Add JSON struct tags #39
Conversation
|
|
||
| // Any non-standard fields will end up in here | ||
| AdditionalFields map[string]interface{} `yaml:",inline"` | ||
| AdditionalFields map[string]interface{} `yaml:",inline,omitempty" json:",inline,omitempty"` |
There was a problem hiding this comment.
Unfortunately I don't think the "inline" keyword works for json (in the yaml package used here it outputs the values at the same level of nesting as the other struct fields)
What's the use case for json output? YAML output makes sense here so that you can programmatically edit rules and then marshal them out to valid Sigma rules again
There was a problem hiding this comment.
Velociraptor emits all results in Json and we want to include the rule itself as part of the hit. Without the Json tags we get all the empty fields which just take up space.
There was a problem hiding this comment.
Though I do wonder if you'd get better results converting YAML to JSON yourself e.g. like this https://github.com/ghodss/yaml/blob/d8423dcdf3440d0a5baffc6f90a11e4128545620/yaml.go#L104
That way you'd get support for things like inline
Anyway, doesn't hurt to have these tags so I'll merge
|
|
||
| // Any non-standard fields will end up in here | ||
| AdditionalFields map[string]interface{} `yaml:",inline"` | ||
| AdditionalFields map[string]interface{} `yaml:",inline,omitempty" json:",inline,omitempty"` |
There was a problem hiding this comment.
Though I do wonder if you'd get better results converting YAML to JSON yourself e.g. like this https://github.com/ghodss/yaml/blob/d8423dcdf3440d0a5baffc6f90a11e4128545620/yaml.go#L104
That way you'd get support for things like inline
Anyway, doesn't hurt to have these tags so I'll merge
No description provided.