ruby-stix2 0.1.1 → 0.1.2

data/lib/stix2/relationship_objects/relationship.rb

@@ -3,10 +3,163 @@ module Stix2
     class Relationship < Base
       property :relationship_type, required: true, coerce: String
       property :description, coerce: String
-      property :source_ref, coerce: String
-      property :target_ref, coerce: String
+      property :source_ref, required: true, coerce: String
+      property :target_ref, required: true, coerce: String
       property :start_time, coerce: Time
       property :stop_time, coerce: Time
+
+      def initialize(args)
+        if !args[:relationship_type] && args[:source_ref] && args[:target_ref]
+          objects = DOMAIN_OBJECTS + CYBEROBSERVABLE_OBJECTS
+          source_type = type_by_id(args[:source_ref])
+          target_type = type_by_id(args[:target_ref])
+          relationships = Array(RELATIONSHIP_TYPES.dig(source_type, target_type))
+          relationships += COMMON_RELATIONSHIPS if objects.include?(source_type) && objects.include?(target_type)
+          args[:relationship_type] = relationships.first unless relationships.empty?
+        end
+
+        super(args)
+      end
+
+      COMMON_RELATIONSHIPS = ["related-to", "derived-from", "duplicate-of"].freeze
+      DOMAIN_OBJECTS = ["attack-pattern", "campaign", "course-of-action", "grouping", "identity", "indicator",
+        "intrusion-set", "location", "malware-analysis", "malware", "note", "observed-data", "opinion", "report",
+        "threat_actor", "tool", "vulnerability"].freeze
+      CYBEROBSERVABLE_OBJECTS = ["artifact", "autonomous-system", "directory", "domain-name", "email-addr",
+        "email-message", "file", "ipv4-addr", "ipv6-addr", "mac-addr", "mutex", "network-traffic", "process",
+        "software", "url", "user-account", "windows-registry-key", "x509-certificate"].freeze
+
+      RELATIONSHIP_TYPES = {
+        "attack-pattern" => {
+          "identity" => "targets",
+          "location" => "targets",
+          "malware" => ["delivers", "uses"],
+          "tool" => "uses",
+          "vulnerability" => "targets"
+        },
+        "campaign" => {
+          "attack-pattern" => "uses",
+          "identity" => "targets",
+          "infrastructure" => ["compromises", "uses"],
+          "intrusion-set" => "attributed-to",
+          "location" => ["originates-from", "targets"],
+          "malware" => "uses",
+          "threat-actor" => "attributed-to",
+          "tool" => "uses",
+          "vulnerability" => "targets"
+        },
+        "course-of-action" => {
+          "attack-pattern" => "mitigates",
+          "indicator" => ["investigates", "mitigates"],
+          "malware" => ["mitigates", "remediates"],
+          "tool" => "mitigates",
+          "vulnerability" => ["mitigates", "remediates"]
+        },
+        "domain-name" => {
+          "domain-name" => "resolves-to",
+          "ipv4-addr" => "resolves-to",
+          "ipv6-addr" => "resolves-to"
+        },
+        "identity" => {
+          "location" => "located-at"
+        },
+        "indicator" => {
+          "attack-pattern" => "indicates",
+          "campaign" => "indicates",
+          "infrastructure" => "indicates",
+          "intrusion-set" => "indicates",
+          "malware" => "indicates",
+          "observed-data" => "based-on",
+          "threat-actor" => "indicates",
+          "tool" => "indicates"
+        },
+        "infrastructure" => {
+          "artifact" => "communicates-with",
+          "autonomous-system" => "communicates-with",
