search

muchdogesec / stix2arango

stix2arango is a command line tool that takes a group of STIX 2.1 objects in a bundle and inserts them into ArangoDB. It can also handle updates to existing objects in ArangoDB imported in a bundle.
GNU Affero General Public License v3.0
1 stars 0 forks source link

Strange behaviour for relationships on updates where stix objects remain the same, but stix2arango_note changes #9

Closed himynamesdave closed 3 weeks ago

himynamesdave commented 3 weeks ago

Test case 4

https://github.com/muchdogesec/stix2arango/blob/optimizations/tests/4-import-detected-because-of-stix2arango-note.md

The updates to objects in the vertex collection work as expected.

However for relationships errors are occurring 

RETURN LENGTH(
  FOR doc IN test4_edge_collection
    FILTER doc._is_latest == false
    AND doc._is_ref == false
    AND doc._stix2arango_note == "test4A"
    OR doc._stix2arango_note == "test4B"
      RETURN doc
)

Should return:

[
  1828
]

(old relationships x 2 = 914 x 2 = 1828)

but actually returns

[
  16860
]

It seems the objects are updated correctly e.g.

```json
[
  {
    "_stix2arango_note": "test4C",
    "_is_latest": true,
    "id": "relationship--3089bdec-3d25-5d1b-a6ac-9d152ab14e35"
  },
  {
    "_stix2arango_note": "test4B",
    "_is_latest": false,
    "id": "relationship--3089bdec-3d25-5d1b-a6ac-9d152ab14e35"
  },
  {
    "_stix2arango_note": "test4A",
    "_is_latest": false,
    "id": "relationship--3089bdec-3d25-5d1b-a6ac-9d152ab14e35"
  }
]

I am not sure where the 14000 extra objects are coming from ( 16860 - 1828)