aquasecurity/libbpfgo v0.7.0-libbpf-1.4.0.20240729111821-61d531acf4ca/go.mod h1:UpO6kTehEgAGGKR2twztBxvzjTiLiV/cb2xmlYb+TfE=
 github.com/aquasecurity/tracee/api v0.0.0-20240905132323-d1eaeef6a19f h1:O4UmMQViaaP1wKL1eXe7C6VylwrUmUB5mYM+roqnUZg=
 github.com/aquasecurity/tracee/api v0.0.0-20240905132323-d1eaeef6a19f/go.mod h1:Gn6xVkaBkVe1pOQ0++uuHl+lMMClv0TPY8mCQ6j88aA=
-github.com/aquasecurity/tracee/signatures/helpers v0.0.0-20240607205742-90c301111aee h1:1KJy6Z2bSpmKQVPShU7hhbXgGVOgMwvzf9rjoWMTYEg=
-github.com/aquasecurity/tracee/signatures/helpers v0.0.0-20240607205742-90c301111aee/go.mod h1:SX08YRCsPFh8CvCvzkV8FSn1sqWAarNVEJq9RSZoF/8=
 github.com/aquasecurity/tracee/types v0.0.0-20240607205742-90c301111aee h1:PDQn0NcQnF/O8wX2zDak0TteAR89IMUTcCm1IwVmo0M=
 github.com/aquasecurity/tracee/types v0.0.0-20240607205742-90c301111aee/go.mod h1:Jwh9OOuiMHXDoGQY12N9ls5YB+j1FlRcXvFMvh1CmIU=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=

signatures/golang/anti_debugging_ptraceme.go

@@ -37,7 +37,7 @@ func (sig *AntiDebuggingPtraceme) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *AntiDebuggingPtraceme) GetMetadata() (detect.SignatureMetadata, error) {
-	return antiDebuggingPtracemeMetada, nil
+	return helpers.CloneMetadataProperties(&antiDebuggingPtracemeMetada), nil
 }
 
 func (sig *AntiDebuggingPtraceme) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

signatures/golang/aslr_inspection.go

@@ -37,7 +37,7 @@ func (sig *AslrInspection) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *AslrInspection) GetMetadata() (detect.SignatureMetadata, error) {
-	return aslrInspectionMetadata, nil
+	return helpers.CloneMetadataProperties(&aslrInspectionMetadata), nil
 }
 
 func (sig *AslrInspection) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

signatures/golang/cgroup_notify_on_release_modification.go

@@ -38,7 +38,7 @@ func (sig *CgroupNotifyOnReleaseModification) Init(ctx detect.SignatureContext)
 }
 
 func (sig *CgroupNotifyOnReleaseModification) GetMetadata() (detect.SignatureMetadata, error) {
-	return cgroupNotifyOnReleaseModificationMetadata, nil
+	return helpers.CloneMetadataProperties(&cgroupNotifyOnReleaseModificationMetadata), nil
 }
 
 func (sig *CgroupNotifyOnReleaseModification) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

signatures/golang/cgroup_release_agent_modification.go

@@ -38,7 +38,7 @@ func (sig *CgroupReleaseAgentModification) Init(ctx detect.SignatureContext) err
 }
 
 func (sig *CgroupReleaseAgentModification) GetMetadata() (detect.SignatureMetadata, error) {
-	return cgroupReleaseAgentModificationMetadata, nil
+	return helpers.CloneMetadataProperties(&cgroupReleaseAgentModificationMetadata), nil
 }
 
 func (sig *CgroupReleaseAgentModification) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

signatures/golang/core_pattern_modification.go

@@ -38,7 +38,7 @@ func (sig *CorePatternModification) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *CorePatternModification) GetMetadata() (detect.SignatureMetadata, error) {
-	return corePatternModificationMetadata, nil
+	return helpers.CloneMetadataProperties(&corePatternModificationMetadata), nil
 }
 
 func (sig *CorePatternModification) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

