BigQuery exporter does not export ProgramArguments in Plist results

[anttitikkanen]

When using the BigQuery exporter to export hunt results that contain MacOs plist entries, the "ProgramArguments" field will be missing (

grr/grr/proto/grr_response_proto/sysinfo.proto

Line 768 in 8ad8a4d

repeated string ProgramArguments = 7;

).

I suppose this is due to not having a special converter for Plists, so the default converted ignores repeated fields? (

grr/grr/server/grr_response_server/export.py

Line 320 in 3adbc6b

NOTE: DataAgnosticExportConverter discards complex types: repeated

)

[mbushkov]

Correct, an exporter for LaunchdPlist type has to be implemented. To do that, one would need to do the following:

• Define an ExportedLaunchdPlist protobuf and a corresponding Python class. The proto must contain the field metadata of type ExportedMetadata and shouldn't contain repeated fields (it can contain nested fields, though).
• Implement the exporter that would convert LaunchdPlist values into ExportedLaunchdPlist.