From d152d7a008ba7851f19f61ba5e195a748f5a373f Mon Sep 17 00:00:00 2001 From: Maxwell Koo Date: Thu, 29 Jun 2017 12:22:26 -0400 Subject: [PATCH] Return a list of correlation artifacts when converting a blackboard artifact to capture more attributes --- .../DataContentViewerOtherCases.java | 12 +++----- .../datamodel/EamArtifactUtil.java | 29 +++++++++++-------- .../eventlisteners/CaseEventListener.java | 5 ++-- .../eventlisteners/IngestEventsListener.java | 18 ++++++------ 4 files changed, 33 insertions(+), 31 deletions(-) diff --git a/CentralRepository/src/org/sleuthkit/autopsy/centralrepository/contentviewer/DataContentViewerOtherCases.java b/CentralRepository/src/org/sleuthkit/autopsy/centralrepository/contentviewer/DataContentViewerOtherCases.java index fa2a8ee360..899f6d27be 100644 --- a/CentralRepository/src/org/sleuthkit/autopsy/centralrepository/contentviewer/DataContentViewerOtherCases.java +++ b/CentralRepository/src/org/sleuthkit/autopsy/centralrepository/contentviewer/DataContentViewerOtherCases.java @@ -358,8 +358,7 @@ public class DataContentViewerOtherCases extends javax.swing.JPanel implements D /** * Scan a Node for blackboard artifacts / content that we can correlate on - * and create the corresponding Central Repository artifacts for - * display + * and create the corresponding Central Repository artifacts for display * * @param node The node to view * @@ -380,10 +379,7 @@ public class DataContentViewerOtherCases extends javax.swing.JPanel implements D EamDb dbManager = EamDb.getInstance(); artifactTypes = dbManager.getCorrelationTypes(); if (bbArtifact != null) { - EamArtifact eamArtifact = EamArtifactUtil.fromBlackboardArtifact(bbArtifact, false, artifactTypes, false); - if (eamArtifact != null) { - ret.add(eamArtifact); - } + ret.addAll(EamArtifactUtil.fromBlackboardArtifact(bbArtifact, false, artifactTypes, false)); } } catch (EamDbException ex) { LOGGER.log(Level.SEVERE, "Error retrieving correlation types", ex); // NON-NLS 
@@ -475,8 +471,8 @@ public class DataContentViewerOtherCases extends javax.swing.JPanel implements D * * @param eamArtifact Artifact to use for ArtifactTypeEnum matching * - * @return List of Central Repository Artifact Instances, empty - * list if none found + * @return List of Central Repository Artifact Instances, empty list if none + * found */ public Collection getReferenceInstancesAsArtifactInstances(EamArtifact eamArtifact) { Collection eamArtifactInstances = new ArrayList<>(); diff --git a/CentralRepository/src/org/sleuthkit/autopsy/centralrepository/datamodel/EamArtifactUtil.java b/CentralRepository/src/org/sleuthkit/autopsy/centralrepository/datamodel/EamArtifactUtil.java index 1561df72d2..8e167674c5 100644 --- a/CentralRepository/src/org/sleuthkit/autopsy/centralrepository/datamodel/EamArtifactUtil.java +++ b/CentralRepository/src/org/sleuthkit/autopsy/centralrepository/datamodel/EamArtifactUtil.java @@ -18,6 +18,7 @@ */ package org.sleuthkit.autopsy.centralrepository.datamodel; +import java.util.ArrayList; import java.util.List; import java.util.logging.Level; import org.openide.util.NbBundle.Messages; 
@@ -46,31 +47,32 @@ public class EamArtifactUtil { return Bundle.EamArtifactUtil_emailaddresses_text(); } - /* + /** * Static factory method to examine a BlackboardArtifact to determine if it * has contents that can be used for Correlation. If so, return a * EamArtifact with a single EamArtifactInstance within. If not, return * null. * - * @param bbArtifact BlackboardArtifact to examine @return EamArtifact or - * null + * @param bbArtifact BlackboardArtifact to examine + * @return List of EamArtifacts */ - public static EamArtifact fromBlackboardArtifact(BlackboardArtifact bbArtifact, + public static List fromBlackboardArtifact(BlackboardArtifact bbArtifact, boolean includeInstances, List artifactTypes, boolean checkEnabled) { - EamArtifact eamArtifact = null; + List eamArtifacts = new ArrayList<>(); + for (EamArtifact.Type aType : artifactTypes) { if ((checkEnabled && aType.isEnabled()) || !checkEnabled) { - eamArtifact = getTypeFromBlackboardArtifact(aType, bbArtifact); - } - if (null != eamArtifact) { - break; + EamArtifact eamArtifact = getTypeFromBlackboardArtifact(aType, bbArtifact); + if (eamArtifact != null) { + eamArtifacts.add(eamArtifact); + } } } - if (null != eamArtifact && includeInstances) { + if (!eamArtifacts.isEmpty() && includeInstances) { try { AbstractFile af = Case.getCurrentCase().getSleuthkitCase().getAbstractFileById(bbArtifact.getObjectID()); if (null == af) { @@ -92,14 +94,17 @@ public class EamArtifactUtil { TskData.FileKnown.UNKNOWN, EamArtifactInstance.GlobalStatus.LOCAL ); - eamArtifact.addInstance(eamInstance); + + for (EamArtifact eamArtifact : eamArtifacts) { + eamArtifact.addInstance(eamInstance); + } } catch (TskCoreException ex) { LOGGER.log(Level.SEVERE, "Error creating artifact instance.", ex); // NON-NLS return null; } } - return eamArtifact; + return eamArtifacts; } /** 
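Review bot: The Javadoc above `fromBlackboardArtifact` still promises "a EamArtifact with a single EamArtifactInstance within" or null, which no longer matches the new list return type. I would reword the summary to `Examine a BlackboardArtifact and return one EamArtifact for each correlation type it matches; the list is empty when nothing matches.` and add `@param` lines for `includeInstances`, `artifactTypes` and `checkEnabled`, which are undocumented. The condition `(checkEnabled && aType.isEnabled()) || !checkEnabled` would also read more plainly as `!checkEnabled || aType.isEnabled()`. The method body continues past the end of this hunk.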
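Review bot: The `catch (TskCoreException ex)` branch still ends in `return null;` although the method now returns a list, and the callers changed in this commit use the result without a null check (`ret.addAll(...)` in DataContentViewerOtherCases, the `for (EamArtifact eamArtifact : convertedArtifacts)` loops in CaseEventListener and IngestEventsListener). A failed file lookup would then surface as a NullPointerException in the listeners, which, depending on what the enclosing handlers catch, may abort correlation for the remaining artifacts of that event. Returning an empty list keeps the contract uniform: `return new ArrayList<>();`. The `if (null == af)` branch that closes the previous hunk has its body outside the visible lines and presumably needs the same change.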
diff --git a/CentralRepository/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/CaseEventListener.java b/CentralRepository/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/CaseEventListener.java index bbeee8c722..b69894a436 100644 --- a/CentralRepository/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/CaseEventListener.java +++ b/CentralRepository/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/CaseEventListener.java @@ -20,6 +20,7 @@ package org.sleuthkit.autopsy.centralrepository.eventlisteners; import java.beans.PropertyChangeEvent; import java.beans.PropertyChangeListener; +import java.util.List; import java.util.logging.Level; import java.util.stream.Collectors; import org.openide.util.NbBundle.Messages; @@ -142,8 +143,8 @@ public class CaseEventListener implements PropertyChangeListener { if (dbManager.getBadTags().contains(tagName.getDisplayName())) { try { - EamArtifact eamArtifact = EamArtifactUtil.fromBlackboardArtifact(bbArtifact, true, dbManager.getCorrelationTypes(), true); - if (null != eamArtifact) { + List convertedArtifacts = EamArtifactUtil.fromBlackboardArtifact(bbArtifact, true, dbManager.getCorrelationTypes(), true); + for (EamArtifact eamArtifact : convertedArtifacts) { eamArtifact.getInstances().get(0).setComment(bbTagAdded.getComment()); Runnable r = new BadFileTagRunner(eamArtifact); // TODO: send r into a thread pool instead diff --git a/CentralRepository/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/IngestEventsListener.java b/CentralRepository/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/IngestEventsListener.java index 6f03556d1e..bce503eab7 100644 --- a/CentralRepository/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/IngestEventsListener.java +++ b/CentralRepository/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/IngestEventsListener.java 
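Review bot: `eamArtifact.getInstances().get(0).setComment(bbTagAdded.getComment())` now runs once per converted artifact, yet `fromBlackboardArtifact` adds one and the same `EamArtifactInstance` object to every artifact in the list. Assuming `getInstances()` exposes the stored objects, each iteration rewrites that single instance and every `BadFileTagRunner` ends up sharing it. That is harmless if the runners execute one after another, but the TODO about a thread pool would turn it into shared mutable state across threads. I would either build a separate instance per artifact in `fromBlackboardArtifact` or record the sharing here with `// all converted artifacts share one instance; the comment is set on that shared object`. The enclosing method starts and ends outside this hunk.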
@@ -44,14 +44,15 @@ import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.autopsy.centralrepository.datamodel.EamDb; /** - * Listen for ingest events and update entries in the Central Repository database accordingly + * Listen for ingest events and update entries in the Central Repository + * database accordingly */ public class IngestEventsListener { private static final Logger LOGGER = Logger.getLogger(EamArtifact.class.getName()); final Collection addedCeArtifactTrackerSet = new LinkedHashSet<>(); - + private final PropertyChangeListener pcl1 = new IngestModuleEventListener(); private final PropertyChangeListener pcl2 = new IngestJobEventListener(); @@ -92,9 +93,8 @@ public class IngestEventsListener { try { for (BlackboardArtifact bbArtifact : bbArtifacts) { // eamArtifact will be null OR a EamArtifact containing one EamArtifactInstance. - EamArtifact eamArtifact = EamArtifactUtil.fromBlackboardArtifact(bbArtifact, true, dbManager.getCorrelationTypes(), true); - if (null != eamArtifact) { - + List convertedArtifacts = EamArtifactUtil.fromBlackboardArtifact(bbArtifact, true, dbManager.getCorrelationTypes(), true); + for (EamArtifact eamArtifact : convertedArtifacts) { try { // Only do something with this artifact if it's unique within the job if (addedCeArtifactTrackerSet.add(eamArtifact.toString())) { @@ -105,7 +105,7 @@ public class IngestEventsListener { List caseDisplayNames = dbManager.getListCasesHavingArtifactInstancesKnownBad(eamArtifact); if (!caseDisplayNames.isEmpty()) { postCorrelatedBadArtifactToBlackboard(bbArtifact, - caseDisplayNames); + caseDisplayNames); } eamArtifacts.add(eamArtifact); } @@ -140,7 +140,7 @@ public class IngestEventsListener { // @@@ This isnt' entirely accurate to do here. We could have multiple // ingest jobs at the same time addedCeArtifactTrackerSet.clear(); - + } // DATA_SOURCE_ANALYSIS_COMPLETED break; } 
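Review bot: With several correlation artifacts per blackboard artifact, `postCorrelatedBadArtifactToBlackboard(bbArtifact, caseDisplayNames)` (visible in the following hunk, inside the same inner loop) can now fire once per matching artifact, which would likely put several near-identical interesting-artifact hits on the blackboard for one `bbArtifact`. `addedCeArtifactTrackerSet` dedupes on `eamArtifact.toString()`, not on the blackboard artifact, so it does not prevent this. I would collect the case names across the inner loop and post once after it, or guard with `boolean hitPosted = false;` and `if (!caseDisplayNames.isEmpty() && !hitPosted)`. The comment `// eamArtifact will be null OR a EamArtifact containing one EamArtifactInstance.` is also stale; `// one EamArtifact per matching correlation type; the list may be empty` fits the new code. The loop body continues outside this hunk.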
@@ -153,7 +153,7 @@ public class IngestEventsListener { try { AbstractFile af = bbArtifact.getSleuthkitCase().getAbstractFileById(bbArtifact.getObjectID()); - + String MODULE_NAME = Bundle.IngestEventsListener_ingestmodule_name(); BlackboardArtifact tifArtifact = af.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT); BlackboardAttribute att = new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, MODULE_NAME, @@ -163,7 +163,7 @@ public class IngestEventsListener { tifArtifact.addAttribute(att); tifArtifact.addAttribute(att2); tifArtifact.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT, MODULE_NAME, bbArtifact.getArtifactID())); - + try { // index the artifact for keyword search Blackboard blackboard = Case.getCurrentCase().getServices().getBlackboard();