CMake+Falco Events: More offset fixes

Update our Falco plugins. Update the Falco Events offset handling to
match the current behavior of libscap, the Go SDK, and the CloudTrail
plugin.

.gitlab-ci.yml

@@ -516,7 +516,7 @@ Windows x64 Package:
     - cmake -G "Visual Studio 17 2022" -A x64
       -DENABLE_LTO=off
       -DBUILD_stratoshark=on -DBUILD_sshdig=on -DBUILD_falcodump=on
-      -DFALCO_PLUGINS="C:/Development/wireshark-x64-libs/falcosecurity-plugins-2025-06-03-1-x64-ws/cloudtrail.dll;C:/Development/wireshark-x64-libs/falcosecurity-plugins-2025-06-03-1-x64-ws/gcpaudit.dll"
+      -DFALCO_PLUGINS="C:/Development/wireshark-x64-libs/falcosecurity-plugins-2025-06-11-1-x64-ws/cloudtrail.dll;C:/Development/wireshark-x64-libs/falcosecurity-plugins-2025-06-11-1-x64-ws/gcpaudit.dll"
       -DENABLE_SIGNED_NSIS=on ..
     - msbuild /verbosity:minimal "/consoleloggerparameters:PerformanceSummary;NoSummary" /maxcpucount Wireshark.sln
     - msbuild /verbosity:minimal /maxcpucount test-programs.vcxproj

cmake/modules/FetchArtifacts.cmake

@@ -138,7 +138,7 @@ if(APPLE)
 
   if(BUILD_stratoshark OR BUILD_falcodump)
     add_artifact(falcosecurity-libs/falcosecurity-libs-bundle-0.21.0-1-macos-universal.tar.xz b0ac98e6f1906f891a8aa8c552639a1d6595aee26adfb730da9ff643d5e4bfaf)
-    add_artifact(falcosecurity-libs/falcosecurity-plugins-2025-06-03-1-macos-universal.tar.xz d34149abc6041e7e76a8096151b7a7de842b43a133e696bce2731a3e1f12655d)
+    add_artifact(falcosecurity-libs/falcosecurity-plugins-2025-06-11-1-macos-universal.tar.xz e23c3b3c469f9cc84d509d7880653b8e0743d11a20105188402fec5cef0fde9d)
   endif()
 endif()
 

plugins/epan/falco_events/sinsp-span.cpp

@@ -1006,14 +1006,13 @@ bool extract_plugin_source_fields(sinsp_source_info_t *ssi, uint32_t event_num,
 
     std::vector<ss_plugin_extract_field> fields;
 #if SINSP_CHECK_VERSION(0, 21, 0)
-    std::vector<ss_plugin_extract_value_offsets> offsets;
+    ss_plugin_extract_value_offsets offsets = {nullptr, nullptr};
 #endif
 
     // PPME_PLUGINEVENT_E events have the following format:
     // | scap_evt header | uint32_t sizeof(id) = 4 | uint32_t evt_datalen | uint32_t id | uint8_t[] evt_data |
 
     uint32_t payload_hdr[3] = {4, evt_datalen, ssi->source->id()};
-//    uint32_t payload_hdr_size = (nparams + 1) * 4;
     uint32_t tot_evt_len = (uint32_t)sizeof(scap_evt) + sizeof(payload_hdr) + evt_datalen;
     if (ssi->evt_storage_size < tot_evt_len) {
         while (ssi->evt_storage_size < tot_evt_len) {
@@ -1039,9 +1038,6 @@ bool extract_plugin_source_fields(sinsp_source_info_t *ssi, uint32_t event_num,
     // XXX Handle multiple paths, e.g. in/out byte counts.
 
     fields.resize(sinsp_field_len);
-#if SINSP_CHECK_VERSION(0, 21, 0)
-    offsets.resize(sinsp_field_len);
-#endif
     for (size_t i = 0; i < sinsp_field_len; i++) {
         fields.at(i).field_id = sinsp_fields[i].field_id;
         fields.at(i).field = sinsp_fields[i].field_name;
@@ -1053,14 +1049,11 @@ bool extract_plugin_source_fields(sinsp_source_info_t *ssi, uint32_t event_num,
         sinsp_fields[i].is_generated = false;
         sinsp_fields[i].data_start = 0;
         sinsp_fields[i].data_length = 0;
-#if SINSP_CHECK_VERSION(0, 21, 0)
-        offsets.at(i) = {nullptr, nullptr};
-#endif
     }
 
