synapse 2.169.0__py311-none-any.whl → 2.170.0__py311-none-any.whl

synapse/lib/view.py

@@ -196,10 +196,6 @@ class View(s_nexus.Pusher):  # type: ignore
     async def _setMergeRequest(self, mergeinfo):
         self.reqParentQuorum()
 
-        if self.hasKids():
-            mesg = 'Cannot add a merge request to a view with children.'
-            raise s_exc.BadState(mesg=mesg)
-
         s_schemas.reqValidMerge(mergeinfo)
         lkey = self.bidn + b'merge:req'
         self.core.slab.put(lkey, s_msgpack.en(mergeinfo), db='view:meta')
@@ -450,8 +446,7 @@ class View(s_nexus.Pusher):  # type: ignore
             await self.core.feedBeholder('view:merge:fini', {'view': self.iden, 'merge': merge, 'merge': merge, 'votes': votes})
 
             # remove the view and top layer
-            await self.core.delView(self.iden)
-            await self.core.delLayer(self.layers[0].iden)
+            await self.core.delViewWithLayer(self.iden)
 
         except Exception as e: # pragma: no cover
             logger.exception(f'Error while merging view: {self.iden}')
@@ -1112,10 +1107,6 @@ class View(s_nexus.Pusher):  # type: ignore
                 mesg = 'Circular dependency of view parents is not supported.'
                 raise s_exc.BadArg(mesg=mesg)
 
-            if parent.getMergeRequest() is not None:
-                mesg = 'You may not set the parent to a view with a pending merge request.'
-                raise s_exc.BadState(mesg=mesg)
-
             if self.parent is not None:
                 if self.parent.iden == parent.iden:
                     return valu
@@ -1254,6 +1245,92 @@ class View(s_nexus.Pusher):  # type: ignore
 
                 todo.append(child)
 
+    async def insertParentFork(self, useriden, name=None):
+        '''
+        Insert a new View between a forked View and its parent.
+
+        Returns:
+            New view definition with the same perms as the current fork.
+        '''
+        if not self.isafork():
+            mesg = f'View ({self.iden}) is not a fork, cannot insert a new fork between it and parent.'
+            raise s_exc.BadState(mesg=mesg)
+
+        ctime = s_common.now()
+        layriden = s_common.guid()
+
+        ldef = {
+            'iden': layriden,
+            'created': ctime,
+            'creator': useriden,
+            'lockmemory': self.core.conf.get('layers:lockmemory'),
+            'logedits': self.core.conf.get('layers:logedits'),
+            'readonly': False
+        }
+
+        vdef = {
+            'iden': s_common.guid(),
+            'created': ctime,
+            'creator': useriden,
+            'parent': self.parent.iden,
+            'layers': [layriden] + [lyr.iden for lyr in self.parent.layers]
+        }
+
+        if name is not None:
+            vdef['name'] = name
+
+        s_layer.reqValidLdef(ldef)
+        s_schemas.reqValidView(vdef)
+
+        return await self._push('view:forkparent', ldef, vdef)
+
+    @s_nexus.Pusher.onPush('view:forkparent', passitem=True)
+    async def _insertParentFork(self, ldef, vdef, nexsitem):
+
+        s_layer.reqValidLdef(ldef)
+        s_schemas.reqValidView(vdef)
+
+        if self.getMergeRequest() is not None:
+            await self._delMergeRequest()
+
+        await self.core._addLayer(ldef, nexsitem)
+        await self.core._addView(vdef)
+
+        forkiden = vdef.get('iden')
+        self.parent = self.core.reqView(forkiden)
+        await self.info.set('parent', forkiden)
+
+        await self._calcForkLayers()
+
+        for view in self.core.views.values():
+            if view.isForkOf(self.iden):
+                await view._calcForkLayers()
+
+        self.core._calcViewsByLayer()
+
+        authgate = await self.core.getAuthGate(self.iden)
+        if authgate is None:  # pragma: no cover
+            return await self.parent.pack()
+
+        for userinfo in authgate.get('users'):
+            useriden = userinfo.get('iden')
+            if (user := self.core.auth.user(useriden)) is None:  # pragma: no cover
+                logger.warning(f'View {self.iden} AuthGate refers to unknown user {useriden}')
+                continue
+
+            await user.setRules(userinfo.get('rules'), gateiden=forkiden, nexs=False)
+            await user.setAdmin(userinfo.get('admin'), gateiden=forkiden, logged=False)
+
+        for roleinfo in authgate.get('roles'):
+            roleiden = roleinfo.get('iden')
+            if (role := self.core.auth.role(roleiden)) is None:  # pragma: no cover
+                logger.warning(f'View {self.iden} AuthGate refers to unknown role {roleiden}')
+                continue
+
+            await role.setRules(roleinfo.get('rules'), gateiden=forkiden, nexs=False)
+
+        return await self.parent.pack()
+
     async def fork(self, ldef=None, vdef=None):
         '''
         Make a new view inheriting from this view with the same layers and a new write layer on top
@@ -1272,10 +1349,6 @@ class View(s_nexus.Pusher):  # type: ignore
         if vdef is None:
             vdef = {}
 
-        if self.getMergeRequest() is not None:
-            mesg = 'Cannot fork a view which has a merge request.'
-            raise s_exc.BadState(mesg=mesg)
-
         ldef = await self.core.addLayer(ldef)
         layriden = ldef.get('iden')
 

synapse/models/files.py

@@ -408,6 +408,9 @@ class FileModule(s_module.CoreModule):
                     'doc': 'A section inside a Mach-O binary denoting a named region of bytes inside a segment.',
                 }),
 
+                ('file:mime:lnk', ('guid', {}), {
+                    'doc': 'The GUID of the metadata pulled from a Windows shortcut or LNK file.',
+                }),
             ),
 
             'forms': (
@@ -699,6 +702,43 @@ class FileModule(s_module.CoreModule):
                         'doc': 'The file offset to the beginning of the section'}),
                 )),
 
+                ('file:mime:lnk', {}, (
+                    ('flags', ('int', {}), {
+                        'doc': 'The flags specified by the LNK header that control the structure of the LNK file.'}),
+                    ('entry:primary', ('file:path', {}), {
+                        'doc': 'The primary file path contained within the FileEntry structure of the LNK file.'}),
+                    ('entry:secondary', ('file:path', {}), {
+                        'doc': 'The secondary file path contained within the FileEntry structure of the LNK file.'}),
+                    ('entry:extended', ('file:path', {}), {
+                        'doc': 'The extended file path contained within the extended FileEntry structure of the LNK file.'}),
+                    ('entry:localized', ('file:path', {}), {
+                        'doc': 'The localized file path contained within the extended FileEntry structure of the LNK file.'}),
+                    ('entry:icon', ('file:path', {}), {
+                        'doc': 'The icon file path contained within the StringData structure of the LNK file.'}),
+                    ('environment:path', ('file:path', {}), {
+                        'doc': 'The target file path contained within the EnvironmentVariableDataBlock structure of the LNK file.'}),
+                    ('environment:icon', ('file:path', {}), {
+                        'doc': 'The icon file path contained within the IconEnvironmentDataBlock structure of the LNK file.'}),
+                    ('working', ('file:path', {}), {
+                        'doc': 'The working directory used when activating the link target.'}),
+                    ('relative', ('str', {'strip': True}), {
+                        'doc': 'The relative target path string contained within the StringData structure of the LNK file.'}),
+                    ('arguments', ('it:cmd', {}), {
+                        'doc': 'The command line arguments passed to the target file when the LNK file is activated.'}),
+                    ('desc', ('str', {}), {
+                        'disp': {'hint': 'text'},
+                        'doc': 'The description of the LNK file contained within the StringData section of the LNK file.'}),
+                    ('target:attrs', ('int', {}), {
+                        'doc': 'The attributes of the target file according to the LNK header.'}),
+                    ('target:size', ('int', {}), {
+                        'doc': 'The size of the target file according to the LNK header. The LNK format specifies that this is only the lower 32 bits of the target file size.'}),
+                    ('target:created', ('time', {}), {
+                        'doc': 'The creation time of the target file according to the LNK header.'}),
+                    ('target:accessed', ('time', {}), {
+                        'doc': 'The access time of the target file according to the LNK header.'}),
+                    ('target:written', ('time', {}), {
+                        'doc': 'The write time of the target file according to the LNK header.'}),
+                )),
             ),
 
