-
Notifications
You must be signed in to change notification settings - Fork 136
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improve and fix enum declarations #1111
Conversation
fb1bc86
to
61790a2
Compare
I wasn't sure what to do with |
61790a2
to
e36a0a6
Compare
I talked over
|
e36a0a6
to
258b050
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgfm
3060d29
to
da94142
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Those changes make sense for current version of enum. We will need to consider introducing different types of enums in our dictionary as a data types in next release. An issue will be opened to start discussion.
I have a minor suggestion: for the enums with only the nominal values (0/99 or 99) we should include the 'See specific usage` phrase in the descriptions, which the compiler will enforce to make sure a class or object defines the specific values. This usually is done for more generic attributes that can be overridden per class, but for specific attribute names, even though they are targeted for a single usage, the actual values must be defined in the class or object if they aren't defined in the dictionary. |
da94142
to
168cc51
Compare
Adding in the "See specific usage" phrase cracked open a new can of worms.
Some of these warnings existed previously and have nothing to do with this PR (
I started down this path and I suspect some of them will need conversation / debate. I suggest that we hold off on the "See specific usage" change, and I'll start an additional PR to address those issues. |
`classification_ids` now declared in dictionary with default "0" and "99" values and descriptions "0" and "99" already existed without description through override in its only use (objects/malware.json) `data_lifecycle_state_id` mistakenly had the "Other" description applied to "0"/"Unknown" A "99"/"Other" value was missing `flag_ids` now declared in dictionary with default "0" and "99" values and descriptions "0" and "99" already existed without description through override in its only use (objects/dns_answer.json) `integrity` mistakenly referenced the `direction_id` enum in its description `integrity_id` now declared in dictionary with default "0" and "99" values and descriptions "0" and "99" already existed without description through override in its only use (objects/process.json) `load_type_id` now declared in dictionary with default "0" and "99" values and decsriptions "0" and "99" already existed without description through override in its only use (objects/module.json) `opcode_id` now points to RFC5395 to explain why "0" does not correspond to "Unknown" A "99"/"Unmapped" value is added to match other RFC based enums `protocol_ver_id` now declared in dictionary with default "0" and "99" values and descriptions "0" and "99" already existed without description through override in its only use (objects/network_connection_info.json) `run_state_id` now declared in dictionary with default "0" and "99" values and descriptions "0" and "99" already existed without description through override in its only use (objects/job.json) `risk_level` description is fixed to reflect the absence of "99"/"Other" in `risk_level_id`. `risk_level_id` does not have a "99" in any of its usages and "0" does not correspond to "Unknown". Therefore the situation did not justify adding "99"/"Other" Analytic `type_id` mistakenly had "4"/"Learning (ML/DL)" removed in 1.2.0 with commit b44120e This was a breaking change as "4" is now absent. A description of this analytic type is added to match the other enum entries. Signed-off-by: Mitchell Wasson <[email protected]>
168cc51
to
6f91dea
Compare
…ee specific usage' in the description (#1146) This change was a suggestion from @pagbabian-splunk in #1111 After this PR, all enums that are defined in `dictionary.json` with only the nominal values (0/99 or 99) also have 'See specific usage' in the description. The effect is that a warning will be generated by the OCSF server if these attributes are used without overriding the description. The process for these changes was: - Decide if the attribute name is general enough to have other uses or not. - If the name is general enough, the definition in `dictionary.json` only has 0/99 and 'See specific usage' is in description. The use of the enum has the additional enum values and a description override. - If the name is very specific, then the whole enum definition is now in `dictionary.json` and the use of it only specifies optionality. Signed-off-by: Mitchell Wasson <[email protected]> Co-authored-by: Rajas <[email protected]>
Changes were tested on a local OCSF server and are error free.
Description of changes:
classification_ids
now declared in dictionary with default "0" and "99" values and descriptions"0" and "99" already existed without description through override in its only use (objects/malware.json)
data_lifecycle_state_id
mistakenly had the "Other" description applied to "0"/"Unknown"A "99"/"Other" value was missing
flag_ids
now declared in dictionary with default "0" and "99" values and descriptions"0" and "99" already existed without description through override in its only use (objects/dns_answer.json)
integrity
mistakenly referenced thedirection_id
enum in its descriptionintegrity_id
now declared in dictionary with default "0" and "99" values and descriptions"0" and "99" already existed without description through override in its only use (objects/process.json)
load_type_id
now declared in dictionary with default "0" and "99" values and decsriptions"0" and "99" already existed without description through override in its only use (objects/module.json)
opcode_id
now points to RFC5395 to explain why "0" does not correspond to "Unknown"A "99"/"Unmapped" value is added to match other RFC based enums
protocol_ver_id
now declared in dictionary with default "0" and "99" values and descriptions"0" and "99" already existed without description through override in its only use (objects/network_connection_info.json)
run_state_id
now declared in dictionary with default "0" and "99" values and descriptions"0" and "99" already existed without description through override in its only use (objects/job.json)