cti-python-stix2 icon indicating copy to clipboard operation
cti-python-stix2 copied to clipboard

Published 20 hours ago verified publisher icon oasis-open

Invalid Object Reference Error

Open SecJesus opened this issue 5 years ago • 2 comments

Hello,

I am currently experiencing issues with creating observables for an email and then linking them together. I have included an example of the data, the error and the code used below. Any help is greatly appreciated!

ERROR
`--------------------------------------------------------------------------- InvalidObjRefError Traceback (most recent call last) in ----> 1 od4 = EmailMessage(type='email-message', 2 _valid_refs={"0":od1,"1":od2,"2":od3}, 3 is_multipart=True, 4 from_ref=od1, 5 sender_ref=od1,

/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages/stix2/base.py in init(self, **kwargs) 322 pass 323 --> 324 super(_Observable, self).init(**kwargs) 325 326 def _check_ref(self, ref, prop, prop_name):

/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages/stix2/base.py in init(self, allow_custom, **kwargs) 175 176 for prop_name, prop_metadata in self._properties.items(): --> 177 self._check_property(prop_name, prop_metadata, setting_kwargs) 178 179 # Cache defaulted optional properties for serialization

/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages/stix2/base.py in _check_property(self, prop_name, prop, kwargs) 362 if isinstance(prop, ObjectReferenceProperty): 363 ref = kwargs[prop_name] --> 364 self._check_ref(ref, prop, prop_name) 365 elif prop_name.endswith('_refs'): 366 if isinstance(prop.contained, ObjectReferenceProperty):

/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages/stix2/base.py in _check_ref(self, ref, prop, prop_name) 334 335 if ref not in self._STIXBase__valid_refs: --> 336 raise InvalidObjRefError(self.class, prop_name, "'%s' is not a valid object in local scope" % ref) 337 338 try:

InvalidObjRefError: Invalid object reference for 'EmailMessage:from_ref': '{ "type": "email-addr", "value": "[email protected]" }' is not a valid object in local scope`

Code od1 = EmailAddress(type='email-addr', value=eventData.get('sender')) od2 = File(type='file', hashes={"SHA-256":eventData.get('ahash')}, mime_type=eventData.get('afiletype'), name=eventData.get('afile')) od3 = EmailMIMEComponent(body_raw_ref=od2) od4 = EmailMessage(type='email-message', _valid_refs={"0":od1,"1":od2,"2":od3}, is_multipart=True, from_ref=od1, sender_ref=od1, subject=eventData.get('subject'), body_multipart=[od3])

Sample Data eventData = {'afile': 'file.doc', 'ahash': '6c16bbddc9dcbf447c44afb11387115ac657852fcdf30cf068cf6e11e8786212', 'afiletype': 'Microsoft MSOFFICE(52033)', 'sender': '[email protected]', 'subject': 'Re: reply email'}

SecJesus avatar Dec 06 '19 17:12 SecJesus

Hi! I'm guessing you're using the 2.0 (i.e. "v20") versions of the objects, right? (I guess this since using the 2.1 versions does not result in any errors). If so, as per the documentation, instead of from_ref=od1, you will want to do from_ref="0". Similarly, instead of sender_ref=od1, you will want to do sender_ref="0".

And, if possible, I'd recommend using STIX 2.1 (and thus the 2.1 versions of the objects). If you choose to switch to 2.1, your existing code should work. However, you can simplify it by removing _valid_refs.

khdesai avatar Dec 06 '19 20:12 khdesai

Just for clarification, from stix2 import EmailAddress will import the STIX 2.0 version of the object as that is currently the default, but you can import the STIX 2.1 version with from stix2.v21 import EmailAddress.

clenk avatar Dec 06 '19 20:12 clenk