
Implemented Apple biome file parser #4878

Status: Open, wants to merge 12 commits into base branch main
Conversation

@rick-slin rick-slin commented Apr 18, 2024

One line description of pull request

The parser handles the Apple biome files (aka SEGB). Two parser plugins are included for application installation and launch.

Related issue (if applicable): fixes #4812

Notes:

All contributions to Plaso undergo code review.
This makes sure that the code has appropriate test coverage and conforms to the
Plaso style guide.

One of the maintainers will examine your code, and may request changes. Check off the items below in
order, and then a maintainer will review your code.

Checklist:

  • Automated checks (GitHub Actions, AppVeyor) pass
  • No new dependencies are required or l2tdevtools has been updated
  • Reviewer assigned
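The PR description says the parser handles the SEGB container and leaves application-specific decoding to two plugins. As an added illustration (this is not the pull request's code and not part of Plaso), the block below reads a SEGB version 1 image record by record, keeps deleted records visible, verifies each record's CRC, and refuses to read past the data area even when the header's end-of-data offset is wrong. Every layout detail in it (56-byte file header with the `SEGB` magic at offset 52, a 32-byte record header of length, state, Cocoa-epoch float64 timestamp and CRC-32, 8-byte alignment, state 1 = live and 3 = deleted) is an assumption made for this example, not something the PR page states; the sample file it parses is constructed inline with the same assumed layout, and the protobuf payloads that the two plugins would decode are left as opaque bytes.

```python
"""Minimal reader for SEGB ("Apple Biome") version 1 images.

Added example, not the parser from the pull request and not Plaso code.
The on-disk layout below is an ASSUMPTION made for this example:

  file header   : 56 bytes; bytes 0-3 uint32 LE = end-of-data offset,
                  bytes 52-55 = magic b"SEGB"
  record header : 32 bytes; uint32 LE length, uint32 LE state,
                  float64 LE timestamp (seconds since 2001-01-01 UTC),
                  uint32 LE CRC-32 of the record data, 12 reserved bytes
  record data   : `length` bytes, then zero padding to an 8-byte boundary
"""
import datetime
import struct
import zlib
from dataclasses import dataclass

SEGB_MAGIC = b"SEGB"
FILE_HEADER_SIZE = 56
RECORD_HEADER_SIZE = 32
COCOA_EPOCH = datetime.datetime(2001, 1, 1, tzinfo=datetime.timezone.utc)
# Assumed meaning of the state field: 1 = live record, 3 = deleted record.
STATE_LIVE, STATE_DELETED = 1, 3


@dataclass
class SegbRecord:
    offset: int
    state: int
    timestamp: datetime.datetime
    data: bytes
    crc_ok: bool


def _align8(value):
    return (value + 7) & ~7


def parse_segb_v1(blob):
    """Return the SegbRecord objects found in an in-memory SEGB v1 image.

    Deleted records (state 3) are returned too: their payload usually
    survives in the file and a timeline consumer decides what to do with
    them. A truncated or zero-length record ends parsing instead of raising,
    so a damaged file still yields the records before the damage.
    """
    if len(blob) < FILE_HEADER_SIZE or blob[52:56] != SEGB_MAGIC:
        raise ValueError("not a SEGB v1 image (missing magic at offset 52)")
    end_of_data = struct.unpack_from("<I", blob, 0)[0]
    # Never trust the header's end-of-data offset beyond the bytes we have.
    end_of_data = min(end_of_data, len(blob))
    offset = FILE_HEADER_SIZE
    records = []
    while offset + RECORD_HEADER_SIZE <= end_of_data:
        length, state, seconds, crc = struct.unpack_from("<IIdI", blob, offset)
        data_start = offset + RECORD_HEADER_SIZE
        if length == 0 or data_start + length > end_of_data:
            break  # zero-length or truncated record: stop here
        data = blob[data_start:data_start + length]
        records.append(SegbRecord(
            offset=offset,
            state=state,
            timestamp=COCOA_EPOCH + datetime.timedelta(seconds=seconds),
            data=data,
            crc_ok=(zlib.crc32(data) & 0xFFFFFFFF) == crc,
        ))
        offset = _align8(data_start + length)
    return records


def build_segb_v1(entries):
    """Build a SEGB v1 image from (state, cocoa_seconds, data) tuples.

    Constructed input in the same ASSUMED layout, used only so the example
    runs offline; real files come from the Biome directories on a device.
    """
    body = bytearray()
    for state, seconds, data in entries:
        body += struct.pack("<IIdI", len(data), state, seconds,
                            zlib.crc32(data) & 0xFFFFFFFF)
        body += b"\0" * 12  # reserved part of the 32-byte record header
        body += data
        body += b"\0" * (_align8(len(data)) - len(data))
    header = bytearray(FILE_HEADER_SIZE)
    struct.pack_into("<I", header, 0, FILE_HEADER_SIZE + len(body))
    header[52:56] = SEGB_MAGIC
    return bytes(header + body)


# Constructed sample: one live and one deleted record with opaque payloads.
SAMPLE = build_segb_v1([
    (STATE_LIVE, 736000000.0, b"\x0a\x0fcom.example.app"),
    (STATE_DELETED, 736000100.5, b"\x0a\x10com.example.gone"),
])

if __name__ == "__main__":
    for record in parse_segb_v1(SAMPLE):
        print(record.offset, record.state, record.timestamp.isoformat(),
              record.crc_ok, record.data)
```

The CRC check and the clamp on the end-of-data offset are the two places where a parser fed an arbitrary file from a suspect device tends to go wrong: a bad CRC marks a record as untrustworthy rather than silently timelining it, and the clamp keeps a lying header from turning into an out-of-range read.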

@joachimmetz joachimmetz self-requested a review May 2, 2024 04:13
@joachimmetz joachimmetz self-assigned this May 2, 2024
@joachimmetz (Member) commented:
Thanks for the PR, I'll take a look as time permits.

@joachimmetz (Member) commented:
rebased with upstream for failing CI tests

@joachimmetz (Member) commented:
@rick-slin PTAL, CI tests are failing https://github.com/log2timeline/plaso/actions/runs/8957629211/job/24600914034?pr=4878#step:7:3036

======================================================================
ERROR: testExamineEventAndCompileReport (analysis.browser_search.BrowserSearchAnalysisTest)
Tests the ExamineEvent and CompileReport functions.
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/__w/plaso/plaso/tests/analysis/browser_search.py", line 23, in testExamineEventAndCompileReport
    storage_writer = self._ParseAndAnalyzeFile(
  File "/__w/plaso/plaso/./tests/analysis/test_lib.py", line 76, in _ParseAndAnalyzeFile
    storage_writer = self._ParseFile(path_segments, parser)
  File "/__w/plaso/plaso/./tests/analysis/test_lib.py", line 138, in _ParseFile
    self._ProcessEventData(storage_writer)
  File "/__w/plaso/plaso/./tests/analysis/test_lib.py", line 148, in _ProcessEventData
    event_data_timeliner = timeliner.EventDataTimeliner(
  File "/__w/plaso/plaso/./plaso/engine/timeliner.py", line 61, in __init__
    self._ReadConfigurationFile()
  File "/__w/plaso/plaso/./plaso/engine/timeliner.py", line 354, in _ReadConfigurationFile
    for timeliner_definition in configuration_file.ReadFromFile(path):
  File "/__w/plaso/plaso/./plaso/engine/yaml_timeliner_file.py", line 120, in ReadFromFile
    for yaml_definition in self._ReadFromFileObject(file_object):
  File "/__w/plaso/plaso/./plaso/engine/yaml_timeliner_file.py", line 108, in _ReadFromFileObject
    yield self._ReadTimelinerDefinition(yaml_definition)
  File "/__w/plaso/plaso/./plaso/engine/yaml_timeliner_file.py", line 88, in _ReadTimelinerDefinition
    timeliner_definition.attribute_mappings = {
  File "/__w/plaso/plaso/./plaso/engine/yaml_timeliner_file.py", line 89, in <dictcomp>
    attribute_mapping['name']: attribute_mapping['description']
KeyError: 'description'

@rick-slin (Contributor, Author) commented:
The more I think about this PR, the more I'm convinced that reverse engineering proto definition files and compiling them into the python classes for proper parsing is the better solution. @joachimmetz What do you think? It will take more work on my end, but I think it would be worthwhile. Would the proto file be part of the plaso repo or just the compile python classes?

Issue this pull request may close: Create parser and parser plugins for Apple Biome files (aka: SEBG files)