STIX-Java icon indicating copy to clipboard operation
STIX-Java copied to clipboard

Published 20 hours ago verified publisher icon StephenOTT

Is it possible to disable validation, or allow additional labels?

Open sean-scott-lr opened this issue 4 years ago • 4 comments

Hello, I am trying to use this project to parse stix2.0 from a variety of taxii endpoints. Initially I am testing with an anomali feed.

The issue is that with this feed:

https://limo.anomali.com/api/v1/taxii2/feeds/collections/107/objects/ ( You need to set the Authorization header for a basic auth credential user and pass are both "guest" )

Anyway, it returns some objects that look like this

        {
            "created": "2016-02-26T18:11:48.479Z",
            "description": "TS ID: 37323558; iType: phish_url; State: active; Org: Web Werks; Source: Phish Tank",
            "id": "indicator--1ac4d2b1-4f88-4960-b109-2180fa9bf144",
            "labels": [
                "malicious-activity",
                "threatstream-severity-very-high",
                "threatstream-confidence-85"
            ],
            "modified": "2016-02-26T18:11:48.479Z",
            "name": "phish_url: http://www.srbiohealth.com/London1/Eruku/nD/index.php",
            "object_marking_refs": [
                "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
            ],
            "pattern": "[url:value = 'http://www.srbiohealth.com/London1/Eruku/nD/index.php']",
            "type": "indicator",
            "valid_from": "2016-02-26T18:11:48.479Z"
        },

And I end up. with a validation error of

Caused by: javax.validation.ConstraintViolationException: labels: Items: [threatstream-confidence-85, threatstream-severity-very-high] are not found in class io.digitalstate.stix.vocabulary.vocabularies.IndicatorLabels
	at io.digitalstate.stix.validation.SdoDefaultValidator.validate(SdoDefaultValidator.java:19)
	at io.digitalstate.stix.common.StixCommonProperties.checkHydrationValidation(StixCommonProperties.java:116)
	at io.digitalstate.stix.sdo.objects.Indicator.validate(Indicator.java:1530)
	at io.digitalstate.stix.sdo.objects.Indicator.access$2700(Indicator.java:56)
	at io.digitalstate.stix.sdo.objects.Indicator$Builder.build(Indicator.java:2319)

Ideas?

sean-scott-lr avatar Aug 29 '21 21:08 sean-scott-lr

Are you using the 2.0 or 2.1 version of the library?

StephenOTT avatar Aug 29 '21 22:08 StephenOTT

I built from master yesterday.

I couldn't find a built version in maven repos, did I miss that?

sean-scott-lr avatar Aug 30 '21 13:08 sean-scott-lr

There is a 2.1 branch in the repo which was a major refactor.

The validations in the master (stix 2) uses https://immutables.github.io/ for the validation annotations. Would have to leverage that lib to disable (if it is possible). The 2.1 branch gives you many more config options for things like vocabs.

Given you have the code downloaded for 2.0, a quick fix is to just modify the content of the vocabs as needed: https://github.com/StephenOTT/STIX-Java/tree/master/src/main/java/io/digitalstate/stix/vocabulary/vocabularies

StephenOTT avatar Aug 30 '21 14:08 StephenOTT

Ok, Thanks for the feedback @StephenOTT .

sean-scott-lr avatar Aug 30 '21 22:08 sean-scott-lr