New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Should raise error when STIX object's identifier doesn't follow the form object-type--UUIDv4 #188
Comments
A lot of our tests use the not-actually-a-valid-v4-UUID strings to make them more predicatable and readable. Any solution should (for instance) allow IDs that match |
I believe our tests could use predictable and valid IDs by merely setting two additional digits (the 4 and the 8): |
There is no basis for requiring UUIDv4 in the specification. Any well formed UUID should be acceptable from a functional perspective. The functional requirement is the uniqueness of the UUID. There are some of us who are using UUIDv5 -- Why can't uuid.UUID() suffice? Besides the requirement to change the language to remove the arbitrary v4 constraint? |
This library aims to implement the spec as written, which requires UUID version 4. If the specification drops this requirement we can change it here. |
I started to fix this and ran into an interesting question. Our general approach is to "coerce" invalid values into correct values. That means that you can do something like this: >>> print(stix2.Campaign(name="test", created="20180601", modified="20180602"))
{
"type": "campaign",
"id": "campaign--8ba0438a-0e56-4125-ae9e-bd816a0337e8",
"created": "2018-06-01T00:00:00.000Z",
"modified": "2018-06-02T00:00:00.000Z",
"name": "test"
} In fact, you can even parse "invalid" dates in this way. bundle = """{
"type": "campaign",
"id": "campaign--8ba0438a-0e56-4125-ae9e-bd816a0337e8",
"created": "20180601",
"modified": "20180602",
"name": "test"
} """
print(stix2.parse(bundle)) and this should return the same thing as the first snippet (with timestamps in the correct ISO format). More generally, it's not necessarily the case that We are violating this in the example that @win911 provided, though. However, if we use I started to write code that looks like this, which also prevents you from using IDs like
But then came the question of what "clean" should do. Theoretically, we could rewrite |
Seems like in this case, "version conversion" changes the uuid in an unacceptable way. So I'd say, create the UUID object in a way that does not modify it. To be spec-compliant, if its variant is not uuid.RFC_4122 or version is not 4, produce an error. Otherwise, treat as compliant and return its stringification. Does that make sense? |
There's potential issues with both options for clean(), but I think I like raising an error better than rewriting it. Coercing was easier for timestamps because there's already a pretty robust library for parsing them. But for IDs we'd have to guess how to parse whatever values the user might pass in to a UUID. |
@chisholm . I agree. My concern is that:
Obviously, it makes more sense to construct it without passing in the version (which could potentially modify it), and then checking the I think I'm ok with rewriting |
According to 2.5 Identifier, STIX object's identifier MUST follow the form object-type--UUIDv4.
The regular expression about UUIDv4 should be [0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}.
The following example should raise error but it didn't.
The text was updated successfully, but these errors were encountered: