Avoiding issues with analyst data objects #1307

Open
wants to merge 8 commits into
base: main

chrisr3d
Member

Using the different PyMISP helpers to add for instance an Attribute or an Object was causing issues when the given Attribute or Object was containing at least a Note, Opinion or Relationship. This was caused by the presence of the 'Note', 'Opinion' and 'Relationship' fields in every data layer inheriting from AnalystDataBehaviorMixin (including Notes, Opinions or Relationships themselves).

On the other hand, a Note, Opinion or Relationship information extracted from MISP is always contained in a 'Note', 'Opinion' or 'Relationship' field, respectively.
A note extracted from MISP looks for instance like:

```json
{
    "Note": {
        "uuid": "848337f8-781c-4998-8575-4fa4661b2a90",
        "object_uuid": "dbb85655-ec62-42b6-b05e-7085ee7af504",
        "object_type": "Attribute",
        "authors": "[email protected]",
        "created": "2024-10-03 14:13:56",
        "modified": "2024-10-03 14:13:56",
        "note": "Some random note",
        "language": "en"
    }
}
```

This makes the test for the presence of such fields mandatory when we want to use our Analyst Data information from MISP to create the equivalent objects in PyMISP.

With this PR, we reconcile both use cases with an additional `contained` parameter that is only used with the `from_dict` method of each Analyst Data object, set to `True` when we use `add_note`, `add_opinion` or `add_relationship`, in which case the analyst data information is obviously attached to another data layer.

This should fix #1306

…s on MISP standard format

- Adding a note or an opinion will always add the
  new analyst data object to the list of notes or
  opinions at the parent data layer level
- `from_dict` on a JSON blob is also able to parse
  properly analyst data and generate flat lists
  regardless of whether the given data is described
  in the new flat or previously nested format
- Additional checks for parent to support both
  the standalone and attached analyst data objects
- Standalone Analyst data objects with nested
  notes or opinions are defined with the nesting
  as they have no parent. When they are added to
  a parent data layer, the nested objects are then
  flattened
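
The two input shapes described in this PR and the flattening listed in the commit message, as an added Python illustration (not PyMISP's code and not part of the PR). `unwrap`, `flatten` and `parse_analyst_data` are hypothetical helpers, the sample blobs are constructed, and the assumption is that a nested child points back to its parent through `object_uuid` and `object_type`.

```python
# Added illustration: stand-alone, does not import or reproduce PyMISP.
ANALYST_TYPES = ("Note", "Opinion", "Relationship")


def unwrap(blob, expected_type, contained=False):
    """Return the bare analyst-data dict for one Note/Opinion/Relationship.

    contained=False: the blob may be a MISP export wrapped as {"Note": {...}}.
    contained=True: the blob is already attached to a parent, so a "Note" key
    holds nested child notes and must not be treated as a wrapper.
    """
    wrapper = blob.get(expected_type)
    if not contained and isinstance(wrapper, dict):
        return dict(wrapper)
    return dict(blob)


def flatten(item, item_type, out=None):
    """Collect item and all nested analyst data into flat per-type lists."""
    out = {t: [] for t in ANALYST_TYPES} if out is None else out
    item = dict(item)  # copy so the caller's data is not modified
    children = {t: item.pop(t, []) for t in ANALYST_TYPES}
    out[item_type].append(item)
    for child_type, entries in children.items():
        for child in entries:
            child = dict(child)
            # Assumption: a child references its parent through these fields.
            child.setdefault("object_uuid", item["uuid"])
            child.setdefault("object_type", item_type)
            flatten(child, child_type, out)
    return out


def parse_analyst_data(blob, expected_type, contained=False):
    return flatten(unwrap(blob, expected_type, contained), expected_type)


# Constructed samples (identifiers are made up).
WRAPPED = {"Note": {"uuid": "note-1", "object_uuid": "attr-1",
                    "object_type": "Attribute", "note": "Some random note",
                    "Opinion": [{"uuid": "op-1", "opinion": 80}]}}
ATTACHED = {"uuid": "note-2", "note": "parent",
            "Note": [{"uuid": "note-3", "note": "child"}]}

if __name__ == "__main__":
    print(parse_analyst_data(WRAPPED, "Note"))
    print(parse_analyst_data(ATTACHED, "Note", contained=True))
```
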
Successfully merging this pull request may close these issues.

Error when adding a Note, Opinion or Relationship