Merge branch 'release/3.5.25'

Author: nusantara-self

.github/workflows/build.yml

@@ -149,12 +149,15 @@ jobs:
 
           if [ ! -f "$dockerfile_path" ]; then
             echo "Dockerfile not found in $dockerfile_path. Creating one..."
-            echo "FROM python:3-alpine" > "$dockerfile_path"
-            echo "RUN apk add --no-cache openssl ca-certificates" >> "$dockerfile_path"
+            #echo "FROM python:3-alpine" > "$dockerfile_path"
+            #echo "RUN apk add --no-cache openssl ca-certificates" >> "$dockerfile_path"
+            echo "FROM python:3-slim" > "$dockerfile_path"
+            # echo "RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates && rm -rf /var/lib/apt/lists/*" >> "$dockerfile_path"
 
             # Check if current worker is among special alpine workers
             if echo "$special_alpine_workers" | grep -qw "$matrix_directory"; then
-              echo "RUN apk add --no-cache file-dev && rm -rf /var/cache/apk/*" >> "$dockerfile_path"
+            #  echo "RUN apk add --no-cache file-dev && rm -rf /var/cache/apk/*" >> "$dockerfile_path"
+              echo "RUN apt-get update && apt-get install -y --no-install-recommends libmagic1 && rm -rf /var/lib/apt/lists/*" >> "$dockerfile_path"
             fi
 
             echo "WORKDIR /worker" >> "$dockerfile_path"
@@ -272,6 +275,16 @@ jobs:
             org.opencontainers.image.url=https://thehive-project.org
             org.opencontainers.image.version=${{ env.VERSION }}
 
+      - name: Scan image for vulnerabilities (Trivy)
+        uses: aquasecurity/trivy-action@0.32.0
+        with:
+          image-ref: ghcr.io/${{ env.LOWER_REPO_OWNER }}/${{ env.LOWERCASE_NAME }}:${{ env.IMAGE_TAG }}
+          format: table
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+          exit-code: 0
+          ignore-unfixed: true
+
       - name: Test imports in the container (amd64)
         if: ${{ steps.check-rebuild.outputs.rebuild == 'true' && contains(env.PLATFORMS, 'linux/amd64') }}
         run: |
@@ -557,13 +570,14 @@ jobs:
 
           if [ ! -f "$dockerfile_path" ]; then
             echo "Dockerfile not found in $dockerfile_path. Creating one..."
-            echo "FROM python:3-alpine" > "$dockerfile_path"
-            echo "RUN apk add --no-cache openssl ca-certificates" >> "$dockerfile_path"
-
+            # echo "FROM python:3-alpine" > "$dockerfile_path"
+            # echo "RUN apk add --no-cache openssl ca-certificates bind-tools" >> "$dockerfile_path"
+            echo "FROM python:3-slim" > "$dockerfile_path"
 
             # Check if current worker is among special alpine workers
             if echo "$special_alpine_workers" | grep -qw "$matrix_directory"; then
-              echo "RUN apk add --no-cache file-dev && rm -rf /var/cache/apk/*" >> "$dockerfile_path"
+            #  echo "RUN apk add --no-cache file-dev && rm -rf /var/cache/apk/*" >> "$dockerfile_path"
+              echo "RUN apt-get update && apt-get install -y --no-install-recommends libmagic1 && rm -rf /var/lib/apt/lists/*" >> "$dockerfile_path"
             fi
 
             echo "WORKDIR /worker" >> "$dockerfile_path"
@@ -682,6 +696,16 @@ jobs:
             org.opencontainers.image.url=https://thehive-project.org
             org.opencontainers.image.version=${{ env.VERSION }}
 
+      - name: Scan image for vulnerabilities (Trivy)
+        uses: aquasecurity/trivy-action@0.32.0
+        with:
+          image-ref: ghcr.io/${{ env.LOWER_REPO_OWNER }}/${{ env.LOWERCASE_NAME }}:${{ env.IMAGE_TAG }}
+          format: table
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+          exit-code: 0
+          ignore-unfixed: true
+
       - name: Test imports in the container (amd64)
         if: ${{ steps.check-rebuild.outputs.rebuild == 'true' && contains(env.PLATFORMS, 'linux/amd64') }}
         run: |

CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## [3.5.24](https://github.com/TheHive-Project/Cortex-Analyzers/tree/3.5.24) (2025-08-18)
+
+[Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/3.5.23...3.5.24)
+
+**Merged pull requests:**
+
+- Elasticsearch Analyzer: Fix deprecated timeout constructor argument [\#1374](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1374) ([bytinbit](https://github.com/bytinbit))
+
 ## [3.5.23](https://github.com/TheHive-Project/Cortex-Analyzers/tree/3.5.23) (2025-08-12)
 
 [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/3.5.22...3.5.23)
@@ -104,6 +112,10 @@
 
 [Full Changelog](https://github.com/TheHive-Project/Cortex-Analyzers/compare/3.5.12...3.5.13)
 
+**Closed issues:**
+
+- MISP Analyzer \(misp:2 image\) fails with 'input: null' and 'worker didn't generate output file' on Python 3.13.3 [\#1355](https://github.com/TheHive-Project/Cortex-Analyzers/issues/1355)
+
 **Merged pull requests:**
 
 - Fix analyzer: incompatible ctx.io api \[Malwares\] [\#1350](https://github.com/TheHive-Project/Cortex-Analyzers/pull/1350) ([Ignatella](https://github.com/Ignatella))

analyzers/EmlParser/Dockerfile

@@ -12,11 +12,11 @@
 #
 # 
 
-FROM python:3-slim
+FROM python:3-slim-bookworm
 WORKDIR /worker
 RUN apt update
 RUN apt install -y wkhtmltopdf python3-magic
 COPY requirements.txt EmlParser/
 RUN test ! -e EmlParser/requirements.txt || pip install --no-cache-dir -r EmlParser/requirements.txt
 COPY . EmlParser/
-ENTRYPOINT ["python", "EmlParser/parse.py"]
+ENTRYPOINT ["python", "EmlParser/parse.py"]

analyzers/MalwareBazaar/MalwareBazaar_analyzer.py

@@ -17,17 +17,17 @@ def run(self):
         results = {}
         if self.data_type == 'hash':
             if len(data) in [32, 40, 64]:
-                headers = { 'API-KEY': self.api_key }
+                headers = { 'Auth-Key': self.api_key }
                 data = {
                     'query': 'get_info',
                     'hash': data,
                 }
                 results = requests.post(BASEURL, data=data, timeout=15, headers=headers)
 
-                if results.status_code == 200:
+                if 200 <= results.status_code < 300:
                     results = results.json()
                     if results['query_status'] in ['http_post_expected', 'illegal_hash', 'no_hash_provided']:
-                        self.error('MalwareBazaar returned error: %s' % results['query_status'])
+                        self.error(f'MalwareBazaar returned error: {results["query_status"]}')
                     elif results['query_status'] != 'hash_not_found':
                         results['data'] = results['data'][0]
             else:

analyzers/TestAnalyzer/DevTools_Echo.json

@@ -0,0 +1,68 @@
+{
+  "name": "DevTools_Echo",
+  "version": "1.0",
+  "author": "Fabien Bloume, StrangeBee",
+  "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+  "license": "AGPL-V3",
+  "description": "Development utility that simply echoes the (available) input received by the analyzer.",
+  "dataTypeList": [
+    "ip",
+    "domain",
+    "url",
+    "fqdn",
+    "mail",
+    "file",
+    "hash",
+    "filename",
+    "uri_path",
+    "user-agent",
+    "mail-subject"
+  ],
+  "baseConfig": "TestAnalyzer",
+  "command": "TestAnalyzer/testing.py",
+  "config": {
+    "service": "echo"
+  },
+  "configurationItems": [
+    {
+      "name": "some_string",
+      "description": "placeholder string",
+      "type": "string",
+      "multi": false,
+      "required": false,
+      "defaultValue": "some string.."
+    },
+    {
+      "name": "some_list",
+      "description": "placeholder list",
+      "type": "string",
+      "multi": true,
+      "required": false,
+      "defaultValue": [
+        "item1",
+        "item2",
+        "item3"
+      ]
+    },
+    {
+      "name": "some_number",
+      "description": "placeholder number",
+      "type": "number",
+      "multi": false,
+      "required": false,
+      "defaultValue": 1
+    },
+    {
+      "name": "throw_error",
+      "description": "throw an error!",
+      "type": "boolean",
+      "multi": false,
+      "required": true,
+      "defaultValue": false
+    }
+  ],
+  "registration_required": false,
+  "subscription_required": false,
+  "free_subscription": false,
+  "serviceHomepage": "None"
+}

