eclecticiq
no required modified property with "marking-definition"
According to STIX 2.1 specification "there is no required modified property with Marking Definition objects." https://oasis-open.github.io/cti-documentation/examples/using-marking-definitions
if using OpenTAXII API we send this object it is NOT WORKING (resulting in Server Internal Error):
{"type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": {"tlp": "white"}}
but if we add the field modified, it now WORKS
{"type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "modified": "2022-07-29T13:42:44.472979Z", "name": "TLP:WHITE", "definition": {"tlp": "white"}}
Using stix2_validator from Oasis we can validate that it should not be like this:
https://github.com/oasis-open/cti-stix-validator
(venv) ➜ cti-stix2-validator stix2_validator
Input STIX content, then press Ctrl+D:
{"type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": {"tlp": "white"}}
================================================================================
[-] Results for: stdin
[+] STIX JSON: Valid
(venv) ➜ cti-stix2-validator stix2_validator
Input STIX content, then press Ctrl+D:
{"type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "modified": "2022-07-29T13:42:44.472979Z", "name": "TLP:WHITE", "definition": {"tlp": "white"}}
================================================================================
[-] Results for: stdin
[X] STIX JSON: Invalid
[!] Warning: marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9: {401} Custom property 'modified' should be implemented using an extension with an 'extension_type' of 'property-extension' or 'toplevel-property-extension'.
[X] marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9: TLP marking definitions must match one of those defined in the STIX specification.
The linked server logs are:
{"event": "Exception on /taxii2/bff5e128-a676-4373-9e29-c1fbb082e95b/collections/dd3eecec-d7c9-4261-bd59-5242474908bf/objects/ [POST]", "exc_info": ["<class 'KeyError'>", "KeyError('modified')", "<traceback object at 0x7f8be82f3c40>"], "logger": "opentaxii.middleware", "level": "error", "timestamp": "2022-08-01T14:10:50.846595Z"}
{"event": "Error handling request /taxii2/bff5e128-a676-4373-9e29-c1fbb082e95b/collections/dd3eecec-d7c9-4261-bd59-5242474908bf/objects/", "exc_info": ["<class 'TypeError'>", "TypeError(\"The view function for 'opentaxii_services_view' did not return a valid response. The function either returned None or ended without a return statement.\")", "<traceback object at 0x7f8be44a3b80>"], "logger": "gunicorn.error", "level": "error", "timestamp": "2022-08-01T14:10:50.847833Z"}
I think the error comes from this line: https://github.com/eclecticiq/OpenTAXII/blob/e0da85c1bb77ca88042006e764bef2a9183b9646/opentaxii/persistence/sqldb/api.py#L981
marking-definition don't have the field modified raising the above error.
The modified property is only used by STIX Objects that support versioning and represents the time that this particular version of the object was last modified.
https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_xzbicbtscatx
Unlike other STIX Objects, Marking Definition objects cannot be versioned
https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_k5fndj2c7c1k
Good finding
