@mitre-attack/attack-data-model
Version:
A TypeScript API for the MITRE ATT&CK data model
342 lines (335 loc) • 12 kB
JavaScript
;
var __defProp = Object.defineProperty;
var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
var __getOwnPropNames = Object.getOwnPropertyNames;
var __hasOwnProp = Object.prototype.hasOwnProperty;
var __export = (target, all) => {
for (var name in all)
__defProp(target, name, { get: all[name], enumerable: true });
};
var __copyProps = (to, from, except, desc) => {
if (from && typeof from === "object" || typeof from === "function") {
for (let key of __getOwnPropNames(from))
if (!__hasOwnProp.call(to, key) && key !== except)
__defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
}
return to;
};
var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
// src/schemas/common/misc.ts
var misc_exports = {};
__export(misc_exports, {
createAttackExternalReferencesSchema: () => createAttackExternalReferencesSchema,
externalReferenceSchema: () => externalReferenceSchema,
externalReferencesSchema: () => externalReferencesSchema,
granularMarkingSchema: () => granularMarkingSchema,
stixCreatedByRefSchema: () => stixCreatedByRefSchema
});
module.exports = __toCommonJS(misc_exports);
var import_v44 = require("zod/v4");
// src/schemas/common/stix-identifier.ts
var import_v42 = require("zod/v4");
// src/schemas/common/stix-type.ts
var import_v4 = require("zod/v4");
var stixTypeToTypeName = {
"attack-pattern": "Technique",
bundle: "StixBundle",
campaign: "Campaign",
"course-of-action": "Mitigation",
"extension-definition": null,
identity: "Identity",
"intrusion-set": "Group",
malware: "Malware",
tool: "Tool",
"marking-definition": "MarkingDefinition",
"x-mitre-analytic": "Analytic",
"x-mitre-data-component": "DataComponent",
"x-mitre-detection-strategy": "DetectionStrategy",
"x-mitre-data-source": "DataSource",
"x-mitre-log-source": "LogSource",
"x-mitre-tactic": "Tactic",
"x-mitre-asset": "Asset",
"x-mitre-matrix": "Matrix",
"x-mitre-collection": "Collection",
relationship: "Relationship",
file: "",
// not used in ATT&CK but used in sample_refs for Malware
artifact: ""
// not used in ATT&CK but used in sample_refs for Malware
// 'observed-data': 'ObservedData', // not used in ATT&CK
// 'report': 'Report', // not used in ATT&CK
// 'threat-actor': 'ThreatActor', // not used in ATT&CK
// 'vulnerability': 'Vulnerability', // not used in ATT&CK
};
var supportedStixTypes = [
"attack-pattern",
"bundle",
"campaign",
"course-of-action",
"extension-definition",
"identity",
"intrusion-set",
"malware",
"tool",
"marking-definition",
"x-mitre-analytic",
"x-mitre-data-component",
"x-mitre-detection-strategy",
"x-mitre-tactic",
"x-mitre-asset",
"x-mitre-data-source",
"x-mitre-log-source",
"x-mitre-matrix",
"x-mitre-collection",
"relationship",
"file",
// not used in ATT&CK but used in sample_refs for Malware
"artifact"
// not used in ATT&CK but used in sample_refs for Malware
// "indicator", // not used in ATT&CK
// "observed-data", // not used in ATT&CK
// "report", // not used in ATT&CK
// "threat-actor", // not used in ATT&CK
// "vulnerability", // not used in ATT&CK
];
var stixTypeSchema = import_v4.z.enum(supportedStixTypes, {
error: (issue) => {
if (issue.code === "invalid_value") {
const received = typeof issue.input === "string" ? issue.input : String(issue.input);
return `Invalid STIX type '${received}'. Expected one of the supported STIX types.`;
}
return void 0;
}
}).meta({
description: "The type property identifies the type of STIX Object (SDO, Relationship Object, etc). The value of the type field MUST be one of the types defined by a STIX Object (e.g., indicator)."
