sync code

attachments/nginx/nginx_attachment_util/nginx_attachment_util_ut/nginx_attachment_util_ut.cc

@@ -73,27 +73,27 @@ TEST_F(HttpAttachmentUtilTest, GetValidAttachmentConfiguration)
     valid_configuration_file.close();
 
     EXPECT_EQ(initAttachmentConfig(attachment_configuration_file_name.c_str()), 1);
-    EXPECT_EQ(getDbgLevel(), 2);
+    EXPECT_EQ(getDbgLevel(), 2u);
     EXPECT_EQ(getStaticResourcesPath(), static_resources_path);
     EXPECT_EQ(isFailOpenMode(), 0);
-    EXPECT_EQ(getFailOpenTimeout(), 1234);
+    EXPECT_EQ(getFailOpenTimeout(), 1234u);
     EXPECT_EQ(isFailOpenHoldMode(), 1);
-    EXPECT_EQ(getFailOpenHoldTimeout(), 4321);
+    EXPECT_EQ(getFailOpenHoldTimeout(), 4321u);
     EXPECT_EQ(isFailOpenOnSessionLimit(), 1);
-    EXPECT_EQ(getMaxSessionsPerMinute(), 0);
+    EXPECT_EQ(getMaxSessionsPerMinute(), 0u);
-    EXPECT_EQ(getNumOfNginxIpcElements(), 200);
+    EXPECT_EQ(getNumOfNginxIpcElements(), 200u);
-    EXPECT_EQ(getKeepAliveIntervalMsec(), 10000);
+    EXPECT_EQ(getKeepAliveIntervalMsec(), 10000u);
-    EXPECT_EQ(getResProccessingTimeout(), 420);
+    EXPECT_EQ(getResProccessingTimeout(), 420u);
-    EXPECT_EQ(getReqProccessingTimeout(), 42);
+    EXPECT_EQ(getReqProccessingTimeout(), 42u);
-    EXPECT_EQ(getRegistrationThreadTimeout(), 101);
+    EXPECT_EQ(getRegistrationThreadTimeout(), 101u);
-    EXPECT_EQ(getReqHeaderThreadTimeout(), 10);
+    EXPECT_EQ(getReqHeaderThreadTimeout(), 10u);
-    EXPECT_EQ(getReqBodyThreadTimeout(), 155);
+    EXPECT_EQ(getReqBodyThreadTimeout(), 155u);
-    EXPECT_EQ(getResHeaderThreadTimeout(), 1);
+    EXPECT_EQ(getResHeaderThreadTimeout(), 1u);
-    EXPECT_EQ(getResBodyThreadTimeout(), 0);
+    EXPECT_EQ(getResBodyThreadTimeout(), 0u);
-    EXPECT_EQ(getMinRetriesForVerdict(), 1);
+    EXPECT_EQ(getMinRetriesForVerdict(), 1u);
-    EXPECT_EQ(getMaxRetriesForVerdict(), 3);
+    EXPECT_EQ(getMaxRetriesForVerdict(), 3u);
-    EXPECT_EQ(getReqBodySizeTrigger(), 777);
+    EXPECT_EQ(getReqBodySizeTrigger(), 777u);
-    EXPECT_EQ(getWaitingForVerdictThreadTimeout(), 75);
+    EXPECT_EQ(getWaitingForVerdictThreadTimeout(), 75u);
     EXPECT_EQ(getInspectionMode(), ngx_http_inspection_mode::BLOCKING_THREAD);
 
     EXPECT_EQ(isDebugContext("1.2.3.4", "5.6.7.8", 80, "GET", "test", "/abc"), 1);

components/security_apps/ips/ips_entry.cc

@@ -26,6 +26,8 @@ static const map<string, IPSConfiguration::Context> default_conf_mapping = {
 };
 
 static const IPSConfiguration default_conf(default_conf_mapping);
+static const IPSSignatures default_ips_sigs;
+static const SnortSignatures default_snort_sigs;
 
 IPSEntry::IPSEntry() : TableOpaqueSerialize<IPSEntry>(this) {}
 
@@ -51,9 +53,9 @@ IPSEntry::respond(const ParsedContext &parsed)
     ctx.registerValue(name, buf);
 
     ctx.activate();
-    auto &signatures = getConfigurationWithDefault(IPSSignatures(), "IPS", "IpsProtections");
+    auto &signatures = getConfigurationWithDefault(default_ips_sigs, "IPS", "IpsProtections");
     bool should_drop = signatures.isMatchedPrevent(parsed.getName(), buf);
-    auto &snort_signatures = getConfigurationWithDefault(SnortSignatures(), "IPSSnortSigs", "SnortProtections");
+    auto &snort_signatures = getConfigurationWithDefault(default_snort_sigs, "IPSSnortSigs", "SnortProtections");
     should_drop |= snort_signatures.isMatchedPrevent(parsed.getName(), buf);
     ctx.deactivate();
 

components/security_apps/ips/ips_ut/configuration.cc

@@ -7,7 +7,7 @@ TEST(configuration, basic_context)
 
     IPSConfiguration::Context ctx1(IPSConfiguration::ContextType::HISTORY, 254);
     EXPECT_EQ(ctx1.getType(), IPSConfiguration::ContextType::HISTORY);
-    EXPECT_EQ(ctx1.getHistorySize(), 254);
+    EXPECT_EQ(ctx1.getHistorySize(), 254u);
 
     IPSConfiguration::Context ctx2(IPSConfiguration::ContextType::NORMAL, 0);
     EXPECT_EQ(ctx2.getType(), IPSConfiguration::ContextType::NORMAL);
@@ -42,7 +42,7 @@ TEST(configuration, read_configuration)
 
     auto body = conf.getContext("HTTP_REQUEST_BODY");
     EXPECT_EQ(body.getType(), IPSConfiguration::ContextType::HISTORY);
-    EXPECT_EQ(conf.getHistorySize("HTTP_REQUEST_BODY"), 100);
+    EXPECT_EQ(conf.getHistorySize("HTTP_REQUEST_BODY"), 100u);
 
     auto header = conf.getContext("HTTP_REQUEST_HEADER");
     EXPECT_EQ(header.getType(), IPSConfiguration::ContextType::KEEP);

components/security_apps/ips/ips_ut/entry_ut.cc

@@ -137,8 +137,8 @@ private:
 TEST_F(EntryTest, basic_inherited_functions)
 {
     EXPECT_EQ(IPSEntry::name(), "IPS");
-    EXPECT_EQ(IPSEntry::currVer(), 0);
+    EXPECT_EQ(IPSEntry::currVer(), 0u);
-    EXPECT_EQ(IPSEntry::minVer(), 0);
+    EXPECT_EQ(IPSEntry::minVer(), 0u);
     EXPECT_NE(IPSEntry::prototype(), nullptr);
     EXPECT_EQ(entry.getListenerName(), IPSEntry::name());
 

components/security_apps/ips/ips_ut/resource_ut.cc

@@ -71,7 +71,7 @@ TEST(resources, basic_resource)
     Singleton::Consume<Config::I_Config>::from(conf)->loadConfiguration(resource);
 
     auto loaded_resources = getSettingWithDefault(IPSSignaturesResource(), "IPS", "protections");
-    EXPECT_EQ(loaded_resources.getSignatures().size(), 2);
+    EXPECT_EQ(loaded_resources.getSignatures().size(), 2u);
     auto version = getSettingWithDefault<string>("", "IPS", "VersionId");
     EXPECT_EQ(version, "1234567");
 }

components/security_apps/layer_7_access_control/layer_7_access_control_ut/layer_7_access_control_ut.cc

@@ -247,7 +247,9 @@ Layer7AccessControlTest::verifyReport(
     string log = reportToStr(report);
     dbgTrace(D_L7_ACCESS_CONTROL) << "Report: " << log;
 
-    if (!source_identifier.empty()) EXPECT_THAT(log, HasSubstr("\"httpSourceId\": \"" + source_identifier + "\""));
+    if (!source_identifier.empty()) {
+        EXPECT_THAT(log, HasSubstr("\"httpSourceId\": \"" + source_identifier + "\""));
+    }
     EXPECT_THAT(log, HasSubstr("\"securityAction\": \"" + security_action + "\""));
     EXPECT_THAT(log, HasSubstr("\"eventName\": \"Access Control External Vendor Reputation\""));
     EXPECT_THAT(log, HasSubstr("\"httpHostName\": \"juice-shop.checkpoint.com\""));

components/security_apps/local_policy_mgmt_gen/appsec_practice_section.cc

@@ -404,6 +404,7 @@ AppsecPracticeAntiBotSection::save(cereal::JSONOutputArchive &out_ar) const
 }
 
 // LCOV_EXCL_START Reason: no test exist
+// Used for V1Beta1
 WebAppSection::WebAppSection(
     const string &_application_urls,
     const string &_asset_id,
@@ -417,7 +418,7 @@ WebAppSection::WebAppSection(
     const LogTriggerSection &parsed_log_trigger,
     const string &default_mode,
     const AppSecTrustedSources &parsed_trusted_sources,
-    const vector<InnerException> &parsed_exceptions)
+    const std::map<std::string, std::vector<InnerException>> &exceptions)
     :
     application_urls(_application_urls),
     asset_id(_asset_id),
@@ -449,8 +450,11 @@ WebAppSection::WebAppSection(
         overrides.push_back(AppSecOverride(source_ident));
     }
 
