Merge remote-tracking branch 'origin/topic/timw/4090-current-spicy-analyzer'

* origin/topic/timw/4090-current-spicy-analyzer:
  Add spicy runtime-support current_analyzer_id(), use it to set id in events

CHANGES

@@ -1,3 +1,7 @@
+7.2.0-dev.18 | 2024-12-18 15:44:40 -0700
+
+  * Add spicy runtime-support current_analyzer_id(), use it to set id in events (Tim Wojtulewicz, Corelight)
+
 7.2.0-dev.16 | 2024-12-18 09:28:33 +0100
 
   * pre-commit: Bump spicy-format to 0.23 (Arne Welzel, Corelight)

VERSION

@@ -1 +1 @@
-7.2.0-dev.16
+7.2.0-dev.18

src/spicy/runtime-support.cc

@@ -206,7 +206,7 @@ void rt::raise_event(const EventHandlerPtr& handler, const hilti::rt::Vector<Val
             throw InvalidValue("null value encountered after conversion");
     }
 
-    event_mgr.Enqueue(handler, std::move(vl));
+    event_mgr.Enqueue(handler, std::move(vl), util::detail::SOURCE_LOCAL, rt::current_analyzer_id());
 }
 
 TypePtr rt::event_arg_type(const EventHandlerPtr& handler, const hilti::rt::integer::safe<uint64_t>& idx) {
@@ -221,6 +221,24 @@ TypePtr rt::event_arg_type(const EventHandlerPtr& handler, const hilti::rt::inte
     return zeek_args[idx];
 }
 
+zeek::analyzer::ID rt::current_analyzer_id() {
+    auto _ = hilti::rt::profiler::start("zeek/rt/current_analyzer_id");
+
+    if ( auto cookie = static_cast<Cookie*>(hilti::rt::context::cookie()) ) {
+        if ( auto x = cookie->protocol ) {
+            return x->analyzer->GetID();
+        }
+        else if ( auto x = cookie->file ) {
+            return 0;
+        }
+        else if ( auto x = cookie->packet ) {
+            return 0;
+        }
+    }
+
+    throw ValueUnavailable("analyzer not available");
+}
+
 ValPtr& rt::current_conn() {
     auto _ = hilti::rt::profiler::start("zeek/rt/current_conn");
 

src/spicy/runtime-support.h

@@ -209,6 +209,14 @@ void raise_event(const EventHandlerPtr& handler, const hilti::rt::Vector<ValPtr>
  */
 TypePtr event_arg_type(const EventHandlerPtr& handler, const hilti::rt::integer::safe<uint64_t>& idx);
 
+/**
+ * Retrieves the analyzer ID for the currently processed Zeek connection.
+ * Assumes that the HILTI context's cookie value has been set accordingly.
+ *
+ * @return Pointer to an analyzer instance
+ */
+zeek::analyzer::ID current_analyzer_id();
+
 /**
  * Retrieves the connection ID for the currently processed Zeek connection.
  * Assumes that the HILTI context's cookie value has been set accordingly.

testing/btest/Baseline/spicy.analyzer-id/out

@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+CHhAvVGS1DHFjwGM9, PostgreSQL::ssl_request, 3
+CHhAvVGS1DHFjwGM9, ssl_client_hello, 5

testing/btest/Baseline/spicy.profiling/prof.log

@@ -16,6 +16,7 @@ spicy/unit/SSH::Banner::magic 2
 spicy/unit/SSH::Banner::software 2
 spicy/unit/SSH::Banner::version 2
 zeek/event/ssh::banner 2
+zeek/rt/current_analyzer_id 2
 zeek/rt/current_conn 2
 zeek/rt/current_is_orig 2
 zeek/rt/event_arg_type 4

testing/btest/spicy/analyzer-id.zeek

@@ -0,0 +1,11 @@
+#@TEST-DOC: Test that analyzer ID set for spicy protocol analyzers
+#@TEST-EXEC: zeek -r $TRACES/postgresql/psql-aws-ssl-preferred.pcap %INPUT > out
+#@TEST-EXEC: btest-diff out
+
+event PostgreSQL::ssl_request(c: connection) {
+        print c$uid, "PostgreSQL::ssl_request", current_analyzer();
+}
+
+event ssl_client_hello(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec) {
+        print c$uid, "ssl_client_hello", current_analyzer();
+}