81 lines
2.3 KiB
Python
81 lines
2.3 KiB
Python
|
import json
|
||
|
import pytest
|
||
|
|
||
|
import stix2.exceptions
|
||
|
import stix2.utils
|
||
|
import stix2.v21
|
||
|
|
||
|
|
||
|
MALWARE_ANALYSIS_JSON = """{
|
||
|
"type": "malware-analysis",
|
||
|
"spec_version": "2.1",
|
||
|
"id": "malware-analysis--f8afc020-f92f-4906-a971-88ee5882eb46",
|
||
|
"created": "2017-11-28T09:44:58.418Z",
|
||
|
"modified": "2017-12-31T21:27:49.754Z",
|
||
|
"created_by_ref": "identity--e0353ed3-991e-4f71-a332-114c2f10b84f",
|
||
|
"labels": [
|
||
|
"label1",
|
||
|
"label2"
|
||
|
],
|
||
|
"product": "Acme Malware Analyzer",
|
||
|
"version": "2.5",
|
||
|
"host_vm_ref": "software--1bda7336-fe67-469f-a8ca-ab6268b0449b",
|
||
|
"operating_system_ref": "software--c96bfaef-861b-408b-b0f1-b685881725ef",
|
||
|
"installed_software_refs": [
|
||
|
"software--7325bf2d-de9e-441e-b3b3-63df43149897",
|
||
|
"software--46a6a91d-1160-4867-a4d1-b14e080e4e5b"
|
||
|
],
|
||
|
"configuration_version": "1.7",
|
||
|
"module": "Super Analyzer",
|
||
|
"analysis_engine_version": "1.2",
|
||
|
"analysis_definition_version": "3.4",
|
||
|
"submitted": "2018-11-23T06:45:55.747Z",
|
||
|
"analysis_started": "2018-11-29T07:30:03.895Z",
|
||
|
"analysis_ended": "2018-11-29T08:30:03.895Z",
|
||
|
"av_result": "malicious",
|
||
|
"analysis_sco_refs": [
|
||
|
"file--fc27e371-6c88-4c5c-868a-4dda0e60b167",
|
||
|
"url--6f7a74cd-8eb2-4b88-a4da-aa878e50ac2e"
|
||
|
]
|
||
|
}"""
|
||
|
|
||
|
|
||
|
MALWARE_ANALYSIS_DICT = json.loads(MALWARE_ANALYSIS_JSON)
|
||
|
|
||
|
|
||
|
def test_malware_analysis_example():
|
||
|
ma = stix2.v21.MalwareAnalysis(**MALWARE_ANALYSIS_DICT)
|
||
|
|
||
|
assert str(ma) == MALWARE_ANALYSIS_JSON
|
||
|
|
||
|
|
||
|
@pytest.mark.parametrize("data", [
|
||
|
MALWARE_ANALYSIS_JSON,
|
||
|
MALWARE_ANALYSIS_DICT
|
||
|
])
|
||
|
def test_parse_malware_analysis(data):
|
||
|
ma = stix2.parse(data, version="2.1")
|
||
|
|
||
|
# timestamp-valued attributes whose values (from JSON) can't be compared
|
||
|
# directly, since stix2 internally converts them to datetime objects.
|
||
|
ts_attrs = {
|
||
|
"created",
|
||
|
"modified",
|
||
|
"submitted",
|
||
|
"analysis_started",
|
||
|
"analysis_ended",
|
||
|
}
|
||
|
|
||
|
for attr_name, attr_value in MALWARE_ANALYSIS_DICT.items():
|
||
|
cmp_value = stix2.utils.parse_into_datetime(attr_value) \
|
||
|
if attr_name in ts_attrs else attr_value
|
||
|
|
||
|
assert getattr(ma, attr_name) == cmp_value
|
||
|
|
||
|
|
||
|
def test_malware_analysis_constraint():
|
||
|
with pytest.raises(stix2.exceptions.AtLeastOnePropertyError):
|
||
|
stix2.v21.MalwareAnalysis(
|
||
|
product="Acme Malware Analyzer"
|
||
|
)
|