[FEAT] tracee source flag

[NDStrahilevitz]

1. Remove analyze subcommand
2. Integrate functionality as a source flag in tracee - "analyze" will merely be a reingestion of event input into the pipeline
3. Split pipeline beginning into an interface for a source program
4. Two implemented source subprograms - eBPF and json file - which can feed the pipeline
5. Open Question: How do we prevent an already derived event from rederiving and introducing duplicates in the output

[geyslan]

5. The old idea of having a pipeline object would solve it. It would have a derived flag to be checked.

[NDStrahilevitz]

5. The old idea of having a pipeline object would solve it. It would have a derived flag to be checked.

So when ingesting an event from a file can we by default mark it as "resolved" "derived" or whatever? Because consider that a usecase of analyze is exactly testing new signatures and event derivations.

[geyslan]

So when ingesting an event from a file can we by default mark it as "resolved" "derived" or whatever? Because consider that a usecase of analyze is exactly testing new signatures and event derivations.

I suppose so, since they're the final output from pipeline already - or am I missing some corner case?

[NDStrahilevitz]

So when ingesting an event from a file can we by default mark it as "resolved" "derived" or whatever? Because consider that a usecase of analyze is exactly testing new signatures and event derivations.

I suppose so, since they're the final output from pipeline already - or am I missing some corner case?

That we would miss these events in the context of testing new signatures/derived evens/general affects of "plugins", which is one of the point of (what was) analyze.