         }

synapse/models/inet.py

@@ -23,7 +23,7 @@ import synapse.lookup.iana as s_l_iana
 logger = logging.getLogger(__name__)
 drivre = regex.compile(r'^\w[:|]')
 fqdnre = regex.compile(r'^[\w._-]+$', regex.U)
-srv6re = regex.compile(r'^\[([a-f0-9\.:]+)\]:(\d+)$')
+srv6re = regex.compile(r'^\[([a-f0-9\.:]+)\](?::(\d+))?$', regex.IGNORECASE)
 
 udots = regex.compile(r'[\u3002\uff0e\uff61]')
 
@@ -142,11 +142,15 @@ class Addr(s_types.Str):
                     if v6v4addr is not None:
                         subs['ipv4'] = v6v4addr
 
-                port = self.modl.type('inet:port').norm(port)[0]
                 subs['ipv6'] = ipv6
-                subs['port'] = port
 
-                return f'{proto}://[{ipv6}]:{port}', {'subs': subs}
+                portstr = ''
+                if port is not None:
+                    port = self.modl.type('inet:port').norm(port)[0]
+                    subs['port'] = port
+                    portstr = f':{port}'
+
+                return f'{proto}://[{ipv6}]{portstr}', {'subs': subs}
 
             mesg = f'Invalid IPv6 w/port ({orig})'
             raise s_exc.BadTypeValu(valu=orig, name=self.name, mesg=mesg)

synapse/models/infotech.py

@@ -1,6 +1,10 @@
+import copy
+import string
 import asyncio
 import logging
 
+import regex
+
 import synapse.exc as s_exc
 import synapse.data as s_data
 
@@ -9,10 +13,53 @@ import synapse.common as s_common
 import synapse.lib.chop as s_chop
 import synapse.lib.types as s_types
 import synapse.lib.module as s_module
+import synapse.lib.scrape as s_scrape
 import synapse.lib.version as s_version
 
 logger = logging.getLogger(__name__)
 
+# This is the regular expression pattern for CPE2.2. It's kind of a hybrid
+# between compatible binding and preferred binding. Differences are here:
+# - Use only the list of percent encoded values specified by preferred binding.
+#   This is to ensure it converts properly to CPE2.3.
+# - Add tilde (~) to the UNRESERVED list which removes the need to specify the
+#   PACKED encoding specifically.
+ALPHA = '[A-Za-z]'
+DIGIT = '[0-9]'
+UNRESERVED = r'[A-Za-z0-9\-\.\_~]'
+SPEC1 = '%01'
+SPEC2 = '%02'
+# This is defined in the ABNF but not actually referenced
+# SPECIAL = f'(?:{SPEC1}|{SPEC2})'
+SPEC_CHRS = f'(?:{SPEC1}+|{SPEC2})'
+PCT_ENCODED = '%(?:21|22|23|24|25|26|27|28|28|29|2a|2b|2c|2f|3a|3b|3c|3d|3e|3f|40|5b|5c|5d|5e|60|7b|7c|7d|7e)'
+STR_WO_SPECIAL = f'(?:{UNRESERVED}|{PCT_ENCODED})*'
+STR_W_SPECIAL = f'{SPEC_CHRS}? (?:{UNRESERVED}|{PCT_ENCODED})+ {SPEC_CHRS}?'
+STRING = f'(?:{STR_W_SPECIAL}|{STR_WO_SPECIAL})'
+REGION = f'(?:{ALPHA}{{2}}|{DIGIT}{{3}})'
+LANGTAG = rf'(?:{ALPHA}{{2,3}}(?:\-{REGION})?)'
+PART = '[hoa]?'
+VENDOR = STRING
+PRODUCT = STRING
+VERSION = STRING
+UPDATE = STRING
+EDITION = STRING
+LANG = f'{LANGTAG}?'
+COMPONENT_LIST = f'''
+    (?:
+        {PART}:{VENDOR}:{PRODUCT}:{VERSION}:{UPDATE}:{EDITION}:{LANG} |
+        {PART}:{VENDOR}:{PRODUCT}:{VERSION}:{UPDATE}:{EDITION} |
+        {PART}:{VENDOR}:{PRODUCT}:{VERSION}:{UPDATE} |
+        {PART}:{VENDOR}:{PRODUCT}:{VERSION} |
+        {PART}:{VENDOR}:{PRODUCT} |
+        {PART}:{VENDOR} |
+        {PART}
+    )
+'''
+
+cpe22_regex = regex.compile(f'cpe:/{COMPONENT_LIST}', regex.VERBOSE | regex.IGNORECASE)
+cpe23_regex = regex.compile(s_scrape._cpe23_regex, regex.VERBOSE | regex.IGNORECASE)
+
 def cpesplit(text):
     part = ''
     parts = []
@@ -36,7 +83,160 @@ def cpesplit(text):
     except StopIteration:
         parts.append(part)
 
