Rename context filters to scope filters

This commit updates the terminology within the Tracee codebase,
replacing occurrences of "context filters" with "scope filters".
By doing so, it enhances the clarity and intuitiveness of the user interface
and documentation.

docs/docs/flags/events.1.md

@@ -11,7 +11,7 @@ tracee **\-\-events** - Select which events to trace
 
 ## SYNOPSIS
 
-tracee **\-\-events** [<event-name1(,[-]event-name2...)\> | <[-]event-name1(,set1...)\> | <set1(,[-]event-name1,[-]event-name2...)\> | <event1.args.arg-field[=|!=]value\> | <event1.retval[=|!=|<|\>|<=|\>=]value\> | <event1.context.context-field[=|!=|<|\>|<=|\>=]value\> | <event.context.container\>] ...
+tracee **\-\-events** [<event-name1(,[-]event-name2...)\> | <[-]event-name1(,set1...)\> | <set1(,[-]event-name1,[-]event-name2...)\> | <event1.args.arg-field[=|!=]value\> | <event1.retval[=|!=|<|\>|<=|\>=]value\> | <event1.scope.field[=|!=|<|\>|<=|\>=]value\> | <event.scope.container\>] ...
 
 ## DESCRIPTION
 
@@ -25,7 +25,7 @@ The **\-\-events** flag allows you to select which events to trace by defining f
 
 - Event return value: Filter events based on their return value using 'event-name.retval'. The event return value expression follows the syntax of a numerical expression.
 
-- Event context fields: Filter events based on the non-argument fields defined in the trace.Event struct using 'event-name.context.field'. Refer to the json tags in the trace.Event struct located in the types/trace package for the correct field names, and the event filtering section in the documentation for a full list.
+- Event scope fields: Filter events based on the non-argument fields defined in the trace.Event struct using 'event-name.scope.field'. Refer to the json tags in the trace.Event struct located in the types/trace package for the correct field names, and the event filtering section in the documentation for a full list.
 
 ## FILTER EXPRESSION
 
@@ -40,7 +40,7 @@ Multiple flags are combined with AND logic, while multiple values within a singl
 Available for:
 
 - return value
-- context fields
+- scope fields
 
 NOTE: Expressions containing '<' or '\>' tokens must be escaped!
 
@@ -52,7 +52,7 @@ Available for:
 
 - event arguments
 - return value
-- context fields
+- scope fields
 
 Strings can be compared as a prefix if ending with '\*', or as a suffix if starting with '\*'.
 
@@ -125,11 +125,11 @@ Available only for:
 - To trace only 'openat' events that have 'processName' equal to 'ls', use the following flag:
 
   ```console
-  --events openat.context.processName=ls
+  --events openat.scope.processName=ls
   ```
 
 - To trace only 'security_file_open' events coming from a container, use the following flag:
 
   ```console
-  --events security_file_open.context.container
+  --events security_file_open.scope.container
   ```

docs/docs/policies/rules.md

@@ -6,7 +6,7 @@ Below are several examples on configuring events in the Tracee Policy.
 
 ## Events
 
-Every event that is specified within the `rules` section supports three types of filters: `context`, `arguments` and `return value`. 
+Every event that is specified within the `rules` section supports three types of filters: `scope`, `arguments` and `return value`. 
 
 ### Type of Events
 
@@ -64,17 +64,17 @@ spec:
 	    event: do_sigaction
 ```
 
-## Context filters
+## Scope filters
 
-Context is data which is collected along the event. They can be filtered like:
+Further refinement of the policy's scope is achievable through the application of scope filters:
 
