new: add possibility to retrieve details about rules with filter_details_visitor

[loresuso]

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

/kind release

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area build

/area engine

/area tests

/area proposals

/area CI

What this PR does / why we need it:
This PR introduces a specialized visitor that can be used to construct a normalized form of a rule, containing all the macros, lists, operators, and fields it uses in JSON format. The functionality is embedded in the -l/-L flags and can be triggered when the output is set to JSON.
This functionality can be used later in CI tools for rules to e.g understand how to automatically handle and increase rules version.

Example:

$ sudo ./userspace/falco/falco -c ../falco.yaml -l "Launch Privileged Container" -o "json_output=true" | jq 
Fri May 12 10:23:13 2023: Falco version: 0.34.1-194+f5c7574 (x86_64)
Fri May 12 10:23:13 2023: Falco initialized with configuration file: ../falco.yaml
Fri May 12 10:23:13 2023: Loading rules from file /etc/falco/falco_rules.yaml
Fri May 12 10:23:13 2023: Loading rules from file /etc/falco/falco_rules.local.yaml
{
  "conditionFields": [
    "evt.num",
    "container.id",
    "container.privileged",
    "container.image.repository",
    "proc.vpid",
    "evt.dir",
    "evt.type"
  ],
  "description": "Detect the initial process started in a privileged container. Exceptions are made for known trusted images.",
  "exceptionFields": [],
  "lists": [
    "redhat_io_images_privileged",
    "falco_privileged_images",
    "trusted_images"
  ],
  "macros": [
    "redhat_image",
    "aws_eks_core_images",
    "user_trusted_containers",
    "allowed_openshift_registry_root",
    "openshift_image",
    "never_true",
    "falco_privileged_containers",
    "user_privileged_containers",
    "container",
    "spawned_process",
    "allowed_aws_ecr_registry_root_for_eks",
    "container_started"
  ],
  "name": "Launch Privileged Container",
  "operators": [
    "endswith",
    "startswith",
    "in",
    "!=",
    "="
  ],
  "outputFields": [
    "user.name",
    "user.loginuid",
    "proc.cmdline",
    "proc.pid",
    "container.name",
    "container.id",
    "container.image.repository",
    "container.image.tag"
  ],
  "priority": "Informational"
}

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

update: get rules details with `-l` or `-L` flags when json output format is specified

[loresuso]

cc @jasondellaluce

[FedeDP]

This is super cool and highly requested! Thank you @loresuso !

[jasondellaluce]

Links to #2372 and potentially fixes it, if we just add the information about the evt.types matched by each rule.

[loresuso]

Last two commits address the following:

• retrieving information about enabled rules
• information about lists and macros when the global -L option is specified

This will allow to check for instance (check https://github.com/falcosecurity/rules/blob/main/RELEASE.md for further details):

• if a rule used to be disabled and then enabled, patch number of version of the rule must be increased
• adding, removing elements from lists, same as above

Currently working on adding evt.type information

[Andreagit97]

Left some minor comments, LGTM!

[Andreagit97]

I would initialize both describe_all_rules and describe_rule variables here

options::options()
	: event_buffer_format(sinsp_evt::PF_NORMAL),
	  gvisor_config(""),	
	  list_fields(false),
	  list_plugins(false),
	  list_syscall_events(false),
	  markdown(false),
	  modern_bpf(false)
{
}

[loresuso]

They should already have their default I guess in options.cpp

[leogr]

/milestone 0.35.0

[jasondellaluce]

Looks good Lore:

• Left you a simple comment on that thing about exceptions and list of operators
• Left you suggestions to cover corner cases in the macro/list visitor search
• Once all's done, we'll need to rebase on top of update!: bump libs version, and support latest plugin features, add --nodriver option #2552, that should bump the libs and hopefully fix the broken tests

[loresuso]

Just rebased and everything's green, I think we are there now!

[jasondellaluce]

/approve

Thanks! This is great!

[poiana]

LGTM label has been added.

Git tree hash: 76ba42e28e821ab6c89ef3774628d821c834d360

[Andreagit97]

/approve

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Andreagit97, jasondellaluce, loresuso

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [Andreagit97,jasondellaluce]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment