ruby-stix2 0.1.0 → 0.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 123ddb57694307c96be2fbdf9a9d9f8c9ac55fbbbf35dc7f71c196aadad728b6
-  data.tar.gz: fff53b71f98c23069d7c3dd0da2a4ca3799f424a162f10629029361b0624800e
+  metadata.gz: 8cd2f086caa5d9a2a071c57ae11abd650797807ca3c87c6a0db54ecc3b327f2e
+  data.tar.gz: 87c05b9b056e4990e24c40f78e5fb1a04e2f5acf31d9931fdd44f37cfab55a86
 SHA512:
-  metadata.gz: e7aae57f5bf2b8415431df88dd2999ed85cfbf56f9f1634e750a0f00a53375c6dff96060ae96a4052eb2efca4471d38ac8244f1824f7f8f03df18ac883430517
-  data.tar.gz: 63a3575a2886265784846dccb94fe8e32f300ca4c3c8006311f27acb19c0dc3a87c792b2aa4530c73b5ce5e1a2fd8064a2bcf50c051778dd743e7f4fa6831d2a
+  metadata.gz: ea1dd38b79bf6012ed112b9b2ab25f21f44a098f3f91de66a84af02c9eee5300f6ff7d4e4cb9a2aa0bcd1f1d844972767b139b99d11ea8cc57fb69452ebb4779
+  data.tar.gz: 1b711607c4544bc3e3e82ae4cc35bac57fe99f4e1a90ed2c32ed94b30a6378d602d7521ddafc3c392debab3c0e24fd89e6ec13f3b641d957a9dfae91d80240c4

data/.github/workflows/build.yml

@@ -10,11 +10,11 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest, windows-latest]
-        ruby: ['2.7', '3.0', '3.1', head]
+        ruby: ['3.0', '3.1', '3.2', '3.3', head]
     runs-on: ${{ matrix.os }}
     permissions: write-all
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: Set up Ruby
       uses: ruby/setup-ruby@v1
       with:
@@ -22,9 +22,10 @@ jobs:
         bundler: latest
     - run: bundle
     - run: bundle exec rake test
+    - run: bundle exec standardrb
     - name: SimpleCov Ruby ${{ matrix.ruby }}
       uses: joshmfrankel/simplecov-check-action@main
-      if: ${{ matrix.os == 'ubuntu-latest' && matrix.ruby == '3.1' }}
+      if: ${{ matrix.os == 'ubuntu-latest' && matrix.ruby == '3.2' }}
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
         check_job_name: SimpleCov ${{ matrix.ruby }}

data/Gemfile

@@ -1,4 +1,4 @@
-source 'https://rubygems.org'
+source "https://rubygems.org"
 
