import json
import pytest
import stix2
from ...exceptions import InvalidValueError
from .constants import IDENTITY_ID
EXPECTED_BUNDLE = """{
|
|
|
|
"type": "bundle",
|
2018-07-11 15:43:37 +02:00
|
|
|
"id": "bundle--00000000-0000-4000-8000-000000000007",
|
2018-07-03 13:00:18 +02:00
|
|
|
"objects": [
|
|
|
|
{
|
|
|
|
"type": "indicator",
|
|
|
|
"spec_version": "2.1",
|
2018-07-11 15:43:37 +02:00
|
|
|
"id": "indicator--00000000-0000-4000-8000-000000000001",
|
2018-07-03 13:00:18 +02:00
|
|
|
"created": "2017-01-01T12:34:56.000Z",
|
|
|
|
"modified": "2017-01-01T12:34:56.000Z",
|
2018-07-12 20:33:00 +02:00
|
|
|
"indicator_types": [
|
2018-07-03 13:00:18 +02:00
|
|
|
"malicious-activity"
|
2018-07-12 20:33:00 +02:00
|
|
|
],
|
|
|
|
"pattern": "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']",
|
2019-07-16 22:10:25 +02:00
|
|
|
"pattern_type": "stix",
|
2018-07-12 20:33:00 +02:00
|
|
|
"valid_from": "2017-01-01T12:34:56Z"
|
2018-07-03 13:00:18 +02:00
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "malware",
|
|
|
|
"spec_version": "2.1",
|
2018-07-11 15:43:37 +02:00
|
|
|
"id": "malware--00000000-0000-4000-8000-000000000003",
|
2018-07-03 13:00:18 +02:00
|
|
|
"created": "2017-01-01T12:34:56.000Z",
|
|
|
|
"modified": "2017-01-01T12:34:56.000Z",
|
|
|
|
"name": "Cryptolocker",
|
2018-07-12 20:33:00 +02:00
|
|
|
"malware_types": [
|
2018-07-03 13:00:18 +02:00
|
|
|
"ransomware"
|
2019-07-01 21:26:30 +02:00
|
|
|
],
|
2019-07-02 19:17:43 +02:00
|
|
|
"is_family": false
|
2018-07-03 13:00:18 +02:00
|
|
|
},
|
|
|
|
{
|
|
|
|
"type": "relationship",
|
|
|
|
"spec_version": "2.1",
|
2018-07-11 15:43:37 +02:00
|
|
|
"id": "relationship--00000000-0000-4000-8000-000000000005",
|
2018-07-03 13:00:18 +02:00
|
|
|
"created": "2017-01-01T12:34:56.000Z",
|
|
|
|
"modified": "2017-01-01T12:34:56.000Z",
|
|
|
|
"relationship_type": "indicates",
|
2018-07-11 15:43:37 +02:00
|
|
|
"source_ref": "indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7",
|
|
|
|
"target_ref": "malware--9c4638ec-f1de-4ddb-abf4-1b760417654e"
|
2018-07-03 13:00:18 +02:00
|
|
|
}
|
|
|
|
]
|
|
|
|
}"""
# Dict form of EXPECTED_BUNDLE. test_create_bundle2 compares it against
# json.loads(bundle.serialize()), so key order here does not matter (only values do);
# note "is_family" is a Python bool while the JSON text above uses a JSON literal.
EXPECTED_BUNDLE_DICT = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000007",
    "objects": [
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000001",
            "created": "2017-01-01T12:34:56.000Z",
            "modified": "2017-01-01T12:34:56.000Z",
            "pattern": "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']",
            "pattern_type": "stix",
            "valid_from": "2017-01-01T12:34:56Z",
            "indicator_types": [
                "malicious-activity",
            ],
        },
        {
            "type": "malware",
            "spec_version": "2.1",
            "id": "malware--00000000-0000-4000-8000-000000000003",
            "created": "2017-01-01T12:34:56.000Z",
            "modified": "2017-01-01T12:34:56.000Z",
            "name": "Cryptolocker",
            "malware_types": [
                "ransomware",
            ],
            "is_family": False,
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--00000000-0000-4000-8000-000000000005",
            "created": "2017-01-01T12:34:56.000Z",
            "modified": "2017-01-01T12:34:56.000Z",
            "relationship_type": "indicates",
            "source_ref": "indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7",
            "target_ref": "malware--9c4638ec-f1de-4ddb-abf4-1b760417654e",
        },
    ],
}
def test_empty_bundle():
    """A Bundle built with no arguments gets a fixed type and a generated id."""
    empty = stix2.v21.Bundle()

    assert empty.type == "bundle"
    assert empty.id.startswith("bundle--")
    # 'objects' was never supplied, so reading it raises instead of yielding [].
    with pytest.raises(AttributeError):
        assert empty.objects
def test_bundle_with_wrong_type():
    """Overriding the fixed 'type' property is rejected with a fully-populated InvalidValueError."""
    with pytest.raises(stix2.exceptions.InvalidValueError) as raised:
        stix2.v21.Bundle(type="not-a-bundle")

