x-pack/filebeat/module/threatintel/misp: null guard file/hash indication operations

[efd6]

What does this PR do?

It is possible for an empty Event.Attribute list to be passed in. In this case the File/Hash indicator processing will attempt to examine null type fields in attribute. This guards against that.

Why is it important?

This partially addresses a user issue (#26008), preventing an error in cases where an event's attribute is empty.

Note that it does not address the broader problem in that issue where object attributes are dropped.

Checklist

• My code follows the style guidelines of this project
  - [ ] I have commented my code, particularly in hard-to-understand areas
  - [ ] I have made corresponding changes to the documentation
  - [ ] I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

No specific recommendations.

How to test this PR locally

Standard testing.

Related issues

• Relates Threat Intel Module | Support for MISP attributes #26008

Use cases

See related issue.

Screenshots

N/A

Logs

N/A

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[elasticmachine]

💔 Tests Failed

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2021-09-10T03:47:05.699+0000

• Duration: 129 min 7 sec

• Commit: 2f0ef8c

Test stats 🧪

Test	Results
Failed	1
Passed	3278
Skipped	301
Total	3580

Trends 🧪

Test errors

Expand to view the tests failures

Build&Test / x-pack/filebeat-pythonIntegTest / test_fileset_file_022_threatintel – x-pack.filebeat.tests.system.test_xpack_modules.XPackTest

Expand to view the error details

 AssertionError: The following expected object doesn't match:
   Diff:
  {'values_changed': {"root['@timestamp']": {'new_value': '2021-09-10T05:22:50.778Z', 'old_value': '2021-09-10T02:45:40.112Z'}}}, full object: 
  {'log.offset': 39817, 'fileset.name': 'misp', 'threatintel.indicator.provider': 'misp', 'threatintel.indicator.type': 'unknown', 'tags': ['threatintel-misp', 'forwarded'], 'input.type': 'log', '@timestamp': '2021-09-10T05:22:50.778Z', 'service.type': 'threatintel', 'event.kind': 'enrichment', 'event.module': 'threatintel', 'event.category': 'threat', 'event.type': 'indicator', 'event.dataset': 'threatintel.misp'}
assert 1 == 0
 +  where 1 = len({'values_changed': {"root['@timestamp']": {'new_value': '2021-09-10T05:22:50.778Z', 'old_value': '2021-09-10T02:45:40.112Z'}}}) 

Expand to view the stacktrace

 a = (<test_xpack_modules.XPackTest testMethod=test_fileset_file_022_threatintel>,)

    @wraps(func)
    def standalone_func(*a):
>       return func(*(a + p.args), **p.kwargs)

../../build/ve/docker/lib/python3.7/site-packages/parameterized/parameterized.py:518: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
../../filebeat/tests/system/test_modules.py:99: in test_fileset_file
    cfgfile=cfgfile)
../../filebeat/tests/system/test_modules.py:185: in run_on_file
    self._test_expected_events(test_file, objects)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <test_xpack_modules.XPackTest testMethod=test_fileset_file_022_threatintel>
test_file = '/go/src/github.com/elastic/beats/x-pack/filebeat/module/threatintel/misp/test/misp_sample.ndjson.log'
objects = [{'@timestamp': '2017-08-28T14:24:36.000Z', 'agent': {'ephemeral_id': '712f1f12-c998-48f4-ad5b-1ed2a59b8976', 'id': '0...t', 'dataset': 'threatintel.misp', 'ingested': '2021-09-10T05:22:52.373477380Z', 'kind': 'enrichment', ...}, ...}, ...]

    def _test_expected_events(self, test_file, objects):
    
        # Generate expected files if GENERATE env variable is set
        if os.getenv("GENERATE"):
            with open(test_file + "-expected.json", 'w') as f:
                # Flatten an cleanup objects
                # This makes sure when generated on different machines / version the expected.json stays the same.
                for k, obj in enumerate(objects):
                    objects[k] = self.flatten_object(obj, {}, "")
                    clean_keys(objects[k])
                    for key in objects[k].keys():
                        if isinstance(objects[k][key], list):
                            objects[k][key].sort(key=str)
    
                json.dump(objects, f, indent=4, separators=(',', ': '), sort_keys=True)
    
        with open(test_file + "-expected.json", "r") as f:
            expected = json.load(f)
    
        assert len(expected) == len(objects), "expected {} events to compare but got {}".format(
            len(expected), len(objects))
    
