contentctl 4.2.1__py3-none-any.whl → 4.2.4__py3-none-any.whl

contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructure.py

@@ -85,7 +85,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
     hec_channel: str = ""
     _conn: client.Service = PrivateAttr()
     pbar: tqdm.tqdm = None
-    start_time: float = None
+    start_time: Optional[float] = None
 
     class Config:
         arbitrary_types_allowed = True
@@ -136,7 +136,6 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
                     TestReportingType.SETUP,
                     self.get_name(),
                     msg,
-                    self.start_time,
                     update_sync_status=True,
                 )
                 func()
@@ -147,7 +146,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
             self.finish()
             return
 
-        self.format_pbar_string(TestReportingType.SETUP, self.get_name(), "Finished Setup!", self.start_time)
+        self.format_pbar_string(TestReportingType.SETUP, self.get_name(), "Finished Setup!")
 
     def wait_for_ui_ready(self):
         self.get_conn()
@@ -216,7 +215,6 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
                         TestReportingType.SETUP,
                         self.get_name(),
                         "Waiting for reboot",
-                        self.start_time,
                         update_sync_status=True,
                     )
                 else:
@@ -236,18 +234,12 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
                 self.pbar.write(
                     f"Error getting API connection (not quitting) '{type(e).__name__}': {str(e)}"
                 )
-                print("wow")
-                # self.pbar.write(
-                #     f"Unhandled exception getting connection to splunk server: {str(e)}"
-                # )
-                # self.sync_obj.terminate = True
 
             for _ in range(sleep_seconds):
                 self.format_pbar_string(
                     TestReportingType.SETUP,
                     self.get_name(),
                     "Getting API Connection",
-                    self.start_time,
                     update_sync_status=True,
                 )
                 time.sleep(1)
@@ -318,7 +310,6 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
                     TestReportingType.SETUP,
                     self.get_name(),
                     "Configuring Datamodels",
-                    self.start_time,
                 )
 
     def configure_conf_file_datamodels(self, APP_NAME: str = "Splunk_SA_CIM"):
@@ -424,7 +415,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
                         TestReportingType.GROUP,
                         test_group.name,
                         FinalTestingStates.SKIP.value,
-                        time.time(),
+                        start_time=time.time(),
                         set_pbar=False,
                     )
                 )
@@ -465,7 +456,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
                     TestReportingType.GROUP,
                     test_group.name,
                     TestingStates.DONE_GROUP.value,
-                    setup_results.start_time,
+                    start_time=setup_results.start_time,
                     set_pbar=False,
                 )
             )
@@ -486,7 +477,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
             TestReportingType.GROUP,
             test_group.name,
             TestingStates.BEGINNING_GROUP.value,
-            setup_start_time
+            start_time=setup_start_time
         )
         # https://github.com/WoLpH/python-progressbar/issues/164
         # Use NullBar if there is more than 1 container or we are running
@@ -526,7 +517,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
             TestReportingType.GROUP,
             test_group.name,
             TestingStates.DELETING.value,
-            test_group_start_time,
+            start_time=test_group_start_time,
         )
 
         # TODO: do we want to clean up even if replay failed? Could have been partial failure?
@@ -544,7 +535,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
         test_reporting_type: TestReportingType,
         test_name: str,
         state: str,
-        start_time: Union[float, None],
+        start_time: Optional[float] = None,
         set_pbar: bool = True,
         update_sync_status: bool = False,
     ) -> str:
@@ -559,8 +550,13 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
         :param update_sync_status: bool indicating whether a sync status update should be queued
         :returns: a formatted string for use w/ pbar
         """
-        # set start time id not provided
+        # set start time if not provided
         if start_time is None:
+            # if self.start_time is still None, something went wrong
+            if self.start_time is None:
+                raise ValueError(
+                    "self.start_time is still None; a function may have been called before self.setup()"
+                )
             start_time = self.start_time
 
         # invoke the helper method
@@ -575,7 +571,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
 
         # update sync status if needed
         if update_sync_status:
-            self.sync_obj.currentTestingQueue[self.get_name()] = {
+            self.sync_obj.currentTestingQueue[self.get_name()] = {                                  # type: ignore
                 "name": state,
                 "search": "N/A",
             }
@@ -621,7 +617,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
             TestReportingType.UNIT,
             f"{detection.name}:{test.name}",
             TestingStates.BEGINNING_TEST,
-            test_start_time,
+            start_time=test_start_time,
         )
 
