oasis-open / cti-python-stix2

OASIS TC Open Repository: Python APIs for STIX 2
https://stix2.readthedocs.io/
BSD 3-Clause "New" or "Revised" License

Fails to parse valid TLP2.0 marking object. #569

Open shellcromancer opened 1 year ago

shellcromancer commented 1 year ago

When loading a valid TLP2.0 marking-definition object such as this, the library will error in stix2.exceptions.TLPMarkingDefinitionError. While the STIX 2.1 spec, section 7.2.1.4, doesn't explicitly allow other values, this library should likely have an option to loosely load without validating this element rather than requiring users to use the deprecated TLP markings.

{
    "type": "marking-definition",
    "spec_version": "2.1",
    "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
    "created": "2017-01-20T00:00:00.000Z",
    "definition_type": "tlp",
    "name": "TLP:CLEAR",
    "definition": {
        "tlp": "clear"
    }
}

from stix2 import MemoryStore
import requests

stix_json = requests.get('https://github.com/elastic/labs-releases/raw/main/indicators/rustbucket/stix-bundle.json').json()

src = MemoryStore(stix_data=stix_json["objects"])

$ python ingest.py
Traceback (most recent call last):
  File "/Users/foo/Code/ingest.py", line 8, in <module>
    src = MemoryStore(stix_data=stix_json["objects"])
  File "/Users/foo/Library/Python/3.9/lib/python/site-packages/stix2/datastore/memory.py", line 119, in __init__
    _add(self, stix_data, allow_custom, version)
  File "/Users/foo/Library/Python/3.9/lib/python/site-packages/stix2/datastore/memory.py", line 35, in _add
    _add(store, stix_obj, allow_custom, version)
  File "/Users/foo/Library/Python/3.9/lib/python/site-packages/stix2/datastore/memory.py", line 47, in _add
    stix_obj = parse(stix_data, allow_custom, version)
  File "/Users/foo/Library/Python/3.9/lib/python/site-packages/stix2/parsing.py", line 40, in parse
    obj = dict_to_stix2(obj, allow_custom, version)
  File "/Users/foo/Library/Python/3.9/lib/python/site-packages/stix2/parsing.py", line 99, in dict_to_stix2
    return obj_class(allow_custom=allow_custom, **stix_dict)
  File "/Users/foo/Library/Python/3.9/lib/python/site-packages/stix2/v21/common.py", line 226, in __init__
    super(MarkingDefinition, self).__init__(**kwargs)
  File "/Users/foo/Library/Python/3.9/lib/python/site-packages/stix2/base.py", line 232, in __init__
    self._check_object_constraints()
  File "/Users/foo/Library/Python/3.9/lib/python/site-packages/stix2/v21/common.py", line 242, in _check_object_constraints
    check_tlp_marking(self, '2.1')
  File "/Users/foo/Library/Python/3.9/lib/python/site-packages/stix2/markings/utils.py", line 332, in check_tlp_marking
    raise exceptions.TLPMarkingDefinitionError(marking_obj["id"], "Does not match any TLP Marking definition")
stix2.exceptions.TLPMarkingDefinitionError: Marking marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9 does not match spec marking Does not match any TLP Marking definition!

If y'all are OK with loosening validation for new TLP versions in this library, I'd be happy to send a PR with the fixes.

chisholm commented 1 year ago

The old definition/definition_type marking structure is deprecated anyway. The new way to define markings is via extensions. I believe definitions for those markings have been added to the common object repository. Looks like the "clear" marking is here. The TLP 2.0 extension definition is here.
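
A pre-ingest check for the failure reported in this issue, as an added example that is not part of the thread or of the stix2 project: it uses only plain dictionaries (no stix2 calls) to hold back legacy-structure TLP markings whose value is outside the four STIX 2.1 predefines, and lists the objects that reference them so their handling restriction is not lost unnoticed. The function names `is_unknown_tlp` and `triage_tlp` and the sample indicator are hypothetical.

```python
# Added example: standard library only, does not import or call stix2.
# TLP values that STIX 2.1 predefines for the legacy definition/definition_type structure.
STIX21_TLP = {"white", "green", "amber", "red"}


def is_unknown_tlp(obj):
    """True for a legacy-structure TLP marking whose value STIX 2.1 does not predefine."""
    if obj.get("type") != "marking-definition" or obj.get("definition_type") != "tlp":
        return False
    return (obj.get("definition") or {}).get("tlp") not in STIX21_TLP


def triage_tlp(objects):
    """Return (loadable, held, affected_ids).

    held: markings like the TLP:CLEAR object in the report.
    affected_ids: objects that point at a held marking through
    object_marking_refs or granular_markings, for analyst review.
    """
    held = [o for o in objects if is_unknown_tlp(o)]
    held_ids = {o.get("id") for o in held}
    loadable, affected = [], []
    for obj in objects:
        if is_unknown_tlp(obj):
            continue
        refs = set(obj.get("object_marking_refs", []))
        refs.update(g.get("marking_ref") for g in obj.get("granular_markings", []))
        if refs & held_ids:
            affected.append(obj.get("id"))
        loadable.append(obj)
    return loadable, held, affected


# Constructed sample: the marking from the report plus a made-up indicator stub.
SAMPLE = [
    {"type": "marking-definition", "spec_version": "2.1",
     "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
     "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp",
     "name": "TLP:CLEAR", "definition": {"tlp": "clear"}},
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--00000000-0000-4000-8000-000000000001",
     "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"]},
]

if __name__ == "__main__":
    ok, held, touched = triage_tlp(SAMPLE)
    print(len(ok), [m["name"] for m in held], touched)
```

The held markings and affected IDs are meant to be logged or reviewed before the remaining objects are handed to the store, so a sharing restriction is never dropped without a record.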