Merge pull request #91 from center-for-threat-informed-defense/af-obj…

…ect-ref-resolution AF-165: Observed Data & some small changes
center-for-threat-informed-defense · Aug 7, 2023 · c3a34f7 · c3a34f7
2 parents 3ea23b0 + b35a240
commit c3a34f7
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 2 deletions.
diff --git a/src/attack_flow_builder/src/assets/builder.config.publisher.ts b/src/attack_flow_builder/src/assets/builder.config.publisher.ts
@@ -252,6 +252,10 @@ class AttackFlowPublisher extends DiagramPublisher {
                     break;
                 default:
                     if(prop.isDefined()) {
+                        if(node.type === "mac-addr") {
+                            node[key] = prop.toRawValue()!.toString().toLowerCase();
+                            break;
+                        }
                         node[key] = prop.toRawValue();
                     }
                     break;
@@ -357,6 +361,9 @@ class AttackFlowPublisher extends DiagramPublisher {
                 case "note":
                     this.tryEmbedInNote(parent, c.obj);
                     break;
+                case "observed-data":
+                    this.tryEmbedInNote(parent, c.obj);
+                    break;
                 case "opinion":
                     this.tryEmbedInNote(parent, c.obj);
                     break;

diff --git a/src/attack_flow_builder/src/assets/builder.config.validator.ts b/src/attack_flow_builder/src/assets/builder.config.validator.ts
@@ -17,6 +17,8 @@ class AttackFlowValidator extends DiagramValidator {
     static IPv6regex = /^((([0-9a-f]{1,4}:){7}([0-9a-f]{1,4}|:))|(([0-9a-f]{1,4}:){6}(:[0-9a-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9a-f]{1,4}:){5}(((:[0-9a-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9a-f]{1,4}:){4}(((:[0-9a-f]{1,4}){1,3})|((:[0-9a-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9a-f]{1,4}:){3}(((:[0-9a-f]{1,4}){1,4})|((:[0-9a-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9a-f]{1,4}:){2}(((:[0-9a-f]{1,4}){1,5})|((:[0-9a-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9a-f]{1,4}:){1}(((:[0-9a-f]{1,4}){1,6})|((:[0-9a-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9a-f]{1,4}){1,7})|((:[0-9a-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?(\/(12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))?$/i;
     static MACregex = /^([0-9a-f]{2}[:]){5}([0-9a-f]{2})$/i;
     static Emailregex = /^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;
+    static stixObservables = new Set<string>(["artifact", "directory", "file", "mutex", "process", "software", "user_account", "windows_registry_key", "x509_certificate", "autonomous_system", "domain_name", "email_address", "email_message", "ipv4_addr", "ipv6_addr", "mac_addr", "network_traffic", "url"]);
+
 
     protected graph?: GraphExport;
 
@@ -193,6 +195,18 @@ class AttackFlowValidator extends DiagramValidator {
                     this.addError(id, "A Note must point to at least one object.");
                 }
                 break;
+            case "observed_data":
+                if(node.next.length === 0) {
+                    this.addError(id, "Observed Data must point to at least one stix observable.");
+                } else {
+                    // Check the template.id of every child node
+                    for (let [childId, childNode] of this.getOutboundNodes(node.props.object.id)) {
+                        if(!AttackFlowValidator.stixObservables.has(childNode.template.id)) {
+                            this.addError(childId, "Observed Data can only be linked to Stix Observables.");
+                        }
+                    }
+                }
+                break;
             case "opinion":
                 if(node.next.length === 0) {
                     this.addError(id, "An Opinion must point to at least one object.");

diff --git a/src/attack_flow_builder/src/assets/scripts/BlockDiagram/SemanticAnalyzer/GraphExportTypes.ts b/src/attack_flow_builder/src/assets/scripts/BlockDiagram/SemanticAnalyzer/GraphExportTypes.ts
@@ -59,9 +59,9 @@ export class GraphObjectExport {
      * @param props
      *  The object's properties.
      * @param nextLinkMap
-     *  The object's parent link map.
-     * @param prevLinkMap
      *  The object's child link map.
+     * @param prevLinkMap
+     *  The object's parent link map.
      */
     constructor(
         template: ObjectTemplate,