Loading...
Loading...
Loading...
This document details the STIX 2.1 specification compliance status of the Whisper STIX Java library.
# STIX 2.1 Compliance Report
## Library Version: 1.2.0
This document details the STIX 2.1 specification compliance status of the Whisper STIX Java library.
## Compliance Summary
| Feature | Status | Version | Notes |
|---------|--------|---------|-------|
| STIX Domain Objects (SDOs) | ✅ Full | 1.0.0+ | All 18 SDO types implemented |
| STIX Cyber Observable Objects (SCOs) | ✅ Full | 1.0.0+ | All 18 SCO types implemented |
| STIX Relationship Objects (SROs) | ✅ Full | 1.1.0+ | Relationship and Sighting objects |
| COO Relationships | ✅ Full | 1.1.0+ | SCO-to-SDO and SCO-to-SCO relationships |
| STIX Patterns | ✅ Full | 1.2.0+ | Full ANTLR4-based pattern parser |
| Bundle Support | ✅ Full | 1.0.0+ | Complete bundle functionality |
| Custom Objects | ✅ Full | 1.0.0+ | x- prefix custom objects supported |
| Marking Definitions | ✅ Full | 1.0.0+ | TLP and custom markings |
| Vocabularies | ✅ Full | 1.0.0+ | All STIX vocabularies implemented |
## Recent Enhancements
### Version 1.2.0 - Full Pattern Parser ✅
**Previous Limitation:** Basic pattern parsing with limited operator support
**Current Status:** Full STIX 2.1 pattern language implementation using ANTLR4
**Implementation Details:**
- Integrated official OASIS STIX pattern grammar
- Full ANTLR4-based lexer and parser
- Pattern compilation and validation
- Pattern evaluation engine
- Support for all STIX pattern operators
**Supported Features:**
- ✅ All observation expressions
- ✅ All comparison operators: `=`, `!=`, `>`, `<`, `>=`, `<=`, `IN`, `LIKE`, `MATCHES`, `ISSUBSET`, `ISSUPERSET`, `EXISTS`
- ✅ All logical operators: `AND`, `OR`, `NOT`
- ✅ Temporal operators: `FOLLOWEDBY`
- ✅ All qualifiers: `WITHIN`, `REPEATS`, `START`, `STOP`
- ✅ Complex nested expressions
- ✅ Array indexing and wildcards
**Example:**
```java
StixPatternCompiler compiler = new StixPatternCompiler();
// Validate complex patterns
boolean isValid = compiler.isValid(
"[file:hashes.MD5 = 'abc123'] AND " +
"[network-traffic:dst_port = 443] " +
"WITHIN 300 SECONDS"
);
// Evaluate patterns against objects
StixPatternEvaluator evaluator = new StixPatternEvaluator();
boolean matches = evaluator.evaluate(pattern, stixObject);
```
### Version 1.1.0 - COO Relationships
### COO Relationship Support ✅
**Previous Limitation:** Relationships could only connect Domain Objects (SDOs)
**Current Status:** Full support for all STIX 2.1 relationship types:
- SDO to SDO relationships
- SDO to SCO relationships
- SCO to SCO relationships
**Implementation Details:**
- Added `StixObject` interface as common base for relationships
- Updated `RelationshipSro` to accept any `StixObject` type
- Added `StixObjectConverter` for proper deserialization
- Validated common COO relationship patterns
**Example:**
```java
// File (SCO) related to Malware (SDO)
FileCoo file = FileCoo.builder()
.name("malware.exe")
.addHashes("MD5", "abc123")
.build();
MalwareSdo malware = MalwareSdo.builder()
.name("TrojanRAT")
.addLabel("trojan")
.build();
RelationshipSro rel = Relationship.builder()
.relationshipType("related-to")
.sourceRef(file) // SCO as source
.targetRef(malware) // SDO as target
.build();
```
## Known Limitations
None - The library now provides full STIX 2.1 specification compliance including complete pattern parsing support.
