Unexpected user warnings in stdout for pinfo
jkppr opened this issue · 2 comments
Describe the problem:
Pinfo supports a list of output formats. This comes in handy when using the output in another command or script downstream. Example: pinfo.py --output_format json /tmp/evidence.plaso | jq -r '.storage_counters.parsers' can be used to get the count of parsed events in a machine processable way.
However, there is a CheckOutDated function in the plaso/cli/tools.py that checks if the Plaso version used is > 180 days old and sends a warning to stderr via logger.warning and also prints a warning to stdout via self._PrintUserWarning.
This warning via self._PrintUserWarning does not respect the output format defined by the user when calling the tool and will always print to stdout. This behaviour does result in breaking tool chains that expect to get a json output as requested. Additionally, the problem happens after 180 days, which makes it even more difficult to address this problem when developing a tool chain in the first place, since the behaviour changes unexpectedly.
To Reproduce:
Plaso version: 20230717
Example execution:
$ pinfo.py --output_format json /tmp/evidence.plaso
2024-01-18 11:24:41,695 [WARNING] (MainProcess) PID:861 <tools> This version of plaso is more than 6 months old. (<= Logger on stderr)
WARNING: the version of plaso you are using is more than 6 months old. We (<= _PrintUserWarning on stdout)
strongly recommend to update it.
{...} (<= Expected json output)
So for the example from the problem description above:
$ pinfo.py --output_format json /tmp/evidence.plaso | jq -r '.storage_counters.parsers'
2024-01-18 11:39:13,843 [WARNING] (MainProcess) PID:864 <tools> This version of plaso is more than 6 months old. (<= stderr)
parse error: Invalid numeric literal at line 1, column 8 (<= cannot parse the string warning on stdout)
Expected behavior:
The tool should respect the output format chosen by the user when it comes to stdout output.
I can see two options to solve this:
- Have _PrintUserWarning send its messages to stderr via the logger module instead of printing it to stdout. (probably the easiest solution)
- Make _PrintUserWarning aware of the output format requested and integrate the warning as part of the requested format. Example: When json is requested, add a "warnings" key that contains the message.
Additional context
The problem described above has already caused breaking problems in Timesketch and Turbinia.
If I'm not mistaken you could use --write to redirect the output without the warning to a file, but printing the warning to stderr sounds good to me as well. Realize that stdout gives no guarantees about the encoding.
Yes, I can confirm that using the -w / --write argument and writing the output to a file does skip the user warning on stdout. Depending on the use-case this is a good workaround for now.
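For tool chains that consume pinfo's stdout directly, the consumer can be made tolerant of the user warning described in this issue. The following is an added example, not part of the issue thread or of Plaso's code: the function names and the sample JSON values are assumptions, and only the storage_counters and parsers key names come from the jq filter quoted in the issue.

```python
import json
import sys

# Constructed sample of pinfo.py stdout: the two-line user warning quoted in
# the issue, followed by a constructed JSON body. Only the key names
# storage_counters and parsers come from the issue; the values are made up.
SAMPLE_STDOUT = (
    "WARNING: the version of plaso you are using is more than 6 months old. We\n"
    "strongly recommend to update it.\n"
    '{"storage_counters": {"parsers": {"filestat": 3, "total": 3}}}\n'
)


def split_preamble_and_json(stdout_text):
    """Return (preamble, document) for the single JSON object in stdout_text.

    Text before the object (such as the user warning) is returned as the
    preamble instead of breaking the parse. Text after the object is treated
    as an error so a truncated or mixed stream is never silently accepted.
    """
    decoder = json.JSONDecoder()
    start = stdout_text.find("{")
    while start != -1:
        try:
            document, end = decoder.raw_decode(stdout_text, start)
        except json.JSONDecodeError:
            # This brace did not start valid JSON; try the next candidate.
            start = stdout_text.find("{", start + 1)
            continue
        if stdout_text[end:].strip():
            raise ValueError("unexpected text after the JSON document")
        return stdout_text[:start].strip(), document
    raise ValueError("no JSON object found on stdout")


def parser_counts(stdout_text):
    """Hypothetical downstream step: the equivalent of the jq filter."""
    preamble, document = split_preamble_and_json(stdout_text)
    if preamble:
        # Keep the skipped text visible to operators without polluting stdout.
        print(f"skipped non-JSON text on stdout: {preamble!r}", file=sys.stderr)
    return document["storage_counters"]["parsers"]


if __name__ == "__main__":
    print(json.dumps(parser_counts(SAMPLE_STDOUT)))
```

Failing on trailing text and on a missing object keeps the pipeline from recording partial results when the tool's output changes again.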