contentctl 4.0.5__tar.gz → 4.1.0__tar.gz

{contentctl-4.0.5 → contentctl-4.1.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: contentctl
-Version: 4.0.5
+Version: 4.1.0
 Summary: Splunk Content Control Tool
 License: Apache 2.0
 Author: STRT
@@ -10,25 +10,24 @@ Classifier: License :: Other/Proprietary License
 Classifier: Programming Language :: Python :: 3
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
-Requires-Dist: Jinja2 (>=3.1.2,<4.0.0)
+Requires-Dist: Jinja2 (>=3.1.4,<4.0.0)
 Requires-Dist: PyYAML (>=6.0.1,<7.0.0)
 Requires-Dist: attackcti (>=0.3.7,<0.4.0)
 Requires-Dist: bottle (>=0.12.25,<0.13.0)
 Requires-Dist: docker (>=7.1.0,<8.0.0)
 Requires-Dist: gitpython (>=3.1.43,<4.0.0)
 Requires-Dist: pycvesearch (>=1.2,<2.0)
-Requires-Dist: pydantic (>=2.5.1,<3.0.0)
+Requires-Dist: pydantic (>=2.7.1,<3.0.0)
 Requires-Dist: pygit2 (>=1.14.1,<2.0.0)
-Requires-Dist: pysigma (>=0.10.8,<0.11.0)
-Requires-Dist: pysigma-backend-splunk (>=1.0.3,<2.0.0)
+Requires-Dist: pysigma (>=0.11.5,<0.12.0)
+Requires-Dist: pysigma-backend-splunk (>=1.1.0,<2.0.0)
 Requires-Dist: questionary (>=2.0.1,<3.0.0)
 Requires-Dist: requests (>=2.32.2,<2.33.0)
 Requires-Dist: semantic-version (>=2.10.0,<3.0.0)
-Requires-Dist: setuptools (>=69.5.1,<70.0.0)
+Requires-Dist: setuptools (>=69.5.1,<71.0.0)
 Requires-Dist: splunk-sdk (>=2.0.1,<3.0.0)
-Requires-Dist: tqdm (>=4.66.1,<5.0.0)
+Requires-Dist: tqdm (>=4.66.4,<5.0.0)
 Requires-Dist: tyro (>=0.8.3,<0.9.0)
-Requires-Dist: validators (>=0.22.0,<0.23.0)
 Requires-Dist: xmltodict (>=0.13.0,<0.14.0)
 Description-Content-Type: text/markdown
 

{contentctl-4.0.5 → contentctl-4.1.0}/contentctl/actions/inspect.py

@@ -61,7 +61,7 @@ class Inspect:
         if not package_path.is_file():
             raise Exception(f"Cannot run Appinspect API on App '{config.app.title}' - "
                             f"no package exists as expected path '{package_path}'.\nAre you "
-                            "trying to 'contentctl acs_deploy' the package BEFORE running 'contentctl build'?")
+                            "trying to 'contentctl deploy_acs' the package BEFORE running 'contentctl build'?")
         
         files = {
             "app_package": open(package_path,"rb"),

{contentctl-4.0.5 → contentctl-4.1.0}/contentctl/actions/new_content.py

@@ -25,7 +25,8 @@ class NewContent:
         answers['date'] = datetime.today().strftime('%Y-%m-%d')
         answers['author'] = answers['detection_author']
         del answers['detection_author']
-        answers['data_source'] = answers['data_source']
+        answers['data_sources'] = answers['data_source']
+        del answers['data_source']
         answers['type'] = answers['detection_type']
         del answers['detection_type']
         answers['status'] = "production" #start everything as production since that's what we INTEND the content to become   
@@ -49,6 +50,7 @@ class NewContent:
         answers['tags']['required_fields'] = ['UPDATE']
         answers['tags']['risk_score'] = 'UPDATE (impact * confidence)/100'
         answers['tags']['security_domain'] = answers['security_domain']
+        del answers["security_domain"]
         answers['tags']['cve'] = ['UPDATE WITH CVE(S) IF APPLICABLE']
         
         #generate the tests section
@@ -64,6 +66,7 @@ class NewContent:
                 ]
             }
         ]
+        del answers["mitre_attack_ids"]
         return answers
 
     def buildStory(self)->dict[str,Any]:
@@ -111,12 +114,12 @@ class NewContent:
             #make sure the output folder exists for this detection
             output_folder.mkdir(exist_ok=True)
 
