Bugfix/yml alias not found all data output#227 (#241)

* removed no use alias #227

* changed case of object type  return none #227

- serde json value is object type when alias key dont exist in detected record.

* adjust serde_number_to_string function return value change #227

* adjust yml rule to change of aliaskey_alias.txt #227

* merged same regex as static

* create new struct to reduce same output in rule and keyword warn message #227

* changed output position

* removed regression warnings #227

* removed output wanring

* Fixed a possible panic when None. #227

* added parse_message test #227

* added get_serde_number_to_string tests #227

* removed unnecessary test data part in get_serde_numuber_to_string test #227

src/detections/utils.rs

@@ -94,11 +94,14 @@ pub fn get_event_id_key() -> String {
 }
 
 /// serde:Valueの型を確認し、文字列を返します。
-pub fn get_serde_number_to_string(value: &serde_json::Value) -> String {
+pub fn get_serde_number_to_string(value: &serde_json::Value) -> Option<String> {
     if value.is_string() {
-        return value.as_str().unwrap_or("").to_string();
+        return Option::Some(value.as_str().unwrap_or("").to_string());
+    } else if value.is_object() {
+        // Object type is not specified record value.
+        return Option::None;
     } else {
-        return value.to_string();
+        return Option::Some(value.to_string());
     }
 }
 
@@ -163,6 +166,7 @@ pub fn create_tokio_runtime() -> Runtime {
 mod tests {
     use crate::detections::utils;
     use regex::Regex;
+    use serde_json::Value;
 
     #[test]
     fn test_check_regex() {
@@ -191,4 +195,62 @@ mod tests {
         let commandline = "\"C:\\Program Files\\Google\\Update\\GoogleUpdate2.exe\"";
         assert!(false == utils::check_allowlist(commandline, &allowlist));
     }
+
+    #[test]
+    /// Serde::Valueの数値型の値を文字列として返却することを確かめるテスト
+    fn test_get_serde_number_to_string() {
+        let json_str = r##"
+        {
+            "Event": {
+                "System": {
+                    "EventID": 11111
+                }
+            }
+        }
+        "##;
+        let event_record: Value = serde_json::from_str(json_str).unwrap();
+
+        assert_eq!(
+            utils::get_serde_number_to_string(&event_record["Event"]["System"]["EventID"]).unwrap(),
+            "11111".to_owned()
+        );
+    }
+
+    #[test]
+    /// Serde::Valueの文字列型の値を文字列として返却することを確かめるテスト
+    fn test_get_serde_number_serde_string_to_string() {
+        let json_str = r##"
+        {
+            "Event": {
+                "EventData": {
+                    "ComputerName": "HayabusaComputer1"
+                }
+            }
+        }
+        "##;
+        let event_record: Value = serde_json::from_str(json_str).unwrap();
+
+        assert_eq!(
+            utils::get_serde_number_to_string(&event_record["Event"]["EventData"]["ComputerName"])
+                .unwrap(),
+            "HayabusaComputer1".to_owned()
+        );
+    }
+
+    #[test]
+    /// Serde::Valueのオブジェクト型の内容を誤って渡した際にNoneを返却することを確かめるテスト
+    fn test_get_serde_number_serde_object_ret_none() {
+        let json_str = r##"
+        {
+            "Event": {
+                "EventData": {
+                    "ComputerName": "HayabusaComputer1"
+                }
+            }
+        }
+        "##;
+        let event_record: Value = serde_json::from_str(json_str).unwrap();
+
+        assert!(utils::get_serde_number_to_string(&event_record["Event"]["EventData"]).is_none());
+    }
 }