From 84b088e3a44a80adc49f18c15a1fd19e2e5b1a3f Mon Sep 17 00:00:00 2001
From: Samuel Hassine
Date: Tue, 17 Jun 2025 11:01:04 +0200
Subject: [PATCH 1/3] [client] Implement new vulnerability data model (#916)
---
pycti/entities/opencti_stix_core_object.py | 82 ++-
pycti/entities/opencti_stix_domain_object.py | 80 +++
...pencti_stix_object_or_stix_relationship.py | 40 ++
pycti/entities/opencti_vulnerability.py | 659 +++++++++++++++++-
4 files changed, 823 insertions(+), 38 deletions(-)
diff --git a/pycti/entities/opencti_stix_core_object.py b/pycti/entities/opencti_stix_core_object.py
index 31a600650..4d5493f16 100644
--- a/pycti/entities/opencti_stix_core_object.py
+++ b/pycti/entities/opencti_stix_core_object.py
@@ -352,16 +352,54 @@ def __init__(self, opencti, file): } } ... on Vulnerability { - name - description + x_opencti_aliases + x_opencti_cvss_vector x_opencti_cvss_base_score x_opencti_cvss_base_severity x_opencti_cvss_attack_vector + x_opencti_cvss_attack_complexity + x_opencti_cvss_privileges_required + x_opencti_cvss_user_interaction + x_opencti_cvss_scope + x_opencti_cvss_confidentiality_impact x_opencti_cvss_integrity_impact x_opencti_cvss_availability_impact + x_opencti_cvss_exploit_code_maturity + x_opencti_cvss_remediation_level + x_opencti_cvss_report_confidence + x_opencti_cvss_temporal_score + x_opencti_cvss_v2_vector + x_opencti_cvss_v2_base_score + x_opencti_cvss_v2_access_vector + x_opencti_cvss_v2_access_complexity + x_opencti_cvss_v2_authentication + x_opencti_cvss_v2_confidentiality_impact + x_opencti_cvss_v2_integrity_impact + x_opencti_cvss_v2_availability_impact + x_opencti_cvss_v2_exploitability + x_opencti_cvss_v2_remediation_level + x_opencti_cvss_v2_report_confidence + x_opencti_cvss_v2_temporal_score + x_opencti_cvss_v4_vector + x_opencti_cvss_v4_base_score + x_opencti_cvss_v4_base_severity + x_opencti_cvss_v4_attack_vector + x_opencti_cvss_v4_attack_complexity + x_opencti_cvss_v4_attack_requirements + x_opencti_cvss_v4_privileges_required + x_opencti_cvss_v4_user_interaction + x_opencti_cvss_v4_confidentiality_impact_v + x_opencti_cvss_v4_confidentiality_impact_s + x_opencti_cvss_v4_integrity_impact_v + x_opencti_cvss_v4_integrity_impact_s + x_opencti_cvss_v4_availability_impact_v + x_opencti_cvss_v4_availability_impact_s + x_opencti_cvss_v4_exploit_maturity + x_opencti_cwe x_opencti_cisa_kev x_opencti_epss_score x_opencti_epss_percentile + x_opencti_score } ... on Incident { name 
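Review bot: The first `... on Vulnerability` fragment in opencti_stix_core_object.py loses `name` and `description` (both sit on removed lines and are not re-added), while the same fragment in the next hunk of this file and in the other three files keeps them. Unless those two fields are selected elsewhere in that query, outside the hunk, results built from it would no longer carry a vulnerability's name or description; restoring `name` and `description` ahead of `x_opencti_aliases` would keep the fragments aligned. The identical field list is pasted into six fragments across four files in this patch, so one shared string interpolated into each query would prevent this kind of drift.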
@@ -1025,14 +1063,54 @@ def __init__(self, opencti, file): ... on Vulnerability { name description + x_opencti_aliases + x_opencti_cvss_vector x_opencti_cvss_base_score x_opencti_cvss_base_severity x_opencti_cvss_attack_vector + x_opencti_cvss_attack_complexity + x_opencti_cvss_privileges_required + x_opencti_cvss_user_interaction + x_opencti_cvss_scope + x_opencti_cvss_confidentiality_impact x_opencti_cvss_integrity_impact x_opencti_cvss_availability_impact + x_opencti_cvss_exploit_code_maturity + x_opencti_cvss_remediation_level + x_opencti_cvss_report_confidence + x_opencti_cvss_temporal_score + x_opencti_cvss_v2_vector + x_opencti_cvss_v2_base_score + x_opencti_cvss_v2_access_vector + x_opencti_cvss_v2_access_complexity + x_opencti_cvss_v2_authentication + x_opencti_cvss_v2_confidentiality_impact + x_opencti_cvss_v2_integrity_impact + x_opencti_cvss_v2_availability_impact + x_opencti_cvss_v2_exploitability + x_opencti_cvss_v2_remediation_level + x_opencti_cvss_v2_report_confidence + x_opencti_cvss_v2_temporal_score + x_opencti_cvss_v4_vector + x_opencti_cvss_v4_base_score + x_opencti_cvss_v4_base_severity + x_opencti_cvss_v4_attack_vector + x_opencti_cvss_v4_attack_complexity + x_opencti_cvss_v4_attack_requirements + x_opencti_cvss_v4_privileges_required + x_opencti_cvss_v4_user_interaction + x_opencti_cvss_v4_confidentiality_impact_v + x_opencti_cvss_v4_confidentiality_impact_s + x_opencti_cvss_v4_integrity_impact_v + x_opencti_cvss_v4_integrity_impact_s + x_opencti_cvss_v4_availability_impact_v + x_opencti_cvss_v4_availability_impact_s + x_opencti_cvss_v4_exploit_maturity + x_opencti_cwe x_opencti_cisa_kev x_opencti_epss_score x_opencti_epss_percentile + x_opencti_score } ... on Incident { name diff --git a/pycti/entities/opencti_stix_domain_object.py b/pycti/entities/opencti_stix_domain_object.py index 0797ae0c3..41877ec68 100644 --- a/pycti/entities/opencti_stix_domain_object.py +++ b/pycti/entities/opencti_stix_domain_object.py 
@@ -477,14 +477,54 @@ def __init__(self, opencti, file): ... on Vulnerability { name description + x_opencti_aliases + x_opencti_cvss_vector x_opencti_cvss_base_score x_opencti_cvss_base_severity x_opencti_cvss_attack_vector + x_opencti_cvss_attack_complexity + x_opencti_cvss_privileges_required + x_opencti_cvss_user_interaction + x_opencti_cvss_scope + x_opencti_cvss_confidentiality_impact x_opencti_cvss_integrity_impact x_opencti_cvss_availability_impact + x_opencti_cvss_exploit_code_maturity + x_opencti_cvss_remediation_level + x_opencti_cvss_report_confidence + x_opencti_cvss_temporal_score + x_opencti_cvss_v2_vector + x_opencti_cvss_v2_base_score + x_opencti_cvss_v2_access_vector + x_opencti_cvss_v2_access_complexity + x_opencti_cvss_v2_authentication + x_opencti_cvss_v2_confidentiality_impact + x_opencti_cvss_v2_integrity_impact + x_opencti_cvss_v2_availability_impact + x_opencti_cvss_v2_exploitability + x_opencti_cvss_v2_remediation_level + x_opencti_cvss_v2_report_confidence + x_opencti_cvss_v2_temporal_score + x_opencti_cvss_v4_vector + x_opencti_cvss_v4_base_score + x_opencti_cvss_v4_base_severity + x_opencti_cvss_v4_attack_vector + x_opencti_cvss_v4_attack_complexity + x_opencti_cvss_v4_attack_requirements + x_opencti_cvss_v4_privileges_required + x_opencti_cvss_v4_user_interaction + x_opencti_cvss_v4_confidentiality_impact_v + x_opencti_cvss_v4_confidentiality_impact_s + x_opencti_cvss_v4_integrity_impact_v + x_opencti_cvss_v4_integrity_impact_s + x_opencti_cvss_v4_availability_impact_v + x_opencti_cvss_v4_availability_impact_s + x_opencti_cvss_v4_exploit_maturity + x_opencti_cwe x_opencti_cisa_kev x_opencti_epss_score x_opencti_epss_percentile + x_opencti_score } ... on Incident { name 
@@ -975,14 +1015,54 @@ def __init__(self, opencti, file): ... on Vulnerability { name description + x_opencti_aliases + x_opencti_cvss_vector x_opencti_cvss_base_score x_opencti_cvss_base_severity x_opencti_cvss_attack_vector + x_opencti_cvss_attack_complexity + x_opencti_cvss_privileges_required + x_opencti_cvss_user_interaction + x_opencti_cvss_scope + x_opencti_cvss_confidentiality_impact x_opencti_cvss_integrity_impact x_opencti_cvss_availability_impact + x_opencti_cvss_exploit_code_maturity + x_opencti_cvss_remediation_level + x_opencti_cvss_report_confidence + x_opencti_cvss_temporal_score + x_opencti_cvss_v2_vector + x_opencti_cvss_v2_base_score + x_opencti_cvss_v2_access_vector + x_opencti_cvss_v2_access_complexity + x_opencti_cvss_v2_authentication + x_opencti_cvss_v2_confidentiality_impact + x_opencti_cvss_v2_integrity_impact + x_opencti_cvss_v2_availability_impact + x_opencti_cvss_v2_exploitability + x_opencti_cvss_v2_remediation_level + x_opencti_cvss_v2_report_confidence + x_opencti_cvss_v2_temporal_score + x_opencti_cvss_v4_vector + x_opencti_cvss_v4_base_score + x_opencti_cvss_v4_base_severity + x_opencti_cvss_v4_attack_vector + x_opencti_cvss_v4_attack_complexity + x_opencti_cvss_v4_attack_requirements + x_opencti_cvss_v4_privileges_required + x_opencti_cvss_v4_user_interaction + x_opencti_cvss_v4_confidentiality_impact_v + x_opencti_cvss_v4_confidentiality_impact_s + x_opencti_cvss_v4_integrity_impact_v + x_opencti_cvss_v4_integrity_impact_s + x_opencti_cvss_v4_availability_impact_v + x_opencti_cvss_v4_availability_impact_s + x_opencti_cvss_v4_exploit_maturity + x_opencti_cwe x_opencti_cisa_kev x_opencti_epss_score x_opencti_epss_percentile + x_opencti_score } ... on Incident { name diff --git a/pycti/entities/opencti_stix_object_or_stix_relationship.py b/pycti/entities/opencti_stix_object_or_stix_relationship.py index 5c0903cf8..95545bcb6 100644 --- a/pycti/entities/opencti_stix_object_or_stix_relationship.py 
+++ b/pycti/entities/opencti_stix_object_or_stix_relationship.py @@ -293,14 +293,54 @@ def __init__(self, opencti): ... on Vulnerability { name description + x_opencti_aliases + x_opencti_cvss_vector x_opencti_cvss_base_score x_opencti_cvss_base_severity x_opencti_cvss_attack_vector + x_opencti_cvss_attack_complexity + x_opencti_cvss_privileges_required + x_opencti_cvss_user_interaction + x_opencti_cvss_scope + x_opencti_cvss_confidentiality_impact x_opencti_cvss_integrity_impact x_opencti_cvss_availability_impact + x_opencti_cvss_exploit_code_maturity + x_opencti_cvss_remediation_level + x_opencti_cvss_report_confidence + x_opencti_cvss_temporal_score + x_opencti_cvss_v2_vector + x_opencti_cvss_v2_base_score + x_opencti_cvss_v2_access_vector + x_opencti_cvss_v2_access_complexity + x_opencti_cvss_v2_authentication + x_opencti_cvss_v2_confidentiality_impact + x_opencti_cvss_v2_integrity_impact + x_opencti_cvss_v2_availability_impact + x_opencti_cvss_v2_exploitability + x_opencti_cvss_v2_remediation_level + x_opencti_cvss_v2_report_confidence + x_opencti_cvss_v2_temporal_score + x_opencti_cvss_v4_vector + x_opencti_cvss_v4_base_score + x_opencti_cvss_v4_base_severity + x_opencti_cvss_v4_attack_vector + x_opencti_cvss_v4_attack_complexity + x_opencti_cvss_v4_attack_requirements + x_opencti_cvss_v4_privileges_required + x_opencti_cvss_v4_user_interaction + x_opencti_cvss_v4_confidentiality_impact_v + x_opencti_cvss_v4_confidentiality_impact_s + x_opencti_cvss_v4_integrity_impact_v + x_opencti_cvss_v4_integrity_impact_s + x_opencti_cvss_v4_availability_impact_v + x_opencti_cvss_v4_availability_impact_s + x_opencti_cvss_v4_exploit_maturity + x_opencti_cwe x_opencti_cisa_kev x_opencti_epss_score x_opencti_epss_percentile + x_opencti_score } ... on Incident { name diff --git a/pycti/entities/opencti_vulnerability.py b/pycti/entities/opencti_vulnerability.py index 273d91edf..0a1d5281e 100644 --- a/pycti/entities/opencti_vulnerability.py 
+++ b/pycti/entities/opencti_vulnerability.py @@ -107,15 +107,53 @@ def __init__(self, opencti): name description x_opencti_aliases + x_opencti_cvss_vector x_opencti_cvss_base_score x_opencti_cvss_base_severity x_opencti_cvss_attack_vector + x_opencti_cvss_attack_complexity + x_opencti_cvss_privileges_required + x_opencti_cvss_user_interaction + x_opencti_cvss_scope + x_opencti_cvss_confidentiality_impact x_opencti_cvss_integrity_impact x_opencti_cvss_availability_impact - x_opencti_cvss_confidentiality_impact + x_opencti_cvss_exploit_code_maturity + x_opencti_cvss_remediation_level + x_opencti_cvss_report_confidence + x_opencti_cvss_temporal_score + x_opencti_cvss_v2_vector + x_opencti_cvss_v2_base_score + x_opencti_cvss_v2_access_vector + x_opencti_cvss_v2_access_complexity + x_opencti_cvss_v2_authentication + x_opencti_cvss_v2_confidentiality_impact + x_opencti_cvss_v2_integrity_impact + x_opencti_cvss_v2_availability_impact + x_opencti_cvss_v2_exploitability + x_opencti_cvss_v2_remediation_level + x_opencti_cvss_v2_report_confidence + x_opencti_cvss_v2_temporal_score + x_opencti_cvss_v4_vector + x_opencti_cvss_v4_base_score + x_opencti_cvss_v4_base_severity + x_opencti_cvss_v4_attack_vector + x_opencti_cvss_v4_attack_complexity + x_opencti_cvss_v4_attack_requirements + x_opencti_cvss_v4_privileges_required + x_opencti_cvss_v4_user_interaction + x_opencti_cvss_v4_confidentiality_impact_v + x_opencti_cvss_v4_confidentiality_impact_s + x_opencti_cvss_v4_integrity_impact_v + x_opencti_cvss_v4_integrity_impact_s + x_opencti_cvss_v4_availability_impact_v + x_opencti_cvss_v4_availability_impact_s + x_opencti_cvss_v4_exploit_maturity + x_opencti_cwe x_opencti_cisa_kev x_opencti_epss_score x_opencti_epss_percentile + x_opencti_score importFiles { edges { node { 
@@ -293,21 +331,123 @@ def create(self, **kwargs): name = kwargs.get("name", None) description = kwargs.get("description", None) x_opencti_aliases = kwargs.get("x_opencti_aliases", None) + # CVSS3 + x_opencti_cvss_vector = kwargs.get("x_opencti_cvss_vector", None) x_opencti_cvss_base_score = kwargs.get("x_opencti_cvss_base_score", None) x_opencti_cvss_base_severity = kwargs.get("x_opencti_cvss_base_severity", None) x_opencti_cvss_attack_vector = kwargs.get("x_opencti_cvss_attack_vector", None) - x_opencti_cisa_kev = kwargs.get("x_opencti_cisa_kev", None) - x_opencti_epss_score = kwargs.get("x_opencti_epss_score", None) - x_opencti_epss_percentile = kwargs.get("x_opencti_epss_percentile", None) + x_opencti_cvss_attack_complexity = kwargs.get( + "x_opencti_cvss_attack_complexity", None + ) + x_opencti_cvss_privileges_required = kwargs.get( + "x_opencti_cvss_privileges_required", None + ) + x_opencti_cvss_user_interaction = kwargs.get( + "x_opencti_cvss_user_interaction", None + ) + x_opencti_cvss_scope = kwargs.get("x_opencti_cvss_scope", None) + x_opencti_cvss_confidentiality_impact = kwargs.get( + "x_opencti_cvss_confidentiality_impact", None + ) x_opencti_cvss_integrity_impact = kwargs.get( "x_opencti_cvss_integrity_impact", None ) x_opencti_cvss_availability_impact = kwargs.get( "x_opencti_cvss_availability_impact", None ) - x_opencti_cvss_confidentiality_impact = kwargs.get( - "x_opencti_cvss_confidentiality_impact", None + x_opencti_cvss_exploit_code_maturity = kwargs.get( + "x_opencti_cvss_exploit_code_maturity", None + ) + x_opencti_cvss_remediation_level = kwargs.get( + "x_opencti_cvss_remediation_level", None + ) + x_opencti_cvss_report_confidence = kwargs.get( + "x_opencti_cvss_report_confidence", None + ) + x_opencti_cvss_temporal_score = kwargs.get( + "x_opencti_cvss_temporal_score", None + ) + # CVSS2 + x_opencti_cvss_v2_vector = kwargs.get("x_opencti_cvss_v2_vector", None) + x_opencti_cvss_v2_base_score = kwargs.get("x_opencti_cvss_v2_base_score", 
None) + x_opencti_cvss_v2_access_vector = kwargs.get( + "x_opencti_cvss_v2_access_vector", None + ) + x_opencti_cvss_v2_access_complexity = kwargs.get( + "x_opencti_cvss_v2_access_complexity", None + ) + x_opencti_cvss_v2_authentication = kwargs.get( + "x_opencti_cvss_v2_authentication", None + ) + x_opencti_cvss_v2_confidentiality_impact = kwargs.get( + "x_opencti_cvss_v2_confidentiality_impact", None + ) + x_opencti_cvss_v2_integrity_impact = kwargs.get( + "x_opencti_cvss_v2_integrity_impact", None + ) + x_opencti_cvss_v2_availability_impact = kwargs.get( + "x_opencti_cvss_v2_availability_impact", None + ) + x_opencti_cvss_v2_exploitability = kwargs.get( + "x_opencti_cvss_v2_exploitability", None + ) + x_opencti_cvss_v2_remediation_level = kwargs.get( + "x_opencti_cvss_v2_remediation_level", None + ) + x_opencti_cvss_v2_report_confidence = kwargs.get( + "x_opencti_cvss_v2_report_confidence", None + ) + x_opencti_cvss_v2_temporal_score = kwargs.get( + "x_opencti_cvss_v2_temporal_score", None + ) + # CVSS4 + x_opencti_cvss_v4_vector = kwargs.get("x_opencti_cvss_v4_vector", None) + x_opencti_cvss_v4_base_score = kwargs.get("x_opencti_cvss_v4_base_score", None) + x_opencti_cvss_v4_base_severity = kwargs.get( + "x_opencti_cvss_v4_base_severity", None + ) + x_opencti_cvss_v4_attack_vector = kwargs.get( + "x_opencti_cvss_v4_attack_vector", None + ) + x_opencti_cvss_v4_attack_complexity = kwargs.get( + "x_opencti_cvss_v4_attack_complexity", None + ) + x_opencti_cvss_v4_attack_requirements = kwargs.get( + "x_opencti_cvss_v4_attack_requirements", None + ) + x_opencti_cvss_v4_privileges_required = kwargs.get( + "x_opencti_cvss_v4_privileges_required", None + ) + x_opencti_cvss_v4_user_interaction = kwargs.get( + "x_opencti_cvss_v4_user_interaction", None ) + x_opencti_cvss_v4_confidentiality_impact_v = kwargs.get( + "x_opencti_cvss_v4_confidentiality_impact_v", None + ) + x_opencti_cvss_v4_confidentiality_impact_s = kwargs.get( + 
"x_opencti_cvss_v4_confidentiality_impact_s", None + ) + x_opencti_cvss_v4_integrity_impact_v = kwargs.get( + "x_opencti_cvss_v4_integrity_impact_v", None + ) + x_opencti_cvss_v4_integrity_impact_s = kwargs.get( + "x_opencti_cvss_v4_integrity_impact_s", None + ) + x_opencti_cvss_v4_availability_impact_v = kwargs.get( + "x_opencti_cvss_v4_availability_impact_v", None + ) + x_opencti_cvss_v4_availability_impact_s = kwargs.get( + "x_opencti_cvss_v4_availability_impact_s", None + ) + x_opencti_cvss_v4_exploit_maturity = kwargs.get( + "x_opencti_cvss_v4_exploit_maturity", None + ) + # Others + x_opencti_cwe = kwargs.get("x_opencti_cwe", None) + x_opencti_cisa_kev = kwargs.get("x_opencti_cisa_kev", None) + x_opencti_epss_score = kwargs.get("x_opencti_epss_score", None) + x_opencti_epss_percentile = kwargs.get("x_opencti_epss_percentile", None) + x_opencti_score = kwargs.get("x_opencti_score", None) x_opencti_stix_ids = kwargs.get("x_opencti_stix_ids", None) granted_refs = kwargs.get("objectOrganization", None) x_opencti_workflow_id = kwargs.get("x_opencti_workflow_id", None) 
@@ -343,15 +483,57 @@ def create(self, **kwargs): "name": name, "description": description, "x_opencti_aliases": x_opencti_aliases, + # CVSS3 + "x_opencti_cvss_vector": x_opencti_cvss_vector, "x_opencti_cvss_base_score": x_opencti_cvss_base_score, "x_opencti_cvss_base_severity": x_opencti_cvss_base_severity, "x_opencti_cvss_attack_vector": x_opencti_cvss_attack_vector, + "x_opencti_cvss_attack_complexity": x_opencti_cvss_attack_complexity, + "x_opencti_cvss_privileges_required": x_opencti_cvss_privileges_required, + "x_opencti_cvss_user_interaction": x_opencti_cvss_user_interaction, + "x_opencti_cvss_scope": x_opencti_cvss_scope, + "x_opencti_cvss_confidentiality_impact": x_opencti_cvss_confidentiality_impact, "x_opencti_cvss_integrity_impact": x_opencti_cvss_integrity_impact, "x_opencti_cvss_availability_impact": x_opencti_cvss_availability_impact, - "x_opencti_cvss_confidentiality_impact": x_opencti_cvss_confidentiality_impact, + "x_opencti_cvss_exploit_code_maturity": x_opencti_cvss_exploit_code_maturity, + "x_opencti_cvss_remediation_level": x_opencti_cvss_remediation_level, + "x_opencti_cvss_report_confidence": x_opencti_cvss_report_confidence, + "x_opencti_cvss_temporal_score": x_opencti_cvss_temporal_score, + # CVSS2 + "x_opencti_cvss_v2_vector": x_opencti_cvss_v2_vector, + "x_opencti_cvss_v2_base_score": x_opencti_cvss_v2_base_score, + "x_opencti_cvss_v2_access_vector": x_opencti_cvss_v2_access_vector, + "x_opencti_cvss_v2_access_complexity": x_opencti_cvss_v2_access_complexity, + "x_opencti_cvss_v2_authentication": x_opencti_cvss_v2_authentication, + "x_opencti_cvss_v2_confidentiality_impact": x_opencti_cvss_v2_confidentiality_impact, + "x_opencti_cvss_v2_integrity_impact": x_opencti_cvss_v2_integrity_impact, + "x_opencti_cvss_v2_availability_impact": x_opencti_cvss_v2_availability_impact, + "x_opencti_cvss_v2_exploitability": x_opencti_cvss_v2_exploitability, + "x_opencti_cvss_v2_remediation_level": x_opencti_cvss_v2_remediation_level, + 
"x_opencti_cvss_v2_report_confidence": x_opencti_cvss_v2_report_confidence, + "x_opencti_cvss_v2_temporal_score": x_opencti_cvss_v2_temporal_score, + # CVSS 4 + "x_opencti_cvss_v4_vector": x_opencti_cvss_v4_vector, + "x_opencti_cvss_v4_base_score": x_opencti_cvss_v4_base_score, + "x_opencti_cvss_v4_base_severity": x_opencti_cvss_v4_base_severity, + "x_opencti_cvss_v4_attack_vector": x_opencti_cvss_v4_attack_vector, + "x_opencti_cvss_v4_attack_complexity": x_opencti_cvss_v4_attack_complexity, + "x_opencti_cvss_v4_attack_requirements": x_opencti_cvss_v4_attack_requirements, + "x_opencti_cvss_v4_privileges_required": x_opencti_cvss_v4_privileges_required, + "x_opencti_cvss_v4_user_interaction": x_opencti_cvss_v4_user_interaction, + "x_opencti_cvss_v4_confidentiality_impact_v": x_opencti_cvss_v4_confidentiality_impact_v, + "x_opencti_cvss_v4_confidentiality_impact_s": x_opencti_cvss_v4_confidentiality_impact_s, + "x_opencti_cvss_v4_integrity_impact_v": x_opencti_cvss_v4_integrity_impact_v, + "x_opencti_cvss_v4_integrity_impact_s": x_opencti_cvss_v4_integrity_impact_s, + "x_opencti_cvss_v4_availability_impact_v": x_opencti_cvss_v4_availability_impact_v, + "x_opencti_cvss_v4_availability_impact_s": x_opencti_cvss_v4_availability_impact_s, + "x_opencti_cvss_v4_exploit_maturity": x_opencti_cvss_v4_exploit_maturity, + # Others + "x_opencti_cwe": x_opencti_cwe, "x_opencti_cisa_kev": x_opencti_cisa_kev, "x_opencti_epss_score": x_opencti_epss_score, "x_opencti_epss_percentile": x_opencti_epss_percentile, + "x_opencti_score": x_opencti_score, "x_opencti_stix_ids": x_opencti_stix_ids, "x_opencti_workflow_id": x_opencti_workflow_id, "update": update, 
@@ -410,51 +592,258 @@ def import_from_stix2(self, **kwargs): stix_object["x_opencti_aliases"] = ( self.opencti.get_attribute_in_extension("aliases", stix_object) ) + # CVSS3 + if "x_opencti_cvss_vector" not in stix_object: + stix_object["x_opencti_cvss_vector"] = ( + self.opencti.get_attribute_in_extension("cvss_vector", stix_object) + ) if "x_opencti_cvss_base_score" not in stix_object: stix_object["x_opencti_cvss_base_score"] = ( - self.opencti.get_attribute_in_extension("base_score", stix_object) + self.opencti.get_attribute_in_extension( + "cvss_base_score", stix_object + ) ) if "x_opencti_cvss_base_severity" not in stix_object: stix_object["x_opencti_cvss_base_severity"] = ( self.opencti.get_attribute_in_extension( - "base_severity", stix_object + "cvss_base_severity", stix_object ) ) if "x_opencti_cvss_attack_vector" not in stix_object: stix_object["x_opencti_cvss_attack_vector"] = ( self.opencti.get_attribute_in_extension( - "attack_vector", stix_object + "cvss_attack_vector", stix_object + ) + ) + if "x_opencti_cvss_attack_complexity" not in stix_object: + stix_object["x_opencti_cvss_attack_complexity"] = ( + self.opencti.get_attribute_in_extension( + "cvss_attack_complexity", stix_object + ) + ) + if "x_opencti_cvss_privileges_required" not in stix_object: + stix_object["x_opencti_cvss_privileges_required"] = ( + self.opencti.get_attribute_in_extension( + "cvss_privileges_required", stix_object + ) + ) + if "x_opencti_cvss_user_interaction" not in stix_object: + stix_object["x_opencti_cvss_user_interaction"] = ( + self.opencti.get_attribute_in_extension( + "cvss_user_interaction", stix_object + ) + ) + if "x_opencti_cvss_scope" not in stix_object: + stix_object["x_opencti_cvss_scope"] = ( + self.opencti.get_attribute_in_extension("cvss_scope", stix_object) + ) + if "x_opencti_cvss_confidentiality_impact" not in stix_object: + stix_object["x_opencti_cvss_confidentiality_impact"] = ( + self.opencti.get_attribute_in_extension( + 
"cvss_confidentiality_impact", stix_object ) ) if "x_opencti_cvss_integrity_impact" not in stix_object: stix_object["x_opencti_cvss_integrity_impact"] = ( self.opencti.get_attribute_in_extension( - "integrity_impact", stix_object + "cvss_integrity_impact", stix_object ) ) if "x_opencti_cvss_availability_impact" not in stix_object: stix_object["x_opencti_cvss_availability_impact"] = ( self.opencti.get_attribute_in_extension( - "availability_impact", stix_object + "cvss_availability_impact", stix_object ) ) - if "x_opencti_cvss_confidentiality_impact" not in stix_object: - stix_object["x_opencti_cvss_confidentiality_impact"] = ( + if "x_opencti_cvss_exploit_code_maturity" not in stix_object: + stix_object["x_opencti_cvss_exploit_code_maturity"] = ( self.opencti.get_attribute_in_extension( - "confidentiality_impact", stix_object + "cvss_exploit_code_maturity", stix_object ) ) - if "x_opencti_stix_ids" not in stix_object: - stix_object["x_opencti_stix_ids"] = ( - self.opencti.get_attribute_in_extension("stix_ids", stix_object) + if "x_opencti_cvss_remediation_level" not in stix_object: + stix_object["x_opencti_cvss_remediation_level"] = ( + self.opencti.get_attribute_in_extension( + "cvss_remediation_level", stix_object + ) + ) + if "x_opencti_cvss_report_confidence" not in stix_object: + stix_object["x_opencti_cvss_report_confidence"] = ( + self.opencti.get_attribute_in_extension( + "cvss_report_confidence", stix_object + ) + ) + if "x_opencti_cvss_temporal_score" not in stix_object: + stix_object["x_opencti_cvss_temporal_score"] = ( + self.opencti.get_attribute_in_extension( + "cvss_temporal_score", stix_object + ) + ) + + # CVSS2 + if "x_opencti_cvss_v2_vector" not in stix_object: + stix_object["x_opencti_cvss_v2_vector"] = ( + self.opencti.get_attribute_in_extension( + "cvss_v2_vector", stix_object + ) + ) + if "x_opencti_cvss_v2_base_score" not in stix_object: + stix_object["x_opencti_cvss_v2_base_score"] = ( + self.opencti.get_attribute_in_extension( + 
"cvss_v2_base_score", stix_object + ) + ) + if "x_opencti_cvss_v2_access_vector" not in stix_object: + stix_object["x_opencti_cvss_v2_access_vector"] = ( + self.opencti.get_attribute_in_extension( + "cvss_v2_access_vector", stix_object + ) + ) + if "x_opencti_cvss_v2_access_complexity" not in stix_object: + stix_object["x_opencti_cvss_v2_access_complexity"] = ( + self.opencti.get_attribute_in_extension( + "cvss_v2_access_complexity", stix_object + ) + ) + if "x_opencti_cvss_v2_authentication" not in stix_object: + stix_object["x_opencti_cvss_v2_authentication"] = ( + self.opencti.get_attribute_in_extension( + "cvss_v2_authentication", stix_object + ) ) - if "x_opencti_granted_refs" not in stix_object: - stix_object["x_opencti_granted_refs"] = ( - self.opencti.get_attribute_in_extension("granted_refs", stix_object) + if "x_opencti_cvss_v2_confidentiality_impact" not in stix_object: + stix_object["x_opencti_cvss_v2_confidentiality_impact"] = ( + self.opencti.get_attribute_in_extension( + "cvss_v2_confidentiality_impact", stix_object + ) + ) + if "x_opencti_cvss_v2_integrity_impact" not in stix_object: + stix_object["x_opencti_cvss_v2_integrity_impact"] = ( + self.opencti.get_attribute_in_extension( + "cvss_v2_integrity_impact", stix_object + ) ) - if "x_opencti_workflow_id" not in stix_object: - stix_object["x_opencti_workflow_id"] = ( - self.opencti.get_attribute_in_extension("workflow_id", stix_object) + if "x_opencti_cvss_v2_availability_impact" not in stix_object: + stix_object["x_opencti_cvss_v2_availability_impact"] = ( + self.opencti.get_attribute_in_extension( + "cvss_v2_availability_impact", stix_object + ) + ) + if "x_opencti_cvss_v2_exploitability" not in stix_object: + stix_object["x_opencti_cvss_v2_exploitability"] = ( + self.opencti.get_attribute_in_extension( + "cvss_v2_exploitability", stix_object + ) + ) + if "x_opencti_cvss_v2_remediation_level" not in stix_object: + stix_object["x_opencti_cvss_v2_remediation_level"] = ( + 
self.opencti.get_attribute_in_extension( + "cvss_v2_remediation_level", stix_object + ) + ) + if "x_opencti_cvss_v2_report_confidence" not in stix_object: + stix_object["x_opencti_cvss_v2_report_confidence"] = ( + self.opencti.get_attribute_in_extension( + "cvss_v2_report_confidence", stix_object + ) + ) + if "x_opencti_cvss_v2_temporal_score" not in stix_object: + stix_object["x_opencti_cvss_v2_temporal_score"] = ( + self.opencti.get_attribute_in_extension( + "cvss_v2_temporal_score", stix_object + ) + ) + + # CVSS4 + if "x_opencti_cvss_v4_vector" not in stix_object: + stix_object["x_opencti_cvss_v4_vector"] = ( + self.opencti.get_attribute_in_extension( + "cvss_v4_vector", stix_object + ) + ) + if "x_opencti_cvss_v4_base_score" not in stix_object: + stix_object["x_opencti_cvss_v4_base_score"] = ( + self.opencti.get_attribute_in_extension( + "cvss_v4_base_score", stix_object + ) + ) + if "x_opencti_cvss_v4_base_severity" not in stix_object: + stix_object["x_opencti_cvss_v4_base_severity"] = ( + self.opencti.get_attribute_in_extension( + "cvss_v4_base_severity", stix_object + ) + ) + if "x_opencti_cvss_v4_attack_vector" not in stix_object: + stix_object["x_opencti_cvss_v4_attack_vector"] = ( + self.opencti.get_attribute_in_extension( + "cvss_v4_attack_vector", stix_object + ) + ) + if "x_opencti_cvss_v4_attack_complexity" not in stix_object: + stix_object["x_opencti_cvss_v4_attack_complexity"] = ( + self.opencti.get_attribute_in_extension( + "cvss_v4_attack_complexity", stix_object + ) + ) + if "x_opencti_cvss_v4_attack_requirements" not in stix_object: + stix_object["x_opencti_cvss_v4_attack_requirements"] = ( + self.opencti.get_attribute_in_extension( + "cvss_v4_attack_requirements", stix_object + ) + ) + if "x_opencti_cvss_v4_privileges_required" not in stix_object: + stix_object["x_opencti_cvss_v4_privileges_required"] = ( + self.opencti.get_attribute_in_extension( + "cvss_v4_privileges_required", stix_object + ) + ) + if "x_opencti_cvss_v4_user_interaction" 
not in stix_object: + stix_object["x_opencti_cvss_v4_user_interaction"] = ( + self.opencti.get_attribute_in_extension( + "cvss_v4_user_interaction", stix_object + ) + ) + if "x_opencti_cvss_v4_confidentiality_impact_v" not in stix_object: + stix_object["x_opencti_cvss_v4_confidentiality_impact_v"] = ( + self.opencti.get_attribute_in_extension( + "cvss_v4_confidentiality_impact_v", stix_object + ) + ) + if "x_opencti_cvss_v4_confidentiality_impact_s" not in stix_object: + stix_object["x_opencti_cvss_v4_confidentiality_impact_s"] = ( + self.opencti.get_attribute_in_extension( + "cvss_v4_confidentiality_impact_s", stix_object + ) + ) + if "x_opencti_cvss_v4_integrity_impact_v" not in stix_object: + stix_object["x_opencti_cvss_v4_integrity_impact_v"] = ( + self.opencti.get_attribute_in_extension( + "cvss_v4_integrity_impact_v", stix_object + ) + ) + if "x_opencti_cvss_v4_integrity_impact_s" not in stix_object: + stix_object["x_opencti_cvss_v4_integrity_impact_s"] = ( + self.opencti.get_attribute_in_extension( + "cvss_v4_integrity_impact_s", stix_object + ) + ) + if "x_opencti_cvss_v4_availability_impact_v" not in stix_object: + stix_object["x_opencti_cvss_v4_availability_impact_v"] = ( + self.opencti.get_attribute_in_extension( + "cvss_v4_availability_impact_v", stix_object + ) + ) + if "x_opencti_cvss_v4_exploit_maturity" not in stix_object: + stix_object["x_opencti_cvss_v4_exploit_maturity"] = ( + self.opencti.get_attribute_in_extension( + "cvss_v4_exploit_maturity", stix_object + ) + ) + + # Others + if "x_opencti_cwe" not in stix_object: + stix_object["x_opencti_cwe"] = self.opencti.get_attribute_in_extension( + "cwe", stix_object ) if "x_opencti_cisa_kev" not in stix_object: stix_object["x_opencti_cisa_kev"] = ( 
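Review bot: The CVSS4 fallback block looks up `x_opencti_cvss_v4_availability_impact_v` and then goes straight to `x_opencti_cvss_v4_exploit_maturity`, so there is no extension lookup for `x_opencti_cvss_v4_availability_impact_s`, although `create()` reads that key and the GraphQL fragments select it. A bundle that carries the value only in the OpenCTI extension would be imported without it; the missing block is shown below. The same hunk also deletes the extension fallbacks for `x_opencti_stix_ids`, `x_opencti_granted_refs` and `x_opencti_workflow_id`, while the `create()` call further down still passes those keys. If they are not handled above the hunk (the function starts outside it), granted refs present only in the extension would no longer reach `objectOrganization`, which changes which organizations the object is restricted to, so this is worth confirming before merge.

```python
            # … unchanged: fallbacks up to x_opencti_cvss_v4_availability_impact_v …
            if "x_opencti_cvss_v4_availability_impact_s" not in stix_object:
                stix_object["x_opencti_cvss_v4_availability_impact_s"] = (
                    self.opencti.get_attribute_in_extension(
                        "cvss_v4_availability_impact_s", stix_object
                    )
                )
            # … unchanged: x_opencti_cvss_v4_exploit_maturity and the "Others" fallbacks …
```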
@@ -470,6 +859,10 @@ def import_from_stix2(self, **kwargs): "epss_percentile", stix_object ) ) + if "x_opencti_score" not in stix_object: + stix_object["x_opencti_score"] = ( + self.opencti.get_attribute_in_extension("score", stix_object) + ) return self.create( stix_id=stix_object["id"], @@ -507,6 +900,27 @@ def import_from_stix2(self, **kwargs): if "x_opencti_aliases" in stix_object else None ), + x_opencti_stix_ids=( + stix_object["x_opencti_stix_ids"] + if "x_opencti_stix_ids" in stix_object + else None + ), + objectOrganization=( + stix_object["x_opencti_granted_refs"] + if "x_opencti_granted_refs" in stix_object + else None + ), + x_opencti_workflow_id=( + stix_object["x_opencti_workflow_id"] + if "x_opencti_workflow_id" in stix_object + else None + ), + # CVSS3 + x_opencti_cvss_vector=( + stix_object["x_opencti_cvss_vector"] + if "x_opencti_cvss_vector" in stix_object + else None + ), x_opencti_cvss_base_score=( stix_object["x_opencti_cvss_base_score"] if "x_opencti_cvss_base_score" in stix_object 
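Review bot: Each keyword argument added to the `self.create(...)` call in the second hunk here is written as a three-line conditional, for example `stix_object["x_opencti_cvss_vector"] if "x_opencti_cvss_vector" in stix_object else None`, which is the same as `stix_object.get("x_opencti_cvss_vector")`. Using `.get()` would cut the added arguments to one line each and make a missing field easier to spot when comparing this call with the fallback block and with `create()`. The same pattern repeats in the following hunks of this call, which continues outside the visible part of the patch.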
@@ -522,6 +936,31 @@ def import_from_stix2(self, **kwargs): if "x_opencti_cvss_attack_vector" in stix_object else None ), + x_opencti_cvss_attack_complexity=( + stix_object["x_opencti_cvss_attack_complexity"] + if "x_opencti_cvss_attack_complexity" in stix_object + else None + ), + x_opencti_cvss_privileges_required=( + stix_object["x_opencti_cvss_privileges_required"] + if "x_opencti_cvss_privileges_required" in stix_object + else None + ), + x_opencti_cvss_user_interaction=( + stix_object["x_opencti_cvss_user_interaction"] + if "x_opencti_cvss_user_interaction" in stix_object + else None + ), + x_opencti_cvss_scope=( + stix_object["x_opencti_cvss_scope"] + if "x_opencti_cvss_scope" in stix_object + else None + ), + x_opencti_cvss_confidentiality_impact=( + stix_object["x_opencti_cvss_confidentiality_impact"] + if "x_opencti_cvss_confidentiality_impact" in stix_object + else None + ), x_opencti_cvss_integrity_impact=( stix_object["x_opencti_cvss_integrity_impact"] if "x_opencti_cvss_integrity_impact" in stix_object 
@@ -532,24 +971,167 @@ def import_from_stix2(self, **kwargs): if "x_opencti_cvss_availability_impact" in stix_object else None ), - x_opencti_cvss_confidentiality_impact=( - stix_object["x_opencti_cvss_confidentiality_impact"] - if "x_opencti_cvss_confidentiality_impact" in stix_object + x_opencti_cvss_exploit_code_maturity=( + stix_object["x_opencti_cvss_exploit_code_maturity"] + if "x_opencti_cvss_exploit_code_maturity" in stix_object else None ), - x_opencti_stix_ids=( - stix_object["x_opencti_stix_ids"] - if "x_opencti_stix_ids" in stix_object + x_opencti_cvss_remediation_level=( + stix_object["x_opencti_cvss_remediation_level"] + if "x_opencti_cvss_remediation_level" in stix_object else None ), - objectOrganization=( - stix_object["x_opencti_granted_refs"] - if "x_opencti_granted_refs" in stix_object + x_opencti_cvss_report_confidence=( + stix_object["x_opencti_cvss_report_confidence"] + if "x_opencti_cvss_report_confidence" in stix_object else None ), - x_opencti_workflow_id=( - stix_object["x_opencti_workflow_id"] - if "x_opencti_workflow_id" in stix_object + x_opencti_cvss_temporal_score=( + stix_object["x_opencti_cvss_temporal_score"] + if "x_opencti_cvss_temporal_score" in stix_object + else None + ), + # CVSS2 + x_opencti_cvss_v2_vector=( + stix_object["x_opencti_cvss_v2_vector"] + if "x_opencti_cvss_v2_vector" in stix_object + else None + ), + x_opencti_cvss_v2_base_score=( + stix_object["x_opencti_cvss_v2_base_score"] + if "x_opencti_cvss_v2_base_score" in stix_object + else None + ), + x_opencti_cvss_v2_access_vector=( + stix_object["x_opencti_cvss_v2_access_vector"] + if "x_opencti_cvss_v2_access_vector" in stix_object + else None + ), + x_opencti_cvss_v2_access_complexity=( + stix_object["x_opencti_cvss_v2_access_complexity"] + if "x_opencti_cvss_v2_access_complexity" in stix_object + else None + ), + x_opencti_cvss_v2_authentication=( + stix_object["x_opencti_cvss_v2_authentication"] + if "x_opencti_cvss_v2_authentication" in stix_object + else 
None + ), + x_opencti_cvss_v2_confidentiality_impact=( + stix_object["x_opencti_cvss_v2_confidentiality_impact"] + if "x_opencti_cvss_v2_confidentiality_impact" in stix_object + else None + ), + x_opencti_cvss_v2_integrity_impact=( + stix_object["x_opencti_cvss_v2_integrity_impact"] + if "x_opencti_cvss_v2_integrity_impact" in stix_object + else None + ), + x_opencti_cvss_v2_availability_impact=( + stix_object["x_opencti_cvss_v2_availability_impact"] + if "x_opencti_cvss_v2_availability_impact" in stix_object + else None + ), + x_opencti_cvss_v2_exploitability=( + stix_object["x_opencti_cvss_v2_exploitability"] + if "x_opencti_cvss_v2_exploitability" in stix_object + else None + ), + x_opencti_cvss_v2_remediation_level=( + stix_object["x_opencti_cvss_v2_remediation_level"] + if "x_opencti_cvss_v2_remediation_level" in stix_object + else None + ), + x_opencti_cvss_v2_report_confidence=( + stix_object["x_opencti_cvss_v2_report_confidence"] + if "x_opencti_cvss_v2_report_confidence" in stix_object + else None + ), + x_opencti_cvss_v2_temporal_score=( + stix_object["x_opencti_cvss_v2_temporal_score"] + if "x_opencti_cvss_v2_temporal_score" in stix_object + else None + ), + # CVSS4 + x_opencti_cvss_v4_vector=( + stix_object["x_opencti_cvss_v4_vector"] + if "x_opencti_cvss_v4_vector" in stix_object + else None + ), + x_opencti_cvss_v4_base_score=( + stix_object["x_opencti_cvss_v4_base_score"] + if "x_opencti_cvss_v4_base_score" in stix_object + else None + ), + x_opencti_cvss_v4_base_severity=( + stix_object["x_opencti_cvss_v4_base_severity"] + if "x_opencti_cvss_v4_base_severity" in stix_object + else None + ), + x_opencti_cvss_v4_attack_vector=( + stix_object["x_opencti_cvss_v4_attack_vector"] + if "x_opencti_cvss_v4_attack_vector" in stix_object + else None + ), + x_opencti_cvss_v4_attack_complexity=( + stix_object["x_opencti_cvss_v4_attack_complexity"] + if "x_opencti_cvss_v4_attack_complexity" in stix_object + else None + ), + x_opencti_cvss_v4_attack_requirements=( 
+ stix_object["x_opencti_cvss_v4_attack_requirements"] + if "x_opencti_cvss_v4_attack_requirements" in stix_object + else None + ), + x_opencti_cvss_v4_privileges_required=( + stix_object["x_opencti_cvss_v4_privileges_required"] + if "x_opencti_cvss_v4_privileges_required" in stix_object + else None + ), + x_opencti_cvss_v4_user_interaction=( + stix_object["x_opencti_cvss_v4_user_interaction"] + if "x_opencti_cvss_v4_user_interaction" in stix_object + else None + ), + x_opencti_cvss_v4_confidentiality_impact_v=( + stix_object["x_opencti_cvss_v4_confidentiality_impact_v"] + if "x_opencti_cvss_v4_confidentiality_impact_v" in stix_object + else None + ), + x_opencti_cvss_v4_confidentiality_impact_s=( + stix_object["x_opencti_cvss_v4_confidentiality_impact_s"] + if "x_opencti_cvss_v4_confidentiality_impact_s" in stix_object + else None + ), + x_opencti_cvss_v4_integrity_impact_v=( + stix_object["x_opencti_cvss_v4_integrity_impact_v"] + if "x_opencti_cvss_v4_integrity_impact_v" in stix_object + else None + ), + x_opencti_cvss_v4_integrity_impact_s=( + stix_object["x_opencti_cvss_v4_integrity_impact_s"] + if "x_opencti_cvss_v4_integrity_impact_s" in stix_object + else None + ), + x_opencti_cvss_v4_availability_impact_v=( + stix_object["x_opencti_cvss_v4_availability_impact_v"] + if "x_opencti_cvss_v4_availability_impact_v" in stix_object + else None + ), + x_opencti_cvss_v4_availability_impact_s=( + stix_object["x_opencti_cvss_v4_availability_impact_s"] + if "x_opencti_cvss_v4_availability_impact_s" in stix_object + else None + ), + x_opencti_cvss_v4_exploit_maturity=( + stix_object["x_opencti_cvss_v4_exploit_maturity"] + if "x_opencti_cvss_v4_exploit_maturity" in stix_object + else None + ), + # Others + x_opencti_cwe=( + stix_object["x_opencti_cwe"] + if "x_opencti_cwe" in stix_object else None ), x_opencti_cisa_kev=( 
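Review bot: Each of the roughly forty new keyword arguments in this hunk spells its field name three times (keyword, lookup, membership test), so a single typo in any of them silently passes `None` and drops that metric on import with no error. Assuming `stix_object` is a plain dict, every `stix_object[k] if k in stix_object else None` is just `stix_object.get(k)`. The CVSS2, CVSS3, CVSS4 and "Others" groups could be driven from one tuple of names (the name here is only a suggestion) and expanded with `**{key: stix_object.get(key) for key in VULNERABILITY_IMPORT_FIELDS}`. That also gives a single place to add validation of bundle-supplied values later. The enclosing `create()` call begins before this hunk and continues after it.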
@@ -567,6 +1149,11 @@ def import_from_stix2(self, **kwargs): if "x_opencti_epss_percentile" in stix_object else None ), + x_opencti_score=( + stix_object["x_opencti_score"] + if "x_opencti_score" in stix_object + else None + ), update=update, ) else: From 7da44234a730c97bf17b7fa73959c2adb6167e64 Mon Sep 17 00:00:00 2001 From: Samuel Hassine Date: Tue, 17 Jun 2025 11:02:28 +0200 Subject: [PATCH 2/3] [client] Implement new vulnerability data model (#916) --- pycti/entities/opencti_stix_core_object.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pycti/entities/opencti_stix_core_object.py b/pycti/entities/opencti_stix_core_object.py index 4d5493f16..dd252aac9 100644 --- a/pycti/entities/opencti_stix_core_object.py +++ b/pycti/entities/opencti_stix_core_object.py @@ -352,6 +352,8 @@ def __init__(self, opencti, file): } } ... on Vulnerability { + name + description x_opencti_aliases x_opencti_cvss_vector x_opencti_cvss_base_score From a27f6d3fc1ab0245536c60b53617bdaac7df0b7f Mon Sep 17 00:00:00 2001 From: Samuel Hassine Date: Tue, 17 Jun 2025 11:03:36 +0200 Subject: [PATCH 3/3] [client] Implement new vulnerability data model (#916) --- pycti/entities/opencti_stix_domain_object.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pycti/entities/opencti_stix_domain_object.py b/pycti/entities/opencti_stix_domain_object.py index 41877ec68..3c6d737e5 100644 --- a/pycti/entities/opencti_stix_domain_object.py +++ b/pycti/entities/opencti_stix_domain_object.py @@ -1015,7 +1015,7 @@ def __init__(self, opencti, file): ... on Vulnerability { name description - x_opencti_aliases + x_opencti_aliases x_opencti_cvss_vector x_opencti_cvss_base_score x_opencti_cvss_base_severity
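Review bot: The `... on Vulnerability` selection in `opencti_stix_core_object.py` needed `name` and `description` restored here after the first patch in the series dropped them, and the same field list is maintained by hand in `opencti_stix_domain_object.py`, which the next patch touches. Keeping the Vulnerability field list in one shared string constant that each fragment interpolates would stop the copies from drifting apart. A small test asserting that every fragment still selects `name` would catch a repeat of this regression. The fragment string begins and ends outside the hunk.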