Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Flatten command field types for the jsonpacker #130

Open
wants to merge 8 commits into
base: main
Choose a base branch
from
Open

Flatten command field types for the jsonpacker #130

wants to merge 8 commits into from

Conversation

JSCU-CNI
Copy link
Contributor

@JSCU-CNI JSCU-CNI commented Aug 5, 2024
edited
Loading

This PR flattens the field type command in the JSON packer and fixes #132.

Currently the dissect.target project is inconsistent in using the same field name command and the new field type command. This patch makes it possible to upload and aggregate on different records in Elasticsearch with the field name command and differing field types.

For example, see RunKeysPlugin.runkeys and PowerShellHistoryPlugin.powershell_history.

You could argue (and we agree) that this should be fixed in dissect.target as all RecordDescriptors currently using ("string", "command") should perhaps use the new command record type. That makes sense to do in the long run. Perhaps a field called full could be added to the standard output of the command fieldtype dict to still be able to index the full, original, command.

Historically the command field type introduced a backwards incompatible change into dissect. This PR fixes that inconsistency.

@codecov Codecov
Copy link

codecov bot commented Aug 5, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 83.86%. Comparing base (25d783a) to head (1b5d5cf).

Additional details and impacted files 
@@           Coverage Diff           @@
##             main     #130   +/-   ##
=======================================
  Coverage   83.85%   83.86%           
=======================================
  Files          34       34           
  Lines        3487     3489    +2     
=======================================
+ Hits         2924     2926    +2     
  Misses        563      563
Flag Coverage Δ
unittests 83.86% <100.00%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@Miauwkeru
Copy link
Contributor

Thanks for your contribution, we will look at the changes later. But for now, could you maybe create an issue and attach it to this PR? It would make keeping track of issues a lot easier for us.

@JSCU-CNI
Copy link
Contributor Author

JSCU-CNI commented Jan 9, 2025

Do you have an update for us regarding this pull request @Miauwkeru?

@EinatFox
Copy link

Hi @JSCU-CNI ,
This PR is on our radar but unfortunately due to low capacity I cannot yet tell when it will get priority.
However, we do agree about the need to fix the inconsistency that record fields named command should not use the command type. I have created a separate issue for that in dissect.target #984. If you can make a PR for it, it will get prioritized for review, and hopefully this will partially resolve your issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Flatten command field types for the jsonpacker
3 participants
@JSCU-CNI @Miauwkeru @EinatFox