New transformer: `basename()`
leogr opened this issue · 3 comments
Motivation
The `basename()` transformer will make it easier for rule authors to write concise and effective rules, particularly for fields returning a full path, by extracting the base name from a field returning a full path.
Note that this is particularly useful in conjunction with `proc.exepath`, which provides the resolved symlink path eventually, since `proc.exe` can't provide the resolved path because it, by convention, equals `argv[0]`.
Feature
Introduce the `basename(<path>)` transformer that works similarly to the basename util.
This transformer returns the base name of a given `<path>` (i.e. a string) as an argument.
Alternatives
No compelling alternatives. For the record, some discarded solutions:
- changing `proc.exe` (breaking change + inconsistency)
- adding new fields (e.g. `proc.exepath.basename`) comes with too many cons:
  - redundant with fields modifiers (i.e. `basename()`)
  - would require similar fields for `proc.pexepath` and `proc.aexepath`, increasing complexity
  - the solution is not reusable
Additional context
I fully support this feature request!
Just the first thing that comes to mind, introducing `basename` would also probably conflict with `fd.filename`, that is `basename(fd.name)` would be totally the same thing as `fd.filename`. We would probably need a deprecation plan for that field or other similar ones if any.
Totally 👍
/assign
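
The motivation in the issue body (matching on the base name of `proc.exepath` rather than on `proc.exe`), modelled as an added example that is not code from the issue or from the Falco project. The events are constructed, and the trailing-slash and root handling follow the POSIX `basename` utility, which is an assumption since the issue only says "similarly to the basename util".

```python
# Added illustration: a model of the proposed basename() transformer.
# Not Falco code; semantics follow the POSIX basename utility (assumption).

def basename(path: str) -> str:
    """Return the base name of `path` the way the basename utility does."""
    if path == "":
        return ""
    stripped = path.rstrip("/")
    if stripped == "":  # path was only slashes, e.g. "/" or "//"
        return "/"
    return stripped.rsplit("/", 1)[-1]

# Constructed events. proc.exe mirrors argv[0]; proc.exepath is the
# resolved path, as described in the issue.
EVENTS = [
    {"id": 1, "proc.exe": "nc", "proc.exepath": "/usr/bin/nc"},
    # started through a symlink with a different name
    {"id": 2, "proc.exe": "/tmp/update", "proc.exepath": "/usr/bin/nc"},
    # started with a relative path
    {"id": 3, "proc.exe": "./nc", "proc.exepath": "/home/dev/tools/nc"},
    {"id": 4, "proc.exe": "ls", "proc.exepath": "/usr/bin/ls"},
]

WATCHED = {"nc", "ncat"}  # hypothetical list a rule author cares about

def match_on_exe(events):
    """Models the condition: proc.exe in (nc, ncat)."""
    return [e["id"] for e in events if e["proc.exe"] in WATCHED]

def match_on_exepath_basename(events):
    """Models the condition: basename(proc.exepath) in (nc, ncat)."""
    return [e["id"] for e in events if basename(e["proc.exepath"]) in WATCHED]

if __name__ == "__main__":
    print("proc.exe match:              ", match_on_exe(EVENTS))
    print("basename(proc.exepath) match:", match_on_exepath_basename(EVENTS))
```
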