 # Specify your gem's dependencies in ruby-taxii.gemspec
 gemspec

data/Gemfile.lock

@@ -1,43 +1,96 @@
 PATH
   remote: .
   specs:
-    ruby-stix2 (0.1.0)
+    ruby-stix2 (0.1.1)
       hashie (~> 5.0.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
+    ast (2.4.2)
     byebug (11.1.3)
     coderay (1.1.3)
     docile (1.4.0)
     hashie (5.0.0)
+    io-console (0.6.0)
+    irb (1.7.0)
+      reline (>= 0.3.0)
+    json (2.7.2)
+    language_server-protocol (3.17.0.3)
+    lint_roller (1.1.0)
     method_source (1.0.0)
     minitest (5.18.1)
+    mutex_m (0.2.0)
+    parallel (1.24.0)
+    parser (3.3.0.5)
+      ast (~> 2.4.1)
+      racc
     pry (0.13.1)
       coderay (~> 1.1)
       method_source (~> 1.0)
     pry-byebug (3.10.1)
       byebug (~> 11.0)
       pry (>= 0.13, < 0.15)
+    racc (1.7.3)
+    rainbow (3.1.1)
     rake (13.0.6)
+    regexp_parser (2.9.0)
+    reline (0.3.5)
+      io-console (~> 0.5)
+    rexml (3.2.6)
+    rubocop (1.62.1)
+      json (~> 2.3)
+      language_server-protocol (>= 3.17.0)
+      parallel (~> 1.10)
+      parser (>= 3.3.0.2)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 1.8, < 3.0)
+      rexml (>= 3.2.5, < 4.0)
+      rubocop-ast (>= 1.31.1, < 2.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 2.4.0, < 3.0)
+    rubocop-ast (1.31.2)
+      parser (>= 3.3.0.4)
+    rubocop-performance (1.20.2)
+      rubocop (>= 1.48.1, < 2.0)
+      rubocop-ast (>= 1.30.0, < 2.0)
+    ruby-progressbar (1.13.0)
     simplecov (0.22.0)
       docile (~> 1.1)
       simplecov-html (~> 0.11)
       simplecov_json_formatter (~> 0.1)
     simplecov-html (0.12.3)
     simplecov_json_formatter (0.1.4)
+    standard (1.35.1)
+      language_server-protocol (~> 3.17.0.2)
+      lint_roller (~> 1.0)
+      rubocop (~> 1.62.0)
+      standard-custom (~> 1.0.0)
+      standard-performance (~> 1.3)
+    standard-custom (1.0.2)
+      lint_roller (~> 1.0)
+      rubocop (~> 1.50)
+    standard-performance (1.3.1)
+      lint_roller (~> 1.1)
+      rubocop-performance (~> 1.20.2)
+    standardrb (1.0.1)
+      standard
+    unicode-display_width (2.5.0)
 
 PLATFORMS
   x86_64-linux
 
 DEPENDENCIES
   bundler (~> 2.3)
+  irb (~> 1.7.0)
   minitest (~> 5.18.1)
+  mutex_m
   pry (~> 0.13.0)
   pry-byebug (~> 3.10.1)
   rake (~> 13.0)
   ruby-stix2!
   simplecov (~> 0.22.0)
+  standardrb
 
 BUNDLED WITH
    2.3.26

data/README.md

@@ -12,7 +12,7 @@ gem install ruby-stix2
 or as part of the bundle
 
 ```
-bundle add typhoeus
+bundle add ruby-stix2
 ```
 
 # Usage
@@ -69,7 +69,7 @@ Stix2 message.
 # Storage
 
 The Stix2 standard has several object types, some of which are containers of other objects (like `Bundle`). However we
-may want to save and retrieve Stix2 objects in a fast way. The gem provides a `storage` support for that.
+may want to save and retrieve Stix2 objects in a fast way. The gem provides a `Stix::Storage` support for that.
 
 For any Stix2 attribute that is an `identifier` (`Stix2::Identifier` in the gem) the class gives one more method called
 `_instance` to retrieve the actual instance. If we have a `threat-actor` like this
@@ -98,7 +98,7 @@ we know that this object has been created by an identity `identity--f431f809-377
 retrieve the other object if already seen
 
 ```ruby
-Stix2.storage_activate # Activate the storage
+Stix2::Storage.activate # Activate the storage
 
 identity = Stix2::DomainObject::Identity.new(id: 'identity--f431f809-377b-45e0-aa1c-6a4751cae5ff', ...)
 threat_actor = Stix2::DomainObject::ThreatActor.new(created_by_ref: 'identity--f431f809-377b-45e0-aa1c-6a4751cae5ff', ...)
@@ -107,6 +107,48 @@ threat_actor.created_by_ref # this gives the identifier => identity--f431f809-37
 threat_actor.created_by_ref_instance # this gives the actual object => Stix2::DomainObject::Identity
 ```
 