        # Do not perform a comparison between the resulting and expected documents
        # if the TESTING_FILEBEAT_SKIP_DIFF flag is set.
        #
        # This allows to run a basic check with older versions of ES that can lead
        # to slightly different documents without maintaining multiple sets of
        # golden files.
        if os.getenv("TESTING_FILEBEAT_SKIP_DIFF"):
            return
    
        for idx in range(len(expected)):
            ev = expected[idx]
            obj = objects[idx]
    
            # Flatten objects for easier comparing
            obj = self.flatten_object(obj, {}, "")
            clean_keys(obj)
            clean_keys(ev)
    
            d = DeepDiff(ev, obj, ignore_order=True)
    
>           assert len(d) == 0, "The following expected object doesn't match:\n Diff:\n{}, full object: \n{}".format(d, obj)
E           AssertionError: The following expected object doesn't match:
E              Diff:
E             {'values_changed': {"root['@timestamp']": {'new_value': '2021-09-10T05:22:50.778Z', 'old_value': '2021-09-10T02:45:40.112Z'}}}, full object: 
E             {'log.offset': 39817, 'fileset.name': 'misp', 'threatintel.indicator.provider': 'misp', 'threatintel.indicator.type': 'unknown', 'tags': ['threatintel-misp', 'forwarded'], 'input.type': 'log', '@timestamp': '2021-09-10T05:22:50.778Z', 'service.type': 'threatintel', 'event.kind': 'enrichment', 'event.module': 'threatintel', 'event.category': 'threat', 'event.type': 'indicator', 'event.dataset': 'threatintel.misp'}
E           assert 1 == 0
E            +  where 1 = len({'values_changed': {"root['@timestamp']": {'new_value': '2021-09-10T05:22:50.778Z', 'old_value': '2021-09-10T02:45:40.112Z'}}})

../../filebeat/tests/system/test_modules.py:229: AssertionError 

Steps errors

Expand to view the steps failures

x-pack/filebeat-pythonIntegTest - mage pythonIntegTest

• Took 37 min 54 sec . View more details on here
• Description: mage pythonIntegTest

x-pack/filebeat-pythonIntegTest - mage pythonIntegTest

• Took 35 min 43 sec . View more details on here
• Description: mage pythonIntegTest

x-pack/filebeat-pythonIntegTest - mage pythonIntegTest

• Took 34 min 10 sec . View more details on here
• Description: mage pythonIntegTest

List files to upload

• Took 0 min 0 sec . View more details on here
• Description: ls -l src/github.com/elastic/beats/build/system-tests-*.tar.gz

Error signal

• Took 0 min 0 sec . View more details on here
• Description: Error 'hudson.AbortException: script returned exit code 1'

