From 0a0dd7143b7d4ae5ed3d211f91edf91ec223f300 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Wed, 31 Aug 2022 10:00:30 -0700
Subject: [PATCH] Add is_used attribute to an ID if used in a signature eval
 statement

---
 src/RuleCondition.cc                          |  4 +++
 .../signatures.signature-cond-used/.stderr    |  1 +
 .../signatures.signature-cond-used/.stdout    |  3 ++
 .../btest/signatures/signature-cond-used.zeek | 29 +++++++++++++++++++
 4 files changed, 37 insertions(+)
 create mode 100644 testing/btest/Baseline/signatures.signature-cond-used/.stderr
 create mode 100644 testing/btest/Baseline/signatures.signature-cond-used/.stdout
 create mode 100644 testing/btest/signatures/signature-cond-used.zeek

diff --git a/src/RuleCondition.cc b/src/RuleCondition.cc
index 39d21e9a4b..35eb903f2b 100644
--- a/src/RuleCondition.cc
+++ b/src/RuleCondition.cc
@@ -180,6 +180,10 @@ RuleConditionEval::RuleConditionEval(const char* func)
 			rules_error("eval function parameters must be a 'signature_state' "
 			            "and a 'string' type",
 			            func);
+
+		std::vector<AttrPtr> attrv{make_intrusive<Attr>(ATTR_IS_USED, nullptr)};
+		id->AddAttrs(
+			make_intrusive<Attributes>(std::move(attrv), id->GetType(), false, id->IsGlobal()));
 		}
 	}
 
diff --git a/testing/btest/Baseline/signatures.signature-cond-used/.stderr b/testing/btest/Baseline/signatures.signature-cond-used/.stderr
new file mode 100644
index 0000000000..49d861c74c
--- /dev/null
+++ b/testing/btest/Baseline/signatures.signature-cond-used/.stderr
@@ -0,0 +1 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
diff --git a/testing/btest/Baseline/signatures.signature-cond-used/.stdout b/testing/btest/Baseline/signatures.signature-cond-used/.stdout
new file mode 100644
index 0000000000..bdcb875b90
--- /dev/null
+++ b/testing/btest/Baseline/signatures.signature-cond-used/.stdout
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+signature_cond, GET /download/CHANGES.bro-aux.txt HTTP/1.1\x0d\x0aUser-Agent: Wget/1.14 (darwin12.2.0)\x0d\x0aAccept: */*\x0d\x0aHost: bro.org\x0d\x0aConnection: Keep-Alive\x0d\x0a\x0d\x0a
+signature_match, GET, GET /download/CHANGES.bro-aux.txt HTTP/1.1\x0d\x0aUser-Agent: Wget/1.14 (darwin12.2.0)\x0d\x0aAccept: */*\x0d\x0aHost: bro.org\x0d\x0aConnection: Keep-Alive\x0d\x0a\x0d\x0a
diff --git a/testing/btest/signatures/signature-cond-used.zeek b/testing/btest/signatures/signature-cond-used.zeek
new file mode 100644
index 0000000000..a93f33596b
--- /dev/null
+++ b/testing/btest/signatures/signature-cond-used.zeek
@@ -0,0 +1,29 @@
+# @TEST-DOC: The function signature_cond used for eval in test.sig should not be reported as unused
+# @TEST-EXEC: zeek -b %INPUT -r $TRACES/http/get.trace
+# @TEST-EXEC: btest-diff .stderr
+# @TEST-EXEC: btest-diff .stdout
+module SignatureEvalTest;
+
+@load-sigs ./test.sig
+
+event signature_match(state: signature_state, msg: string, data: string)
+        {
+        print "signature_match", msg, data;
+        }
+
+function signature_cond(state: signature_state, data: string): bool
+        {
+        print "signature_cond", data;
+        return T;
+        }
+
+
+@TEST-START-FILE test.sig
+signature my-first-sig {
+        ip-proto == tcp
+        dst-port == 80
+        payload /GET/
+        event "GET"
+        eval SignatureEvalTest::signature_cond
+}
+@TEST-END-FILE