oasis-open / cti-stix-visualization

OASIS TC Open Repository: Lightweight visualization for STIX 2.0 objects and relationships
http://oasis-open.github.io/cti-stix-visualization
BSD 3-Clause "New" or "Revised" License

Should email attachments contained in body_multipart be a source of a relationship? #49

Closed dwjohnston closed 2 years ago

dwjohnston commented 2 years ago

For posterity, my code is slightly behind, but I believe this is still an issue with current master. I'm working from this commit.

Example bundle:

[

  {
    id: 'email-addr--ea515a5f-8051-5558-a48c-1828f5dcbf8a',
    spec_version: '2.1',
    type: 'email-addr',
    value: 'example@example.com'
  },
  {
    hashes: {
      MD5: 'e04eec8e96075042cc1b5a9fb6c0df6e',
      'SHA-1': '6021bd62a5d8658e33bc7c26af7f4979963da43e',
      'SHA-256':
        'abd1b33de3e39ae651bbd4bdc6300ba4005029b369c6c9eb67e8bb1392faa8b3'
    },
    id: 'artifact--55fe7d9e-225c-5d4c-a108-8ea587d14b3c',   // <-- The attachment
    mime_type: 'application/pdf',
    spec_version: '2.1',
    type: 'artifact',
    payload_bin:
      'BASE64SHORTPAYLOAD1111111111111111111112111111==',
  },

  {
    body_multipart: [

      {
        body_raw_ref: 'artifact--55fe7d9e-225c-5d4c-a108-8ea587d14b3c', // Should link here
        content_disposition: 'attachment',
        content_type: 'application/pdf'
      },

    ],
    date: '2018-08-21T09:14:39-07:00',
    from_ref: 'email-addr--ea515a5f-8051-5558-a48c-1828f5dcbf8a',
    id: 'email-message--184d0768-b86b-5c94-97eb-00af08aca2de',
    is_multipart: true,
    spec_version: '2.1',
    subject: '0day Research',
    to_refs: ['email-addr--c8c6d744-13ad-59d8-adbd-596c8bed4f6d'],
    type: 'email-message'
  },

  {
    id: 'email-addr--c8c6d744-13ad-59d8-adbd-596c8bed4f6d',
    spec_version: '2.1',
    type: 'email-addr',
    value: 'foo@bar.com'
  }
]

That is, I have an artifact (an email attachment) that I want to show the source of (the email).

What I currently get is an orphaned artifact node in the visualisation:

[Image: Screen Shot 2022-03-28 at 7 07 37 pm]

Whereas I want the relationship to show as an edge:

[Image: Screen Shot 2022-03-28 at 7 07 54 pm]

I've already got this working, so happy to create a PR, just want to know if this is desirable behaviour.

(As an aside, it would also be nice to make the distance for attachment relationships shorter than regular relationships.)

clenk commented 2 years ago

Yes, that would be desirable behavior - I would love to see a PR!

I also like the idea of making embedded relationships (*_ref/s) use shorter arrows. However, we're currently investigating some other changes to how graphs are displayed. Once those changes are implemented we can revisit this idea. Otherwise we might have to redo it.

ejratl commented 2 years ago

For the purposes of testing the associated PR, I adapted the example above as in the attached email-test-bundle-49.json (txt for GitHub). It tests out correctly. email-test-bundle-49.json.txt

ejratl commented 2 years ago

This issue was fixed via PR #52
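
An added example, not part of the thread and not the code from PR #52: one way to derive the edges discussed in this issue, generalized to any `*_ref`/`*_refs` property at any nesting depth rather than only `body_multipart[].body_raw_ref`. The names `embeddedEdges` and `orphans` and the `dangling` flag are assumptions made for illustration; the sample is trimmed from the bundle in the issue.

```javascript
// Added example, not code from cti-stix-visualization or its PR #52.
// Collects embedded-reference edges from STIX objects, descending into
// nested structures such as email-message.body_multipart[].body_raw_ref.
function embeddedEdges(objects) {
  const ids = new Set(objects.map((o) => o.id));
  const edges = [];
  // Recursively visit every property; `path` records where the ref was found.
  function walk(sourceId, value, path) {
    if (Array.isArray(value)) {
      value.forEach((item, i) => walk(sourceId, item, `${path}[${i}]`));
    } else if (value !== null && typeof value === 'object') {
      for (const [key, child] of Object.entries(value)) {
        const childPath = path ? `${path}.${key}` : key;
        const targets = key.endsWith('_ref') ? [child]
          : key.endsWith('_refs') && Array.isArray(child) ? child
          : null;
        if (targets === null) {
          walk(sourceId, child, childPath);
          continue;
        }
        for (const target of targets) {
          if (typeof target !== 'string') continue;
          // dangling: the referenced object is not present in the bundle
          edges.push({ source: sourceId, target, label: childPath,
                       dangling: !ids.has(target) });
        }
      }
    }
  }
  for (const obj of objects) walk(obj.id, obj, '');
  return edges;
}

// Objects with no edge in either direction would render as orphan nodes.
function orphans(objects, edges) {
  const linked = new Set(edges.flatMap((e) => [e.source, e.target]));
  return objects.filter((o) => !linked.has(o.id)).map((o) => o.id);
}

// Constructed sample: payload omitted, to_refs target left out to show `dangling`.
const sample = [
  { type: 'email-addr', id: 'email-addr--ea515a5f-8051-5558-a48c-1828f5dcbf8a' },
  { type: 'artifact', id: 'artifact--55fe7d9e-225c-5d4c-a108-8ea587d14b3c' },
  { type: 'email-message', id: 'email-message--184d0768-b86b-5c94-97eb-00af08aca2de',
    from_ref: 'email-addr--ea515a5f-8051-5558-a48c-1828f5dcbf8a',
    to_refs: ['email-addr--c8c6d744-13ad-59d8-adbd-596c8bed4f6d'],
    body_multipart: [{ content_type: 'application/pdf',
      body_raw_ref: 'artifact--55fe7d9e-225c-5d4c-a108-8ea587d14b3c' }] },
];
```

Filtering the result to top-level labels only (no `.` or `[` in `label`) reproduces the orphaned artifact node described in the issue.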