-    return parts
+    return [part.strip() for part in parts]
+
+# Formatted String Binding characters that need to be escaped
+FSB_ESCAPE_CHARS = [
+    '!', '"', '#', '$', '%', '&', "'", '(', ')',
+    '+', ',', '/', ':', ';', '<', '=', '>', '@',
+    '[', ']', '^', '`', '{', '|', '}', '~',
+    '\\', '?', '*'
+]
+
+FSB_VALID_CHARS = ['-', '.', '_']
+FSB_VALID_CHARS.extend(string.ascii_letters)
+FSB_VALID_CHARS.extend(string.digits)
+FSB_VALID_CHARS.extend(FSB_ESCAPE_CHARS)
+
+def fsb_escape(text):
+    ret = ''
+    if text in ('*', '-'):
+        return text
+
+    # Check validity of text first
+    if (invalid := [char for char in text if char not in FSB_VALID_CHARS]):
+        badchars = ', '.join(invalid)
+        mesg = f'Invalid CPE 2.3 character(s) ({badchars}) detected.'
+        raise s_exc.BadTypeValu(mesg=mesg, valu=text)
+
+    textlen = len(text)
+
+    for idx, char in enumerate(text):
+        if char not in FSB_ESCAPE_CHARS:
+            ret += char
+            continue
+
+        escchar = f'\\{char}'
+
+        # The only character in the string
+        if idx == 0 and idx == textlen - 1:
+            ret += escchar
+            continue
+
+        # Handle the backslash as a special case
+        if char == '\\':
+            if idx == 0:
+                # Its the first character and escaping another special character
+                if text[idx + 1] in FSB_ESCAPE_CHARS:
+                    ret += char
+                else:
+                    ret += escchar
+
+                continue
+
+            if idx == textlen - 1:
+                # Its the last character and being escaped
+                if text[idx - 1] == '\\':
+                    ret += char
+                else:
+                    ret += escchar
+
+                continue
+
+            # The backslash is in the middle somewhere
+
+            # It's already escaped or it's escaping a special char
+            if text[idx - 1] == '\\' or text[idx + 1] in FSB_ESCAPE_CHARS:
+                ret += char
+                continue
+
+            # Lone backslash, escape it and move on
+            ret += escchar
+            continue
+
+        # First char, no look behind
+        if idx == 0:
+            # Escape the first character and go around
+            ret += escchar
+            continue
+
+        escaped = text[idx - 1] == '\\'
+
+        if not escaped:
+            ret += escchar
+            continue
+
+        ret += char
+
+    return ret
+
+def fsb_unescape(text):
+    ret = ''
+    textlen = len(text)
+
+    for idx, char in enumerate(text):
+        # The last character so we can't look ahead
+        if idx == textlen - 1:
+            ret += char
+            continue
+
+        if char == '\\' and text[idx + 1] in FSB_ESCAPE_CHARS:
+            continue
+
+        ret += char
+
+    return ret
+
+# URI Binding characters that can be encoded in percent format
+URI_PERCENT_CHARS = [
+    # Do the percent first so we don't double encode by accident
+    ('%25', '%'),
+    ('%21', '!'), ('%22', '"'), ('%23', '#'), ('%24', '$'), ('%26', '&'), ('%27', "'"),
+    ('%28', '('), ('%29', ')'), ('%2a', '*'), ('%2b', '+'), ('%2c', ','), ('%2f', '/'), ('%3a', ':'),
+    ('%3b', ';'), ('%3c', '<'), ('%3d', '='), ('%3e', '>'), ('%3f', '?'), ('%40', '@'), ('%5b', '['),
+    ('%5c', '\\'), ('%5d', ']'), ('%5e', '^'), ('%60', '`'), ('%7b', '{'), ('%7c', '|'), ('%7d', '}'),
+    ('%7e', '~'),
+]
+
+def uri_quote(text):
+    ret = ''
+    for (pct, char) in URI_PERCENT_CHARS:
+        text = text.replace(char, pct)
+    return text
+
+def uri_unquote(text):
+    # iterate backwards so we do the % last to avoid double unquoting
+    # example: "%2521" would turn into "%21" which would then replace into "!"
+    for (pct, char) in URI_PERCENT_CHARS[::-1]:
+        text = text.replace(pct, char)
+    return text
+
+UNSPECIFIED = ('', '*')
+def uri_pack(edition, sw_edition, target_sw, target_hw, other):
+    # If the four extended attributes are unspecified, only return the edition value
+    if (sw_edition in UNSPECIFIED and target_sw in UNSPECIFIED and target_hw in UNSPECIFIED and other in UNSPECIFIED):
+        return edition
+
+    ret = [edition, '', '', '', '']
+
+    if sw_edition not in UNSPECIFIED:
+        ret[1] = sw_edition
+
+    if target_sw not in UNSPECIFIED:
+        ret[2] = target_sw
+
+    if target_hw not in UNSPECIFIED:
+        ret[3] = target_hw
+
+    if other not in UNSPECIFIED:
+        ret[4] = other
+
+    return '~' + '~'.join(ret)
+
+def uri_unpack(edition):
+    if edition.startswith('~') and edition.count('~') == 5:
+        return edition[1:].split('~', 5)
+    return None
 
