contentctl
AttributeError: 'IntegrationTest' object has no attribute 'attack_data'
Hi, when running `contentctl build --verbose`, I get this weird error:
```
C:\Users\user\.virtualenvs\something\Scripts\python.exe -m contentctl.contentctl build --verbose
INFO: Common Information Model/CIM (uid: [1621]) is not listed in apps.
contentctl test MUST include Common Information Model.
Please note this message is only informational.
INFO: Common Information Model/CIM (uid: [1621]) is not listed in apps.
contentctl test MUST include Common Information Model.
Please note this message is only informational.
DEPLOYMENTS Progress: [100%]...Done!
LOOKUPS Progress: [ 0%]...Done!
MACROS Progress: [100%]...Done!
STORIES Progress: [100%]...Done!
BASELINES Progress: [ 0%]...Done!
INVESTIGATIONS Progress: [ 0%]...Done!
DATA_SOURCES Progress: [100%]...Done!
PLAYBOOKS Progress: [ 0%]...Done!
Verbose error logging is ENABLED.
The entire stack trace has been provided below (please include it if filing a bug report):
Traceback (most recent call last):
  File "C:\something\contentctl\contentctl\contentctl.py", line 203, in main
    build_func(config)
  File "C:\something\contentctl\contentctl\contentctl.py", line 78, in build_func
    director_output_dto = validate_func(config)
                          ^^^^^^^^^^^^^^^^^^^^^
  File "C:\something\contentctl\contentctl\contentctl.py", line 63, in validate_func
    return validate.execute(config)
           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\something\contentctl\contentctl\actions\validate.py", line 37, in execute
    director.execute(input_dto)
  File "C:\something\contentctl\contentctl\input\director.py", line 131, in execute
    self.createSecurityContent(SecurityContentType.detections)
  File "C:\something\contentctl\contentctl\input\director.py", line 210, in createSecurityContent
    detection = Detection.model_validate(modelDict,context={"output_dto":self.output_dto, "app":self.input_dto.app})
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\user\.virtualenvs\something\Lib\site-packages\pydantic\main.py", line 551, in model_validate
    return cls.__pydantic_validator__.validate_python(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\something\contentctl\contentctl\objects\abstract_security_content_objects\detection_abstract.py", line 147, in validate_test_groups
    test_group = TestGroup.derive_from_unit_test(unit_test, info.data.get("name")) # type: ignore
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\something\contentctl\contentctl\objects\test_group.py", line 39, in derive_from_unit_test
    attack_data=unit_test.attack_data
                ^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\user\.virtualenvs\something\Lib\site-packages\pydantic\main.py", line 811, in __getattr__
    raise AttributeError(f'{type(self).__name__!r} object has no attribute {item!r}')
AttributeError: 'IntegrationTest' object has no attribute 'attack_data'
Process finished with exit code 1
```
Example detection yaml:
```yaml
author: someone
data_sources: []
date: '2024-08-14'
description: "something"
how_to_implement: something
id: 8e7eeb73-69f4-48cf-b1f4-aaaaaaaaaaaa
known_false_positives: something
name: some detection
references: []
search: "whatever"
status: production
tags:
  analytic_story: []
  asset_type: Account
  confidence: 1
  cve: []
  impact: 60
  message: N/A
  mitre_attack_id:
  - T1555
  observable:
  - name: ' '
    role:
    - Victim
    type: Unknown
  product:
  - Splunk Enterprise Security
  required_fields:
  - nothing
  risk_score: N/A
  security_domain: access
tests:
- attack_data:
  - data: ./something
    source: N/A
    sourcetype: N/A
  name: somethingelse
  test_type: unit
type: TTP
version: 1
```
There seems to be a problem with the parsing in `Detection_Abstract.validate_test_groups()`.
It looks like a logic error, where the code assumes it's a `UnitTest` object but receives an `IntegrationTest` object.
Any idea?
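The failure mode hypothesised in the report, reproduced with stand-in dataclasses as an added example; this is not contentctl's code and not part of the original report. The model fields and the two `build_groups_*` helpers are assumptions, and the guard is one way to turn the `AttributeError` into a per-entry report, not a confirmed fix.

```python
from dataclasses import dataclass

# Stand-in models: only the class names, derive_from_unit_test and the
# attack_data attribute come from the traceback; everything else is assumed.
@dataclass
class UnitTest:
    name: str
    attack_data: list

@dataclass
class IntegrationTest:
    name: str  # deliberately has no attack_data field

@dataclass
class TestGroup:
    name: str
    unit_test: UnitTest
    attack_data: list

    @classmethod
    def derive_from_unit_test(cls, unit_test, detection_name):
        # Same attribute access as test_group.py line 39 in the traceback.
        return cls(name=f"{detection_name}:{unit_test.name}",
                   unit_test=unit_test,
                   attack_data=unit_test.attack_data)

def build_groups_unguarded(tests, detection_name):
    # Assumes every entry is a UnitTest, so an IntegrationTest raises AttributeError.
    return [TestGroup.derive_from_unit_test(t, detection_name) for t in tests]

def build_groups_guarded(tests, detection_name):
    # Derive groups only from UnitTest entries and report everything else by type.
    groups, rejected = [], []
    for index, test in enumerate(tests):
        if isinstance(test, UnitTest):
            groups.append(TestGroup.derive_from_unit_test(test, detection_name))
        else:
            rejected.append(f"{detection_name}: tests[{index}] is "
                            f"{type(test).__name__}, expected UnitTest")
    return groups, rejected

# Constructed input: a test list that already contains an IntegrationTest.
SAMPLE_TESTS = [
    UnitTest(name="somethingelse", attack_data=[{"data": "./something"}]),
    IntegrationTest(name="somethingelse"),
]

if __name__ == "__main__":
    print(build_groups_guarded(SAMPLE_TESTS, "some detection"))
```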