search

google / timesketch

Collaborative forensic timeline analysis
Apache License 2.0
2.58k stars 589 forks source link

[API Client]sketch.attribute_table value error #2839

Open jaegeral opened 1 year ago

jaegeral commented 1 year ago

Describe the bug When pulling sketch.attribute_table() via API it is causing a value error if only intelligence attribute is there.

To Reproduce

  1. Create a blank Sketch
  2. Add a piece of intel to it
  3. run api client sketch.attribute_table

sketch.attributes:

Attributes: {'intelligence': {'ontology': 'intelligence', 'value': {'data': [{'externalURI': 'google.com', 'ioc': '1.2.3.4', 'tags': ['foo'], 'type': 'ipv4'}, {'externalURI': 'fobar.com', 'ioc': '3.3.3.3', 'tags': ['aaaa'], 'type': 'ipv4'}]}}}

Error:

Traceback (most recent call last):
  File "/usr/local/bin/timesketch", line 33, in <module>
    sys.exit(load_entry_point('timesketch-cli-client==20220411', 'console_scripts', 'timesketch')())
  File "/usr/local/lib/python3.10/dist-packages/click/core.py", line 1130, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/click/core.py", line 1055, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python3.10/dist-packages/click/core.py", line 1657, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python3.10/dist-packages/click/core.py", line 1657, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python3.10/dist-packages/click/core.py", line 1404, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python3.10/dist-packages/click/core.py", line 760, in invoke
    return __callback(*args, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/click/decorators.py", line 26, in new_func
    return f(get_current_context(), *args, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/timesketch_cli_client-20220411-py3.10.egg/timesketch_cli_client/commands/sketch.py", line 49, in describe_sketch
    sketch.attributes_table,
  File "/usr/local/lib/python3.10/dist-packages/timesketch_api_client-20230208-py3.10.egg/timesketch_api_client/sketch.py", line 96, in attributes_table
    data_frame.columns = ["attribute", "values", "ontology"]
  File "/usr/local/lib/python3.10/dist-packages/pandas/core/generic.py", line 5920, in __setattr__
    return object.__setattr__(self, name, value)
  File "pandas/_libs/properties.pyx", line 69, in pandas._libs.properties.AxisProperty.__set__
  File "/usr/local/lib/python3.10/dist-packages/pandas/core/generic.py", line 822, in _set_axis
    self._mgr.set_axis(axis, labels)
  File "/usr/local/lib/python3.10/dist-packages/pandas/core/internals/managers.py", line 228, in set_axis
    self._validate_set_axis(axis, new_labels)
  File "/usr/local/lib/python3.10/dist-packages/pandas/core/internals/base.py", line 70, in _validate_set_axis
    raise ValueError(
ValueError: Length mismatch: Expected axis has 1 elements, new values have 3 elements
jaegeral commented 1 year ago

Based on the content of sketch.attributes, the current way of implementation likely never worked / was used, as in the top level of the sketch.attributes, those columns do not exist.

Representing this type of data in a single pandas dataframe is not really useful, so I will add a comment to the method that it will be deprecated at some point (in case some one is actually using the method, which I doubt given above error I assume this has never worked).