MISP / misp-stix

MISP-STIX-Converter - Python library to handle the conversion between MISP and STIX formats
https://misp.github.io/misp-stix/
BSD 2-Clause "Simplified" License

Bug: converter fails to convert STIX mutex object name field and fails to give warning #63

Open kwr2 opened 9 months ago

kwr2 commented 9 months ago

MISP-STIX usage

Using the misp_stix_converter CLI script to import STIX into MISP

Expected behavior

The converter was expected to generate a MISP file with the information from the STIX file for all required STIX fields.

If the converter failed to process part or all of the file, then in normal mode we hoped we would see a warning about that.

Actual behavior

The conversion of a STIX file reported that it successfully processed the file and gave no warnings or indications that any of the data from the file had problems being successfully processed. The file generated did not have data for a STIX required property (i.e. the name property) that was in the input file.

When run in normal mode, no error or warning is provided and successful conversion is reported. See console output below:

The output of the converter is the following:

Successfully processed your file. Results available in:

And the resultant file contained the following contents (which did not include the STIX-required name property of the mutex). See the MISP provided as output below:

{
  "uuid": "a5a9cc35-7b62-4924-ba29-14e9c4d92087",
  "info": "STIX 2.1 Bundle imported with the MISP-STIX import feature.",
  "distribution": "0",
  "published": false
}

Steps to reproduce

misp_stix_converter import --version 2 -f ./stix-input/mutex_d1.json --output_name ./misp-output/misp_183_from_mutex_d1.json

where mutex_d1.json contains the following:

{
  "type": "bundle",
  "id": "bundle--a5a9cc35-7b62-4924-ba29-14e9c4d92087",
  "objects": [
    {
      "type": "mutex",
      "spec_version": "2.1",
      "name": "well",
      "id": "mutex--548231ca-70ea-4c33-b3ad-0f7985d46587",
      "object_marking_refs": [
        "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
      ]
    },
    {
      "type": "marking-definition",
      "spec_version": "2.1",
      "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
      "created": "2017-01-20T00:00:00.000Z",
      "definition_type": "tlp",
      "name": "TLP:WHITE",
      "definition": {
        "tlp": "white"
      }
    }
  ]
}

Version

2.4.183

Python version

3.9.9

Relevant log output

When run with the debug flag the following error is displayed:

Errors encountered during the STIX to MISP conversion process:
 - bundle--a5a9cc35-7b62-4924-ba29-14e9c4d92087
   - Error parsing the Observable object with id mutex--548231ca-70ea-4c33-b3ad-0f7985d46587:
  File "/var/local/misp/misp-stix/v2.4.183/frompip/venv399misp183/lib/python3.9/site-packages/misp_stix_converter/stix2misp/external_stix2_to_misp.py", line 382, in _handle_unparsed_content
    getattr(self.observable_object_parser, to_call)(object_id)
  File "/var/local/misp/misp-stix/v2.4.183/frompip/venv399misp183/lib/python3.9/site-packages/misp_stix_converter/stix2misp/converters/stix2_observable_objects_converter.py", line 409, in _parse_mutex_observable_object
    self._create_misp_attribute('mutex', mutex), mutex
  File "/var/local/misp/misp-stix/v2.4.183/frompip/venv399misp183/lib/python3.9/site-packages/misp_stix_converter/stix2misp/converters/stix2_observable_objects_converter.py", line 47, in _create_misp_attribute
    'value': getattr(observable, feature), 'type': attribute_type,
  File "/var/local/misp/misp-stix/v2.4.183/frompip/venv399misp183/lib/python3.9/site-packages/stix2/base.py", line 278, in __getattr__
    raise AttributeError(
'Mutex' object has no attribute 'value'
Successfully processed your file. Results available in:
 - misp-output/misp_183_from_mutex_diff.json_segment_1.json.20240131_091558.json

Extra attachments

No response


kwr2 commented 9 months ago

Please note that while I created this bug report and another like it, the CIRCL converter v2.4.183 reported that it had errors converting each of the following types of STIX objects:

  1. directory
  2. email-message
  3. mutex
  4. network-traffic
  5. observed-data
  6. windows-registry-key

If desired, I can create a bug for each type if that would be helpful.

kwr2 commented 9 months ago

Re-opening after an accidental close when leaving the prior comment.
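The silent loss reported in this issue (the mutex name is absent from the output while the run reports success) can be caught by a check run after conversion. The following is an added example, not part of the original report and not misp-stix code: it uses only plain dictionaries and flags any data-carrying STIX string value that appears nowhere in the MISP output. The function names, the list of structural properties, the substring match and the CONSTRUCTED_COMPLETE sample are assumptions made for illustration.

```python
# Properties that describe the STIX object itself rather than carrying observable data.
STRUCTURAL = {"type", "id", "spec_version", "created", "modified", "defanged", "extensions"}
SKIPPED_TYPES = {"marking-definition"}  # assumption: markings are not expected as attribute values

# Bundle and converter output as posted in the report above.
BUNDLE = {"type": "bundle", "id": "bundle--a5a9cc35-7b62-4924-ba29-14e9c4d92087", "objects": [
    {"type": "mutex", "spec_version": "2.1", "name": "well",
     "id": "mutex--548231ca-70ea-4c33-b3ad-0f7985d46587",
     "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"]},
    {"type": "marking-definition", "spec_version": "2.1",
     "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
     "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp",
     "name": "TLP:WHITE", "definition": {"tlp": "white"}}]}
REPORTED_OUTPUT = {"uuid": "a5a9cc35-7b62-4924-ba29-14e9c4d92087",
                   "info": "STIX 2.1 Bundle imported with the MISP-STIX import feature.",
                   "distribution": "0", "published": False}
# Constructed for contrast: the same event with the mutex value carried over.
CONSTRUCTED_COMPLETE = dict(REPORTED_OUTPUT, Attribute=[{"type": "mutex", "value": "well"}])


def leaf_strings(node):
    """Yield every string value found anywhere inside a JSON-like structure."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from leaf_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from leaf_strings(value)


def dropped_values(stix_bundle, misp_event):
    """Return {stix_id: [values]} for STIX values with no counterpart in the MISP event."""
    present = list(leaf_strings(misp_event))
    missing = {}
    for obj in stix_bundle.get("objects", []):
        if obj.get("type") in SKIPPED_TYPES:
            continue
        data = {k: v for k, v in obj.items()
                if k not in STRUCTURAL and not k.endswith(("_ref", "_refs"))}
        # Substring match so a value embedded in a composite MISP value still counts.
        lost = sorted(v for v in set(leaf_strings(data)) if not any(v in p for p in present))
        if lost:
            missing[obj.get("id", "<no id>")] = lost
    return missing


if __name__ == "__main__":
    for stix_id, values in dropped_values(BUNDLE, REPORTED_OUTPUT).items():
        print(f"{stix_id}: not found in MISP output: {values}")
```

A non-empty result is a reason to rerun the conversion with the debug flag and inspect the reported errors before trusting the imported event.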