Incrementing an analyzer version makes it invalid in Cortex
If you edit the version in the json file for an analyzer or responder, when Cortex picks it up, it sees the previous version of the analyzer as invalid. I presume that this is because the version of the analyzer is part of the name.
Request Type
Bug
Work Environment
| Question | Answer |
|---|---|
| OS version (server) | Debian |
| OS version (client) | macOS |
| Cortex version / git hash | 3.0.1-1 |
| Package Type | Docker |
| Browser type & version | N/A |
Problem Description
Changing the version of an analyzer or responder requires additional steps in the UI before the new version is available. It also makes the previous version not work until this step is done.
Steps to Reproduce
1. Create a custom analyzer with the version in the json file of 0.1.0. In Cortex, the name contains the version, such as My_Analyzer_0_1_0
2. Create a new version of the analyzer with version 0.1.1, and load it in Cortex. Cortex shows the following on the analyzers page:

   You have 1 invalid analyzer
   Invalid analyzers have no definition and cannot be run on any observable. You have to remove them.
   My_Analyzer_0_1_0

   If I search for my analyzer, I see the new version with a completely new title: My_Analyzer_0_1_1
3. You need to disable the invalid analyzer, and then enable the new version before Cortex is able to use it.
Possible Solutions
The name of the analyzer should just be the actual name, as configured in the json file. The version is already a separate piece of metadata; there is no need to have it be part of the module name. If you want to have two versions of the same module, then you can uniquely name them My_Analyzer_1 and My_Analyzer_2, each with their separate actual versions.
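
Added example, not part of the original issue and not Cortex code: a pre-deployment check that lists which enabled analyzers a version bump would leave invalid and which new entries would have to be enabled by hand. The id derivation (name, underscore, version, dots replaced by underscores) is an assumption inferred from the names shown in the issue; `worker_id`, `load` and `plan_upgrade` are hypothetical helper names and the definitions are constructed samples.

```python
import json

# Constructed sample definitions: only "name" and "version" matter here.
OLD_DEFS = ['{"name": "My_Analyzer", "version": "0.1.0"}']
NEW_DEFS = ['{"name": "My_Analyzer", "version": "0.1.1"}']


def worker_id(definition):
    """Assumed derivation: name + "_" + version, dots turned into underscores
    (gives My_Analyzer_0_1_0 and My_Analyzer_0_1_1 as shown in the issue)."""
    return f'{definition["name"]}_{definition["version"]}'.replace(".", "_")


def load(defs):
    """Map derived id -> parsed definition."""
    return {worker_id(d): d for d in map(json.loads, defs)}


def plan_upgrade(enabled_ids, new_defs):
    """Return (invalid, replacements) for a definition reload.

    invalid: enabled ids that no longer have a definition.
    replacements: invalid id -> ids of the same analyzer name that an
    administrator would have to enable by hand.
    """
    available = load(new_defs)
    invalid = sorted(i for i in enabled_ids if i not in available)
    by_name = {}
    for new_id, d in available.items():
        by_name.setdefault(d["name"].replace(".", "_"), []).append(new_id)
    replacements = {}
    for old in invalid:
        # Longest base name that prefixes the old id wins (My_Analyzer vs My).
        names = [n for n in by_name if old.startswith(n + "_")]
        if names:
            replacements[old] = sorted(by_name[max(names, key=len)])
    return invalid, replacements


if __name__ == "__main__":
    enabled = set(load(OLD_DEFS))  # what was enabled before the bump
    invalid, replacements = plan_upgrade(enabled, NEW_DEFS)
    for old in invalid:
        print(f"{old}: invalid after reload, enable {replacements.get(old, [])}")
```

Running the check before replacing definition files shows the window in which an enabled analyzer or responder would stop running until the new entry is enabled.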