+# Spec versions
+
+This gem implements the spec version `2.1`. However older version (especially 2.0) can be compatible. To force the gem
+to accept another spec version, just add them to the `SPEC_VERSIONS` variable.
+
+```ruby
+Stix2::SPEC_VERSIONS << '2.0'
+```
+
+# Custom Definitions
+
+The Stix2 standard includes several extensions to base objects. All extensions are widely described in the standard 
+itself, please refer to it. However two of them need more attention for how they are implemented in this gem.
+
+## Extension Definition
+
+This object allows the definition of new properties. One special property is `toplevel-property-extension` that allows
+the definition of properties on the top-level of an object. According to the standard thos properties should be
+defined solely on the object that is actually using the property. However due to the `hashie`-based implementation
+the gem declares the new properties on the class itself. This is a known limitation of the current implementation and
+it may be fixed in the future.
+
+## Custom Object
+
+A `CustomObject` can also be used within the Gem. The standard defines the rules that must be fulfilled for a custom
+object. Since those rules are several, the code stacks all the errors altogether and raises an exception when some
+errors happen. The exception is RuntimeError, that gives the user a string. It is suboptimal to have multiple errors
+in a string, and it may be fixed in the future.
+
+# Confidence
+
+A Stix2 object can have the property `confidence` set. This value can be expressed according to several conficence 
+scales. To make this conversion smooth, an object offers the method `confidence_scale` that is an instance of
+`Stix2::ConfidenceScale`. This class offers method for all the scales the standard includes.
+
+```ruby
+indicator = Stix2::DomainObject::Indicator.new(confidence: i)
+indicator.confidence # This is the raw integer
+indicator.confidence_scale.to_admiralty_credibility # this is a string in this scale
+indicator.confidence_scale.to_admiralty_credibility_stix # this is a string in stix mode
+```
+
 # Contribution
 
 You can contribute to this project in 2 ways:
@@ -114,3 +156,7 @@ You can contribute to this project in 2 ways:
 - with a PR: just follow the standard github workflow
 - by pointing out missing support: open an issue and please provide a json containing the missing support, to simplify
 the development
+
+# See also
+
+Ruby Stix2: https://github.com/crondaemon/ruby-taxii2

data/lib/stix2/base.rb

@@ -0,0 +1,7 @@
+module Stix2
+  class Base < Hashie::Dash
+    include Hashie::Extensions::Dash::PredefinedValues
+    include Hashie::Extensions::IndifferentAccess
+    include Hashie::Extensions::Dash::Coercion
+  end
+end

data/lib/stix2/bundle.rb

@@ -1,7 +1,6 @@
 module Stix2
   class Bundle < Stix2::Common
     property :type, required: true, coerce: String
-    property :id, coerce: String
-    property :objects, coerce: ->(values){ values.map{ Stix2.parse(_1) } }
+    property :objects, coerce: ->(array) { array.all? { |element| element.is_a?(::Stix2::Common) || raise("Invalid Object") } && array }
   end
 end

data/lib/stix2/common.rb

@@ -1,44 +1,70 @@
+require "securerandom"
+
 module Stix2
-  class Common < Hashie::Dash
-    include Hashie::Extensions::Dash::PredefinedValues
-    include Hashie::Extensions::IndifferentAccess
-    include Hashie::Extensions::Dash::Coercion
+  SPEC_VERSIONS = ["2.1"]
+  UUID_NAMESPACE = "00abedb4-aa42-466c-9c01-fed23315a9b7"
 
+  class Common < Stix2::Base
+    include Hashie::Extensions::Dash::PropertyTranslation
     property :type, required: true, coerce: String
-    property :spec_version, coerce: String, values: ['2.1']
-    property :id, coerce: Identifier
+    property :spec_version, coerce: String, values: Stix2::SPEC_VERSIONS, default: SPEC_VERSIONS.last
+    property :id, coerce: Identifier, required: true
     property :created_by_ref, coerce: Identifier
     property :created, coerce: Time
     property :modified, coerce: Time
-    property :revoked, coerce: Stix2::Boolean
-    property :labels, coerce: Array[String]
-    property :confidence, coerce: Integer
+    property :revoked, coerce: ->(value) { Stix2.to_bool(value) }
+    property :labels, coerce: [String]
+    property :confidence, coerce: ->(value) {
+                                    int = Integer(value)
+                                    [0..100].include?(int)
+                                    int
+                                  }
     property :lang, coerce: String
-    property :external_references, coerce: Array[ExternalReference]
-    property :object_marking_refs, coerce: Array[Stix2::MetaObject::DataMarking::ObjectMarking]
-    property :granular_markings, coerce: Array[MetaObject::DataMarking::GranularMarking]
-    property :defanged, coerce: Stix2::Boolean
+    property :external_references, coerce: [ExternalReference]
+    property :object_marking_refs, coerce: [Stix2::MetaObject::DataMarking::ObjectMarking]
+    property :granular_markings, coerce: [MetaObject::DataMarking::GranularMarking]
+    property :defanged, coerce: ->(value) { Stix2.to_bool(value) }
     property :extensions, coerce: Hash
 