Log output

Expand to view the last 100 lines of log output

[2021-09-10T05:53:22.157Z] ============================= slowest 20 durations =============================
[2021-09-10T05:53:22.157Z] 37.45s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_257_checkpoint
[2021-09-10T05:53:22.157Z] 26.65s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_000_rabbitmq
[2021-09-10T05:53:22.157Z] 18.48s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_356_o365
[2021-09-10T05:53:22.157Z] 16.86s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_188_snort
[2021-09-10T05:53:22.157Z] 16.15s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_350_o365
[2021-09-10T05:53:22.157Z] 14.59s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_024_threatintel
[2021-09-10T05:53:22.157Z] 11.06s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_215_panw
[2021-09-10T05:53:22.157Z] 10.90s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_217_panw
[2021-09-10T05:53:22.157Z] 10.89s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_212_panw
[2021-09-10T05:53:22.157Z] 10.89s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_023_threatintel
[2021-09-10T05:53:22.157Z] 10.80s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_216_panw
[2021-09-10T05:53:22.157Z] 10.55s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_175_cisco
[2021-09-10T05:53:22.157Z] 10.52s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_183_cisco
[2021-09-10T05:53:22.157Z] 10.35s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_404_ibmmq
[2021-09-10T05:53:22.157Z] 10.28s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_159_cisco
[2021-09-10T05:53:22.157Z] 9.82s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_030_threatintel
[2021-09-10T05:53:22.157Z] 9.81s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_405_ibmmq
[2021-09-10T05:53:22.157Z] 9.73s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_197_oracle
[2021-09-10T05:53:22.157Z] 9.60s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_248_juniper
[2021-09-10T05:53:22.157Z] 9.55s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_138_fortinet
[2021-09-10T05:53:22.157Z] =========================== short test summary info ============================
[2021-09-10T05:53:22.157Z] FAILED tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_022_threatintel
[2021-09-10T05:53:22.157Z] ================== 1 failed, 429 passed in 2000.99s (0:33:20) ==================
[2021-09-10T05:53:22.157Z] >> python test: Integration Testing Complete
[2021-09-10T05:53:22.421Z] Error: running "/go/src/github.com/elastic/beats/build/ve/docker/bin/pytest --timeout=90 --durations=20 --junit-xml=build/TEST-python-integration.xml tests/system/test_filebeat_xpack.py tests/system/test_http_endpoint.py tests/system/test_xpack_modules.py" failed with exit code 1
[2021-09-10T05:53:25.736Z] Error: running "docker-compose -p filebeat_8_0_0_2f0ef8cf24-snapshot run -e DOCKER_COMPOSE_PROJECT_NAME=filebeat_8_0_0_2f0ef8cf24-snapshot -e BEAT_STRICT_PERMS=false -e STACK_ENVIRONMENT=snapshot -e TESTING_ENVIRONMENT=snapshot -e GOCACHE=/go/src/github.com/elastic/beats/build/docker-gocache -v /var/lib/jenkins/workspace/PR-27854-2-cae8e9bc-a786-4bfd-85fe-9ef632aa423c/pkg/mod/cache/download:/gocache:ro -e GOPROXY=file:///gocache,direct -e EXEC_UID=1171 -e EXEC_GID=1172 -e BEATS_INSIDE_INTEGRATION_TEST_ENV=true -e GOFLAGS=-mod=readonly -e TEST_COVERAGE=true -e RACE_DETECTOR=true -e TEST_TAGS=null,oracle beat /go/src/github.com/elastic/beats/x-pack/filebeat/build/mage-linux-amd64 pythonIntegTest" failed with exit code 1
[2021-09-10T05:53:25.845Z] Timeout set to expire in 5 min 0 sec
[2021-09-10T05:53:26.147Z] Cleaning up /var/lib/jenkins/workspace/PR-27854-2-cae8e9bc-a786-4bfd-85fe-9ef632aa423c
