muchdogesec / arango_cti_processor

A small script that creates relationships between common CTI knowledge-bases in STIX 2.1 format.
https://www.dogesec.com/
Apache License 2.0

Create new EPSS update mode #22

Closed himynamesdave closed 1 month ago

himynamesdave commented 3 months ago

https://github.com/muchdogesec/arango_cti_processor/blob/embedded-relationship-tests/docs/cve-epss.md

himynamesdave commented 2 months ago

on hold for now, pending further research:

https://dogesec.slack.com/archives/D05L8JEAM1N/p1725893585141609

himynamesdave commented 1 month ago

Have updated the spec to reflect expected behaviour.

himynamesdave commented 1 month ago

Have updated the spec for this ticket

https://github.com/muchdogesec/arango_cti_processor/commit/de66810001f251f7f07f39d6753dad38368b9cec

Needed for changes

https://github.com/muchdogesec/cve2stix/issues/25

himynamesdave commented 1 month ago

2 things

Unsure why test is failing

My test for this currently fails. I am not sure why.

python3 -m unittest tests/test_12_0_cve_epss.py

Unsure why test is failing

My assumption is that the script looks for existing notes, and then updates them. Is this correct?

If so, how does this work: https://github.com/muchdogesec/cve2stix/issues/26#issuecomment-2401362879

fqrious commented 1 month ago

> My assumption is that the script looks for existing notes, and then updates them. Is this correct?

No, it doesn't look for existing notes... It just creates a new note if there's an update

> If so, how does this work: https://github.com/muchdogesec/cve2stix/issues/26#issuecomment-2401362879

It creates a Note object if and only if the EPSS data exists

himynamesdave commented 1 month ago

@fqrious so why is the test failing?

fqrious commented 1 month ago

The spec didn't mention creating a relationship for it. I just thought the embedded object_refs would be enough

himynamesdave commented 1 month ago

I think this is the problem

> No, it doesn't look for existing notes... It just creates a new note if there's an update

The point of this ticket is that a user can get a historic record of EPSS scores inside the note.

So whenever this update mode is run, the script adds more data for the current day (if it is not already present) in the note. This way they can see the changes in EPSS over time

The function to create new notes on updates is also correct, but only half the task.
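The behaviour described in this comment (one Note per CVE that accumulates a day-by-day EPSS history, with a run on an already-recorded day being a no-op) is shown below as an added example. It is not code from arango_cti_processor or cve2stix; the field layout (an `x_epss` list on the Note, the placeholder ids, and the sample scores) is constructed for the example and is not the spec in docs/cve-epss.md. It also includes the vertex/edge distinction raised later in the thread: a STIX Note is a domain object and so lives in a vertex collection, unlike relationships and sightings.

```python
"""Added example: idempotent EPSS history kept on a STIX 2.1 Note.

Assumptions (not from the project): the Note stores history in a custom
``x_epss`` list of {"date", "epss", "percentile"} entries, and ids below are
placeholders.
"""
import copy

# Constructed sample Note for one CVE with two days of EPSS history already recorded.
SAMPLE_NOTE = {
    "type": "note",
    "spec_version": "2.1",
    "id": "note--00000000-0000-4000-8000-000000000001",  # placeholder id
    "created": "2024-10-01T00:00:00.000Z",
    "modified": "2024-10-02T00:00:00.000Z",
    "content": "EPSS scores for CVE-2024-0001 (constructed sample)",
    # Embedded reference to the Vulnerability object this history belongs to.
    "object_refs": ["vulnerability--00000000-0000-4000-8000-0000000000aa"],  # placeholder id
    "x_epss": [
        {"date": "2024-10-01", "epss": "0.00043", "percentile": "0.08000"},
        {"date": "2024-10-02", "epss": "0.00045", "percentile": "0.08100"},
    ],
}


def is_vertex(stix_object):
    """Relationships and sightings are edges in a STIX graph store; every other
    object type, Note included, is a vertex. A test that looks for a Note among
    edges will therefore never find it."""
    return stix_object["type"] not in ("relationship", "sighting")


def add_epss_entry(note, entry):
    """Return (updated_note, changed).

    Appends `entry` to the Note's x_epss history unless an entry for that date is
    already present, so running the update mode twice on the same day leaves the
    Note untouched. The input is not mutated; `modified` only moves when the
    history actually grows.
    """
    updated = copy.deepcopy(note)
    recorded_dates = {e["date"] for e in updated["x_epss"]}
    if entry["date"] in recorded_dates:
        return updated, False
    updated["x_epss"].append(dict(entry))
    # ISO dates sort correctly as strings, which keeps the history chronological.
    updated["x_epss"].sort(key=lambda e: e["date"])
    updated["modified"] = entry["date"] + "T00:00:00.000Z"
    return updated, True


def epss_history(note):
    """Flatten the history into (date, epss) pairs so changes over time are easy to read."""
    return [(e["date"], float(e["epss"])) for e in note["x_epss"]]


if __name__ == "__main__":
    today = {"date": "2024-10-03", "epss": "0.00050", "percentile": "0.08500"}
    note, changed = add_epss_entry(SAMPLE_NOTE, today)
    print("first run changed:", changed)
    note, changed = add_epss_entry(note, today)
    print("second run changed:", changed)
    for day, score in epss_history(note):
        print(day, score)
```

Checking `is_vertex` before asserting on a store collection is the cheap way to avoid the mistake the thread ends on: the Note is looked up among vertices, and only the `object_refs` (or any explicit relationship the spec calls for) are expected on the edge side.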

fqrious commented 1 month ago

From my understanding, that is already how it works. You should probably update the spec if you want something different

himynamesdave commented 1 month ago

but then why aren't the notes in the test being updated?

python3 -m unittest tests/test_12_0_cve_epss.py

fqrious commented 1 month ago

https://github.com/muchdogesec/arango_cti_processor/blob/b856d6d31a61abd794f23207634c7c02f3bac055/tests/test_12_0_cve_epss.py#L68

Because a note is a vertex, the test is wrong