+          "directory" => "communicates-with",
+          "domain-name" => ["communicates-with", "consists-of"],
+          "email-addr" => "communicates-with",
+          "email-message" => "communicates-with",
+          "file" => "communicates-with",
+          "infrastructure" => ["communicates-with", "consists-of", "controls", "uses"],
+          "ipv4-addr" => ["communicates-with", "consists-of"],
+          "ipv6-addr" => ["communicates-with", "consists-of"],
+          "location" => "located-at",
+          "mac-addr" => "communicates-with",
+          "malware" => ["controls", "delivers", "hosts"],
+          "mutex" => "communicates-with",
+          "network-traffic" => "communicates-with",
+          "observed-data" => "consists-of",
+          "process" => "communicates-with",
+          "software" => "communicates-with",
+          "tool" => "hosts",
+          "url" => ["communicates-with", "consists-of"],
+          "user-account" => "communicates-with",
+          "vulnerability" => "has",
+          "windows registry-key" => "communicates-with",
+          "x509-certificate" => "communicates-with"
+        },
+        "intrusion-set" => {
+          "attack-pattern" => "uses",
+          "identity" => "targets",
+          "infrastructure" => ["compromises", "hosts", "owns", "uses"],
+          "location" => ["originates-from", "targets"],
+          "malware" => "uses",
+          "threat-actor" => "attributed-to",
+          "tool" => "uses",
+          "vulnerability" => "targets"
+        },
+        "ipv4-addr" => {
+          "mac-addr" => "resolves-to",
+          "autonomous-system" => "belongs-to"
+        },
+        "ipv6-addr" => {
+          "mac-addr" => "resolves-to",
+          "autonomous-system" => "belongs-to"
+        },
+        "malware" => {
+          "attack-pattern" => "uses",
+          "domain-name" => "communicates-with",
+          "identity" => "targets",
+          "infrastructure" => ["beacons-to", "exfiltrates-to", "targets", "uses"],
+          "intrusion-set" => "authored-by",
+          "ipv4-addr" => "communicates-with",
+          "ipv6-addr" => "communicates-with",
+          "location" => ["originates-from", "targets"],
+          "malware" => ["controls", "downloads", "drops", "uses", "variant-of"],
+          "threat-actor" => "authored-by",
+          "tool" => ["downloads", "drops", "uses"],
+          "url" => "communicates-with",
+          "vulnerability" => ["exploits", "targets"]
+        },
+        "malware-analysis" => {
+          "malware" => ["characterizes", "av-analysis-of", "static-analysis-of", "dynamic-analysis-of"]
+        },
+        "threat-actor" => {
+          "attack-pattern" => "uses",
+          "identity" => ["attributed-to", "impersonates", "targets"],
+          "infrastructure" => ["compromises", "hosts", "owns", "uses"],
+          "location" => ["located-at", "targets"],
+          "malware" => "uses",
+          "tool" => "uses",
+          "vulnerability" => "targets"
+        },
+        "tool" => {
+          "identity" => "targets",
+          "infrastructure" => ["targets", "uses"],
+          "location" => "targets",
+          "malware" => ["delivers", "drops"],
+          "vulnerability" => ["has", "targets"]
+        }
+      }.freeze
+
+      private_constant :COMMON_RELATIONSHIPS, :DOMAIN_OBJECTS, :CYBEROBSERVABLE_OBJECTS, :RELATIONSHIP_TYPES
+
+      private
+
+      def type_by_id(id)
+        id.split("--").first
+      end
     end
   end
 end

