6129: Prevent duplicate CR attribute instances that may be created from TSK_INTERESTING_ARTIFACT_HIT in Correlation engine

Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CorrelationAttributeUtil.java

@@ -59,6 +59,22 @@ public class CorrelationAttributeUtil {
         return Bundle.CorrelationAttributeUtil_emailaddresses_text();
     }
 
+    /**
+     * Makes zero to many correlation attribute instances from the attributes of
+     * an artifact.
+     *
+     * IMPORTANT: The correlation attribute instances are NOT added to the
+     * central repository by this method.
+     *
+     * @param artifact An artifact.
+     *
+     * @return A list, possibly empty, of correlation attribute instances for
+     *         the artifact.
+     */
+    public static List<CorrelationAttributeInstance> makeCorrAttrsFromArtifact(BlackboardArtifact artifact) {
+        return makeCorrAttrsFromArtifact(artifact, true );
+    }
+    
     /**
      * Makes zero to many correlation attribute instances from the attributes of
      * an artifact.
@@ -75,12 +91,21 @@ public class CorrelationAttributeUtil {
      * checking is easy to forget, while catching exceptions is enforced.
      *
      * @param artifact              An artifact.
+     * @param resolveSourceArtifact A flag to indicate whether to resolve the
+     *                              source artifact, if the given artifact is 
+     *                              of type TSK_INTERESTING_ARTIFACT_HIT.
      *
      * @return A list, possibly empty, of correlation attribute instances for
      *          the artifact.
      */
-    public static List<CorrelationAttributeInstance> makeCorrAttrsFromArtifact(BlackboardArtifact artifact) {
+    public static List<CorrelationAttributeInstance> makeCorrAttrsFromArtifact(BlackboardArtifact artifact, boolean resolveSourceArtifact) {
         List<CorrelationAttributeInstance> correlationAttrs = new ArrayList<>();
+        
+        // If the artifact is of type TSK_INTERESTING_ARTIFACT_HIT, and the caller 
+        // has not indicated to resolve the source artifact, then return an empty list.
+        if ((artifact.getArtifactTypeID() == ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT.getTypeID()) && (resolveSourceArtifact == false) ) {
+            return correlationAttrs;
+        }
         try {
             BlackboardArtifact sourceArtifact = getCorrAttrSourceArtifact(artifact);
             if (sourceArtifact != null) {

Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/IngestEventsListener.java

@@ -455,8 +455,11 @@ public class IngestEventsListener {
             List<CorrelationAttributeInstance> eamArtifacts = new ArrayList<>();
 
             for (BlackboardArtifact bbArtifact : bbArtifacts) {
-                // eamArtifact will be null OR a EamArtifact containing one EamArtifactInstance.
-                List<CorrelationAttributeInstance> convertedArtifacts = CorrelationAttributeUtil.makeCorrAttrsFromArtifact(bbArtifact);
+                // If the incoming artifact is of type TSK_INTERESTING_ARTIFACT_HIT, 
+                // do not resolve to the source artifact, as correlation attributes 
+                // for the source artifact would have laready been created, 
+                // when the event for that source artifact was received.
+                List<CorrelationAttributeInstance> convertedArtifacts = CorrelationAttributeUtil.makeCorrAttrsFromArtifact(bbArtifact, false);
                 for (CorrelationAttributeInstance eamArtifact : convertedArtifacts) {
                     try {
                         // Only do something with this artifact if it's unique within the job