-    for (const InnerException &exception : parsed_exceptions) {
+    for (const auto &exception : exceptions) {
-        overrides.push_back(AppSecOverride(exception));
+
+        for (const auto &inner_exception : exception.second) {
+            overrides.push_back(AppSecOverride(inner_exception));
+        }
     }
 }
 

components/security_apps/local_policy_mgmt_gen/exceptions_section.cc

@@ -146,7 +146,9 @@ AppsecException::load(cereal::JSONInputArchive &archive_in)
 {
     dbgTrace(D_LOCAL_POLICY) << "Loading AppSec exception";
     parseAppsecJSONKey<string>("name", name, archive_in);
-    archive_in(CEREAL_NVP(exception_spec));
+    AppsecExceptionSpec single_exception_spec;
+    single_exception_spec.load(archive_in);
+    exception_spec.push_back(single_exception_spec);
 }
 
 void
@@ -174,7 +176,7 @@ ExceptionMatch::ExceptionMatch(const AppsecExceptionSpec &parsed_exception)
 {
     bool single_condition = parsed_exception.isOneCondition();
     for (auto &attrib : attributes) {
-        auto &attrib_name = attrib.first;
+        auto attrib_name = (attrib.first == "sourceIp" ? "sourceIP" : attrib.first);
         auto &attrib_getter = attrib.second;
         auto exceptions_value = attrib_getter(parsed_exception);
         if (exceptions_value.empty()) continue;

components/security_apps/local_policy_mgmt_gen/include/appsec_practice_section.h

@@ -275,7 +275,7 @@ public:
         const LogTriggerSection &parsed_log_trigger,
         const std::string &default_mode,
         const AppSecTrustedSources &parsed_trusted_sources,
-        const std::vector<InnerException> &parsed_exceptions
+        const std::map<std::string, std::vector<InnerException>> &exceptions
     );
 
     // used for V1beta2

components/security_apps/local_policy_mgmt_gen/include/exceptions_section.h

@@ -44,7 +44,7 @@ public:
     bool isOneCondition() const;
 
 private:
-    int conditions_number;
+    int conditions_number = 0;
     std::string action;
     std::vector<std::string> country_code;
     std::vector<std::string> country_name;

components/security_apps/local_policy_mgmt_gen/k8s_policy_utils.cc

@@ -543,21 +543,25 @@ K8sPolicyUtils::createPolicy(
     }
 
     for (const IngressDefinedRule &rule : item.getSpec().getRules()) {
-        string url = rule.getHost();
+        string host = rule.getHost();
         for (const IngressRulePath &uri : rule.getPathsWrapper().getRulePaths()) {
-            if (!appsec_policy.getAppsecPolicySpec().isAssetHostExist(url + uri.getPath())) {
+            if (uri.getPath() != "/") {
+                host = host + uri.getPath();
+            }
+            if (!appsec_policy.getAppsecPolicySpec().isAssetHostExist(host)) {
                 dbgTrace(D_LOCAL_POLICY)
                     << "Inserting Host data to the specific asset set:"
                     << "URL: '"
-                    << url
+                    << rule.getHost()
                     << "' uri: '"
                     << uri.getPath()
                     << "'";
-                K ingress_rule = K(url + uri.getPath());
+                K ingress_rule = K(host);
                 policies[annotations_values[AnnotationKeys::PolicyKey]].addSpecificRule(ingress_rule);
             }
         }
     }
+
 }
 
 std::tuple<map<string, AppsecLinuxPolicy>, map<string, V1beta2AppsecLinuxPolicy>>

components/security_apps/local_policy_mgmt_gen/policy_maker_utils.cc

@@ -21,6 +21,7 @@
 using namespace std;
 
 USE_DEBUG_FLAG(D_NGINX_POLICY);
+USE_DEBUG_FLAG(D_LOCAL_POLICY);
 
 void
 SecurityAppsWrapper::save(cereal::JSONOutputArchive &out_ar) const
@@ -185,6 +186,33 @@ PolicyMakerUtils::dumpPolicyToFile(
     return policy_str;
 }
 
+template<class R>
+vector<string>
+extractExceptionAnnotationNames(
+    const R &parsed_rule,
+    const R &default_rule,
+    const string &policy_name)
+{
+    vector<string> annotation_names;
+
+    const R &rule = (!parsed_rule.getExceptions().empty() ? parsed_rule : default_rule);
+    for (const string &exception_name : rule.getExceptions()) {
+        if (exception_name.empty()) {
+            continue;
+        }
+
+        const auto policy_exception = policy_name + "/" + exception_name;
+
+        dbgTrace(D_NGINX_POLICY) << "Adding " << policy_exception << " to exception vector";
+
+        annotation_names.push_back(policy_exception);
+    }
+
+    dbgTrace(D_NGINX_POLICY) << "Number of exceptions related to rule: " << annotation_names.size();
+
+    return annotation_names;
+}
+
 template<class R>
 map<AnnotationTypes, string>
 extractAnnotationsNames(
@@ -217,18 +245,6 @@ extractAnnotationsNames(
         rule_annotation[AnnotationTypes::TRIGGER] = policy_name + "/" + trigger_annotation_name;
     }
 
-    string exception_annotation_name;
-    // TBD: support multiple exceptions
-    if (!parsed_rule.getExceptions().empty() && !parsed_rule.getExceptions()[0].empty()) {
-        exception_annotation_name = parsed_rule.getExceptions()[0];
-    } else if (!default_rule.getExceptions().empty() && !default_rule.getExceptions()[0].empty()) {
-        exception_annotation_name = default_rule.getExceptions()[0];
-    }
-
-    if (!exception_annotation_name.empty()) {
-        rule_annotation[AnnotationTypes::EXCEPTION] = policy_name + "/" + exception_annotation_name;
-    }
-
     string web_user_res_annotation_name =
         parsed_rule.getCustomResponse().empty() ?
         default_rule.getCustomResponse() :
@@ -444,6 +460,7 @@ template<class T, class R>
 R
 getAppsecExceptionSpec(const string &exception_annotation_name, const T &policy)
 {
+    dbgFlow(D_NGINX_POLICY) << "anotation name: " << exception_annotation_name;
     auto exceptions_vec = policy.getAppsecExceptions();
     auto exception_it = extractElement(exceptions_vec.begin(), exceptions_vec.end(), exception_annotation_name);
 
@@ -776,6 +793,7 @@ createExceptionSection(
     const string &exception_annotation_name,
     const T &policy)
 {
+    dbgFlow(D_NGINX_POLICY) << "exception annotation name" << exception_annotation_name;
     AppsecException exception_spec =
         getAppsecExceptionSpec<T, AppsecException>(exception_annotation_name, policy);
     vector<InnerException> res;
@@ -784,6 +802,7 @@ createExceptionSection(
         ExceptionBehavior exception_behavior(exception.getAction());
         res.push_back(InnerException(exception_behavior, exception_match));
     }
+
     return res;
 }
 
@@ -896,13 +915,16 @@ createMultiRulesSections(
     const string &web_user_res_vec_id,
     const string &web_user_res_vec_type,
     const string &asset_name,
-    const string &exception_name,
+    const std::map<std::string, std::vector<InnerException>> &exceptions)
-    const vector<InnerException> &exceptions)
 {
     PracticeSection practice = PracticeSection(practice_id, practice_type, practice_name);
     vector<ParametersSection> exceptions_result;
     for (auto exception : exceptions) {
-        exceptions_result.push_back(ParametersSection(exception.getBehaviorId(), exception_name));
+
+        const auto &exception_name = exception.first;
+        for (const auto &inner_exception : exception.second) {
+            exceptions_result.push_back(ParametersSection(inner_exception.getBehaviorId(), exception_name));
+        }
     }
 
     vector<RulesTriggerSection> triggers;
@@ -1344,6 +1366,7 @@ PolicyMakerUtils::combineElementsToPolicy(const string &policy_version)
             convertMapToVector(log_triggers), convertMapToVector(web_user_res_triggers)
         )
     );
+
     ExceptionsWrapper exceptions_section({
         ExceptionsRulebase(convertExceptionsMapToVector(inner_exceptions))
     });
@@ -1381,6 +1404,7 @@ PolicyMakerUtils::createPolicyElementsByRule(
     const string &policy_name)
 {
     map<AnnotationTypes, string> rule_annotations = extractAnnotationsNames(rule, default_rule, policy_name);
+
     if (
         !rule_annotations[AnnotationTypes::TRIGGER].empty() &&
         !log_triggers.count(rule_annotations[AnnotationTypes::TRIGGER])
@@ -1403,15 +1427,27 @@ PolicyMakerUtils::createPolicyElementsByRule(
             );
     }
 
