
Matching re-occurring value within patterns #58

Open: wants to merge 6 commits into master

Conversation

muellpanda

We propose a solution to evaluate our so-called inter-observable patterns described in Issue #57.
I will try to describe what our code changes do:

  • [1772-1782]: Since variables to describe inter-observables can only be defined within regular expressions, we adjusted the exitPropTestRegex-function. Whenever a regex containing a variable is successfully matched against an Observable object, we store the variable name, Observable ID and actual value the variable matched on in a nested dictionary (interobs_group_matches). Example: we have the pattern [file:name MATCHES '(?P<var>[a-z]{3})'], a File-Observable with filename 'foo' and one with filename 'bar'. interobs_group_matches will look like this: {'var': {0: ['foo'], 1: ['bar']}}.
  • [2147-2151]: We need to run our checks on all found bindings. Up to this point the actual matching process is unaltered and only those bindings are considered further which fulfill a pattern ignoring any variables.
  • [2190-2209]: Check if any variables were matched, i.e. values exist within the dictionary. If not, return SDOs for bindings (original behaviour). If there are values, iterate over all found bindings. For each binding, only consider the relevant SDOs, i.e. create a copy of interobs_group_matches and remove all values of irrelevant SDOs. Then run the checks on this copy. If a check returns false, remove the current binding from found_bindings -- it does not fulfill the inter-observable pattern.
  • [2165-2189]: The actual checks. If only one SDO is present, it is considered an invalid match if a variable matched on more than one unique value. When multiple SDOs are present, we look for intersections between the values for each variable; if no intersection exists, the variable did not match on the same values for these SDOs.

Our changes to the code are as transparent as possible to the original functionality of the matcher. We also added a small test to evaluate the functionality of inter-observable patterns.
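The filtering described in the PR text above, as an added stand-alone sketch (not the project's code and not part of the original thread): it builds the nested {variable: {observable_id: [values]}} dictionary by running a regex with named groups over constructed observables, restricts it to one binding, and applies the two consistency checks. The observable shape, the bindings, and the names collect_group_matches, restrict_to_binding, binding_is_consistent and filter_bindings are assumptions made for this illustration; the project's own function is exitPropTestRegex and its real data structures may differ.

```python
import re
from collections import defaultdict

# Constructed observables keyed by the integer IDs the matcher hands out
# (hypothetical shape: a flat dict of property name -> str or list of str).
OBSERVABLES = {
    0: {"type": "file", "name": "foo"},
    1: {"type": "file", "name": "bar"},
    2: {"type": "file", "name": "foo"},
    # list-valued property (constructed) so one observable yields two values
    3: {"type": "file", "name": ["qux", "quux"]},
}

# Constructed bindings: each is the tuple of observable IDs one candidate
# match used, as produced by the variable-free stage of matching.
BINDINGS = [(0, 1), (0, 2), (0,), (3,), (1,)]


def collect_group_matches(regex, prop, observables):
    """Build {variable: {observable_id: [matched values, ...]}}, the nested
    dictionary the PR calls interobs_group_matches, by running a regex with
    named groups over one property of every observable."""
    pattern = re.compile(regex)
    matches = defaultdict(lambda: defaultdict(list))
    for obs_id, obs in observables.items():
        value = obs.get(prop)
        if value is None:
            continue
        for text in (value if isinstance(value, list) else [value]):
            m = pattern.search(text)
            if m is None:
                continue
            for var, matched in m.groupdict().items():
                if matched is not None:
                    matches[var][obs_id].append(matched)
    return {var: dict(per_obs) for var, per_obs in matches.items()}


def restrict_to_binding(group_matches, binding):
    """Copy of the dictionary keeping only the observables in one binding."""
    ids = set(binding)
    return {
        var: {oid: vals for oid, vals in per_obs.items() if oid in ids}
        for var, per_obs in group_matches.items()
    }


def binding_is_consistent(group_matches):
    """The two checks from the description: a single observable must not
    have bound a variable to more than one distinct value, and several
    observables must share at least one value per variable."""
    for per_obs in group_matches.values():
        if not per_obs:
            continue  # variable played no part in this binding
        if len(per_obs) == 1:
            (values,) = per_obs.values()
            if len(set(values)) > 1:
                return False
        else:
            common = set.intersection(*(set(v) for v in per_obs.values()))
            if not common:
                return False
    return True


def filter_bindings(found_bindings, group_matches):
    """Drop bindings that break variable consistency; if no variable was
    ever matched, return the bindings untouched (original behaviour)."""
    if not any(group_matches.values()):
        return list(found_bindings)
    return [
        b for b in found_bindings
        if binding_is_consistent(restrict_to_binding(group_matches, b))
    ]


def demo():
    # Pattern from the PR example, applied to the constructed observables.
    gm = collect_group_matches(r"(?P<var>[a-z]{3})", "name", OBSERVABLES)
    return filter_bindings(BINDINGS, gm)


if __name__ == "__main__":
    print(demo())  # [(0, 2), (0,), (1,)]
```

Binding (0, 1) is dropped because 'foo' and 'bar' share no value, (3,) is dropped because a single observable bound var to two distinct values, and a regex without named groups leaves every binding in place, which is the unchanged original behaviour the description refers to.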

@codecov-io

codecov-io commented Jun 17, 2019

Codecov Report

Merging #58 into master will increase coverage by 0.52%.
The diff coverage is 98.33%.


@@            Coverage Diff             @@
##           master      #58      +/-   ##
==========================================
+ Coverage   89.43%   89.95%   +0.52%     
==========================================
  Files          13       14       +1     
  Lines         937      996      +59     
==========================================
+ Hits          838      896      +58     
- Misses         99      100       +1
Impacted Files Coverage Δ
stix2matcher/test/test_inter_observable_expr.py 100% <100%> (ø)
stix2matcher/matcher.py 87.62% <98.11%> (+0.71%) ⬆️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update fbe7b50...9becc8e.


@mdazam1942 (Contributor)

@muellpanda, would you please resolve the conflicts? We would like to verify the changes and see if this can be merged.