 class Cpe22Str(s_types.Str):
     '''
@@ -60,7 +260,14 @@ class Cpe22Str(s_types.Str):
             mesg = 'CPE 2.2 string is expected to start with "cpe:/"'
             raise s_exc.BadTypeValu(valu=valu, mesg=mesg)
 
-        return zipCpe22(parts), {}
+        v2_2 = zipCpe22(parts)
+
+        rgx = cpe22_regex.match(v2_2)
+        if rgx is None or rgx.group() != v2_2:
+            mesg = 'CPE 2.2 string appears to be invalid.'
+            raise s_exc.BadTypeValu(mesg=mesg, valu=valu)
+
+        return v2_2, {}
 
     def _normPyList(self, parts):
         return zipCpe22(parts), {}
@@ -77,7 +284,7 @@ def chopCpe22(text):
     CPE 2.2 Formatted String
     https://cpe.mitre.org/files/cpe-specification_2.2.pdf
     '''
-    if not text.startswith('cpe:/'):
+    if not text.startswith('cpe:/'): # pragma: no cover
         mesg = 'CPE 2.2 string is expected to start with "cpe:/"'
         raise s_exc.BadTypeValu(valu=text, mesg=mesg)
 
@@ -89,6 +296,18 @@ def chopCpe22(text):
 
     return parts
 
+PART_IDX_PART = 0
+PART_IDX_VENDOR = 1
+PART_IDX_PRODUCT = 2
+PART_IDX_VERSION = 3
+PART_IDX_UPDATE = 4
+PART_IDX_EDITION = 5
+PART_IDX_LANG = 6
+PART_IDX_SW_EDITION = 7
+PART_IDX_TARGET_SW = 8
+PART_IDX_TARGET_HW = 9
+PART_IDX_OTHER = 10
+
 class Cpe23Str(s_types.Str):
     '''
     CPE 2.3 Formatted String
@@ -119,31 +338,113 @@ class Cpe23Str(s_types.Str):
 
