Using the STIX pattern grammar

Hi,

I looked into the STIX pattern grammar (see relevant parts below). I think what is needed for CACAO is different enough that it shouldn’t be tied to this grammar.

Issues:

$s are not acceptable identifier characters
The left-side of a STIX _expression_ is an “objectPath”, which is how properties of SCOs are specified. From what I understand, object paths are not what will be used in CACAO.

The STIX pattern grammar can certainly be used as a starting point for a CACAO _expression_ grammar, but they should be discussed and maintained separately.

Rich

Rich Piazza

Lead Cyber Security Engineer

The MITRE Corporation

781-271-3760

––––––––––––––––––––––––––––––––––––

MITRE - Solving Problems for a Safer World™

From the pattern grammar

propTest
	: objectPath NOT? (EQ\|NEQ) primitiveLiteral # propTestEqual
	\| objectPath NOT? (GT\|LT\|GE\|LE) orderableLiteral # propTestOrder
	\| objectPath NOT? IN setLiteral # propTestSet
	\| objectPath NOT? LIKE StringLiteral # propTestLike
	\| objectPath NOT? MATCHES StringLiteral # propTestRegex
	\| objectPath NOT? ISSUBSET StringLiteral # propTestIsSubset
	\| objectPath NOT? ISSUPERSET StringLiteral # propTestIsSuperset
	\| LPAREN comparisonExpression RPAREN # propTestParen
	\| EXISTS objectPath # propTestExists
	;

objectPath
	: objectType COLON firstPathComponent objectPathComponent?
	;

	objectType
	: IdentifierWithoutHyphen
	\| IdentifierWithHyphen
	;

	firstPathComponent
	: IdentifierWithoutHyphen
	\| StringLiteral
	;

	objectPathComponent
	: <assoc=left> objectPathComponent objectPathComponent # pathStep
	\| '.' (IdentifierWithoutHyphen \| StringLiteral) # keyPathStep
	\| LBRACK (IntPosLiteral\|IntNegLiteral\|ASTERISK) RBRACK # indexPathStep
	;

// After keywords, so the lexer doesn't tokenize them as identifiers.
	// Object types may have unquoted hyphens, but property names
	// (in object paths) cannot.
	IdentifierWithoutHyphen :
	[a-zA-Z_] [a-zA-Z0-9_]*
	;

	IdentifierWithHyphen :
	[a-zA-Z_] [a-zA-Z0-9_-]*
	;

cacao message