Merge pull request #87 from center-for-threat-informed-defense/af150-…

…malware-analysis

Af150 malware analysis

src/attack_flow_builder/src/assets/builder.config.publisher.ts

@@ -332,6 +332,9 @@ class AttackFlowPublisher extends DiagramPublisher {
                 case "grouping":
                     this.tryEmbedInNote(parent, c.obj);
                     break;
+                case "malware-analysis":
+                    this.tryEmbedInMalwareAnalysis(parent, c.obj);
+                    break;
                 case "network-traffic":
                     sro = this.tryEmbedInNetworkTraffic(parent, c.obj);
                     break;
@@ -540,6 +543,23 @@ class AttackFlowPublisher extends DiagramPublisher {
         parent.object_refs.push(child.id);
     }
 
+    /**
+     * Embed a reference to the child in the malware analysis. If the child cannot be
+     * embedded, return a new SRO.
+     * @param parent
+     *  A STIX malware analysis node.
+     * @param child
+     *  A STIX child node.
+     * @returns
+     *  An SRO, if one was created.
+     */
+    private tryEmbedInMalwareAnalysis(parent: Sdo, child: Sdo): void {
+        if (!parent.analysis_sco_refs) {
+            parent.analysis_sco_refs = [];
+        }
+        parent.analysis_sco_refs.push(child.id);
+    }
+
     /**
      * Embed a reference to the child in the parent. If the child cannot be
      * embedded, return a new SRO.

src/attack_flow_builder/src/assets/builder.config.ts

@@ -410,7 +410,20 @@ const config: AppConfiguration = {
                     submitted                    : { type: PropertyType.Date },
                     analysis_started             : { type: PropertyType.Date },
                     analysis_ended               : { type: PropertyType.Date },
-                    av_result                    : { type: PropertyType.String},
+                    result                       : {
+                        type: PropertyType.Enum,
+                        options: {
+                            type: PropertyType.List,
+                            form: { type: PropertyType.String },
+                            value: [
+                                ["malicious", "Malicious"],
+                                ["suspicious", "Suspicious"],
+                                ["benign", "Benign"],
+                                ["unknown", "Unknown"]
+                            ]
+                        },
+                        value: null
+                    },
                 },
                 anchor_template: "@__builtin__anchor",
                 style: DarkTheme.DictionaryBlock({ head: { ...Colors.Gray }})

src/attack_flow_builder/src/assets/builder.config.validator.ts

@@ -177,6 +177,14 @@ class AttackFlowValidator extends DiagramValidator {
                     this.addError(id, "Latitude and Longitude must be supplied together.");
                 }
                 break;
+            case "malware_analysis":
+                if(!node.props.value.get("result")?.isDefined()) {
+                    // If "result" is empty, check for "analysis_sco_refs"
+                    if(node.next.length === 0) {
+                        this.addError(id, "A Malware Analysis must have the Result field filled out or point to at least one object captured during analysis.")
+                    }
+                }
+                break;
             case "network_traffic":
                 this.validateNetworkTrafficLinks(id, node);
                 break;

stix/oasis-open/sdos/malware-analysis.json

@@ -146,7 +146,7 @@
     {"required": ["analysis_sco_refs"]}
   ],
   "definitions": {
-    "malware-av-result-ov": {
+    "malware-result-ov": {
       "type": "string",
       "enum": [
         "malicious",