data/lib/stix2/relationship_objects/sighting.rb

@@ -6,9 +6,9 @@ module Stix2
       property :last_seen, required: true, coerce: Time
       property :count, coerce: Integer
       property :sighting_of_ref, required: true, coerce: String
-      property :observed_data_refs, coerce: Array[String]
-      property :where_sighted_refs, coerce: Array[String]
-      property :summary, coerce: ->(v){ Stix2.to_bool(v) }
+      property :observed_data_refs, coerce: [String]
+      property :where_sighted_refs, coerce: [String]
+      property :summary, coerce: ->(v) { Stix2.to_bool(v) }
     end
   end
 end

data/lib/stix2/version.rb

@@ -1,3 +1,3 @@
 module Stix2
-  VERSION = '0.1.1'
+  VERSION = "0.1.2"
 end

data/lib/stix2.rb

@@ -1,118 +1,118 @@
-require 'hashie'
-require 'json'
-require 'time'
+require "hashie"
+require "json"
+require "time"
 
-require 'stix2/version'
-require 'stix2/ov'
-require 'stix2/enum'
-require 'stix2/base'
-require 'stix2/languages'
-require 'stix2/external_reference'
-require 'stix2/identifier'
-require 'stix2/kill_chain_phase'
+require "stix2/version"
+require "stix2/ov"
+require "stix2/enum"
+require "stix2/base"
+require "stix2/languages"
+require "stix2/external_reference"
+require "stix2/identifier"
+require "stix2/kill_chain_phase"
 
-require 'stix2/meta_objects/data_markings/granular_marking'
-require 'stix2/meta_objects/data_markings/object_marking'
+require "stix2/meta_objects/data_markings/granular_marking"
+require "stix2/meta_objects/data_markings/object_marking"
 
-require 'stix2/common'
-require 'stix2/domain_objects/base'
-require 'stix2/domain_objects/attack_pattern'
-require 'stix2/domain_objects/campaign'
-require 'stix2/domain_objects/course_of_action'
-require 'stix2/domain_objects/grouping'
-require 'stix2/domain_objects/identity'
-require 'stix2/domain_objects/indicator'
-require 'stix2/domain_objects/infrastructure'
-require 'stix2/domain_objects/intrusion-set'
-require 'stix2/domain_objects/location'
-require 'stix2/domain_objects/malware'
-require 'stix2/domain_objects/malware_analysis'
-require 'stix2/domain_objects/note'
-require 'stix2/domain_objects/observed_data'
-require 'stix2/domain_objects/opinion'
-require 'stix2/domain_objects/report'
-require 'stix2/domain_objects/threat_actor'
-require 'stix2/domain_objects/tool'
-require 'stix2/domain_objects/vulnerability'
+require "stix2/common"
+require "stix2/domain_objects/base"
+require "stix2/domain_objects/attack_pattern"
+require "stix2/domain_objects/campaign"
+require "stix2/domain_objects/course_of_action"
+require "stix2/domain_objects/grouping"
+require "stix2/domain_objects/identity"
+require "stix2/domain_objects/indicator"
+require "stix2/domain_objects/infrastructure"
+require "stix2/domain_objects/intrusion-set"
+require "stix2/domain_objects/location"
+require "stix2/domain_objects/malware"
+require "stix2/domain_objects/malware_analysis"
+require "stix2/domain_objects/note"
+require "stix2/domain_objects/observed_data"
+require "stix2/domain_objects/opinion"
+require "stix2/domain_objects/report"
+require "stix2/domain_objects/threat_actor"
+require "stix2/domain_objects/tool"
+require "stix2/domain_objects/vulnerability"
 
-require 'stix2/relationship_objects/base'
-require 'stix2/relationship_objects/relationship'
-require 'stix2/relationship_objects/sighting'
+require "stix2/relationship_objects/base"
+require "stix2/relationship_objects/relationship"
+require "stix2/relationship_objects/sighting"
 
-require 'stix2/cyberobservable_objects/base'
-require 'stix2/cyberobservable_objects/artifact'
-require 'stix2/cyberobservable_objects/autonomous_system'
-require 'stix2/cyberobservable_objects/directory'
-require 'stix2/cyberobservable_objects/domain_name'
-require 'stix2/cyberobservable_objects/email_addr'
-require 'stix2/cyberobservable_objects/email_mime_part_type'
-require 'stix2/cyberobservable_objects/email_message'
-require 'stix2/cyberobservable_objects/file'
-require 'stix2/cyberobservable_objects/ipv4_addr'
-require 'stix2/cyberobservable_objects/ipv6_addr'
-require 'stix2/cyberobservable_objects/mac_addr'
-require 'stix2/cyberobservable_objects/mutex'
-require 'stix2/cyberobservable_objects/network_traffic'
-require 'stix2/cyberobservable_objects/process'
-require 'stix2/cyberobservable_objects/software'
-require 'stix2/cyberobservable_objects/url'
-require 'stix2/cyberobservable_objects/user_account'
-require 'stix2/cyberobservable_objects/windows_registry_value'
-require 'stix2/cyberobservable_objects/windows_registry_key'
-require 'stix2/cyberobservable_objects/x509_certificate'
+require "stix2/cyberobservable_objects/base"
+require "stix2/cyberobservable_objects/artifact"
+require "stix2/cyberobservable_objects/autonomous_system"
+require "stix2/cyberobservable_objects/directory"
+require "stix2/cyberobservable_objects/domain_name"
+require "stix2/cyberobservable_objects/email_addr"
+require "stix2/cyberobservable_objects/email_mime_part_type"
+require "stix2/cyberobservable_objects/email_message"
+require "stix2/cyberobservable_objects/file"
+require "stix2/cyberobservable_objects/ipv4_addr"
+require "stix2/cyberobservable_objects/ipv6_addr"
+require "stix2/cyberobservable_objects/mac_addr"
+require "stix2/cyberobservable_objects/mutex"
+require "stix2/cyberobservable_objects/network_traffic"
+require "stix2/cyberobservable_objects/process"
+require "stix2/cyberobservable_objects/software"
+require "stix2/cyberobservable_objects/url"
+require "stix2/cyberobservable_objects/user_account"
+require "stix2/cyberobservable_objects/windows_registry_value"
+require "stix2/cyberobservable_objects/windows_registry_key"
+require "stix2/cyberobservable_objects/x509_certificate"
 