 ```yaml
 apiVersion: tracee.aquasec.com/v1beta1
 kind: Policy
 metadata:
-	name: sample-context-filter
+	name: sample-scope-filter
 	annotations:
-		description: sample context filter
+		description: sample scope filter
 spec:
 	scope:
 	    - global
@@ -84,7 +84,7 @@ spec:
 		- pid=1000
 ```
 
-The context filters supported are:
+The scope filters supported are:
 
 #### p, pid, processId
 

docs/man/events.1

@@ -26,8 +26,8 @@ tracee \f[B]--events\f[R] [<event-name1(,[-]event-name2\&...)> |
 <set1(,[-]event-name1,[-]event-name2\&...)> |
 <event1.args.arg-field[=|!=]value> |
 <event1.retval[=|!=|<|>|<=|>=]value> |
-<event1.context.context-field[=|!=|<|>|<=|>=]value> |
-<event.context.container>] \&...
+<event1.scope.scope-field[=|!=|<|>|<=|>=]value> |
+<event.scope.container>] \&...
 .SS DESCRIPTION
 .PP
 The \f[B]--events\f[R] flag allows you to select which events to trace
@@ -49,8 +49,8 @@ Event return value: Filter events based on their return value using
 The event return value expression follows the syntax of a numerical
 expression.
 .IP \[bu] 2
-Event context fields: Filter events based on the non-argument fields
-defined in the trace.Event struct using `event-name.context.field'.
+Event scope fields: Filter events based on the non-argument fields
+defined in the trace.Event struct using `event-name.scope.field'.
 Refer to the json tags in the trace.Event struct located in the
 types/trace package for the correct field names, and the event filtering
 section in the documentation for a full list.
@@ -72,7 +72,7 @@ Available for:
 .IP \[bu] 2
 return value
 .IP \[bu] 2
-context fields
+scope fields
 .PP
 NOTE: Expressions containing `<' or `>' tokens must be escaped!
 .SS STRING EXPRESSION OPERATORS
@@ -85,7 +85,7 @@ event arguments
 .IP \[bu] 2
 return value
 .IP \[bu] 2
-context fields
+scope fields
 .PP
 Strings can be compared as a prefix if ending with `*', or as a suffix
 if starting with `*'.
@@ -202,7 +202,7 @@ the following flag:
 .IP
 .nf
 \f[C]
---events openat.context.processName=ls
+--events openat.scope.processName=ls
 \f[R]
 .fi
 .RE
@@ -213,7 +213,7 @@ the following flag:
 .IP
 .nf
 \f[C]
---events security_file_open.context.container
+--events security_file_open.scope.container
 \f[R]
 .fi
 .RE

pkg/cmd/flags/capture.go

@@ -126,8 +126,8 @@ func PrepareCapture(captureSlice []string, newBinary bool) (config.CaptureConfig
 			capture.Net.CaptureLength = 96 // default payload
 		} else if strings.HasPrefix(c, "pcap:") {
 			capture.Net.CaptureSingle = false // remove default mode
-			context := strings.TrimPrefix(c, "pcap:")
-			fields := strings.Split(context, ",")
+			scope := strings.TrimPrefix(c, "pcap:")
+			fields := strings.Split(scope, ",")
 			for _, field := range fields {
 				if field == "single" {
 					capture.Net.CaptureSingle = true
@@ -144,33 +144,33 @@ func PrepareCapture(captureSlice []string, newBinary bool) (config.CaptureConfig
 			}
 			capture.Net.CaptureLength = 96 // default payload
 		} else if strings.HasPrefix(c, "pcap-options:") {
-			context := strings.TrimPrefix(c, "pcap-options:")
-			context = strings.ToLower(context) // normalize
-			if context == "none" {
+			scope := strings.TrimPrefix(c, "pcap-options:")
+			scope = strings.ToLower(scope) // normalize
+			if scope == "none" {
 				capture.Net.CaptureFiltered = false // proforma
-			} else if context == "filtered" {
+			} else if scope == "filtered" {
 				capture.Net.CaptureFiltered = true
 			}
 		} else if strings.HasPrefix(c, "pcap-snaplen:") {
-			context := strings.TrimPrefix(c, "pcap-snaplen:")
+			scope := strings.TrimPrefix(c, "pcap-snaplen:")
 			var amount uint64
 			var err error
-			context = strings.ToLower(context) // normalize
-			if context == "default" {
+			scope = strings.ToLower(scope) // normalize
+			if scope == "default" {
 				amount = 96 // default payload
-			} else if context == "max" {
+			} else if scope == "max" {
 				amount = (1 << 16) - 1 // max length for IP packets
-			} else if context == "headers" {
+			} else if scope == "headers" {
 				amount = 0 // sets headers only length for capturing (default)
-			} else if strings.HasSuffix(context, "kb") ||
-				strings.HasSuffix(context, "k") {
-				context = strings.TrimSuffix(context, "kb")
-				context = strings.TrimSuffix(context, "k")
-				amount, err = strconv.ParseUint(context, 10, 64)
+			} else if strings.HasSuffix(scope, "kb") ||
+				strings.HasSuffix(scope, "k") {
+				scope = strings.TrimSuffix(scope, "kb")
+				scope = strings.TrimSuffix(scope, "k")
+				amount, err = strconv.ParseUint(scope, 10, 64)
 				amount *= 1024 // result in bytes
-			} else if strings.HasSuffix(context, "b") {
-				context = strings.TrimSuffix(context, "b")
-				amount, err = strconv.ParseUint(context, 10, 64)
+			} else if strings.HasSuffix(scope, "b") {
+				scope = strings.TrimSuffix(scope, "b")
+				amount, err = strconv.ParseUint(scope, 10, 64)
 			} else {
 				return config.CaptureConfig{}, errfmt.Errorf("could not parse pcap snaplen: missing b or kb ?")
 			}

pkg/cmd/flags/event.go

@@ -61,7 +61,7 @@ func parseEventFlag(flag string) ([]eventFlag, error) {
 	//
 
 	if operatorIdx == -1 { // no operator, as a set flag
-		if strings.Contains(flag, ".") { // "openat.context.container" edge case
