cti-python-stix2 icon indicating copy to clipboard operation
cti-python-stix2 copied to clipboard

Published 20 hours ago verified publisher icon oasis-open

Serialisation issue - string is treated as a year

Open traut opened this issue 6 years ago • 5 comments

For some reason string '682' is treated as a year during serialisation and pattern with invalid syntax is produced:

In [3]: str(stix2.AndObservationExpression([
   ...:     stix2.EqualityComparisonExpression(stix2.ObjectPath('cve', ['value']), '2018-11790'),
   ...:     stix2.EqualityComparisonExpression(stix2.ObjectPath('cwe', ['value']), '682')]))
Out[3]: "cve:value = '2018-11790' AND cwe:value = 0682-02-28 00:00:00+00:00"

stix2 lib version I'm using is 1.1.1

traut avatar Feb 28 '19 17:02 traut

simpler example:

In [3]: str(stix2.EqualityComparisonExpression(stix2.ObjectPath('port', ['value']), '1112'))
Out[3]: 'port:value = 1112-02-28 00:00:00+00:00'

traut avatar Feb 28 '19 17:02 traut

it is happening not only for numbers, I see some IPv4 addresses being converted into datetime string as well

traut avatar Feb 28 '19 17:02 traut

this is the cause - https://github.com/oasis-open/cti-python-stix2/blob/ba2f63f745167ba9919b5a7ef1636460b8ab950d/stix2/patterns.py#L229

traut avatar Feb 28 '19 18:02 traut

A quick fix it to create the constant object before passing it in. Something like:

stix2.EqualityComparisonExpression(stix2.ObjectPath('cve', ['value']), String_Constant('2018-11790')),

rpiazza avatar Feb 28 '19 20:02 rpiazza

See also this comment. As you noted, that function is basically written to assume everything is a datetime unless proven otherwise.

chisholm avatar Feb 28 '19 20:02 chisholm