opencti icon indicating copy to clipboard operation
opencti copied to clipboard
verified publisher icon OpenCTI-Platform

Mechanisms inconsistency when "enforce reference" is activated

Open Lhorus6 opened this issue 1 year ago • 6 comments

Description

Starting point : "enforce reference" is activated on Report.

If I want to add an object to my report (from the Knowledge view, or entities, or observables), I get a "Validation error" because I haven't validated my change with a reference. I can't do this because the pop-up doesn't appear. To understand what pop-up I'm talking about, try modifying the report description and this time the pop-up will appear.

Additional information

  • If I try this time to create an entity or relationship to add directly to my report from knowledge graph, I also get this error but note that the object is created (it's just not added to my report because of the lack of reference).
  • If I validate a workbench from the data tab of a report, its execution works (my entities are well created on my platform) but I still get the "Validation error" and my objects are not added to my report, still for the same problem.

Environment

OCTI 5.12.29

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Activate "enforce reference" on Report (settings > customization > report)
  2. Navigate on the "Entities" tab of a Report
  3. Try to add an entity

EDIT: WARNING

If your have the "Bypass all capabilities" or "Bypass mandatory references if any" right, you bypass the "enforce reference" policy and therefore don't reproduce the bug (because it's as if the policy wasn't activated).

Expected Output

Obtain the pop up allowing me to add the reference needed

Lhorus6 avatar Feb 09 '24 17:02 Lhorus6

@Lhorus6 I do not get the same result, but there's definitively something going on:

Activate "enforce reference" on Report (settings > customization > report) Navigate on the "Entities" tab of a Report Try to add an entity -> For me the entity is added, but I do not get the pop up

Activate "enforce reference" on Report (settings > customization > report) Navigate on the "Entities" tab of a Report Update the report (any field) Click on "validate wihtout reference" The screen remains blocked on the drawer component. However, my field is correctly updated.

If I try this time to create an entity or relationship to add directly to my report from knowledge graph, I also get this error but note that the object is created (it's just not added to my report because of the lack of reference). -> I do not get the validation error.

nino-filigran avatar Feb 12 '24 08:02 nino-filigran

@nino-filigran What is your user configuration? If you have the "bypass all" right, you bypass the enforce reference policy. This is something I should have warned about in the issue... I'll add it

Lhorus6 avatar Feb 12 '24 15:02 Lhorus6

After a quick look, it seems related to this : https://github.com/OpenCTI-Platform/opencti/issues/4839

Lhorus6 avatar Feb 13 '24 07:02 Lhorus6

@Lhorus6 I was able to reproduce the bug from your description. We'll look into it

JeremyCloarec avatar Feb 15 '24 11:02 JeremyCloarec

I tested most of the entities with the references enforced to analyze the scope of the bug, here are some of my findings.

  • In all containers (Report/Groupings/Observed Data/Cases), adding observables/entities from anywhere throw a validation error because there is no popup for adding a reference
  • In all entities that can be shared to an orga, the sharing fails for the same reason: we get a validation error because no popup opens
  • Malware analysis can't be created because the form asks for a reference even when one is already entered. They also can't seem to be edited because the external reference is not accepted on validation of an edition
  • Not sure if this is a bug or intented behavior, but external references can always be removed from an entity (even when references are enforced)
  • In malware analysis and malwares, we can't add nested objects: we get a validation error and no popup
  • In Cases, we can't add an origin of the case: we get a validation error and no popup
  • On multiple other entities, we can modify some fields without being asked for a reference, which seems inconsistent with previous behaviors. For exemple: Base on in Indicators, Affected softwares in Vulnerabilites, Course of action in Attack patterns etc...

JeremyCloarec avatar Feb 21 '24 16:02 JeremyCloarec

For now, tackling only thhe issue of the reports as it was the main problem. The other issues will be tackled in this ticket: https://github.com/OpenCTI-Platform/opencti/issues/6074

nino-filigran avatar Feb 22 '24 09:02 nino-filigran