signatures/golang/default_loader_modification.go

@@ -41,7 +41,7 @@ func (sig *DefaultLoaderModification) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *DefaultLoaderModification) GetMetadata() (detect.SignatureMetadata, error) {
-	return defaultLoaderModificationMetadata, nil
+	return helpers.CloneMetadataProperties(&defaultLoaderModificationMetadata), nil
 }
 
 func (sig *DefaultLoaderModification) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

signatures/golang/disk_mount.go

@@ -38,7 +38,7 @@ func (sig *DiskMount) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *DiskMount) GetMetadata() (detect.SignatureMetadata, error) {
-	return diskMountMetadata, nil
+	return helpers.CloneMetadataProperties(&diskMountMetadata), nil
 }
 
 func (sig *DiskMount) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

signatures/golang/docker_abuse.go

@@ -38,7 +38,7 @@ func (sig *DockerAbuse) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *DockerAbuse) GetMetadata() (detect.SignatureMetadata, error) {
-	return dockerAbuseMetadata, nil
+	return helpers.CloneMetadataProperties(&dockerAbuseMetadata), nil
 }
 
 func (sig *DockerAbuse) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

signatures/golang/dropped_executable.go

@@ -35,7 +35,7 @@ func (sig *DroppedExecutable) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *DroppedExecutable) GetMetadata() (detect.SignatureMetadata, error) {
-	return droppedExecutableMetadata, nil
+	return helpers.CloneMetadataProperties(&droppedExecutableMetadata), nil
 }
 
 func (sig *DroppedExecutable) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

signatures/golang/dynamic_code_loading.go

@@ -37,7 +37,7 @@ func (sig *DynamicCodeLoading) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *DynamicCodeLoading) GetMetadata() (detect.SignatureMetadata, error) {
-	return dynamicCodeLoadingMetadata, nil
+	return helpers.CloneMetadataProperties(&dynamicCodeLoadingMetadata), nil
 }
 
 func (sig *DynamicCodeLoading) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

signatures/golang/fileless_execution.go

@@ -35,7 +35,7 @@ func (sig *FilelessExecution) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *FilelessExecution) GetMetadata() (detect.SignatureMetadata, error) {
-	return filelessExecutionMetadata, nil
+	return helpers.CloneMetadataProperties(&filelessExecutionMetadata), nil
 }
 
 func (sig *FilelessExecution) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

signatures/golang/hidden_file_created.go

@@ -38,7 +38,7 @@ func (sig *HiddenFileCreated) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *HiddenFileCreated) GetMetadata() (detect.SignatureMetadata, error) {
-	return hiddenFileCreatedMetadata, nil
+	return helpers.CloneMetadataProperties(&hiddenFileCreatedMetadata), nil
 }
 
 func (sig *HiddenFileCreated) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

signatures/golang/illegitimate_shell.go

@@ -40,7 +40,7 @@ func (sig *IllegitimateShell) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *IllegitimateShell) GetMetadata() (detect.SignatureMetadata, error) {
-	return illegitimateShellMetadata, nil
+	return helpers.CloneMetadataProperties(&illegitimateShellMetadata), nil
 }
 
 func (sig *IllegitimateShell) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

signatures/golang/k8s_service_account_token.go

@@ -43,7 +43,7 @@ func (sig *K8SServiceAccountToken) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *K8SServiceAccountToken) GetMetadata() (detect.SignatureMetadata, error) {
-	return k8SServiceAccountTokenMetadata, nil
+	return helpers.CloneMetadataProperties(&k8SServiceAccountTokenMetadata), nil
 }
 
 func (sig *K8SServiceAccountToken) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

signatures/golang/kernel_module_loading.go

@@ -35,7 +35,7 @@ func (sig *KernelModuleLoading) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *KernelModuleLoading) GetMetadata() (detect.SignatureMetadata, error) {
-	return kernelModuleLoadingMetadata, nil
+	return helpers.CloneMetadataProperties(&kernelModuleLoadingMetadata), nil
 }
 