     bool status = true;
 #if SINSP_CHECK_VERSION(0, 21, 0)
-    if (!ssi->source->extract_fields_and_offsets(ssi->evt, sinsp_field_len, fields.data(), offsets.data())) {
+    if (!ssi->source->extract_fields_and_offsets(ssi->evt, sinsp_field_len, fields.data(), &offsets)) {
         status = false;
     }
 #else
@@ -1080,15 +1073,18 @@ bool extract_plugin_source_fields(sinsp_source_info_t *ssi, uint32_t event_num,
                 status = false;
             }
 #if SINSP_CHECK_VERSION(0, 21, 0)
-            if (offsets.at(i).start && offsets.at(i).length && offsets.at(i).start[0] >= PLUGIN_EVENT_HEADER_SIZE && offsets.at(i).length[0] > 0) {
-                // We dissect data in its own TVB,
-                int start = (int) offsets.at(i).start[0] - PLUGIN_EVENT_HEADER_SIZE;
-                int length = (int) offsets.at(i).length[0];
-                if (start == 0 && length == 0) {
-                    sinsp_fields[i].is_generated = true;
+            if (offsets.start && offsets.length) {
+                uint32_t start = offsets.start[i];
+                uint32_t length = offsets.length[i];
+                if (start >= PLUGIN_EVENT_HEADER_SIZE) {
+                    // We dissect data in its own TVB,
+                    start -= PLUGIN_EVENT_HEADER_SIZE;
+                    if (start == 0 && length == 0) {
+                        sinsp_fields[i].is_generated = true;
+                    }
+                    sinsp_fields[i].data_start = start;
+                    sinsp_fields[i].data_length = length;
                 }
-                sinsp_fields[i].data_start = start;
-                sinsp_fields[i].data_length = length;
             }
 #endif
         }

tools/win-setup.ps1

@@ -75,7 +75,7 @@ $X64Archives = @{
     "brotli/brotli-1.0.9-1-win64ws.zip" = "3f8d24aec8668201994327ff8d8542fe507d1d468a500a1aec50d0415f695aab";
     "c-ares/c-ares-1.34.4-x64-windows-ws.zip" = "b82429cce98c164f5a094b172238cea33c130130634a722656bd0981209240cb";
     "falcosecurity-libs/falcosecurity-libs-0.21.0-1-x64-ws.7z" = "917eca3b676e1201d48acfbb72660fcd7af4ce40fe5112bb1ce689d957c18c4a";
-    "falcosecurity-libs/falcosecurity-plugins-2025-06-03-1-x64-ws.7z" = "666adaca28c221577c866cb17f51409191ddf49e88695aa2d98be7eaf128a762";
+    "falcosecurity-libs/falcosecurity-plugins-2025-06-11-1-x64-ws.7z" = "35062b7fecd5e2cb01750b28eb154d7abb6d47abcf1c6a7357b8af7a137e72d8";
     "gnutls/gnutls-3.8.9-1-x64-mingw-dynamic-ws.zip" = "e673c28e84925a3e4b7d2eff54e6f613c180787b8fc79da0513cb62ba0520449";
     "krb5/krb5-1.21.3-1-x64-windows-ws.zip" = "49b83da4baa476c4c31ed3ee463f962114a469b8c3d601db68bdb6bc03a88e42";
     "libgcrypt/libgcrypt-bundle-1.11.1-1-x64-mingw-dynamic-ws.zip" = "2987e0b57f4509c02a26d146950a1bcb630bc0cca57b2dcce54b357936a7db3b";
@@ -107,7 +107,7 @@ $Arm64Archives = @{
     "brotli/brotli-1.0.9-1-win64armws.zip" = "5ba1b62ebc514d55c3eae85a00ff107e587b6e7cb1275e2d33fcddcd49f8e2af";
     "c-ares/c-ares-1.34.4-arm64-windows-ws.zip" = "f1cff731bd7d53effebf79dc64f199a82b875ecbfb3049f67e37765e34847a32";
     "falcosecurity-libs/falcosecurity-libs-0.21.0-1-arm64-ws.7z" = "222a691e704989144c91b08612ab7e0af1a6721a7f0bc3ac17452de3342a654e";
-    "falcosecurity-libs/falcosecurity-plugins-2025-06-03-1-arm64-ws.7z" = "637a4c087af1ac57175f60d40f13da999968e1e991aecadad8f604b43404e749";
+    "falcosecurity-libs/falcosecurity-plugins-2025-06-11-1-arm64-ws.7z" = "3f1850a0547eeb910e455515733e7876f9c5da15624ecd865a4d1714c1d5b604";
     "gnutls/gnutls-3.8.9-1-arm64-mingw-dynamic-ws.zip" = "cde2c25696531ea9600c93e0f3ced08f752dba3d10d3b9c5afaf290ffd797068";
     "krb5/krb5-1.21.3-1-arm64-windows-ws.zip" = "26166173cb653fdf2153c311a9f611a76575359393222cebd5228842632a0ccb";
     "libgcrypt/libgcrypt-bundle-1.11.1-1-arm64-mingw-dynamic-ws.zip" = "a7170343edaa732ab04e76874972291b9875cbd1e394c3bfcee13b89e608719f";