Avoiding issues with analyst data objects #1307
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Using the different PyMISP helpers to add for instance an Attribute or an Object was causing issues when the given Attribute or Object was containing at least a Note, Opinion or Relationship. This was caused by the presence of the 'Note', 'Opinion' and 'Relationship' fields in every data layer inheriting from
AnalysDataBehaviorMixin
(including Notes, Opinions or Relationships themselves)On the other hand, a Note, Opinion or Relationship information extracted from MISP is always contained in a 'Note', 'Opinion' or 'Relationship' fields, respectively.
A note extracted from MISP looks for instance like:
This makes the test for the presence of such fields mandatory when we want to use our Analyst Data information from MISP to created the equivalent objects in PyMISP.
With this PR, we reconcile both use cases with an additional
contained
parameter that is only used with thefrom_dict
method of each Analyst Data object, set toTrue
when we useadd_note
,add_opinion
oradd_relationship
, in which case the analyst data information is obviously attached to another data layer.This should fix #1306
UPDATE:
PyMISP is now supporting flat lists. Previously nested Opinions and Notes are now attached to the parent container (Attribute, Event, Object, etc.) and the reference to the object uuid is kept to allow a nested display on MISP UI
Users still can keep the logic of adding notes/opinions to a note or an opinion, but they are added to the list of analyst data objects to the parent container.
For instance:
The Attribute has flat lists of Analyst Data objects: