
Comments (7)

gtback commented on June 12, 2024

Thanks, @rpatterson!

cti-stix-validator defers to cti-pattern-validator to validate the patterns, so it would probably be best to fix this in the pattern validator. Both cti-pattern-matcher and cti-pattern-validator use the same ANTLR grammar, but it's possible the pattern matcher does more restrictive checks when actually matching the patterns than the validator does when validating them; if so, that should be fixed.

Do you have some example data that demonstrates this?

cc: @clenk @chisholm

from cti-stix-validator.

chisholm commented on June 12, 2024

I may misunderstand, but the validator merely validates patterns. It doesn't do anything with observed data. So that phrase "that same observed data doesn't show up as a validation error" doesn't really make sense. I don't think the validator is intended to "pre-check" observed data against a pattern to determine whether an attempted pattern match would cause an error.

But if I am misunderstanding, a concrete example would help!


rpatterson commented on June 12, 2024

The issue I'm describing isn't that the pattern is invalid, but that the observed data is invalid. I only mention running the pattern matcher to demonstrate that the values I'm talking about are invalid. So I'll start over and try to state it more simply.

If a STIX observed data's objects property contains an artifact object with a payload_bin property, its contents should be base64 encoded and so such an observed data artifact should fail validation if the value is not base64 encoded. Currently such values do not fail validation. For example...

{
  "type": "artifact", 
  "mime_type": "application/octet-stream",
  "payload_bin": "I am not base64 encoded"
}

...should fail validation but currently it succeeds.

I stated it more broadly above because cti-pattern-matcher decodes all properties whose names end with _bin or _hex. So on that count it seems like either cti-pattern-matcher should be more explicit in which properties it decodes, or this validator should be more broad in which properties it requires to be encoded.


gtback commented on June 12, 2024

Oh, I misread the original comment. I assumed it was the pattern with unencoded data that was causing an error, not the observed-data. Sorry.


gtback commented on June 12, 2024

@rpatterson: your comment above was seconds before my comment where I realized my mistake (so now I feel extra bad about it!). It does make sense for the cti-stix-validator to check that the value of any property ending in _bin is valid Base64 data. I think @clenk is already working on fixing this (despite me sending everyone down the wrong trail with my first comment).


clenk commented on June 12, 2024

The JSON schemas used by the STIX validator were not correctly checking for Base64 encoded strings, but I have submitted a fix. Thank you for finding the bug!


gtback commented on June 12, 2024

Thanks, @clenk. I'm going to leave this open until we incorporate the schema changes into the validator.

