alerts-bugsfixes

Author: hhftechnology

internal/api/handlers/dashboard_analysis.go

@@ -270,6 +270,25 @@ func GetAlertsAnalysis(dockerClient *docker.Client, cfg *config.Config, ttlCache
 			}
 		}
 
+		// Normalize nested cscli fields to match the CrowdSecAlert contract.
+		// cscli nests value/scope under source{} and origin/type under decisions[0].
+		for _, item := range alerts {
+			node, ok := item.(map[string]interface{})
+			if !ok {
+				continue
+			}
+			if src, ok := node["source"].(map[string]interface{}); ok {
+				node["value"] = src["value"]
+				node["scope"] = src["scope"]
+			}
+			if decs, ok := node["decisions"].([]interface{}); ok && len(decs) > 0 {
+				if d, ok := decs[0].(map[string]interface{}); ok {
+					node["origin"] = d["origin"]
+					node["type"] = d["type"]
+				}
+			}
+		}
+
 		logger.Info("Alerts analysis retrieved successfully", "count", len(alerts))
 
 		result := gin.H{"alerts": alerts, "count": len(alerts)}

internal/history/service.go

@@ -363,13 +363,26 @@ func parseAlertsOutput(output string) ([]AlertSnapshot, error) {
 		if !ok {
 			continue
 		}
+
+		// value and scope are nested under the "source" sub-object
+		source, _ := node["source"].(map[string]interface{})
+
+		// origin and type come from the first decision entry
+		var origin, decType string
+		if decs, ok := node["decisions"].([]interface{}); ok && len(decs) > 0 {
+			if d, ok := decs[0].(map[string]interface{}); ok {
+				origin = asString(d["origin"])
+				decType = asString(d["type"])
+			}
+		}
+
 		alerts = append(alerts, AlertSnapshot{
 			ID:          asInt64(node["id"]),
 			Scenario:    asString(node["scenario"]),
-			Scope:       asString(node["scope"]),
-			Value:       asString(node["value"]),
-			Origin:      asString(node["origin"]),
-			Type:        asString(node["type"]),
+			Scope:       asString(source["scope"]),
+			Value:       asString(source["value"]),
+			Origin:      origin,
+			Type:        decType,
 			EventsCount: int(asInt64(node["events_count"])),
 			StartAt:     asString(node["start_at"]),
 			StopAt:      asString(node["stop_at"]),

internal/history/store_test.go

@@ -136,3 +136,42 @@ func TestParseDecisionsOutputNestedAndFlat(t *testing.T) {
 		t.Fatalf("expected flat decision value")
 	}
 }
+
+func TestParseAlertsOutputNestedSource(t *testing.T) {
+	input := `[{
+		"id": 7,
+		"scenario": "crowdsecurity/http-probing",
+		"events_count": 11,
+		"start_at": "2024-01-01T00:00:00Z",
+		"stop_at":  "2024-01-01T00:05:00Z",
+		"source": {"scope": "Ip", "value": "1.2.3.4"},
+		"decisions": [{"origin": "crowdsec", "type": "ban"}]
+	}]`
+
+	alerts, err := parseAlertsOutput(input)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if len(alerts) != 1 {
+		t.Fatalf("expected 1 alert, got %d", len(alerts))
+	}
+	a := alerts[0]
+	if a.Value != "1.2.3.4" {
+		t.Errorf("Value: got %q, want %q", a.Value, "1.2.3.4")
+	}
+	if a.Scope != "Ip" {
+		t.Errorf("Scope: got %q, want %q", a.Scope, "Ip")
+	}
+	if a.Origin != "crowdsec" {
+		t.Errorf("Origin: got %q, want %q", a.Origin, "crowdsec")
+	}
+	if a.Type != "ban" {
+		t.Errorf("Type: got %q, want %q", a.Type, "ban")
+	}
+	if a.Scenario != "crowdsecurity/http-probing" {
+		t.Errorf("Scenario: got %q, want crowdsecurity/http-probing", a.Scenario)
+	}
+	if a.EventsCount != 11 {
+		t.Errorf("EventsCount: got %d, want 11", a.EventsCount)
+	}
+}