[Bug] Custom Field Order ignored

[s-knauer]

The Sequence of the Custom Fields is ignored when using TheHive4py to create new alerts.

Request Type

Bug

Work Environment

Question	Answer
OS version (server)	Debian 10
OS version (client)	Debian 10
TheHive version	4
Package Type	DEB
Browser type & version	Firefox 68

Problem Description

The sequence of custom fields is still not preserved in alert and case creation for TH4.

I set the order in the case template and checked the (equivalent) order being in the CustomFieldhelper.fields dictionary when using thehive4py for uploading a new alert (which should be imported as a case via the case template.)

The dictionary shows: {'fieldname' : {'order': 0, 'string': 'ABCD'}, 'fieldname2': {'order': 1, 'string': 'EFGH'} .... }.
The template also states the correct sorting for Custom Fields: Fieldname, then fieldname2 and so on.
But the display in the webinterface is randomised. In the alert as well as in the case.

When i create an empty case via the webinterface, the fields have the right order. But when using real data for creating an alert, the ordering is ignored.

Steps to Reproduce

1. Create a Casetemplate "CT1" with CustomFields "A" and "B" in the Order A before B
2. Create an Alert via TH4Py using the CustomFieldHelper to create Custom Fields A and B in that order:

alert = Alert(title="title", tpl=2, tags="[tag"], description="description", type="type", source="source", sourceRef=str(uuid.uuid4())[0:6], artifacts=[list of predefined artifacts], caseTemplate= "CT1", customFields=CustomFieldHelper().add_string(name='A', value='xyz').add_string(name='B', value='zyx').build())

response = TheHiveAPI(url, apikey).create_alert(alert)

You can check the resulting dictionary before uploading showing: {'A':{ 'order':0, 'string':'xyz'}, 'B':{'order':1, 'string':'zyx'}}

3. Look at the alert in the webinterface. Now sometimes Field A comes before B and sometimes it does not.

4. Making a Case from that alert using the template does not fix the error. The sequence from the alert is preserved.

5. When creating an empty case via the webinterface, A always comes before B.

Complementary information

I already read some similar complaints from people using curl instead of th4py and the hints given by the deps, that naming custom fields during creation overwrites the fields preconfigured via the template. This maybe explaines why the ordering works when creating an empty case. But the ordering (which is clearly seen in the dictionary during upload) seemes to be discarded at some point.

Thanks for your attention and great work!

[nadouani]

Reopening the issue because I can still see the issue:

• Patching a case with a body like {"customFields.csirts":{"integer":null,"order":1}} returns a case where customFields attribute has all the order fields set to null
• Getting the case object, returns customFields attribute with order:0

I don't know if the issue is related to saving the order correctly or getting is correctly.

[nadouani]

To reproduce:

• open a new case or and existing one
• add custom fields to it (the front end computes the order based on the number of the existing custom fields in the case: max(order)+1 )
• refresh the page
• check the order of custom fields