-            YmlWriter.writeYmlFile(file_path, object)
+            YmlWriter.writeDetection(file_path, object)
             print("Successfully created detection " + file_path)
         
         elif type == NewContentType.story:
             file_path = os.path.join(self.output_path, 'stories', self.convertNameToFileName(object['name'], object['tags']['product']))
-            YmlWriter.writeYmlFile(file_path, object)
+            YmlWriter.writeStory(file_path, object)
             print("Successfully created story " + file_path)        
         
         else:

{contentctl-4.0.5 → contentctl-4.1.0}/contentctl/actions/validate.py

@@ -23,6 +23,7 @@ class Validate:
         director_output_dto = DirectorOutputDto(AtomicTest.getAtomicTestsFromArtRepo(repo_path=input_dto.getAtomicRedTeamRepoPath(), 
                                                                                      enabled=input_dto.enrichments),
                                                 AttackEnrichment.getAttackEnrichment(input_dto),
+                                                CveEnrichment.getCveEnrichment(input_dto),
                                                 [],[],[],[],[],[],[],[],[])
 
         

contentctl-4.1.0/contentctl/api.py

@@ -0,0 +1,137 @@
+from pathlib import Path
+from typing import Any, Union, Type
+from contentctl.input.yml_reader import YmlReader
+from contentctl.objects.config import test_common, test, test_servers
+from contentctl.objects.security_content_object import SecurityContentObject
+from contentctl.input.director import DirectorOutputDto
+
+def config_from_file(path:Path=Path("contentctl.yml"), config: dict[str,Any]={}, 
+                   configType:Type[Union[test,test_servers]]=test)->test_common:
+    
+    """
+    Fetch a configuration object that can be used for a number of different contentctl
+    operations including validate, build, inspect, test, and test_servers. A file will 
+    be used as the basis for constructing the configuration.
+
+    Args:
+        path (Path, optional): Relative or absolute path to a contentctl config file. 
+        Defaults to Path("contentctl.yml"), which is the default name and location (in the current directory)
+        of the configuration files which are automatically generated for contentctl.
+        config (dict[], optional): Dictionary of values to override values read from the YML
+        path passed as the first argument. Defaults to {}, an empty dict meaning that nothing
+        will be overwritten 
+        configType (Type[Union[test,test_servers]], optional): The Config Class to instantiate. 
+        This may be a test or test_servers object. Note that this is NOT an instance of the class. Defaults to test.
+    Returns:
+        test_common: Returns a complete contentctl test_common configuration. Note that this configuration
+        will have all applicable field for validate and build as well, but can also be used for easily
+        construction a test or test_servers object.  
+    """    
+
+    try:
+        yml_dict = YmlReader.load_file(path, add_fields=False)
+        
+        
+    except Exception as e:
+        raise Exception(f"Failed to load contentctl configuration from file '{path}': {str(e)}")
+    
+    # Apply settings that have been overridden from the ones in the file
+    try:
+        yml_dict.update(config)
+    except Exception as e:
+        raise Exception(f"Failed updating dictionary of values read from file '{path}'"
+                        f" with the dictionary of arguments passed: {str(e)}")
+
+    # The function below will throw its own descriptive exception if it fails
+    configObject = config_from_dict(yml_dict, configType=configType)
+
+    return configObject
+
+
+
+
+def config_from_dict(config: dict[str,Any]={}, 
+                   configType:Type[Union[test,test_servers]]=test)->test_common:
+    """
+    Fetch a configuration object that can be used for a number of different contentctl
+    operations including validate, build, inspect, test, and test_servers. A dict will 
+    be used as the basis for constructing the configuration.
+
+    Args:
+        config (dict[str,Any],Optional): If a dictionary is not explicitly passed, then
+        an empty dict will be used to create a configuration, if possible, from default
+        values.  Note that based on default values in the contentctl/objects/config.py
+        file, this may raise an exception.  If so, please set appropriate default values
+        in the file above or supply those values via this argument.
+        configType (Type[Union[test,test_servers]], optional): The Config Class to instantiate. 
+        This may be a test or test_servers object. Note that this is NOT an instance of the class. Defaults to test.
+    Returns:
+        test_common: Returns a complete contentctl test_common configuration. Note that this configuration
+        will have all applicable field for validate and build as well, but can also be used for easily
+        construction a test or test_servers object.  
+    """    
+    try:
+        test_object = configType.model_validate(config)
+    except Exception as e:
+        raise Exception(f"Failed to load contentctl configuration from dict:\n{str(e)}")
+    
+    return test_object
+
+
+def update_config(config:Union[test,test_servers], **key_value_updates:dict[str,Any])->test_common:
+    
+    """Update any relevant keys in a config file with the specified values.
+    Full validation will be performed after this update and descriptive errors
+    will be produced
+
+    Args:
+        config (test_common): A previously-constructed test_common object.  This can be 
+        build using the configFromDict or configFromFile functions.
+        key_value_updates (kwargs, optional): Additional keyword/argument pairs to update
+        arbitrary fields in the configuration.
+
+    Returns:
+        test_common: A validated object which has had the relevant fields updated.
+        Note that descriptive Exceptions will be generated if updated values are either
+        invalid (have the wrong type, or disallowed values) or you attempt to update
+        fields that do not exist
+    """
+    # Create a copy so we don't change the underlying model
+    config_copy = config.model_copy(deep=True)
+
+    # Force validation of assignment since doing so via arbitrary dict can be error prone
+    # Also, ensure that we do not try to add fields that are not part of the model
+    config_copy.model_config.update({'validate_assignment': True, 'extra': 'forbid'})
+
+    
+    
+    # Collect any errors that may occur
+    errors:list[Exception] = []
+    
+    # We need to do this one by one because the extra:forbid argument does not appear to 
+    # be respected at this time.
+    for key, value in key_value_updates.items():
+        try:
+            setattr(config_copy,key,value)
+        except Exception as e:
+            errors.append(e)
+    if len(errors) > 0:
+        errors_string = '\n'.join([str(e) for e in errors])
+        raise Exception(f"Error(s) updaitng configuration:\n{errors_string}")
+    
+    return config_copy
+    
+
+
+def content_to_dict(director:DirectorOutputDto)->dict[str,list[dict[str,Any]]]:
+    output_dict:dict[str,list[dict[str,Any]]] = {}
+    for contentType in ['detections','stories','baselines','investigations',
+                        'playbooks','macros','lookups','deployments','ssa_detections']:
+        
+        output_dict[contentType] = []
+        t:list[SecurityContentObject] = getattr(director,contentType)
+        
+        for item in t:
+            output_dict[contentType].append(item.model_dump())
+    return output_dict
+            

{contentctl-4.0.5 → contentctl-4.1.0}/contentctl/contentctl.py

@@ -1,6 +1,11 @@
-from contentctl.actions.initialize import Initialize
+import traceback
+import sys
+import warnings
+import pathlib
 import tyro
-from contentctl.objects.config import init, validate, build,  new, deploy_acs, deploy_rest, test, test_servers, inspect, report, test_common, release_notes
+
+from contentctl.actions.initialize import Initialize
+from contentctl.objects.config import init, validate, build,  new, deploy_acs, test, test_servers, inspect, report, test_common, release_notes
 from contentctl.actions.validate import Validate
 from contentctl.actions.new_content import NewContent
 from contentctl.actions.detection_testing.GitService import GitService
@@ -9,14 +14,10 @@ from contentctl.actions.build import (
      DirectorOutputDto,
      Build,
 )
-
 from contentctl.actions.test import Test
 from contentctl.actions.test import TestInputDto
 from contentctl.actions.reporting import ReportingInputDto, Reporting
 from contentctl.actions.inspect import Inspect
-import sys
-import warnings
-import pathlib
 from contentctl.input.yml_reader import YmlReader
 from contentctl.actions.release_notes import ReleaseNotes
 
@@ -95,13 +96,14 @@ def new_func(config:new):
 
 def deploy_acs_func(config:deploy_acs):
     #This is a bit challenging to get to work with the default values.
-    raise Exception("deploy acs not yet implemented")
-
-def deploy_rest_func(config:deploy_rest):
-    raise Exception("deploy rest not yet implemented")
-    
+    raise Exception("deploy acs not yet implemented") 
 
 def test_common_func(config:test_common):
+    if type(config) == test:
+        #construct the container Infrastructure objects
+        config.getContainerInfrastructureObjects()
+        #otherwise, they have already been passed as servers
+
     director_output_dto = build_func(config)
     gitServer = GitService(director=director_output_dto,config=config)
     detections_to_test = gitServer.getContent()
@@ -175,15 +177,14 @@ def main():
             "test":test.model_validate(config_obj),
             "test_servers":test_servers.model_construct(**t.__dict__),
             "release_notes": release_notes.model_construct(**config_obj),
-            "deploy_acs": deploy_acs.model_construct(**t.__dict__),
-            #"deploy_rest":deploy_rest()
+            "deploy_acs": deploy_acs.model_construct(**t.__dict__)
         }
     )
     
 
 
    
-    
+    config = None
     try:
         # Since some model(s) were constructed and not model_validated, we have to catch
         # warnings again when creating the cli
@@ -209,20 +210,23 @@ def main():
         elif type(config) == deploy_acs:
             updated_config = deploy_acs.model_validate(config)
             deploy_acs_func(updated_config)
-        elif type(config) == deploy_rest:
-            deploy_rest_func(config)
         elif type(config) == test or type(config) == test_servers:
-            if type(config) == test:
-                #construct the container Infrastructure objects
-                config.getContainerInfrastructureObjects()
-                #otherwise, they have already been passed as servers
             test_common_func(config)
         else:
             raise Exception(f"Unknown command line type '{type(config).__name__}'")
     except Exception as e:
-        import traceback
-        traceback.print_exc()
-        traceback.print_stack()
-        #print(e)
+        if config is None:
+            print("There was a serious issue where the config file could not be created.\n"
+                  "The entire stack trace is provided below (please include it if filing a bug report).\n")
+            traceback.print_exc()
+        elif config.verbose:
+            print("Verbose error logging is ENABLED.\n"
+                  "The entire stack trace has been provided below (please include it if filing a bug report):\n")
+            traceback.print_exc()
+        else:
+            print("Verbose error logging is DISABLED.\n"
+                  "Please use the --verbose command line argument if you need more context for your error or file a bug report.")
+            print(e)
+            
         sys.exit(1)
     

contentctl-4.1.0/contentctl/enrichments/cve_enrichment.py

@@ -0,0 +1,65 @@
+from __future__ import annotations
+from pycvesearch import CVESearch
+import functools
+import os
+import shelve
+import time
+from typing import Annotated, Any, Union, TYPE_CHECKING
+from pydantic import BaseModel,Field, computed_field
+from decimal import Decimal
+from requests.exceptions import ReadTimeout
+
+if TYPE_CHECKING:
+    from contentctl.objects.config import validate
+
+
+
+CVESSEARCH_API_URL = 'https://cve.circl.lu'
+
+
+class CveEnrichmentObj(BaseModel):
+    id:Annotated[str, "^CVE-[1|2][0-9]{3}-[0-9]+$"]
+    cvss:Annotated[Decimal, Field(ge=.1, le=10, decimal_places=1)]
+    summary:str
+    
+    @computed_field
+    @property
+    def url(self)->str:
+        BASE_NVD_URL = "https://nvd.nist.gov/vuln/detail/"
+        return f"{BASE_NVD_URL}{self.id}"
+
+
+class CveEnrichment(BaseModel):
+    use_enrichment: bool = True
+    cve_api_obj: Union[CVESearch,None] = None
+    
+
+    class Config:
+        # Arbitrary_types are allowed to let us use the CVESearch Object
+        arbitrary_types_allowed = True
+        frozen = True
+        
+
+    @staticmethod
+    def getCveEnrichment(config:validate, timeout_seconds:int=10, force_disable_enrichment:bool=True)->CveEnrichment:
+        if force_disable_enrichment:
+            return CveEnrichment(use_enrichment=False, cve_api_obj=None)    
+        
+        if config.enrichments:
+            try:
+                cve_api_obj = CVESearch(CVESSEARCH_API_URL, timeout=timeout_seconds)
+                return CveEnrichment(use_enrichment=True, cve_api_obj=cve_api_obj)
+            except Exception as e:
+                raise Exception(f"Error setting CVE_SEARCH API to: {CVESSEARCH_API_URL}: {str(e)}")
+        
+        return CveEnrichment(use_enrichment=False, cve_api_obj=None)
+
+
+    def enrich_cve(self, cve_id:str, raise_exception_on_failure:bool=True)->CveEnrichmentObj:
+
+        if not self.use_enrichment:
+            return CveEnrichmentObj(id=cve_id,cvss=Decimal(5.0),summary="SUMMARY NOT AVAILABLE! ONLY THE LINK WILL BE USED AT THIS TIME")
+        else:
+            print("WARNING - Dynamic enrichment not supported at this time.")
+            return CveEnrichmentObj(id=cve_id,cvss=Decimal(5.0),summary="SUMMARY NOT AVAILABLE! ONLY THE LINK WILL BE USED AT THIS TIME")
+        # Depending on needs, we may add dynamic enrichment functionality back to the tool