-    if (
+    const auto exceptions_annotations = extractExceptionAnnotationNames(rule, default_rule, policy_name);
-        !rule_annotations[AnnotationTypes::EXCEPTION].empty() &&
+    std::map<std::string, std::vector<InnerException>> rule_inner_exceptions;
-        !inner_exceptions.count(rule_annotations[AnnotationTypes::EXCEPTION])
+    if (!exceptions_annotations.empty()) {
-    ) {
+        for (const auto &exception_name :exceptions_annotations) {
-        inner_exceptions[rule_annotations[AnnotationTypes::EXCEPTION]] =
+            dbgWarning(D_LOCAL_POLICY) << "exceptions name: " << exception_name;
-            createExceptionSection<T>(
+
-                rule_annotations[AnnotationTypes::EXCEPTION],
+            if (rule_inner_exceptions.count(exception_name)) {
-                policy
+                dbgWarning(D_LOCAL_POLICY) << "exception name already exists for that rule: " << exception_name;
-            );
+                continue;
+            }
+
+            if (inner_exceptions.count(exception_name)) {
+                dbgWarning(D_LOCAL_POLICY) << "exception name already exists in inner exceptions: " << exception_name;
+                rule_inner_exceptions[exception_name] = inner_exceptions[exception_name];
+                continue;
+            }
+
+            auto exception_section = createExceptionSection<T>(exception_name, policy);
+            rule_inner_exceptions[exception_name] = exception_section;
+            inner_exceptions[exception_name] = exception_section;
+        }
     }
 
     if (
@@ -1470,8 +1506,7 @@ PolicyMakerUtils::createPolicyElementsByRule(
             web_user_res_triggers[rule_annotations[AnnotationTypes::WEB_USER_RES]].getTriggerId(),
             "WebUserResponse",
             full_url,
-            rule_annotations[AnnotationTypes::EXCEPTION],
+            rule_inner_exceptions
-            inner_exceptions[rule_annotations[AnnotationTypes::EXCEPTION]]
         );
         rules_config[rule_config.getAssetName()] = rule_config;
 
@@ -1498,7 +1533,7 @@ PolicyMakerUtils::createPolicyElementsByRule(
                 log_triggers[rule_annotations[AnnotationTypes::TRIGGER]],
                 rule.getMode(),
                 trusted_sources[rule_annotations[AnnotationTypes::TRUSTED_SOURCES]],
-                inner_exceptions[rule_annotations[AnnotationTypes::EXCEPTION]]
+                rule_inner_exceptions
             );
             web_apps[rule_config.getAssetName()] = web_app;
         }

components/security_apps/orchestration/downloader/downloader_ut/downloader_ut.cc

@@ -1,3 +1,7 @@
+#include <sstream>
+class Package;
+static std::ostream & operator<<(std::ostream &os, const Package &) { return os; }
+
 #include "cptest.h"
 #include "config.h"
 #include "config_component.h"

components/security_apps/orchestration/include/updates_process_event.h

@@ -35,6 +35,8 @@ enum class UpdatesFailureReason {
     INSTALL_PACKAGE,
     CHECKSUM_UNMATCHED,
     POLICY_CONFIGURATION,
+    SERVISE_CONFIGURATION,
+    SERVISE_CONFIGURATION_TIMEOUT,
     POLICY_FOG_CONFIGURATION,
     NONE
 
@@ -57,6 +59,8 @@ convertUpdatesFailureReasonToStr(UpdatesFailureReason reason)
         case UpdatesFailureReason::INSTALL_PACKAGE : return "INSTALL_PACKAGE";
         case UpdatesFailureReason::CHECKSUM_UNMATCHED : return "CHECKSUM_UNMATCHED";
         case UpdatesFailureReason::POLICY_CONFIGURATION : return "POLICY_CONFIGURATION";
+        case UpdatesFailureReason::SERVISE_CONFIGURATION : return "SERVISE_CONFIGURATION";
+        case UpdatesFailureReason::SERVISE_CONFIGURATION_TIMEOUT : return "SERVISE_CONFIGURATION_TIMEOUT";
         case UpdatesFailureReason::POLICY_FOG_CONFIGURATION : return "POLICY_FOG_CONFIGURATION";
         case UpdatesFailureReason::NONE : return "NONE";
     }

components/security_apps/orchestration/include/updates_process_reporter.h

@@ -21,20 +21,24 @@
 #include "config.h"
 #include "debug.h"
 #include "i_orchestration_status.h"
+#include "i_service_controller.h"
 #include "health_check_status/health_check_status.h"
 #include "updates_process_event.h"
 #include "updates_process_report.h"
 
-class UpdatesProcessReporter : public Listener<UpdatesProcessEvent>
+class UpdatesProcessReporter
+        :
+    public Listener<UpdatesProcessEvent>,
+    Singleton::Consume<I_ServiceController>
 {
 public:
     void upon(const UpdatesProcessEvent &event) override;
 
 private:
-    void sendReoprt();
+    void sendReoprt(const std::string &version);
 
     static std::vector<UpdatesProcessReport> reports;
-    uint report_failure_count = 0;
+    std::map<std::string, uint> report_failure_count_map;
 };
 
 #endif // __UPDATES_PROCESS_REPORTER_H__

components/security_apps/orchestration/manifest_controller/manifest_controller_ut/manifest_controller_ut.cc

@@ -1,3 +1,7 @@
+#include <sstream>
+class Package;
+static std::ostream & operator<<(std::ostream &os, const Package &) { return os; }
+
 #include "manifest_controller.h"
 
 #include <vector>

components/security_apps/orchestration/modules/modules_ut/orchestration_policy_ut.cc

@@ -43,8 +43,8 @@ TEST_F(PolicyTest, serialization)
         ASSERT_TRUE(false) << "Cereal threw an exception: " << e.what();
     }
 
-    EXPECT_EQ(15, orchestration_policy.getErrorSleepInterval());
+    EXPECT_EQ(15u, orchestration_policy.getErrorSleepInterval());
-    EXPECT_EQ(20, orchestration_policy.getSleepInterval());
+    EXPECT_EQ(20u, orchestration_policy.getSleepInterval());
     EXPECT_EQ("http://10.0.0.18:81/control/", orchestration_policy.getFogAddress());
 }
 
@@ -63,8 +63,8 @@ TEST_F(PolicyTest, noAgentType)
         ASSERT_TRUE(false) << "Cereal threw an exception: " << e.what();
     }
 
-    EXPECT_EQ(15, orchestration_policy.getErrorSleepInterval());
+    EXPECT_EQ(15u, orchestration_policy.getErrorSleepInterval());
-    EXPECT_EQ(20, orchestration_policy.getSleepInterval());
+    EXPECT_EQ(20u, orchestration_policy.getSleepInterval());
     EXPECT_EQ("http://10.0.0.18:81/control/", orchestration_policy.getFogAddress());
 }
 
@@ -83,8 +83,8 @@ TEST_F(PolicyTest, zeroSleepIntervels)
         ASSERT_TRUE(false) << "Cereal threw an exception: " << e.what();
     }
 
-    EXPECT_EQ(0, orchestration_policy.getErrorSleepInterval());
+    EXPECT_EQ(0u, orchestration_policy.getErrorSleepInterval());
-    EXPECT_EQ(0, orchestration_policy.getSleepInterval());
+    EXPECT_EQ(0u, orchestration_policy.getSleepInterval());
     EXPECT_EQ("http://10.0.0.18:81/control/", orchestration_policy.getFogAddress());
 }
 
@@ -152,7 +152,7 @@ TEST_F(PolicyTest, newOptionalFields)
         ASSERT_TRUE(false) << "Cereal threw an exception: " << e.what();
     }
 
-    EXPECT_EQ(10, orchestration_policy.getErrorSleepInterval());
+    EXPECT_EQ(10u, orchestration_policy.getErrorSleepInterval());
-    EXPECT_EQ(30, orchestration_policy.getSleepInterval());
+    EXPECT_EQ(30u, orchestration_policy.getSleepInterval());
     EXPECT_EQ("https://fog-api-gw-agents.cloud.ngen.checkpoint.com", orchestration_policy.getFogAddress());
 }

components/security_apps/orchestration/modules/modules_ut/orchestration_status_ut.cc

@@ -1,3 +1,7 @@
+#include <sstream>
+class Package;
+static std::ostream & operator<<(std::ostream &os, const Package &) { return os; }
+
 #include "orchestration_status.h"
 
 #include <string>

components/security_apps/orchestration/modules/modules_ut/url_parser_ut.cc

@@ -1,3 +1,7 @@
+#include <sstream>
+class Package;
+static std::ostream & operator<<(std::ostream &os, const Package &) { return os; }
+
 #include "url_parser.h"
 
 #include "cptest.h"

components/security_apps/orchestration/orchestration_ut/orchestration_multitenant_ut.cc

@@ -1,3 +1,7 @@
+#include <sstream>
+class Package;
+std::ostream & operator<<(std::ostream &os, const Package &) { return os; }
+
 #include "orchestration_comp.h"
 
 #include "cptest.h"
@@ -471,6 +475,9 @@ TEST_F(OrchestrationMultitenancyTest, handle_virtual_resource)
         )
     ).WillOnce(Return(Maybe<void>()));
 
+    string version = "1";
+    EXPECT_CALL(mock_service_controller, getUpdatePolicyVersion()).WillOnce(ReturnRef(version));
+
     EXPECT_CALL(
         mock_service_controller,
         updateServiceConfiguration(

components/security_apps/orchestration/orchestration_ut/orchestration_ut.cc

@@ -1,3 +1,7 @@
+#include <sstream>
+class Package;
+std::ostream & operator<<(std::ostream &os, const Package &) { return os; }
+
 #include "orchestration_comp.h"
 