[2021-09-10T05:53:26.147Z] Change ownership of all files inside the specific folder from root/root to current user/group
[2021-09-10T05:53:26.147Z] ++ id -u
[2021-09-10T05:53:26.147Z] ++ id -g
[2021-09-10T05:53:26.147Z] + docker run -v /var/lib/jenkins/workspace/PR-27854-2-cae8e9bc-a786-4bfd-85fe-9ef632aa423c:/beat alpine:3.4 sh -c 'find /beat -user 0 -exec chown -h 1171:1172 {} \;'
[2021-09-10T05:53:26.147Z] Unable to find image 'alpine:3.4' locally
[2021-09-10T05:53:26.724Z] 3.4: Pulling from library/alpine
[2021-09-10T05:53:29.285Z] c1e54eec4b57: Pulling fs layer
[2021-09-10T05:53:29.285Z] c1e54eec4b57: Download complete
[2021-09-10T05:53:29.285Z] c1e54eec4b57: Pull complete
[2021-09-10T05:53:29.285Z] Digest: sha256:b733d4a32c4da6a00a84df2ca32791bb03df95400243648d8c539e7b4cce329c
[2021-09-10T05:53:29.285Z] Status: Downloaded newer image for alpine:3.4
[2021-09-10T05:53:31.208Z] + set -e
[2021-09-10T05:53:31.208Z] + echo 'Change permissions with write access of all files inside the specific folder'
[2021-09-10T05:53:31.208Z] Change permissions with write access of all files inside the specific folder
[2021-09-10T05:53:31.208Z] + chmod -R +w /var/lib/jenkins/workspace/PR-27854-2-cae8e9bc-a786-4bfd-85fe-9ef632aa423c
[2021-09-10T05:53:32.191Z] Running in /var/lib/jenkins/workspace/PR-27854-2-cae8e9bc-a786-4bfd-85fe-9ef632aa423c/src/github.com/elastic/beats/build
[2021-09-10T05:53:32.493Z] + rm -rf ve
[2021-09-10T05:53:32.493Z] + find . -type d -name vendor -exec rm -r {} ;
[2021-09-10T05:53:32.818Z] + python .ci/scripts/pre_archive_test.py
[2021-09-10T05:53:35.380Z] Copy ./x-pack/filebeat/build into build/x-pack/filebeat/build
[2021-09-10T05:53:35.397Z] Running in /var/lib/jenkins/workspace/PR-27854-2-cae8e9bc-a786-4bfd-85fe-9ef632aa423c/src/github.com/elastic/beats/build
[2021-09-10T05:53:35.423Z] Recording test results
[2021-09-10T05:53:37.193Z] [Checks API] No suitable checks publisher found.
[2021-09-10T05:53:37.534Z] + tar --version
[2021-09-10T05:53:37.875Z] + tar --exclude=test-build-artifacts-x-pack-filebeat-pythonIntegTest-tgz -czf test-build-artifacts-x-pack-filebeat-pythonIntegTest-tgz .
[2021-09-10T05:54:46.062Z] + gsutil --version
[2021-09-10T05:54:50.334Z] Masking supported pattern matches of $FILE_CREDENTIAL
[2021-09-10T05:54:50.851Z] + gcloud auth activate-service-account --key-file ****
[2021-09-10T05:54:51.802Z] Activated service account credentials for: [[email protected]]
[2021-09-10T05:54:52.392Z] + gsutil -m -q cp -a public-read test-build-artifacts-x-pack-filebeat-pythonIntegTest-tgz gs://beats-ci-temp/Beats/beats/PR-27854-2
[2021-09-10T05:54:58.186Z] + gvm 1.16.6
[2021-09-10T05:54:58.186Z] export GOROOT="/var/lib/jenkins/workspace/PR-27854-2-cae8e9bc-a786-4bfd-85fe-9ef632aa423c/.gvm/versions/go1.16.6.linux.amd64"
[2021-09-10T05:54:58.186Z] export PATH="/var/lib/jenkins/workspace/PR-27854-2-cae8e9bc-a786-4bfd-85fe-9ef632aa423c/.gvm/versions/go1.16.6.linux.amd64/bin:$PATH"
[2021-09-10T05:54:58.541Z] + go get -u github.com/magefile/mage
[2021-09-10T05:54:59.153Z] + go get -u github.com/elastic/go-licenser
[2021-09-10T05:54:59.759Z] + go get -u golang.org/x/tools/cmd/goimports
[2021-09-10T05:55:01.699Z] go get: upgraded golang.org/x/tools v0.1.1 => v0.1.5
[2021-09-10T05:55:02.043Z] + go get -u github.com/jstemmer/go-junit-report
[2021-09-10T05:55:02.377Z] Running in /var/lib/jenkins/workspace/PR-27854-2-cae8e9bc-a786-4bfd-85fe-9ef632aa423c/src/github.com/elastic/beats/x-pack/filebeat
[2021-09-10T05:55:02.685Z] + mage packageSystemTests
[2021-09-10T05:55:12.736Z] >> creating TAR file from directory: build/system-tests/run, target: /var/lib/jenkins/workspace/PR-27854-2-cae8e9bc-a786-4bfd-85fe-9ef632aa423c/src/github.com/elastic/beats/build/system-tests-x-pack-filebeat.tar.gz