-require 'stix2/meta_objects/base'
-require 'stix2/meta_objects/language_content'
+require "stix2/meta_objects/base"
+require "stix2/meta_objects/language_content"
 
-require 'stix2/meta_objects/data_markings/base'
-require 'stix2/meta_objects/data_markings/marking_definition'
+require "stix2/meta_objects/data_markings/base"
+require "stix2/meta_objects/data_markings/marking_definition"
 
-require 'stix2/extension_definition'
-require 'stix2/extensions/archive_file'
-require 'stix2/extensions/socket'
-require 'stix2/extensions/icmp'
-require 'stix2/extensions/http_request'
-require 'stix2/extensions/ntfs'
-require 'stix2/extensions/tcp'
-require 'stix2/extensions/windows_process'
-require 'stix2/extensions/windows_service'
-require 'stix2/extensions/unix_account'
-require 'stix2/extensions/pdf'
-require 'stix2/extensions/raster_image'
-require 'stix2/extensions/windows_pebinary'
+require "stix2/extension_definition"
+require "stix2/extensions/archive_file"
+require "stix2/extensions/socket"
+require "stix2/extensions/icmp"
+require "stix2/extensions/http_request"
+require "stix2/extensions/ntfs"
+require "stix2/extensions/tcp"
+require "stix2/extensions/windows_process"
+require "stix2/extensions/windows_service"
+require "stix2/extensions/unix_account"
+require "stix2/extensions/pdf"
+require "stix2/extensions/raster_image"
+require "stix2/extensions/windows_pebinary"
 
-require 'stix2/custom_object'
-require 'stix2/bundle'
-require 'stix2/confidence_scale'
+require "stix2/custom_object"
+require "stix2/bundle"
+require "stix2/confidence_scale"
 
-require 'stix2/storage'
+require "stix2/storage"
 
 class Time
-  class <<self
-    alias :coerce :parse
+  class << self
+    alias_method :coerce, :parse
   end
 end
 
 module Stix2
   def self.parse(options)
-    case options
+    options_ = case options
     when String
-      options_ = JSON.parse(options)
+      JSON.parse(options)
     when Hash
-      options_ = options.clone
+      options.clone
     else
-      options_ = JSON.parse(options.to_s)
+      JSON.parse(options.to_s)
     end
     Hashie.symbolize_keys!(options_)
     type = options_[:type]
     raise("Property 'type' is missing") if !type
     # Let's try to guess the domain of the object, among the known ones
-    [nil, 'DomainObject', 'RelationshipObject', 'CyberobservableObject', 'MetaObject',
-      'MetaObject::DataMarking'].each do |family|
-      if type.start_with?('x-')
-        class_name = 'Stix2::CustomObject'
+    [nil, "DomainObject", "RelationshipObject", "CyberobservableObject", "MetaObject",
+      "MetaObject::DataMarking"].each do |family|
+      class_name = if type.start_with?("x-")
+        "Stix2::CustomObject"
       else
-        class_name = ['Stix2', family, type.split('-').map(&:capitalize).join].compact.join('::')
+        ["Stix2", family, type.split("-").map(&:capitalize).join].compact.join("::")
       end
       return Module.const_get(class_name).new(options_) if Module.const_defined?(class_name)
     end
@@ -120,7 +120,7 @@ module Stix2
   end
 
   def self.to_bool(value)
-    (value == true) || (value == 'true')
+    (value == true) || (value == "true")
   end
 
   def self.is_hex?(value)

data/ruby-stix2.gemspec

@@ -1,31 +1,31 @@
-# coding: utf-8
-lib = File.expand_path('../lib', __FILE__)
+lib = File.expand_path("../lib", __FILE__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require 'stix2/version'
+require "stix2/version"
 
