
Releases: MISP/misp-stix

misp-stix v2.4.177 - Opinion, Sightings & STIX 2 pattern handling fixed

21 Jun 08:41
25afa19

v2.4.177 (2023-09-22)

Changes

  • [package] New version bump
  • [poetry] Updated dependencies & bumped lock file

Fix

  • [stix2 import] Variable name typo
  • [stix2 import] Removing the LIKE comparison operator from the list of forbidden pattern operators
  • [stix2 import] STIX 2 Patterns parser cleanup
  • [stix2 import] Custom opinion objects parsing method typo
  • Comment typo
  • [stix2 import] Custom opinion objects parsing method typo
  • Comment typo
  • [stix2 export] Avoiding issues with Opinion & Sighting objects having references to custom objects

Wip

  • [stix2 import] Finished supporting the last multiple values in patterns
  • [stix2 import] Handling more 'multiple' pattern values after IN comparison operator
  • [stix2 import] Pattern values after an IN comparison operator should always be tuples
  • [stix2 import] Supporting multiple IP values in pattern with an IN comparison operator
  • [stix2 import] Improved more types of patterns by checking whether the values are in a list or tuple
  • [stix2 import] Better pattern values parsing
  • [stix2 import] Better pattern comparison operator parsing
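The v2.4.177 entries above concern how a STIX 2 pattern is split into comparison operator and value(s): the values following an IN operator must always come back as a tuple (so that one MISP attribute can be created per member), a scalar follows any other operator, and LIKE has to be accepted rather than rejected as a forbidden operator. The parser below is an added example written for this page, not misp-stix's own pattern handling (which builds on the stix2-patterns grammar); its token grammar, the operator set and the sample patterns are assumptions made here to show the behaviour on a realistic input.

```python
import re
from typing import Any, List, NamedTuple, Tuple

# Comparison operators a STIX 2 comparison expression may use. LIKE (and MATCHES)
# are legitimate STIX 2.1 operators and must not sit on a "forbidden" list.
ALLOWED_OPERATORS = {
    '=', '!=', '<', '<=', '>', '>=',
    'IN', 'LIKE', 'MATCHES', 'ISSUBSET', 'ISSUPERSET',
}


class Comparison(NamedTuple):
    object_type: str   # e.g. 'ipv4-addr'
    path: str          # e.g. 'value' or "hashes.'SHA-256'"
    operator: str      # normalised, e.g. 'IN' or 'NOT IN'
    value: Any         # a scalar for most operators, always a tuple after IN


# Token grammar assumed for this example: quoted literal, number, object path,
# operator keyword or punctuation. Whitespace is skipped by the tokenizer.
_TOKEN = re.compile(r"""
      (?P<lit>'(?:[^'\\]|\\.)*')
    | (?P<num>-?\d+(?:\.\d+)?)
    | (?P<path>[a-z0-9-]+:[A-Za-z0-9_.'\-\[\]*]+)
    | (?P<op>NOT\s+(?:IN|LIKE|MATCHES)|>=|<=|!=|=|>|<
            |IN|LIKE|MATCHES|ISSUBSET|ISSUPERSET|AND|OR|FOLLOWEDBY)
    | (?P<punct>[\[\](),])
""", re.X)


def tokenize(pattern: str) -> List[Tuple[str, str]]:
    tokens, pos = [], 0
    while pos < len(pattern):
        if pattern[pos].isspace():
            pos += 1
            continue
        match = _TOKEN.match(pattern, pos)
        if match is None:
            raise ValueError(f'unexpected input at offset {pos}: {pattern[pos:pos + 20]!r}')
        tokens.append((match.lastgroup, match.group(match.lastgroup)))
        pos = match.end()
    return tokens


class _Parser:
    def __init__(self, tokens: List[Tuple[str, str]]):
        self.tokens, self.pos = tokens, 0

    def peek(self) -> Tuple[Any, Any]:
        return self.tokens[self.pos] if self.pos < len(self.tokens) else (None, None)

    def take(self, kind: str, text: str = None) -> str:
        got_kind, got_text = self.peek()
        if got_kind != kind or (text is not None and got_text != text):
            raise ValueError(f'expected {text or kind}, got {got_text!r}')
        self.pos += 1
        return got_text

    def scalar(self) -> Any:
        kind, text = self.peek()
        if kind == 'lit':
            self.pos += 1
            return text[1:-1].replace("\\'", "'").replace('\\\\', '\\')
        if kind == 'num':
            self.pos += 1
            return float(text) if '.' in text else int(text)
        raise ValueError(f'expected a literal, got {text!r}')

    def comparison(self) -> Comparison:
        object_type, path = self.take('path').split(':', 1)
        operator = ' '.join(self.take('op').split())      # 'NOT   IN' -> 'NOT IN'
        if operator.replace('NOT ', '') not in ALLOWED_OPERATORS:
            raise ValueError(f'unsupported comparison operator {operator!r}')
        if operator.endswith('IN'):
            # Set membership: the value is a parenthesised list and comes back as a tuple
            self.take('punct', '(')
            values = [self.scalar()]
            while self.peek() == ('punct', ','):
                self.pos += 1
                values.append(self.scalar())
            self.take('punct', ')')
            return Comparison(object_type, path, operator, tuple(values))
        return Comparison(object_type, path, operator, self.scalar())

    def observation(self) -> List[Comparison]:
        self.take('punct', '[')
        comparisons = [self.comparison()]
        while self.peek()[1] in ('AND', 'OR'):
            self.pos += 1
            comparisons.append(self.comparison())
        self.take('punct', ']')
        return comparisons

    def pattern(self) -> List[List[Comparison]]:
        observations = [self.observation()]
        while self.peek()[1] in ('AND', 'OR', 'FOLLOWEDBY'):
            self.pos += 1
            observations.append(self.observation())
        if self.peek()[0] is not None:
            raise ValueError(f'trailing input: {self.peek()[1]!r}')
        return observations


def parse_pattern(pattern: str) -> List[List[Comparison]]:
    """Return one list of comparisons per observation expression (boolean structure flattened)."""
    return _Parser(tokenize(pattern)).pattern()


def is_valid_pattern(pattern: str) -> bool:
    try:
        parse_pattern(pattern)
    except ValueError:
        return False
    return True


def attribute_values(comparison: Comparison) -> Tuple[Any, ...]:
    """One MISP attribute value per member: a tuple from IN is expanded, a scalar stands alone."""
    value = comparison.value
    return value if isinstance(value, tuple) else (value,)


if __name__ == '__main__':
    # Constructed sample pattern, not taken from a real feed
    sample = ("[ipv4-addr:value IN ('198.51.100.7', '203.0.113.9') AND network-traffic:dst_port = 443]"
              " OR [file:name LIKE '%.exe']")
    for observation in parse_pattern(sample):
        for comparison in observation:
            print(comparison.object_type, comparison.path, comparison.operator, attribute_values(comparison))
```

Feeding it `[ipv4-addr:value IN '198.51.100.7']` (no parenthesised list) or an operator outside the allowed set raises a ValueError instead of silently producing a single attribute, which is the failure mode the "values after an IN comparison operator should always be tuples" fix addresses.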

misp-stix v2.4.176 released with a few fixes and changes on the relationships handling

15 Sep 09:11
7de99b1

v2.4.176 (2023-09-14)

Changes

  • [poetry] Bumped lock file with latest dependencies version. [Christian Studer]

  • [package] Bumped new version. [Christian Studer]

  • [stix2 import] Changed the relationships content storing. [Christian Studer]

    • We do not need a dictionary with keys defining
      which value is the referenced uuid or the
      relationship type, as a tuple with the 2 sorted
      values does the job
    • It also allows us to use a set to store the
      references, to avoid storing the same
      relationship to the same target multiple times
    • Both previous points will help handling the
      opposite relationships
  • [stix2 import] More accurate relationship type between a sample and the malware it is the sample of. [Christian Studer]

  • [poetry] Bumped latest pymisp version. [Christian Studer]

Fix

  • [tests] Quick fix on embedded galaxies in attributes tests, as the opposite references handling creates uncertainty in relationships order. [Christian Studer]

  • [stix2 import] Handling opposite relationships. [Christian Studer]

    • This is useful for instance when an Indicator
      is imported to MISP as an Attribute, and has a
      relationship with another SDO imported as a MISP
      Object, in which case the relationship used to
      be lost because for now, an attribute does not
      support references in MISP.
      Now we use the opposite reference to keep the
      link between the converted MISP Object and
      Attribute
  • [stix2 import] Added missing relationship parsing. [Christian Studer]

    • References between MISP objects and attributes or
      objects were handled only when the Galaxies are
      parsed in their MISP standard format. They
      were missing when Galaxies are imported as tag
      names, which shouldn't change object references
  • [stix2 import] Reusing code, which also removed a typo. [Christian Studer]

  • [stix2 import] Added missing continue to avoid additional handling for observable objects already handled. [Christian Studer]

  • [stix2 export] Remove attack pattern ID from name attribute. [Tomas Lima]
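Two of the v2.4.176 entries describe one design: relationships are stored per carrying object as a set of 2-tuples (so that a relationship repeated in the bundle is recorded once), and when the source SDO was converted to a MISP Attribute, which cannot hold references, the link is kept by storing the opposite relationship on the MISP Object side. The function below is an added illustration of that approach written for this page, not misp-stix's own code; the tuple order (relationship type first), the OPPOSITE mapping with its 'related-to' fallback, and the sample bundle fragment are assumptions made here.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# (relationship_type, referenced STIX id). A fixed order is assumed in this example;
# the point is that a tuple in a set deduplicates without a keyed dictionary.
Reference = Tuple[str, str]

# Relationship types reversed when the link has to be stored on the target side.
# Constructed for this example; 'related-to' is the generic fallback.
OPPOSITE = {
    'indicates': 'indicated-by',
    'uses': 'used-by',
    'targets': 'targeted-by',
}


def collect_references(relationships: Iterable[dict],
                       converted_as: Dict[str, str]) -> Tuple[Dict[str, Set[Reference]], List[dict]]:
    """Group STIX relationships by the MISP Object that will carry them.

    converted_as maps a STIX id to 'object' or 'attribute', the MISP construct the
    SDO was turned into. Returns the references per carrying object plus the
    relationships that cannot be kept because neither side became a MISP Object.
    """
    references: Dict[str, Set[Reference]] = defaultdict(set)
    dropped: List[dict] = []
    for rel in relationships:
        source, target = rel['source_ref'], rel['target_ref']
        rtype = rel['relationship_type']
        if converted_as.get(source) == 'object':
            # Normal case: the MISP Object references its target directly. The set
            # makes a relationship repeated in the bundle harmless.
            references[source].add((rtype, target))
        elif converted_as.get(target) == 'object':
            # The source became an Attribute, which cannot hold references in MISP:
            # keep the link by storing the opposite relationship on the Object side.
            references[target].add((OPPOSITE.get(rtype, 'related-to'), source))
        else:
            dropped.append(rel)
    return dict(references), dropped


def ordered_references(references: Dict[str, Set[Reference]]) -> Dict[str, List[Reference]]:
    """Sorted view, so that two runs over the same bundle emit references in the same order."""
    return {carrier: sorted(refs) for carrier, refs in references.items()}


# Constructed sample: a STIX 2.1 bundle fragment reduced to the fields read above.
SAMPLE_RELATIONSHIPS = [
    {'relationship_type': 'indicates', 'source_ref': 'indicator--1111', 'target_ref': 'malware--2222'},
    {'relationship_type': 'indicates', 'source_ref': 'indicator--1111', 'target_ref': 'malware--2222'},  # duplicate
    {'relationship_type': 'uses', 'source_ref': 'malware--2222', 'target_ref': 'attack-pattern--3333'},
    {'relationship_type': 'related-to', 'source_ref': 'indicator--1111', 'target_ref': 'indicator--4444'},
]
SAMPLE_CONVERTED_AS = {
    'indicator--1111': 'attribute',      # single-value pattern -> MISP Attribute
    'indicator--4444': 'attribute',
    'malware--2222': 'object',           # -> MISP Object
    'attack-pattern--3333': 'object',
}


if __name__ == '__main__':
    refs, dropped = collect_references(SAMPLE_RELATIONSHIPS, SAMPLE_CONVERTED_AS)
    for carrier, links in ordered_references(refs).items():
        for relationship_type, referenced in links:
            print(f'{carrier} --{relationship_type}--> {referenced}')
    print('not representable:', len(dropped))
```

In pymisp terms, each `(relationship_type, referenced)` pair from the carrier's set becomes one `MISPObject.add_reference(referenced_uuid, relationship_type)` call on the converted object; sorting the set first is what removes the ordering uncertainty the tests entry above mentions.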

Other

  • Add: [poetry] Added stix-edh dependency for STIX 1 Markings. [Christian Studer]

  • Merge branch 'dev' of github.com:MISP/misp-stix. [Christian Studer]

  • Merge branch 'parser_feature' of github.com:MISP/misp-stix into dev. [Christian Studer]

  • Merge branch 'main' of github.com:MISP/misp-stix into dev. [Christian Studer]

  • Merge branch 'dev' of github.com:MISP/misp-stix. [Christian Studer]

  • Merge branch 'parser_feature' of github.com:MISP/misp-stix into dev. [Christian Studer]

  • Merge branch 'main' of github.com:misp/misp-stix into parser_feature. [Christian Studer]

  • Wip: [stix2 import] Handling standalone Observable objects. [Christian Studer]

    • We started changing the Observable objects converters
      in order to start parsing those which are standalone
      and not referenced by SDOs
    • A lot more Observable object types to be added
  • Merge branch 'main' of github.com:misp/misp-stix into parser_feature. [Christian Studer]

  • Merge branch 'main' of github.com:MISP/misp-stix into dev. [Christian Studer]

  • Merge pull request #38 from SYNchroACK/fix/attack-pattern-name. [Alexandre Dulaunoy]

    Remove attack pattern ID from name attribute

Full Changelog: v2.4.175...v2.4.176

misp-stix v2.4.175 released with a major update on the STIX to MISP feature, including STIX 2.1 Malware objects parsing enhancement, and the support of STIX 2.1 Malware Analysis objects

25 Aug 09:09
6771e5c

WiP: Moving the conversion ability

This release begins an extended work-in-progress phase in which the STIX 2 to MISP conversion capability is moved into dedicated classes outside the 'main' parsing feature, to make the code base more readable and debugging easier.

Once the conversion capability has been moved, the main parsing classes will only handle loading, parsing and result handling. Nothing changes in the way users call the available classes, helpers and command-line feature, since this is purely an internal restructuring of the code.

With this release, the conversion of Attack Pattern, Malware and Malware Analysis objects to MISP has already been ported.
Some code and mapping duplication may remain for now; a proper clean-up will be performed once the entire conversion capability has been moved.

Unreleased but included in the latest PyPI version:

Changes

  • [poetry] Bumped latest pymisp version. [Christian Studer]

v2.4.175 (2023-08-24)

Changes

  • [poetry] Updated lock file. [Christian Studer]

  • [poetry] Updated lock file. [Christian Studer]

  • [package] Set new version. [Christian Studer]

  • [init] Clearer classes & methods import as well as noqa added to imports. [Christian Studer]

  • [poetry] Bumped latest lock file. [Christian Studer]

  • [package] Bumped version (& pymisp). [Christian Studer]

Fix

  • [workflow] Testing both internal & external STIX content to import to MISP. [Christian Studer]

  • [tests] Fixed test samples for external Malware objects converted as Galaxies. [Christian Studer]

  • [stix2 import] Some clean-up - Removed unused stuff & Added missing stuff. [Christian Studer]

  • [stix2 import] Fixed failing message. [Christian Studer]

  • [stix2 import] Some pycodestyle clean-up. [Christian Studer]

  • [stix2 import] A few typing and unused methods fixed. [Christian Studer]

  • [stix2 import] Fixed debugging messages handling in the command-line feature. [Christian Studer]

  • [stix2 import] Removed unused UUID extraction method & made the method to populate object attributes common to all converters. [Christian Studer]

  • [stix2 import] Fixed reverse malware handling depending on the is_family flag. [Christian Studer]

  • [stix2 import] Added the missing object attributes populating method. [Christian Studer]

  • [stix2 import] Removed the UUID handling methods in the parsers directory to keep using the original ones from importparser, as a MISP event also needs some of those methods. [Christian Studer]

  • [tests] Fixed STIX 2.0 test method names. [Christian Studer]

  • [stix2 export] Some more pycodestyle to make the mapping cleaner. [Christian Studer]

  • [stix2 import] Some quick pycodestyle to make the mapping cleaner. [Christian Studer]

  • [stix2 import] Fixed debugging messages handling in the command-line feature. [Christian Studer]

Other

  • Merge branch 'dev' of github.com:MISP/misp-stix. [Christian Studer]

  • Merge branch 'parser_feature' of github.com:MISP/misp-stix into dev. [Christian Studer]

  • Merge branch 'main' of github.com:misp/misp-stix into parser_feature. [Christian Studer]

  • Merge branch 'dev' of github.com:misp/misp-stix into parser_feature. [Christian Studer]

  • Wip: [stix2 import] Properly handling Observable. [Christian Studer]

    • We moved the InternalSTIX2toMISPParser back to
      its previous state regarding observable objects
      handling because we do not generate standalone
      observable objects with the MISP to STIX feature
    • We fixed some bad observable handling in the
      External parser to avoid issues with the used
      flag which was not handled correctly in some
      cases
  • Merge branch 'main' of github.com:MISP/misp-stix into dev. [Christian Studer]

  • Merge branch 'dev' of github.com:MISP/misp-stix. [Christian Studer]

  • Merge branch 'parser_feature' of github.com:MISP/misp-stix into dev. [Christian Studer]

  • Fix: [stix2 import] Avoiding issues with missing time import. [Christian Studer]

  • Merge branch 'parser_feature' of github.com:MISP/misp-stix into dev. [Christian Studer]

  • Merge branch 'parser_feature' of github.com:MISP/misp-stix into dev. [Christian Studer]

  • Wip: [stix2 import] Better Observable objects handling. [Christian Studer]

    • Objects referenced by malware & malware-analysis
      SDOs are now handled with no duplication issue
  • Wip: [stix2 import] Better parsing for some malware-analysis reference fields. [Christian Studer]

  • Wip: [stix2 import] Storing observable objects differently. [Christian Studer]

    • Preparing for their parsing as standalone
      objects or with multiple references from
      different SDOs to the same Observable
  • Fix: [stix2 import] Fixed Malware conversion as MISP Object. [Christian Studer]

    • In the case where we do not need to return the converted
      MISP objects, we should not yield the objects,
      as an iterator needs to be consumed, which we
      do only when we convert the Malware as a Galaxy
      Cluster too and add it to the appropriate
      attributes of the MISP object
  • Merge branch 'main' of github.com:misp/misp-stix into parser_feature. [Christian Studer]

  • Wip: [stix2 import] Handling the Malware Analysis objects in the main parsing classes. [Christian Studer]

  • Wip: [stix2 import] Parsing & Converting STIX 2.1 Malware Analysis objects. [Christian Studer]

    • We need to add the parsing mechanisms in the
      main parsers
    • Some more love is required to handle some of the
      fields referenced by the malware analysis object
  • Merge branch 'main' of github.com:misp/misp-stix into parser_feature. [Christian Studer]

  • Wip: [stix2 import] Parsing specific cases where a STIX 2 Malware object is converted as both an object and a galaxy. [Christian Studer]

    • We're adding the galaxy to the attributes with
      an ids flag in all the MISP objects that are
      generated from the conversion of the Malware
      object - there are sometimes software, file or
      artifact objects too coming from the different
      references the Malware object has
  • Wip: [stix2 import] Added missing galaxy as tag names parsing methods & properly handling the galaxy conversion case. [Christian Studer]

  • Wip: [stix2 import] Added pluggable Observable objects conversion class to handle observable objects referenced by malware objects. [Christian Studer]

  • Wip: [stix2 import] Calling the already existing converters. [Christian Studer]

    • We keep the parsing methods in the parser scripts
      as they are for now, in order to avoid breaking
      the whole parsing mechanism for the other STIX
      objects whose conversion methods are not
      implemented in the conversion directory yet
  • Wip: [stix2 import] Properly converting STIX 2.1 Malware objects. [Christian Studer]

  • Wip: [stix2 import] Clarified class names, script names, and improved malware objects parsing. [Christian Studer]

  • Wip: [stix2 import] Converting script objects from STIX 2 Malware objects. [Christian Studer]

  • Fix: [stix2 import] Fixed Malware galaxies meta fields parsing. [Christian Studer]

  • Wip: [stix2 import] Porting the conversion capacity with the mappings into the parsers sub-directory. [Christian Studer]

  • Wip: [stix2 import] Externalising conversion capacity to specific parsers. [Christian Studer]

    • Starting with Attack Pattern & Malware (WiP) objects

Full Changelog: v2.4.174...v2.4.175

misp-stix v2.4.174

25 Aug 09:04
a12d40a

v2.4.174 (2023-07-31)

Changes

  • [poetry] Bumped lock file. [Christian Studer]

  • [stix import] Simplified data path. [Christian Studer]

  • [tests] Updated tests for sightings import. [Christian Studer]

    • Also changed some samples to have a different order
      with Identity objects in order to test properly
      our recent changes on loading and converting the
      sightings, whose purpose was to avoid issues
      with the STIX objects order
  • [stix2 import] Updated the External STIX 2 Identity objects mapping to MISP organization objects following recent updates on that template. [Christian Studer]

  • [readme] Updated MISP collections to STIX 1 export example. [Christian Studer]

  • [readme] Updated usage documentation following recent changes on the command-line feature and some helper methods. [Christian Studer]

  • [poetry] Bumped latest dependencies. [Christian Studer]

Fix

  • [stix2 import] Differentiating between internal and external stix content regarding the external references handling. [Christian Studer]

  • [tests] Fixed tests for vulnerability cluster import following recent changes on the meta fields. [Christian Studer]

  • [stix2 import] Fixed vulnerability cluster meta fields parsing. [Christian Studer]

  • [tests] Fixed the vulnerability clusters meta tests according to the latest changes on the external id (cve) field parsing. [Christian Studer]

  • [stix2 export] Fixed vulnerability clusters meta fields parsing. [Christian Studer]

  • [stix2 export] Fixed malware_types fields & added missing method for threat_actor_types parsing. [Christian Studer]

  • [stix2 import] Added missing annotation object metadata parsing. [Christian Studer]

  • [tests] Removed some results writing in files which were used at some point for debugging purposes and forgotten in the code vastness. [Christian Studer]

  • [stix2 import] Shorter observable types extraction while still including the recent fix to avoid issues with observables that are of dict type. [Christian Studer]

  • [stix1 export] Fixed backward compatibility with old object templates. [Christian Studer]

  • [stix2 export] Fixed backward compatibility with old object templates. [Christian Studer]

  • [stix import] Sanitised the import variables declaration to avoid issue with wrong value format. [Christian Studer]

  • [command-line] Fixed results message. [Christian Studer]

  • Observable type access for dict type. [Sura De Silva]

  • [stix2 import] Typo within the Opinion objects loading method. [Christian Studer]

  • [stix2 import] Better handling of MISP Sightings import. [Christian Studer]

    • Storing Sighting & Opinion objects instead
      of converting them to MISP Sightings while
      loading them, because in some cases we need the
      information of the related org, which is not
      always already loaded when we need its info
    • We convert the STIX objects to Sightings at the
      end while we loop over the different references
  • [stix2 import] Better Identity object's identity class field handling. [Christian Studer]

  • [stix2 import] Using the Galaxy Cluster adding method to add a cluster instead of appending it to the list of clusters. [Christian Studer]

Other

  • Merge branch 'main' of github.com:MISP/misp-stix. [Christian Studer]

  • Merge branch 'dev' of github.com:misp/misp-stix. [Christian Studer]

  • Merge pull request #45 from SYNchroACK/fix/wrong-import. [Christian Studer]

    Fix wrong stix observables import

  • Fix wrong stix observables import. [Tomas Lima]

  • Merge branch 'dev' of github.com:MISP/misp-stix. [Christian Studer]

  • Merge branch 'main' of github.com:MISP/misp-stix into dev. [Christian Studer]

  • Wip: [stix2 import] Updated the import conversion of internal STIX 2.x Identity objects to better support recent changes on the organization template. [Christian Studer]

  • Merge branch 'main' of github.com:MISP/misp-stix. [Christian Studer]

  • Merge pull request #46 from dragsu/fix-observable-access-dict-type. [Christian Studer]

    fix: type access for dict type Observables

  • Merge branch 'main' of github.com:MISP/misp-stix. [Christian Studer]

  • Merge branch 'dev' of github.com:MISP/misp-stix. [Christian Studer]

  • Merge branch 'main' of github.com:MISP/misp-stix. [Christian Studer]

  • Merge branch 'main' of github.com:MISP/misp-stix. [Christian Studer]

  • Merge branch 'dev' of github.com:MISP/misp-stix. [Christian Studer]

  • Add: [stix2 import] Importing Identity objects with identity_class set to organization as organization object. [Christian Studer]

  • Merge branch 'main' of github.com:MISP/misp-stix into dev. [Christian Studer]

  • Merge branch 'dev' of github.com:MISP/misp-stix. [Christian Studer]

  • Merge branch 'dev' of github.com:MISP/misp-stix. [Christian Studer]

  • Merge branch 'main' of github.com:MISP/misp-stix into dev. [Christian Studer]

  • Merge branch 'dev' of github.com:MISP/misp-stix. [Christian Studer]

  • Merge branch 'dev' of github.com:MISP/misp-stix. [Christian Studer]

  • Add: [stix2 import] Adding relations between galaxy clusters. [Christian Studer]

  • Merge branch 'main' of github.com:MISP/misp-stix into dev. [Christian Studer]

  • Merge branch 'dev' of github.com:MISP/misp-stix. [Christian Studer]

Full Changelog: v2.4.172...v2.4.174

misp-stix v2.4.172 released with major updates on the command line feature & the helpers used to handle collections of data, as well as some improvement on the Galaxies or distribution value

12 Jun 14:19

v2.4.172 (2023-06-09)

Changes

  • [poetry] Updated dependencies. [Christian Studer]

  • [package] Bumped version. [Christian Studer]

  • [misp_stix_converter] Changes on the command line feature. [Christian Studer]

    • Cleaner separation between the 2 main features,
      export & import, as well as cleaner arguments
      in general
    • Better handling of the messages returned by the
      helper methods that are called by the command
      line feature
  • [tests] Updated STIX 1 export sample result files. [Christian Studer]

  • [tests] Added new tests and changes on the collections export as STIX 2. [Christian Studer]

  • [stix2 import] Added the debug argument to the stix_2_to_misp helper. [Christian Studer]

    • We return the error and warning messages only
      when the debug flag is set
  • [stix2 import] Added more result details and arguments to the stix_2_to_misp helper that converts a STIX file to MISP format. [Christian Studer]

    • We added all the arguments needed in both the
      declaration of the STIX 2 to MISP parser and the
      stix bundle parsing call
    • We have a more detailed return message that
      gives not only a success message, but also the
      errors and warnings
  • [stix1 export] We don't instantiate the MISP to STIX 1 Mappings anymore and use the classmethods directly. [Christian Studer]

  • [stix1 export] Turned the MISP to STIX 1 Mapping properties into classmethods and made it usable in an uninstantiated way. [Christian Studer]

  • [stix2 export] Using the uninstantiated MISP to STIX 2 mappings classmethods. [Christian Studer]

  • [stix2 export] Converted STIX 2 Mappings methods into classmethods. [Christian Studer]

  • [stix2 import] Improved the internal STIX 2 to MISP mapping. [Christian Studer]

    • The InternalSTIX2toMISPMapping class is no
      longer instantiated
    • We're using the different classmethod helpers
    • The mapping is then a bit cleaner than before
  • [stix2 import] Internal STIX 2 to MISP mapping improved. [Christian Studer]

    • Changes on the pattern & observable objects
      mapping names
    • Reusing mappings that are contained in other ones
  • [stix2 import] Changed mapping to not be forced to instantiate them. [Christian Studer]

  • [stix export & import] Made the parent parser classes abstract. [Christian Studer]

    • As the child classes should be called anyway
  • [poetry] Changed pymisp dependency back to the pypi version. [Christian Studer]

  • [misp-galaxy] Bumped latest version. [Christian Studer]

  • [package] Latest version aligned with MISP. [Christian Studer]

  • [poetry] Updated dependencies. [Christian Studer]

  • [misp-galaxy] Bumped latest version. [Christian Studer]

  • [stix2 import] Changed the Marking Definition loading process. [Christian Studer]

Fix

  • [import] Added missing import. [iglocska]

  • [tests] Removed unused imports. [Christian Studer]

  • [tests] Fixed STIX 1 export result samples. [Christian Studer]

  • [misp_stix_converter] Fixed helpers import - using the method names recently changed. [Christian Studer]

  • [stix export] Fixed arguments to give from the command line feature to the STIX export helpers. [Christian Studer]

  • [stix2 export] Fixed footer for collections export as STIX 2. [Christian Studer]

  • [tests] Updated tests for STIX 1 export helpers. [Christian Studer]

  • [stix1 export] Fixed Package header writing for methods used to replicate the MISP pagination - used with collections export helpers. [Christian Studer]

  • [stix1 export] Reusing methods from the framing to generate packages (& handling namespaces). [Christian Studer]

  • [stix1 export] Handling cases when there is no STIX header. [Christian Studer]

    • In this specific case, the STIX package in XML
      format is a single xml tag with the included
      / closing character... so we remove it
    • ( JSON >>>>> XML definitely :) )
  • [stix1 export] Added option to generate a Package with no header. [Christian Studer]

  • [stix1 export] Fixed the creation process of the STIX package used to serve as container for related packages. [Christian Studer]

  • [stix export] Made STIX framing methods more modular. [Christian Studer]

  • [stix2 export] Returning the result files in a traceback message as list. [Christian Studer]

  • [stix2 export] Fixed some statements in the MISP collections export to STIX 2 helper. [Christian Studer]

    • Including fixes on:
      • the single file handling (regarding the single
        file name)
      • the default directory for collections export
        results
      • the input files argument of the function
  • [stix1 export] Fixed arguments passed to the MISP collections export to STIX 1. [Christian Studer]

  • [stix1 export] Added a use case to support the use of the events collection export even with a single file. [Christian Studer]

  • [stix1 export] Fixed name for the result STIX 1 event collections export & added a missing traceback. [Christian Studer]

  • [stix1 export] Making sure we avoid exceptions with the fails catching on traceback messages. [Christian Studer]

  • [stix2 import] Better handling of the single_event variable inside of the STIX 2 to MISP parser. [Christian Studer]

  • [stix2 import] Fixed external STIX 2 email-message observable & pattern mapping. [Christian Studer]

  • [stix2 import] Added missing campaign type in the list of STIX object types to look for. [Christian Studer]

  • [stix2 import] Fixed the observable registry key values parsing in case of a single key imported as regkey|value attribute. [Christian Studer]

  • [stix2 import] Catching parsing issues that appear while the STIX file is loaded. [Christian Studer]

  • [stix export] Galaxies mapping are now also using the uninstantiated mapping classmethods. [Christian Studer]

  • [tests] Using the uninstantiated mapping classes with their classmethods. [Christian Studer]

  • [stix2 import] Fixed the from_misp test that defines whether a STIX file has been generated with the MISP to STIX conversion feature or not. [Christian Studer]

  • [stix2 import] Fixed the email or IP address observable objects from internal STIX content parsing. [Christian Studer]

    • Could fail previously with some content generated
      from a previous version of the MISP to STIX
      conversion feature
  • [stix2 import] Fixed marking definition parsing, as we store the tag and not the marking definition object. [Christian Studer]

  • [tests] Fixed tests to avoid issues with STIX 2 to MISP mappings, following the recent changes on them. [Christian Studer]

  • [stix2 import] Revert change to fix the pattern assertion operator check. [Christian Studer]

    • Revert of a part of the code that was staged for
      a previous commit while it should not have been
    • For now the pattern assertion check will remain
      as is even though there is an ongoing work to
      improve it.
  • [stix2 import] Fixed missing variable name change. [Christian Studer]

  • [stix2 import] Using non instantiated external STIX 2 to MISP mapping. [Christian Studer]

    • Same changes as for the internal mapping
  • [stix2 import] Removed unused variables & mapping fields. [Christian Studer]

  • [stix2 import] Properly transformed the external STIX 2 to MISP mapping methods into classmethods. [Christian Studer]

    • Followed the model used in the internal mapping
      to have pattern mappings that are waiting for a
      field to return the associated value in the
      mapping, or observable object mappings that we
      loop on in order to check each field
  • [stix2 import] Removed unused mapping method. [Christian Studer]

  • [stix2 import] Removed unused imports. [Christian Studer]

  • [stix2 import] Fixed some mapping dictionary names. [Christian Studer]

  • [stix2 export] Fixed fail on copy pasting the generic galaxy mapping update for STIX 2.0. [Christian Studer]

  • [stix2 export] Parsing stix2-pattern objects. [Christian Studer]

    • As they were missing in the export mapping, they
      were exported as custom objects, but we simply
      have to take the pattern and export it as is,
      like we do for sigma or yara patterns for
      instance in STIX 2.1
    • In this case, it applies to both STIX 2.0 & 2.1
  • [stix2 export] Made the created & modified fields in custom galaxy objects optional. [Christian Studer]

  • [stix2 export] Using the property for identity_id instead of the 'private' variable. [Christian Studer]

  • [stix2 export] Same as the previous commit, for standalone attributes from feeds. [Christian Studer]

  • [stix2 export] Fixed the orgc parsing for attributes collections. [Christian Studer]

    • The created_by_ref values were missing on all
      objects because the statement used to wait for
      a value where the recent changes made the
      related method return nothing anymore
  • [stix2 export] Better Orgc & info handling for instance when they are empty. [Christian Studer]

  • [stix2 export] Avoiding issues with unset timestamp value in MISP Event. [Christian Studer]

  • [stix2 export] Checking Orgc fields before trying to generate the Identity object which will be used as created_by_ref object reference. [Christian Studer]

  • [stix2 import, tests] Fixed the galaxy & cluster version. [Christian Studer]

    • Forgot that strip works only at the beginning
      and the end of the string............
  • [tests] Removed unused import. [Christian Studer]

  • [stix2 import] To avoid any possible issue in MISP with float version, we just made the generic Galaxies & Clusters version int. [Christian Studer]

  • [tests] Fixed Galaxies & Clusters tests following all the recent changes on generic conversion from STIX 2.0 & 2.1. [Christian Studer]

  • [stix2 import] Fixed the galaxy creation method for external STIX content to avoid issues with region and country galaxies. [Christian Stud...


v2.4.170

12 Jun 14:14

v2.4.170 (2023-04-13)

Changes

  • [misp_stix_converter] Added quick comments & made the _from_misp utility available to import from the library. [Christian Studer]

  • [misp_stix_converter] Moved the command line feature to misp_stix_converter.py to avoid all the related utility functions being exposed when importing the python library. [Christian Studer]

  • [stix2 import] Using the from_dict method as much as possible to populate the different MISP Object or Event fields. [Christian Studer]

    • It introduces some changes on the format of the
      datetime fields which are now properly defined
      as datetime with the right format and the
      timezone info
  • [stix2 import] Extracted the object case handling to make it callable. [Christian Studer]

  • [stix2 import] Better STIX objects as Galaxy import handling. [Christian Studer]

    • Instead of testing if we have to import the
      tag names or the full Galaxy object each time
      we parse a single STIX object, we set a variable
      from the beginning to redirect to the related
      parsing function

Fix

  • [stix2 export] Export the source of a sighting as x_misp_source as defined in the Custom STIX 2.0 object. [Christian Studer]

  • [stix2 import] Fixed Galaxy parsing as tag names variable typo. [Christian Studer]

  • [misp_stix_converter] Removed unused import. [Christian Studer]

  • [misp_stix_converter] Better output names handling. [Christian Studer]

  • [misp_stix_converter] Some clean-up. [Christian Studer]

  • [stix2 import] Added the missing entrypoint-address attribute. [Christian Studer]

  • [stix2 import] Making sure we won't have MISP objects rejected for having the same UUID. [Christian Studer]

    • pe & pe-section objects are converted from
      the same observable object or pattern as the
      file object that contains them.
      If we create the different MISP objects the same
      way we do for the file, they will all have the
      same UUID and MISP will reject them
  • [tests] Updated tests to handle the recent changes on the datetime values format. [Christian Studer]

  • [tests] Fixed tests for internal file with pe & sections objects following recent changes on the related parsing functions. [Christian Studer]

  • [stix2 import] Fixed _add_misp_attribute function called names. [Christian Studer]

  • [stix2 import] Updated the process object attributes used to force the MISP content being an object to align with the requiredOneOf field of the template. [Christian Studer]

  • [stix2 import] Fixed STIX 2 Observable objects to MISP mapping for Domain Name with Network Traffic objects. [Christian Studer]

  • [stix2 import] Fixed wrong object attribute mapping. [Christian Studer]

    • The PID attribute is not part of the Registry Key
      object mapping but Process
  • [stix2 import] Cleaner unknown pattern mapping warning handling. [Christian Studer]

  • [stix2 import] Quick clean-up on the error & warning messages handling. [Christian Studer]

  • [stix2 import] Quick clean-up. [Christian Studer]

  • [stix2 import] Fixed the x509 import from pattern parsing. [Christian Studer]

  • [stix2 import] Fixed the Identity object parsing. [Christian Studer]

  • [tests] Added the missing sector galaxy checking function. [Christian Studer]

  • [stix2 import] Fixed the internal STIX 2 objects conversion as MISP Galaxy. [Christian Studer]

    • We have to check whether the description field
      does contain the | as separation character,
      because it is not the case for internal
      Identity objects with the identity_class
      field set to 'class' imported as sector galaxy
  • [tests] Fixed the galaxies export tests to avoid issues with potential missing description & meta fields within the cluster definition. [Christian Studer]

  • [stix2 export] Fixed the sector galaxy parsing to avoid issues with the description field within the galaxy cluster definition. [Christian Studer]

  • [stix2 export] Making the sector galaxy export available for both STIX 2.0 & 2.1. [Christian Studer]

Other

  • Merge branch 'dev' of github.com:MISP/misp-stix. [Christian Studer]

  • Merge branch 'main' of github.com:MISP/misp-stix into dev. [Christian Studer]

  • Merge branch 'dev' of github.com:MISP/misp-stix. [Christian Studer]

  • Merge branch 'dev' of github.com:MISP/misp-stix. [Christian Studer]

  • Merge branch 'dev' of github.com:MISP/misp-stix. [Christian Studer]

  • Merge branch 'main' of github.com:MISP/misp-stix into dev. [Christian Studer]

  • Merge branch 'dev' of github.com:MISP/misp-stix. [Christian Studer]

  • Merge branch 'dev' of github.com:MISP/misp-stix. [Christian Studer]

  • Merge branch 'dev' of github.com:MISP/misp-stix. [Christian Studer]

  • Wip: [stix2 import] Better File and its pe extensions parsing from patterns. [Christian Studer]

  • Wip: [stix2 import] Simplified the patterns mapping. [Christian Studer]

  • Wip: [stix2 import] Importing directory objects from stix patterns. [Christian Studer]

  • Wip: [stix2 import] Network socket parsing improved. [Christian Studer]

  • Wip: [stix2 import] Parsing PE optional headers. [Christian Studer]

    • Currently only the entry point address is supported
  • Wip: [stix2 import] Using from_dict to update MISPObjects instead of update. [Christian Studer]

  • Wip: [stix2 import] Improved the Network Traffic pattern parsing. [Christian Studer]

  • Wip: [stix2 import] Replaced more dict update by dict merge. [Christian Studer]

  • Wip: [stix2 import] Better and more generic Attributes & Objects add handling. [Christian Studer]

    • The confidence and object_marking_refs STIX
      fields are properly handled in one place and
      added as single Attribute or each object
      Attribute tags
  • Wip: [stix2 import] Better attributes dictionaries creation. [Christian Studer]

  • Wip: [stix2 import] Added ip-src & ip-dst attribute definition to be reused in different places. [Christian Studer]

  • Wip: [stix2 import] Importing Software objects with the software object template. [Christian Studer]

  • Wip: [stix2 import] Importing user-account objects from STIX 2 User Account objects. [Christian Studer]

  • Merge branch 'main' of github.com:MISP/misp-stix into dev. [Christian Studer]

  • Merge branch 'dev' of github.com:MISP/misp-stix. [Christian Studer]

  • Wip: [stix2 import] Converting Mutex patterns into mutex objects. [Christian Studer]

  • Wip: [stix2 import] Handling the exceptions with non existing protocols. [Christian Studer]

  • Wip: [stix2 import] Converting network-traffic pattern values into network-connection objects. [Christian Studer]

    • Need to handle the src & dst refs
  • Wip: [stix2 import] Converting pattern with autonomous-system values as asn object. [Christian Studer]

  • Merge branch 'main' of github.com:MISP/misp-stix into dev. [Christian Studer]

  • Merge branch 'dev' of github.com:MISP/misp-stix. [Christian Studer]

  • Wip: [stix2 import] Better import case handling. [Christian Studer]

  • Merge branch 'main' of github.com:MISP/misp-stix into dev. [Christian Studer]

  • Merge branch 'dev' of github.com:MISP/misp-stix. [Christian Studer]

  • Merge branch 'main' of github.com:MISP/misp-stix. [Christian Studer]

  • Wip: [documentation] Auto-generated documentation for sector galaxies export. [Christian Studer]

  • Wip: [stix2 import] Importing sector Galaxies from external Identity objects with identity_class field set to 'class'. [Christian Studer]

  • Wip: [tests] Tests for STIX 2 Identity objects conversion as sector galaxies. [Christian Studer]

  • Wip: [stix2 import] STIX 2 Identity objects conversion as sector Galaxy import. [Christian Studer]

  • Add: [tests] Tests for sector galaxies export to STIX 2.0 & 2.1. [Christian Studer]

  • Merge branch 'main' of github.com:MISP/misp-stix into dev. [Christian Studer]

  • Merge pull request #36 from SYNchroACK/new/sectors-galaxy. [Christian Studer]

    Handle sectors galaxy

  • Add: [stix2 export] Handle sectors galaxy. [Tomas Lima]

What's Changed

Full Changelog: v2.4.169...v2.4.170

misp-stix v2.4.169 released with major improvement on the STIX 2.0 & 2.1 Observable objects parsing

14 Mar 18:47
df0c451

Overview

  • Introducing the first version of a more generic way of parsing Observable objects from different sources.
    • as the maintenance and extension of the Observable objects conversion to MISP mapping is a continuous task, some content might be missed in the conversion. Feel free to report any issue using the github issues system.
  • Merged pull requests:
  • Work in Progress to be released soon: STIX 2.0 & 2.1 patterning expressions parsing

Detailed changelog

Changes

  • [poetry] Bumped latest dependencies versions. [Christian Studer]

  • [package] Updated poetry & pymisp requirement. [Christian Studer]

    • In order to better support git dependencies, we
      updated poetry because it is required in order
      to use git dependencies.
    • With the change on poetry we can then use the
      git dependency for pymisp - for now
  • [package] Bumped version. [Christian Studer]

  • [submodules] Bumped latest versions. [Christian Studer]

  • [documentation] Regenerated the documentation. [Christian Studer]

  • [stix2 export] A quick reuse of an existing SDO creation function. [Christian Studer]

  • [documentation] Regenerated the MISP -> STIX documentation with the recent mapping updates. [Christian Studer]

  • [documentation] Updated mapping documentation following some recent changes. [Christian Studer]

  • [github] Enabling github actions on dev branch. [Christian Studer]

  • [poetry, package] Updated python & the library versions. [Christian Studer]

  • [github, python] Removing support for 3.7 and added 3.11. [Christian Studer]

Fix

  • [stix2 import] Fixed missing imports removed by mistake. [Christian Studer]

  • [stix2 import] Some cleanup. [Christian Studer]

    • Better readability when possible
    • Fixed typing
    • Simplified some parts using getattr instead of
      hasattr when possible
  • [stix2 import] Fixed duplicate property that was causing issues with the parent class property. [Christian Studer]

  • [tests] Fixed the remaining latest datetime/timestamp values that were possibly missing. [Christian Studer]

    • Testing datetime values - i.e. from the
      datetime python library - instead of str
  • [stix2 import] Fixed Marking definition objects handling. [Christian Studer]

    • There are still some Marking definitions we don't
      parse yet - the ones with no definition_type
      value - and we now properly handle the exception
      that appears when we try to look at the ones that
      are not loaded
  • [stix2 import] Fixed wrong variable name. [Christian Studer]

  • [stix2 import] Removed unused variable. [Christian Studer]

  • [documentation] Fixed datetime/timestamp values in the mapping documentation. [Christian Studer]

  • [tests] Fixed unittests on datetime/timestamp fields/values. [Christian Studer]

  • [tests] Made sure all the datetime/timestamp fields/values are properly set in test samples. [Christian Studer]

  • [stix2 export] Properly exporting datetime/timestamp fields/values. [Christian Studer]

  • [tests] Made some datetime values UTC. [Christian Studer]

  • [stix2 export] Fix naive timestamp. [Tomas Lima]

  • [tests] Fixed relationships tests to match the recent changes on the default relationship types. [Christian Studer]

  • [stix2 export] Typo. [Christian Studer]

  • [stix2 export] Fixed default relationships used between SDOs. [Christian Studer]

    • The relationship_specs mapping dictionary now
      only contains default relationships that are
      unique between 2 SDOs; if there are at least 2
      possible default relationships between 2 SDOs,
      we do not know which one to choose
    • In that case, or in the case there is no
      default relationship known between 2 SDOs, we
      use the related-to common relationship instead
      of has
    • As a result, this should fix #33
  • [stix2 export] Variable name typo. [Christian Studer]

  • [tests] Fixed tests for country galaxies export as STIX 2.1 Location objects. [Christian Studer]

  • [stix2 export] Better country galaxy clusters parsing. [Christian Studer]

    • We use the description (capitalised) to define
      the Location name field of the country, and
      the value (lower case) as a description, which
      should fix #34
  • [stix2 import] Avoiding warnings about empty object attribute values while converting Observable objects to MISP. [Christian Studer]

  • [stix2 import] Fixed the unix extension parsing from User Account patterns. [Christian Studer]

  • [stix2 import] Fixed recently renamed unix extension mapping. [Christian Studer]

  • [stix2 import] Trying to fix a python 3.7 syntax issue for the remaining time it is still supported. [Christian Studer]

    • 3.8 and above don't complain with the
      *(generator) statement
  • [stix2 import] Fixed the email object parsing. [Christian Studer]

  • [tests] Fixed tests for the datetime attribute in STIX 2.0 File objects imported as lnk MISP objects. [Christian Studer]

  • [tests] Fixed tests for STIX 2.0 File objects imported as lnk objects. [Christian Studer]

  • [tests] Made the datetime fields in the File object - to be imported as lnk object - acceptable for STIX 2. [Christian Studer]

  • [tests] Fixed the internal STIX 2.0 test samples for lnk object import. [Christian Studer]

  • [stix2 import] Fixed wrongly set self variable. [Christian Studer]

  • [stix2 import] Better separation of exceptions during observable objects parsing. [Christian Studer]

  • [stix2 import] Some clean-up. [Christian Studer]

    • Including:
      • a wrong function name fixed
      • a better naming for some SDOs parsing
      • some unused methods removed
  • [stix2 import] Fixed imports. [Christian Studer]

  • [stix2 import] A very quick fix on observable mapping error message. [Christian Studer]

  • [stix2 import] Fixed imports. [Christian Studer]

  • [stix2 import] Fixed the Email Address observable object parsing. [Christian Studer]

  • [stix2 import] Avoiding issue while parsing IP addresses patterns with empty list of attributes mapped. [Christian Studer]

  • [stix2 import] Reusing the object_marking_refs fields parsing in a function. [Christian Studer]

  • [stix2 import] Fixed the Location object parsing. [Christian Studer]

  • [stix2 import] Correctly handling issues with observable object mapping. [Christian Studer]

  • [stix2 import] Fixed the Location object parsing. [Christian Studer]

  • [stix2 import] Fixed the pattern & observable types extraction. [Christian Studer]

  • [stix2 import] Fixed the MarkingDefinition objects parsing function. [Christian Studer]

  • [stix2 import] Made the MISP Attributes dict creation more generic and including the object_marking_ref field parsing. [Christian Studer]

  • [stix2 import] Avoiding issues with Marking-Definition objects with no definition_type field. [Christian Studer]

  • [stix2 import] Avoiding issues with Report or Grouping object that has no name field. [Christian Studer]

Other

  • Wip: [stix2 import] Parsing Network Traffic objects. [Christian Studer]

  • Wip: [stix2 import] Simplified the email observable objects parsing. [Christian Studer]

  • Wip: [stix2 import] Parsing Observed Data with domain & ip observable objects. [Christian Studer]

  • Wip: [stix2 import] Importing Software observable objects with the software object template. [Christian Studer]

  • Merge pull request #35 from SYNchroACK/fix/naive-timestamp. [Christian Studer]

    Fix naive timestamp

  • Wip: [stix2 import] Converting WindowsRegistryKey objects as registry-key & registry-key-value objects or regkey attributes. [Christian Studer]

  • Wip: [stix2 import] Parsing User Account Observable objects. [Christian Studer]

  • Wip: [stix2 import] Parsing X509 Certificate Observable objects. [Christian Studer]

    • Reusing some stuff that is similar to the x509
      pattern parsing
  • Wip: [stix2 import] Parsing Process observable objects. [Christian Studer]

  • Wip: [stix2 import] Made the Observable objects parsing more generic. [Christian Studer]

    • Reducing the amount of variables by putting all
      the observable objects in one single dictionary.
      Instead of using multiple dictionaries for
      different object types, we use one and added
      generic selection methods instead
  • Wip: [stix2 import] Updated the File & Directory observable objects parsing to better support the references between objects. [Christian Studer]

  • Revert "fix: [stix2 import] Trying to fix a python 3.7 syntax issue for the remaining time it is still supported" [Christian Studer]

    This reverts commit 556c433.

  • Wip: [stix2 import] Converting Directory observable objects as the recently added directory object template. [Christian Studer]

    • Also fixed the observable objects mapping to
      MISP for lnk objects import
  • Wip: [stix2 import] Simplifying the Observable objects conversion with fewer function calls. [Christian Studer]

  • Wip: [stix2 import] Properly handling filtering on multiple observable object types. [Christian Studer]

  • Wip: [stix2 import] Yield-ing observable objects instead of returning them in a list. [Christian Studer]

  • Wip: [stix2 import] Importing EmailMessage Observable objects. [Christian Studer]

  • Wip: [stix2 import] Importing File Observable objects in the case of a single field value imported as MISP Attribute. [Christian Studer]

  • Wip: [stix2 import] Better "attribute or object" determination for File observable objects, searching for the extensions field. [Christian Studer]

  • Wip: [stix2 import] Importing MISP file objects from File Observable objects. [Christian Studer]

    • Also includes the modification of some parsing
      ...

misp-stix 2.4.168 released with major improvements including STIX 2 import

16 Feb 10:55

misp-stix 2.4.168 released with major improvements including STIX 2 import

Changes

  • [stix2 import] Reintroduced the ability to import MISP Galaxies as tag_names [Christian Studer]

    • Using most of the features that were removed
      with 43a3a8a & 3b178eb, with improvements
    • Using a parameter to define whether the related
      STIX objects should be imported as tag_names.
      They are parsed as MISP Galaxy objects otherwise
    • The reason to import tag names only is to have
      at least some information validated by MISP
      using the tag names, which in fact are the galaxy
      cluster names, since MISP is not able for now to
      handle all the different cases for new Galaxy
      Clusters: is it a new cluster or an update to
      an existing one?
      We'll be able to give MISP the Galaxies and
      Clusters in standard MISP JSON format when it is
      able to fully handle it
  • [misp-stix] Updated some aspects of the command line script. [Christian Studer]

    • Some parameters are required now
    • Introducing the import & export difference (it
      is still export only for now since we will
      add the required content in the import function)
  • [package] Bumped version. [Christian Studer]

  • [submodules] Bumped latest submodule versions. [Christian Studer]

  • [poetry] Bumped latest lock file. [Christian Studer]

  • [stix2 import] Differentiating galaxies parsing between external and internal STIX 2 content. [Christian Studer]

  • [stix2 import] Removed some additional data structure layer on the loaded STIX objects. [Christian Studer]

  • [stix2 export] Added a meta dictionary field to the Custom Galaxy object. [Christian Studer]

    • We can now export the meta field from a custom
      cluster, as it is, in the related field within
      the custom STIX object
  • [tests] Updated tests for STIX 2 objects imported as MISP Galaxies. [Christian Studer]

  • [tests] Updated the samples of STIX 2 objects that are converted as MISP galaxies. [Christian Studer]

    • Added some fields to extend the tests
    • Removed the irrelevant kill_chain_phases fields
  • [stix2 import] Properly parsing the different galaxy & cluster fields. [Christian Studer]

  • [tests] MISP galaxy types are now documented from the mapping itself. [Christian Studer]

  • [stix2 export] Making the mapping classes reachable. [Christian Studer]

    • And in that case for example also the galaxy types
  • [tests] Updated tests for internal STIX 2 import to prepare the apparition of tests for external STIX 2 import. [Christian Studer]

  • [stix2 export] Enhanced the MISP Galaxies to STIX 2 conversion. [Christian Studer]

    • More meta fields are now supported
    • The STIX 2 external_references field now
      supports the url refs in addition to the
      external IDs which were already supported
  • [stix2 export] Extended the MISP Galaxies to STIX 2 mapping. [Christian Studer]

  • [documentation] Regenerated documentation with the recent changes on mappings. [Christian Studer]

  • [documentation] Updated mapping documentation. [Christian Studer]

  • [documentation] Regenerated documentation with the recent changes on mappings. [Christian Studer]

  • [documentation] Updated mapping documentation. [Christian Studer]

  • [stix2 export] Added missing person object to the mapping of MISP objects export as STIX 2.0 & 2.1. [Christian Studer]

    • This object template was supposed to be supported
      for a while...
    • It is then now not exported as custom object as
      it was before

Fix

  • [misp-galaxy] Bumped latest version. [Christian Studer]

  • [stix2 import] Fixed wrong _create_cluster_args parameters in some cases. [Christian Studer]

  • [stix2 import] Fixed the tests for region galaxies import from STIX 2.1 Location objects. [Christian Studer]

  • [stix2 import] Fixed the region Galaxy Cluster value conversion. [Christian Studer]

    • In MISP, the region galaxy cluster values use
      the actual UN M49 names with the area codes. The
      codes were not supported before in the STIX 2 to
      MISP conversion
  • [stix2 import] Fixed issues with meta fields in clusters. [Christian Studer]

    • We were not able to know whether a meta field
      initially contained a - or an _ since we
      have to use underscore for STIX 2 fields in any
      case. We now have a list of meta fields which
      should have a - to avoid the related issues
  • [stix2 import] Fixed the meta fields parsing to avoid issues with some undefined (and unnecessary) meta fields mappings. [Christian Studer]

  • [stix2 import] Fixed the accuracy-radius object attribute mapping. [Christian Studer]

  • [stix2 import] Added missing STIX 2 to MISP mapping. [Christian Studer]

  • [stix2 export] Using the STIX objects adding function instead of dealing with the private variable. [Christian Studer]

  • [stix2 import] STIX 2 import mapping classes renames for more clarity. [Christian Studer]

  • [tests] Fixed the tags test to go with the recent changes on some galaxy test samples. [Christian Studer]

  • [tests] Added specific testing methods for clusters meta fields. [Christian Studer]

  • [tests] Fixed tests for MISP galaxies export as STIX 2, following the recent updates and improvements on their parsing. [Christian Studer]

  • [stix2 export] Fixed the kill_chain parsing in clusters meta fields. [Christian Studer]

  • [stix2 export] Fixed one of the missing attack-pattern object creation that was missed and still using the previous creation function. [Christian Studer]

  • [stix2 export] Removed no longer necessary argument of some STIX 2 object creation function. [Christian Studer]

    • Which also made unnecessary some of those
      functions being no longer specific to galaxies
  • [stix2 import] Avoiding Custom Objects converted as Attributes to be modified while they are parsed. [Christian Studer]

  • [stix2 import] Removed unused Galaxies parsing case. [Christian Studer]

  • [stix2 import] Some pycodestyle clean-up. [Christian Studer]

  • [stix2 export] Tiny improvement to avoid unused variable in the case of STIX 2.1 export with no Event report. [Christian Studer]

    • And a few long lines cleaned up
  • [stix2 import] Making sure we cover all the cases while checking if an attribute UUID is valid. [Christian Studer]

    • This fixes the object attributes handling in the
      case of MISP objects exported as Custom STIX
      objects, with invalid UUIDs which were not
      correctly handled when we convert the content
      back to MISP format
  • [stix2 import] Better invalid UUIDs parsing for Custom STIX objects converted as MISP objects. [Christian Studer]

  • [tests] Fixed tests for STIX 2.0 registry-key objects import. [Christian Studer]

  • [stix2 import] Fixed some loading definitions. [Christian Studer]

  • [stix2 import] Fixed variable that should not be self. [Christian Studer]

  • [tests] Simply avoiding issues with the custom galaxies not exported in STIX 1 (for now at least). [Christian Studer]

  • [tests] Added tests to make sure custom galaxies are correctly exported when embedded in attributes or object attributes. [Christian Studer]

  • [stix2 export] Added the missing custom galaxies handler for attributes galaxies. [Christian Studer]

  • [stix2 export] Reverted some try/catch bypass used for debugging purposes. [Christian Studer]

  • [stix2 export] Clarification on some incomplete MISP Galaxies typing. [Christian Studer]

  • [stix2 export] Quick fix & improvement on the custom galaxies export. [Christian Studer]

  • [stix2 export] Simply a quick clean-up. [Christian Studer]

  • [stix2 export] Fixing the EventReport references handling. [Christian Studer]

    • When there is no actual reference to a MISP
      attribute, object or galaxy in the Event report,
      the object_refs field is empty, which is not
      allowed, so we add a reference to the report or
      grouping to avoid raising an exception
  • [tests] Fixed tests for registry-key objects export as STIX 2.0 following the recent mapping change on the last-modified attribute. [Christian Studer]

  • [stix2 export] Removed unused import. [Christian Studer]

  • [stix2 export] Fixed the registry-key object mapping regarding the last-modified attribute export as STIX 2.0. [Christian Studer]

  • [stix2 import] Avoiding issues with identifiers in compiled patterns. [Christian Studer]

    • When [*] is part of a pattern, the related
      identifiers contain a non str element which
      used to break the related exception handling
  • [stix2 import] Fixed the hash types handling while parsing patterns. [Christian Studer]

  • [tests] Removed the person object from the tests for custom objects export as STIX 1. [Christian Studer]

    • Following changes on the person object export
      and its removal from the tests samples for
      custom objects
  • [tests] Added tests for `...


misp-stix 2.4.163 released

26 Sep 12:25
c60a6e7

v2.4.163 (2022-09-26)

Changes

  • [package] New version. [Christian Studer]

Fix

  • [stix2 export] Avoiding variables to be referenced before they are declared. [Christian Studer]

  • [stix2 export] Fixed the Hash values checking. [Christian Studer]

    • STIX 2 allows some custom Hash types so we don't
      need to consider a hash invalid when it is not
      in the list of common supported types
  • [stix2 export] Some details fixed on errors handling functions. [Christian Studer]

Other

  • Fix: [stix2 export] Added missing check for data fields from attachment attributes. [Christian Studer]

  • Wip: [stix2 export] Checking Hash values for object attributes. [Christian Studer]

  • Wip: [stix2 export] More Hash values checking. [Christian Studer]

    • We now also check Hash values in the case of a
      conversion as Observable objects
  • Wip: [stix2 export] Introducing a hash value checking function to avoid issues with invalid hashes. [Christian Studer]

  • Wip: [stix2 import] Added some helpers to parse content in STIX 2 patterns. [Christian Studer]

    • Loading patterns for now

misp-stix 2.4.162 released

26 Sep 12:26
9a5aedb

v2.4.162 (2022-09-19)

Changes

  • [package] Updated to latest version to publish. [Christian Studer]

  • [stix2 export] Returning warning as a dictionary of lists instead of sets. [Christian Studer]

  • [setup, poetry] Aligning with the package features that are actually used on pypi. [Christian Studer]

  • [tests] Ported all STIX 1 export tests to support both JSON & MISP inputs. [Christian Studer]

  • [stix2 export] Made the timestamp values checking common to all export classes and moved the test whether the values are datetime to this common function. [Christian Studer]

  • [tests] Duplicated tests for attributes, objects & galaxies export as STIX 2 to support both JSON & MISP input. [Christian Studer]

  • [tests] Tests for interoperability & feeds now support both JSON and MISP inputs. [Christian Studer]

  • [stix2 export] Added correct typing to functions receiving attributes, objects or events. [Christian Studer]

    • When the library is used in a python script, we
      can pass directly MISPEvent, MISPAttribute or
      MISPObject objects instead of their JSON format.
      It is already working; here we simply fixed the
      functions header with the correct typing
  • [doc] add PyPI references. [Alexandre Dulaunoy]

Fix

  • [readme] Updated description. [Christian Studer]

  • [stix2 export] Added missing use case making available Attributes parsing in some situations while giving the input as file instead of as loaded dict. [Christian Studer]

    • It avoids for instance issues with the command
      line script when giving a file containing an
      attributes collection
  • [stix2 export] Fixed edge case when the send-date attribute within an email object is not a correctly formatted datetime value. [Christian Studer]

  • [tests] Fixed tests for composite attributes exported as STIX 2 indicator that received a tiny change. [Christian Studer]

  • [stix1 export] Fixed composite attribute values parsing to avoid issues with values not formatted the right way. [Christian Studer]

  • [stix2 export] Fixed parsing of composite attributes which require some attribute type handling. [Christian Studer]

    • The composite attribute type will indeed always
      have the standard | as separator
  • [stix2 export] Handling composite attribute values when they are not formatted as they should be with a |. [Christian Studer]

  • [stix2 export] Added the missing interoperability parameter in the Relationship object arguments. [Christian Studer]

  • [stix2 export] Fixed annotation object export as STIX 2.1 when there is no object reference. [Christian Studer]

  • [clean up] Removed debugging print statements. [Christian Studer]

  • [tests] Making the datetime to str utility function common to all STIX testing classes. [Christian Studer]

  • [stix1 export] Handling the data field while creating an Artifact object. [Christian Studer]

  • [stix1 export] Handling some datetime values. [Christian Studer]

  • [documentation] Fixed documentation following changes on the lnk objects export to STIX 2.0. [Christian Studer]

  • [tests] Fixing some tests triggered by a lot of unit tests to make them work with a MISP input. [Christian Studer]

  • [tests] Avoiding issues with the geolocation object & the to_ids value of some asn object attributes. [Christian Studer]

  • [stix2 export] Added missing import. [Christian Studer]

  • [tests] Better handling of timeline value & the data field. [Christian Studer]

  • [stix2 export] Better lnk objects parsing including the timeline attributes export as STIX 2.0 that were missing. [Christian Studer]

  • [stix2 export] Correctly handling the timestamp fields and values. [Christian Studer]

  • [stix2 export] Handling properly data fields in attributes and object attributes. [Christian Studer]

  • [stix2 export] Handling some timestamp values depending on whether they are datetime or str. [Christian Studer]

  • [requirements] Regenerated the requirements files. [Christian Studer]

  • [requirements] Fixed requirements regarding the STIX 2 dependency. [Christian Studer]

  • [stix2 export] Fixed timestamp handling when they are already datetime. [Christian Studer]

    • Happens if we give the STIX Parser a MISPEvent
      type input instead of the JSON format that is
      the standard case when used in MISP core
  • [stix2 export] Fixed pattern validation to avoid sanitisation for strings to be executed on non string values. [Christian Studer]

  • [stix2 export] Fixed custom objects parsing for standalone pe-section objects parsing. [Christian Studer]

Other

  • Merge branch 'main' of github.com:MISP/misp-stix. [Christian Studer]