 func (sig *KernelModuleLoading) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

signatures/golang/kubernetes_api_connection.go

@@ -36,7 +36,7 @@ func (sig *K8sApiConnection) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *K8sApiConnection) GetMetadata() (detect.SignatureMetadata, error) {
-	return k8sApiConnectionMetadata, nil
+	return helpers.CloneMetadataProperties(&k8sApiConnectionMetadata), nil
 }
 
 func (sig *K8sApiConnection) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

signatures/golang/kubernetes_certificate_theft_attempt.go

@@ -40,7 +40,7 @@ func (sig *KubernetesCertificateTheftAttempt) Init(ctx detect.SignatureContext)
 }
 
 func (sig *KubernetesCertificateTheftAttempt) GetMetadata() (detect.SignatureMetadata, error) {
-	return kubernetesCertificateTheftAttemptMetadata, nil
+	return helpers.CloneMetadataProperties(&kubernetesCertificateTheftAttemptMetadata), nil
 }
 
 func (sig *KubernetesCertificateTheftAttempt) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

signatures/golang/ld_preload.go

@@ -40,7 +40,7 @@ func (sig *LdPreload) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *LdPreload) GetMetadata() (detect.SignatureMetadata, error) {
-	return ldPreloadMetadata, nil
+	return helpers.CloneMetadataProperties(&ldPreloadMetadata), nil
 }
 
 func (sig *LdPreload) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

signatures/golang/proc_fops_hooking.go

@@ -35,7 +35,7 @@ func (sig *ProcFopsHooking) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *ProcFopsHooking) GetMetadata() (detect.SignatureMetadata, error) {
-	return procFopsHookingMetadata, nil
+	return helpers.CloneMetadataProperties(&procFopsHookingMetadata), nil
 }
 
 func (sig *ProcFopsHooking) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

signatures/golang/proc_kcore_read.go

@@ -38,7 +38,7 @@ func (sig *ProcKcoreRead) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *ProcKcoreRead) GetMetadata() (detect.SignatureMetadata, error) {
-	return procKcoreReadMetadata, nil
+	return helpers.CloneMetadataProperties(&procKcoreReadMetadata), nil
 }
 
 func (sig *ProcKcoreRead) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

signatures/golang/proc_mem_access.go

@@ -41,7 +41,7 @@ func (sig *ProcMemAccess) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *ProcMemAccess) GetMetadata() (detect.SignatureMetadata, error) {
-	return procMemAccessMetadata, nil
+	return helpers.CloneMetadataProperties(&procMemAccessMetadata), nil
 }
 
 func (sig *ProcMemAccess) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

signatures/golang/proc_mem_code_injection.go

@@ -41,7 +41,7 @@ func (sig *ProcMemCodeInjection) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *ProcMemCodeInjection) GetMetadata() (detect.SignatureMetadata, error) {
-	return procMemCodeInjectionMetadata, nil
+	return helpers.CloneMetadataProperties(&procMemCodeInjectionMetadata), nil
 }
 
 func (sig *ProcMemCodeInjection) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

signatures/golang/process_vm_write_code_injection.go

@@ -36,7 +36,7 @@ func (sig *ProcessVmWriteCodeInjection) Init(ctx detect.SignatureContext) error
 }
 
 func (sig *ProcessVmWriteCodeInjection) GetMetadata() (detect.SignatureMetadata, error) {
-	return processVmWriteCodeInjectionMetadata, nil
+	return helpers.CloneMetadataProperties(&processVmWriteCodeInjectionMetadata), nil
 }
 
 func (sig *ProcessVmWriteCodeInjection) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

signatures/golang/ptrace_code_injection.go

@@ -39,7 +39,7 @@ func (sig *PtraceCodeInjection) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *PtraceCodeInjection) GetMetadata() (detect.SignatureMetadata, error) {
-	return ptraceCodeInjectionMetadata, nil
+	return helpers.CloneMetadataProperties(&ptraceCodeInjectionMetadata), nil
 }
 
