cti-stix-validator
Running the validator from the elevator with different options causes an exception
From the 2.1-wd05 branch of the elevator, run both of the following:
cli.py /Users/rpiazza/git/stix/cti-stix-elevator/idioms-xml/issue62.xml -v 2.1 --validator-args "--version 2.1"
cli.py /Users/rpiazza/git/stix/cti-stix-elevator/idioms-xml/issue62.xml -v 2.1
The first will run and generate STIX 2.1. The second one causes this exception:
Traceback (most recent call last):
File "/Users/rpiazza/py-envs/python3.7/lib/python3.7/site-packages/stix2_patterns-1.1.0-py3.7.egg/stix2patterns/grammars/STIXPatternParser.py", line 1226, in propTest
la_ = self._interp.adaptivePredict(self._input,15,self._ctx)
File "/Users/rpiazza/py-envs/python3.7/lib/python3.7/site-packages/antlr4_python3_runtime-4.7.2-py3.7.egg/antlr4/atn/ParserATNSimulator.py", line 342, in adaptivePredict
alt = self.execATN(dfa, s0, input, index, outerContext)
File "/Users/rpiazza/py-envs/python3.7/lib/python3.7/site-packages/antlr4_python3_runtime-4.7.2-py3.7.egg/antlr4/atn/ParserATNSimulator.py", line 414, in execATN
raise e
antlr4.error.Errors.NoViableAltException: None
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "/Users/rpiazza/git/stix/cti-stix-elevator/stix2elevator/cli.py", line 200, in <module>
main()
File "/Users/rpiazza/git/stix/cti-stix-elevator/stix2elevator/cli.py", line 192, in main
result = elevate_file(elevator_args.file_)
File "/Users/rpiazza/git/stix/cti-stix-elevator/stix2elevator/__init__.py", line 82, in elevate_file
validation_results = validate_stix2_string(json_string, validator_options, fn)
File "/Users/rpiazza/git/stix/cti-stix-elevator/stix2elevator/__init__.py", line 36, in validate_stix2_string
results = validate_string(json_string, validator_options)
File "/Users/rpiazza/git/stix/cti-stix-validator/stix2validator/validator.py", line 486, in validate_string
return validate(stream, options)
File "/Users/rpiazza/git/stix/cti-stix-validator/stix2validator/validator.py", line 421, in validate
results = validate_parsed_json(obj_json, options)
File "/Users/rpiazza/git/stix/cti-stix-validator/stix2validator/validator.py", line 398, in validate_parsed_json
results = validate_instance(obj_json, options)
File "/Users/rpiazza/git/stix/cti-stix-validator/stix2validator/validator.py", line 755, in validate_instance
warnings = [pretty_error(x, options.verbose) for x in warnings]
File "/Users/rpiazza/git/stix/cti-stix-validator/stix2validator/validator.py", line 755, in <listcomp>
warnings = [pretty_error(x, options.verbose) for x in warnings]
File "/Users/rpiazza/git/stix/cti-stix-validator/stix2validator/validator.py", line 62, in _iter_errors_custom
for err in _iter_errors_custom(obj, checks, options):
File "/Users/rpiazza/git/stix/cti-stix-validator/stix2validator/validator.py", line 52, in _iter_errors_custom
for x in result:
File "/Users/rpiazza/git/stix/cti-stix-validator/stix2validator/v21/shoulds.py", line 1069, in types_strict
p = Pattern(pattern)
File "/Users/rpiazza/py-envs/python3.7/lib/python3.7/site-packages/stix2_patterns-1.1.0-py3.7.egg/stix2patterns/pattern.py", line 34, in __init__
self.__parse_tree = self.__do_parse(pattern_str)
File "/Users/rpiazza/py-envs/python3.7/lib/python3.7/site-packages/stix2_patterns-1.1.0-py3.7.egg/stix2patterns/pattern.py", line 117, in __do_parse
real_exc)
File "<string>", line 3, in raise_from
stix2patterns.pattern.ParseException: 1:897: no viable alternative at input 'unconverted_term:WinExecutableFileObj.exportsAND'
These two pull requests https://github.com/oasis-open/cti-pattern-validator/pull/63 and https://github.com/oasis-open/cti-pattern-validator/pull/64 seem to be unrelated. Here is the pattern:
"[((file:hashes.MD5 = '5d8129be965fab8115eca34fc84bd7f0' OR file:hashes.'SHA-1' = '2b999e7db890cc77f0098a091de756a1803a3c2b' OR file:hashes.'SHA-256' = '2c5dd8a64437cb2dd4b6747139c61d2d7f53ab3ddedbf22df3cb01bae170715b' OR file:hashes.ssdeep = '768:mvAFYk0IOqi7RKW1RD1ZCrm82+AnbaAOdoOKL70ehP:cDIOqctz2rBmbZoa71hP') AND file:name = 'VirusShare_5d8129be965fab8115eca34fc84bd7f0' AND file:size = 40654 AND (((file:extensions.'windows-pebinary-ext'.section[*].name = '.rdata' AND file:extensions.'windows-pebinary-ext'.section[*].entropy = 7.74202363178) AND (file:extensions.'windows-pebinary-ext'.section[*].name = '.data' AND file:extensions.'windows-pebinary-ext'.section[*].entropy = 7.89204688601) AND (file:extensions.'windows-pebinary-ext'.section[*].name = '.upx' AND file:extensions.'windows-pebinary-ext'.section[*].entropy = 7.31815613066)) AND unconverted_term:WinExecutableFileObj.exports AND unconverted_term:WinExecutableFileObj.imports))]",
The AND is at the end....
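
Added example, not part of the original report and not code from the elevator or validator projects: a standard-library pre-check that flags object paths with no comparison operator after them, as with the two `unconverted_term:` terms in the pattern above, so a caller can report them instead of hitting an uncaught parse exception. The tokenizer is a simplification of the STIX pattern grammar, and the names `find_bare_terms` and `precheck` are hypothetical.

```python
import re

# Simplified tokens for STIX comparison expressions (an assumption of this
# example; the real grammar is the ANTLR one shipped in stix2patterns).
TOKEN = re.compile(r"""
    (?P<string>'(?:\\.|[^'\\])*')                                # quoted constant
  | (?P<path>[A-Za-z][\w-]*:(?:'[^']*'|\[(?:\*|\d+)\]|[\w.-])+)  # type:prop.'step'[*]
  | (?P<op>!=|<=|>=|=|<|>)                                       # symbolic operators
  | (?P<word>[A-Za-z]+)                                          # AND, OR, LIKE, ...
""", re.VERBOSE)

# Keywords that may legally follow an object path.
WORD_OPERATORS = {"NOT", "IN", "LIKE", "MATCHES", "ISSUBSET", "ISSUPERSET"}

# Constructed sample: the issue's pattern shortened to three of its
# comparisons plus the two placeholder terms.
SAMPLE = ("[file:hashes.MD5 = '5d8129be965fab8115eca34fc84bd7f0' AND "
          "file:size = 40654 AND "
          "file:extensions.'windows-pebinary-ext'.section[*].name = '.upx' AND "
          "unconverted_term:WinExecutableFileObj.exports AND "
          "unconverted_term:WinExecutableFileObj.imports]")


def find_bare_terms(pattern):
    """Return (offset, object_path) for every path with no operator after it."""
    tokens = [(m.lastgroup, m.group(), m.start()) for m in TOKEN.finditer(pattern)]
    bare = []
    for i, (kind, text, offset) in enumerate(tokens):
        if kind != "path":
            continue
        # Look one token ahead; a path at the very end has nothing after it.
        nxt_kind, nxt_text = tokens[i + 1][:2] if i + 1 < len(tokens) else (None, "")
        if nxt_kind == "op" or (nxt_kind == "word" and nxt_text in WORD_OPERATORS):
            continue
        bare.append((offset, text))
    return bare


def precheck(pattern):
    """Describe each bare term so a caller can report it instead of crashing."""
    return ["offset %d: %s has no comparison operator" % term
            for term in find_bare_terms(pattern)]


if __name__ == "__main__":
    for line in precheck(SAMPLE):
        print(line)
```

Offsets are 0-based character positions in the pattern string passed in, which makes it straightforward to point at the offending term in the converted indicator.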