Changes to make timeliner support date-less log formats log2timeline#…

…4697
joachimmetz · Mar 29, 2024 · 26e6c1a · 26e6c1a
1 parent 2bbf16c
commit 26e6c1a
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 15 deletions.
diff --git a/plaso/containers/events.py b/plaso/containers/events.py
@@ -136,6 +136,18 @@ def CopyFromYearLessLogHelper(self, year_less_log_helper):
     self.last_relative_date = (year_less_log_helper.last_relative_year, 0, 0)
     self.latest_date = (year_less_log_helper.latest_year, 1, 1)
 
+  def GetEarliestDate(self):
+    """Retrieves the earliest date adjusted to the granularity.
+
+    Returns:
+      tuple[int, int, int]: earliest date as tuple of year, month and day of
+          month or None if not available.
+    """
+    if self.earliest_date and self.granularity == self.GRANULARITY_NO_YEARS:
+      return self.earliest_date[0], 0, 0
+
+    return self.earliest_date
+
   def GetEventDataStreamIdentifier(self):
     """Retrieves the identifier of the associated event data stream.
 
@@ -147,6 +159,31 @@ def GetEventDataStreamIdentifier(self):
     """
     return self._event_data_stream_identifier
 
+  def GetLastRelativeDate(self):
+    """Retrieves the last relative date adjusted to the granularity.
+
+    Returns:
+      tuple[int, int, int]: last relative date as tuple of year, month and day
+          of month or None if not available.
+    """
+    if (self.last_relative_date and
+        self.granularity == self.GRANULARITY_NO_YEARS):
+      return self.last_relative_date[0], 0, 0
+
+    return self.last_relative_date
+
+  def GetLatestDate(self):
+    """Retrieves the latest date adjusted to the granularity.
+
+    Returns:
+      tuple[int, int, int]: latest date as tuple of year, month and day of
+          month or None if not available.
+    """
+    if self.latest_date and self.granularity == self.GRANULARITY_NO_YEARS:
+      return self.latest_date[0], 0, 0
+
+    return self.latest_date
+
   def SetEventDataStreamIdentifier(self, event_data_stream_identifier):
     """Sets the identifier of the associated event data stream.
 

diff --git a/plaso/engine/timeliner.py b/plaso/engine/timeliner.py
@@ -118,21 +118,22 @@ def _GetBaseDate(self, storage_writer, event_data):
     else:
       date_less_log_helper = date_less_log_helpers[0]
 
-      earliest_date = date_less_log_helper.earliest_date
-      last_relative_date = date_less_log_helper.last_relative_date
-      latest_date = date_less_log_helper.latest_date
-      current_date = self._current_date
+      earliest_date = date_less_log_helper.GetEarliestDate()
+      last_relative_date = date_less_log_helper.GetLastRelativeDate()
+      latest_date = date_less_log_helper.GetLatestDate()
 
       if date_less_log_helper.granularity == (
           date_less_log_helper.GRANULARITY_NO_YEARS):
-        if earliest_date:
-          earliest_date = (earliest_date[0], 0, 0)
-        if last_relative_date:
-          last_relative_date = (last_relative_date[0], 0, 0)
-        if latest_date:
-          latest_date = (latest_date[0], 0, 0)
+        current_date = (self._current_date[0], 0, 0)
+      else:
+        current_date = self._current_date
 
-        current_date = (current_date[0], 0, 0)
+      if earliest_date is None or last_relative_date is None:
+        last_date = None
+      else:
+        last_date = tuple(map(
+            lambda earliest, last_relative: earliest + last_relative,
+            earliest_date, last_relative_date))
 
       if earliest_date is None and latest_date is None:
         message = (
@@ -143,10 +144,10 @@ def _GetBaseDate(self, storage_writer, event_data):
 
         base_date = current_date
 
-      elif earliest_date[0] + last_relative_date[0] < current_date[0]:
-        base_date = (earliest_date[0], 1, 1)
+      elif last_date < current_date:
+        base_date = earliest_date
 
-      elif latest_date[0] < current_date[0]:
+      elif latest_date < current_date:
         message = (
             f'earliest date: {earliest_date[0]:d}-{earliest_date[1]:d}-'
             f'{earliest_date[2]:d} as base date would exceed current date: '

diff --git a/tests/engine/timeliner.py b/tests/engine/timeliner.py
@@ -106,7 +106,7 @@ def testGetBaseDate(self):
     event_data_timeliner._base_dates = {}
 
     base_date = event_data_timeliner._GetBaseDate(storage_writer, event_data)
-    self.assertEqual(base_date, (2012, 1, 1))
+    self.assertEqual(base_date, (2012, 0, 0))
 
     number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
         'timelining_warning')