anomalyx-normalize 0.4.1

anomalyx normalization: any input format -> the ax-core RecordSet
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246

//! XML parser — scan reports (Nessus/OpenVAS), SOAP, and configs.
//!
//! XML is a tree, so we flatten it to rows by finding the **record element**:
//! the most-repeated group of sibling elements (e.g. `<ReportItem>` under a
//! Nessus `<ReportHost>`, or `<vuln>` in a report). Each such element becomes a
//! row whose columns are its **attributes** plus its **leaf child elements**
//! (text-only children), type-inferred. With no repetition the document is a
//! single record (e.g. a config) and the root element becomes one row.
//!
//! Flattened this way it feeds `structural` and `dist` like any other corpus.
//! Detected by an `<?xml` declaration (`STRONG`) or a leading element tag
//! (`TEXT`); extensions `.xml` / `.nessus`.

use crate::infer;
use crate::parser::{Confidence, FormatParser, STRONG, TEXT};
use crate::table::TableBuilder;
use ax_core::{AxError, Column, Value};
use roxmltree::{Document, Node};
use std::collections::BTreeMap;

#[derive(Debug, Default, Clone)]
pub struct XmlParser;

/// Selects the record elements: the largest group of same-named sibling elements
/// (first such group in document order on a tie). Falls back to the root element
/// as a single record when nothing repeats.
fn find_records<'a, 'input>(doc: &'a Document<'input>) -> Vec<Node<'a, 'input>> {
    let mut best: Vec<Node> = Vec::new();
    for parent in doc.descendants().filter(Node::is_element) {
        // Group this parent's direct element children by tag, preserving order.
        let mut groups: Vec<(&str, Vec<Node>)> = Vec::new();
        for child in parent.children().filter(Node::is_element) {
            let name = child.tag_name().name();
            match groups.iter_mut().find(|(n, _)| *n == name) {
                Some(group) => group.1.push(child),
                None => groups.push((name, vec![child])),
            }
        }
        for (_, nodes) in groups {
            if nodes.len() >= 2 && nodes.len() > best.len() {
                best = nodes;
            }
        }
    }
    if best.is_empty() {
        best.push(doc.root_element());
    }
    best
}

/// Is this element a leaf (no child elements of its own)?
fn is_leaf(node: &Node) -> bool {
    !node.children().any(|c| c.is_element())
}

impl XmlParser {
    fn err(&self, msg: impl std::fmt::Display) -> AxError {
        AxError::Parse {
            format: self.id().to_string(),
            message: msg.to_string(),
        }
    }
}

impl FormatParser for XmlParser {
    fn id(&self) -> &'static str {
        "xml"
    }
    fn extensions(&self) -> &'static [&'static str] {
        &["xml", "nessus"]
    }
    fn sniff(&self, bytes: &[u8]) -> Option<Confidence> {
        let text = std::str::from_utf8(bytes).ok()?;
        let trimmed = text.trim_start();
        if trimmed.starts_with("<?xml") {
            return Some(STRONG);
        }
        // A leading element tag (`<` then a name char) is XML; `<` then a digit is
        // a syslog priority, not XML.
        let after = trimmed.strip_prefix('<')?;
        after
            .starts_with(|c: char| c.is_ascii_alphabetic() || c == '_')
            .then_some(TEXT)
    }
    fn parse(&self, _source: &str, bytes: &[u8]) -> Result<Vec<Column>, AxError> {
        let text = std::str::from_utf8(bytes).map_err(|e| self.err(e))?;
        let doc = Document::parse(text).map_err(|e| self.err(e))?;
        let mut builder = TableBuilder::new();
        for record in find_records(&doc) {
            let mut row: BTreeMap<String, Value> = BTreeMap::new();
            for attr in record.attributes() {
                row.insert(attr.name().to_string(), infer::infer_scalar(attr.value()));
            }
            for child in record.children().filter(Node::is_element) {
                if is_leaf(&child) {
                    let text = child.text().unwrap_or("").trim();
                    let cell = if text.is_empty() {
                        Value::Null
                    } else {
                        infer::infer_scalar(text)
                    };
                    row.insert(child.tag_name().name().to_string(), cell);
                }
            }
            builder.push_row(row);
        }
        Ok(builder.finish())
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use ax_core::ColType;

    const REPORT: &str = r#"<?xml version="1.0"?>
<vulns>
  <vuln id="1" severity="high"><name>SQLi</name><port>443</port></vuln>
  <vuln id="2" severity="low"><name>XSS</name><port>80</port></vuln>
  <vuln id="3" severity="high"><name>RCE</name><port>22</port></vuln>
</vulns>"#;

    fn parse(s: &str) -> Vec<Column> {
        XmlParser.parse("-", s.as_bytes()).unwrap()
    }
    fn col<'a>(cols: &'a [Column], name: &str) -> &'a Column {
        cols.iter()
            .find(|c| c.name == name)
            .unwrap_or_else(|| panic!("missing column {name}"))
    }

