[backend] fix(securitycoverage): ensure forcible opencti tag in security coverage scenario (#4395)

Signed-off-by: Antoine MAZEAS <[email protected]>

Author: antoinemzs

openaev-api/src/main/java/io/openaev/service/stix/SecurityCoverageService.java

@@ -110,12 +110,19 @@ public SecurityCoverage buildSecurityCoverageFromStix(String stixJson)
 
     // Optional fields
     stixCoverageObj.setIfPresent(STIX_DESCRIPTION, securityCoverage::setDescription);
-    stixCoverageObj.setIfSetPresent(
-        CommonProperties.LABELS.toString(),
-        labels -> {
-          labels.add(OPENCTI_TAG_NAME);
-          securityCoverage.setLabels(labels);
-        });
+
+    // labels
+    Set<String> labels = new HashSet<>();
+    if (stixCoverageObj.hasProperty(CommonProperties.LABELS)
+        && stixCoverageObj.getProperty(CommonProperties.LABELS).getValue() != null) {
+      for (StixString stixString :
+          (List<StixString>) stixCoverageObj.getProperty(CommonProperties.LABELS).getValue()) {
+        labels.add(stixString.getValue());
+      }
+    }
+    // force opencti
+    labels.add(OPENCTI_TAG_NAME);
+    securityCoverage.setLabels(labels);
 
     // Extract Attack Patterns
     securityCoverage.setAttackPatternRefs(

openaev-api/src/test/java/io/openaev/api/stix_process/StixApiTest.java

@@ -18,9 +18,12 @@
 import com.jayway.jsonpath.JsonPath;
 import io.openaev.IntegrationTest;
 import io.openaev.database.model.*;
+import io.openaev.database.model.Tag;
 import io.openaev.database.repository.InjectRepository;
 import io.openaev.database.repository.ScenarioRepository;
 import io.openaev.database.repository.SecurityCoverageRepository;
+import io.openaev.database.repository.TagRepository;
+import io.openaev.service.AssetGroupService;
 import io.openaev.utils.fixtures.*;
 import io.openaev.utils.fixtures.composers.*;
 import io.openaev.utils.fixtures.files.AttackPatternFixture;
@@ -56,19 +59,23 @@ class StixApiTest extends IntegrationTest {
 
   @Autowired private ScenarioRepository scenarioRepository;
   @Autowired private InjectRepository injectRepository;
+  @Autowired private TagRepository tagRepository;
   @Autowired private SecurityCoverageRepository securityCoverageRepository;
+  @Autowired private AssetGroupService assetGroupService;
 
   @Autowired private AttackPatternComposer attackPatternComposer;
   @Autowired private VulnerabilityComposer vulnerabilityComposer;
   @Autowired private TagRuleComposer tagRuleComposer;
   @Autowired private AssetGroupComposer assetGroupComposer;
   @Autowired private EndpointComposer endpointComposer;
+  @Autowired private PayloadComposer payloadComposer;
   @Autowired private InjectorContractComposer injectorContractComposer;
   @Autowired private TagComposer tagComposer;
 
   @Autowired private InjectorFixture injectorFixture;
 
   private String stixSecurityCoverage;
+  private String stixSecurityCoverageNoLabels;
   private String stixSecurityCoverageWithoutTtps;
   private String stixSecurityCoverageWithoutVulns;
   private String stixSecurityCoverageWithoutObjects;
@@ -79,9 +86,21 @@ class StixApiTest extends IntegrationTest {
   @BeforeEach
   void setUp() throws Exception {
     attackPatternComposer.reset();
+    vulnerabilityComposer.reset();
+    tagRuleComposer.reset();
+    endpointComposer.reset();
+    assetGroupComposer.reset();
+    payloadComposer.reset();
+    injectorContractComposer.reset();
+    tagComposer.reset();
+
     stixSecurityCoverage =
         loadJsonWithStixObjectsAsText("src/test/resources/stix-bundles/security-coverage.json");
 
+    stixSecurityCoverageNoLabels =
+        loadJsonWithStixObjectsAsText(
+            "src/test/resources/stix-bundles/security-coverage-no-labels.json");
+
     stixSecurityCoverageWithoutTtps =
         loadJsonWithStixObjectsAsText(
             "src/test/resources/stix-bundles/security-coverage-without-ttps.json");
@@ -98,9 +117,6 @@ void setUp() throws Exception {
         loadJsonWithStixObjectsAsText(
             "src/test/resources/stix-bundles/security-coverage-only-vulns.json");
 
