minor corrections

oasis-open · Feb 2, 2022 · 0580a23 · 0580a23
1 parent f46545c
commit 0580a23
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 13 deletions.
diff --git a/docs/stix-mappings.rst b/docs/stix-mappings.rst
@@ -167,11 +167,11 @@ In STIX 1.x, an ``id`` contained a "namespace".  This was deemed unnecessary in
 - Kill Chains
 
     In STIX 1.x, kill chains, with their phases, were defined using the ``KillChainType``, which is found in the ``Kill_Chains`` property of
-    a ``TTP``.  These kill chains phases were refered to in the ``TTP`` and ``Indicator`` ``Kill_Chain_Phases`` properties.  In
+    a ``TTP``.  These kill chains phases were referred to in the ``TTP`` and ``Indicator`` ``Kill_Chain_Phases`` properties.  In
     STIX 2.x, kill chains and their phases are not explicitly defined, but are referenced using their common names.
 
     If the Lockheed Martin Cyber Kill Chain™ is used the ``kill_chain_name`` property must be ``lockheed-martin-cyber-kill-chain``,
-    according to the specification.
+    according to the specification and the STIX 1.x ids used should be the ones defined in  https://stix.mitre.org/language/version1.2/stix_v1.2_lmco_killchain.xml
 
 
 **STIX 1.x Properties Mapped Using STIX 2.x Relationships**

diff --git a/docs/warnings.rst b/docs/warnings.rst
@@ -177,6 +177,7 @@ Required property *property* is not provided for ACS data marking
 ACS identifier *identifier* is not valid                                                                                                    643     warn
 Observable object from pattern cannot be an observed_data_ref of a sighting. See *id*                                                       644     warn
 Only one of the properties: Hostname and IP_Address  is allowed.  Dropping Hostname *name*                                                  645     warn
+Exploit targets are part of STIX 1x TTP *id*.  Assuming they are related                                                                    646     warn
 =========================================================================================================================================== ====    =====
 
 STIX Elevator conversion based on assumptions

diff --git a/stix2elevator/convert_stix.py b/stix2elevator/convert_stix.py
@@ -733,20 +733,20 @@ def handle_existing_ref(stix1_relationship, ref1, ref2, env, default_verb, to_di
     )
 
 
-def handle_existing_refs(ref, id, env, verb, to_direction, marking_refs):
+def handle_existing_refs(ref, id_, env, verb, to_direction, marking_refs):
     for ref_id in get_id_value(ref.item.idref):
-        handle_existing_ref(ref, ref_id, id, env, verb, to_direction, marking_refs)
+        handle_existing_ref(ref, ref_id, id_, env, verb, to_direction, marking_refs)
 
 
-def handle_relationship_ref(ref, item, id, env, default_verb, to_direction=True, marking_refs=None):
+def handle_relationship_ref(ref, item, id_, env, default_verb, to_direction=True, marking_refs=None):
     if item.idref is None:
-        handle_embedded_ref(ref, item, id, env, default_verb, to_direction, marking_refs)
+        handle_embedded_ref(ref, item, id_, env, default_verb, to_direction, marking_refs)
     elif exists_id_key(item.idref):
-        handle_existing_refs(ref, id, env, default_verb, to_direction, marking_refs)
+        handle_existing_refs(ref, id_, env, default_verb, to_direction, marking_refs)
     else:
         # a forward reference, fix later
-        source_id = id if to_direction else item.idref
-        target_id = str(item.idref) if to_direction else id
+        source_id = id_ if to_direction else item.idref
+        target_id = str(item.idref) if to_direction else id_
         rel_obj = create_relationship(source_id, target_id, env, default_verb, item, marking_refs)
         if hasattr(ref, "relationship") and ref.relationship is not None:
             rel_obj["description"] = ref.relationship.value
@@ -2266,6 +2266,9 @@ def process_ttp_properties(sdo_instance, ttp, env, kill_chains_in_sdo=True, mark
     ttp_created_by_ref = process_information_source(ttp.information_source, sdo_instance, env)
     env.add_to_env(created_by_ref=ttp_created_by_ref)
     if ttp.exploit_targets is not None:
+        warn("Exploit targets are part of STIX 1x %s.  Assuming they are related.",
+             646,
+             "TTP" + (" " + ttp.id_ if hasattr(ttp,"id_") else ""))
         handle_relationship_to_refs(ttp.exploit_targets, sdo_instance["id"], env,
                                     "targets", marking_refs=marking_refs)
     if ttp.related_ttps:
@@ -2360,9 +2363,9 @@ def convert_malware_instance(mal, ttp, env, ttp_id_used):
                      malware_instance_instance["id"],
                      malware_instance_instance["name"],
                      alias_name)
-    if mal.title is not None:
-        if "name" not in malware_instance_instance:
-            malware_instance_instance["name"] = mal.title
+    elif mal.title is not None:
+        malware_instance_instance["name"] = mal.title
+    # name is optional in STIX 2.x, so don't try to generate a placeholder
     if aliases:
         malware_instance_instance["aliases"] = aliases
     process_description_and_short_description(malware_instance_instance, mal)

diff --git a/stix2elevator/options.py b/stix2elevator/options.py
@@ -336,7 +336,7 @@ def msg_id_enabled(msg_id):
                601, 602, 603, 604, 605, 606, 607, 608, 609, 610, 611, 612, 613,
                614, 615, 616, 617, 618, 619, 620, 621, 622, 623, 624, 625, 626,
                627, 628, 629, 630, 631, 632, 633, 634, 635, 636, 637, 638, 639,
-               640, 641, 642, 643, 644, 645,
+               640, 641, 642, 643, 644, 645, 646,
 
                701, 702, 703, 704, 705, 706, 707, 708, 709, 710, 711, 712, 713,
                714, 715, 716, 717, 718, 719, 720, 721, 722, 723, 724, 725, 726,