analyzers/TestAnalyzer/testing.py

@@ -3,69 +3,121 @@
 
 from cortexutils.analyzer import Analyzer
 
+
 class TestAnalyzer(Analyzer):
     def __init__(self):
         Analyzer.__init__(self)
-        self.some_string = self.get_param(
-            "config.some_string", None, "some_string parameter is missing"
-        )
-        self.some_list = self.get_param(
-            "config.some_list", ["item1", "item2", "item3"], "some_list parameter is missing"
-        )
-        self.some_number = self.get_param(
-            "config.some_number", 1, "some_number parameter is missing"
-        )
+        self.some_string = self.get_param("config.some_string", None)
+        self.some_list = self.get_param("config.some_list", ["item1", "item2", "item3"])
+        self.some_number = self.get_param("config.some_number", 1)
         self.throw_error = self.get_param(
             "config.throw_error", False, "throw_error parameter is missing"
         )
-        
+        self.service = self.get_param(
+            "config.service", None, "Service parameter is missing"
+        )
+
     def run(self):
-        if self.throw_error:
-            error_message = "this is an error string: throw_error boolean is set to True in Cortex"
-            self.error(error_message)
-        data = self.get_data()
-        #data = self.get_param("data", None, "Data is missing")
-        datatype = self.data_type
-
-        #result = {"data": data, "dataType": datatype, "arrayExample": ["A", "B", "C"], "tableExample": {"colA": "row A value", "colB": "row B value", "colC": "row C value",}}
-    
-        # Unicode test data
-        unicode_test_string = "こんにちは, 你好, 안녕하세요, 😀, 💻, π, ∑, ∞, « Bonjour, comment ça va ? »"
-        unicode_table_example = {
-            "colA": "Row A: こんにちは (Hello in Japanese)", 
-            "colB": "Row B: 你好 (Hello in Chinese)", 
-            "colC": "Row C: 😀 (Smiley emoji)",
-            "colD": "«Row D: Bonjour, comment ça va ? Très bien. » (Hello, how are you? Doing very well. in French)"
-        }
-    
-        result = {
-            "data": data, 
-            "dataType": datatype, 
-            "arrayExample": ["A", "B", "C", "Δ", "Ж", "Ω", "💡"],
-            "tableExample": unicode_table_example,
-            "unicodeTest": unicode_test_string
-        }
-    
-        self.report(result)
-        
+        try:
+            if self.throw_error:
+                error_message = "this is an error string: throw_error boolean is set to True in Cortex"
+                self.error(error_message)
+            data = self.get_data()
+            # data = self.get_param("data", None, "Data is missing")
+            datatype = self.data_type
+
+            if self.service == "echo":
+                everything = {
+                    # Observable metadata
+                    # "_id": self.get_param("_id", None),               ## Not supported / Not in input
+                    # "_type": self.get_param("_type", None),           ## Not supported / Not in input
+                    # "_createdBy": self.get_param("_createdBy", None), ## Not supported / Not in input
+                    # "_updatedBy": self.get_param("_updatedBy", None), ## Not supported / Not in input
+                    # "_createdAt": self.get_param("_createdAt", None), ## Not supported / Not in input
+                    # "_updatedAt": self.get_param("_updatedAt", None), ## Not supported / Not in input
+
+                    # Core observable
+                    "dataType": self.get_param("dataType", None),
+                    "data": self.get_param("data", None),
+
+                    # Dates
+                    # "startDate": self.get_param("startDate", None),   ## Not supported / Not in input
+
+                    # TLP / PAP
+                    "tlp": self.get_param("tlp", None),
+                    # "tlpLabel": self.get_param("tlpLabel", None),    ## Not supported / Not in input
+                    "pap": self.get_param("pap", None),
+                    # "papLabel": self.get_param("papLabel", None),    ## Not supported / Not in input
+
+                    # Tags / IOC / Sighted
+                    # "tags": self.get_param("tags", None),            ## Not supported / Not in input
+                    # "ioc": self.get_param("ioc", None),              ## Not supported / Not in input
+                    # "sighted": self.get_param("sighted", None),      ## Not supported / Not in input
+                    # "sightedAt": self.get_param("sightedAt", None),  ## Not supported / Not in input
+                    # "ignoreSimilarity": self.get_param("ignoreSimilarity", None), ## Not supported / Not in input
+
+                    # Reports
+                    # "reports": self.get_param("reports", None),      ## Not supported / Not in input
+
+                    # Message
+                    "message": self.get_param("message", None), # Represents case ID!
+
+                    # Extra data
+                    # "extraData": self.get_param("extraData", None),  ## Not supported / Not in input
+
+                    # File / attachment (if applicable)
+                    "file": self.get_param("file", None),            ## Not in input (null unless dataType=="file")
+                    "attachment": self.get_param("attachment", None),## Not supported / Not in input
+
+                    # Job parameters & analyzer config blocks
+                    "parameters": self.get_param("parameters", {}),
+                    "config": self.get_param("config", {}),
+
+                    # Proxy (if passed)
+                    "proxy": self.get_param("proxy", {}),
+                }
+                result = everything
+
+            elif self.service == "testing":
+                # result = {"data": data, "dataType": datatype, "arrayExample": ["A", "B", "C"], "tableExample": {"colA": "row A value", "colB": "row B value", "colC": "row C value",}}
+
+                # Unicode test data
+                unicode_test_string = "こんにちは, 你好, 안녕하세요, 😀, 💻, π, ∑, ∞, « Bonjour, comment ça va ? »"
+                unicode_table_example = {
+                    "colA": "Row A: こんにちは (Hello in Japanese)",
+                    "colB": "Row B: 你好 (Hello in Chinese)",
+                    "colC": "Row C: 😀 (Smiley emoji)",
+                    "colD": "«Row D: Bonjour, comment ça va ? Très bien. » (Hello, how are you? Doing very well. in French)",
+                }
+
+                result = {
+                    "data": data,
+                    "dataType": datatype,
+                    "arrayExample": ["A", "B", "C", "Δ", "Ж", "Ω", "💡"],
+                    "tableExample": unicode_table_example,
+                    "unicodeTest": unicode_test_string,
+                }
+
+            self.report(result)
+        except Exception as e:
+            self.error(f"Unhandled exception: {e}")
+
     def summary(self, raw):
         taxonomies = []
         namespace = "testing"
         predicate = self.data_type
         value = "None"
-        
-        # safe, info, suspicious, malicious
-        for level in ["info", "safe", "suspicious", "malicious"]:
-            taxonomies.append(
-                self.build_taxonomy(
-                    level, namespace, predicate, value)
-            )
-        
+
+        if self.service == "testing":
+            # safe, info, suspicious, malicious
+            for level in ["info", "safe", "suspicious", "malicious"]:
+                taxonomies.append(
+                    self.build_taxonomy(level, namespace, predicate, value)
+                )
         return {"taxonomies": taxonomies}
 
     def operations(self, raw):
         operations = []
-        operations.append(self.build_operation('AddTagToArtifact', tag="test"))
         ## For reference only
         # case class AddTagToCase(tag: String)                                  extends ActionOperation
         # case class AddTagToArtifact(tag: String)                              extends ActionOperation
@@ -86,16 +138,17 @@ def operations(self, raw):
         #     tags: Option[Seq[String]]
         # )                                    extends ActionOperation
         # case class AssignCase(owner: String) extends ActionOperation
+        if self.service == "testing":
+            operations.append(self.build_operation("AddTagToArtifact", tag="test"))
         return operations
 
     def artifacts(self, raw):
         artifacts = []
-        data_type = "ip"
-        value = "8.8.8.8"
-        extra_args = {
-            "tags": ["test"]
-        }
-        artifacts.append(self.build_artifact(data_type, value, **extra_args))
+        if self.service == "testing":
+            data_type = "ip"
+            value = "8.8.8.8"
+            extra_args = {"tags": ["test"]}
+            artifacts.append(self.build_artifact(data_type, value, **extra_args))
         return artifacts