 #include "cptest.h"
@@ -380,6 +384,10 @@ TEST_F(OrchestrationTest, hybridModeRegisterLocalAgentRoutine)
     EXPECT_CALL(mock_status, setLastUpdateAttempt());
     EXPECT_CALL(mock_status, setIsConfigurationUpdated(_));
 
+    string version = "1";
+    EXPECT_CALL(mock_service_controller, getUpdatePolicyVersion()).WillOnce(ReturnRef(version));
+
+
     EXPECT_CALL(mock_ml, yield(A<chrono::microseconds>()))
         .WillOnce(Return())
         .WillOnce(Invoke([] (chrono::microseconds) { throw invalid_argument("stop while loop"); }));
@@ -587,6 +595,9 @@ TEST_F(OrchestrationTest, check_sending_registration_data)
     EXPECT_CALL(mock_status, setLastUpdateAttempt());
     EXPECT_CALL(mock_status, setIsConfigurationUpdated(_));
 
+    string version = "1";
+    EXPECT_CALL(mock_service_controller, getUpdatePolicyVersion()).WillOnce(ReturnRef(version));
+
     EXPECT_CALL(mock_ml, yield(A<chrono::microseconds>()))
         .WillOnce(Return())
         .WillOnce(Invoke([] (chrono::microseconds) { throw invalid_argument("stop while loop"); }));
@@ -718,6 +729,9 @@ TEST_F(OrchestrationTest, orchestrationPolicyUpdatRollback)
     EXPECT_CALL(mock_status, setPolicyVersion(third_val));
     EXPECT_CALL(mock_status, setPolicyVersion(second_val));
 
+    string version = "1";
+    EXPECT_CALL(mock_service_controller, getUpdatePolicyVersion()).WillOnce(ReturnRef(version));
+
     string policy_versions;
     EXPECT_CALL(mock_service_controller, getPolicyVersions()).WillRepeatedly(ReturnRef(policy_versions));
     EXPECT_CALL(mock_update_communication, sendPolicyVersion("13", _)).Times(1).WillOnce(Return(Maybe<void>()));
@@ -895,6 +909,9 @@ TEST_F(OrchestrationTest, orchestrationPolicyUpdate)
     );
     EXPECT_CALL(mock_status, setPolicyVersion(third_val));
 
+    string version = "1";
+    EXPECT_CALL(mock_service_controller, getUpdatePolicyVersion()).WillOnce(ReturnRef(version));
+
     string policy_versions;
     EXPECT_CALL(mock_service_controller, getPolicyVersions()).WillRepeatedly(ReturnRef(policy_versions));
     EXPECT_CALL(mock_update_communication, sendPolicyVersion("13", _)).Times(1).WillOnce(Return(Maybe<void>()));
@@ -1112,6 +1129,9 @@ TEST_F(OrchestrationTest, manifestUpdate)
         )
     );
 
+    string version = "1";
+    EXPECT_CALL(mock_service_controller, getUpdatePolicyVersion()).WillOnce(ReturnRef(version));
+
     GetResourceFile manifest_file(GetResourceFile::ResourceFileType::MANIFEST);
     EXPECT_CALL(mock_downloader,
         downloadFile(
@@ -1150,6 +1170,8 @@ TEST_F(OrchestrationTest, manifestUpdate)
 
 TEST_F(OrchestrationTest, getBadPolicyUpdate)
 {
+    Debug::setUnitTestFlag(D_UPDATES_PROCESS_REPORTER, Debug::DebugLevel::NOISE);
+
     EXPECT_CALL(
         rest,
         mockRestCall(RestAction::ADD, "proxy", _)
@@ -1196,6 +1218,13 @@ TEST_F(OrchestrationTest, getBadPolicyUpdate)
     EXPECT_CALL(mock_orchestration_tools, calculateChecksum(Package::ChecksumTypes::SHA256, data_file_path))
         .WillOnce(Return(data_checksum));
 
+    string manifest = "";
+    string policy = "111111";
+    string setting = "";
+
+    string second_val = "12";
+    string third_val = "13";
+    EXPECT_CALL(mock_service_controller, getUpdatePolicyVersion()).WillRepeatedly(ReturnRef(third_val));
     Maybe<string> new_policy_checksum(string("111111"));
 
     GetResourceFile policy_file(GetResourceFile::ResourceFileType::POLICY);
@@ -1207,12 +1236,6 @@ TEST_F(OrchestrationTest, getBadPolicyUpdate)
             policy_file
         )
     ).WillOnce(Return(Maybe<std::string>(string(new_policy_path))));
-    string manifest = "";
-    string policy = "111111";
-    string setting = "";
-
-    string second_val = "12";
-    string third_val = "13";
     EXPECT_CALL(mock_service_controller, getPolicyVersion())
         .Times(4)
         .WillOnce(ReturnRef(first_policy_version))
@@ -1246,8 +1269,6 @@ TEST_F(OrchestrationTest, getBadPolicyUpdate)
         )
     );
 
-    EXPECT_CALL(mock_service_controller, getUpdatePolicyVersion()).WillRepeatedly(ReturnRef(third_val));
-
     EXPECT_CALL(
         mock_service_controller,
         updateServiceConfiguration(string("policy path"), "", expected_data_types, "", "", _)
@@ -1341,6 +1362,9 @@ TEST_F(OrchestrationTest, failedDownloadSettings)
 
     EXPECT_CALL(mock_status, setLastUpdateAttempt());
 
+    string version = "1";
+    EXPECT_CALL(mock_service_controller, getUpdatePolicyVersion()).WillOnce(ReturnRef(version));
+
     string manifest_err =
         "Critical Error: Agent/Gateway was not fully deployed on host 'hostname' "
         "and is not enforcing a security policy. Retry installation or contact Check Point support.";
@@ -1456,6 +1480,10 @@ TEST_P(OrchestrationTest, orchestrationFirstRun)
             }
         )
     );
+
+    string version = "1";
+    EXPECT_CALL(mock_service_controller, getUpdatePolicyVersion()).WillOnce(ReturnRef(version));
+
     EXPECT_CALL(mock_service_controller, getPolicyVersion()).WillRepeatedly(ReturnRef(first_policy_version));
     EXPECT_CALL(mock_update_communication, getUpdate(_)).WillOnce(
         Invoke(
@@ -1654,6 +1682,10 @@ TEST_F(OrchestrationTest, dataUpdate)
         .WillOnce(Return(data_instance_checksum));
 
     EXPECT_CALL(mock_service_controller, getPolicyVersion()).WillRepeatedly(ReturnRef(first_policy_version));
+
+    string version = "1";
+    EXPECT_CALL(mock_service_controller, getUpdatePolicyVersion()).WillOnce(ReturnRef(version));
+
     EXPECT_CALL(mock_update_communication, getUpdate(_)).WillOnce(
         Invoke(
             [&](CheckUpdateRequest &req)

components/security_apps/orchestration/package_handler/package_handler_ut/package_handler_ut.cc

@@ -1,3 +1,7 @@
+#include <sstream>
+class Package;
+static std::ostream & operator<<(std::ostream &os, const Package &) { return os; }
+
 #include "package_handler.h"
 
 #include "cptest.h"

components/security_apps/orchestration/service_controller/service_controller.cc

@@ -29,6 +29,7 @@
 #include "i_orchestration_tools.h"
 #include "customized_cereal_map.h"
 #include "declarative_policy_utils.h"
+#include "updates_process_event.h"
 
 using namespace std;
 using namespace ReportIS;
@@ -65,6 +66,13 @@ public:
         }
         if (error.get()) {
             service_controller->updateReconfStatus(id.get(), service_name.get(), ReconfStatus::FAILED);
+            UpdatesProcessEvent(
+                UpdatesProcessResult::FAILED,
+                UpdatesConfigType::GENERAL,
+                UpdatesFailureReason::SERVISE_CONFIGURATION,
+                string(service_name.get() + ", ID: " + to_string(id.get())),
+                (error_message.isActive() ? " Error: " + error_message.get() : "")
+            ).notify();
             dbgError(D_SERVICE_CONTROLLER)
                 << "Request for service reconfiguration failed to complete. ID: "
                 << id.get()
@@ -1028,6 +1036,12 @@ ServiceController::Impl::sendSignalForServices(
     }
 
     dbgDebug(D_SERVICE_CONTROLLER) << "The reconfiguration has reached a timeout";
+    UpdatesProcessEvent(
+        UpdatesProcessResult::FAILED,
+        UpdatesConfigType::GENERAL,
+        UpdatesFailureReason::SERVISE_CONFIGURATION_TIMEOUT,
+        "The reconfiguration has reached a timeout"
+    ).notify();
     services_reconf_status.clear();
     services_reconf_names.clear();
     return genError("The reconfiguration has reached a timeout");

components/security_apps/orchestration/service_controller/service_controller_ut/service_controller_ut.cc

@@ -1,3 +1,7 @@
+#include <sstream>
+class Package;
+static std::ostream & operator<<(std::ostream &os, const Package &) { return os; }
+
 #include "cptest.h"
 #include <string>
 #include "orchestration_tools.h"

components/security_apps/orchestration/update_communication/hybrid_communication.cc

