STIX import says no version attribute set, but version attribute is set

[bond-alexander]

I'm trying to import a STIX file from IT-ISAC into CRITs, but when I try to import it, it gives the following error:

No version attribute set on xml instance. Unable to determine version compatibility

The problem is that there is a version set on the XML tag, and in the stix:STIX_PACKAGE tag.

<?xml version='1.0' encoding='UTF-8'?>

Why would CRITs be unable to recognize the version tag?

[gtback]

The STIX error is referring to the @version attribute on the STIX_Package element, not the XML version.

EDIT: I just realized you said there is a version on the STIX Package as well. Can you provide that as well?

[bond-alexander]

It's supposed to be @version? That might be the problem, this package just says version. <stix:STIX_Package id="CISCP:IB-14-10492" version="1.0">

[gtback]

Sorry for the confusion; I used the "@" notation to signify that it was an attribute (as opposed to an element).

Based just on what you've pasted, it seems like it should work (or at least give a different error... 1.0 is pretty old and I'm not sure if CRITs still supports it). Unfortunately, I don't have a good way to test at the moment; hopefully someone else will be able to help.

[mgoffin]

CRITs supports STIX 1.1. STIX isn't backwards compatible so we won't be able to support previous versions at this time. On Fri, Nov 7, 2014 at 5:09 PM Greg Back notifications@github.com wrote:

Sorry for the confusion; I used the "@" notation to signify that it was an attribute (as opposed to an element).

Based just on what you've pasted, it seems like it should work (or at least give a different error... 1.0 is pretty old and I'm not sure if CRITs still supports it). Unfortunately, I don't have a good way to test at the moment; hopefully someone else will be able to help.

— Reply to this email directly or view it on GitHub https://github.com/crits/crits/issues/302#issuecomment-62222734.

[bond-alexander]

Makes sense. Could we get a more accurate error message?

[mgoffin]

Iirc you'd have to ask the STIX folks :)

[bond-alexander]

Oh, the "no version attribute" message is created by the STIX library, not CRITs? Guess I need to report it to them.

[MarkDavidson]

I took the liberty of bouncing this over to the STIX library: https://github.com/STIXProject/python-stix/issues/226

[bworrell]

Just a heads up on the STIX backwards compatibility front: though it's in alpha now, the stix-ramrod library can update STIX content and was built with python-stix in mind.

[SyntaxGeek]

I know this is an old issue but I've just recently ran into this, and these IT-ISAC stix files are using a custom header that is not STIX compliant, there is a couple of simple edits that need to be done and they'll import just fine, the consolidated CISCP files are another story and I believe that's what stix-ramrod is for (awesome name btw).

[drakearonhalt]

@SyntaxGeek could you share those edits on the IT-ISAC forum? I'm having the same issue.

[mgoffin]

CybOX/STIX are no longer a part of core. They are a part of the TAXII service and if there are issues now that the code has moved, new ones should be created in the crits_services Issue tracker.