             extsize = 11 - len(parts)
             parts.extend(['*' for _ in range(extsize)])
+
+            v2_3 = 'cpe:2.3:' + ':'.join(parts)
+
+            v2_2 = copy.copy(parts)
+            for idx, part in enumerate(v2_2):
+                if part == '*':
+                    v2_2[idx] = ''
+                    continue
+
+                part = fsb_unescape(part)
+                v2_2[idx] = uri_quote(part)
+
+            v2_2[PART_IDX_EDITION] = uri_pack(
+                v2_2[PART_IDX_EDITION],
+                v2_2[PART_IDX_SW_EDITION],
+                v2_2[PART_IDX_TARGET_SW],
+                v2_2[PART_IDX_TARGET_HW],
+                v2_2[PART_IDX_OTHER]
+            )
+
+            v2_2 = v2_2[:7]
+
+            parts = [fsb_unescape(k) for k in parts]
+
         elif text.startswith('cpe:/'):
+
+            v2_2 = text
             # automatically normalize CPE 2.2 format to CPE 2.3
             parts = chopCpe22(text)
+
+            # Account for blank fields
+            for idx, part in enumerate(parts):
+                if not part:
+                    parts[idx] = '*'
+
             extsize = 11 - len(parts)
             parts.extend(['*' for _ in range(extsize)])
+
+            # URI bindings can pack extended attributes into the
+            # edition field, handle that here.
+            unpacked = uri_unpack(parts[PART_IDX_EDITION])
+            if unpacked:
+                (edition, sw_edition, target_sw, target_hw, other) = unpacked
+
+                if edition:
+                    parts[PART_IDX_EDITION] = edition
+                else:
+                    parts[PART_IDX_EDITION] = '*'
+
+                if sw_edition:
+                    parts[PART_IDX_SW_EDITION] = sw_edition
+
+                if target_sw:
+                    parts[PART_IDX_TARGET_SW] = target_sw
+
+                if target_hw:
+                    parts[PART_IDX_TARGET_HW] = target_hw
+
+                if other:
+                    parts[PART_IDX_OTHER] = other
+
+            parts = [uri_unquote(part) for part in parts]
+
+            # This feels a little uninuitive to escape parts for "escaped" and
+            # unescape parts for "parts" but values in parts could be incorrectly
+            # escaped or incorrectly unescaped so just do both.
+            escaped = [fsb_escape(part) for part in parts]
+            parts = [fsb_unescape(part) for part in parts]
+
+            v2_3 = 'cpe:2.3:' + ':'.join(escaped)
+
         else:
             mesg = 'CPE 2.3 string is expected to start with "cpe:2.3:"'
             raise s_exc.BadTypeValu(valu=valu, mesg=mesg)
 
+        rgx = cpe23_regex.match(v2_3)
+        if rgx is None or rgx.group() != v2_3:
+            mesg = 'CPE 2.3 string appears to be invalid.'
+            raise s_exc.BadTypeValu(mesg=mesg, valu=valu)
+
+        if isinstance(v2_2, list):
+            cpe22 = zipCpe22(v2_2)
+        else:
+            cpe22 = v2_2
+
+        rgx = cpe22_regex.match(cpe22)
+        if rgx is None or rgx.group() != cpe22:
+            v2_2 = None
+
         subs = {
-            'v2_2': parts,
-            'part': parts[0],
-            'vendor': parts[1],
-            'product': parts[2],
-            'version': parts[3],
-            'update': parts[4],
-            'edition': parts[5],
-            'language': parts[6],
-            'sw_edition': parts[7],
-            'target_sw': parts[8],
-            'target_hw': parts[9],
-            'other': parts[10],
+            'part': parts[PART_IDX_PART],
+            'vendor': parts[PART_IDX_VENDOR],
+            'product': parts[PART_IDX_PRODUCT],
+            'version': parts[PART_IDX_VERSION],
+            'update': parts[PART_IDX_UPDATE],
+            'edition': parts[PART_IDX_EDITION],
+            'language': parts[PART_IDX_LANG],
+            'sw_edition': parts[PART_IDX_SW_EDITION],
+            'target_sw': parts[PART_IDX_TARGET_SW],
+            'target_hw': parts[PART_IDX_TARGET_HW],
+            'other': parts[PART_IDX_OTHER],
         }
 