@@ -120,10 +120,9 @@ HybridCommunication::downloadAttributeFile(const GetResourceFile &resourse_file,
 }
 
 Maybe<void>
-HybridCommunication::sendPolicyVersion(const string &policy_version, const string &) const
+HybridCommunication::sendPolicyVersion(const string &, const string &) const
 {
     dbgFlow(D_ORCHESTRATOR);
-    policy_version.empty();
     return Maybe<void>();
 }
 

components/security_apps/orchestration/updates_process_reporter/updates_process_event.cc

@@ -111,6 +111,18 @@ UpdatesProcessEvent::parseDescription() const
             err << "Failed to configure the fog address: " << detail << ". Error: " << description;
             break;
         }
+        case UpdatesFailureReason::SERVISE_CONFIGURATION : {
+            err
+                << "Request for service reconfiguration failed to complete. Service name: "
+                << detail
+                << ". Error: "
+                << description;
+            break;
+        }
+        case UpdatesFailureReason::SERVISE_CONFIGURATION_TIMEOUT : {
+            err << detail;
+            break;
+        }
         case UpdatesFailureReason::ORCHESTRATION_SELF_UPDATE : {
             err << description;
             break;
@@ -170,6 +182,14 @@ UpdatesProcessEvent::getDescriptionWithoutErrors() const
             err << "Failed to configure the fog address: " << detail;
             break;
         }
+        case UpdatesFailureReason::SERVISE_CONFIGURATION : {
+            err << "Request for service reconfiguration failed to complete. Service name: " << detail;
+            break;
+        }
+        case UpdatesFailureReason::SERVISE_CONFIGURATION_TIMEOUT : {
+            err << detail;
+            break;
+        }
         case UpdatesFailureReason::ORCHESTRATION_SELF_UPDATE : {
             err << description;
             break;

components/security_apps/orchestration/updates_process_reporter/updates_process_reporter.cc

@@ -29,14 +29,21 @@ void
 UpdatesProcessReporter::upon(const UpdatesProcessEvent &event)
 {
     if (event.getReason() == UpdatesFailureReason::CHECK_UPDATE) {
+        auto i_controller = Singleton::Consume<I_ServiceController>::by<UpdatesProcessReporter>();
+        string version = i_controller->getUpdatePolicyVersion();
         if (event.getResult() == UpdatesProcessResult::SUCCESS && reports.empty()) {
             dbgTrace(D_UPDATES_PROCESS_REPORTER) << "Update proccess finished successfully";
-            report_failure_count = 0;
+            report_failure_count_map.erase(version);
             return;
         }
-        dbgTrace(D_UPDATES_PROCESS_REPORTER) << "Update proccess finished with errors";
+        if (report_failure_count_map.find(version) == report_failure_count_map.end()) {
-        report_failure_count++;
+            report_failure_count_map[version] = 0;
-        if (report_failure_count <= 1) {
+        }
+        report_failure_count_map[version]++;
+        dbgTrace(D_UPDATES_PROCESS_REPORTER)
+            << "Update proccess finished with errors. Count: "
+            << report_failure_count_map[version];
+        if (report_failure_count_map[version] <= 1) {
             reports.clear();
             return;
         }
@@ -48,7 +55,7 @@ UpdatesProcessReporter::upon(const UpdatesProcessEvent &event)
                 event.parseDescription()
             )
         );
-        sendReoprt();
+        sendReoprt(version);
         return;
     }
     if (event.getResult() == UpdatesProcessResult::SUCCESS || event.getResult() == UpdatesProcessResult::UNSET) return;
@@ -58,12 +65,13 @@ UpdatesProcessReporter::upon(const UpdatesProcessEvent &event)
 }
 
 void
-UpdatesProcessReporter::sendReoprt()
+UpdatesProcessReporter::sendReoprt(const string &version)
 {
     stringstream full_reports;
     UpdatesFailureReason failure_reason = UpdatesFailureReason::NONE;
     full_reports << "Updates process reports:" << endl;
-    full_reports << "report failure count:" << report_failure_count << endl;
+    full_reports << "Policy version: " << version << endl;
+    full_reports << "report failure count:" << report_failure_count_map[version] << endl;
     for (const auto &report : reports) {
         if (report.getReason() != UpdatesFailureReason::CHECK_UPDATE) {
             failure_reason = report.getReason();

components/utils/generic_rulebase/evaluators/trigger_eval.cc

@@ -50,7 +50,7 @@ TriggerMatcher::evalVariable() const
         << "Trying to match trigger. ID: "
         << trigger_id << ", Current set IDs: "
         << makeSeparatedStr(bc_trigger_id_ctx.ok() ? *bc_trigger_id_ctx : set<GenericConfigId>(), ", ");
-    if (bc_trigger_id_ctx.ok() && bc_trigger_id_ctx.unpack().count(trigger_id) > 0 ) return true;
+    if (bc_trigger_id_ctx.ok()) return bc_trigger_id_ctx.unpack().count(trigger_id) > 0;
 
     auto rule = getConfiguration<BasicRuleConfig>("rulebase", "rulesConfig");
     return rule.ok() && rule.unpack().isTriggerActive(trigger_id);

core/attachments/http_configuration/http_configuration_ut/http_configuration_ut.cc

@@ -71,24 +71,24 @@ TEST_F(HttpAttachmentUtilTest, GetValidAttachmentConfiguration)
 
     HttpAttachmentConfiguration conf_data_out;
     EXPECT_EQ(conf_data_out.init(attachment_configuration_file_name), 1);
-    EXPECT_EQ(conf_data_out.getNumericalValue("is_fail_open_mode_enabled"), 0);
+    EXPECT_EQ(conf_data_out.getNumericalValue("is_fail_open_mode_enabled"), 0u);
-    EXPECT_EQ(conf_data_out.getNumericalValue("fail_open_timeout"), 1234);
+    EXPECT_EQ(conf_data_out.getNumericalValue("fail_open_timeout"), 1234u);
-    EXPECT_EQ(conf_data_out.getNumericalValue("is_fail_open_mode_hold_enabled"), 0);
+    EXPECT_EQ(conf_data_out.getNumericalValue("is_fail_open_mode_hold_enabled"), 0u);
-    EXPECT_EQ(conf_data_out.getNumericalValue("fail_open_hold_timeout"), 4321);
+    EXPECT_EQ(conf_data_out.getNumericalValue("fail_open_hold_timeout"), 4321u);
     EXPECT_EQ(conf_data_out.getStringValue("sessions_per_minute_limit_verdict"), "Accept");
-    EXPECT_EQ(conf_data_out.getNumericalValue("max_sessions_per_minute"), 0);
+    EXPECT_EQ(conf_data_out.getNumericalValue("max_sessions_per_minute"), 0u);
-    EXPECT_EQ(conf_data_out.getNumericalValue("num_of_nginx_ipc_elements"), 200);
+    EXPECT_EQ(conf_data_out.getNumericalValue("num_of_nginx_ipc_elements"), 200u);
-    EXPECT_EQ(conf_data_out.getNumericalValue("keep_alive_interval_msec"), 10000);
+    EXPECT_EQ(conf_data_out.getNumericalValue("keep_alive_interval_msec"), 10000u);
     EXPECT_EQ(conf_data_out.getNumericalValue("dbg_level"), 2u);
-    EXPECT_EQ(conf_data_out.getNumericalValue("res_proccessing_timeout_msec"), 420);
+    EXPECT_EQ(conf_data_out.getNumericalValue("res_proccessing_timeout_msec"), 420u);
-    EXPECT_EQ(conf_data_out.getNumericalValue("req_proccessing_timeout_msec"), 42);
+    EXPECT_EQ(conf_data_out.getNumericalValue("req_proccessing_timeout_msec"), 42u);
-    EXPECT_EQ(conf_data_out.getNumericalValue("registration_thread_timeout_msec"), 101);
+    EXPECT_EQ(conf_data_out.getNumericalValue("registration_thread_timeout_msec"), 101u);
-    EXPECT_EQ(conf_data_out.getNumericalValue("req_header_thread_timeout_msec"), 10);
+    EXPECT_EQ(conf_data_out.getNumericalValue("req_header_thread_timeout_msec"), 10u);
-    EXPECT_EQ(conf_data_out.getNumericalValue("req_body_thread_timeout_msec"), 155);
+    EXPECT_EQ(conf_data_out.getNumericalValue("req_body_thread_timeout_msec"), 155u);
-    EXPECT_EQ(conf_data_out.getNumericalValue("res_header_thread_timeout_msec"), 1);
+    EXPECT_EQ(conf_data_out.getNumericalValue("res_header_thread_timeout_msec"), 1u);
-    EXPECT_EQ(conf_data_out.getNumericalValue("res_body_thread_timeout_msec"), 80);
+    EXPECT_EQ(conf_data_out.getNumericalValue("res_body_thread_timeout_msec"), 80u);
-    EXPECT_EQ(conf_data_out.getNumericalValue("waiting_for_verdict_thread_timeout_msec"), 60);
+    EXPECT_EQ(conf_data_out.getNumericalValue("waiting_for_verdict_thread_timeout_msec"), 60u);
-    EXPECT_EQ(conf_data_out.getNumericalValue("nginx_inspection_mode"), 1);
+    EXPECT_EQ(conf_data_out.getNumericalValue("nginx_inspection_mode"), 1u);
 }
 
 TEST_F(HttpAttachmentUtilTest, GetMalformedAttachmentConfiguration)

core/config/config.cc

@@ -306,6 +306,7 @@ private:
     string log_files_prefix = "/var/log";
     string default_config_directory_path = "/conf/";
     string config_directory_path = "";
+    string error_to_report = "";
 
     TypeWrapper empty;
 };
@@ -802,6 +803,7 @@ bool
 ConfigComponent::Impl::commitFailure(const string &error)
 {
     dbgError(D_CONFIG) << error;
+    error_to_report = error;
     new_resource_nodes.clear();
     new_configuration_nodes.clear();
     new_settings_nodes.clear();
@@ -937,7 +939,7 @@ ConfigComponent::Impl::reloadConfigurationContinuesWrapper(const string &version
 
     mainloop->stop(routine_id);
     LoadNewConfigurationStatus finished(id, service_name, !res, true);
-    if (!res) finished.setError("Failed to reload configuration");
+    if (!res) finished.setError(error_to_report);
     I_TimeGet *time = Singleton::Consume<I_TimeGet>::by<ConfigComponent>();
     auto send_status_time_out = time->getMonotonicTime() + chrono::seconds(180);
     while (time->getMonotonicTime() < send_status_time_out) {

core/core_ut/cache_ut.cc

@@ -151,10 +151,10 @@ TEST(TempCaching, capacity)
     cache.createEntry(3);
     cache.createEntry(4);
 
-    EXPECT_EQ(cache.size(), 5);
+    EXPECT_EQ(cache.size(), 5u);
-    EXPECT_EQ(cache.capacity(), 0);
+    EXPECT_EQ(cache.capacity(), 0u);
     cache.capacity(3);
-    EXPECT_EQ(cache.size(), 3);
+    EXPECT_EQ(cache.size(), 3u);
     EXPECT_FALSE(cache.doesKeyExists(0));
     EXPECT_FALSE(cache.doesKeyExists(1));
     EXPECT_TRUE(cache.doesKeyExists(2));
@@ -162,7 +162,7 @@ TEST(TempCaching, capacity)
     EXPECT_TRUE(cache.doesKeyExists(4));
 
     cache.createEntry(5);
-    EXPECT_EQ(cache.size(), 3);
+    EXPECT_EQ(cache.size(), 3u);
     EXPECT_FALSE(cache.doesKeyExists(2));
     EXPECT_TRUE(cache.doesKeyExists(3));
     EXPECT_TRUE(cache.doesKeyExists(4));
@@ -170,7 +170,7 @@ TEST(TempCaching, capacity)
 
     cache.capacity(0);
     cache.createEntry(6);
-    EXPECT_EQ(cache.size(), 4);
+    EXPECT_EQ(cache.size(), 4u);
     EXPECT_TRUE(cache.doesKeyExists(3));
     EXPECT_TRUE(cache.doesKeyExists(4));
     EXPECT_TRUE(cache.doesKeyExists(5));
@@ -178,7 +178,7 @@ TEST(TempCaching, capacity)
 
     cache.deleteEntry(5);
     cache.capacity(2);
-    EXPECT_EQ(cache.size(), 2);
+    EXPECT_EQ(cache.size(), 2u);
     EXPECT_TRUE(cache.doesKeyExists(4));
     EXPECT_TRUE(cache.doesKeyExists(6));
 }

core/core_ut/maybe_res_ut.cc

@@ -161,6 +161,7 @@ public:
     public:
         MyValue(int _x) : x(_x) { addObj(this); }
         MyValue(const MyValue &other) : x(other.x) {  addObj(this); }
+        MyValue & operator=(const MyValue &other) = default;
         ~MyValue() { delObj(this); }
         bool operator==(const MyValue &other) const { return x==other.x; }
         bool operator!=(const MyValue &other) const { return x!=other.x; }
@@ -208,9 +209,9 @@ TEST_F(MaybeAssignments, ValValRval)
     Maybe<MyValue, MyValue> m(MyValue(1));
 
     // Change the value
-    EXPECT_EQ(1, m->x);
+    EXPECT_EQ(m->x, 1);
     m = 2;
-    EXPECT_EQ(2, m->x);
+    EXPECT_EQ(m->x, 2);
 }
 
 TEST_F(MaybeAssignments, ValValLval)

core/include/general/common.h

@@ -28,6 +28,7 @@
 #include <memory>
 #include <string>
 #include <vector>
+#include <map>
 #include <sstream>
 #include <iomanip>
 #include <sys/types.h>
@@ -145,6 +146,30 @@ operator<<(ostream &os, const vector<Printable> &obj)
     return os;
 }
 
+// LCOV_EXCL_START Reason: Currently not used in 4.8 coverage but is used in alpine.
+template <typename PrintableKey, typename PrintableValue>
+ostream &
+operator<<(ostream &os, const pair<PrintableKey, PrintableValue> &)
+{
+    // Uncomment when g++ 4.8 is no longer supported
+    // return os << obj.first << ':' << obj.second;
+    return os;
+}
+// LCOL_EXCL_STOP
+
+template <typename PrintableKey, typename PrintableValue>
+ostream &
+operator<<(ostream &os, const map<PrintableKey, PrintableValue> &)
+{
+    // Uncomment when g++ 4.8 is no longer supported
+    // bool first = true;
+    // for (const auto &pair : obj) {
+    //     os << (first ? "" : ", ") << pair;
+    //     first = false;
+    // }
+    return os;
+}
+
 } // namespace std
 
 #endif // __COMMON_H__

core/intelligence_is_v2/intelligence_is_v2_ut/intelligence_comp_v2_ut.cc

@@ -1,3 +1,7 @@
+#include <sstream>
+namespace Intelligence { class Response; }
+std::ostream & operator<<(std::ostream &os, const Intelligence::Response &);
+
 #include "intelligence_comp_v2.h"
 
 #include "config.h"
@@ -642,7 +646,7 @@ TEST_F(IntelligenceComponentTestV2, multiAssetsIntelligenceTest)
     auto maybe_ans = intell->queryIntelligence<Profile>(request);
     EXPECT_TRUE(maybe_ans.ok());
     auto vec = maybe_ans.unpack();
-    EXPECT_EQ(vec.size(), 3);
+    EXPECT_EQ(vec.size(), 3u);
 
     auto iter = vec.begin();
 
@@ -962,11 +966,11 @@ TEST_F(IntelligenceComponentTestV2, pagingQueryTest)
     ).WillOnce(Return(HTTPResponse(HTTPStatusCode::HTTP_OK, paging_in_progress_response_str1)));
 
     request.setAssetsLimit(2);
-    EXPECT_EQ(request.getAssetsLimit(), 2);
+    EXPECT_EQ(request.getAssetsLimit(), 2u);
     auto maybe_ans1 = intell->queryIntelligence<Profile>(request);
     EXPECT_TRUE(maybe_ans1.ok());
     auto vec1 = maybe_ans1.unpack();
-    EXPECT_EQ(vec1.size(), 1);
+    EXPECT_EQ(vec1.size(), 1u);
     EXPECT_EQ(request.isPagingFinished(), false);
 
     EXPECT_CALL(messaging_mock, sendSyncMessage(HTTPMethod::POST, _, _, MessageCategory::INTELLIGENCE, _)
@@ -975,7 +979,7 @@ TEST_F(IntelligenceComponentTestV2, pagingQueryTest)
     auto maybe_ans2 = intell->queryIntelligence<Profile>(request);
     EXPECT_TRUE(maybe_ans2.ok());
     auto vec2 = maybe_ans2.unpack();
-    EXPECT_EQ(vec2.size(), 2);
+    EXPECT_EQ(vec2.size(), 2u);
     EXPECT_EQ(request.isPagingFinished(), false);
 
     EXPECT_CALL(messaging_mock, sendSyncMessage(HTTPMethod::POST, _, _, MessageCategory::INTELLIGENCE, _)
@@ -985,7 +989,7 @@ TEST_F(IntelligenceComponentTestV2, pagingQueryTest)
     if (!maybe_ans3.ok()) cout << maybe_ans3.getErr() + "\n";
     EXPECT_TRUE(maybe_ans3.ok());
     auto vec3 = maybe_ans3.unpack();
-    EXPECT_EQ(vec3.size(), 1);
+    EXPECT_EQ(vec3.size(), 1u);
     EXPECT_EQ(request.isPagingFinished(), true);
 
     vector<AssetReply<Profile>>::iterator assets_iter = vec3.begin();
@@ -1316,7 +1320,6 @@ TEST_F(IntelligenceComponentTestV2, ignoreInProgressQueryTest_2)
     QueryRequest request(Condition::EQUALS, "category", "cloud", true, AttributeKeyType::NONE);
     request.activatePaging();
     request.setAssetsLimit(10);
-    vector<AssetReply<Profile>> objects_reply;
     vector<string> objects_ids;
     do {
         auto object_result = intell->queryIntelligence<Profile>(request, true);
@@ -1325,10 +1328,9 @@ TEST_F(IntelligenceComponentTestV2, ignoreInProgressQueryTest_2)
             break;
         }
 
