Fix issues in AptSources artifact and support deb822 format (#2851)

# Linux.Debian.AptSources

The Linux.Debian.AptSources artifact has a number of limitations, all of
which
the changes in this pull request aims to resolve. The new artifact also
provides
parsers that can be imported in other artifacts for inspecting every
single
field in these configuration files.

## Resolved issues

The artifact does not work on current Debian-based systems. One reason
is an
increased usage of the option "signed-by", used to manually specify the
gpg key
file location. The original regex only supports the option "arch" or no
options. The main reason is the that Release files have been replaced
with
InRelease files. The format is similar, just with a gpg key embedded at
the end
of the file. Note that these keys often contain a gpg header "Version:
[…] that
confuses the original VQL.

**Fixes and enhancements**:

- Support for sources files (multi-line [deb822
format](https://manpages.debian.org/bookworm/apt/sources.list.5.en.html#DEB822-STYLE_FORMAT))
- Support options other than "arch" in list files
- Support for any valid usage of whitespace in list files
- Support for comments in (at the end of) list files
- Support for protocols other than http/https in list files
- Support for multiple values in fields/options (arch, lang, targets,
components)
- Parse InRelease files as well as Release files, and prevent the
"Version:
  GnuPG" header line from interfering with the "Version" field
- Group the query results by cache file, preventing duplicate entries
without
  records

After improving the list file parser, I also added a parser for the new
file
format, likely to replace the one-line list file format in the future:
deb822.
This file format allows each entry to have multiple values (deb +
deb-src,
multiple URIs and options), and each file may contain multiple entries
separated by blank lines. GPG keys may be embedded, and the format is
very
lenient on whitespace usage and allowing multi-line values.

The parser should handle any kind of strange, but valid, formatting,
like

```
Key: Value
Key2  : Value
Key3:
# Comment
# Comment
		  Value
```

and so on. Due to limitations in the go regex library (no support for
look-arounds) and the complexity of multi-value fields and options, the
parser
VQL is complex and split in a number of functions.

Columns are dynamic in order to support every known (and future/unknown)
options. This has pros and cons, but it is future-proof. Every known
option
name is normalised to the names referred to in the man page, which are
camel-cased (pascal-cased) and plural.

## Considerations

The main motivation behind improving this artifact was to have a working
apt
sources parser. Since this artifact is part of velociraptor and not the
exchange (velociraptor-docs), I've tried to make the parsers handle
everything
I can throw at it. I am happy to include tests, but before I do that, I
would
like to get some feedback.

I kept the original query, but I also included two others. I feel that a
table
including every parsed field, like all options, is handy. Likewise, a
flattened
version is also very useful to work on in a notebook. This results in
two
rounds of parsing sources files (due to how flatting happens at an early
stage), and the third query parses cache files as well, like before.
This
shouldn't have any noticeable effect on any normal system, but if there
are
ways I can rewrite the VQL do only parse the files once, for both the
combined
and flattened results, that would of course by much nicer. And perhaps
something belongs in notebook suggestions?

I see lots of potential in this artifact, but for starters, I'd like it
to
work and be useful for importing in other artifacts. Working with
inrelease-path and signed-by options in future enhancements may be
useful.

I find it a bit tricky to get an overview of all the supported features
of
artifact YAML, so feel free to point out how I may improve the
documentation,
ways to export functions (without including all "private" helper
functions),
and how to improve the current three–query solution.

---------

Co-authored-by: Mike Cohen <mike@velocidex.com>

.github/workflows/go.yml

@@ -12,7 +12,7 @@ jobs:
     name: Build
     # We used to build on ubuntu-18.04 but that is now deprecated by
     # GitHub. Earlier distributions will have to use the musl build.
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
 
     - name: Check out code into the Go module directory

artifacts/testdata/files/debian/.gitattributes

@@ -0,0 +1 @@
+* text eol=lf

artifacts/testdata/files/debian/au.archive.ubuntu.com_ubuntu_dists_jammy_InRelease

