Codecov Report
❌ Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## master #3467 +/- ##
==========================================
- Coverage 97.73% 96.48% -1.26%
==========================================
Files 299 258 -41
Lines 63157 63344 +187
==========================================
- Hits 61729 61115 -614
- Misses 1428 2229 +801
## Summary

- Remove the vestigial name string from all `modeldefs` declarations across 27 model modules, converting `(name, dict)` tuples to plain dicts
- Rename `addDataModels()` to `addModelDefs()` to accept a list of dicts instead of `(name, dict)` tuples
- Rename `getModelDefs()` to `getModelDef()` and return the singular model definition dictionary directly
- Update all consumers: `CoreApi`, `Cortex`, `autodoc`, and tests

## Test plan

- [x] `test_datamodel.py` — 17 tests pass
- [x] `test_tools_cortex_docmodel.py` — 28 tests pass
- [x] `test_model_geospace.py` — 7 tests pass
- [x] `test_lib_types.py` array test passes
- [x] `test_model_syn.py` — 6 tests pass
- [x] `test_lib_stormlib_model.py` — 4 tests pass
- [x] `test_cortex.py` deprecation test passes
- [x] `test_lib_storm.py` model test passes
- [x] No remaining references to `getModelDefs` or `addDataModels` in codebase
## Summary

- Add `risk:exploitable` interface to `it:software`, `it:host`, `it:hardware`, `inet:server`, `inet:client`, `inet:service:platform`, and `ou:asset` forms
- Update `it:sec:vuln:scan:result:asset` polyprop to use `risk:exploitable` instead of the previous broad `(risk:targetable, meta:observable, meta:havable)` union
- Add tests for `risk:vulnerable:node` with all 7 exploitable form types

## Test plan

- [x] `test_model_risk` - all 4 tests pass
- [x] `test_model_inet` - all 40 tests pass
- [x] `test_model_orgs` - all 18 tests pass
- [x] `test_infotech_vulnscan` - passes with updated `risk:exploitable` polyprop

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
A large part of this is naming cleanup (adjusting virts -> virt)
## Summary

- `meta:usable` interface now extends `meta:observable`, inheriting the `:seen` (ival) property
- All 6 forms implementing `meta:usable` (`meta:rule`, `meta:technique`, `it:software`, `it:hardware`, `risk:vuln`, `risk:tool:software`) gain a `:seen` property
- Removed duplicate edge definitions (`detects`, `used`) that referenced both `meta:usable` and `meta:observable`, keeping the `meta:observable` versions

## Test plan

- [x] Added `:seen` test coverage for all 6 `meta:usable` forms
- [x] Updated edge assertions in `test_lib_stormlib_model.py`
- [x] Full test suite passes (1461 passed)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…into synapse-3xx
…efault (#4894)

## Summary

- Remove the ``meta:name`` type and form, replacing all usages with more specific name types (``base:name``, ``entity:name``, ``event:name``, ``geo:name``, ``it:softwarename``) depending on the domain context.
- Add ``biz:manufactured`` interface with ``name`` (``base:name``) and ``model`` (``biz:model``) properties for manufactured items.
- Add ``biz:model`` type (extends ``base:id``) for model names/numbers.
- Add ``pol:candidate:votes`` property.
- Restructure ``inet:proto:link`` and ``inet:proto:request`` interfaces:
  - ``inet:proto:request`` now inherits from ``base:event`` and ``inet:proto:link``.
  - Move ``:flow`` from ``inet:proto:link`` to ``inet:proto:request``.
  - ``inet:flow`` now directly implements ``inet:proto:link`` and ``base:activity``.
- Rename ``inet:flow`` properties: ``server:cpes`` to ``server:software:cpes``, ``server:softnames`` to ``server:software:names``, ``client:cpes`` to ``client:software:cpes``, ``client:softnames`` to ``client:software:names``.
- Remove ``inet:flow:period`` (covered by ``base:activity``).
- Add ``it:host`` interfaces: ``entity:creatable``, ``biz:manufactured``.
- Restore ``it:hardware:name`` as ``base:name``.
- Change ``it:hardware:model`` and transport/telco ``:model`` properties from ``base:name`` to ``biz:model`` (no longer lowercased).
- Update ``it:sec:cpe:vendor`` from ``meta:name`` to ``entity:name``.
- Update stormlib code (``stix.py``, ``infosec.py``, ``scrape.py``, ``stats.py``) to remove ``meta:name`` references.
- Fix mutable list bug in ``_addFormIface`` / ``_delFormIface`` that caused duplicate interface property registrations when an interface had multiple sub-interfaces.
- Update all affected tests and regenerate ``docs/datamodel.md``.
…er gate (SYN-10476) (#4893)

Currently we have a mix of checking layer.read/write on the layer gate and also checking layer.read.<iden> on the cortex in some places.
## Summary

- Removed the `meta:id` type and form from the data model
- Types that previously extended `meta:id` now extend `base:id` directly:
  - MITRE ATT&CK ID types (`it:mitre:attack:group:id`, `tactic:id`, `technique:id`, `mitigation:id`, `software:id`, `campaign:id`)
  - `it:adid`
- Added explicit `entity:identifier` interface to `it:mitre:attack:group:id` (previously inherited via `meta:id`)
- Updated poly/union types (`risk:vuln:id`, `pol:country:code`) to reference `base:id`
- Updated all properties typed as `meta:id` to `base:id` across 12 model files
- Bumped model version to `(0, 2, 36)`
- Regenerated `docs/datamodel.md`

## Test plan

- [x] Updated `test_datamodel.py` — rewrote form inheritance tests that used `meta:id` form nodes
- [x] Updated `test_model_infotech.py` — removed MITRE `meta:id` lift assertions
- [x] Updated `test_model_geopol.py` — updated poly type expectations from `meta:id` to `base:id`
- [x] Updated `test_model_orgs.py` — replaced `meta:id=Woot99` with `it:adid=Woot99`
- [x] Verified zero remaining `meta:id` references in `synapse/`
- [x] 170 affected tests pass (model + datamodel + docmodel tests)
)

## Summary

Unifies the three separate Storm input modes (`lookup`, `search`, `autoadd`) into a single `lookup` mode that combines scraping, lifting, and datamodel hint-based search in one pass.

**`autoadd` and `search` modes are removed.** Passing either to `parseQuery` raises `BadArg`. `lookup` mode now covers all prior use cases.

### Lookup mode behavior

Given free-form text input (before an optional `|` pipe back to storm mode):

1. **Scrape** - runs the scrape interface over the full input text; de-overlaps matches, preferring longer (more specific) spans; fires `look:miss` for any scraped ndef not found in the current view.
2. **Datamodel hint search** - tokens not covered by any scrape span are matched against forms/props that declare `modes.lookup` hints in the data model (e.g. `^=` prefix match on `entity:name`). Tokens that partially overlap a scrape span are excluded entirely to avoid garbage fragments reaching the hints path.

### Data model changes

- New `modes.lookup` info key on form types and props, containing a list of `{cmpr: ...}` hint objects.
- `DataModel.getLookupHints()` - cached method returning all `(prop_full_name, cmpr)` pairs from the model.
- `entity:name` and `it:softwarename` carry `^=` hints out of the box.
- Model mutation methods (`addForm`, `delForm`, `addProp`, `delProp`) invalidate the hints cache.

### Notable implementation details

- Scrape de-overlap: sort by `(offset asc, match_len desc)`, walk with a `covered` pointer - longest match wins on overlap.
- Remainder computation uses whitespace-token boundary filtering (not character-level removal) to prevent partial tokens from leaking into the hints path.
- Dedup in the hints path uses `node.nid` (not `buid`) via a spooled set.

---------

Co-authored-by: Cisphyx <cisphyx@vertex.link>
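The scrape de-overlap and remainder steps described in the commit message above, as an added Python sketch that is not Synapse's implementation. The regexes, the form labels and the function names are assumptions made for illustration, and the sample input in the closing comment is constructed.

```python
import re

# Hypothetical scrape patterns and labels for illustration only.
PATTERNS = [
    ("fqdn", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")),
    ("email", re.compile(r"\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b")),
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]

def scrape(text):
    """Yield (offset, length, form, value) for every raw pattern hit."""
    for form, regx in PATTERNS:
        for m in regx.finditer(text):
            yield (m.start(), len(m.group()), form, m.group())

def deoverlap(matches):
    """Sort by (offset asc, length desc) and keep a match only if it starts
    at or after the end of the last kept span, so the longest match wins."""
    kept, covered = [], 0
    for off, size, form, valu in sorted(matches, key=lambda m: (m[0], -m[1])):
        if off >= covered:
            kept.append((off, size, form, valu))
            covered = off + size
    return kept

def remainder_tokens(text, kept):
    """Return whitespace-delimited tokens that touch no kept span.
    A token that only partially overlaps a span is dropped whole, so no
    fragment of an indicator (or stray punctuation) reaches hint search."""
    toks = []
    for m in re.finditer(r"\S+", text):
        if all(m.end() <= off or m.start() >= off + size
               for off, size, _, _ in kept):
            toks.append(m.group())
    return toks

def lookup_plan(text):
    """Return (scraped (form, value) pairs, tokens left for hint search)."""
    kept = deoverlap(scrape(text))
    return [(form, valu) for _, _, form, valu in kept], remainder_tokens(text, kept)

# Constructed input: the email span beats the fqdn nested inside it, and the
# token "admin@evil.example.com," is excluded whole rather than leaving ",".
SAMPLE = "vertex admin@evil.example.com, 10.0.0.5 acme"
```

Character-level removal of the kept spans from `SAMPLE` would leave a bare `,` as a token; filtering on whitespace-token boundaries is what keeps that fragment out of the prefix-match path.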
## Summary

- Define named poly types (`risk:threat:id`, `entity:campaign:id`, `risk:tool:software:id`, `meta:technique:id`, `risk:mitigation:id`, `plan:phase:id`) that include the corresponding MITRE ATT&CK ID form with `base:id` fallback
- Override `:id` and `:ids` properties on `risk:threat`, `entity:campaign`, `risk:tool:software`, `meta:technique`, `risk:mitigation`, and `plan:phase` to use the new poly types
- Add tests in `test_model_infotech.py` verifying MITRE IDs resolve to the correct forms

## Test plan

- [x] Existing tests pass unchanged (`test_model_risk`, `test_model_entity`, `test_model_planning`)
- [x] New `test_infotech_mitre` assertions verify each MITRE ID form resolves correctly on its target form's `:id` property

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: vEpiphyte <epiphyte@vertex.link>
Co-authored-by: Cisphyx <cisphyx@vertex.link>
## Summary

- `$lib.tags.prefix` now treats a `(null)` `names` argument as a no-op and returns an empty list, matching the convention used by `$list.extend()` (`toiter(..., noneok=True)`).
- Updated the `_storm_locals` arg description to document the null behavior; autodoc picks this up.
- Added a null-input assertion next to the existing `$lib.tags.prefix` tests.

## Test plan

- [x] `python -m pytest -n auto synapse/tests/test_lib_stormtypes.py::StormTypesTest::test_storm_lib_base`

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Used by search. Also a small countByPref bugfix.
No description provided.