         # if the replay failed, record the test failure and return
@@ -690,14 +686,14 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
                 res = "ERROR"
                 link = detection.search
             else:
-                res = test.result.status.value.upper()
+                res = test.result.status.value.upper()                                              # type: ignore
                 link = test.result.get_summary_dict()["sid_link"]
 
             self.format_pbar_string(
                 TestReportingType.UNIT,
                 f"{detection.name}:{test.name}",
                 f"{res} - {link} (CTRL+D to continue)",
-                test_start_time,
+                start_time=test_start_time,
             )
 
             # Wait for user input
@@ -722,7 +718,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
                     TestReportingType.UNIT,
                     f"{detection.name}:{test.name}",
                     FinalTestingStates.PASS.value,
-                    test_start_time,
+                    start_time=test_start_time,
                     set_pbar=False,
                 )
             )
@@ -744,7 +740,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
                     TestReportingType.UNIT,
                     f"{detection.name}:{test.name}",
                     FinalTestingStates.FAIL.value,
-                    test_start_time,
+                    start_time=test_start_time,
                     set_pbar=False,
                 )
             )
@@ -755,7 +751,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
                     TestReportingType.UNIT,
                     f"{detection.name}:{test.name}",
                     FinalTestingStates.ERROR.value,
-                    test_start_time,
+                    start_time=test_start_time,
                     set_pbar=False,
                 )
             )
@@ -770,7 +766,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
         stdout.flush()
         test.result.duration = round(time.time() - test_start_time, 2)
 
-    # TODO (cmcginley): break up the execute routines for integration/unit tests some more to remove
+    # TODO (#227): break up the execute routines for integration/unit tests some more to remove
     #   code w/ similar structure
     def execute_integration_test(
         self,
@@ -837,7 +833,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
             TestReportingType.INTEGRATION,
             f"{detection.name}:{test.name}",
             TestingStates.BEGINNING_TEST,
-            test_start_time,
+            start_time=test_start_time,
         )
 
         # if the replay failed, record the test failure and return
@@ -874,15 +870,10 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
                 start_time=test_start_time
             )
 
-            # TODO (cmcginley): right now, we are creating one CorrelationSearch instance for each
-            #   test case; typically, there is only one unit test, and thus one integration test,
-            #   per detection, so this is not an issue. However, if we start having many test cases
-            #   per detection, we will be duplicating some effort & network calls that we don't need
-            #   to. Consider refactoring in order to re-use CorrelationSearch objects across tests
-            #   in such a case
+            # TODO (#228): consider reusing CorrelationSearch instances across test cases
             # Instantiate the CorrelationSearch
             correlation_search = CorrelationSearch(
-                detection_name=detection.name,
+                detection=detection,
                 service=self.get_conn(),
                 pbar_data=pbar_data,
             )
@@ -892,14 +883,12 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
         except Exception as e:
             # Catch and report and unhandled exceptions in integration testing
             test.result = IntegrationTestResult(
-                message="TEST FAILED: unhandled exception in CorrelationSearch",
+                message="TEST ERROR: unhandled exception in CorrelationSearch",
                 exception=e,
                 status=TestResultStatus.ERROR
             )
 
-        # TODO (cmcginley): when in interactive mode, consider maybe making the cleanup routine in
-        #   correlation_search happen after the user breaks the interactivity; currently
-        #   risk/notable indexes are dumped before the user can inspect
+        # TODO (#229): when in interactive mode, cleanup should happen after user interaction
         # Pause here if the terminate flag has NOT been set AND either of the below are true:
         #   1. the behavior is always_pause
         #   2. the behavior is pause_on_failure and the test failed
@@ -908,7 +897,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
             if test.result is None:
                 res = "ERROR"
             else:
-                res = test.result.status.value.upper()
+                res = test.result.status.value.upper()                                              # type: ignore
 
             # Get the link to the saved search in this specific instance
             link = f"https://{self.infrastructure.instance_address}:{self.infrastructure.web_ui_port}"
@@ -917,7 +906,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
                 TestReportingType.INTEGRATION,
                 f"{detection.name}:{test.name}",
                 f"{res} - {link} (CTRL+D to continue)",
-                test_start_time,
+                start_time=test_start_time,
             )
 
             # Wait for user input
@@ -1036,8 +1025,8 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
             search = f"{detection.search} {test.pass_condition}"
 
         # Ensure searches that do not begin with '|' must begin with 'search '
-        if not search.strip().startswith("|"):
-            if not search.strip().startswith("search "):
+        if not search.strip().startswith("|"):                                                      # type: ignore
+            if not search.strip().startswith("search "):                                            # type: ignore
                 search = f"search {search}"
 
