Hi Bret,
Do you plan to be validating for x_ in the extra property keys?
From: cti-users@lists.oasis-open.org on behalf of Bret Jordan <jordan2175@gmail.com>
Sent: Friday, January 10, 2020 1:17 AM
To: cti-users@lists.oasis-open.org
Subject: [cti-users] Golang libstix2 updates
All,
I have been working on my libstix2 libraries for Golang (
https://github.com/freetaxii/libstix2) and have added basic support for all of the STIX 2.1 objects. In addition I have been working on adding
support for custom properties. This note explains how they work. Right now I only have it working for Attack Patterns, but I will copy the code across all of the objects soon, unless someone has a better way of solving this problem.
A) First, let’s deal with the decoding of an attack pattern JSON string that has a custom property called “some_custom_property”, where that custom property is of type string.
You may have an attack pattern that looks like this:
{
"type": "attack-pattern",
"spec_version": "2.1",
"id": "attack-pattern--d62e1eff-eb93-42e2-bd90-dabff3b93427",
"created": "2018-06-05T18:25:15.917Z",
"modified": "2018-06-05T18:25:15.917Z",
"name": "Phishing",
"aliases": ["Banking1", "ATM2"],
"some_custom_property": "some_custom_value"
}
In your code you have consumed this JSON string and stored it in a []byte called “foo”. So you could decode it by doing:
o, _ := attackpattern.Decode(foo)
This will give you an attack pattern object called “o” and all of the custom properties will be stored in a property called “o.Custom” which is a map[string]*json.RawMessage. This means that we will have all of the key names for the custom properties, but all
of their values will be untouched and left as a []byte. So we are not decoding the values at this stage. So if you do not know how to process them, you do not need to worry about it. Just store them as an array of bytes.
If you were to print out o.Custom you would get:
map[some_custom_property:[34 115 111 109 101 95 99 117 115 116 111 109 95 118 97 108 117 101 34]]
Then when you want to process that data in o.Custom, if you know how to, you would just unmarshal those properties, such as:
var data string
json.Unmarshal(o.Custom["some_custom_property"], &data)
If you were to print out value of “data” you would get:
some_custom_value
B) Second, let’s deal with encoding and adding properties to the objects that I have defined in my library. You would create a new type and embed the one from my library in it, like so:
type myCustomAttackPattern struct {
*attackpattern.AttackPattern
SomeCustomProperty string `json:"some_custom_propety,omitempty"`
}
Then in your main program you could do:
o := attackpattern.New()
customAP := myCustomAttackPattern{AttackPattern: o}
or
o := attackpattern.New()
var customAP myCustomAttackPattern
customAP.AttackPattern = o
At this point you can then populate your new custom property with data and encode it like so:
customAP.SomeCustomProperty = "some custom string data"
data, - := json.MarshalIndent(customAP, "", " ")
Now if you print out “data” you will get an attack pattern with your new custom property.
{
"type": "attack-pattern",
"spec_version": "2.1",
"id": "attack-pattern--2b88c3ff-410d-44c4-9056-2ead668ab13c",
"created": "2020-01-10T05:52:30.494Z",
"modified": "2020-01-10T05:52:30.494Z",
"some_custom_propety": "some custom string data"
}
I have two examples in my examples directory that show this, 06-decode-custom-properties.go and 07-use-custom-properties.go
Bret