 func (sig *PtraceCodeInjection) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

signatures/golang/rcd_modification.go

@@ -43,7 +43,7 @@ func (sig *RcdModification) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *RcdModification) GetMetadata() (detect.SignatureMetadata, error) {
-	return rcdModificationMetadata, nil
+	return helpers.CloneMetadataProperties(&rcdModificationMetadata), nil
 }
 
 func (sig *RcdModification) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

signatures/golang/sched_debug_recon.go

@@ -37,7 +37,7 @@ func (sig *SchedDebugRecon) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *SchedDebugRecon) GetMetadata() (detect.SignatureMetadata, error) {
-	return schedDebugReconMetadata, nil
+	return helpers.CloneMetadataProperties(&schedDebugReconMetadata), nil
 }
 
 func (sig *SchedDebugRecon) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

signatures/golang/scheduled_task_modification.go

@@ -43,7 +43,7 @@ func (sig *ScheduledTaskModification) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *ScheduledTaskModification) GetMetadata() (detect.SignatureMetadata, error) {
-	return scheduledTaskModificationMetadata, nil
+	return helpers.CloneMetadataProperties(&scheduledTaskModificationMetadata), nil
 }
 
 func (sig *ScheduledTaskModification) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

signatures/golang/stdio_over_socket.go

@@ -37,7 +37,7 @@ func (sig *StdioOverSocket) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *StdioOverSocket) GetMetadata() (detect.SignatureMetadata, error) {
-	return stdioOverSocketMetadata, nil
+	return helpers.CloneMetadataProperties(&stdioOverSocketMetadata), nil
 }
 
 func (sig *StdioOverSocket) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

signatures/golang/sudoers_modification.go

@@ -40,7 +40,7 @@ func (sig *SudoersModification) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *SudoersModification) GetMetadata() (detect.SignatureMetadata, error) {
-	return sudoersModificationMetadata, nil
+	return helpers.CloneMetadataProperties(&sudoersModificationMetadata), nil
 }
 
 func (sig *SudoersModification) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

signatures/golang/syscall_table_hooking.go

@@ -3,6 +3,7 @@ package main
 import (
 	"fmt"
 
+	"github.com/aquasecurity/tracee/signatures/helpers"
 	"github.com/aquasecurity/tracee/types/detect"
 	"github.com/aquasecurity/tracee/types/protocol"
 	"github.com/aquasecurity/tracee/types/trace"
@@ -34,7 +35,7 @@ func (sig *SyscallTableHooking) Init(ctx detect.SignatureContext) error {
 }
 
 func (sig *SyscallTableHooking) GetMetadata() (detect.SignatureMetadata, error) {
-	return syscallTableHookingMetadata, nil
+	return helpers.CloneMetadataProperties(&syscallTableHookingMetadata), nil
 }
 
 func (sig *SyscallTableHooking) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

signatures/golang/system_request_key_config_modification.go

@@ -37,7 +37,7 @@ func (sig *SystemRequestKeyConfigModification) Init(ctx detect.SignatureContext)
 }
 
 func (sig *SystemRequestKeyConfigModification) GetMetadata() (detect.SignatureMetadata, error) {
-	return systemRequestKeyConfigModificationMetadata, nil
+	return helpers.CloneMetadataProperties(&systemRequestKeyConfigModificationMetadata), nil
 }
 
 func (sig *SystemRequestKeyConfigModification) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {

signatures/helpers/helpers.go

@@ -444,6 +444,8 @@ func GetProtoHTTPByName(
 // TODO: since this helper is a workaround to avoid data races,
 // perhaps a better solution would be to convert Properties into
 // a concrete structure.
-func CloneMetadataProperties(m *detect.SignatureMetadata) {
-	m.Properties = maps.Clone(m.Properties)
+func CloneMetadataProperties(m *detect.SignatureMetadata) detect.SignatureMetadata {
+	copy := *m
+	copy.Properties = maps.Clone(m.Properties)
+	return copy
 }