Falco - 0.35.0

| Packages | Download |
| -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
| rpm-x86_64 | |
| deb-x86_64 | |
| tgz-x86_64 | |
| rpm-aarch64 | |
| deb-aarch64 | |
| tgz-aarch64 | |

| Images |
| --------------------------------------------------------------------------- |
| docker pull docker.io/falcosecurity/falco:0.35.0 |
| docker pull public.ecr.aws/falcosecurity/falco:0.35.0 |
| docker pull docker.io/falcosecurity/falco-driver-loader:0.35.0 |
| docker pull docker.io/falcosecurity/falco-no-driver:0.35.0 |

Major Changes

• BREAKING CHANGE: support for metadata enrichment from Mesos has been removed. [#2465] - @leogr
• new(falco): introduce new metrics w/ Falco internal: metrics snapshot option and new metrics config [#2333] - @incertum
• new(scripts): properly manage talos prebuilt drivers [#2537] - @FedeDP
• new(release): released container images are now signed with cosign [#2546] - @LucaGuerra
• new(ci): ported master and release artifacts publishing CI to gha [#2501] - @FedeDP
• new(app_actions): introduce base_syscalls user option [#2428] - @incertum
• new(falco/config): add new configurations for http_output that allow custom CA certificates and stores. [#2458] - @alacuku
• new(cmake): bumped libs to c8b0d6a8fdc1bb3ea9067bc2fdc3ae5858cff48f [#2456] - @FedeDP
• new(userspace): add a new syscall_drop_failed config option to drop failed syscalls exit events [#2456] - @FedeDP

Minor Changes

• update(cmake): bump Falco rules to 1.0.0 [#2618] - @loresuso
• update(cmake): bump libs to 0.11.1 [#2614] - @loresuso
• update(cmake): bump plugins to latest versions [#2610] - @loresuso
• update(cmake): bump falco rules to 1.0.0-rc1 [#2609] - @loresuso
• update(cmake): bump libs to 0.11.0 [#2608] - @loresuso
• cleanup(docs): update release.md [#2599] - @incertum
• update(cmake): bump libs to 0.11.0-rc5 and driver to 5.0.1. [#2600] - @FedeDP
• cleanup(docs): adjust falco readme style and content [#2594] - @incertum
• cleanup(userspace, config): improve metrics UX, add include_empty_values option [#2593] - @incertum
• feat: add the curl and jq packages to the falco-no-driver docker image [#2581] - @therealdwright
• update: add missing exception, required_engine_version, required_plugin_version to -L json output [#2584] - @loresuso
• feat: add image source OCI label to docker images [#2592] - @therealdwright
• cleanup(config): improve falco config [#2571] - @incertum
• update(cmake): bump libs and plugins to latest dev versions [#2586] - @jasondellaluce
• chore(userspace/falco): always print invalid syscalls from custom set [#2578] - @jasondellaluce
• update(build): upgrade falcoctl to 0.5.0 [#2572] - @LucaGuerra
• chore(userspace/falco/app): print all supported plugin caps [#2564] - @jasondellaluce
• update: get rules details with -l or -L flags when json output format is specified [#2544] - @loresuso
• update!: bump libs version, and support latest plugin features, add --nodriver option [#2552] - @jasondellaluce
• cleanup(actions): now modern bpf support -A flag [#2551] - @Andreagit97
• update: falco-driver-loader now uses now uses $TMPDIR if set [#2518] - @jabdr
• update: improve control and UX of ignored events [#2509] - @jasondellaluce
• update: bump libs and adapt Falco to new libsinsp event source management [#2507] - @jasondellaluce
• new(app_actions)!: adjust base_syscalls option, add base_syscalls.repair [#2457] - @incertum
• update(scripts): support al2022 and al2023 in falco-driver-loader. [#2494] - @FedeDP
• update: sync libs with newest event name APIs [#2471] - @jasondellaluce
• update!: remove --mesos-api, -pmesos, and -pm command-line flags [#2465] - @leogr
• cleanup(unit_tests): try making test_configure_interesting_sets more robust [#2464] - @incertum

