Clean up

plaso/data/formatters/macos.yaml

@@ -10,7 +10,7 @@ message:
 - 'Device Model: {device_model}'
 - 'Exception Type: {exception_type}'
 - 'Incident Identifier: {incident_identifier}'
-- 'OS Version: {os_version}'
+- 'Operating system version: {operating_system_version}'
 - 'Parent Process: {parent_process}'
 - 'Parent Process Identifier: {parent_process_identifier}'
 - 'Process Identifier: {process_identifier}'
@@ -20,7 +20,7 @@ short_message:
 - 'Bug Type: {bug_type}'
 - 'Device Model: {device_model}'
 - 'Incident Identifier: {incident_identifier}'
-- 'OS version: {os_version}'
+- 'Operating system version: {operating_system_version}'
 short_source: 'RecoveryLogd'
 source: 'Apple Recovery IPS'
 ---
@@ -34,14 +34,14 @@ message:
 - 'Kernel Version: {kernel_version}'
 - 'Incident Identifier: {incident_identifier}'
 - 'Process List: {process_list}'
-- 'OS Version: {os_version}'
+- 'Operating system version: {operating_system_version}'
 - 'Reason: {reason}'
 short_message:
 - 'Bug Type: {bug_type}'
 - 'Crash Reporter_key: {crash_reporter_key}'
 - 'Device Model: {device_model}'
 - 'Incident Identifier: {incident_identifier}'
-- 'OS Version: {os_version}'
+- 'Operating system version: {operating_system_version}'
 - 'Reason: {reason}'
 short_source: 'StacksIPS'
 source: 'Apple Stacks IPS'

plaso/parsers/ips_plugins/interface.py

@@ -17,8 +17,8 @@ class IPSPlugin(plugins.BasePlugin):
 
   ENCODING = 'utf-8'
 
-  REQUIRED_HEADER_KEYS = []
-  REQUIRED_CONTENT_KEYS = []
+  REQUIRED_HEADER_KEYS = frozenset()
+  REQUIRED_CONTENT_KEYS = frozenset()
 
   _TWO_DIGITS = pyparsing.Word(pyparsing.nums, exact=2).set_parse_action(
       lambda tokens: int(tokens[0], 10))
@@ -37,7 +37,7 @@ class IPSPlugin(plugins.BasePlugin):
       _TWO_DIGITS.set_results_name('seconds') + pyparsing.Suppress('.') +
       _VARYING_DIGITS.set_results_name('fraction') +
       pyparsing.Word(
-          pyparsing.nums + '+' + '-').set_results_name('timezone_delta'))
+          pyparsing.nums + '+' + '-').set_results_name('time_zone_delta'))
 
   def _ParseTimestampValue(self, parser_mediator, timestamp_text):
     """Parses a timestamp string.
@@ -47,8 +47,7 @@ def _ParseTimestampValue(self, parser_mediator, timestamp_text):
       timestamp_text (str): the timestamp to parse.
 
     Returns:
-       dfdatetime.TimeElements: date and time
-          or None if not available.
+       dfdatetime.TimeElements: date and time or None if not available.
     """
     # dfDateTime takes the time zone offset as number of minutes relative from
     # UTC. So for Easter Standard Time (EST), which is UTC-5:00 the sign needs
@@ -57,25 +56,28 @@ def _ParseTimestampValue(self, parser_mediator, timestamp_text):
     parsed_timestamp = self.TIMESTAMP_GRAMMAR.parseString(timestamp_text)
 
     try:
-      time_delta_hours = int(parsed_timestamp['timezone_delta'][:3], 10)
-      time_delta_minutes = int(parsed_timestamp['timezone_delta'][3:], 10)
+      time_delta_hours = int(parsed_timestamp['time_zone_delta'][:3], 10)
+      time_delta_minutes = int(parsed_timestamp['time_zone_delta'][3:], 10)
     except (TypeError, ValueError):
       parser_mediator.ProduceExtractionWarning(
-          'unsupported timezone offset value')
+          'unsupported time zone offset value')
       return None
 
     time_zone_offset = (time_delta_hours * 60) + time_delta_minutes
 
     try:
-      fraction_float = float(f"0.{parsed_timestamp['fraction']}")
+      fraction = parsed_timestamp['fraction']
+      fraction_float = float(f'0.{fraction:s}')
       milliseconds = round(fraction_float * 1000)
 