    err = raised.value
    assert err.cls == stix2.v21.Bundle
    assert err.prop_name == "type"
    assert err.reason == "must equal 'bundle'."
    # The message is built from the class name, property and reason.
    assert str(err) == "Invalid value for Bundle 'type': must equal 'bundle'."
def test_bundle_id_must_start_with_bundle():
    """An explicit id whose prefix is not 'bundle--' is rejected with InvalidValueError."""
    with pytest.raises(stix2.exceptions.InvalidValueError) as raised:
        stix2.v21.Bundle(id='my-prefix--')

    err = raised.value
    assert err.cls == stix2.v21.Bundle
    assert err.prop_name == "id"
    assert err.reason == "must start with 'bundle--'."
    assert str(err) == "Invalid value for Bundle 'id': must start with 'bundle--'."
def test_create_bundle1(indicator, malware, relationship):
    """Objects passed via the 'objects' keyword serialize to the expected pretty JSON."""
    built = stix2.v21.Bundle(objects=[indicator, malware, relationship])

    # str() and serialize(pretty=True) must both match the fixture text exactly.
    pretty = built.serialize(pretty=True)
    assert str(built) == EXPECTED_BUNDLE
    assert pretty == EXPECTED_BUNDLE
def test_create_bundle2(indicator, malware, relationship):
    """Compact serialization round-trips through json.loads to the expected dict."""
    built = stix2.v21.Bundle(objects=[indicator, malware, relationship])

    # Comparing parsed JSON keeps this test independent of key order and whitespace.
    as_dict = json.loads(built.serialize())
    assert as_dict == EXPECTED_BUNDLE_DICT
def test_create_bundle_with_positional_args(indicator, malware, relationship):
    """Bare positional objects are collected into 'objects' in the order given."""
    built = stix2.v21.Bundle(indicator, malware, relationship)

    assert str(built) == EXPECTED_BUNDLE
def test_create_bundle_with_positional_listarg(indicator, malware, relationship):
    """A single positional list is treated as the 'objects' sequence."""
    members = [indicator, malware, relationship]
    built = stix2.v21.Bundle(members)

    assert str(built) == EXPECTED_BUNDLE
def test_create_bundle_with_listarg_and_positional_arg(indicator, malware, relationship):
    """A positional list followed by a bare object is flattened in order."""
    leading = [indicator, malware]
    built = stix2.v21.Bundle(leading, relationship)

    assert str(built) == EXPECTED_BUNDLE
def test_create_bundle_with_listarg_and_kwarg(indicator, malware, relationship):
    """Positional list members come before those given via the 'objects' keyword."""
    leading = [indicator, malware]
    built = stix2.v21.Bundle(leading, objects=[relationship])

    assert str(built) == EXPECTED_BUNDLE
def test_create_bundle_with_arg_listarg_and_kwarg(indicator, malware, relationship):
    """Mixing a positional list, a bare positional and the keyword keeps the given order."""
    built = stix2.v21.Bundle([indicator], malware, objects=[relationship])

    assert str(built) == EXPECTED_BUNDLE
def test_create_bundle_invalid(indicator, malware, relationship):
    """Each kind of bad 'objects' entry is rejected with a specific InvalidValueError reason.

    The fixtures are part of the signature but unused: every case here fails before
    any valid object would matter.
    """
    cases = [
        # a non-dict, non-object entry
        ([1], "This property may only contain a dictionary or object"),
        # an empty dict
        ([{}], "This property may only contain a non-empty dictionary or object"),
        # a nested bundle
        ([{'type': 'bundle'}], 'This property may not contain a Bundle object'),
    ]
    for bad_objects, expected_reason in cases:
        with pytest.raises(InvalidValueError) as raised:
            stix2.v21.Bundle(objects=bad_objects)
        assert raised.value.reason == expected_reason
@pytest.mark.parametrize("version", ["2.1"])
def test_parse_bundle(version):
    """parse() turns the fixture JSON into a Bundle whose members are typed objects, in order."""
    parsed = stix2.parse(EXPECTED_BUNDLE, version=version)

    assert parsed.type == "bundle"
    assert parsed.id.startswith("bundle--")
    # Members are real object instances, not left as plain dicts.
    assert isinstance(parsed.objects[0], stix2.v21.Indicator)
    first_three = [member.type for member in parsed.objects[:3]]
    assert first_three == ['indicator', 'malware', 'relationship']
def test_parse_unknown_type():
    """An object whose 'type' is not registered cannot be parsed and raises ParseError."""
    # Shaped like a campaign but with an unregistered type so the registry lookup fails.
    unregistered = {
        "type": "other",
        "spec_version": "2.1",
        "id": "other--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
        "created": "2016-04-06T20:03:00Z",
        "modified": "2016-04-06T20:03:00Z",
        "created_by_ref": IDENTITY_ID,
        "description": "Campaign by Green Group against a series of targets in the financial services sector.",
        "name": "Green Group Attacks Against Finance",
    }

