Stix Export results in invalid xml

[sinloft]

Hi,

we recently upgraded to Misp Version 2.4.23. I tried export our data in the STIX format, and I ran into errors running the exported data through the STIX validator from https://github.com/STIXProject/stix-validator (version 2.4.0). To reproduce the problem I created an event that contains one "Targeting data" "target-email" attribute:

misp.stix.event115.xml.txt

This is the output I get from the stix-validator.py

stix-validator.py misp.stix.event115.xml

[-] Performing xml schema validation on misp.stix.event115.xml

[-] Results: misp.stix.event115.xml

[!] XML Schema: False

[!] misp.stix.event115.xml:82:0:ERROR:SCHEMASV:SCHEMAV_CVC_DATATYPE_VALID_1_2_1: Element '{http://stix.mitre.org/Incident-1}Victim', attribute '{http://www.w3.org/2001/XMLSchema-instance}type': The QName value 'ciqIdentity:CIQIdentity3.0InstanceType' has no corresponding namespace declaration in scope.

[!] misp.stix.event115.xml:82:0:ERROR:SCHEMASV:SCHEMAV_CVC_DATATYPE_VALID_1_2_1: Element '{http://stix.mitre.org/Incident-1}Victim', attribute 'id': The QName value 'example:Identity-56cdc447-61c0-4dd1-8459-1e8c0a0164ca' has no corresponding namespace declaration in scope.

[!] misp.stix.event115.xml:82:0:ERROR:SCHEMASV:SCHEMAV_CVC_DATATYPE_VALID_1_2_1: Element '{http://stix.mitre.org/Incident-1}Victim', attribute 'id': 'example:Identity-56cdc447-61c0-4dd1-8459-1e8c0a0164ca' is not a valid value of the atomic type 'xs:QName'.

[!] misp.stix.event115.xml:82:0:ERROR:SCHEMASV:SCHEMAV_CVC_IDC: Element '{http://stix.mitre.org/Incident-1}Victim', attribute 'id': Warning: No precomputed value available, the value was either invalid or something strange happend.

[!] misp.stix.event115.xml:84:0:ERROR:SCHEMASV:SCHEMAV_ELEMENT_CONTENT: Element '{http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1}Specification': This element is not expected. Expected is ( {http://stix.mitre.org/common-1}Related_Identities ).

Is this a known issue?

Regards
Chris

[iglocska]

Thanks for letting us know, definitely not a known issue so far. I'll look
into it and will let you know here once it's fixed.

On Wed, Feb 24, 2016 at 4:15 PM, sinloft notifications@github.com wrote:

Hi,

we recently upgraded to Misp Version 2.4.23. I tried export our data in
the STIX format, and I ran into errors running the exported data through
the STIX validator from https://github.com/STIXProject/stix-validator
(version 2.4.0). To reproduce the problem I created an event that contains
one "Targeting data" "target-email" attribute:

[image: capture]
https://cloud.githubusercontent.com/assets/1282666/13289565/ae72e198-db10-11e5-996c-0f8417ed3665.PNG

misp.stix.event115.xml.txt
https://github.com/MISP/MISP/files/144818/misp.stix.event115.xml.txt

This is the output I get from the stix-validator.py

stix-validator.py misp.stix.event115.xml

[-] Performing xml schema validation on misp.stix.event115.xml

[-] Results: misp.stix.event115.xml

[!] XML Schema: False

[!] misp.stix.event115.xml:82:0:ERROR:SCHEMASV:SCHEMAV_CVC_DATATYPE_VALID_1_2_1: Element '{http://stix.mitre.org/Incident-1}Victim', attribute '{http://www.w3.org/2001/XMLSchema-instance}type': The QName value 'ciqIdentity:CIQIdentity3.0InstanceType' has no corresponding namespace declaration in scope.

[!] misp.stix.event115.xml:82:0:ERROR:SCHEMASV:SCHEMAV_CVC_DATATYPE_VALID_1_2_1: Element '{http://stix.mitre.org/Incident-1}Victim', attribute 'id': The QName value 'example:Identity-56cdc447-61c0-4dd1-8459-1e8c0a0164ca' has no corresponding namespace declaration in scope.

[!] misp.stix.event115.xml:82:0:ERROR:SCHEMASV:SCHEMAV_CVC_DATATYPE_VALID_1_2_1: Element '{http://stix.mitre.org/Incident-1}Victim', attribute 'id': 'example:Identity-56cdc447-61c0-4dd1-8459-1e8c0a0164ca' is not a valid value of the atomic type 'xs:QName'.

[!] misp.stix.event115.xml:82:0:ERROR:SCHEMASV:SCHEMAV_CVC_IDC: Element '{http://stix.mitre.org/Incident-1}Victim', attribute 'id': Warning: No precomputed value available, the value was either invalid or something strange happend.

[!] misp.stix.event115.xml:84:0:ERROR:SCHEMASV:SCHEMAV_ELEMENT_CONTENT: Element '{http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1}Specification': This element is not expected. Expected is ( {http://stix.mitre.org/common-1}Related_Identities ).

Is this a known issue?

Regards
Chris

—
Reply to this email directly or view it on GitHub
#975.

[adulau]

I think this bug was previously fixed. Don't hesitate to re-open the issue if you think that this issue is not fixed.