         # exponential backoff for wait time
@@ -1054,7 +1043,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
                     TestReportingType.UNIT,
                     f"{detection.name}:{test.name}",
                     TestingStates.PROCESSING.value,
-                    start_time
+                    start_time=start_time
                 )
 
                 time.sleep(1)
@@ -1063,7 +1052,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
                 TestReportingType.UNIT,
                 f"{detection.name}:{test.name}",
                 TestingStates.SEARCHING.value,
-                start_time,
+                start_time=start_time,
             )
 
             # Execute the search and read the results
@@ -1079,7 +1068,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
                 test.result = UnitTestResult()
 
                 # Initialize the collection of fields that are empty that shouldn't be
-                empty_fields = set()
+                empty_fields: set[str] = set()
 
                 # Filter out any messages in the results
                 for result in results:
@@ -1194,10 +1183,15 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
     ):
         tempfile = mktemp(dir=tmp_dir)
 
+
         if not (str(attack_data_file.data).startswith("http://") or 
                 str(attack_data_file.data).startswith("https://")) :
             if pathlib.Path(str(attack_data_file.data)).is_file():
-                self.format_pbar_string(TestReportingType.GROUP, test_group.name, "Copying Data", test_group_start_time)
+                self.format_pbar_string(TestReportingType.GROUP, 
+                                        test_group.name, 
+                                        "Copying Data", 
+                                        test_group_start_time)
+
                 try:
                     copyfile(str(attack_data_file.data), tempfile)
                 except Exception as e:
@@ -1221,7 +1215,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
                     TestReportingType.GROUP,
                     test_group.name,
                     TestingStates.DOWNLOADING.value,
-                    test_group_start_time
+                    start_time=test_group_start_time
                 )
 
                 Utils.download_file_from_http(
@@ -1240,7 +1234,7 @@ class DetectionTestingInfrastructure(BaseModel, abc.ABC):
             TestReportingType.GROUP,
             test_group.name,
             TestingStates.REPLAYING.value,
-            test_group_start_time
+            start_time=test_group_start_time
         )
 
         self.hec_raw_replay(tempfile, attack_data_file)

contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructureContainer.py

@@ -75,7 +75,7 @@ class DetectionTestingInfrastructureContainer(DetectionTestingInfrastructure):
         mounts = [
             docker.types.Mount(
                 source=str(self.global_config.getLocalAppDir()),
-                target=str(self.global_config.getContainerAppDir()),
+                target=(self.global_config.getContainerAppDir()).as_posix(),
                 type="bind",
                 read_only=True,
             )

contentctl/actions/detection_testing/views/DetectionTestingView.py

@@ -152,10 +152,7 @@ class DetectionTestingView(BaseModel, abc.ABC):
             total_pass, total_detections-total_skipped, 1
         )
 
-        # TODO (cmcginley): add stats around total test cases and unit/integration test
-        #   sucess/failure? maybe configurable reporting? add section to summary called
-        #   "testwise_summary" listing per test metrics (e.g. total test, total tests passed, ...);
-        #   also list num skipped at both detection and test level
+        # TODO (#230): expand testing metrics reported
         # Construct and return the larger results dict
         result_dict = {
             "summary": {

contentctl/actions/validate.py

@@ -1,11 +1,14 @@
 
 import pathlib
+
 from contentctl.input.director import Director, DirectorOutputDto
 from contentctl.objects.config import validate
 from contentctl.enrichments.attack_enrichment import AttackEnrichment
 from contentctl.enrichments.cve_enrichment import CveEnrichment
 from contentctl.objects.atomic import AtomicTest
 from contentctl.helper.utils import Utils
+from contentctl.objects.data_source import DataSource
+from contentctl.helper.splunk_app import SplunkApp
 
 
 class Validate:
@@ -33,6 +36,9 @@ class Validate:
         director = Director(director_output_dto)
         director.execute(input_dto)
         self.ensure_no_orphaned_files_in_lookups(input_dto.path, director_output_dto)
+        if input_dto.data_source_TA_validation:
+            self.validate_latest_TA_information(director_output_dto.data_sources)
+            
         return director_output_dto
 
