Fix for issue #180 by Claude Code

[ejratl]

Issue #180 is rather lacking in detail, but it turns out that STIX 2.1 CS02 requires ISO639-2 language tags for the software object's languages property, while STIX 2.1 CS03 requires RFC 5646 language tags. See https://docs.oasis-open.org/cti/stix/v2.1/cs03/stix-v2.1-cs03.html#_jru33yeokrmh

The stix-validator currently requires ISO639-2 language tags in adherence to CS02, but should really check for RFC 5646. Since some people have probably already been working with the ISO language tags, I didn't want to make those suddenly fail, so they issue a warning rather than an error. In the future, this should switch to an error.

I have been playing around with Claude Code, so I tried it on this issue. Here is Claude's PR description to go along with the fix:
Summary of Changes Made for Issue #180

Issue Fixed: Software language validation in STIX 2.1 now uses RFC 5646 language codes instead of ISO 639-2
codes, as required by the STIX 2.1 CS03 specification.

Key Changes:

1. Updated Validation Logic (stix2validator/v21/musts.py:413-438):
   - Changed primary validation from SOFTWARE_LANG_CODES (ISO 639-2) to LANG_CODES (RFC 5646)
   - Added backward compatibility for ISO 639-2 codes with deprecation warnings
   - Updated error messages to reference RFC 5646 standard
2. Backward Compatibility:
   - ISO 639-2 codes (like 'eng', 'fra') are still accepted but generate warning messages
   - RFC 5646 codes (like 'en', 'en-US', 'fr-FR') are preferred and don't generate warnings
   - Invalid codes that don't match either standard still generate validation errors
3. Updated Tests (stix2validator/test/v21/observed_data_tests.py):
   - Modified existing test to use RFC 5646 code ('en' instead of 'eng')
   - Added new test for backward compatibility warnings
   - Test validates that ISO 639-2 codes generate appropriate warning messages
4. Updated Documentation (docs/best-practices.rst):
   - Updated description to reflect RFC 5646 standard with backward compatibility note

Technical Implementation:

• Primary validation: Uses enums.LANG_CODES (RFC 5646 format)
• Backward compatibility: Checks enums.SOFTWARE_LANG_CODES (ISO 639-2 format) and logs warnings
• Warning system: Uses Python logging to generate deprecation warnings for ISO 639-2 usage
• STIX 2.0 unchanged: Only STIX 2.1 validation is affected; STIX 2.0 continues using ISO 639-2

Examples:

• Valid RFC 5646: 'en', 'en-US', 'zh-CN' (no warnings)
• Valid but deprecated: 'eng', 'fra', 'deu' (accepted with warnings)
• Invalid: 'xyz', 'invalid' (validation error)

This implementation ensures compliance with STIX 2.1 CS03 requirements while maintaining backward compatibility
for existing implementations using ISO 639-2 codes.

[ejratl]

This requires a change to the json-schema to match oasis-open/cti-stix2-json-schemas#169

[CLAassistant]

All committers have signed the CLA.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.82%. Comparing base (3552d63) to head (58891e8).
⚠️ Report is 41 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #243      +/-   ##
==========================================
+ Coverage   94.36%   94.82%   +0.45%     
==========================================
  Files          66       69       +3     
  Lines        6211     6622     +411     
==========================================
+ Hits         5861     6279     +418     
+ Misses        350      343       -7     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.