-        objects_reply = object_result.unpack();
+        if ((*object_result).empty()) break;
-        if (objects_reply.empty()) break;
 
-        for (const AssetReply<Profile> &current_object : objects_reply) {
+        for (const AssetReply<Profile> &current_object : *object_result) {
             if (current_object.getMainAttributes().empty()) {
                 continue;
             }
@@ -1337,5 +1339,5 @@ TEST_F(IntelligenceComponentTestV2, ignoreInProgressQueryTest_2)
         }
     } while (!request.isPagingFinished());
 
-    EXPECT_EQ(objects_ids.size(), 2);
+    EXPECT_EQ(objects_ids.size(), 2u);
 }

core/intelligence_is_v2/intelligence_is_v2_ut/invalidation_ut.cc

@@ -609,7 +609,7 @@ TEST_F(IntelligenceInvalidation, invalidation_callback)
     json << invalidation2.genObject();
     mock_invalidation->performRestCall(json);
 
-    EXPECT_EQ(recieved_invalidations.size(), 1);
+    EXPECT_EQ(recieved_invalidations.size(), 1u);
     EXPECT_EQ(recieved_invalidations[0].getMainAttributes().begin()->getStringSetAttr("attr2").unpack(), vals);
 }
 
@@ -653,7 +653,7 @@ TEST_F(IntelligenceInvalidation, delete_invalidation_callback)
     json << invalidation2.genObject();
     mock_invalidation->performRestCall(json);
 
-    EXPECT_EQ(recieved_invalidations.size(), 0);
+    EXPECT_EQ(recieved_invalidations.size(), 0u);
 }
 
 TEST_F(IntelligenceInvalidation, invalidation_short_handling)
@@ -697,7 +697,7 @@ TEST_F(IntelligenceInvalidation, invalidation_short_handling)
     json << invalidation2.genObject();
     mock_invalidation->performRestCall(json);
 
-    EXPECT_EQ(recieved_invalidations.size(), 0);
+    EXPECT_EQ(recieved_invalidations.size(), 0u);
 }
 
 TEST_F(IntelligenceInvalidation, routine_registration)
@@ -792,7 +792,7 @@ TEST_F(IntelligenceInvalidation, invalidation_flow_with_multiple_assets)
     json1 << not_matching_invalidation.genObject();
     mock_invalidation->performRestCall(json1);
 
-    EXPECT_EQ(recieved_invalidations.size(), 0);
+    EXPECT_EQ(recieved_invalidations.size(), 0u);
 
     auto matching_second_main_attribute = StrAttributes()
         .addStringAttr("attr3", "3");
@@ -808,7 +808,7 @@ TEST_F(IntelligenceInvalidation, invalidation_flow_with_multiple_assets)
     json2 << matching_invalidation.genObject();
     mock_invalidation->performRestCall(json2);
 
-    EXPECT_EQ(recieved_invalidations.size(), 1);
+    EXPECT_EQ(recieved_invalidations.size(), 1u);
 }
 
 TEST_F(IntelligenceInvalidation, invalidation_cb_match_2_registred_assets)
@@ -868,7 +868,7 @@ TEST_F(IntelligenceInvalidation, invalidation_cb_match_2_registred_assets)
     json << matching_invalidation.genObject();
     mock_invalidation->performRestCall(json);
 
-    EXPECT_EQ(recieved_invalidations.size(), 2);
+    EXPECT_EQ(recieved_invalidations.size(), 2u);
 }
 
 TEST_F(IntelligenceInvalidation, invalidation_cb_match_by_registration_id)
@@ -931,5 +931,5 @@ TEST_F(IntelligenceInvalidation, invalidation_cb_match_by_registration_id)
     cout << json.str() << endl;
     mock_invalidation->performRestCall(json);
 
-    EXPECT_EQ(recieved_invalidations.size(), 1);
+    EXPECT_EQ(recieved_invalidations.size(), 1u);
 }

core/intelligence_is_v2/intelligence_is_v2_ut/json_stream_ut.cc

@@ -42,7 +42,7 @@ addSlashesToSpecialChars(const string &input)
         case '\"':
         case '\\':
             output += '\\';
-            //no break
+            // fallthrough
         default:
             output += c;
             break;

core/intelligence_is_v2/intelligence_is_v2_ut/query_request_v2_ut.cc

@@ -136,12 +136,12 @@ TEST(QueryRequestTestV2, AttributesTest)
     request.setRequestedAttr("countryName");
     SerializableAttributesMap request_attributes_map2 = request.getRequestedAttributes();
 
-    EXPECT_EQ(request_attributes_map2.getAttributeByKey("attributes.countryName"), 500);
+    EXPECT_EQ(request_attributes_map2.getAttributeByKey("attributes.countryName"), 500u);
 
     request.setRequestedAttr("reputationSeverity", 30);
     SerializableAttributesMap request_attributes_map3 = request.getRequestedAttributes();
 
-    EXPECT_EQ(request_attributes_map3.getAttributeByKey("attributes.reputationSeverity"), 30);
+    EXPECT_EQ(request_attributes_map3.getAttributeByKey("attributes.reputationSeverity"), 30u);
 
     string output_json =
     "{\n"

core/intelligence_is_v2/intelligence_is_v2_ut/query_response_v2_ut.cc

@@ -155,13 +155,13 @@ TEST(QueryResponseTestV2, QueryResponseTestV2)
         obj2.loadFromJson(ss.str());
     }
 
-    EXPECT_EQ(obj.getAmountOfAssets(), 2);
+    EXPECT_EQ(obj.getAmountOfAssets(), 2u);
-    EXPECT_EQ(obj2.getAmountOfAssets(), 2);
+    EXPECT_EQ(obj2.getAmountOfAssets(), 2u);
     EXPECT_EQ(obj.getResponseStatus(), ResponseStatus::DONE);
     EXPECT_EQ(obj2.getResponseStatus(), ResponseStatus::DONE);
-    EXPECT_EQ(obj.getData().begin()->getAssetSchemaVersion(), 1);
+    EXPECT_EQ(obj.getData().begin()->getAssetSchemaVersion(), 1u);
     EXPECT_EQ(obj.getData().begin()->getAssetType(), "workload-cloud-ip");
-    EXPECT_EQ(obj.getData().begin()->getAssetTypeSchemaVersion(), 1);
+    EXPECT_EQ(obj.getData().begin()->getAssetTypeSchemaVersion(), 1u);
     EXPECT_EQ(obj.getData().begin()->getAssetPermissionGroupId(), "some-group-id");
     EXPECT_EQ(obj.getData().begin()->getAssetName(), "[1.1.1.1]");
     EXPECT_EQ(obj.getData().begin()->getAssetClass(), "workload");
@@ -188,7 +188,7 @@ TEST(QueryResponseTestV2, QueryResponseTestV2)
     EXPECT_EQ(soucres_it->getAssetId(), "50255c3172b4fb7fda93025f0bfaa7abefd1");
     EXPECT_EQ(soucres_it->getTTL(), chrono::seconds(120));
     EXPECT_EQ(soucres_it->getExpirationTime(), "2020-07-29T11:21:12.253Z");
-    EXPECT_EQ(soucres_it->getConfidence(), 500);
+    EXPECT_EQ(soucres_it->getConfidence(), 500u);
     EXPECT_EQ(soucres_it->getAttributes().begin()->getData().toString(), "red");
     EXPECT_EQ(soucres_it->getAttributes().begin()->getData1().toString(), "Omry");
 
@@ -198,15 +198,15 @@ TEST(QueryResponseTestV2, QueryResponseTestV2)
     EXPECT_EQ(soucres_it->getAssetId(), "cb068860528cb6bfb000cc35e79f11aeefed2");
     EXPECT_EQ(soucres_it->getTTL(), chrono::seconds(120));
     EXPECT_EQ(soucres_it->getExpirationTime(), "2020-07-29T11:21:12.253Z");
-    EXPECT_EQ(soucres_it->getConfidence(), 600);
+    EXPECT_EQ(soucres_it->getConfidence(), 600u);
     EXPECT_EQ(soucres_it->getAttributes().begin()->getData().toString(), "white");
     EXPECT_EQ(soucres_it->getAttributes().begin()->getData1().toString(), "Max");
 
     vector<AssetReply<stringData1>> asset_collections = obj.getData();
-    EXPECT_EQ(asset_collections.size(), 1);
+    EXPECT_EQ(asset_collections.size(), 1u);
     vector<AssetReply<stringData1>>::const_iterator asset_collections_it = asset_collections.begin();
     vector<stringData1> asset_sources = asset_collections_it->getData();
-    EXPECT_EQ(asset_sources.size(), 2);
+    EXPECT_EQ(asset_sources.size(), 2u);
     vector<stringData1>::iterator asset_sources_it = asset_sources.begin();
 
     EXPECT_EQ(asset_sources_it->getData().toString(), "red");

core/logging/logging_ut/logging_ut.cc

@@ -101,7 +101,7 @@ public:
     }
 };
 
-class LogTest : public testing::TestWithParam<bool>
+class LogTest : public testing::Test
 {
 public:
     LogTest()
@@ -909,7 +909,7 @@ TEST_F(LogTest, OfflineK8sSvcBulkLogs)
     EXPECT_EQ(local_body, str1);
 }
 
