cti-stix message



Subject: Probable bug in STIX 2.0/2.1 in Patterning WRT Qualifiers and suggested fix


I believe our team has uncovered a bug in STIX Patterning WRT lack of clarity around qualifiers.

Currently the specification

a) does not appear to limit the number of times a qualifier can be used after an observation expression
b) does not appear to define how qualifiers should be evaluated against an observation expression (are they left-associative or right-associative, are they greedy or non-greedy *)

This means you can have legal patterns like this:

[ipv4-addr:value = '198.51.100.1/32'] REPEATS 5 TIMES REPEATS 10 TIMES

[ipv4-addr:value = '198.51.100.1/32'] WITHIN 5 SECONDS REPEATS 5 TIMES WITHIN 10 SECONDS REPEATS 15 TIMES

... any of which would result in undefined behaviour in the spec.

I would like to propose we make some changes here in 2.1.

1) I would suggest we make a change to the spec to disallow (a) outright, so that any given qualifier can be used at most once in an observation expression (i.e., you can use REPEATS only once, START / STOP only once, etc). However, I am unsure exactly where in the spec it would be best to make this change, as we discuss qualifiers in a few places.

2) I would suggest that we define that qualifiers should be evaluated as left-associative and non-greedy.  

* we actually say in an example in 4.1.2 that they are supposed to be non-greedy, but we don't say it normatively anywhere.

-
Jason Keirstead
Lead Architect - IBM Security Cloud
www.ibm.com/security

"Things may come to those who wait, but only the things left by those who hustle." - Unknown
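
As an added illustration (not part of the original message or of any OASIS code), here is a lexical check that flags the patterns quoted above under suggestion (1), i.e. the same qualifier used more than once on one observation expression. The function name `duplicate_qualifiers` and the token rules are assumptions made for this sketch; it scans qualifier chains rather than parsing the full STIX Patterning grammar.

```python
import re
from collections import Counter

# Hypothetical token rules for this sketch, not the normative STIX grammar.
_TOKEN = re.compile(r"""
    (?P<str>t?'(?:\\.|[^'\\])*')   # string or timestamp literal, may hide ] or keywords
  | (?P<close>[\])])               # end of an observation expression or group
  | (?P<word>[A-Za-z_][\w-]*)
  | (?P<num>\d+(?:\.\d+)?)
  | (?P<ws>\s+)
  | (?P<other>.)
""", re.X)

QUALIFIERS = {"REPEATS", "WITHIN", "START"}      # START ... STOP counts once
CHAIN_WORDS = QUALIFIERS | {"TIMES", "SECONDS", "STOP"}

def duplicate_qualifiers(pattern):
    """Return [(offset, {qualifier: count})] for every qualifier chain that
    uses the same qualifier more than once on one observation expression."""
    findings = []
    chain_start, counts = None, Counter()

    def flush():
        dups = {q: n for q, n in counts.items() if n > 1}
        if chain_start is not None and dups:
            findings.append((chain_start, dups))

    for m in _TOKEN.finditer(pattern):
        kind, text = m.lastgroup, m.group()
        if kind == "close":                      # a new chain may start here
            flush()
            chain_start, counts = m.end(), Counter()
        elif chain_start is None or kind == "ws":
            continue
        elif kind == "word" and text in QUALIFIERS:
            counts[text] += 1
        elif kind in ("num", "str") or (kind == "word" and text in CHAIN_WORDS):
            continue                             # argument of a qualifier
        else:                                    # AND / OR / FOLLOWEDBY / [ / (
            flush()
            chain_start, counts = None, Counter()
    flush()
    return findings

if __name__ == "__main__":
    # The two patterns quoted in the message above.
    for p in ("[ipv4-addr:value = '198.51.100.1/32'] REPEATS 5 TIMES REPEATS 10 TIMES",
              "[ipv4-addr:value = '198.51.100.1/32'] WITHIN 5 SECONDS REPEATS 5 TIMES "
              "WITHIN 10 SECONDS REPEATS 15 TIMES"):
        print(duplicate_qualifiers(p))
```

A qualifier applied to a parenthesised group is counted separately from the qualifiers inside the group, so `([...] REPEATS 5 TIMES) REPEATS 10 TIMES` is not flagged.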


