oasis-open / cti-pattern-validator

OASIS TC Open Repository: Validate patterns used to express cyber observable content in STIX Indicators
https://stix2-patterns.readthedocs.io/
BSD 3-Clause "New" or "Revised" License

Validator doesn't seem to check whether the observable objects actually exist #38

Closed: johnwunder closed 6 years ago

johnwunder commented 6 years ago

I don't know that it should be an error, but maybe the pattern validator should throw a warning if an observable object is referenced that doesn't actually exist in the spec. E.g., the following is showing as valid:

Input:

from stix2patterns.validator import run_validator

pattern = "[domain:value = 'abc.123']"
errors = run_validator(pattern)

print(errors)

Output: []

gtback commented 6 years ago

Thanks, @johnwunder. The pattern validator currently has no knowledge of the STIX or Cyber Observable data model, and it might be best to keep it that way. I believe the cti-stix-validator would flag a warning on that pattern though.

gtback commented 6 years ago

I confirmed that cti-stix-validator will flag this (by using the pattern inspector from this library and knowing the list of observable types), so I'm going to close this issue, but feel free to re-open and discuss if you think it makes sense to have the pattern-validator do this.

cc: @johnwunder @clenk
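The check discussed in this thread (warn when a pattern references an object type that the spec does not define) can be sketched as follows. This is an added example, not code from the thread, cti-pattern-validator or cti-stix-validator: it uses a simplified regex extraction in place of the library's pattern inspector, the function names are hypothetical, and treating `x-` prefixed types as intentional custom objects is an assumption.

```python
import re

# Object types defined by the STIX 2.0/2.1 Cyber Observable specification.
STIX_OBSERVABLE_TYPES = frozenset({
    "artifact", "autonomous-system", "directory", "domain-name",
    "email-addr", "email-message", "file", "ipv4-addr", "ipv6-addr",
    "mac-addr", "mutex", "network-traffic", "process", "software",
    "url", "user-account", "windows-registry-key", "x509-certificate",
})

# Quoted literals (strings, t'...' timestamps, b'...'/h'...' data) can contain
# colons, so they are blanked out before looking for object paths.
_LITERAL = re.compile(r"'(?:\\.|[^'\\])*'")
# What is left of an object path "type:property" once literals are removed.
_OBJECT_TYPE = re.compile(r"([A-Za-z][A-Za-z0-9_-]*):")


def referenced_types(pattern):
    """Return the sorted, de-duplicated object types a pattern refers to."""
    without_literals = _LITERAL.sub("''", pattern)
    return sorted(set(_OBJECT_TYPE.findall(without_literals)))


def unknown_type_warnings(pattern, allow_custom=True):
    """Return one warning string per object type that is not in the spec list."""
    warnings = []
    for obj_type in referenced_types(pattern):
        if obj_type in STIX_OBSERVABLE_TYPES:
            continue
        if allow_custom and obj_type.startswith("x-"):
            continue  # assumption: "x-" marks a deliberate custom object
        warnings.append("unknown observable object type: '%s'" % obj_type)
    return warnings


if __name__ == "__main__":
    # Constructed sample patterns; the first is the one from the issue.
    for sample in ("[domain:value = 'abc.123']",
                   "[domain-name:value = 'abc.123']",
                   "[file:name = 'process:x'] START t'2019-01-01T00:00:00Z' "
                   "STOP t'2019-01-02T00:00:00Z'"):
        print(sample, "->", unknown_type_warnings(sample))
```

A syntactically valid pattern with a misspelled type matches no observed data, so an indicator carrying it never fires; surfacing the warning when the indicator is authored avoids that silent detection gap.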