muchdogesec / stix2arango

stix2arango is a command line tool that takes a group of STIX 2.1 objects in a bundle and inserts them into ArangoDB. It can also handle updates to existing objects in ArangoDB imported in a bundle.
https://www.dogesec.com/
Apache License 2.0

Strange behaviour for embedded relationships on updates where stix objects remain the same, but stix2arango_note changes #10

Closed himynamesdave closed 3 months ago

himynamesdave commented 3 months ago

Test case 4

https://github.com/muchdogesec/stix2arango/blob/optimizations/tests/4-import-detected-because-of-stix2arango-note.md

RETURN LENGTH(
  FOR doc IN test4_edge_collection
    FILTER doc._is_latest == true
    AND doc._is_ref == true
    AND doc.created_by_ref == "identity--72e906ce-ca1b-5d73-adcd-9ea9eb66a1b4"
    AND doc._stix2arango_note == "test4C"
      RETURN doc
)

Should return

[
  15032
]

(the number of embedded relationships in the bundle)

Which it does.

RETURN LENGTH(
  FOR doc IN test4_edge_collection
    FILTER doc._is_latest == false
    AND doc._is_ref == true
    AND doc.created_by_ref == "identity--72e906ce-ca1b-5d73-adcd-9ea9eb66a1b4"
    AND doc._stix2arango_note == "test4A"
    OR doc._stix2arango_note == "test4B"
      RETURN doc
)

Should return

[
  30064
]

b/c two updates have happened to (15032x2)

but it actually returns

[
  30978
]
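
A point to check in the second query above, shown as an added example that is not part of the original issue: in AQL, AND binds more tightly than OR, so the final `OR doc._stix2arango_note == "test4B"` is evaluated as a branch of its own rather than as an alternative to the test4A check. The query below reuses the collection, field names and identity id from the issue and returns the count as the query is parsed, the count with both notes held to the same conditions, and a breakdown of the documents that match only through the OR branch.

```aql
// Added example, not from the issue. Collection, field names and the
// identity id are copied from the queries above.
LET creator = "identity--72e906ce-ca1b-5d73-adcd-9ea9eb66a1b4"

// How the second query is parsed: AND binds tighter than OR, so the
// test4B comparison stands alone with none of the other conditions.
LET as_written = LENGTH(
  FOR doc IN test4_edge_collection
    FILTER (doc._is_latest == false
        AND doc._is_ref == true
        AND doc.created_by_ref == creator
        AND doc._stix2arango_note == "test4A")
      OR doc._stix2arango_note == "test4B"
    RETURN 1
)

// Both notes held to the same three conditions.
LET grouped = LENGTH(
  FOR doc IN test4_edge_collection
    FILTER doc._is_latest == false
      AND doc._is_ref == true
      AND doc.created_by_ref == creator
      AND doc._stix2arango_note IN ["test4A", "test4B"]
    RETURN 1
)

// test4B documents that fail at least one of the three conditions,
// grouped by the values that caused them to fall outside the filter.
LET only_via_or = (
  FOR doc IN test4_edge_collection
    FILTER doc._stix2arango_note == "test4B"
      AND NOT (doc._is_latest == false
           AND doc._is_ref == true
           AND doc.created_by_ref == creator)
    COLLECT is_latest = doc._is_latest,
            is_ref = doc._is_ref,
            created_by_ref = doc.created_by_ref
      WITH COUNT INTO n
    RETURN { is_latest: is_latest, is_ref: is_ref,
             created_by_ref: created_by_ref, n: n }
)

RETURN { as_written: as_written, grouped: grouped, only_via_or: only_via_or }
```

A non-empty `only_via_or` means the count from the query as written includes documents outside the intended filter; `as_written - grouped` equals the sum of its `n` values.
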

fqrious commented 3 months ago

https://github.com/muchdogesec/stix2arango/blob/optimizations/tests/4-import-detected-because-of-stix2arango-note.md

Link shows 404

himynamesdave commented 3 months ago

@fqrious sorry, here: https://github.com/muchdogesec/stix2arango/blob/optimizations/tests/4-update-detected-because-of-stix2arango-note.md