oasis-open / cti-stix-elevator

OASIS Cyber Threat Intelligence (CTI) TC Open Repository: Convert STIX 1.2 XML to STIX 2.x JSON
https://stix2-elevator.readthedocs.io/en/latest/
BSD 3-Clause "New" or "Revised" License
49 stars 23 forks source link

MAEC Module Missing/Error #248

Closed jonkaz closed 3 years ago

jonkaz commented 3 years ago

When converting a MIFR report publicly posted on CISA.gov, I receive a stack trace and notifications that the maec module is missing.

(venv) root@ubuntu:/home/user/Documents/aistest# stix2_elevator --log-level CRITICAL --markings-allowed "ISAMarkingsAssertion,ISAMarkings" --message-log-directory logs/ MIFR-10077745-1.v2.stix.xml > MIFR-10077745-1.v2.stix.json [stixmarx.utils] [WARNING] [2021-02-22 05:49:04,205] No module named 'maec' Traceback (most recent call last): File "/opt/venv/bin/stix2_elevator", line 33, in sys.exit(load_entry_point('stix2-elevator==3.0.1', 'console_scripts', 'stix2_elevator')()) File "/opt/venv/lib/python3.9/site-packages/stix2_elevator-3.0.1-py3.9.egg/stix2elevator/cli.py", line 194, in main result = elevate(elevatorargs.file) File "/opt/venv/lib/python3.9/site-packages/stix2_elevator-3.0.1-py3.9.egg/stix2elevator/init.py", line 101, in elevate container = stixmarx.parse(stix_package) File "/opt/venv/lib/python3.9/site-packages/stixmarx-1.0.8-py3.9.egg/stixmarx/init.py", line 26, in parse stix_package = parser.parse_xml(xml_input, encoding) File "/opt/venv/lib/python3.9/site-packages/stixmarx-1.0.8-py3.9.egg/stixmarx/parser.py", line 295, in parse_xml return parser.parse() File "/opt/venv/lib/python3.9/site-packages/stixmarx-1.0.8-py3.9.egg/stixmarx/parser.py", line 281, in parse package = STIXPackage.from_xml( File "/opt/venv/lib/python3.9/site-packages/stix-1.2.0.11-py3.9.egg/stix/core/stix_package.py", line 249, in from_xml return entity_parser.parse_xml(xml_file, encoding=encoding) File "/opt/venv/lib/python3.9/site-packages/mixbox-1.0.5-py3.9.egg/mixbox/parser.py", line 180, in parse_xml entity_obj = self.parse_xml_to_obj( File "/opt/venv/lib/python3.9/site-packages/mixbox-1.0.5-py3.9.egg/mixbox/parser.py", line 152, in parse_xml_to_obj entity_obj.build(root) File "/opt/venv/lib/python3.9/site-packages/stix-1.2.0.11-py3.9.egg/stix/bindings/stixcore.py", line 171, in build self.buildChildren(child, node, nodeName) File "/opt/venv/lib/python3.9/site-packages/stix-1.2.0.11-py3.9.egg/stix/bindings/stixcore.py", line 207, in buildChildren obj.build(child_) File "/opt/venv/lib/python3.9/site-packages/stix-1.2.0.11-py3.9.egg/stix/bindings/stixcore.py", line 646, in build self.buildChildren(child, node, nodeName) File "/opt/venv/lib/python3.9/site-packages/stix-1.2.0.11-py3.9.egg/stix/bindings/stixcore.py", line 653, in buildChildren obj.build(child) File "/opt/venv/lib/python3.9/site-packages/stix-1.2.0.11-py3.9.egg/stix/bindings/ttp.py", line 1425, in build self.buildChildren(child, node, nodeName) File "/opt/venv/lib/python3.9/site-packages/stix-1.2.0.11-py3.9.egg/stix/bindings/ttp.py", line 1451, in buildChildren obj.build(child) File "/opt/venv/lib/python3.9/site-packages/stix-1.2.0.11-py3.9.egg/stix/bindings/ttp.py", line 1062, in build self.buildChildren(child, node, nodeName) File "/opt/venv/lib/python3.9/site-packages/stix-1.2.0.11-py3.9.egg/stix/bindings/ttp.py", line 1072, in buildChildren obj.build(child) File "/opt/venv/lib/python3.9/site-packages/stix-1.2.0.11-py3.9.egg/stix/bindings/ttp.py", line 773, in build self.buildChildren(child, node, nodeName) File "/opt/venv/lib/python3.9/site-packages/stix-1.2.0.11-py3.9.egg/stix/bindings/ttp.py", line 780, in buildChildren obj.build(child) File "/opt/venv/lib/python3.9/site-packages/stix-1.2.0.11-py3.9.egg/stix/bindings/extensions/malware/maec_41.py", line 94, in build self.buildChildren(child, node, nodeName) File "/opt/venv/lib/python3.9/site-packages/stix-1.2.0.11-py3.9.egg/stix/bindings/extensions/malware/maec_4_1.py", line 100, in buildChildren from maec.bindings.maec_package import PackageType ModuleNotFoundError: No module named 'maec' (venv) root@ubuntu:/home/kaz/Documents/aistest# cat MIFR-10077745-1.v2.stix.json Results produced by the stix2-elevator are not for production purposes. (venv) root@ubuntu:/home/user/Documents/aistest#

emmanvg commented 3 years ago

Hi @jonkaz, the reason you are observing this behavior on your deployment is because the maec package is an optional dependency for stix and its only required when parsing STIX that contains MAEC. I will incorporate a change in the elevator to make it required.

To immediately resolve your issue you can run: pip install maec in your environment. Hope this helps!

emmanvg commented 3 years ago

Also, you might need to check your stix installation. The MIFR referenced in this issue is expressed in STIX 1.1.1, but you are using stix 1.2.0.11 based on the traceback - this version is meant for STIX 1.2.0 content. If you want to install the correct version for the content use pip install stix<1.2.0.0