From 58ff89f11268350578099f83bd2c96b70700dc90 Mon Sep 17 00:00:00 2001
From: Michael Chisholm
Date: Wed, 12 Jun 2019 21:19:50 -0400
Subject: [PATCH 1/2] Update observed-data SDO class, adding the new stix2.1 property "object_refs". Added a couple tests for it.
---
 stix2/test/v21/test_observed_data.py | 62 ++++++++++++++++++++++++++++
 stix2/v21/sdo.py | 7 +++-
 2 files changed, 68 insertions(+), 1 deletion(-)
diff --git a/stix2/test/v21/test_observed_data.py b/stix2/test/v21/test_observed_data.py
index e729f60..8dd4487 100644
--- a/stix2/test/v21/test_observed_data.py
+++ b/stix2/test/v21/test_observed_data.py
@@ -5,6 +5,7 @@ import pytest
 import pytz
 import stix2
+import stix2.exceptions
 from .constants import OBSERVED_DATA_ID
@@ -101,6 +102,67 @@ def test_observed_data_example_with_refs():
 assert str(observed_data) == EXPECTED_WITH_REF
+EXPECTED_OBJECT_REFS = """{
+ "type": "observed-data",
+ "spec_version": "2.1",
+ "id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
+ "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
+ "created": "2016-04-06T19:58:16.000Z",
+ "modified": "2016-04-06T19:58:16.000Z",
+ "first_observed": "2015-12-21T19:00:00Z",
+ "last_observed": "2015-12-21T19:00:00Z",
+ "number_observed": 50,
+ "object_refs": [
+ "foo--758bf2c0-a6f1-56d1-872e-6b727467739a",
+ "bar--d97ed5c4-3f33-46d9-b25b-c3d7b94d1457",
+ "baz--eca0b3ba-8d76-11e9-a1fd-34415dabec0c"
+ ]
+}"""
+
+
+def test_observed_data_example_with_object_refs():
+ observed_data = stix2.v21.ObservedData(
+ id="observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
+ created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
+ created="2016-04-06T19:58:16.000Z",
+ modified="2016-04-06T19:58:16.000Z",
+ first_observed="2015-12-21T19:00:00Z",
+ last_observed="2015-12-21T19:00:00Z",
+ number_observed=50,
+ object_refs=[
+ "foo--758bf2c0-a6f1-56d1-872e-6b727467739a",
+ "bar--d97ed5c4-3f33-46d9-b25b-c3d7b94d1457",
+ "baz--eca0b3ba-8d76-11e9-a1fd-34415dabec0c",
+ ],
+ )
+
+ assert str(observed_data) == EXPECTED_OBJECT_REFS
+
+
+def test_observed_data_object_constraint():
+ with pytest.raises(stix2.exceptions.MutuallyExclusivePropertiesError):
+ stix2.v21.ObservedData(
+ id="observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
+ created_by_ref="identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
+ created="2016-04-06T19:58:16.000Z",
+ modified="2016-04-06T19:58:16.000Z",
+ first_observed="2015-12-21T19:00:00Z",
+ last_observed="2015-12-21T19:00:00Z",
+ number_observed=50,
+ objects={
+ "0": {
+ "name": "foo.exe",
+ "type": "file",
+ },
+ },
+ object_refs=[
+ "foo--758bf2c0-a6f1-56d1-872e-6b727467739a",
+ "bar--d97ed5c4-3f33-46d9-b25b-c3d7b94d1457",
+ "baz--eca0b3ba-8d76-11e9-a1fd-34415dabec0c",
+ ],
+ )
+
+
 def test_observed_data_example_with_bad_refs():
 with pytest.raises(stix2.exceptions.InvalidValueError) as excinfo:
 stix2.v21.ObservedData(
diff --git a/stix2/v21/sdo.py b/stix2/v21/sdo.py
index ffdc5e1..70e81e4 100644
--- a/stix2/v21/sdo.py
+++ b/stix2/v21/sdo.py
@@ -349,7 +349,8 @@ class ObservedData(STIXDomainObject):
 ('first_observed', TimestampProperty(required=True)),
 ('last_observed', TimestampProperty(required=True)),
 ('number_observed', IntegerProperty(min=1, max=999999999, required=True)),
- ('objects', ObservableProperty(spec_version='2.1', required=True)),
+ ('objects', ObservableProperty(spec_version='2.1')),
+ ('object_refs', ListProperty(ReferenceProperty(spec_version="2.1"))),
 ('revoked', BooleanProperty(default=lambda: False)),
 ('labels', ListProperty(StringProperty)),
 ('confidence', IntegerProperty()),
@@ -379,6 +380,10 @@ class ObservedData(STIXDomainObject):
 msg = "{0.id} 'last_observed' must be greater than or equal to 'first_observed'"
 raise ValueError(msg.format(self))
+ self._check_mutually_exclusive_properties(
+ ["objects", "object_refs"],
+ )
+
 class Opinion(STIXDomainObject):
 # TODO: Add link
From 28ac284b849f1cfb0459c377fbfa6a934dca1164 Mon Sep 17 00:00:00 2001
From: Chris Lenk
Date: Wed, 26 Jun 2019 11:18:47 -0400
Subject: [PATCH 2/2] Remove unnecessary ObservedData constraint first_observed and last_observed are both required, so this co-constraint was removed from WD04.
---
 stix2/v21/sdo.py | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/stix2/v21/sdo.py b/stix2/v21/sdo.py
index 70e81e4..46ce231 100644
--- a/stix2/v21/sdo.py
+++ b/stix2/v21/sdo.py
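Review bot: The added tests cover `object_refs` on its own and both properties together, but not an ObservedData built with neither `objects` nor `object_refs`, a case that only became constructible in this commit when `required=True` was dropped from `objects` in stix2/v21/sdo.py. Whether it is rejected depends on how `_check_mutually_exclusive_properties` (called in the `_check_object_constraints` hunk of the same commit) treats the case where none of the listed properties is populated, which is not visible on this page. A third test pins that behaviour so a later refactor cannot let an observed-data object that carries no observations pass validation unnoticed.

```python
def test_observed_data_requires_objects_or_object_refs():
    # Exception type assumes the helper reports "none set" the same way as
    # "both set"; adjust if the base class raises something else.
    with pytest.raises(stix2.exceptions.MutuallyExclusivePropertiesError):
        stix2.v21.ObservedData(
            first_observed="2015-12-21T19:00:00Z",
            last_observed="2015-12-21T19:00:00Z",
            number_observed=50,
        )
```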
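Review bot: `ReferenceProperty(spec_version="2.1")` on the new `object_refs` line places no restriction on the type of the referenced object, and the tests added in this commit show that made-up types such as `foo--…` are accepted. For a consumer of shared threat intelligence this means a mis-typed or malformed reference passes construction and is only caught downstream, if at all. If the specification draft limits what observed-data may reference, check the type prefix of each entry in `_check_object_constraints`; otherwise record the gap next to the property, e.g. `# TODO: restrict object_refs to the object types the spec allows`. The property list starts and ends outside the hunk.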
@@ -369,10 +369,6 @@ class ObservedData(STIXDomainObject):
 def _check_object_constraints(self):
 super(self.__class__, self)._check_object_constraints()
- if self.get('number_observed', 1) == 1:
- self._check_properties_dependency(['first_observed'], ['last_observed'])
- self._check_properties_dependency(['last_observed'], ['first_observed'])
-
 first_observed = self.get('first_observed')
 last_observed = self.get('last_observed')