     def initialize(options = {})
       Hashie.symbolize_keys!(options)
-      type = to_dash(self.class.name.split('::').last)
+      type = to_dash(self.class.name.split("::").last)
       if options[:type]
-        raise("Property 'type' must be '#{type}'") if options[:type] != type
+        if !options[:type].start_with?("x-") && options[:type] != type
+          raise("Property 'type' must be '#{type}'")
+        end
       else
         options[:type] = type
       end
+
+      options[:id] ||= "#{type}--#{SecureRandom.uuid}"
+
+      process_toplevel_property_extension(options[:extensions])
       super(options)
-      Stix2.storage_add(self)
+      process_extensions(options)
+      Stix2::Storage.add(self)
     end
 
     def method_missing(m, *args, &block)
-      super(m, args, block) if !m.to_s.end_with?('_instance')
+      if !m.to_s.end_with?("_instance")
+        # :nocov:
+        super(m, args, block)
+        return
+        # :nocov:
+      end
       # Retrieve the original method
-      ref_method = m.to_s.gsub(/_instance$/, '')
+      ref_method = m.to_s.gsub(/_instance$/, "")
       obj = send(ref_method)
       raise("Can't get a Stix2::Identifier from #{ref_method}") if !obj.is_a?(Stix2::Identifier)
-      Stix2.storage_find(obj)
+      Stix2::Storage.find(obj)
+    end
+
+    def respond_to_missing?(method_name, include_private = false)
+      method_name.to_s.start_with?("_instance") || super
+    end
+
+    def confidence_scale
+      Stix2::ConfidenceScale.new(confidence)
     end
 
     private
@@ -48,15 +74,71 @@ module Stix2
     end
 
     def self.validate_array(list, valid_values)
-      excess = (Array(list) - valid_values)
+      excess = (Array(list).map(&:to_s) - valid_values.map(&:to_s))
       excess.empty? || raise("Invalid values: #{excess}")
       list
     end
+    private_class_method :validate_array
 
     def self.hash_dict(hsh)
-      invalids = hsh.keys.map(&:to_s) - HASH_ALGORITHM_OV
-      invalids.empty? || raise("Invalid values: #{invalids}")
+      validate_array(hsh.keys, HASH_ALGORITHM_OV)
       hsh
     end
+    private_class_method :hash_dict
+
+    def process_toplevel_property_extension(extensions)
+      extension_definition = extensions&.find { |key, val| key.to_s.start_with?("extension-definition") }
+      return if !extension_definition
+
+      id = extension_definition.first
+      type = extension_definition.last[:extension_type]
+      if type == "toplevel-property-extension"
+        Stix2::Storage.active? || raise("Stix.storage must be active to use toplevel-property-extension")
+        ext = Stix2::Storage.find(id)
+        ext.extension_properties.each do |prop|
+          self.class.class_eval do
+            property prop
+          end
+        end
+      end
+    end
+
+    def process_extensions(options)
+      options[:extensions]&.each do |id, value|
+        case id.to_s
+        when /[A-Z]/
+          raise("Invalid extension name format.")
+        when "archive-ext"
+          extensions[id] = Stix2::Extensions::ArchiveFile.new(value)
+        when /^extension-definition/
+          # Ignore it, already processes
+        when "socket-ext"
+          extensions[id] = Stix2::Extensions::Socket.new(value)
+        when "icmp-ext"
+          extensions[id] = Stix2::Extensions::Icmp.new(value)
+        when "http-request-ext"
+          extensions[id] = Stix2::Extensions::HttpRequest.new(value)
+        when "ntfs-ext"
+          extensions[id] = Stix2::Extensions::Ntfs.new(value)
+        when "tcp-ext"
+          extensions[id] = Stix2::Extensions::Tcp.new(value)
+        when "windows-process-ext"
+          extensions[id] = Stix2::Extensions::WindowsProcess.new(value)
+        when "windows-service-ext"
+          extensions[id] = Stix2::Extensions::WindowsService.new(value)
+        when "unix-account-ext"
+          extensions[id] = Stix2::Extensions::UnixAccount.new(value)
+        when "pdf-ext"
+          extensions[id] = Stix2::Extensions::Pdf.new(value)
+        when "raster-image-ext"
+          extensions[id] = Stix2::Extensions::RasterImage.new(value)
+        when "windows-pebinary-ext"
+          extensions[id] = Stix2::Extensions::WindowsPebinary.new(value)
+        else
+          # Ensure we have a hash
+          value.is_a?(Hash) || raise("Custom extension must be Hash: #{value}")
+        end
+      end
+    end
   end
 end