-        return 'cpe:2.3:' + ':'.join(parts), {'subs': subs}
+        if v2_2 is not None:
+            subs['v2_2'] = v2_2
+
+        return v2_3, {'subs': subs}
 
 class SemVer(s_types.Int):
     '''
@@ -412,6 +713,13 @@ class ItModule(s_module.CoreModule):
                     'doc': 'A MITRE ATT&CK Campaign ID.',
                     'ex': 'C0028',
                 }),
+                ('it:mitre:attack:datasource', ('str', {'regex': r'^DS[0-9]{4}$'}), {
+                    'doc': 'A MITRE ATT&CK Datasource ID.',
+                    'ex': 'DS0026',
+                }),
+                ('it:mitre:attack:data:component', ('guid', {}), {
+                        'doc': 'A MITRE ATT&CK data component.',
+                }),
                 ('it:mitre:attack:flow', ('guid', {}), {
                     'doc': 'A MITRE ATT&CK Flow diagram.',
                 }),
@@ -1216,6 +1524,10 @@ class ItModule(s_module.CoreModule):
                                            'uniq': True, 'sorted': True, 'split': ','}), {
                         'doc': 'An array of ATT&CK tactics that include this technique.',
                     }),
+                    ('data:components', ('array', {'type': 'it:mitre:attack:data:component',
+                                                   'uniq': True, 'sorted': True}), {
+                        'doc': 'An array of MITRE ATT&CK data components that detect the ATT&CK technique.',
+                    }),
                 )),
                 ('it:mitre:attack:software', {}, (
                     ('software', ('it:prod:soft', {}), {
@@ -1335,6 +1647,27 @@ class ItModule(s_module.CoreModule):
                     ('author:contact', ('ps:contact', {}), {
                         'doc': 'The contact information for the author of the ATT&CK Flow diagram.'}),
                 )),
+                ('it:mitre:attack:datasource', {}, (
+                    ('name', ('str', {'lower': True, 'onespace': True}), {
+                        'doc': 'The name of the datasource.'}),
+                    ('description', ('str', {}), {
+                        'disp': {'hint': 'text'},
+                        'doc': 'A description of the datasource.'}),
+                    ('references', ('array', {'type': 'inet:url', 'uniq': True, 'sorted': True}), {
+                        'doc': 'An array of URLs that document the datasource.',
+                    }),
+                )),
+                ('it:mitre:attack:data:component', {}, (
+                    ('name', ('str', {'lower': True, 'onespace': True}), {
+                        'ro': True,
+                        'doc': 'The name of the data component.'}),
+                    ('description', ('str', {}), {
+                        'disp': {'hint': 'text'},
+                        'doc': 'A description of the data component.'}),
+                    ('datasource', ('it:mitre:attack:datasource', {}), {
+                        'ro': True,
+                        'doc': 'The datasource this data component belongs to.'}),
+                )),
                 ('it:dev:int', {}, ()),
                 ('it:dev:pipe', {}, ()),
                 ('it:dev:mutex', {}, ()),
@@ -1573,8 +1906,13 @@ class ItModule(s_module.CoreModule):
                         'doc': 'A brief description of the hardware.'}),
                     ('cpe', ('it:sec:cpe', {}), {
                         'doc': 'The NIST CPE 2.3 string specifying this hardware.'}),
+                    ('manufacturer', ('ou:org', {}), {
+                        'doc': 'The organization that manufactures this hardware.'}),
+                    ('manufacturer:name', ('ou:name', {}), {
+                        'doc': 'The name of the organization that manufactures this hardware.'}),
                     ('make', ('ou:name', {}), {
-                        'doc': 'The name of the organization which manufactures this hardware.'}),
+                        'deprecated': True,
+                        'doc': 'Deprecated. Please use :manufacturer:name.'}),
                     ('model', ('str', {'lower': True, 'onespace': True}), {
                         'doc': 'The model name or number for this hardware specification.'}),
                     ('version', ('str', {'lower': True, 'onespace': True}), {