{contentctl-4.0.5 → contentctl-4.1.0}/contentctl/input/director.py

@@ -5,9 +5,8 @@ from dataclasses import dataclass, field
 from pydantic import ValidationError
 from uuid import UUID
 from contentctl.input.yml_reader import YmlReader
-    
-    
-    
+
+
 from contentctl.objects.detection import Detection
 from contentctl.objects.story import Story
 
@@ -28,29 +27,69 @@ from contentctl.enrichments.cve_enrichment import CveEnrichment
 from contentctl.objects.config import validate
 
 
-
-@dataclass()
+@dataclass
 class DirectorOutputDto:
-     # Atomic Tests are first because parsing them 
-     # is far quicker than attack_enrichment
-     atomic_tests: Union[list[AtomicTest],None]
-     attack_enrichment: AttackEnrichment
-     detections: list[Detection]
-     stories: list[Story]
-     baselines: list[Baseline]
-     investigations: list[Investigation]
-     playbooks: list[Playbook]
-     macros: list[Macro]
-     lookups: list[Lookup]
-     deployments: list[Deployment]
-     ssa_detections: list[SSADetection]
-     #cve_enrichment: CveEnrichment
-
-     name_to_content_map: dict[str, SecurityContentObject] = field(default_factory=dict)
-     uuid_to_content_map: dict[UUID, SecurityContentObject] = field(default_factory=dict)
-     
+    # Atomic Tests are first because parsing them 
+    # is far quicker than attack_enrichment
+    atomic_tests: Union[list[AtomicTest],None]
+    attack_enrichment: AttackEnrichment
+    cve_enrichment: CveEnrichment
+    detections: list[Detection]
+    stories: list[Story]
+    baselines: list[Baseline]
+    investigations: list[Investigation]
+    playbooks: list[Playbook]
+    macros: list[Macro]
+    lookups: list[Lookup]
+    deployments: list[Deployment]
+    ssa_detections: list[SSADetection]
+
+    name_to_content_map: dict[str, SecurityContentObject] = field(default_factory=dict)
+    uuid_to_content_map: dict[UUID, SecurityContentObject] = field(default_factory=dict)
+
+    def addContentToDictMappings(self, content: SecurityContentObject):
+        content_name = content.name
+        if isinstance(content, SSADetection):
+            # Since SSA detections may have the same name as ESCU detection,
+            # for this function we prepend 'SSA ' to the name.
+            content_name = f"SSA {content_name}"
+        if content_name in self.name_to_content_map:
+            raise ValueError(
+                f"Duplicate name '{content_name}' with paths:\n"
+                f" - {content.file_path}\n"
+                f" - {self.name_to_content_map[content_name].file_path}"
+            )
+        elif content.id in self.uuid_to_content_map:
+            raise ValueError(
+                f"Duplicate id '{content.id}' with paths:\n"
+                f" - {content.file_path}\n"
+                f" - {self.name_to_content_map[content_name].file_path}"
+            )
+
+        if isinstance(content, Lookup):
+            self.lookups.append(content)
+        elif isinstance(content, Macro):
+            self.macros.append(content)
+        elif isinstance(content, Deployment):
+            self.deployments.append(content)
+        elif isinstance(content, Playbook):
+            self.playbooks.append(content)
+        elif isinstance(content, Baseline):
+            self.baselines.append(content)
+        elif isinstance(content, Investigation):
+            self.investigations.append(content)
+        elif isinstance(content, Story):
+            self.stories.append(content)
+        elif isinstance(content, Detection):
+            self.detections.append(content)
+        elif isinstance(content, SSADetection):
+            self.ssa_detections.append(content)
+        else:
+             raise Exception(f"Unknown security content type: {type(content)}")
 
 
+        self.name_to_content_map[content_name] = content
+        self.uuid_to_content_map[content.id] = content
 
 
 from contentctl.input.ssa_detection_builder import SSADetectionBuilder
@@ -60,13 +99,6 @@ from contentctl.objects.enums import DetectionStatus
 from contentctl.helper.utils import Utils
 