Bug Fixes

• fix: unquote quoted URL's to avoid libcurl errors [#2596] - @therealdwright
• fix(userspace/engine): store alternatives as array in -L json output [#2597] - @loresuso
• fix(userspace/engine): store required engine version as string in -L json output [#2595] - @loresuso
• fix(userspace/falco): report plugin deps rules issues in any case [#2589] - @jasondellaluce
• fix(userspace): hotreload on wrong metrics [#2582] - @therealbobo
• fix(userspace): check the supported number of online CPUs with modern bpf [#2575] - @Andreagit97
• fix(userspace/falco): don't hang on terminating error when multi sourcing [#2576] - @jasondellaluce
• fix(userspace/falco): properly format numeric values in metrics [#2569] - @jasondellaluce
• fix(scripts): properly support debian kernel releases embedded in kernel version [#2377] - @FedeDP

Non user-facing changes

• docs(README.md): add scope/status badge and simply doc structure [#2611] - @leogr
• build(deps): Bump submodules/falcosecurity-rules from 3471984 to 16fb709 [#2598] - @dependabot[bot]
• docs(proposals): Falco roadmap management [#2547] - @leogr
• build(deps): Bump submodules/falcosecurity-rules from b2290ad to 3471984 [#2577] - @dependabot[bot]
• update(build): libs 0.11.0-rc2 [#2573] - @LucaGuerra
• build(deps): Bump submodules/falcosecurity-rules from 3f52480 to b2290ad [#2570] - @dependabot[bot]
• update(ci): use repo instead of master branch for reusable workflows [#2568] - @LucaGuerra
• cleanup(ci): cleaned up circleci workflow. [#2566] - @FedeDP
• build(deps): Bump requests from 2.26.0 to 2.31.0 in /test [#2567] - @dependabot[bot]
• fix(ci): simplify and fix multi-arch image publishing process [#2542] - @LucaGuerra
• fix(ci): get the manifest for the correct tag [#2563] - @LucaGuerra
• build(deps): Bump submodules/falcosecurity-rules from 3f52480 to 6da15ae [#2559] - @dependabot[bot]
• fix(ci): properly use docker save to store images. [#2560] - @FedeDP
• fix(ci): docker arg is named TARGETARCH. [#2558] - @FedeDP
• fix(ci): set docker TARGET_ARCH [#2557] - @FedeDP
• fix(ci): use normal docker to build docker images, instead of buildx. [#2556] - @FedeDP
• docs: improve documentation and description of base_syscalls option [#2515] - @Happy-Dude
• Updating Falco branding guidelines [#2493] - @aijamalnk
• build(deps): Bump submodules/falcosecurity-rules from f773578 to 6da15ae [#2553] - @dependabot[bot]
• fix(cmake): properly exclude prereleases when fetching latest tag from cmake [#2550] - @FedeDP
• fix(ci): load falco image before building falco-driver-loader [#2549] - @LucaGuerra
• fix(ci): correctly tag slim manifest [#2545] - @LucaGuerra
• cleanup(config): modern bpf is no more experimental [#2538] - @Andreagit97
• new(ci): add RC/prerelease support [#2533] - @LucaGuerra
• fix(ci): configure ECR public region [#2531] - @LucaGuerra
• fix(ci): falco images directory, ecr login [#2528] - @LucaGuerra
• fix(ci): separate rpm/bin/bin-static/deb packages before publication, rename bin-static [#2527] - @LucaGuerra
• fix(ci): add Cloudfront Distribution ID [#2525] - @LucaGuerra
• fix(ci): escape heredoc [#2521] - @LucaGuerra
• chore(ci): build-musl-package does not need to wait for build-packages anymore [#2520] - @FedeDP
• fix: ci Falco version [#2516] - @FedeDP
• fix(ci): fetch version step, download rpms/debs, minor change [#2519] - @LucaGuerra
• chore(ci): properly install recent version of git (needed >= 2.18 by checkout action) [#2514] - @FedeDP
• fix(ci): enable toolset before every make command [#2513] - @LucaGuerra
• fix(ci): remove unnecessary mv [#2512] - @LucaGuerra
• fix(ci): bucket -> bucket_suffix [#2511] - @LucaGuerra
• build(deps): Bump submodules/falcosecurity-rules from 5857874 to 1bd7e4a [#2478] - @dependabot[bot]
• build(deps): Bump submodules/falcosecurity-rules from 694adf5 to 5857874 [#2473] - @dependabot[bot]
• cleanup(ci): properly set a concurrency for CI workflows. [#2470] - @FedeDP
• build(deps): Bump submodules/falcosecurity-rules from e0646a0 to 694adf5 [#2466] - @dependabot[bot]
• build(deps): Bump submodules/falcosecurity-rules from 0b0f50f to e0646a0 [#2460] - @dependabot[bot]

Release Manager @FedeDP