@@ -0,0 +1,32 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+Origin: Ubuntu
+Label: Ubuntu
+Suite: jammy
+Version: 22.04
+Codename: jammy
+Date: Thu, 21 Apr 2022 17:16:08 UTC
+Architectures: amd64 arm64 armhf i386 ppc64el riscv64 s390x
+Components: main restricted universe multiverse
+Description: Ubuntu Jammy 22.04
+MD5Sum:
+ 8f73d18065a4f05ee7362c50553ea4b26ca2b4b3786472676b6b1ee58b4cff72         17832892 universe/source/Sources.xz
+Acquire-By-Hash: yes
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQIcBAEBCgAGBQJiYZF3AAoJEIcZINGZG8k8oMMQAJGLXDzjk/IxqaxUwhgx8F/S
+ultWd3vuBeWK1guBZAl4dbmunNZBbKNYcOGlOmpVF9jBZtVQ0jVWhcuVbTPfkUO/
+sz1fVWn12lzBnETsV5v6Nscz03NgNlojkD8jlEWV7xxPWh9r+CNZ8y5LzwTwlufZ
+e4dm8L5d2nhHDsajX8f7ZRcch4TH7jPN2AwHWtn7yASTzUbrQ/S9shQjP1dQI38Z
+VrKbBzvma9neoTzRalDf+CGGmtykfhdbT0nMGFdHXtUGNZU0QUoSw+0KxWuXwo8O
+nJ5H8bN5w1+Dur8LUn2yPXZcjF7GkeGnIk1FSyleV+UOzGN1f/0T7OpId36spQ9Y
+2w24Fij4xvRHQC+uD6VYSz+YXjB5qD6u00PrzqBHP8wDgJwJPBHbncuwBbpsiJBv
+HQ4mYRLPWz9UCmWXXVOao/nYM+Y++M1FYwhUuptFx9HHJFuR/UILzP4/WFJTMfzs
+UGVcOfyoXqi/cTZJ+Rr/S6jhecpNbUAoA2VG4ZjX1ZSaS3Hupd4t7PdCHoWB7ODT
+AscDVBEidU5kimmZzo6nWNDU8LfhSUrS0inbX0YMcBweaLWpMMtB+Ffu6mvy6Ejn
+P+w15a4DgOg53uxHaq/pzp7IIEfhJGfwyhznN4f86pOX6BHWikGcGHBL62WywHSK
+pxgP/fNHYqIhYWCgUWeM
+=DmDL
+-----END PGP SIGNATURE-----

artifacts/testdata/files/debian/sources.list

@@ -0,0 +1,52 @@
+## EOL upgrade sources.list
+# Required
+deb http://archive.ubuntu.com/ubuntu jammy main restricted universe multiverse
+deb http://archive.ubuntu.com/ubuntu jammy-updates main restricted universe multiverse
+deb http://archive.ubuntu.com/ubuntu jammy-security main restricted universe multiverse
+
+# Optional
+deb http://archive.ubuntu.com/ubuntu jammy-backports main restricted universe multiverse
+
+# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
+# newer versions of the distribution.
+deb http://au.archive.ubuntu.com/ubuntu jammy main restricted
+# deb-src http://au.archive.ubuntu.com/ubuntu groovy main restricted
+
+## Major bug fix updates produced after the final release of the
+## distribution.
+deb http://au.archive.ubuntu.com/ubuntu jammy-updates main restricted
+# deb-src http://au.archive.ubuntu.com/ubuntu groovy-updates main restricted
+
+## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
+## team. Also, please note that software in universe WILL NOT receive any
+## review or updates from the Ubuntu security team.
+deb http://au.archive.ubuntu.com/ubuntu jammy universe
+# deb-src http://au.archive.ubuntu.com/ubuntu groovy universe
+deb http://au.archive.ubuntu.com/ubuntu jammy-updates universe
+# deb-src http://au.archive.ubuntu.com/ubuntu groovy-updates universe
+
+## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
+## team, and may not be under a free licence. Please satisfy yourself as to
+## your rights to use the software. Also, please note that software in
+## multiverse WILL NOT receive any review or updates from the Ubuntu
+## security team.
+deb http://au.archive.ubuntu.com/ubuntu jammy multiverse
+# deb-src http://au.archive.ubuntu.com/ubuntu groovy multiverse
+deb http://au.archive.ubuntu.com/ubuntu jammy-updates multiverse
+# deb-src http://au.archive.ubuntu.com/ubuntu groovy-updates multiverse
+
+## N.B. software from this repository may not have been tested as
+## extensively as that contained in the main release, although it includes
+## newer versions of some applications which may provide useful features.
+## Also, please note that software in backports WILL NOT receive any review
+## or updates from the Ubuntu security team.
+deb http://au.archive.ubuntu.com/ubuntu jammy-backports main restricted universe multiverse
+# deb-src http://au.archive.ubuntu.com/ubuntu groovy-backports main restricted universe multiverse
+
+
+deb http://au.archive.ubuntu.com/ubuntu jammy-security main restricted
+# deb-src http://au.archive.ubuntu.com/ubuntu groovy-security main restricted
+deb http://au.archive.ubuntu.com/ubuntu jammy-security universe
+# deb-src http://au.archive.ubuntu.com/ubuntu groovy-security universe
+deb http://au.archive.ubuntu.com/ubuntu jammy-security multiverse
+# deb-src http://au.archive.ubuntu.com/ubuntu groovy-security multiverse