 
-
-
-
-
-     
-
-
 class Director():
     input_dto: validate
     output_dto: DirectorOutputDto
@@ -77,27 +109,7 @@ class Director():
     def __init__(self, output_dto: DirectorOutputDto) -> None:
         self.output_dto = output_dto
         self.ssa_detection_builder = SSADetectionBuilder()
-    
-    def addContentToDictMappings(self, content:SecurityContentObject):
-         content_name = content.name
-         if isinstance(content,SSADetection):
-            # Since SSA detections may have the same name as ESCU detection,
-            # for this function we prepend 'SSA ' to the name.
-            content_name = f"SSA {content_name}"               
-         if content_name in self.output_dto.name_to_content_map:
-            raise ValueError(f"Duplicate name '{content_name}' with paths:\n"
-                             f" - {content.file_path}\n"
-                             f" - {self.output_dto.name_to_content_map[content_name].file_path}")
-         elif content.id in self.output_dto.uuid_to_content_map:
-            raise ValueError(f"Duplicate id '{content.id}' with paths:\n"
-                    f" - {content.file_path}\n"
-                    f" - {self.output_dto.name_to_content_map[content_name].file_path}")
-         
-         self.output_dto.name_to_content_map[content_name] = content 
-         self.output_dto.uuid_to_content_map[content.id] = content 
-    
         
-    
     def execute(self, input_dto: validate) -> None:
         self.input_dto = input_dto
 
@@ -146,50 +158,41 @@ class Director():
 
                 if contentType == SecurityContentType.lookups:
                         lookup = Lookup.model_validate(modelDict,context={"output_dto":self.output_dto, "config":self.input_dto})
-                        self.output_dto.lookups.append(lookup)
-                        self.addContentToDictMappings(lookup)
+                        self.output_dto.addContentToDictMappings(lookup)
                 
                 elif contentType == SecurityContentType.macros:
                         macro = Macro.model_validate(modelDict,context={"output_dto":self.output_dto})
-                        self.output_dto.macros.append(macro)
-                        self.addContentToDictMappings(macro)
+                        self.output_dto.addContentToDictMappings(macro)
                 
                 elif contentType == SecurityContentType.deployments:
                         deployment = Deployment.model_validate(modelDict,context={"output_dto":self.output_dto})
-                        self.output_dto.deployments.append(deployment)
-                        self.addContentToDictMappings(deployment)
+                        self.output_dto.addContentToDictMappings(deployment)
                 
                 elif contentType == SecurityContentType.playbooks:
                         playbook = Playbook.model_validate(modelDict,context={"output_dto":self.output_dto})
-                        self.output_dto.playbooks.append(playbook)  
-                        self.addContentToDictMappings(playbook)                  
+                        self.output_dto.addContentToDictMappings(playbook)                  
                 
                 elif contentType == SecurityContentType.baselines:
                         baseline = Baseline.model_validate(modelDict,context={"output_dto":self.output_dto})
-                        self.output_dto.baselines.append(baseline)
-                        self.addContentToDictMappings(baseline)
+                        self.output_dto.addContentToDictMappings(baseline)
                 
                 elif contentType == SecurityContentType.investigations:
                         investigation = Investigation.model_validate(modelDict,context={"output_dto":self.output_dto})
-                        self.output_dto.investigations.append(investigation)
-                        self.addContentToDictMappings(investigation)
+                        self.output_dto.addContentToDictMappings(investigation)
 
                 elif contentType == SecurityContentType.stories:
                         story = Story.model_validate(modelDict,context={"output_dto":self.output_dto})
-                        self.output_dto.stories.append(story)
-                        self.addContentToDictMappings(story)
+                        self.output_dto.addContentToDictMappings(story)
             
                 elif contentType == SecurityContentType.detections:
-                        detection = Detection.model_validate(modelDict,context={"output_dto":self.output_dto})
-                        self.output_dto.detections.append(detection)
-                        self.addContentToDictMappings(detection)
+                        detection = Detection.model_validate(modelDict,context={"output_dto":self.output_dto, "app":self.input_dto.app})
+                        self.output_dto.addContentToDictMappings(detection)
 
                 elif contentType == SecurityContentType.ssa_detections:
                         self.constructSSADetection(self.ssa_detection_builder, self.output_dto,str(file))
                         ssa_detection = self.ssa_detection_builder.getObject()
                         if ssa_detection.status in [DetectionStatus.production.value, DetectionStatus.validation.value]:
-                            self.output_dto.ssa_detections.append(ssa_detection)
-                            self.addContentToDictMappings(ssa_detection)
+                            self.output_dto.addContentToDictMappings(ssa_detection)
 
                 else:
                         raise Exception(f"Unsupported type: [{contentType}]")
@@ -228,6 +231,3 @@ class Director():
         builder.addMappings()
         builder.addUnitTest()
         builder.addRBA()
-
-
-