+		if strings.Contains(flag, ".") { // "openat.scope.container" edge case
 			evtParts, err := getEventFilterParts(flag, flag)
 			if err != nil {
 				return []eventFlag{}, errfmt.WrapError(err)

pkg/cmd/flags/event_test.go

@@ -153,18 +153,18 @@ func TestParseEventFlag(t *testing.T) {
 		},
 		{
 			name:      "ValidEventFlag",
-			eventFlag: "openat.context.userId=0",
+			eventFlag: "openat.scope.userId=0",
 			expected: []eventFlag{
 				{
-					full:              "openat.context.userId=0",
-					eventFilter:       "openat.context.userId",
+					full:              "openat.scope.userId=0",
+					eventFilter:       "openat.scope.userId",
 					eventName:         "openat",
-					eventOptionType:   "context",
+					eventOptionType:   "scope",
 					eventOptionName:   "userId",
 					operator:          "=",
 					values:            "0",
 					operatorAndValues: "=0",
-					filter:            "context.userId=0",
+					filter:            "scope.userId=0",
 				},
 			},
 			expectedError: nil,
@@ -207,13 +207,13 @@ func TestParseEventFlag(t *testing.T) {
 		},
 		{
 			name:      "ValidEventFlag",
-			eventFlag: "open.context.container",
+			eventFlag: "open.scope.container",
 			expected: []eventFlag{
 				{
-					full:              "open.context.container",
-					eventFilter:       "open.context.container",
+					full:              "open.scope.container",
+					eventFilter:       "open.scope.container",
 					eventName:         "open",
-					eventOptionType:   "context",
+					eventOptionType:   "scope",
 					eventOptionName:   "container",
 					operator:          "",
 					values:            "",

pkg/cmd/flags/filter.go

@@ -31,7 +31,7 @@ Strings can be compared as a prefix if ending with '*' or as suffix if starting
 Event return value can be accessed using 'event_name.retval' and provide a way to filter an event by its return value.
 Event return value expression has the same syntax as a numerical expression.
 
-Event context fields can be accessed using 'event_name.context.field', this can be used to filter an event by the non arguments
+Event scope fields can be accessed using 'event_name.scope.field', this can be used to filter an event by the non arguments
 fields defined in the trace.Event struct.
 Refer to the json tags in the trace.Event struct located in the types/trace package for the correct field names, and the event filtering
 section in the documentation for a full list.
@@ -81,8 +81,8 @@ Event examples:
   --events openat.args.pathname='/tmp*'                         | only trace 'openat' events that have 'pathname' prefixed by /tmp
   --events openat.args.pathname='*shadow'                       | only trace 'openat' events that have 'pathname' suffixed by shadow
   --events openat.args.pathname!=/tmp/1,/bin/ls                 | don't trace 'openat' events that have 'pathname' equals /tmp/1 or /bin/ls
-  --events openat.context.processName=ls                        | only trace 'openat' events that have 'processName' equal to 'ls'
-  --events security_file_open.context.container                 | only trace 'security_file_open' events coming from a container
+  --events openat.scope.processName=ls                          | only trace 'openat' events that have 'processName' equal to 'ls'
+  --events security_file_open.scope.container                   | only trace 'security_file_open' events coming from a container
 
 Note: some of the above operators have special meanings in different shells.
 To 'escape' those operators, please use single quotes, e.g.: 'uid>0', '/tmp*'

pkg/cmd/flags/policy.go

@@ -81,13 +81,13 @@ func PrepareFilterMapsFromPolicies(policies []k8s.PolicyInterface) (PolicyScopeM
 					continue
 				}
 
-				// at this point we know the filter is an event context filter
-				// context filters are provided without "context." prefix so we need to add it
-				evtContextFlags, err := parseEventFlag(fmt.Sprintf("%s.context.%s", r.Event, f))
+				// at this point we know the filter is an event scope filter
+				// scope filters are provided without "scope." prefix so we need to add it
+				evtScopeFlags, err := parseEventFlag(fmt.Sprintf("%s.scope.%s", r.Event, f))
 				if err != nil {
 					return nil, nil, errfmt.WrapError(err)
 				}
-				eventFlags = append(eventFlags, evtContextFlags...)
+				eventFlags = append(eventFlags, evtScopeFlags...)
 			}
 		}
 
@@ -274,7 +274,7 @@ func CreatePolicies(policyScopeMap PolicyScopeMap, policyEventsMap PolicyEventMa
 				continue
 			}
 
-			// at this point, we can assume that event flag is an event option filter (args, retval, context),
+			// at this point, we can assume that event flag is an event option filter (args, retval, scope),
 			// so, as a sugar, we can add the event name to be filtered
 			eventFilter.Equal = append(eventFilter.Equal, evtFlag.eventName)
 
@@ -289,8 +289,8 @@ func CreatePolicies(policyScopeMap PolicyScopeMap, policyEventsMap PolicyEventMa
 				continue
 			}
 
-			if evtFlag.eventOptionType == "context" {
-				err := p.ContextFilter.Parse(evtFilter, operatorAndValues)
+			if evtFlag.eventOptionType == "scope" {
+				err := p.ScopeFilter.Parse(evtFilter, operatorAndValues)
 				if err != nil {
 					return nil, err
 				}