artifacts/testdata/files/debian/status

@@ -0,0 +1,138 @@
+Package: adduser
+Status: install ok installed
+Priority: important
+Section: admin
+Installed-Size: 608
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+Architecture: all
+Multi-Arch: foreign
+Version: 3.118ubuntu5
+Depends: passwd, debconf (>= 0.5) | debconf-2.0
+Suggests: liblocale-gettext-perl, perl, ecryptfs-utils (>= 67-1)
+Conffiles:
+ /etc/deluser.conf 773fb95e98a27947de4a95abb3d3f2a2
+Description: add and remove users and groups
+ This package includes the 'adduser' and 'deluser' commands for creating
+ and removing users.
+ .
+  - 'adduser' creates new users and groups and adds existing users to
+    existing groups;
+  - 'deluser' removes users and groups and removes users from a given
+    group.
+ .
+ Adding users with 'adduser' is much easier than adding them manually.
+ Adduser will choose appropriate UID and GID values, create a home
+ directory, copy skeletal user configuration, and automate setting
+ initial values for the user's password, real name and so on.
+ .
+ Deluser can back up and remove users' home directories
+ and mail spool or all the files they own on the system.
+ .
+ A custom script can be executed after each of the commands.
+Original-Maintainer: Debian Adduser Developers <adduser@packages.debian.org>
+
+Package: adwaita-icon-theme
+Status: install ok installed
+Priority: optional
+Section: gnome
+Installed-Size: 5234
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+Architecture: all
+Multi-Arch: foreign
+Version: 41.0-1ubuntu1
+Replaces: adwaita-icon-theme-full (<< 41.0-1ubuntu1), gnome-themes-standard-data (<< 3.18.0-2~)
+Depends: hicolor-icon-theme, gtk-update-icon-cache, ubuntu-mono | adwaita-icon-theme-full
+Recommends: librsvg2-common
+Breaks: adwaita-icon-theme-full (<< 41.0-1ubuntu1), gnome-themes-standard-data (<< 3.18.0-2~)
+Description: default icon theme of GNOME (small subset)
+ This package contains the default icon theme used by the GNOME desktop.
+ The icons are used in many of the official gnome applications like eog,
+ evince, system monitor, and many more.
+ .
+ This package only contains a small subset of the original GNOME icons which
+ are not provided by the Humanity icon theme, to avoid installing many
+ duplicated icons. Please install adwaita-icon-theme-full if you want the full
+ set.
+Original-Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
+
+Package: adwaita-icon-theme-full
+Status: install ok installed
+Priority: optional
+Section: gnome
+Installed-Size: 21330
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+Architecture: all
+Multi-Arch: foreign
+Source: adwaita-icon-theme
+Version: 41.0-1ubuntu1
+Replaces: adwaita-icon-theme (<< 41.0-1ubuntu1), gnome-themes-standard-data (<< 3.18.0-2~)
+Provides: gnome-icon-theme-symbolic
+Depends: adwaita-icon-theme (= 41.0-1ubuntu1), gtk-update-icon-cache
+Recommends: librsvg2-common
+Breaks: adwaita-icon-theme (<< 41.0-1ubuntu1), gnome-themes-standard-data (<< 3.18.0-2~)
+Description: default icon theme of GNOME
+ This package contains the default icon theme used by the GNOME desktop.
+ The icons are used in many of the official GNOME applications like eog,
+ Evince, system monitor, and many more.
+Original-Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
+
+Package: alsa-topology-conf
+Status: install ok installed
+Priority: optional
+Section: libs
+Installed-Size: 420
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+Architecture: all
+Multi-Arch: foreign
+Version: 1.2.5.1-2
+Replaces: libasound2-data (<< 1.2.1)
+Breaks: libasound2-data (<< 1.2.1)
+Enhances: libasound2-data
+Description: ALSA topology configuration files
+ This package contains ALSA topology configuration files that can be used
+ by libasound2 for specific audio hardware.
+ .
+ ALSA is the Advanced Linux Sound Architecture.
+Original-Maintainer: Debian ALSA Maintainers <pkg-alsa-devel@lists.alioth.debian.org>
+Homepage: https://www.alsa-project.org/
+
+Package: alsa-ucm-conf
+Status: install ok installed
+Priority: optional
+Section: libs
+Installed-Size: 560
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+Architecture: all
+Multi-Arch: foreign
+Version: 1.2.6.3-1ubuntu1.7
+Depends: libasound2 (>= 1.2.4)
+Description: ALSA Use Case Manager configuration files
+ This package contains ALSA Use Case Manager configuration of audio
+ input/output names and routing for specific audio hardware. They can be
+ used with the alsaucm tool.
+ .
+ ALSA is the Advanced Linux Sound Architecture.
+Homepage: https://www.alsa-project.org/
+Original-Maintainer: Debian ALSA Maintainers <pkg-alsa-devel@lists.alioth.debian.org>
+
+Package: amd64-microcode
+Status: install ok installed
+Priority: standard
+Section: non-free/admin
+Installed-Size: 82
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+Architecture: amd64
+Version: 3.20191218.1ubuntu2.1
+Recommends: initramfs-tools (>= 0.113~) | dracut (>= 044) | tiny-initramfs
+Breaks: intel-microcode (<< 2)
+Conffiles:
+ /etc/default/amd64-microcode eaa8a5fa3fb59af4f0f55e851a6e9b20
+ /etc/modprobe.d/amd64-microcode-blacklist.conf 71327241f6583b34944e638a955aba91
+Description: Processor microcode firmware for AMD CPUs
+ This package contains microcode patches for all AMD AMD64
+ processors.  AMD releases microcode patches to correct
+ processor behavior as documented in the respective processor
+ revision guides.
+ .
+ For Intel processors, please refer to the intel-microcode package.
+Original-Maintainer: Henrique de Moraes Holschuh <hmh@debian.org>

