

Changes to remove provides support #275 (#610)
panhania authored Feb 10, 2024
1 parent 6304c2b commit 3e69de8
Showing 7 changed files with 3 additions and 15 deletions.
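--- a/artifacts/artifact.py
+++ b/artifacts/artifact.py
@@ -12,8 +12,6 @@ class ArtifactDefinition(object):
 aliases (list[str]): aliases that identify the artifact definition.
 description (str): description.
 name (str): name that uniquely identifiers the artifact definition.
-provides (list[str]): hints to what information the artifact definition
-provides.
 sources (list[str]): sources.
 supported_os (list[str]): supported operating systems.
 urls (list[str]): URLs with more information about the artifact definition.
@@ -31,7 +29,6 @@ def __init__(self, name, aliases=None, description=None):
 self.aliases = aliases or []
 self.description = description
 self.name = name
-self.provides = []
 self.sources = []
 self.supported_os = []
 self.urls = []
@@ -94,8 +91,6 @@ def AsDict(self):
 artifact_definition['aliases'] = self.aliases
 if self.supported_os:
 artifact_definition['supported_os'] = self.supported_os
-if self.provides:
-artifact_definition['provides'] = self.provides
 if self.urls:
 artifact_definition['urls'] = self.urls
 return artifact_definition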
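Review bot: Removing `self.provides` from `__init__` turns any remaining external read of `artifact_definition.provides` into an AttributeError, and nothing in the class docstring records that the attribute went away. A one-line note under the attribute list would spare downstream consumers a surprise, e.g. `Note: the provides attribute was removed; a provides key in a definition is no longer carried on this object.` The `AsDict` change is consistent with that, since the serialized form can no longer contain the key. The `__init__` and `AsDict` bodies both extend beyond the hunks shown.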
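--- a/artifacts/definitions.py
+++ b/artifacts/definitions.py
@@ -29,6 +29,7 @@
 # labels have been deprecated as of version 20220311.
 'labels',
 'name',
+# `provides` have been deprecated.
 'provides',
 'sources',
 'supported_os',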
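Review bot: The added comment `# `provides` have been deprecated.` omits the deprecation version that the neighbouring `labels` comment records, so a reader cannot tell from which release the key stopped being honoured; matching the sibling format, `# provides has been deprecated as of version <release-date>.` (placeholder for the actual release), keeps the list self-documenting. Because the key stays in this list while reader.py stops reading it, a definition that still sets `provides` appears to be accepted but its value is dropped, which is worth a clause in the same comment. The enclosing list starts and ends outside the hunk.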
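--- a/artifacts/reader.py
+++ b/artifacts/reader.py
@@ -221,8 +221,6 @@ def ReadArtifactDefinitionValues(self, artifact_definition_values):
 raise errors.FormatError(
 f'Invalid artifact definition: {name:s} urls is not a list.')
 
-artifact_definition.provides = artifact_definition_values.get(
-'provides', [])
 self._ReadSupportedOS(artifact_definition_values, artifact_definition, name)
 artifact_definition.urls = urls
 self._ReadSources(artifact_definition_values, artifact_definition, name)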
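Review bot: With the `.get('provides', [])` read gone, a `provides` key in `artifact_definition_values` is neither consumed nor reported, so a definition that still relies on it passes validation and loses that information silently. The reader presumably already has a path for the deprecated `labels` and `conditions` keys (outside this hunk); routing `provides` through the same mechanism, or at least checking `if 'provides' in artifact_definition_values:` and surfacing it the way those keys are surfaced, would make the deprecation visible to definition authors. The body of `ReadArtifactDefinitionValues` continues on both sides of the hunk.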
2 changes: 1 addition & 1 deletion docs/sources/Format-specification.md
Expand Up @@ -21,7 +21,6 @@ Value | Description
aliases | Optional list of alternate names to identify the artifact definition. Also see: See section: [Name](#name).
doc | The description (or documentation). A human readable string that describes the artifact definition. See section: [Description](#description).
name | The name. An unique string that identifies the artifact definition. See section: [Name](#name).
provides | Optional list of *TODO*
sources | A list of source definitions. See section: [Sources](#sources).
supported_os | Optional list that indicates which operating systems the artifact definition applies to. See section: [Supported operating system](#supported-operating-system).
urls | Optional list of URLs with more contextual information. Ideally the artifact definition links to an article that discusses the artifact in more depth for example on [Digital Forensics Artifact Knowledge Base](https://github.com/ForensicArtifacts/artifacts-kb).
Expand All @@ -32,6 +31,7 @@ Value | Description
--- | ---
conditions | Optional list of conditions that describe when the artifact definition should apply. Note that conditions have been deprecated as of version 20220710.
labels | Optional list of predefined labels. Note that labels have been deprecated as of version 20220311.
provides | Optional list of placeholder values that the artifact provides.
## Name
2 changes: 1 addition & 1 deletion test_data/definitions.json
@@ -1 +1 @@
[{"name": "SecurityEventLogEvtx", "sources": [{"attributes": {"paths": ["%%environ_systemroot%%\\System32\\winevt\\Logs\\Security.evtx"]}, "type": "FILE"}], "supported_os": ["Windows"], "doc": "Windows Security Event log for Vista or later systems.", "urls": ["http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)"]}, {"name": "AllUsersProfileEnvironmentVariable", "sources": [{"attributes": {"keys": ["HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\ProfilesDirectory", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\AllUsersProfile"]}, "type": "REGISTRY_KEY"}], "provides": ["environ_allusersprofile"], "supported_os": ["Windows"], "doc": "The %AllUsersProfile% environment variable.", "urls": ["http://support.microsoft.com/kb//214653"]}, {"name": "CurrentControlSet", "sources": [{"attributes": {"key_value_pairs": [{"value": "Current", "key": "HKEY_LOCAL_MACHINE\\SYSTEM\\Select"}]}, "type": "REGISTRY_VALUE"}], "provides": ["current_control_set"], "supported_os": ["Windows"], "doc": "The control set the system is currently using.", "urls": ["https://code.google.com/p/winreg-kb/wiki/SystemKeys"]}, {"name": "WMIProfileUsersHomeDir", "sources": [{"attributes": {"query": "SELECT * FROM Win32_UserProfile WHERE SID='%%users.sid%%'"}, "type": "WMI"}], "provides": ["users.homedir"], "supported_os": ["Windows"], "doc": "Get user homedir from Win32_UserProfile based on a known user's SID.\n\nThis artifact relies on having the SID field users.sid populated in the knowledge\nbase. 
We expect it to be collected with WindowsRegistryProfiles to\nsupply the rest of the user information.\n", "urls": ["http://msdn.microsoft.com/en-us/library/windows/desktop/ee886409(v=vs.85).aspx"]}, {"name": "EventLogs", "sources": [{"attributes": {"names": ["ApplicationEventLog", "ApplicationEventLogEvtx", "SecurityEventLog", "SecurityEventLogEvtx", "SystemEventLog", "SystemEventLogEvtx"]}, "type": "ARTIFACT_GROUP"}], "doc": "Windows Event logs.", "supported_os": ["Windows"]}, {"name": "RedhatPackagesList", "sources": [{"attributes": {"args": ["-qa"], "cmd": "/bin/rpm"}, "type": "COMMAND"}], "doc": "Linux output of rpm -qa.", "supported_os": ["Linux"]}, {"name": "OSXLoadedKexts", "sources": [{"attributes": {"args": [], "cmd": "/usr/sbin/kextstat"}, "type": "COMMAND"}], "doc": "Mac OS X Loaded Kernel Extensions.", "supported_os": ["Darwin"]}]
[{"name": "SecurityEventLogEvtx", "sources": [{"attributes": {"paths": ["%%environ_systemroot%%\\System32\\winevt\\Logs\\Security.evtx"]}, "type": "FILE"}], "supported_os": ["Windows"], "doc": "Windows Security Event log for Vista or later systems.", "urls": ["http://www.forensicswiki.org/wiki/Windows_XML_Event_Log_(EVTX)"]}, {"name": "AllUsersProfileEnvironmentVariable", "sources": [{"attributes": {"keys": ["HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\ProfilesDirectory", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\AllUsersProfile"]}, "type": "REGISTRY_KEY"}], "supported_os": ["Windows"], "doc": "The %AllUsersProfile% environment variable.", "urls": ["http://support.microsoft.com/kb//214653"]}, {"name": "CurrentControlSet", "sources": [{"attributes": {"key_value_pairs": [{"value": "Current", "key": "HKEY_LOCAL_MACHINE\\SYSTEM\\Select"}]}, "type": "REGISTRY_VALUE"}], "supported_os": ["Windows"], "doc": "The control set the system is currently using.", "urls": ["https://code.google.com/p/winreg-kb/wiki/SystemKeys"]}, {"name": "WMIProfileUsersHomeDir", "sources": [{"attributes": {"query": "SELECT * FROM Win32_UserProfile WHERE SID='%%users.sid%%'"}, "type": "WMI"}], "supported_os": ["Windows"], "doc": "Get user homedir from Win32_UserProfile based on a known user's SID.\n\nThis artifact relies on having the SID field users.sid populated in the knowledge\nbase. 
We expect it to be collected with WindowsRegistryProfiles to\nsupply the rest of the user information.\n", "urls": ["http://msdn.microsoft.com/en-us/library/windows/desktop/ee886409(v=vs.85).aspx"]}, {"name": "EventLogs", "sources": [{"attributes": {"names": ["ApplicationEventLog", "ApplicationEventLogEvtx", "SecurityEventLog", "SecurityEventLogEvtx", "SystemEventLog", "SystemEventLogEvtx"]}, "type": "ARTIFACT_GROUP"}], "doc": "Windows Event logs.", "supported_os": ["Windows"]}, {"name": "RedhatPackagesList", "sources": [{"attributes": {"args": ["-qa"], "cmd": "/bin/rpm"}, "type": "COMMAND"}], "doc": "Linux output of rpm -qa.", "supported_os": ["Linux"]}, {"name": "OSXLoadedKexts", "sources": [{"attributes": {"args": [], "cmd": "/usr/sbin/kextstat"}, "type": "COMMAND"}], "doc": "Mac OS X Loaded Kernel Extensions.", "supported_os": ["Darwin"]}]
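--- a/test_data/definitions.yaml
+++ b/test_data/definitions.yaml
@@ -17,7 +17,6 @@ sources:
 keys:
 - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\ProfilesDirectory'
 - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\AllUsersProfile'
-provides: [environ_allusersprofile]
 supported_os: [Windows]
 urls: ['http://support.microsoft.com/kb//214653']
 ---
@@ -28,7 +27,6 @@ sources:
 attributes:
 key_value_pairs:
 - {key: 'HKEY_LOCAL_MACHINE\SYSTEM\Select', value: 'Current'}
-provides: [current_control_set]
 supported_os: [Windows]
 urls: ['https://code.google.com/p/winreg-kb/wiki/SystemKeys']
 ---
@@ -42,7 +40,6 @@ doc: |
 sources:
 - type: WMI
 attributes: {query: SELECT * FROM Win32_UserProfile WHERE SID='%%users.sid%%'}
-provides: [users.homedir]
 supported_os: [Windows]
 urls: ['http://msdn.microsoft.com/en-us/library/windows/desktop/ee886409(v=vs.85).aspx']
 ---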
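--- a/tests/reader_test.py
+++ b/tests/reader_test.py
@@ -178,9 +178,6 @@ def testReadFileObject(self):
 artifact_definition = artifact_definitions[3]
 self.assertEqual(artifact_definition.name, 'WMIProfileUsersHomeDir')
 
-expected_provides = sorted(['users.homedir'])
-self.assertEqual(sorted(artifact_definition.provides), expected_provides)
-
 self.assertEqual(len(artifact_definition.sources), 1)
 source_type = artifact_definition.sources[0]
 self.assertIsNotNone(source_type)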
