carbonblack / cbfeeds

Carbon Black Feeds

Documentation for deleting report is inconsistent with validation #21

Open edeca opened 6 years ago

edeca commented 6 years ago

The documentation says:

> For reports to be deleted, remove all IOCs from the report and update the timestamp rather than removing the report.

However, a report with removed IOCs does not validate:

    {
      "title": "Deleted item",
      "id": "63abcefe6f851464002510074f3da6a22d9072173e0daa1522468b22c62109d9",
      "timestamp": 1539089424,
      "score": 100,
      "link": "https://example.com",
      "iocs": {}
    }

The output from validate_feed.py is:

    -> % python validate_feed.py -f output.json
    -> Validated that file exists and is readable
    -> Validated that feed file is valid JSON
    -> Unable to validate that the file is a valid CB feed
    -> Details:

    Report with no IOCs in report 63abcefe6f851464002510074f3da6a22d9072173e0daa1522468b22c62109d9

Errors also occur if the iocs key is completely removed:

    -> % python validate_feed.py -f output.json
    -> Validated that file exists and is readable
    -> Validated that feed file is valid JSON
    -> Unable to validate that the file is a valid CB feed
    -> Details:

    Report missing required field(s): iocs

yellowdepot commented 5 years ago

Hello,

just stumbled upon the same problem. The only workaround I found is using a query which can never match but that's bad because it costs performance. Any better ideas?

Best solution would probably be to issue a warning on empty iocs but not make it required.
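
A sketch of the behaviour suggested in the comment above, as an added example that is not part of the thread and is not cbfeeds code: a report with a missing or empty `iocs` produces a warning (deletion tombstone) instead of a validation error. The function names, the `REQUIRED` list, the feed-level `reports` key and the second sample report are assumptions made for illustration.

```python
import json

# Assumption: besides "iocs", the fields shown in the issue's sample report are required.
REQUIRED = ("id", "timestamp", "link", "title", "score")

def check_report(report):
    """Return (errors, warnings) for one report dict (hypothetical helper)."""
    errors, warnings = [], []
    missing = [f for f in REQUIRED if f not in report]
    if missing:
        errors.append("Report missing required field(s): " + ", ".join(missing))
    rid = report.get("id", "<no id>")
    iocs = report.get("iocs", {})
    if not isinstance(iocs, dict):
        errors.append("Report %s: iocs must be an object" % rid)
    elif not any(iocs.values()):
        # A missing key, {} and {"ipv4": []} all mean "nothing left to match".
        warnings.append("Report with no IOCs in report %s (treated as deleted)" % rid)
    return errors, warnings

def check_feed(feed):
    """Aggregate results over feed["reports"]; the feed passes if errors is empty."""
    errors, warnings = [], []
    for report in feed.get("reports", []):
        e, w = check_report(report)
        errors += e
        warnings += w
    return errors, warnings

# Constructed sample: the deleted report from the issue plus one live report.
SAMPLE_FEED = json.loads("""
{"reports": [
  {"title": "Deleted item",
   "id": "63abcefe6f851464002510074f3da6a22d9072173e0daa1522468b22c62109d9",
   "timestamp": 1539089424, "score": 100, "link": "https://example.com",
   "iocs": {}},
  {"title": "Live item", "id": "constructed-live-report",
   "timestamp": 1539089424, "score": 50, "link": "https://example.com",
   "iocs": {"ipv4": ["192.0.2.10"]}}
]}
""")

if __name__ == "__main__":
    errs, warns = check_feed(SAMPLE_FEED)
    for w in warns:
        print("WARNING:", w)
    print("valid" if not errs else "invalid: %s" % errs)
```
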