+      time_elements_tuple = (
+          parsed_timestamp['year'], parsed_timestamp['month'],
+          parsed_timestamp['day'], parsed_timestamp['hours'],
+          parsed_timestamp['minutes'], parsed_timestamp['seconds'],
+          milliseconds)
+
       time_element_object = dfdatetime_time_elements.TimeElementsInMilliseconds(
-          time_elements_tuple=(
-              parsed_timestamp['year'], parsed_timestamp['month'],
-              parsed_timestamp['day'], parsed_timestamp['hours'],
-              parsed_timestamp['minutes'], parsed_timestamp['seconds'],
-              milliseconds),
+          time_elements_tuple=time_elements_tuple,
           time_zone_offset=time_zone_offset)
 
     except (TypeError, ValueError):
@@ -85,11 +87,11 @@ def _ParseTimestampValue(self, parser_mediator, timestamp_text):
     return time_element_object
 
   def CheckRequiredKeys(self, ips_file):
-    """Checks if the ips file's header and content have the keys required by the
-    plugin.
+    """Checks the IPS header and content have the keys required for the plugin.
 
     Args:
       ips_file (IPSFile): the file for which the structure is checked.
+
     Returns:
       bool: True if the file has the required keys defined by the plugin, or
           False if it does not, or if the plugin does not define required
@@ -115,12 +117,12 @@ def CheckRequiredKeys(self, ips_file):
   # pylint: disable=arguments-differ
   @abc.abstractmethod
   def Process(self, parser_mediator, ips_file=None, **unused_kwargs):
-    """Extracts information from an ips log file. This is the main method that
-    an ips plugin needs to implement.
+    """Extracts events from an IPS log file.
 
     Args:
       parser_mediator (ParserMediator): parser mediator.
       ips_file (Optional[IPSFile]): database.
+
     Raises:
       ValueError: If the file value is missing.
     """

plaso/parsers/ips_plugins/recovery_logd.py

@@ -1,5 +1,5 @@
 # -*- coding: utf-8 -*-
-"""IPS file parser plugin for Apple crash recovery report."""
+"""IPS log file parser plugin for Apple crash recovery report."""
 
 from plaso.containers import events
 from plaso.parsers import ips_parser
@@ -18,9 +18,9 @@ class AppleRecoveryLogdEvent(events.EventData):
     event_time (dfdatetime.DateTimeValues): date and time of the crash report.
     exception_type (str): type of the exception that caused the crash.
     incident_identifier (str): uuid for crash.
-    os_version (str): version of the operating system.
-    parent_process (str): parent process.
+    operating_system_version (str): version of the operating system.
     parent_process_identifier (int): process identifier of the parent process.
+    parent_process (str): parent process.
     process_identifier (int): process identifier.
     process_launch_time (dfdatetime.DateTimeValues): date and time when the
         process started.
@@ -39,9 +39,9 @@ def __init__(self):
     self.event_time = None
     self.exception_type = None
     self.incident_identifier = None
-    self.os_version = None
-    self.parent_process = None
+    self.operating_system_version = None
     self.parent_process_identifier = None
+    self.parent_process = None
     self.process_identifier = None
     self.process_launch_time = None
     self.user_identifier = None
@@ -53,36 +53,37 @@ class AppleRecoveryLogdIPSPlugin(interface.IPSPlugin):
   NAME = 'apple_recovery_ips'
   DATA_FORMAT = 'IPS recovery logd crash log'
 
-  REQUIRED_HEADER_KEYS = [
+  REQUIRED_HEADER_KEYS = frozenset([
       'app_name', 'app_version', 'bug_type', 'incident_id', 'os_version',
-      'timestamp']
-  REQUIRED_CONTENT_KEYS = [
-      'captureTime', 'modelCode', 'pid', 'procLaunch']
+      'timestamp'])
+  REQUIRED_CONTENT_KEYS = frozenset([
+      'captureTime', 'modelCode', 'pid', 'procLaunch'])
 
   # pylint: disable=unused-argument
   def Process(self, parser_mediator, ips_file=None, **unused_kwargs):
-    """Extracts information from an IPS log file. This is the main method that
-    an IPS plugin needs to implement.
+    """Extracts events from an Apple Crash IPS log file.
 