artifacts/testdata/server/testcases/debian.in.yaml

@@ -0,0 +1,32 @@
+Queries:
+ - SELECT OSPath.Basename AS OSPath, *
+   FROM Artifact.Linux.Debian.AptSources(
+      source="Sources",
+      linuxAptSourcesGlobs=[dict(ListGlobs=srcDir + "/artifacts/testdata/files/debian/sources.list")],
+      aptCacheDirectory=srcDir + "/artifacts/testdata/files/debian/"
+   )
+
+ - SELECT OSPath.Basename AS OSPath, *
+   FROM Artifact.Linux.Debian.AptSources(
+      source="SourcesFlattened",
+      linuxAptSourcesGlobs=[dict(ListGlobs=srcDir + "/artifacts/testdata/files/debian/sources.list")],
+      aptCacheDirectory=srcDir + "/artifacts/testdata/files/debian/"
+   )
+
+ - SELECT OSPath.Basename as OSPath,
+      NULL AS Mtime,
+      NULL AS Ctime,
+      NULL AS Atime,
+      NULL AS Source, *
+
+   FROM Artifact.Linux.Debian.AptSources(
+      source="SourcesCacheFiles",
+      linuxAptSourcesGlobs=[dict(ListGlobs=srcDir + "/artifacts/testdata/files/debian/sources.list")],
+      aptCacheDirectory=srcDir + "/artifacts/testdata/files/debian/"
+   )
+   WHERE Record
+
+
+ - SELECT *
+   FROM Artifact.Linux.Debian.Packages(
+      linuxDpkgStatus=srcDir + "/artifacts/testdata/files/debian/status")