center-for-threat-informed-defense / mappings-explorer

Mappings Explorer enables cyber defenders to understand how security controls and capabilities map onto the adversary behaviors catalogued in the MITRE ATT&CK® knowledge base. These mappings form a bridge between the threat-informed approach to cybersecurity and the traditional security controls perspective.
https://ctid.io/mappings-explorer
Apache License 2.0

Cannot load NIST mappings stix bundle using the python stix2 library #96

Open WesleySoftware opened 4 days ago

WesleySoftware commented 4 days ago

Describe the bug

When trying to import the NIST Mappings as a custom extension into the Python stix2 library, I got an error about the id for the "attack-pattern" objects:

raise InvalidValueError(
stix2.exceptions.InvalidValueError: Invalid value for AttackPattern 'id': must start with 'attack-pattern--'.

My python script is as follows:

from stix2 import CustomObject, properties

@CustomObject(
    "x-infrastructure",
    [
        ("type", properties.StringProperty(required=True)),
        ("spec_version", properties.StringProperty(required=True)),
        ("id", properties.IDProperty(type="infrastructure")),
        ("name", properties.StringProperty()),
        ("created", properties.TimestampProperty(required=True)),
        ("modified", properties.TimestampProperty(required=True)),
    ],
)
class Infrastructure:
    pass

@CustomObject(
    "x-relationship",
    [
        ("type", properties.StringProperty(required=True)),
        ("spec_version", properties.StringProperty(required=True)),
        ("id", properties.IDProperty(type="relationship")),
        ("created", properties.TimestampProperty(required=True)),
        ("modified", properties.TimestampProperty(required=True)),
        ("relationship_type", properties.StringProperty(required=True)),
        (
            "source_ref",
            properties.ReferenceProperty(
                required=True, valid_types=["x-infrastructure"]
            ),
        ),
        (
            "target_ref",
            properties.ReferenceProperty(
                required=True, valid_types=["x-infrastructure"]
            ),
        ),
    ],
)
class Relationship:
    pass

from stix2 import parse
from collections import defaultdict

# Parse the STIX 2.1 bundle
with open(
    "nist_800_53-rev5_attack-14.1-enterprise_stix.json", "r", encoding="utf8"
) as file:
    parse(file.read(), allow_custom=True)

I used the stix2 bundle available at https://center-for-threat-informed-defense.github.io/mappings-explorer/data/nist_800_53/attack-14.1/nist_800_53-rev5/enterprise/nist_800_53-rev5_attack-14.1-enterprise_stix.json

To Reproduce

Here are the instructions to reproduce on Linux:

  1. Download the stix bundle
  2. Create a virtual environment: python3 -m venv .venv
  3. Activate the virtual environment: source .venv/bin/activate
  4. Install stix2: python3 -m pip install stix2
  5. Paste the content above into a file (test.py as an example)
  6. Run the script

Expected behavior

Nothing, script exits with happy exit code.

Desktop (please complete the following information):

Thanks for taking the time to look at this.
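
A pre-parse check for the failure reported above, added here as an example and not part of the original post or the Mappings Explorer project: using only the standard library, it lists every object in a bundle whose id is not of the form <type>--<UUID>, the form the quoted error message demands for attack-pattern objects. The function names and the sample bundle are constructed for illustration and do not reproduce the contents of the NIST mappings bundle.

```python
import json
import uuid


def id_problem(obj):
    """Return why obj's id is not '<type>--<UUID>', or None if it is well formed."""
    obj_type, obj_id = obj.get("type"), obj.get("id")
    if not isinstance(obj_type, str) or not isinstance(obj_id, str):
        return "missing or non-string 'type' or 'id'"
    prefix = obj_type + "--"
    if not obj_id.startswith(prefix):
        return f"id must start with '{prefix}'"
    suffix = obj_id[len(prefix):]
    try:
        canonical = str(uuid.UUID(suffix))
    except ValueError:
        return "id suffix is not a UUID"
    # uuid.UUID also tolerates braces, a urn:uuid: prefix and missing hyphens.
    if canonical != suffix.lower():
        return "id suffix is not a canonically formatted UUID"
    return None


def find_bad_ids(bundle_text):
    """Return (index, type, id, reason) for each object with a malformed id."""
    bundle = json.loads(bundle_text)
    findings = []
    for index, obj in enumerate(bundle.get("objects", [])):
        reason = id_problem(obj)
        if reason:
            findings.append((index, obj.get("type"), obj.get("id"), reason))
    return findings


# Constructed sample bundle: every id below is made up for this example.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "attack-pattern",
         "id": "attack-pattern--00000000-0000-4000-8000-000000000001"},
        {"type": "attack-pattern", "id": "constructed-bad-id-0001"},
        {"type": "course-of-action", "id": "course-of-action--not-a-uuid"},
    ],
})

if __name__ == "__main__":
    for finding in find_bad_ids(SAMPLE_BUNDLE):
        print(finding)
```

To check a downloaded bundle, pass the text of the file to find_bad_ids instead of SAMPLE_BUNDLE.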

mehaase commented 3 days ago

Thank you for pointing this out. We'll look into it and I'll post here when we have a fix in place.