data/lib/stix2/confidence_scale.rb

@@ -0,0 +1,106 @@
+module Stix2
+  class ConfidenceScale
+    SCALE_NONE_LOW_MED_HIGH = {
+      0..0 => {scale: "None", stix: 0},
+      1..29 => {scale: "Low", stix: 15},
+      30..69 => {scale: "Med", stix: 50},
+      70..100 => {scale: "High", stix: 85}
+    }.freeze
+
+    SCALE_0_10 = {
+      0..4 => {scale: 0, stix: 0},
+      5..14 => {scale: 1, stix: 10},
+      15..24 => {scale: 2, stix: 20},
+      25..34 => {scale: 3, stix: 30},
+      35..44 => {scale: 4, stix: 40},
+      45..54 => {scale: 5, stix: 50},
+      55..64 => {scale: 6, stix: 60},
+      65..74 => {scale: 7, stix: 70},
+      75..84 => {scale: 8, stix: 80},
+      85..94 => {scale: 9, stix: 90},
+      95..100 => {scale: 10, stix: 100}
+    }.freeze
+
+    SCALE_ADMIRALTY_CREDIBILITY = {
+      0..19 => {scale: 5, stix: 10},
+      20..39 => {scale: 4, stix: 30},
+      40..59 => {scale: 3, stix: 50},
+      60..79 => {scale: 2, stix: 70},
+      80..100 => {scale: 1, stix: 90}
+    }.freeze
+
+    SCALE_WEP = {
+      0..0 => {scale: "Impossible", stix: 0},
+      1..19 => {scale: "Highly Unlikely/Almost Certainly Not", stix: 10},
+      20..39 => {scale: "Unlikely/Probably Not", stix: 30},
+      40..59 => {scale: "Even Chance", stix: 50},
+      60..79 => {scale: "Likely/Probable", stix: 70},
+      80..99 => {scale: "Highly likely/Almost Certain", stix: 90},
+      100..100 => {scale: "Certain", stix: 100}
+    }.freeze
+
+    SCALE_DNI = {
+      0..9 => {scale: "Almost No Chance / Remote", stix: 5},
+      10..19 => {scale: "Very Unlikely / Highly Improbable", stix: 15},
+      20..39 => {scale: "Unlikely / Improbable", stix: 30},
+      40..59 => {scale: "Roughly Even Chance / Roughly Even Odds", stix: 50},
+      60..79 => {scale: "Likely / Probable", stix: 70},
+      80..89 => {scale: "Very Likely / Highly Probable", stix: 85},
+      90..100 => {scale: "Almost Certain / Nearly Certain", stix: 95}
+    }.freeze
+
+    def initialize(value = nil)
+      @value = value
+    end
+
+    def to_none_low_med_high
+      !@value && "Not Specified"
+      find_range(SCALE_NONE_LOW_MED_HIGH, :scale)
+    end
+
+    def to_none_low_med_high_stix
+      !@value && "Not Specified"
+      find_range(SCALE_NONE_LOW_MED_HIGH, :stix)
+    end
+
+    def to_0_10
+      !@value && 6
+      find_range(SCALE_0_10, :scale)
+    end
+
+    def to_0_10_stix
+      find_range(SCALE_0_10, :stix)
+    end
+
+    def to_admiralty_credibility
+      find_range(SCALE_ADMIRALTY_CREDIBILITY, :scale)
+    end
+
+    def to_admiralty_credibility_stix
+      find_range(SCALE_ADMIRALTY_CREDIBILITY, :stix)
+    end
+
+    def to_wep
+      find_range(SCALE_WEP, :scale)
+    end
+
+    def to_wep_stix
+      find_range(SCALE_WEP, :stix)
+    end
+
+    def to_dni_scale
+      find_range(SCALE_DNI, :scale)
+    end
+
+    def to_dni_scale_stix
+      find_range(SCALE_DNI, :stix)
+    end
+
+    private
+
+    def find_range(constant, type)
+      !@value || "Not Specified"
+      constant.find { |k, v| k.cover?(@value) }.last[type]
+    end
+  end
+end