-    attackPatternComposer
-        .forAttackPattern(AttackPatternFixture.createAttackPatternsWithExternalId(T_1531))
-        .persist();
     attackPatternComposer
         .forAttackPattern(AttackPatternFixture.createAttackPatternsWithExternalId(T_1003))
         .persist();
@@ -170,16 +186,125 @@ void setUp() throws Exception {
         .persist();
   }
 
-  @AfterEach
-  void afterEach() {
-    attackPatternComposer.reset();
-    vulnerabilityComposer.reset();
-  }
-
   @Nested
   @DisplayName("Import STIX Bundles")
   class ImportStixBundles {
 
+    @Test
+    @DisplayName(
+        "When Security Coverage SDO has no labels property, should force adding opencti tag to scenario")
+    void whenSecurityCoverageSDOHasNoLabelsProperty_shouldForceAddingOpenctiTagToScenario()
+        throws Exception {
+      String response =
+          mvc.perform(
+                  post(STIX_URI + "/process-bundle")
+                      .contentType(MediaType.APPLICATION_JSON)
+                      .content(stixSecurityCoverageNoLabels))
+              .andExpect(status().isOk())
+              .andReturn()
+              .getResponse()
+              .getContentAsString();
+
+      assertThat(response).isNotBlank();
+      String scenarioId = JsonPath.read(response, "$.scenarioId");
+      Scenario createdScenario = scenarioRepository.findById(scenarioId).orElseThrow();
+      Tag openctiTag = tagRepository.findByName(OPENCTI_TAG_NAME).get();
+
+      assertThat(createdScenario.getTags()).contains(openctiTag);
+    }
+
+    @Test
+    @DisplayName(
+        "When Security Coverage SDO has labels property but not the opencti value, should force adding opencti tag to scenario")
+    void
+        whenSecurityCoverageSDOHasLabelsPropertyButNotTheOpenctiValue_shouldForceAddingOpenctiTagToScenario()
+            throws Exception {
+      String bundleWithoutOpenctiLabel = stixSecurityCoverage.replace("opencti", "some-label");
+
+      String response =
+          mvc.perform(
+                  post(STIX_URI + "/process-bundle")
+                      .contentType(MediaType.APPLICATION_JSON)
+                      .content(bundleWithoutOpenctiLabel))
+              .andExpect(status().isOk())
+              .andReturn()
+              .getResponse()
+              .getContentAsString();
+
+      assertThat(response).isNotBlank();
+      String scenarioId = JsonPath.read(response, "$.scenarioId");
+      Scenario createdScenario = scenarioRepository.findById(scenarioId).orElseThrow();
+      Tag openctiTag = tagRepository.findByName(OPENCTI_TAG_NAME).get();
+
+      assertThat(createdScenario.getTags()).contains(openctiTag);
+    }
+
+    @Test
+    @DisplayName("Eligible asset groups are assigned by tag rule")
+    void eligibleAssetGroupsAreAssignedByTagRule() throws Exception {
+      String label = "custom-label";
+      tagRuleComposer
+          .forTagRule(TagRuleFixture.createDefaultTagRule())
+          .withTag(tagComposer.forTag(TagFixture.getTagWithText(label)))
+          .withAssetGroup(
+              assetGroupComposer
+                  .forAssetGroup(
+                      AssetGroupFixture.createDefaultAssetGroup("%s asset group".formatted(label)))
+                  .withAsset(endpointComposer.forEndpoint(EndpointFixture.createEndpoint())))
+          .persist();
+
+      AttackPatternComposer.Composer attackPatternWrapper =
+          attackPatternComposer.forAttackPattern(
+              AttackPatternFixture.createAttackPatternsWithExternalId(T_1531));
+      injectorContractComposer
+          .forInjectorContract(
+              InjectorContractFixture.createInjectorContractWithPlatforms(
+                  List.of(Endpoint.PLATFORM_TYPE.Windows).toArray(Endpoint.PLATFORM_TYPE[]::new)))
+          .withAttackPattern(attackPatternWrapper)
+          .withPayload(
+              payloadComposer
+                  .forPayload(PayloadFixture.createDefaultCommand())
+                  .withAttackPattern(attackPatternWrapper))
+          .persist();
+
+      String bundleWithCustomLabel = stixSecurityCoverage.replace(OPENCTI_TAG_NAME, label);
+
+      entityManager.flush();
+      entityManager.clear();
+
+      String response =
+          mvc.perform(
+                  post(STIX_URI + "/process-bundle")
+                      .contentType(MediaType.APPLICATION_JSON)
+                      .content(bundleWithCustomLabel))
+              .andExpect(status().isOk())
+              .andReturn()
+              .getResponse()
+              .getContentAsString();
+
+      entityManager.flush();
+      entityManager.clear();
+
+      assertThat(response).isNotBlank();
+      String scenarioId = JsonPath.read(response, "$.scenarioId");
+      Scenario createdScenario = scenarioRepository.findById(scenarioId).orElseThrow();
+      Tag customTag = tagRepository.findByName(label).get();
+
+      assertThat(createdScenario.getTags()).contains(customTag);
+
+      List<Inject> injects =
+          createdScenario.getInjects().stream()
+              .filter(i -> i.getInjectorContract().get().getPayload() != null)
+              .toList();
+      assertThat(injects.size()).isEqualTo(1);
+
+      Inject inject = injects.getFirst();
+      Set<AssetGroup> desiredAssetGroups =
+          assetGroupService.fetchAssetGroupsFromScenarioTagRules(createdScenario);
+      assertThat(inject.getAssetGroups())
+          .containsExactlyInAnyOrderElementsOf(desiredAssetGroups.stream().toList());
+    }
+
     @Test
     @DisplayName("Should return 400 when STIX bundle has no security coverage")
     void shouldReturnBadRequestWhenNoSecurityCoverage() throws Exception {