});
// src/schemas/common/stix-identifier.ts
var stixIdentifierSchema = import_v42.z.string().refine((val) => val.includes("--") && val.split("--").length === 2, {
error: (issue) => ({
code: "custom",
message: "Invalid STIX Identifier: must comply with format 'type--UUIDv4'",
input: issue.input,
path: []
})
}).refine(
(val) => {
const [type] = val.split("--");
return stixTypeSchema.safeParse(type).success;
},
{
error: (issue) => {
const val = issue.input;
const [type] = val.split("--");
const typeName = type in stixTypeToTypeName ? stixTypeToTypeName[type] : "STIX";
return {
code: "custom",
message: `Invalid STIX Identifier for ${typeName} object: contains invalid STIX type '${type}'`,
input: issue.input,
path: []
};
}
}
).refine(
(val) => {
const [, uuid] = val.split("--");
return import_v42.z.uuid().safeParse(uuid).success;
},
{
error: (issue) => {
const val = issue.input;
const [type] = val.split("--");
const typeName = type in stixTypeToTypeName ? stixTypeToTypeName[type] : "STIX";
return {
code: "custom",
message: `Invalid STIX Identifier for ${typeName} object: contains invalid UUIDv4 format`,
input: issue.input,
path: []
};
}
}
).meta({
description: "Represents identifiers across the CTI specifications. The format consists of the name of the top-level object being identified, followed by two dashes (--), followed by a UUIDv4."
});
function createStixIdValidator(expectedType) {
return stixIdentifierSchema.refine(
(val) => val.startsWith(`${expectedType}--`),
{
error: () => ({
code: "custom",
message: `Invalid STIX Identifier: must start with '${expectedType}--'`,
input: expectedType,
path: []
})
}
);
}
// src/schemas/common/attack-id.ts
var import_v43 = require("zod/v4");
var attackIdConfig = {
tactic: {
pattern: /^TA\d{4}$/,
message: "Must match ATT&CK Tactic ID format (TA####)",
example: "TA####",
stixTypes: ["x-mitre-tactic"]
},
technique: {
pattern: /^T\d{4}$/,
message: "Must match ATT&CK Technique ID format (T####)",
example: "T####",
stixTypes: ["attack-pattern"]
// Note: attack-pattern can be technique or subtechnique
},
subtechnique: {
pattern: /^T\d{4}\.\d{3}$/,
message: "Must match ATT&CK Sub-technique ID format (T####.###)",
example: "T####.###",
stixTypes: ["attack-pattern"]
// Note: attack-pattern can be technique or subtechnique
},
group: {
pattern: /^G\d{4}$/,
message: "Must match ATT&CK Group ID format (G####)",
example: "G####",
stixTypes: ["intrusion-set"]
},
software: {
pattern: /^S\d{4}$/,
message: "Must match ATT&CK Software ID format (S####)",
example: "S####",
stixTypes: ["malware", "tool"]
},
mitigation: {
pattern: /^M\d{4}$/,
message: "Must match ATT&CK Mitigation ID format (M####)",
example: "M####",
stixTypes: ["course-of-action"]
},
asset: {
pattern: /^A\d{4}$/,
message: "Must match ATT&CK Asset ID format (A####)",
example: "A####",
stixTypes: ["x-mitre-asset"]
},
"data-source": {
pattern: /^DS\d{4}$/,
message: "Must match ATT&CK Data Source ID format (DS####)",
example: "DS####",
stixTypes: ["x-mitre-data-source"]
},
"log-source": {
pattern: /^LS\d{4}$/,
message: "Must match ATT&CK Log Source ID format (DS####)",
example: "LS####",
stixTypes: ["x-mitre-log-source"]
},
campaign: {
pattern: /^C\d{4}$/,
message: "Must match ATT&CK Campaign ID format (C####)",
example: "C####",
stixTypes: ["campaign"]
},
"data-component": {
pattern: /^DC\d{4}$/,
message: "Must match ATT&CK Data Component Source ID format (DC####)",
example: "DC####",
stixTypes: ["x-mitre-data-component"]
},
"detection-strategy": {
pattern: /^DET\d{4}$/,
message: "Must match ATT&CK Detection Strategy Source ID format (DET####)",
example: "DET####",
stixTypes: ["x-mitre-detection-strategy"]
},
analytic: {
pattern: /^AN\d{4}$/,