[2021-09-10T05:55:59.614Z] Running in /var/lib/jenkins/workspace/PR-27854-2-cae8e9bc-a786-4bfd-85fe-9ef632aa423c/src/github.com/elastic/beats/src/github.com/elastic/beats
[2021-09-10T05:55:59.936Z] + ls -l src/github.com/elastic/beats/build/system-tests-*.tar.gz
[2021-09-10T05:55:59.936Z] ls: cannot access 'src/github.com/elastic/beats/build/system-tests-*.tar.gz': No such file or directory
[2021-09-10T05:55:59.970Z] ERROR: Failed to archive the build test results
[2021-09-10T05:55:59.970Z] ERROR: script returned exit code 2
[2021-09-10T05:56:00.321Z] + go clean -modcache
[2021-09-10T05:56:03.695Z] Timeout set to expire in 5 min 0 sec
[2021-09-10T05:56:04.006Z] Cleaning up /var/lib/jenkins/workspace/PR-27854-2-cae8e9bc-a786-4bfd-85fe-9ef632aa423c
[2021-09-10T05:56:04.006Z] Change ownership of all files inside the specific folder from root/root to current user/group
[2021-09-10T05:56:04.006Z] ++ id -u
[2021-09-10T05:56:04.006Z] ++ id -g
[2021-09-10T05:56:04.006Z] + docker run -v /var/lib/jenkins/workspace/PR-27854-2-cae8e9bc-a786-4bfd-85fe-9ef632aa423c:/beat alpine:3.4 sh -c 'find /beat -user 0 -exec chown -h 1171:1172 {} \;'
[2021-09-10T05:56:04.967Z] + set -e
[2021-09-10T05:56:04.967Z] + echo 'Change permissions with write access of all files inside the specific folder'
[2021-09-10T05:56:04.967Z] Change permissions with write access of all files inside the specific folder
[2021-09-10T05:56:04.967Z] + chmod -R +w /var/lib/jenkins/workspace/PR-27854-2-cae8e9bc-a786-4bfd-85fe-9ef632aa423c
[2021-09-10T05:56:05.605Z] Running in /var/lib/jenkins/workspace/PR-27854-2-cae8e9bc-a786-4bfd-85fe-9ef632aa423c
[2021-09-10T05:56:10.969Z] Failed in branch x-pack/filebeat-pythonIntegTest
[2021-09-10T05:56:11.033Z] Stage "Extended" skipped due to earlier failure(s)
[2021-09-10T05:56:11.070Z] Stage "Packaging" skipped due to earlier failure(s)
[2021-09-10T05:56:11.102Z] Stage "Packaging-Pipeline" skipped due to earlier failure(s)
[2021-09-10T05:56:11.155Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-27854/src/github.com/elastic/beats
[2021-09-10T05:56:12.195Z] Running on worker-395930 in /var/lib/jenkins/workspace/Beats_beats_PR-27854
[2021-09-10T05:56:12.240Z] [INFO] getVaultSecret: Getting secrets
[2021-09-10T05:56:12.277Z] Masking supported pattern matches of $VAULT_ADDR or $VAULT_ROLE_ID or $VAULT_SECRET_ID
[2021-09-10T05:56:14.383Z] + chmod 755 generate-build-data.sh
[2021-09-10T05:56:14.383Z] + ./generate-build-data.sh https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-27854/ https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-27854/runs/2 FAILURE 7747277
[2021-09-10T05:56:14.383Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-27854/runs/2/steps/?limit=10000 -o steps-info.json
[2021-09-10T05:56:15.844Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-27854/runs/2/tests/?status=FAILED -o tests-errors.json
[2021-09-10T05:56:16.548Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-27854/runs/2/log/ -o pipeline-log.txt

🐛 Flaky test report

❕ There are test failures but not known flaky tests.

Expand to view the summary

Test stats 🧪

Test	Results
Failed	1
Passed	3278
Skipped	301
Total	3580

Genuine test errors

💔 There are test failures but not known flaky tests, most likely a genuine test failure.

• Name: Build&Test / x-pack/filebeat-pythonIntegTest / test_fileset_file_022_threatintel – x-pack.filebeat.tests.system.test_xpack_modules.XPackTest

[mergify]

This pull request does not have a backport label. Could you fix it @efd6? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-v./d./d./d is the label to automatically backport to the 7./d branch. /d is the digit

NOTE: backport-skip has been added to this pull request.

[efd6]

Abandoned in favour of #28124.