interface conversion: interface {} is []string, not string

[ctdfo]

Describe the bug
We are getting the interface conversion: interface {} is []string, not string error in our logs.

How to reproduce it
Install the Falco Helm chart with Falcosidekick (using version 4.3.0, which corresponds to app version 0.37.1). Have the UI open at the Events section with refresh on (I put it at the default of 10s). Then create an event (I opened a shell in one of the running pods to cause the Terminal shell in container alert). You will notice the interface conversion: interface {} is []string, not string in the logs.

Expected behaviour
No interface conversion: interface {} is []string, not string error.

Screenshots

Environment

• Falco version:
  0.37.1

• System info:
  Linux version 5.15.148.2-2.cm2 (root@CBL-Mariner) (gcc (GCC) 11.2.0, GNU ld (GNU Binutils) 2.37) UI updates #1 SMP Fri Feb 23 23:44:30 UTC 2024

• Cloud provider or hardware configuration:
  AKS
• OS:
  NAME="Alpine Linux"
  ID=alpine
  VERSION_ID=3.15.10
  PRETTY_NAME="Alpine Linux v3.15"
  HOME_URL="https://alpinelinux.org/"
  BUG_REPORT_URL="https://bugs.alpinelinux.org/"
  /app $

• Kernel:
  Linux falco-falcosidekick-ui-5f89b8bc9d-zn869 5.15.148.2-2.cm2 UI updates #1 SMP Fri Feb 23 23:44:30 UTC 2024 x86_64 Linux

• Installation method:
  Kubernetes

Additional context
I am not quite sure where this is coming from. Could it possibly be from the string conversion in the CountKeyBy function:

[Issif]

Hi,

Can you provide me the exact json payload generated by Falco? Did you customize the rule to change the tags or used output fields?

[ctdfo]

Hi,

Can you provide me the exact json payload generated by Falco? Did you customize the rule to change the tags or used output fields?

Hi @Issif, I am not quite sure what you meant by the exact json generated by Falco, but this is the Falco log output of the event that replicates the issue:
{"hostname":"aks-default-32511568-vmss000087","output":"14:50:45.460592981: Notice A shell was spawned in a container with an attached terminal (evt_type=execve user=root user_uid=0 user_loginuid=-1 process=sh proc _exepath=/usr/bin/dash parent=runc command=sh terminal=34816 exe_flags=EXE_WRITABLE container_id=9af8a917fc3e container_image=docker.io/falcosecurity/falco-no-driver container_image_tag=0.37.1 container_name=falco k8s_ns=falco k8s_pod_name=falco-44ddf)","priority":"Notice","rule":"Terminal shell in container","source":"syscall","tags":["T1059","container","maturity_stable","mitre_execution","shell"],"time":"2024-04-24T14:50: 45.460592981Z", "output_fields": {"container.id":"9af8a917fc3e","container.image.repository":"docker.io/falcosecurity/falco-no-driver","container.image.tag":"0.37.1","container.name":"falco","evt.arg.flags":"EXE_WR ITABLE","evt.time":1713970245460592981,"evt.type":"execve","k8s.ns.name":"falco","k8s.pod.name":"falco-44ddf","proc.cmdline":"sh","proc.exepath":"/usr/bin/dash","proc.name":"sh","proc.pname":"runc","proc.tty":34816 ,"user.loginuid":-1,"user.name":"root","user.uid":0}}

Please, let me know if this is not what you meant.

[Issif]

This is exactly what I wanted, thanks a lot, it will allow me to try to reproduce. Thanks

[Issif]

The PR #145 fixes that issue, it will be included in the next release. The ETA is before summer.

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[poiana]

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

[poiana]

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.
/close

[poiana]

@poiana: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[jemag]

@Issif would it be possible to have a new version this Fall?