## STIX 2.1 Object Coverage
### Domain Objects (SDOs) - 18/18 ✅
- ✅ Attack Pattern
- ✅ Campaign
- ✅ Course of Action
- ✅ Grouping
- ✅ Identity
- ✅ Incident
- ✅ Indicator
- ✅ Infrastructure
- ✅ Intrusion Set
- ✅ Location
- ✅ Malware
- ✅ Malware Analysis
- ✅ Note
- ✅ Observed Data
- ✅ Opinion
- ✅ Report
- ✅ Threat Actor
- ✅ Tool
- ✅ Vulnerability
### Cyber Observable Objects (SCOs) - 18/18 ✅
- ✅ Artifact
- ✅ Autonomous System
- ✅ Directory
- ✅ Domain Name
- ✅ Email Address
- ✅ Email Message
- ✅ File
- ✅ IPv4 Address
- ✅ IPv6 Address
- ✅ MAC Address
- ✅ Mutex
- ✅ Network Traffic
- ✅ Process
- ✅ Software
- ✅ URL
- ✅ User Account
- ✅ Windows Registry Key
- ✅ X.509 Certificate
### Relationship Objects (SROs) - 2/2 ✅
- ✅ Relationship
- ✅ Sighting
### Meta Objects - 4/4 ✅
- ✅ Bundle
- ✅ Extension Definition
- ✅ Language Content
- ✅ Marking Definition
## Validation and Constraints
### Implemented Validations ✅
- Required property validation
- Property format validation (IDs, timestamps, etc.)
- Vocabulary validation
- Relationship type constraints
- Custom property naming (x- prefix)
- Confidence value ranges (0-100)
### Relationship Constraints ✅
The library enforces STIX-defined relationship constraints:
- Valid source and target types for each relationship
- Relationship type vocabulary validation
- Object type compatibility
## JSON Serialization
### Supported Features ✅
- Full JSON serialization/deserialization
- Proper timestamp handling (RFC 3339)
- ID reference resolution
- Dehydrated object support
- Custom property preservation
### Serialization Options
- Compact JSON output
- Pretty-printed JSON
- Redaction support for sensitive data
- Bundle aggregation
## Testing Coverage
- Unit tests for all object types
- Serialization/deserialization tests
- Validation tests
- COO relationship tests (NEW in v1.1.0)
- Bundle composition tests
- Pattern parsing tests (basic)
## Migration Guide (v1.0.0 to v1.1.0)
### Breaking Changes
None - v1.1.0 is fully backward compatible.
### New Features
1. COO relationships now supported
2. `StixObject` interface available for generic object handling
### Recommended Updates
```java
// Old way (still works)
DomainObject source = getMalware();
DomainObject target = getIdentity();
// New way (supports COOs)
StixObject source = getAnyStixObject(); // Can be SDO or SCO
StixObject target = getAnyStixObject(); // Can be SDO or SCO
Relationship rel = Relationship.builder()
.relationshipType("related-to")
.sourceRef(source)
.targetRef(target)
.build();
```
## Roadmap
### Version 1.3.0 (Planned)
- Performance optimizations
- Graph traversal utilities
- Additional helper methods
- SLF4J logging improvements
### Version 2.0.0 (Future)
- TAXII 2.1 client integration
- Threat intelligence enrichment APIs
- Advanced pattern matching optimizations
- GraphQL API support
## Compliance Verification
To verify compliance, run the test suite:
```bash
mvn test -Dtest=CooRelationshipTest
mvn test -Dtest=StixComplianceTest
```
## References
- [STIX 2.1 Specification](https://docs.oasis-open.org/cti/stix/v2.1/stix-v2.1.html)
- [STIX 2.1 JSON Schemas](https://github.com/oasis-open/cti-stix2-json-schemas)
- [OASIS CTI TC](https://www.oasis-open.org/committees/cti/)
## Support
For compliance questions or issues:
- GitHub Issues: https://github.com/whisper-security/STIX/issues
- Email: [email protected]
---
*Last updated: January 2025*
*Library version: 1.2.0*You are an autonomous senior full-stack engineer responsible for building and maintaining a complete SaaS product. You operate with minimal supervision, making independent decisions while consulting on major strategic changes.
<author>blefnk/rules</author>
trigger: model_decision
description: Authoritative guide for all software-writing agents in this repository