Web Gui for 'Needs Review - Analyze' doesn't render (Comes up blank)

[threathunternotebook]

Please Describe The Bug

Any relevant information regarding the bug, such as error messages and the steps taken to produce the error. After submitting the URL and the "Needs Review" box appears, clicking on the 'Analyze' button renders a blank page even though the database is populated with hits ( After clicking the "Add Technique" button, a list of 'Confirmed Techniques' appears The generated pdf shows a list of techniques found from the page.

So, the problem appears to be the rendering of the Analyze page. It never populates.

[ghost]

Same problem here, any news on this? @threathunternotebook have you found a solution?

[ghost]

I thought I found a solution for this problems, but I didn't. After following the steps I was able to analyze a few reports, but some others are just empty even if there is content in the database. For example I am not able to analyze this APT28 report with tram: https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/

Tried this, but didn't help:

I used the requirements.txt of this package to install all the modules and remembered that I had some errors. So I checked all installed module versions with pip freeze and there were some newer versions of the following modules:

antlr4-python3-runtime==4.7.2 numpy==1.17.4 Pillow==6.2.1 pytz==2019.3 PyYAML==5.2
scikit-learn==0.22 scipy==1.3.3 simplejson==3.17.0
stix2==1.2.1 stix2-patterns==1.2.1

I uninstalled them with pip and then installed the exact required version via pip install -Iv numpy==1.17.4 etc I also removed the taxii2-client and installed it again (newest compatible version via pip install taxii2-client because the older ones had problems importing v20).

[jecarr]

This occurs because the local attack-dictionary file (attack_dict.json) is out of sync with the data retrieved from STIX/TAXII on startup.

For example, attack T1003 is 'OS Credential Dumping' (at time of writing, you can verify this here). The local json file has this attack stored as 'Credential Dumping'.

A KeyError silently is raised (silent because this is via background tasks) when the attack entry in the database for 'Credential Dumping' is attempted to be retrieved but nothing is returned.

If you want to use my linked PR, it's advised to delete (or move to be safe) the local database file - database/tram.db - and the models file - models/model_dict.p - to trigger a rebuild of these (so be prepared for a long startup).

My PR hasn't captured all outdated attack names but should log any that can't be found. You can then update attack_dict.json (and rebuild the 2 specified local files above) when you find what the name should be:

• See log statement for attack that could not be retrieved from the database
• Search the attack's name in attack_dict.json; note the attack ID
• Go to https://attack.mitre.org/techniques/T1003/ -> replace last part of URL with attack ID
• OR In a terminal:
  • cd tram/database
  • sqlite3 (opens database shell)
  • .open tram.db
  • SELECT name FROM attack_uids WHERE tid IS 'T1003'; (replace with attack ID)
• Update attack_dict.json with new attack name
• Rebuild database and models pickle file on tram startup

Finally, a screenshot of this fix working for the URL @timoliciouz specified. @threathunternotebook, I'm happy to test my code with your URL.

[MarkDavidson]

Hello @threathunternotebook and thank you for the bug report. TRAM has moved to https://github.com/center-for-threat-informed-defense/tram and this issue is no longer present in that repository so I am closing this issue. Thank you!