WithSecureLabs / chainsaw

Rapidly Search and Hunt through Windows Forensic Artefacts


Use separate-json-attributes

forensicmatt opened this issue · comments

Curious why not use separate-json-attributes for the EvtxParserSettings?

The issue with not using this setting is that it causes an inconsistent JSON attribute naming standard.

Whenever an XML element has an attribute, the JSON field will split into a #text and #attributes. This causes issues on many fronts. Using the separate-json-attributes setting for the parser will normalize the fields, and an XML element's value will always be the field name and any element attributes will be placed under <ELEMENT_NAME>_attributes. This prevents inconsistent field names in JSON serializations.

Some other references:

If you are open to this I can create a PR

Hi @forensicmatt

Thanks for raising this issue. I have created PR #54 which should implement what you're discussing here. Do you want to take a look and make sure I've implemented it as you were thinking?

I'll merge into master once it's been reviewed.

Looks good. Now you won't have to guess when it's going to be Attribute or Attribute.#text
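
The naming problem described in the issue, as an added example that is not part of the thread and is not chainsaw or evtx code: a Python sketch that rewrites the `#text`/`#attributes` shape into the `<ELEMENT_NAME>_attributes` shape, so a rule-style lookup of `Event.System.EventID` always gets a scalar. The records, the function names and the handling of attribute-only elements are assumptions made for illustration.

```python
import json


def separate_attributes(node):
    """Rewrite the '#text'/'#attributes' shape into the
    '<ELEMENT_NAME>_attributes' naming described in the issue."""
    if isinstance(node, list):
        return [separate_attributes(item) for item in node]
    if not isinstance(node, dict):
        return node
    out = {}
    for name, value in node.items():
        if isinstance(value, dict) and "#attributes" in value:
            # Attributes move to a sibling key next to the element.
            out[name + "_attributes"] = value["#attributes"]
            rest = {k: v for k, v in value.items() if k != "#attributes"}
            if set(rest) == {"#text"}:
                out[name] = rest["#text"]  # element value keeps the plain name
            elif rest:
                out[name] = separate_attributes(rest)  # child elements remain
            # Assumption: an attribute-only element gets no value key at all.
        else:
            out[name] = separate_attributes(value)
    return out


def event_id_naive(record):
    """Rule-style lookup that expects Event.System.EventID to be a scalar."""
    return record["Event"]["System"]["EventID"]


# Constructed records: the same field arrives as two different JSON types.
PLAIN = {"Event": {"System": {"EventID": 4624}}}
WITH_ATTR = {"Event": {"System": {
    "EventID": {"#attributes": {"Qualifiers": 16384}, "#text": 7036}}}}

if __name__ == "__main__":
    for rec in (PLAIN, WITH_ATTR):
        before = event_id_naive(rec)
        after = event_id_naive(separate_attributes(rec))
        # A filter such as "EventID == 7036" silently misses the dict form.
        print(json.dumps(before), "->", json.dumps(after))
```
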