-
Notifications
You must be signed in to change notification settings - Fork 21
Non Schema Compliance Requirements (1.0.1)
Not all of STIX is testable in XML Schema. The following requirements exist when creating STIX documents but are not enforced by the STIX schema.
When using the
@idref
attribute to create a reference, the target of the reference MUST be of the same type or a descendent type of the source of the reference.
<indicator:Indicator id="example:1" />
<indicator:Indicator idref="example:1" />
This is valid because the reference points to an element of the same type.
<indicator:Indicator id="example:2" />
<stixCommon:Indicator idref="example:2" />
This is valid because stixCommon:Indicator
is of type stixCommon:IndicatorBaseType
and references indicator:Indicator
, which is of type indicator:IndicatorType
, which is a descendent of stixCommon:IndicatorBaseType
.
<ttp:TTP id="example:3" />
<stixCommon:Indicator idref="example:3" />
This is not valid because stixCommon:Indicator
is of type stixCommon:IndicatorBaseType
and references ttp:TTP
, which is of type ttp:TTPType
, which is not the same type or a descendant type of stixCommon:IndicatorBaseType
.
When an element contains an
@idref
to create a reference, it SHALL NOT contain an@id
attribute or any other content except the@idref
and an optional@version
.
<indicator:Indicator idref="example:1" />
This is valid because there is no other content besides the @idref
.
<ttp:TTP idref="example:2" id="example:3" />
This is not valid because the element contains both an @idref
as well as an @id
.
<incident:Incident idref="example:4">
<incident:Title>This is an incident</incident:Title>
</incident:Incident>
This is not valid because the element contains both an @idref
as well as content.
In STIX 1.1, the @version attribute MUST be present and set to "1.1" on the STIX_Package construct. The version MAY be specified on individual components if they are the default version of that component for version 1.1 of STIX, however MUST be specified on individual components if they are a different version than the default for version 1.1 of STIX.