CybOXProject / python-cybox

A Python library for parsing, manipulating, and generating CybOX content.
http://cybox.readthedocs.org/
BSD 3-Clause "New" or "Revised" License

Inconsistent dictionary representations for vocabulary terms compared to python-stix #201

Open marlontaylor opened 10 years ago

marlontaylor commented 10 years ago

Specific Case: 'package_intents' (STIX_Package/STIX_Header/Package_Intent) vs 'type' (STIX_Package/STIX_Header/Information_Source/Tools/Tool/Type)

'package_intents' is a list of objects containing a 'value' and 'xsi:type'

    'package_intents': [{'value': 'Indicators',
                         'xsi:type': 'stixVocabs:PackageIntentVocab-1.0'},
                        {'value': 'Indicators - Phishing',
                         'xsi:type': 'stixVocabs:PackageIntentVocab-1.0'},
                        {'value': 'Indicators - Watchlist',
                         'xsi:type': 'stixVocabs:PackageIntentVocab-1.0'},
                        {'value': 'Indicators - Malware Artifacts',
                         'xsi:type': 'stixVocabs:PackageIntentVocab-1.0'},
                        {'value': 'Indicators - Network Activity',
                         'xsi:type': 'stixVocabs:PackageIntentVocab-1.0'},
                        {'value': 'Indicators - Endpoint Characteristics',
                         'xsi:type': 'stixVocabs:PackageIntentVocab-1.0'}]

whereas 'type' is a list of strings.

    'type': ['NIDS',
             'NIPS',
             'HIDS',
             'HIPS'],

Personally, I prefer the list of objects (makes things easier for other developers).

marlontaylor commented 10 years ago

I don't think python-cybox should try to validate the strings. I do think python-cybox should pass the xsi:type along into the dictionary/JSON and object structures so developers can decide how to handle them.

In #203, the error was caused by relying only on a hard-coded xsi:type; it was later fixed by commit https://github.com/CybOXProject/python-cybox/commit/37cfe419ce83c3b4670f43a4fa7683cad50c79fe.

The new version handles this case; however, addressing #201 would fix the general case. Since python-cybox only uses the vocab terms it 'knows', developers will have to wait for an update in python-cybox to correctly round-trip (and/or slightly modify) a STIX document which uses the latest schema.
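
One way a consumer of these dictionaries could handle both shapes discussed in this issue while keeping any xsi:type it is given, shown as an added example that is not code from python-cybox, python-stix, or the commenters. The helper names `normalize_vocab_list` and `denormalize` are hypothetical, the sample data is constructed, and `exampleVocabs:FutureVocab-9.9` is a made-up xsi:type standing in for a vocabulary the library does not know.

```python
# Added illustration; normalize_vocab_list and denormalize are hypothetical
# helper names, not part of python-cybox or python-stix.

def normalize_vocab_list(terms, default_xsi_type=None):
    """Return every term as {'value': ..., 'xsi:type': ...}.

    Accepts both shapes from the issue: a list of plain strings and a list of
    dicts. An xsi:type that is present is passed through untouched, whether or
    not it names a vocabulary this code has ever seen.
    """
    if terms is None:
        return []
    if isinstance(terms, (str, dict)):   # a single term rather than a list
        terms = [terms]
    normalized = []
    for term in terms:
        if isinstance(term, str):
            normalized.append({'value': term, 'xsi:type': default_xsi_type})
        elif isinstance(term, dict) and 'value' in term:
            normalized.append({'value': term['value'],
                               'xsi:type': term.get('xsi:type', default_xsi_type)})
        else:
            raise ValueError('unrecognized vocabulary term: %r' % (term,))
    return normalized


def denormalize(terms):
    """Collapse a term to a plain string only when no xsi:type would be lost."""
    return [t['value'] if t['xsi:type'] is None else dict(t) for t in terms]


# Constructed sample input, shaped like the two dictionaries in the issue.
header = {
    'package_intents': [
        {'value': 'Indicators', 'xsi:type': 'stixVocabs:PackageIntentVocab-1.0'},
        {'value': 'Something New', 'xsi:type': 'exampleVocabs:FutureVocab-9.9'},
    ],
    'type': ['NIDS', 'HIPS'],
}

intents = normalize_vocab_list(header['package_intents'])
tool_types = normalize_vocab_list(header['type'])

if __name__ == '__main__':
    print(intents)                  # unknown xsi:type survives unchanged
    print(tool_types)               # strings become objects with xsi:type None
    print(denormalize(tool_types))  # and round-trip back to plain strings
```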