OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

cti-stix message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Probable bug in STIX 2.0/2.1 in Patterning WRT Qualifiers and suggested fix

I believe our team has uncovered a bug in STIX Patterning WRT lack of clarify around qualifiers.

Currently the specification

a) does not appear to limit the number of times a qualifier can be used after an observation _expression_
b) does not appear to define how qualifiers should be evaluated against an observation _expression_ (are they left-associative, or right associative, are they greedy or non-greedy *)

This means you can have a legal patterns like this:

[ipv4-addr:value = ''] REPEATS 5 TIMES REPEATS 10 TIMES


.... any of which would result in an undefined behaviour in the spec.

I would like to be proposed we make some changes here in 2.1.

1) I would suggest we make change to the spec to disallow (a) outright, so that any given qualifier can be used at most once in an observation _expression_ (IE, you can use REPEATS only once, START / STOP only once, etc). However, I am unsure exactly where in the spec it would be best to make this change, as we discuss qualifiers in a few places.

2) I would suggest that we define that qualifiers should be evaluated as left-associative and non-greedy.  

* we actually say in an example in 4.1.2 that they are supposed to be non-greedy, but we don't say it normatively anywhere.

Jason Keirstead
Lead Architect - IBM Security Cloud

"Things may come to those who wait, but only the things left by those who hustle." - Unknown

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]