search

oasis-tcs / cti-stix2

OASIS CTI TC: Provides issue tracking and wiki pages for the STIX 2.x Work Products
https://github.com/oasis-tcs/cti-stix2
Other
22 stars 9 forks source link

Is the resolved-to SRO for ipv4, ipv6 and domain name objects redundant? #297

Open rpiazza opened 1 year ago

rpiazza commented 1 year ago

From: Brett Forbes brett@cloudaccelerator.co:

I have found a small error on the Stix 2.1 specification page, which caught me out.

Basically the "resolves-to" SRO is described on the ipv4, ipv6 and domain name objects, but is not included in Appendix B, the relationship summary table. This actually caught me out because i built the schema based on Appendix B and one of my tests discovered this error (i.e. i couldn't import the relationship).

I also note that generally this relationship is redundant, and hence bad form, since its values are already carried in the "resolves_to_ref" field. We already materialise these embedded id's as actual relations, so now i need two different relations:

  1. A "resolves" relation to match the embedded id's, with roles "from" and "to"
  2. A "resolves-to" SRO, with roles "resolves-from" and "resolves-to"

There seems to be some unecessary reedundancy here leading users to be unsure which one to mark.

priamai commented 1 year ago

Totally agree, btw this is the example it's in the docs:

from stix2 import MACAddress

mac_addr_a = MACAddress(value="a1:b2:c3:d4:e5:f6")
mac_addr_b = MACAddress(value="a7:b8:c9:d0:e1:f2")

ip4_valid_refs = IPv4Address(
    value="177.60.40.7",
    resolves_to_refs=[mac_addr_a.id, mac_addr_b.id]
)

print(ip4_valid_refs.serialize(pretty=True))
ejratl commented 1 year ago

Related to #281

SYNchroACK commented 3 months ago

Related to #320