-TEST_P(LogTest, metrics_check)
+TEST_F(LogTest, metrics_check)
 {
     loadFakeConfiguration(true, false, "", 3);
     Tags tag1 = Tags::POLICY_INSTALLATION;
@@ -935,15 +935,9 @@ TEST_P(LogTest, metrics_check)
         "    \"sentLogsBulksSum\": 3\n"
         "}";
 
-    bool is_named_query = GetParam();
-    if (is_named_query) {
     EXPECT_THAT(AllMetricEvent().performNamedQuery(), ElementsAre(Pair("Logging data", logging_metric_str)));
-    } else {
     EXPECT_THAT(AllMetricEvent().query(), ElementsAre(logging_metric_str));
 }
-}
-
-INSTANTIATE_TEST_CASE_P(metrics_check, LogTest, ::testing::Values(false, true));
 
 TEST_F(LogTest, DeleteStreamTest)
 {
@@ -1564,7 +1558,7 @@ TEST_F(LogTest, ObfuscationTest)
     EXPECT_EQ(getBodyFogMessage(), expected_obfuscated_log);
     ASSERT_NE(sysog_routine, nullptr);
     sysog_routine();
-    EXPECT_EQ(capture_syslog_cef_data.size(), 2);
+    EXPECT_EQ(capture_syslog_cef_data.size(), 2u);
     for (const string &str : capture_syslog_cef_data) {
         EXPECT_THAT(str, AnyOf(HasSubstr("String='Another string'"), HasSubstr("String=\"Another string\"")));
     }

core/mainloop/mainloop_ut/mainloop_ut.cc

@@ -504,7 +504,7 @@ TEST_F(MainloopTest, get_routine_id)
 {
     cptestPrepareToDie();
     auto cb = [this] () {
-        EXPECT_EQ(mainloop->getCurrentRoutineId().unpack(), 1);
+        EXPECT_EQ(mainloop->getCurrentRoutineId().unpack(), 1u);
         EXPECT_DEATH(mainloop->run(), "MainloopComponent::Impl::run was called while it was already running");
     };
     mainloop->addOneTimeRoutine(

core/messaging/include/dummy_socket.h

@@ -76,7 +76,7 @@ public:
     writeToSocket(const std::string &msg)
     {
         acceptSocket();
-        EXPECT_EQ(write(connection_fd, msg.data(), msg.size()), msg.size());
+        EXPECT_EQ(write(connection_fd, msg.data(), msg.size()), static_cast<int>(msg.size()));
     }
 
 private:

core/report/report.cc

@@ -176,6 +176,8 @@ Report::getSyslog() const
     if (!origin_syslog.empty()) {
         report.push(origin_syslog);
     }
+    auto severity_str = "eventSeverity=\"" + TagAndEnumManagement::convertToString(severity) + '"';
+    report.push(severity_str);
     if (!event_data_syslog.empty()) {
         report.push(event_data_syslog);
     }
@@ -218,6 +220,8 @@ Report::getCef() const
     if (!origin_cef.empty()) {
         report.pushExtension(origin_cef);
     }
+    auto severity_str = "eventSeverity=\"" + TagAndEnumManagement::convertToString(severity) + '"';
+    report.pushExtension(severity_str);
     if (!event_data_cef.empty()) {
         report.pushExtension(event_data_cef);
     }

core/report/report_ut/report_ut.cc

@@ -87,7 +87,7 @@ TEST(TagTest, TagStringTest)
     set<string> tags_string;
     for (Tags tag : makeRange<Tags>()) {
         tags_string = TagAndEnumManagement::convertToString({tag});
-        ASSERT_EQ(tags_string.size(), 1);
+        ASSERT_EQ(tags_string.size(), 1u);
         Maybe<Tags> tag_from_string = TagAndEnumManagement::convertStringToTag(*tags_string.begin());
         ASSERT_TRUE(tag_from_string.ok());
         EXPECT_EQ(tag_from_string.unpack(), tag);
@@ -572,6 +572,7 @@ TEST_F(ReportTest, testSyslogWithoutServiceName)
         "<133>1 0:0:0.123Z cpnano-agent-001 UnnamedNanoService - 0 - "
         "title='Log Test' agent=\"Secret\" eventTraceId=\"\" eventSpanId=\"\" "
         "issuingEngineVersion=\"\" serviceName=\"Unnamed Nano Service\" serviceId=\"\" serviceFamilyId=\"\" "
+        "eventSeverity=\"Info\""
     );
 }
 
@@ -612,6 +613,7 @@ TEST_F(ReportTest, testSyslog)
         "title='Log Test' agent=\"Secret\"") +
         " eventTraceId=\"\" eventSpanId=\"\" issuingEngineVersion=\"\"" +
         " serviceName=\"Access Control App\" serviceId=\"\" serviceFamilyId=\"\"" +
+        " eventSeverity=\"Info\"" +
         string(" ArrayOfArraies=\"[ [ a, b \\], [ 1, 2 \\] \\]\"") +
         string(" DataWithNewLine=\"new\\r\\nline\"") +
         string(" DataWithQuote=\"data\\'bla\"");
@@ -654,7 +656,9 @@ TEST_F(ReportTest, testCef)
         "CEF:0|Check Point|AccessControlApp||Event Driven|Log Test|Low|"
         "eventTime=0:0:0.123 agent=\"Secret\" eventTraceId=\"\" eventSpanId=\"\" issuingEngineVersion=\"\""
         " serviceName=\"Access Control App\" serviceId=\"\""
-        " serviceFamilyId=\"\" Bond=\"1\" DataWithQuote=\"data\\'bla\""
+        " serviceFamilyId=\"\" Bond=\"1\""
+        " eventSeverity=\"Info\""
+        " DataWithQuote=\"data\\'bla\""
     );
 }
 

core/rest/rest_ut/rest_config_ut.cc

@@ -162,7 +162,7 @@ TEST_F(RestConfigTest, basic_flow)
     I_MainLoop::Routine stop_routine = [&] () {
         EXPECT_EQ(connect(file_descriptor, (struct sockaddr*)&sa, sizeof(struct sockaddr)), 0);
         string msg = "POST /add-test HTTP/1.1\r\nContent-Length: 10\r\n\r\n{\"num\": 5}";
-        EXPECT_EQ(write(file_descriptor, msg.data(), msg.size()), msg.size());
+        EXPECT_EQ(write(file_descriptor, msg.data(), msg.size()), static_cast<int>(msg.size()));
 
         while(!TestServer::g_num) {
             mainloop->yield(true);

core/shmem_ipc/shmem_ipc_ut/shmem_ipc_ut.cc

@@ -264,8 +264,8 @@ TEST_F(SharedIPCTest, ensure_right_permissions)
         stat(queue_name, &info);
         EXPECT_EQ(info.st_uid, uid);
         EXPECT_EQ(info.st_gid, gid);
-        EXPECT_EQ(info.st_mode & S_IRUSR, S_IRUSR);
+        EXPECT_EQ(info.st_mode & S_IRUSR, static_cast<uint>(S_IRUSR));
-        EXPECT_EQ(info.st_mode & S_IWUSR, S_IWUSR);
+        EXPECT_EQ(info.st_mode & S_IWUSR, static_cast<uint>(S_IWUSR));
-        EXPECT_NE(info.st_mode & S_IXUSR, S_IXUSR);
+        EXPECT_NE(info.st_mode & S_IXUSR, static_cast<uint>(S_IXUSR));
     }
 }

nodes/orchestration/package/local-default-policy.yaml

@@ -1,15 +1,16 @@
 policies:
   default:
-    triggers:
-    - appsec-default-log-trigger
     mode: detect-learn
-    practices:
+    practices: [appsec-best-practice]
-    - webapp-default-practice
+    triggers: [appsec-log-trigger]
-    custom-response: appsec-default-web-user-response
+    custom-response: 403-forbidden
+    source-identifiers: ""
+    trusted-sources: ""
+    exceptions: []
   specific-rules: []
 
 practices:
-  - name: webapp-default-practice
+  - name: appsec-best-practice
     openapi-schema-validation:
       configmap: []
       override-mode: detect-learn
@@ -34,7 +35,7 @@ practices:
       override-mode: detect-learn
 
 log-triggers:
-  - name: appsec-default-log-trigger
+  - name: appsec-log-trigger
     access-control-logging:
       allow-events: false
       drop-events: true
@@ -57,7 +58,7 @@ log-triggers:
         format: json
 
 custom-responses:
-  - name: appsec-default-web-user-response
+  - name: 403-forbidden
     mode: response-code-only
     http-response-code: 403
 

nodes/orchestration/package/open-appsec-ctl.sh

@@ -1710,7 +1710,7 @@ is_apply_policy_needed()
         return 0
     fi
     local_policy_modification_time=$(stat -c %Y ${var_policy_file})
-    if [ "${local_policy_modification_time}" -eq "${last_local_policy_modification_time}" ] || [ -z ${last_local_policy_modification_time} ]; then
+    if [ "${local_policy_modification_time}" == "${last_local_policy_modification_time}" ]; then
         return 1
     fi
     return 0