message: "Must match ATT&CK Analytic Source ID format (AN####)",
example: "AN####",
stixTypes: ["x-mitre-analytic"]
}
};
var stixTypeToAttackIdMapping = {
"x-mitre-tactic": "tactic",
"attack-pattern": "technique",
// Default to technique; subtechnique handling is done contextually
"intrusion-set": "group",
malware: "software",
tool: "software",
"course-of-action": "mitigation",
"x-mitre-asset": "asset",
"x-mitre-data-source": "data-source",
campaign: "campaign",
"x-mitre-data-component": "data-component",
"x-mitre-log-source": "log-source",
"x-mitre-detection-strategy": "detection-strategy",
"x-mitre-analytic": "analytic"
};
var attackIdPatterns = Object.fromEntries(
Object.entries(attackIdConfig).map(([key, config]) => [key, config.pattern])
);
var attackIdMessages = Object.fromEntries(
Object.entries(attackIdConfig).map(([key, config]) => [key, config.message])
);
var attackIdExamples = Object.fromEntries(
Object.entries(attackIdConfig).map(([key, config]) => [key, config.example])
);
function getAttackIdExample(stixType) {
if (stixType === "attack-pattern") {
return `${attackIdExamples.technique} or ${attackIdExamples.subtechnique}`;
}
const attackIdType = stixTypeToAttackIdMapping[stixType];
return attackIdExamples[attackIdType];
}
// src/schemas/common/misc.ts
var externalReferenceSchema = import_v44.z.object({
source_name: import_v44.z.string({
error: (issue) => issue.input === void 0 ? "Source name is required" : "Source name must be a string"
}),
description: import_v44.z.string({
error: "Description must be a string"
}).optional(),
url: import_v44.z.url({
error: (issue) => issue.input === null ? "URL cannot be null" : "Invalid URL format. Please provide a valid URL"
}).optional(),
external_id: import_v44.z.string({
error: "External ID must be a string"
}).optional()
});
var externalReferencesSchema = import_v44.z.array(externalReferenceSchema).min(1, "At least one external reference is required when 'external_references' is defined").meta({
description: "A list of external references which refers to non-STIX information"
});
var createAttackExternalReferencesSchema = (stixType) => {
return import_v44.z.array(externalReferenceSchema).min(1, "At least one external reference is required").refine((refs) => !!refs[0]?.external_id, {
message: "ATT&CK ID must be defined in the first external_references entry.",
path: [0, "external_id"]
}).refine(
(refs) => {
if (!refs[0]?.external_id) return true;
const attackIdType = stixTypeToAttackIdMapping[stixType];
if (attackIdType === "technique") {
return attackIdPatterns["technique"].test(refs[0].external_id) || attackIdPatterns["subtechnique"].test(refs[0].external_id);
}
return attackIdPatterns[attackIdType].test(refs[0].external_id);
},
{
message: `The first external_reference must match the ATT&CK ID format ${getAttackIdExample(stixType)}.`,
path: [0, "external_id"]
}
).meta({
description: "A list of external references with the first containing a valid ATT&CK ID"
});
};
var stixCreatedByRefSchema = createStixIdValidator("identity").meta({
description: "The created_by_ref property specifies the id property of the identity object that describes the entity that created this object. If this attribute is omitted, the source of this information is undefined. This may be used by object creators who wish to remain anonymous."
});
var granularMarkingSchema = import_v44.z.object({
marking_ref: stixIdentifierSchema,
selectors: import_v44.z.array(import_v44.z.string())
});
// Annotate the CommonJS export names for ESM import in node:
0 && (module.exports = {
createAttackExternalReferencesSchema,
externalReferenceSchema,
externalReferencesSchema,
granularMarkingSchema,
stixCreatedByRefSchema
});