Refactored setupapi parser #2717 #2718
Conversation
Codecov Report
@@ Coverage Diff @@
## master #2718 +/- ##
==========================================
+ Coverage 86.21% 86.28% +0.07%
==========================================
Files 481 487 +6
Lines 32788 33062 +274
==========================================
+ Hits 28268 28529 +261
- Misses 4520 4533 +13
Continue to review full report at Codecov.
|
plaso/parsers/setupapi.py
Outdated
| structure (pyparsing.ParseResults): structure of tokens derived from | ||
| log entry. | ||
| time_structure (pyparsing.ParseResults): structure of tokens derived from | ||
| a setupapi time stamp. |
There was a problem hiding this comment.
time stamp => date and time value
There was a problem hiding this comment.
The setupapi documents call this field a timestamp: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/format-of-a-text-log-section-header
Clarified this.
plaso/parsers/setupapi.py
Outdated
|
|
||
| Returns: | ||
| dfdatetime.TimeElements: date and time extracted from the value or None | ||
| if the value does not represent a valid string. |
There was a problem hiding this comment.
a valid string => a valid date and time value
plaso/parsers/setupapi.py
Outdated
|
|
||
| Returns: | ||
| bool: True if this is the correct parser, False otherwise. | ||
| """ | ||
| try: | ||
| structure = self._SETUPAPI_LINE.parseString(lines) | ||
| _ = self._LOG_HEADER_START.parseString(line) |
There was a problem hiding this comment.
remove '_ =', it is not needed
plaso/parsers/winfirewall.py
Outdated
| @@ -224,7 +224,7 @@ def VerifyStructure(self, parser_mediator, line): | |||
| """ | |||
| # TODO: Examine other versions of the file format and if this parser should | |||
| # support them. | |||
| return line == '#Version: 1.5' | |||
| return '#Version: 1.5' in line | |||
There was a problem hiding this comment.
Because of the whitespace matching. Changed this to just have the newline.
tests/parsers/setupapi.py
Outdated
| @@ -101,8 +101,8 @@ def testParseSetupLog(self): | |||
|
|
|||
| self.CheckTimestamp(event.timestamp, '2015-11-22 17:53:29.305000') | |||
|
|
|||
| expected_message = ('Setup Plug and Play Device Install - START') | |||
| expected_short_message = ('START - Setup Plug and Play Device Install') | |||
| expected_message = ('Setup Plug and Play Device Install') | |||
There was a problem hiding this comment.
remove bounding parenthesis
|
@js-forensic - good idea, I thought this had already been done |
plaso/parsers/winfirewall.py
Outdated
| @@ -224,7 +224,8 @@ def VerifyStructure(self, parser_mediator, line): | |||
| """ | |||
| # TODO: Examine other versions of the file format and if this parser should | |||
| # support them. | |||
| return line == '#Version: 1.5' | |||
| stripped_line = line.strip() | |||
|
tox tests are failing: I'll restart them, no luck, seems to be an issue with a dependency #2727 |
|
Ping for @joachimmetz |
plaso/parsers/setupapi.py
Outdated
|
|
||
| def _ParseRecordLogline(self, parser_mediator, structure): | ||
| """Parses a logline record structure and produces events. | ||
| def _BuildDatetime(self, time_structure): |
There was a problem hiding this comment.
Change name of this method to _GetDateTime or equiv to keep it consistent with other parsers
Also changed the EncodedTextReader to not strip every line and updated parsers that relied on this behavior.
There's also more changes that I'd like make to the parser, but I've tried to keep changes to the tests minimal in this first round.