 Gem::Specification.new do |spec|
-  spec.name        = "ruby-stix2"
-  spec.version     = Stix2::VERSION
-  spec.summary     = "Ruby implementation for the STIX protocol version 2.1"
+  spec.name = "ruby-stix2"
+  spec.version = Stix2::VERSION
+  spec.summary = "Ruby implementation for the STIX protocol version 2.1"
   spec.description = "Ruby implementation for the STIX protocol version 2.1. Full specs: https://docs.oasis-open.org/cti/stix/v2.1/stix-v2.1.html"
-  spec.authors     = ["Dario Lombardo"]
-  spec.email       = "lomato@gmail.com"
+  spec.authors = ["Dario Lombardo"]
+  spec.email = "lomato@gmail.com"
 
-  spec.require_paths = ['lib']
-  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
-  spec.homepage      = "https://rubygemspec.org/gems/stix2"
-  spec.license       = "GPL-2.0-or-later"
-  spec.require_paths = ['lib']
+  spec.require_paths = ["lib"]
+  spec.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.homepage = "https://github.com/crondaemon/ruby-stix2"
+  spec.license = "GPL-2.0-or-later"
 
-  spec.required_ruby_version = '>= 2.7'
+  spec.required_ruby_version = ">= 2.7"
 
-  spec.add_dependency 'hashie', '~> 5.0.0'
+  spec.add_dependency "hashie", "~> 5.0.0"
 
-  spec.add_development_dependency 'bundler', '~> 2.3'
-  spec.add_development_dependency 'rake', '~> 13.0'
-  spec.add_development_dependency 'pry', '~> 0.13.0'
-  spec.add_development_dependency 'pry-byebug', '~> 3.10.1'
-  spec.add_development_dependency 'minitest', '~> 5.18.1'
-  spec.add_development_dependency 'simplecov', '~> 0.22.0'
-  spec.add_development_dependency 'irb', '~> 1.7.0'
-end
+  spec.add_development_dependency "bundler", "~> 2.3"
+  spec.add_development_dependency "rake", "~> 13.0"
+  spec.add_development_dependency "pry", "~> 0.13.0"
+  spec.add_development_dependency "pry-byebug", "~> 3.10.1"
+  spec.add_development_dependency "minitest", "~> 5.18.1"
+  spec.add_development_dependency "simplecov", "~> 0.22.0"
+  spec.add_development_dependency "irb", "~> 1.7.0"
+  spec.add_development_dependency "mutex_m"
+  spec.add_development_dependency "standardrb"
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ruby-stix2
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.1.2
 platform: ruby
 authors:
 - Dario Lombardo
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-06-26 00:00:00.000000000 Z
+date: 2024-09-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: hashie
@@ -122,6 +122,34 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 1.7.0
+- !ruby/object:Gem::Dependency
+  name: mutex_m
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: standardrb
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: 'Ruby implementation for the STIX protocol version 2.1. Full specs: https://docs.oasis-open.org/cti/stix/v2.1/stix-v2.1.html'
 email: lomato@gmail.com
 executables: []
@@ -216,11 +244,11 @@ files:
 - lib/stix2/storage.rb
 - lib/stix2/version.rb
 - ruby-stix2.gemspec
-homepage: https://rubygemspec.org/gems/stix2
+homepage: https://github.com/crondaemon/ruby-stix2
 licenses:
 - GPL-2.0-or-later
 metadata: {}
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -235,8 +263,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.26
-signing_key:
+rubygems_version: 3.4.19
+signing_key: 
 specification_version: 4
 summary: Ruby implementation for the STIX protocol version 2.1
 test_files: []