upgrade to IG v0.48.0

[matthyx]

Summary by CodeRabbit

• Updates

  • Gadget toolset renamed and bumped to v0.48.0 (advise_seccomp, trace_capabilities, trace_dns, trace_exec, trace_open); container images moved to a new registry path.

• Performance

  • Simplified event data handling to use direct deep-copies, streamlining data ownership and memory flow.

• Features

  • Added ECS runtime alert fields and ECS metadata accessors on events.

• Tests

  • Tests tightened to detect unexpected/extra fields in data sources.

• Chores

  • Dependency versions updated across modules.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

Updates gadget names and image registry/tags to v0.48.0, upgrades many Go module dependencies, removes per-event pooling, and changes tracers to pass direct deep copies via source.DeepCopy(data) into DatasourceEvent payloads. Adds ECS-specific metadata accessors to events and rule failure types. Refactors tests to validate extraneous fields via runtime membership checks.

Changes

Cohort / File(s)	Summary
Makefile Makefile	Updated GADGETS to advise_seccomp, trace_capabilities, trace_dns, trace_exec, trace_open and bumped VERSION to v0.48.0; gadgets task now pulls from ghcr.io/inspektor-gadget/gadget/....
Go module updates go.mod	Upgraded many dependencies and adjusted replace directives (k8s.io/*, containerd, grpc, opentelemetry, prometheus, sigstore, etc.).
Tracer image refs pkg/containerwatcher/v2/tracers/{capabilities,dns,exec,open,syscall}.go	Replaced quay.io image references with ghcr.io/inspektor-gadget/gadget/...:v0.48.0.
Tracer data handling (refactor) pkg/containerwatcher/v2/tracers/{bpf,capabilities,dns,exec,exit,fork,hardlink,http,iouring,kmod,network,open,ptrace,randomx,ssh,symlink,syscall,unshare}.go	Removed pooled allocation + DeepCopyInto usage; tracers now set DatasourceEvent.Data to source.DeepCopy(data) and send that to callbacks.
Datasource pooling removal & ECS enrichment pkg/utils/datasource_event.go	Removed global pooling (dataPools) and GetPooledDataItem(); simplified DatasourceEvent.Release() to call datasource Release directly; added ECS-specific getters to access ECS metadata fields.
ECS enrichment in event and failure types pkg/utils/events.go, pkg/utils/struct_event.go, pkg/rulemanager/types/failure.go	Extended EnrichEvent interface and StructEvent methods with ECS metadata accessors returning empty values in StructEvent. Added ECS runtime alert details to GenericRuleFailure and interface.
Tests: data source fields validation pkg/containerwatcher/v2/tracers/*_test.go (e.g. bpf_test.go, capabilities_test.go, dns_test.go, ... )	Added slices import; replaced strict exact count assertions of datasource fields with presence checks plus iteration on actual fields to detect unexpected extras, improving test robustness.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• Feature/rule engine redesign #685: Related to tracer/dataflow updates touching pkg/utils/datasource_event.go and pkg/containerwatcher/v2/tracers, may interact or conflict.
• Feature/ecs alerts #699: Similar changes on gadget naming, image registry updates, event data copying refactors, and ECS-specific enhancements.

Suggested labels

release

Suggested reviewers

• matthyx

Poem

🐰 Gadgets leap from quay to GHCR,
Pools nap softly, copies stir,
Modules climb the version tree,
Tracers carry data freshly,
ECS fields now call to me,
A little hop to v0.48.0 — hooray! 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title 'upgrade to IG v0.48.0' directly and clearly describes the primary change: upgrading Inspektor-Gadget from v0.45.0 to v0.48.0 across multiple files including Makefile, tracer configurations, and dependencies.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

pkg/containerwatcher/v2/tracers/syscall.go (1)

130-137: Data sharing is protected from Release() but remains vulnerable to mutation by downstream handlers.

