fix: issue #56 (#57)

frack113 · phantinuss · web-flow · commit 42077f8dfd10 · 2025-11-11T08:49:40.000+01:00
* fix: 🐛 Fix SigmahqTagsTechniquesWithoutTacticsValidator with invalid technique code

56

* style: 💄 Run black

* Apply suggestions from code review

Co-authored-by: phantinuss &lt;79651203+phantinuss@users.noreply.github.com&gt;

---------

Co-authored-by: phantinuss &lt;79651203+phantinuss@users.noreply.github.com&gt;
diff --git a/sigma/validators/sigmahq/tags.py b/sigma/validators/sigmahq/tags.py
@@ -125,6 +125,7 @@ def validate(self, rule: SigmaRuleBase) -> List[SigmaValidationIssue]:
         for technique in technique_tags:
             technique_upper = technique.upper()
 
+            # Check if the technique exists in mapping before accessing it
             if technique_upper in mitre_attack_techniques_tactics_mapping:
                 required_tactics = mitre_attack_techniques_tactics_mapping[technique_upper]
                 missing_tactics.extend(
@@ -133,10 +134,12 @@ def validate(self, rule: SigmaRuleBase) -> List[SigmaValidationIssue]:
 
         if missing_tactics:
             for missing_tactic in set(missing_tactics):
+                # Add safety check to ensure technique exists before accessing mapping
                 techniques = [
                     technique
                     for technique in technique_tags
-                    if missing_tactic in mitre_attack_techniques_tactics_mapping[technique.upper()]
+                    if technique.upper() in mitre_attack_techniques_tactics_mapping
+                    and missing_tactic in mitre_attack_techniques_tactics_mapping[technique.upper()]
                 ]
                 issues.append(
                     SigmahqTagsTechniquesWithoutTacticsIssue(
diff --git a/tests/test_tags.py b/tests/test_tags.py
@@ -275,3 +275,26 @@ def test_validator_SigmahqTagsTechniquesWithoutTactics_valid():
     """
     )
     assert validator.validate(rule) == []
+
+
+def test_validator_SigmahqTagsInvalidTechnique():
+    """Test that invalid MITRE technique codes don't cause KeyError"""
+    validator = SigmahqTagsTechniquesWithoutTacticsValidator()
+    # This rule contains an invalid T123456789 technique code
+    rule = SigmaRule.from_yaml(
+        """
+    title: test
+    status: unsupported
+    tags:
+        - attack.t123456789
+        - tlp.clear
+    logsource:
+        category: test
+    detection:
+        sel:
+            field: path\\*something
+        condition: sel
+    """
+    )
+    # Should not raise KeyError, should return empty list since invalid technique is ignored
+    assert validator.validate(rule) == []
