-
Notifications
You must be signed in to change notification settings - Fork 21
Non Schema Compliance Requirements (1.0.1)
Not all of STIX is testable in XML Schema. The following requirements exist when creating STIX documents but are not enforced by the STIX schema.
When using the
@idrefattribute to create a reference, the target of the reference MUST be of the same type or a descendent type of the source of the reference.
<indicator:Indicator id="example:1" />
<indicator:Indicator idref="example:1" />This is valid because the reference points to an element of the same type.
<indicator:Indicator id="example:2" />
<stixCommon:Indicator idref="example:2" />This is valid because stixCommon:Indicator is of type stixCommon:IndicatorBaseType and references indicator:Indicator, which is of type indicator:IndicatorType, which is a descendent of stixCommon:IndicatorBaseType.
<ttp:TTP id="example:3" />
<stixCommon:Indicator idref="example:3" />This is not valid because stixCommon:Indicator is of type stixCommon:IndicatorBaseType and references ttp:TTP, which is of type ttp:TTPType, which is not the same type or a descendant type of stixCommon:IndicatorBaseType.
When an element contains an
@idrefto create a reference, it SHALL NOT contain an@idattribute or any other content except the@idrefand an optional@version.
<indicator:Indicator idref="example:1" />This is valid because there is no other content besides the @idref.
<ttp:TTP idref="example:2" id="example:3" />This is not valid because the element contains both an @idref as well as an @id.
<incident:Incident idref="example:4">
<incident:Title>This is an incident</incident:Title>
</incident:Incident>This is not valid because the element contains both an @idref as well as content.
In STIX 1.1, the @version attribute MUST be present and set to "1.1" on the STIX_Package construct. The version MAY be specified on individual components if they are the default version of that component for version 1.1 of STIX, however MUST be specified on individual components if they are a different version than the default for version 1.1 of STIX.