Fix: HybridAnalysis hash search: switch POST to GET + add overview fallback (#2934)

[PranavShukla7]

Description

Fixes #2934

This PR updates the HybridAnalysis analyzer to support API changes introduced in
API v2.35.0, where the POST /search/hash endpoint was deprecated and replaced by a GET version.

The new GET endpoint returns a minimal response instead of a full SampleSummary.
To maintain backward compatibility, this PR adds a fallback request to
/overview/ to restore the previous output structure.

Type of change

• [✓] Bug fix (non-breaking change which fixes an issue).
• New feature (non-breaking change which adds functionality).
• Breaking change (fix or feature that would cause existing functionality to not work as expected).

Checklist

• [✓] I have read and understood the rules about how to Contribute to this project
• [✓] The pull request is for the branch develop
• A new plugin (analyzer, connector, visualizer, playbook, pivot or ingestor) was added or changed, in which case:
  • [✓] I strictly followed the documentation "How to create a Plugin"
  • Usage file was updated. A link to the PR to the docs repo has been added as a comment here.
  • Advanced-Usage was updated (in case the plugin provides additional optional configuration). A link to the PR to the docs repo has been added as a comment here.
  • I have dumped the configuration from Django Admin using the dumpplugin command and added it in the project as a data migration. ("How to share a plugin with the community")
  • If a File analyzer was added and it supports a mimetype which is not already supported, you added a sample of that type inside the archive test_files.zip and you added the default tests for that mimetype in test_classes.py.
  • If you created a new analyzer and it is free (does not require any API key), please add it in the FREE_TO_USE_ANALYZERS playbook by following this guide.
  • Check if it could make sense to add that analyzer/connector to other freely available playbooks.
  • I have provided the resulting raw JSON of a finished analysis and a screenshot of the results.
  • If the plugin interacts with an external service, I have created an attribute called precisely url that contains this information. This is required for Health Checks (HEAD HTTP requests).
  • If the plugin requires mocked testing, _monkeypatch() was used in its class to apply the necessary decorators.
  • I have added that raw JSON sample to the MockUpResponse of the _monkeypatch() method. This serves us to provide a valid sample for testing.
  • I have created the corresponding DataModel for the new analyzer following the documentation
• [✓] I have inserted the copyright banner at the start of the file: # This file is a part of IntelOwl https://github.com/intelowlproject/IntelOwl # See the file 'LICENSE' for copying permission.
• [✓] Please avoid adding new libraries as requirements whenever it is possible. Use new libraries only if strictly needed to solve the issue you are working for. In case of doubt, ask a maintainer permission to use a specific library.
• If external libraries/packages with restrictive licenses were added, they were added in the Legal Notice section.
• [✓] Linters (Black, Flake, Isort) gave 0 errors. If you have correctly installed pre-commit, it does these checks and adjustments on your behalf.
• I have added tests for the feature/bug I solved (see tests folder). All the tests (new and old ones) gave 0 errors.
• If the GUI has been modified:
  • I have a provided a screenshot of the result in the PR.
  • I have created new frontend tests for the new component or updated existing ones.
• [✓] After you had submitted the PR, if DeepSource, Django Doctors or other third-party linters have triggered any alerts during the CI checks, I have solved those alerts.

[PranavShukla7]

Hey @mlodic ,
I’ve updated the analyzer to use the GET version of /search/hash as required by the recent Hybrid Analysis changes, and added a fallback to the overview/{sha256} endpoint to preserve full results when only minimal hashes are returned.

I’ve also refactored the logic into smaller helper functions to make the flow cleaner and easier to maintain.
Could you please review the changes and let me know if anything needs adjustment?

[mlodic]

can you please show us the output from this analyzer from the GUI?

[mlodic]

it seems fine, can you please provide 3 examples of execution with real data:

• 1 with hash and minimal result
• 1 with hash and full result
• 1 for a domain
  This fasten our review because we need to have proof that this works in this platform too and not only in the unitests

[mlodic]

we are not using monkeypatch anymore, you can change the related test here: https://github.com/intelowlproject/IntelOwl/blob/develop/tests/api_app/analyzers_manager/unit_tests/observable_analyzers/test_ha_get.py

[fgibertoni]

I do like the general approach of using functions.
If you're performing more than one call to APIs per analyzer run I think it would be better to use a Session object, just to make things more clear. Let me know what you think :)

[fgibertoni]

I think this can be left as pass. Have you changed it for any particular reason?