
Commit 45d4b05

committed
fix: [stix2 import] Handling cases where an observable object has multiple indicator references
1 parent 1a2a71d commit 45d4b05


1 file changed

+22
-30
lines changed


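--- a/misp_stix_converter/stix2misp/external_stix2_to_misp.py
+++ b/misp_stix_converter/stix2misp/external_stix2_to_misp.py
@@ -349,24 +349,14 @@ def _parse_loaded_features(self):
 ############################################################################
 
 def _fetch_indicator_reference(
-self, observable: _OBSERVABLE_TYPING) -> str | None:
+self, observable: _OBSERVABLE_TYPING) -> Iterator[str]:
 observable_references = tuple(
 self._fetch_observable_references(observable)
 )
-indicator_references = set()
 for indicator_id, patterns in self._indicator_references.items():
 if not any(ref in patterns for ref in observable_references):
 continue
-indicator_references.add(indicator_id)
-if not indicator_references:
-return
-if len(indicator_references) == 1:
-return next(iter(indicator_references))
-# in case multiple indicators describe values from a single observable
-self._add_warning(
-f'Multiple indicators matching observable: {observable.id}'
-)
-return tuple(indicator_references)
+yield indicator_id
 
 def _fetch_observable_references(
 self, observable: dict | _OBSERVABLE_TYPING) -> Iterator[str]:
@@ -403,34 +393,36 @@ def _set_indicator_references(self):
 }
 if score in (3, 7):
 for observable_id, observable in self._observable.items():
-indicator_reference = self._fetch_indicator_reference(
-observable['observable']
+indicator_references = set(
+self._fetch_indicator_reference(observable['observable'])
 )
-if indicator_reference is None:
+if not indicator_references:
 continue
-indicator = self._indicator[indicator_reference]
-self._indicator[indicator_reference] = {
-'indicator': indicator,
-'observable_ref': observable_id
-}
-observable['indicator_ref'] = indicator_reference
+for indicator_reference in indicator_references:
+indicator = self._indicator[indicator_reference]
+self._indicator[indicator_reference] = {
+'indicator': indicator,
+'observable_ref': observable_id
+}
+observable['indicator_ref'] = indicator_reference
 if score >= 5:
 for observed_id, observed_data in self._observed_data.items():
 if not hasattr(observed_data, 'objects'):
 continue
 indicator_refs = {}
 for observable_id, observable in observed_data.objects.items():
-indicator_reference = self._fetch_indicator_reference(
-observable['observable']
+indicator_references = set(
+self._fetch_indicator_reference(observable)
 )
-if indicator_reference is None:
+if not indicator_references:
 continue
-indicator = self._indicator[indicator_reference]
-self._indicator[indicator_reference] = {
-'indicator': indicator,
-'observable_ref': observed_id
-}
-indicator_refs[observable_id] = indicator_reference
+for indicator_reference in indicator_references:
+indicator = self._indicator[indicator_reference]
+self._indicator[indicator_reference] = {
+'indicator': indicator,
+'observable_ref': observed_id
+}
+indicator_refs[observable_id] = indicator_reference
 if indicator_refs:
 self._observed_data[observed_id] = {
 'indicator_refs': indicator_refs,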
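Review bot: In both new `for indicator_reference in indicator_references:` loops of `_set_indicator_references`, the observable side still stores a single value (`observable['indicator_ref'] = indicator_reference` and `indicator_refs[observable_id] = indicator_reference`), so when several indicators match, only the last one iterated is kept. Because the loop iterates a `set` of id strings, which one survives can differ from run to run, and the `_add_warning` call that used to flag this case is removed in the first hunk, so the dropped links are silent. Unless downstream code can accept a list there, I would at least iterate `for indicator_reference in sorted(indicator_references):` and keep a warning when `len(indicator_references) > 1`, so that the imported indicator/observable relationship is reproducible and visible to the analyst. The rendering has lost indentation and the function starts and ends outside the hunk, so the nesting is inferred.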