openaev-api/src/test/java/io/openaev/utils/fixtures/TagRuleFixture.java

@@ -51,6 +51,10 @@ public static TagRule createTagRule(String tagRuleId, List<AssetGroup> assetGrou
     return rule;
   }
 
+  public static TagRule createDefaultTagRule() {
+    return new TagRule();
+  }
+
   public static TagRuleOutput createTagRuleOutput() {
     return TagRuleOutput.builder()
         .tagName(TAG_NAME)

openaev-api/src/test/java/io/openaev/utils/fixtures/composers/PayloadComposer.java

@@ -21,6 +21,7 @@ public class Composer extends InnerComposerBase<Payload> {
     private final List<OutputParserComposer.Composer> outputParserComposers = new ArrayList<>();
     private final List<DetectionRemediationComposer.Composer> detectionRemediationComposers =
         new ArrayList<>();
+    private final List<AttackPatternComposer.Composer> attackPatternComposers = new ArrayList<>();
 
     public Composer(Payload payload) {
       this.payload = payload;
@@ -61,6 +62,14 @@ public Composer withExecutable(DocumentComposer.Composer newDocumentComposer) {
       return this;
     }
 
+    public Composer withAttackPattern(AttackPatternComposer.Composer attackPatternWrapper) {
+      attackPatternComposers.add(attackPatternWrapper);
+      List<AttackPattern> tempList = new ArrayList<>(payload.getAttackPatterns());
+      tempList.add(attackPatternWrapper.get());
+      payload.setAttackPatterns(tempList);
+      return this;
+    }
+
     public Composer withOutputParser(OutputParserComposer.Composer outputParserComposer) {
       outputParserComposers.add(outputParserComposer);
       Set<OutputParser> outputParsers = payload.getOutputParsers();
@@ -74,6 +83,7 @@ public Composer persist() {
       documentComposer.ifPresent(DocumentComposer.Composer::persist);
       tagComposers.forEach(TagComposer.Composer::persist);
       detectionRemediationComposers.forEach(DetectionRemediationComposer.Composer::persist);
+      attackPatternComposers.forEach(AttackPatternComposer.Composer::persist);
       payload.setId(null);
       payloadRepository.save(payload);
       return this;
@@ -85,6 +95,7 @@ public Composer delete() {
       tagComposers.forEach(TagComposer.Composer::delete);
       payloadRepository.delete(payload);
       detectionRemediationComposers.forEach(DetectionRemediationComposer.Composer::delete);
+      attackPatternComposers.forEach(AttackPatternComposer.Composer::delete);
       return this;
     }