The shared event.Data is actually safe from being released during loop iteration because SyscallEventType events are explicitly excluded from Release in the worker pool (see container_watcher.go line 162-163). Additionally, the initial data is already deep-copied when the event is created (line 112), so the loop iterations operate on a stable copy.

However, the design remains fragile: if any downstream handler mutates (rather than releases) the shared data during callback processing, subsequent loop iterations will see corrupted data. The current safeguard depends on the Release() exclusion logic, which is more of a workaround than a definitive fix.

Consider either:

• Deep-copying the data for each syscall iteration, or
• Documenting that downstream handlers must not mutate the shared data and cannot rely on Release() semantics

🤖 Fix all issues with AI agents

In `@go.mod`:
- Line 447: Add a clear comment above the replace directive for
github.com/inspektor-gadget/inspektor-gadget =>
github.com/matthyx/inspektor-gadget v0.0.0-20260126124411-303be8df37f7 in go.mod
that states which specific bugfixes or features from the matthyx fork are
required (cite commit hashes or PR numbers if possible), whether this replace is
temporary pending an upstream merge or intended long-term, and include a short
tracking plan: the upstream PR/issue to watch, expected timeline or criteria for
switching back to the official module, and who owns monitoring/updating (e.g.,
team or person).

In `@pkg/utils/datasource_event.go`:
- Around line 881-883: The Release method on DatasourceEvent should guard
against a nil Datasource to avoid panics; update the DatasourceEvent.Release
function to check if e.Datasource is nil and return early if so (consistent with
patterns like getFieldAccessor), otherwise call e.Datasource.Release(e.Data);
ensure the nil-check uses the same style/error-handling conventions as other
methods in this file.

🧹 Nitpick comments (4)

pkg/containerwatcher/v2/tracers/ptrace.go (1)

21-21: Inconsistent image versioning: using :latest instead of pinned version.

Same issue as hardlink.go - using :latest tag instead of a pinned version like dns.go uses.

♻️ Suggested fix for version consistency

-	ptraceImageName = "ghcr.io/inspektor-gadget/gadget/ptrace:latest"
+	ptraceImageName = "ghcr.io/inspektor-gadget/gadget/ptrace:v0.48.0"

pkg/containerwatcher/v2/tracers/kmod.go (1)

22-22: Consider pinning to a specific version tag for reproducibility.

Other tracers in this PR (e.g., open.go, exec.go, syscall.go) use the explicit v0.48.0 tag, while this uses :latest. Using :latest can lead to unexpected behavior changes when the image is updated upstream.

Suggested fix

-	kmodImageName = "ghcr.io/inspektor-gadget/gadget/kmod:latest"
+	kmodImageName = "ghcr.io/inspektor-gadget/gadget/kmod:v0.48.0"

pkg/containerwatcher/v2/tracers/fork.go (1)

21-21: Consider pinning to a specific version tag for reproducibility.

Similar to the kmod tracer, this uses :latest while other tracers in this PR use :v0.48.0. Pinning to an explicit version ensures consistent behavior across deployments.

Suggested fix

-	forkImageName = "ghcr.io/inspektor-gadget/gadget/fork:latest"
+	forkImageName = "ghcr.io/inspektor-gadget/gadget/fork:v0.48.0"

pkg/containerwatcher/v2/tracers/exit.go (1)

21-21: Consider pinning to a specific version tag for reproducibility.

Similar to kmod and fork tracers, this uses :latest while other tracers in this PR use :v0.48.0. Pinning to an explicit version ensures consistent behavior across deployments.

Suggested fix

-	exitImageName = "ghcr.io/inspektor-gadget/gadget/exit:latest"
+	exitImageName = "ghcr.io/inspektor-gadget/gadget/exit:v0.48.0"

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# First, check for any references to the fork or explanation in the codebase
rg -i "matthyx" . --type=md --type=yaml --type=toml 2>/dev/null | head -20

# Check if there are comments near the replace directive in go.mod
rg -B 3 -A 3 "matthyx/inspektor-gadget" go.mod

# Look for any explanations in code comments or documentation
rg -i "fork" . --type=md --type=go -B 2 -A 2 2>/dev/null | head -40

Repository: kubescape/node-agent

Length of output: 3137

---

🏁 Script executed:

# Read the go.mod file around line 447 to check for comments
sed -n '440,455p' go.mod

# Check for any changelog or documentation about this
find . -name "CHANGELOG*" -o -name "RELEASE*" -o -name "HISTORY*" | head -5

# Look for any comments in go.mod that might explain the fork
rg "//.*fork|//.*inspektor" go.mod

# Check recent git history if available
git log --oneline go.mod 2>/dev/null | head -10

Repository: kubescape/node-agent

Length of output: 461

---

🏁 Script executed:

# Get the full commit message
git show 17f9530 --no-patch --format=fuller 2>/dev/null || echo "Git show failed"

# Get the diff for go.mod changes in that commit
git show 17f9530 -- go.mod 2>/dev/null | head -80

# Check if there are any comments or documentation about why the fork is needed
rg "inspektor-gadget|IG|v0.48" docs/ --type=md 2>/dev/null | head -20

# Look for any PR or issue references
rg "#[0-9]{3,}" . --type=md --type=go -B 2 -A 2 2>/dev/null | grep -i "inspektor\|fork\|IG" | head -10

Repository: kubescape/node-agent

Length of output: 4169

---

Document the fork's purpose and add a tracking plan for official release adoption.

The inspektor-gadget dependency is replaced with a fork (matthyx/inspektor-gadget) via a replace directive at line 447. While the fork appears intentional (authored by core contributor matthyx), there is no documentation explaining why the fork is necessary or when it can be replaced with an official release. Add a comment in go.mod clarifying:

• What specific features or fixes the fork provides that aren't available in the official release
• Whether this is temporary (pending upstream merge) or long-term
• Expected timeline for adopting the official release if applicable

🤖 Prompt for AI Agents

In `@go.mod` at line 447, Add a clear comment above the replace directive for
github.com/inspektor-gadget/inspektor-gadget =>
github.com/matthyx/inspektor-gadget v0.0.0-20260126124411-303be8df37f7 in go.mod
that states which specific bugfixes or features from the matthyx fork are
required (cite commit hashes or PR numbers if possible), whether this replace is
temporary pending an upstream merge or intended long-term, and include a short
tracking plan: the upstream PR/issue to watch, expected timeline or criteria for
switching back to the official module, and who owns monitoring/updating (e.g.,
team or person).

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Missing nil check on Datasource before calling Release.

If e.Datasource is nil, this will panic. Other methods in this file (e.g., getFieldAccessor at line 168) check for nil Datasource. Consider adding a guard here for consistency and safety.

🛡️ Suggested fix

 func (e *DatasourceEvent) Release() {
+	if e.Datasource == nil {
+		return
+	}
 	e.Datasource.Release(e.Data)
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	func (e *DatasourceEvent) Release() {
	pool, loaded := dataPools.Load(e.EventType)
	if loaded {
	pool.(*sync.Pool).Put(e.Data)
	}
	e.Datasource.Release(e.Data)
	}
	func (e *DatasourceEvent) Release() {
	if e.Datasource == nil {
	return
	}
	e.Datasource.Release(e.Data)
	}

🤖 Prompt for AI Agents

In `@pkg/utils/datasource_event.go` around lines 881 - 883, The Release method on
DatasourceEvent should guard against a nil Datasource to avoid panics; update
the DatasourceEvent.Release function to check if e.Datasource is nil and return
early if so (consistent with patterns like getFieldAccessor), otherwise call
e.Datasource.Release(e.Data); ensure the nil-check uses the same
style/error-handling conventions as other methods in this file.