    #[test]
    fn repeated_element_becomes_rows_with_attrs_and_leaf_children() {
        let cols = parse(REPORT);
        // Three <vuln> records.
        assert_eq!(col(&cols, "id").cells.len(), 3);
        // Attributes are columns (id typed Int, severity categorical Str).
        assert_eq!(col(&cols, "id").ty, ColType::Int);
        assert_eq!(
            col(&cols, "id").cells,
            vec![Value::Int(1), Value::Int(2), Value::Int(3)]
        );
        assert_eq!(
            col(&cols, "severity").cells,
            vec![
                Value::Str("high".into()),
                Value::Str("low".into()),
                Value::Str("high".into())
            ]
        );
        // Leaf child elements are columns (name Str, port Int).
        assert_eq!(col(&cols, "name").cells[0], Value::Str("SQLi".into()));
        assert_eq!(col(&cols, "port").ty, ColType::Int);
        assert_eq!(
            col(&cols, "port").cells,
            vec![Value::Int(443), Value::Int(80), Value::Int(22)]
        );
    }

    #[test]
    fn picks_the_deepest_repeated_group_not_a_leaf() {
        // <name> and <port> each occur 3 times globally, but the repeated SIBLING
        // group is <vuln>; the records must be the vulns, not the names.
        assert_eq!(parse(REPORT).len(), 4); // id, severity, name, port columns
        assert_eq!(col(&parse(REPORT), "name").cells.len(), 3);
    }

    #[test]
    fn tie_breaks_to_the_first_repeated_group() {
        // Two groups of equal count (2) under one parent; the FIRST (a) wins, so
        // the rows carry `x`, not `y`.
        let cols = parse(r#"<root><a x="1"/><a x="2"/><b y="3"/><b y="4"/></root>"#);
        assert_eq!(col(&cols, "x").cells, vec![Value::Int(1), Value::Int(2)]);
        assert!(
            cols.iter().all(|c| c.name != "y"),
            "the later group must lose"
        );
    }

    #[test]
    fn non_leaf_children_are_not_flattened() {
        // A child with its own children (<meta>) is not a leaf and must not become
        // a column; only the leaf <tag> does.
        let cols = parse(
            "<items><item id=\"1\"><meta><sub>d</sub></meta><tag>a</tag></item>\
             <item id=\"2\"><meta><sub>d</sub></meta><tag>b</tag></item></items>",
        );
        assert_eq!(
            col(&cols, "tag").cells,
            vec![Value::Str("a".into()), Value::Str("b".into())]
        );
        assert!(
            cols.iter().all(|c| c.name != "meta"),
            "non-leaf child skipped"
        );
    }

    #[test]
    fn no_repetition_treats_root_as_one_record() {
        let cols = parse("<config><host>web01</host><port>8080</port></config>");
        assert_eq!(col(&cols, "host").cells, vec![Value::Str("web01".into())]);
        assert_eq!(col(&cols, "port").cells, vec![Value::Int(8080)]);
    }

    #[test]
    fn empty_leaf_is_null() {
        let cols = parse("<r><a>x</a><b></b></r>");
        assert_eq!(col(&cols, "a").cells[0], Value::Str("x".into()));
        assert_eq!(col(&cols, "b").cells[0], Value::Null);
    }

    #[test]
    fn malformed_xml_errors() {
        assert!(matches!(
            XmlParser.parse("-", b"<unclosed>"),
            Err(AxError::Parse { .. })
        ));
        assert!(matches!(
            XmlParser.parse("-", b"not xml at all"),
            Err(AxError::Parse { .. })
        ));
    }

    #[test]
    fn sniff_recognizes_xml() {
        assert_eq!(XmlParser.sniff(REPORT.as_bytes()), Some(STRONG)); // <?xml
        assert_eq!(XmlParser.sniff(b"<vulns><vuln/></vulns>"), Some(TEXT)); // bare element
        assert_eq!(XmlParser.sniff(b"  <root>x</root>"), Some(TEXT)); // leading whitespace
        assert_eq!(XmlParser.sniff(b"<34>Oct syslog"), None); // syslog priority, not XML
        assert_eq!(XmlParser.sniff(b"{\"a\":1}"), None);
        assert_eq!(XmlParser.sniff(b"a,b,c\n1,2,3"), None);
    }

    #[test]
    fn claims_xml_extensions() {
        assert_eq!(XmlParser.extensions(), &["xml", "nessus"]);
    }

    #[test]
    fn resolves_by_extension_and_content() {
        let reg = crate::parser::ParserRegistry::default();
        assert_eq!(reg.resolve("scan.xml", b"zz").unwrap().id(), "xml");
        assert_eq!(reg.resolve("scan.nessus", b"zz").unwrap().id(), "xml");
        assert_eq!(reg.resolve("-", REPORT.as_bytes()).unwrap().id(), "xml");
    }
}