Failed to parse STIX file because hash value is empty
According to the following schema, the hash value is allowed to be empty because there is no 'minLength' setting.
<xs:complexType name="HexBinaryObjectPropertyType">
  <xs:annotation>
    <xs:documentation>The HexBinaryObjectPropertyType is a type (extended from BaseObjectPropertyType) representing the specification of a single Object property whose core value is of type HexBinary. This type will be assigned to any property of a CybOX object that should contain content of type HexBinary and enables the use of relevant metadata for the property.</xs:documentation>
    <xs:documentation>Properties that use this type can express multiple values by providing them using a delimiter-separated list. The default delimiter is '##comma##' (no quotes) but can be overridden through use of the delimiter field. Note that whitespace is preserved and so, when specifying a list of values, do not include a space following the delimiter in a list unless the first character of the next list item should, in fact, be a space.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:restriction base="cyboxCommon:BaseObjectPropertyType">
      <xs:simpleType>
        <xs:union memberTypes="xs:string"/>
      </xs:simpleType>
      <xs:attribute name="datatype" type="cyboxCommon:DatatypeEnum" default="hexBinary">
        <xs:annotation>
          <xs:documentation>This attribute is optional and specifies the type of the value of the specified property. If a type different than the default is used, it MUST be specified here.</xs:documentation>
        </xs:annotation>
      </xs:attribute>
    </xs:restriction>
  </xs:simpleContent>
</xs:complexType>
But I got an error when I parsed the following STIX file.
<stix:STIX_Package
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:ihstix="http://www.qcert.org"
    xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:stixCommon="http://stix.mitre.org/common-1"
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:xlink="http://www.w3.org/1999/xlink"
    id="ihstix:Package-0c5ca78f-ae58-4d30-96b8-c056d62ac0b1" version="1.1.1">
  <stix:STIX_Header>
    <stix:Description>Email- link to malicious Powershell, malicious Alfa Web Shell developed since a long time </stix:Description>
  </stix:STIX_Header>
  <stix:Indicators>
    <stix:Indicator id="ihstix:indicator-c341725d-e11e-4908-806a-93fb80f2bacc" timestamp="2019-03-29T09:05:07.870837+00:00" xsi:type="indicator:IndicatorType">
      <indicator:Title>: hashes</indicator:Title>
      <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">File Hash Watchlist</indicator:Type>
      <indicator:Description/>
      <indicator:Observable id="ihstix:Observable-9df9c7d2-5cab-4bea-9451-467654028f01">
        <cybox:Object id="ihstix:IhFile-c56f3632-c762-4f20-b344-37ea24dd4a0b">
          <cybox:Properties xsi:type="FileObj:FileObjectType">
            <FileObj:File_Name condition="Equals"/>
            <FileObj:Hashes>
              <cyboxCommon:Hash>
                <cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
                <cyboxCommon:Simple_Hash_Value condition="Equals">09ffd414668ee6cf12e30fad2f0799cb</cyboxCommon:Simple_Hash_Value>
              </cyboxCommon:Hash>
              <cyboxCommon:Hash>
                <cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type>
                <cyboxCommon:Simple_Hash_Value condition="Equals"/>
              </cyboxCommon:Hash>
              <cyboxCommon:Hash>
                <cyboxCommon:Type condition="Equals" xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA1</cyboxCommon:Type>
                <cyboxCommon:Simple_Hash_Value condition="Equals"/>
              </cyboxCommon:Hash>
            </FileObj:Hashes>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
      <indicator:Confidence timestamp="2019-03-29T09:05:07.871038+00:00">
        <stixCommon:Value>Low</stixCommon:Value>
      </indicator:Confidence>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>
Error
Traceback (most recent call last):
  File "script.py", line 13, in <module>
    main(sys.argv[1])
  File "script.py", line 8, in main
    package = parser.parse_xml(f, check_version=False)
  File "/usr/lib/python2.7/site-packages/mixbox/parser.py", line 187, in parse_xml
    entity = self.get_entity_class(xml_root_node.tag).from_obj(entity_obj)
  File "/usr/lib/python2.7/site-packages/mixbox/entities.py", line 377, in from_obj
    val = transformer.from_obj(val)
  File "/usr/lib/python2.7/site-packages/mixbox/entities.py", line 375, in from_obj
    val = [transformer.from_obj(x) for x in val]
  File "/usr/lib/python2.7/site-packages/mixbox/entities.py", line 377, in from_obj
    val = transformer.from_obj(val)
  File "/usr/lib/python2.7/site-packages/mixbox/entities.py", line 377, in from_obj
    val = transformer.from_obj(val)
  File "/usr/lib/python2.7/site-packages/mixbox/entities.py", line 377, in from_obj
    val = transformer.from_obj(val)
  File "/usr/lib/python2.7/site-packages/mixbox/entities.py", line 185, in from_obj
    return klass.from_obj(cls_obj)
  File "/usr/lib/python2.7/site-packages/mixbox/entities.py", line 377, in from_obj
    val = transformer.from_obj(val)
  File "/usr/lib/python2.7/site-packages/mixbox/entities.py", line 375, in from_obj
    val = [transformer.from_obj(x) for x in val]
  File "/usr/lib/python2.7/site-packages/mixbox/entities.py", line 379, in from_obj
    field.__set__(entity, val)
  File "/usr/lib/python2.7/site-packages/mixbox/fields.py", line 218, in __set__
    self.postset_hook(instance, value)
  File "/usr/lib/python2.7/site-packages/cybox/common/hashes.py", line 30, in _set_hash_type
    hashlen = len(value.value)
TypeError: object of type 'NoneType' has no len()
script.py
from stix.core import STIXPackage
from stix.utils.parser import EntityParser


def main(file_path):
    with open(file_path) as f:
        parser = EntityParser()
        package = parser.parse_xml(f, check_version=False)


if __name__ == "__main__":
    import sys
    main(sys.argv[1])
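A pre-parse check for the condition in this report, as an added example (not part of the original issue and not code from the stix, cybox or mixbox packages): using only the standard library, it lists every cyboxCommon:Hash whose Simple_Hash_Value is empty, so an ingestion job can log or set aside the feed file before handing it to EntityParser. The function name find_empty_hashes and the sample document are constructed for illustration; whitespace-only values are flagged as empty by assumption.

```python
import xml.etree.ElementTree as ET

# Namespace URI taken from the STIX file in the report.
NS = {"cyboxCommon": "http://cybox.mitre.org/common-2"}


def find_empty_hashes(xml_text):
    """Return (nearest_ancestor_id, hash_type) for every cyboxCommon:Hash
    whose Simple_Hash_Value element is present but carries no text."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build a child -> parent map.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for hash_el in root.iter("{%s}Hash" % NS["cyboxCommon"]):
        value = hash_el.find("cyboxCommon:Simple_Hash_Value", NS)
        if value is None or (value.text or "").strip():
            continue  # other hash forms, or a real value: nothing to flag
        hash_type = (hash_el.findtext("cyboxCommon:Type", "", NS) or "").strip()
        # Walk up to the closest element carrying an id (Object, Observable, ...).
        node = hash_el
        while node is not None and node.get("id") is None:
            node = parent_of.get(node)
        owner = node.get("id") if node is not None else None
        findings.append((owner, hash_type or None))
    return findings


# Constructed sample, reduced from the shape of the file in the report.
SAMPLE = """<cybox:Object xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2" id="example:File-1">
  <cyboxCommon:Hash>
    <cyboxCommon:Type>MD5</cyboxCommon:Type>
    <cyboxCommon:Simple_Hash_Value>09ffd414668ee6cf12e30fad2f0799cb</cyboxCommon:Simple_Hash_Value>
  </cyboxCommon:Hash>
  <cyboxCommon:Hash>
    <cyboxCommon:Type>SHA256</cyboxCommon:Type>
    <cyboxCommon:Simple_Hash_Value condition="Equals"/>
  </cyboxCommon:Hash>
  <cyboxCommon:Hash>
    <cyboxCommon:Type>SHA1</cyboxCommon:Type>
    <cyboxCommon:Simple_Hash_Value condition="Equals"/>
  </cyboxCommon:Hash>
</cybox:Object>"""

if __name__ == "__main__":
    for owner, hash_type in find_empty_hashes(SAMPLE):
        print("empty %s hash under %s" % (hash_type, owner))
```

The check only reads the document; it does not rewrite it, because re-serializing with ElementTree would drop namespace prefixes that the xsi:type attribute values depend on.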