data/lib/stix2/custom_object.rb

@@ -0,0 +1,20 @@
+module Stix2
+  class CustomObject < Stix2::Common
+    include Hashie::Extensions::IgnoreUndeclared
+
+    property :id, coerce: Identifier
+
+    def initialize(options)
+      Hashie.symbolize_keys!(options)
+      raise("A CustomObject must have at least one property") if options[:type] && options.count == 1
+      errors = Hash.new { |k, v| k[v] = [] }
+      options.each do |key, value|
+        errors["Too short"] << key if key != :id && key.size < 3
+        errors["Invalid name"] << key if !key.match?(/^[a-z0-9_]*$/)
+        errors["Too long"] << key if key.size > 250
+      end
+      raise("Error creating CustomObject: #{errors}") if !errors.empty?
+      super(options)
+    end
+  end
+end

data/lib/stix2/cyberobservable_objects/artifact.rb

@@ -4,7 +4,7 @@ module Stix2
       property :mime_type, coerce: String
       property :payload_bin, coerce: String
       property :url, coerce: String
-      property :hashes, coerce: ->(hsh){ hash_dict(hsh) }
+      property :hashes, coerce: ->(hsh) { hash_dict(hsh) }
       property :encryption_algorithm, values: ENCRYPTION_ALGORITHM_ENUM
       property :decryption_key, coerce: String
     end

data/lib/stix2/cyberobservable_objects/directory.rb

@@ -6,7 +6,7 @@ module Stix2
       property :ctime, coerce: Time
       property :mtime, coerce: Time
       property :atime, coerce: Time
-      property :contains_refs, coerce: Array[Identifier]
+      property :contains_refs, coerce: [Identifier]
     end
   end
 end

data/lib/stix2/cyberobservable_objects/domain_name.rb

@@ -2,7 +2,7 @@ module Stix2
   module CyberobservableObject
     class DomainName < Base
       property :value, required: true, coerce: String
-      property :resolves_to_refs, coerce: Array[Identifier]
+      property :resolves_to_refs, coerce: [Identifier]
     end
   end
 end

data/lib/stix2/cyberobservable_objects/email_message.rb

@@ -1,20 +1,20 @@
 module Stix2
   module CyberobservableObject
     class EmailMessage < Base
-      property :is_multipart, required: true, coerce: Stix2::Boolean
+      property :is_multipart, required: true, coerce: ->(value) { Stix2.to_bool(value) }
       property :date, coerce: Time
       property :content_type, coerce: String
       property :from_ref, coerce: Identifier
       property :sender_ref, coerce: Identifier
-      property :to_refs, coerce: Array[Identifier]
-      property :cc_refs, coerce: Array[Identifier]
-      property :bcc_refs, coerce: Array[Identifier]
+      property :to_refs, coerce: [Identifier]
+      property :cc_refs, coerce: [Identifier]
+      property :bcc_refs, coerce: [Identifier]
       property :message_id, coerce: String
       property :subject, coerce: String
-      property :received_lines, coerce: Array[String]
-      property :additional_header_fields, coerce: Hash[String => String]
+      property :received_lines, coerce: [String]
+      property :additional_header_fields, coerce: {String => String}
       property :body, coerce: String
-      property :body_multipart, coerce: Array[EmailMimePartType]
+      property :body_multipart, coerce: [EmailMimePartType]
       property :raw_email_ref, coerce: Identifier
     end
   end

