exclude as well the alerts with no decisions that were from list or community blocklist pull

2023-09-20 10:18:09 +02:00 · 2023-09-20 10:18:09 +02:00 · 9c7da86dd3
parent ac01faf483
commit 9c7da86dd3
1 changed files with 17 additions and 3 deletions
--- a/pkg/database/alerts.go
+++ b/pkg/database/alerts.go
@ -17,6 +17,7 @@ import (

 	"github.com/crowdsecurity/go-cs-lib/slicetools"

+	"github.com/crowdsecurity/crowdsec/pkg/apiserver"
 	"github.com/crowdsecurity/crowdsec/pkg/database/ent"
 	"github.com/crowdsecurity/crowdsec/pkg/database/ent/alert"
 	"github.com/crowdsecurity/crowdsec/pkg/database/ent/decision"
@ -859,9 +860,22 @@ func AlertPredicatesFromFilter(filter map[string][]string) ([]predicate.Alert, e
 			predicates = append(predicates, alert.HasDecisionsWith(decision.OriginEQ(value[0])))
 		case "include_capi": //allows to exclude one or more specific origins
 			if value[0] == "false" {
-				predicates = append(predicates, alert.Not(alert.HasDecisionsWith(decision.OriginEQ(types.CAPIOrigin))))
-				predicates = append(predicates, alert.Not(alert.HasDecisionsWith(decision.OriginEQ(types.ListOrigin))))
-
+				predicates = append(predicates, alert.Or(
+					//do not show alerts with active decisions having origin CAPI or lists
+					alert.And(
+						alert.Not(alert.HasDecisionsWith(decision.OriginEQ(types.CAPIOrigin))),
+						alert.Not(alert.HasDecisionsWith(decision.OriginEQ(types.ListOrigin))),
+					),
+					alert.And(
+						//do not show neither alerts with no decisions if the Source Scope is lists: or CAPI
+						alert.Not(alert.HasDecisions()),
+						alert.Or(
+							alert.SourceScopeHasPrefix(types.ListOrigin+":"),
+							alert.SourceScopeEQ(apiserver.SCOPE_CAPI_ALIAS_ALIAS),
+						),
+					),
+				),
+				)
 			} else if value[0] != "true" {
 				log.Errorf("Invalid bool '%s' for include_capi", value[0])
 			}