Allow analyzer violations to explicitly set tag.

We could already pass an overriding tag to `Analyzer::AnalyzerConfirmation()`, but we didn't have that ability for `AnalyzerViolation`, leading to the two potentially mismatching in the analyzer they report.
2025-10-09 01:58:20 +00:00 · 2022-04-12 09:34:05 +02:00 · 2022-04-12 09:34:05 +02:00 · d2e8c5e887
commit d2e8c5e887
parent d29160e9de
6 changed files with 16 additions and 9 deletions
--- a/src/packet_analysis/Analyzer.cc
+++ b/src/packet_analysis/Analyzer.cc
@ -182,7 +182,7 @@ void Analyzer::AnalyzerConfirmation(session::Session* session, zeek::Tag arg_tag
 	}

 void Analyzer::AnalyzerViolation(const char* reason, session::Session* session, const char* data,
-                                 int len)
+                                 int len, zeek::Tag arg_tag)
 	{
 	if ( ! analyzer_violation )
 		return;
@ -201,7 +201,7 @@ void Analyzer::AnalyzerViolation(const char* reason, session::Session* session,
 	else
 		r = make_intrusive<StringVal>(reason);

-	const auto& tval = tag.AsVal();
+	const auto& tval = arg_tag ? arg_tag.AsVal() : tag.AsVal();
 	event_mgr.Enqueue(analyzer_violation, session->GetVal(), tval, val_mgr->Count(0), std::move(r));
 	}

--- a/src/packet_analysis/Analyzer.h
+++ b/src/packet_analysis/Analyzer.h
@ -156,7 +156,8 @@ public:
 	 * @param len If \a data is given, the length of it.
 	 */
 	virtual void AnalyzerViolation(const char* reason, session::Session* session,
-	                               const char* data = nullptr, int len = 0);
+	                               const char* data = nullptr, int len = 0,
+	                               zeek::Tag tag = zeek::Tag());

 	/**
 	 * Returns true if ProtocolConfirmation() has been called at least