data/lib/stix2/cyberobservable_objects/file.rb

@@ -1,7 +1,7 @@
 module Stix2
   module CyberobservableObject
     class File < Base
-      property :hashes, coerce: ->(hsh){ hash_dict(hsh) }
+      property :hashes, coerce: ->(hsh) { hash_dict(hsh) }
       property :size, coerce: Integer
       property :name, coerce: String
       property :name_enc, coerce: String
@@ -11,7 +11,7 @@ module Stix2
       property :mtime, coerce: String
       property :atime, coerce: String
       property :parent_directory_ref, coerce: Identifier
-      property :contains_refs, coerce: Array[Identifier]
+      property :contains_refs, coerce: [Identifier]
       property :content_ref, coerce: Identifier
     end
   end

data/lib/stix2/cyberobservable_objects/ipv4_addr.rb

@@ -1,11 +1,11 @@
-require 'ipaddr'
+require "ipaddr"
 
 module Stix2
   module CyberobservableObject
     class Ipv4Addr < Base
-      property :value, required: true, coerce: ->(v){ IPAddr.new(v, Socket::AF_INET).to_s }
-      property :resolves_to_refs, coerce: Array[Identifier]
-      property :resolves_to_refs, coerce: Array[Identifier]
+      property :value, required: true, coerce: ->(v) { IPAddr.new(v, Socket::AF_INET).to_s }
+      property :resolves_to_refs, coerce: [Identifier]
+      property :resolves_to_refs, coerce: [Identifier]
     end
   end
 end

data/lib/stix2/cyberobservable_objects/ipv6_addr.rb

@@ -1,11 +1,11 @@
-require 'ipaddr'
+require "ipaddr"
 
 module Stix2
   module CyberobservableObject
     class Ipv6Addr < Base
-      property :value, required: true, coerce: ->(v){ IPAddr.new(v, Socket::AF_INET6).to_s }
-      property :resolves_to_refs, coerce: Array[Identifier]
-      property :resolves_to_refs, coerce: Array[Identifier]
+      property :value, required: true, coerce: ->(v) { IPAddr.new(v, Socket::AF_INET6).to_s }
+      property :resolves_to_refs, coerce: [Identifier]
+      property :resolves_to_refs, coerce: [Identifier]
     end
   end
 end

data/lib/stix2/cyberobservable_objects/network_traffic.rb

@@ -3,12 +3,12 @@ module Stix2
     class NetworkTraffic < Base
       property :start, coerce: Time
       property :end, coerce: Time
-      property :is_active, coerce: ->(v){ boolean(v) }
+      property :is_active, coerce: ->(v) { Stix2.to_bool(v) }
       property :src_ref, coerce: Identifier
       property :dst_ref, coerce: Identifier
       property :src_port, coerce: Integer
       property :dst_port, coerce: Integer
-      property :protocols, required: true, coerce: Array[String]
+      property :protocols, required: true, coerce: [String]
       property :src_byte_count, coerce: Integer
       property :dst_byte_count, coerce: Integer
       property :src_packets, coerce: Integer
@@ -16,7 +16,7 @@ module Stix2
       property :ipfix, coerce: Hash
       property :src_payload_ref, coerce: Identifier
       property :dst_payload_ref, coerce: Identifier
-      property :encapsulates_refs, coerce: Array[Identifier]
+      property :encapsulates_refs, coerce: [Identifier]
       property :encapsulated_by_ref, coerce: Identifier
     end
   end