     
@@ -72,4 +78,37 @@ class Validate:
         if len(unusedLookupFiles) > 0:
             raise Exception(f"The following .csv or .mlmodel files exist in '{lookupsDirectory}', but are not referenced by a lookup file: {[str(path) for path in unusedLookupFiles]}")
         return
-    
+    
+
+    def validate_latest_TA_information(self, data_sources: list[DataSource]) -> None:
+        validated_TAs: list[tuple[str, str]] = []
+        errors:list[str] = []
+        print("----------------------")
+        print("Validating latest TA:")
+        print("----------------------")
+        for data_source in data_sources:
+            for supported_TA in data_source.supported_TA:
+                ta_identifier = (supported_TA.name, supported_TA.version)
+                if ta_identifier in validated_TAs:
+                    continue
+                if supported_TA.url is not None:
+                    validated_TAs.append(ta_identifier)
+                    uid = int(str(supported_TA.url).rstrip('/').split("/")[-1])
+                    try:
+                        splunk_app = SplunkApp(app_uid=uid)
+                        if splunk_app.latest_version != supported_TA.version:
+                            errors.append(f"Version mismatch in '{data_source.file_path}' supported TA '{supported_TA.name}'"
+                                          f"\n  Latest version on Splunkbase    : {splunk_app.latest_version}"
+                                          f"\n  Version specified in data source: {supported_TA.version}")
+                    except Exception as e:
+                        errors.append(f"Error processing checking version of TA {supported_TA.name}: {str(e)}")
+                            
+        if len(errors) > 0:
+            errorString = '\n\n'.join(errors)
+            raise Exception(f"[{len(errors)}] or more TA versions are out of date or have other errors."
+                            f"Please update the following data sources with the latest versions of "
+                            f"their supported tas:\n\n{errorString}")
+        print("All TA versions are up to date.")
+        
+
+

contentctl/enrichments/attack_enrichment.py

@@ -2,14 +2,12 @@
 from __future__ import annotations
 import csv
 import os
-from posixpath import split
-from typing import Optional
 import sys
 from attackcti import attack_client
 import logging
 from pydantic import BaseModel, Field
 from dataclasses import field
-from typing import Union,Annotated
+from typing import Annotated
 from contentctl.objects.mitre_attack_enrichment import MitreAttackEnrichment
 from contentctl.objects.config import validate
 logging.getLogger('taxii2client').setLevel(logging.CRITICAL)
@@ -25,15 +23,15 @@ class AttackEnrichment(BaseModel):
         _ = enrichment.get_attack_lookup(str(config.path))
         return enrichment
     
-    def getEnrichmentByMitreID(self, mitre_id:Annotated[str, Field(pattern="^T\d{4}(.\d{3})?$")])->Union[MitreAttackEnrichment,None]:
+    def getEnrichmentByMitreID(self, mitre_id:Annotated[str, Field(pattern=r"^T\d{4}(.\d{3})?$")])->MitreAttackEnrichment:
         if not self.use_enrichment:
-            return None
+            raise Exception(f"Error, trying to add Mitre Enrichment, but use_enrichment was set to False")
         
         enrichment = self.data.get(mitre_id, None)
         if enrichment is not None:
             return enrichment
         else:
-            raise ValueError(f"Error, Unable to find Mitre Enrichment for MitreID {mitre_id}")
+            raise Exception(f"Error, Unable to find Mitre Enrichment for MitreID {mitre_id}")
         
 
     def addMitreID(self, technique:dict, tactics:list[str], groups:list[str])->None:
@@ -44,7 +42,7 @@ class AttackEnrichment(BaseModel):
         groups.sort()
 
         if technique_id in self.data:
-            raise ValueError(f"Error, trying to redefine MITRE ID '{technique_id}'")
+            raise Exception(f"Error, trying to redefine MITRE ID '{technique_id}'")
         
         self.data[technique_id] = MitreAttackEnrichment(mitre_attack_id=technique_id, 
                                                         mitre_attack_technique=technique_obj, 
@@ -53,7 +51,7 @@ class AttackEnrichment(BaseModel):
 
     
     def get_attack_lookup(self, input_path: str, store_csv: bool = False, force_cached_or_offline: bool = False, skip_enrichment:bool = False) -> dict:
-        if self.use_enrichment is False:
+        if not self.use_enrichment:
             return {}
         print("Getting MITRE Attack Enrichment Data. This may take some time...")
         attack_lookup = dict()

contentctl/enrichments/cve_enrichment.py

@@ -18,9 +18,9 @@ CVESSEARCH_API_URL = 'https://cve.circl.lu'
 
 
 class CveEnrichmentObj(BaseModel):
-    id:Annotated[str, "^CVE-[1|2][0-9]{3}-[0-9]+$"]
-    cvss:Annotated[Decimal, Field(ge=.1, le=10, decimal_places=1)]
-    summary:str
+    id: Annotated[str, r"^CVE-[1|2]\d{3}-\d+$"]
+    cvss: Annotated[Decimal, Field(ge=.1, le=10, decimal_places=1)]
+    summary: str
     
     @computed_field
     @property