     Args:
       parser_mediator (ParserMediator): parser mediator.
       ips_file (Optional[IpsFile]): database.
+
     Raises:
       ValueError: If the file value is missing.
     """
     if ips_file is None:
       raise ValueError('Missing ips_file value')
 
+    ips_exception = ips_file.content.get('exception', {})
+
     event_data = AppleRecoveryLogdEvent()
     event_data.application_name = ips_file.header.get('app_name')
     event_data.application_version = ips_file.header.get('app_version')
     event_data.bug_type = ips_file.header.get('bug_type')
     event_data.crash_reporter_key = ips_file.content.get('crashReporterKey')
     event_data.device_model = ips_file.content.get('modelCode')
-    event_data.exception_type = ips_file.content.get(
-          'exception', {}).get('type')
+    event_data.exception_type = ips_exception.get('type')
     event_data.incident_identifier = ips_file.header.get('incident_id')
-    event_data.os_version = ips_file.header.get('os_version')
+    event_data.operating_system_version = ips_file.header.get('os_version')
     event_data.parent_process = ips_file.content.get('parentProc')
     event_data.parent_process_identifier = ips_file.content.get('parentPid')
     event_data.process_identifier = ips_file.content.get('pid')

plaso/parsers/ips_plugins/stacks_ips.py

@@ -1,5 +1,5 @@
 # -*- coding: utf-8 -*-
-"""IPS file parser plugin for Apple stacks report."""
+"""IPS log file parser plugin for Apple stacks report."""
 
 from plaso.containers import events
 from plaso.parsers import ips_parser
@@ -14,10 +14,10 @@ class AppleStacksIPSEvent(events.EventData):
     crash_reporter_key (str): Key of the crash reporter.
     device_model (str): model of the device.
     event_time (dfdatetime.DateTimeValues): date and time of the crash report.
-    kernel_version (str): kernel version.
     incident_identifier (str): uuid for crash.
+    kernel_version (str): kernel version.
+    operating_system_version (str): version of the operating system.
     process_list (str): list of process names running at the time of the crash.
-    os_version (str): version of the operating system.
     reason (str): reason for the crash.
   """
 
@@ -30,10 +30,10 @@ def __init__(self):
     self.crash_reporter_key = None
     self.device_model = None
     self.event_time = None
-    self.kernel_version = None
     self.incident_identifier = None
+    self.kernel_version = None
+    self.operating_system_version = None
     self.process_list = None
-    self.os_version = None
     self.reason = None
 
 
@@ -43,18 +43,19 @@ class AppleStacksIPSPlugin(interface.IPSPlugin):
   NAME = 'apple_stacks_ips'
   DATA_FORMAT = 'IPS stacks crash log'
 
-  REQUIRED_HEADER_KEYS = ['bug_type', 'incident_id', 'os_version', 'timestamp']
-  REQUIRED_CONTENT_KEYS = [
-      'build', 'crashReporterKey', 'kernel', 'product', 'reason']
+  REQUIRED_HEADER_KEYS = frozenset([
+      'bug_type', 'incident_id', 'os_version', 'timestamp'])
+  REQUIRED_CONTENT_KEYS = frozenset([
+      'build', 'crashReporterKey', 'kernel', 'product', 'reason'])
 
   # pylint: disable=unused-argument
   def Process(self, parser_mediator, ips_file=None, **unused_kwargs):
-    """Extracts information from an IPS log file. This is the main method that
-    an IPS plugin needs to implement.
+    """Extracts information from an Apple stacks crash IPS log file.
 
     Args:
       parser_mediator (ParserMediator): parser mediator.
       ips_file (Optional[IpsFile]): database.
+
     Raises:
       ValueError: If the file value is missing.
     """
@@ -67,7 +68,7 @@ def Process(self, parser_mediator, ips_file=None, **unused_kwargs):
     event_data.device_model = ips_file.content.get('product')
     event_data.kernel_version = ips_file.content.get('kernel')
     event_data.incident_identifier = ips_file.header.get('incident_id')
-    event_data.os_version = ips_file.header.get('os_version')
+    event_data.operating_system_version = ips_file.header.get('os_version')
     event_data.reason = ips_file.content.get('reason')
 
     process_list = [

tests/parsers/ips_plugins/recovery_logd.py

@@ -28,12 +28,12 @@ def testProcess(self):
         'bug_type': '309',
         'crash_reporter_key': 'c0dec0dec0dec0dec0dec0dec0dec0dec0de0001',
         'device_model': 'iBridge2,14',
-        'exception_type': 'EXC_CRASH',
         'event_time': '2023-06-08T14:49:13.520+00:00',
+        'exception_type': 'EXC_CRASH',
         'incident_identifier': '9505C5CC-07DE-4E81-BCCE-60D07C96D1B1',
-        'os_version': 'Bridge OS 7.5 (20P5058)',
-        'parent_process': 'launchd',
+        'operating_system_version': 'Bridge OS 7.5 (20P5058)',
         'parent_process_identifier': 1,
+        'parent_process': 'launchd',
         'process_identifier': 74,
         'process_launch_time': '2023-06-08T14:49:12.507+00:00',
         'user_identifier': 501}