opencybersecurityalliance / stix-shifter

This project consists of an open source library allowing software to connect to data repositories using STIX Patterning, and return results as STIX Observations.
https://stix-shifter.readthedocs.io

Some modules produce an "id" property in their to_stix_mapping, but it's a reserved property #783

Closed pcoccoli closed 2 years ago

pcoccoli commented 2 years ago

Describe the bug

In 2.1, every SCO has an id property (just like SDOs), so you can't map a native field to <sco_type>.id.

To Reproduce

In the source tree, run a command like find stix_shifter_modules/ -name "*to_stix_map.json" -exec grep -Hne '\.id"' {} \;

Output should be tested with stix2_validator (https://github.com/oasis-open/cti-stix-validator)

Expected behavior

If these native IDs need to be mapped, the modules should either use (deprecated) custom properties (see https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_p2sz1mp7z524) or extension definitions (https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_32j232tfvtly)

Screenshots

$ find stix_shifter_modules/ -name "*to_stix_map.json" -exec grep -Hne '\.id"' {} \;
stix_shifter_modules/async_dummy/stix_translation/json/to_stix_map.json:111:        "key": "process.id"
stix_shifter_modules/elastic_ecs/stix_translation/json/stix_2_1/to_stix_map.json:635:      "key": "x-oca-event.id",
stix_shifter_modules/elastic_ecs/stix_translation/json/stix_2_1/to_stix_map.json:1039:        "key": "x-ecs-user.id",
stix_shifter_modules/elastic_ecs/stix_translation/json/stix_2_1/to_stix_map.json:1127:      "key": "x-ecs-container.id",
stix_shifter_modules/elastic_ecs/stix_translation/json/stix_2_1/to_stix_map.json:1328:      "key": "x-ecs-error.id",
stix_shifter_modules/elastic_ecs/stix_translation/json/stix_2_1/to_stix_map.json:1501:      "key": "x-ecs-group.id",
stix_shifter_modules/elastic_ecs/stix_translation/json/stix_2_1/to_stix_map.json:1530:      "key": "x-oca-asset.id",
stix_shifter_modules/elastic_ecs/stix_translation/json/stix_2_1/to_stix_map.json:1928:      "key": "x-ecs-organization.id",
stix_shifter_modules/elastic_ecs/stix_translation/json/stix_2_1/to_stix_map.json:2021:      "key": "x-ecs-rule.id",
stix_shifter_modules/elastic_ecs/stix_translation/json/stix_2_1/to_stix_map.json:2051:      "key": "x-ecs-service.id",
stix_shifter_modules/elastic_ecs/stix_translation/json/stix_2_1/to_stix_map.json:2239:      "key": "x-ecs-trace.id",
stix_shifter_modules/elastic_ecs/stix_translation/json/stix_2_1/to_stix_map.json:2245:      "key": "x-ecs-transaction.id",
stix_shifter_modules/elastic_ecs/stix_translation/json/stix_2_1/to_stix_map.json:2287:      "key": "x-ecs-vulnerability.id",
stix_shifter_modules/elastic_ecs/stix_translation/json/to_stix_map.json:635:      "key": "x-oca-event.id",
stix_shifter_modules/elastic_ecs/stix_translation/json/to_stix_map.json:1067:        "key": "x-ecs-user.id",
stix_shifter_modules/elastic_ecs/stix_translation/json/to_stix_map.json:1155:      "key": "x-ecs-container.id",
stix_shifter_modules/elastic_ecs/stix_translation/json/to_stix_map.json:1356:      "key": "x-ecs-error.id",
stix_shifter_modules/elastic_ecs/stix_translation/json/to_stix_map.json:1529:      "key": "x-ecs-group.id",
stix_shifter_modules/elastic_ecs/stix_translation/json/to_stix_map.json:1558:      "key": "x-oca-asset.id",
stix_shifter_modules/elastic_ecs/stix_translation/json/to_stix_map.json:1956:      "key": "x-ecs-organization.id",
stix_shifter_modules/elastic_ecs/stix_translation/json/to_stix_map.json:2049:      "key": "x-ecs-rule.id",
stix_shifter_modules/elastic_ecs/stix_translation/json/to_stix_map.json:2079:      "key": "x-ecs-service.id",
stix_shifter_modules/elastic_ecs/stix_translation/json/to_stix_map.json:2267:      "key": "x-ecs-trace.id",
stix_shifter_modules/elastic_ecs/stix_translation/json/to_stix_map.json:2273:      "key": "x-ecs-transaction.id",
stix_shifter_modules/elastic_ecs/stix_translation/json/to_stix_map.json:2315:      "key": "x-ecs-vulnerability.id",
stix_shifter_modules/guardium/stix_translation/json/to_stix_map.json:207:        "key": "process.id"
stix_shifter_modules/security_advisor/stix_translation/json/to_stix_map.json:50:    "key": "x-security-advisor-finding.id",
stix_shifter_modules/synchronous_dummy/stix_translation/json/to_stix_map.json:111:        "key": "process.id"
stix_shifter_modules/infoblox/stix_translation/json/to_stix_map.json:272:                "key": "x-infoblox-threat.id",

Desktop (please complete the following information): N/A

Smartphone (please complete the following information): N/A

Additional context N/A
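The check described in this issue, written as a structural walk of the mapping JSON instead of a text grep. This is an added example, not part of the original issue or of the stix-shifter code base. The function name, the sample map and the property name x_native_id are hypothetical, and the code assumes a mapping entry is any JSON object whose "key" value is a string.

```python
import json
import sys

RESERVED = "id"  # the property every STIX 2.1 SCO already carries


def find_reserved_id_keys(node, path="$"):
    """Yield (json_path, key) for each mapping that targets <sco_type>.id."""
    if isinstance(node, dict):
        key = node.get("key")
        if isinstance(key, str):
            sco_type, _, prop = key.partition(".")
            # Only the top-level property collides with the reserved id;
            # a nested path such as <type>.x_trace.id is left alone.
            if sco_type and prop == RESERVED:
                yield path, key
        for name, child in node.items():
            yield from find_reserved_id_keys(child, f"{path}.{name}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from find_reserved_id_keys(child, f"{path}[{i}]")


# Constructed sample in the general shape of a to_stix_map.json file.
SAMPLE_MAP = json.loads("""
{
  "pid": {"key": "process.pid", "object": "process"},
  "process_id": [
    {"key": "process.id", "object": "process"},
    {"key": "process.x_native_id", "object": "process"}
  ],
  "event": {
    "id": {"key": "x-oca-event.id", "object": "event"},
    "code": {"key": "x-oca-event.code", "object": "event"}
  },
  "id": {"key": "x-oca-event.x_trace.id", "object": "event"}
}
""")

if __name__ == "__main__":
    # With no arguments, check the constructed sample; otherwise check files.
    sources = sys.argv[1:] or [None]
    for src in sources:
        data = SAMPLE_MAP if src is None else json.load(open(src, encoding="utf-8"))
        for json_path, key in find_reserved_id_keys(data):
            print(f"{src or '<sample>'}: {json_path} maps to reserved {key}")
```

Unlike the grep, this reports the JSON path of each offending entry and ignores keys where id appears below the top level of the object.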

delliott90 commented 2 years ago

Resolved via https://github.com/opencybersecurityalliance/stix-shifter/pull/819