Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

STIX Patterning language needs intra-list matching capability #66

Open
treyka opened this issue Feb 14, 2018 · 6 comments
Open

STIX Patterning language needs intra-list matching capability #66

treyka opened this issue Feb 14, 2018 · 6 comments
Labels
STIX: Patterning Target: STIX-2.2 Type: Bug

Comments

@treyka
Copy link

treyka commented Feb 14, 2018

No description provided.

@ikiril01
Copy link

This is definitely something that we need to fix, as users are encountering this issue. Here's the draft text we've proposed:

"The literal 's' indicates that, when evaluating two or more AND'd Comparison Expressions that contain a list-based object path, that the Boolean expression MUST evaluate to true if there is an s that allows the AND'd Comparison Expressions to be true, otherwise false"

@gtback
Copy link

gtback commented Apr 26, 2018

I'm okay with this change, even though it does make code to evaluate patterns more complex (despite the relatively minor change to the grammar).

I don't think this should be considered a "bug" that needs to be "fixed", though. It's additional functionality, and was a known limitation at the time the current list-item-matching construct was added.

@ikiril01
Copy link

I think this was something we overlooked when adding the existing list-item-matching construct. So maybe not quite a bug, but it's something that should have been in there ;)

@treyka
Copy link
Author

treyka commented Apr 30, 2018

@samcornwell points out this related CAR proposal

@jmgnc
Copy link

jmgnc commented May 8, 2018

We could possibly solve the multi vars by restricting it to parenthesized expressions:
([s] != 'a' and [s] = 'b') AND ([s] = 'c' and [s] = 'd')

Sam brought up the case of wanting to do an or for one part of it, such as:
([s] = 'a' or [s] = 'b') and [s] = c

This may be valid per the existing text, as ([s] = 'a' or [s] = 'b') is a comparison expression, and so therefor should work.

@jordan2175 jordan2175 added this to the 2.1-csd02-wd05 milestone May 23, 2019
@jordan2175
Copy link

We talked about this 2019-06-05 and Jason says this is super important and that he will propose some text in the document.

@jordan2175 jordan2175 modified the milestones: 2.1-csd02-wd05, unknown Jul 8, 2019
@jordan2175 jordan2175 removed this from the unknown milestone Feb 13, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
STIX: Patterning Target: STIX-2.2 Type: Bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@johnwunder @treyka @gtback @ikiril01 @jordan2175 @jmgnc @srrelitz2