    with pytest.raises(stix2.exceptions.ParseError) as raised:
        stix2.parse(unregistered, version="2.1")

    expected_msg = "Can't parse unknown object type 'other'! For custom types, use the CustomObject decorator."
    assert str(raised.value) == expected_msg
def test_stix_object_property():
    """clean() on STIXObjectProperty passes an already-constructed object through unchanged."""
    obj_prop = stix2.properties.STIXObjectProperty(spec_version='2.1')

    ident = stix2.v21.Identity(name="test", identity_class="individual")
    # Identity (not equality): no copy or re-parse should happen for a real object.
    assert obj_prop.clean(ident) is ident
def test_bundle_obj_id_found():
    """get_obj() returns a one-element list when exactly one member carries the id."""
    parsed = stix2.parse(EXPECTED_BUNDLE)

    matches = parsed.get_obj("malware--00000000-0000-4000-8000-000000000003")
    assert len(matches) == 1
    # The malware object is the second member of the fixture bundle.
    assert parsed.objects[1] == matches[0]
@pytest.mark.parametrize(
    "bundle_data", [{
        "type": "bundle",
        "id": "bundle--00000000-0000-4000-8000-000000000007",
        "objects": [
            {
                "type": "indicator",
                "spec_version": "2.1",
                "id": "indicator--00000000-0000-4000-8000-000000000001",
                "created": "2017-01-01T12:34:56.000Z",
                "modified": "2017-01-01T12:34:56.000Z",
                "indicator_types": [
                    "malicious-activity",
                ],
                "pattern": "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']",
                "pattern_type": "stix",
                "valid_from": "2017-01-01T12:34:56Z",
            },
            # Two malware objects share one id and differ only in 'modified' and 'name':
            # the bundle holds two versions of the same object.
            {
                "type": "malware",
                "spec_version": "2.1",
                "id": "malware--00000000-0000-4000-8000-000000000003",
                "created": "2017-01-01T12:34:56.000Z",
                "modified": "2017-01-01T12:34:56.000Z",
                "name": "Cryptolocker1",
                "malware_types": [
                    "ransomware",
                ],
                "is_family": False,
            },
            {
                "type": "malware",
                "spec_version": "2.1",
                "id": "malware--00000000-0000-4000-8000-000000000003",
                "created": "2017-01-01T12:34:56.000Z",
                "modified": "2017-12-21T12:34:56.000Z",
                "name": "CryptolockerOne",
                "malware_types": [
                    "ransomware",
                ],
                "is_family": False,
            },
            {
                "type": "relationship",
                "spec_version": "2.1",
                "id": "relationship--00000000-0000-4000-8000-000000000005",
                "created": "2017-01-01T12:34:56.000Z",
                "modified": "2017-01-01T12:34:56.000Z",
                "relationship_type": "indicates",
                "source_ref": "indicator--a740531e-63ff-4e49-a9e1-a0a3eed0e3e7",
                "target_ref": "malware--9c4638ec-f1de-4ddb-abf4-1b760417654e",
            },
        ],
    }],
)
def test_bundle_objs_ids_found(bundle_data):
    """get_obj() returns every member carrying the id, in bundle order, not just the first."""
    parsed = stix2.parse(bundle_data)

    matches = parsed.get_obj("malware--00000000-0000-4000-8000-000000000003")
    assert len(matches) == 2
    # Members 1 and 2 are the two malware versions; order of the result follows the bundle.
    assert parsed.objects[1] == matches[0]
    assert parsed.objects[2] == matches[1]
def test_bundle_getitem_overload_property_found():
    """Subscripting with a property name behaves like attribute access."""
    parsed = stix2.parse(EXPECTED_BUNDLE)

    via_attr = parsed.type
    via_item = parsed['type']
    assert via_attr == "bundle"
    assert via_item == "bundle"
def test_bundle_getitem_overload_obj_id_found():
    """Subscripting with an object id falls through to an id lookup among the members."""
    parsed = stix2.parse(EXPECTED_BUNDLE)

    matches = parsed["malware--00000000-0000-4000-8000-000000000003"]
    assert len(matches) == 1
    assert parsed.objects[1] == matches[0]
def test_bundle_obj_id_not_found():
    """get_obj() with an id no member carries raises KeyError with a descriptive message."""
    parsed = stix2.parse(EXPECTED_BUNDLE)

    with pytest.raises(KeyError) as raised:
        parsed.get_obj('non existent')

    # Only a fragment is checked so the exact wording can evolve.
    message = str(raised.value)
    assert "does not match the id property of any of the bundle" in message
def test_bundle_getitem_overload_obj_id_not_found():
    """A subscript that is neither a property name nor a member id raises KeyError."""
    parsed = stix2.parse(EXPECTED_BUNDLE)

    with pytest.raises(KeyError) as raised:
        parsed['non existent']

    # The message must explain both lookups that were tried.
    message = str(raised.value)
    assert "neither a property on the bundle nor does it match the id property" in message