Merge branch 'main' into fix/stix2-hash-key-normalization

Fix STIX2 hash key parsing to accept spec-compliant algorithm names
The STIX2 specification requires single quotes around hash algorithm names that contain hyphens (e.g. file:hashes.'SHA-256'). MVT only accepted a non-standard lowercase form (file:hashes.sha256), silently dropping any indicators using the spec-correct spelling. Normalize hash algorithm keys in _process_indicator by stripping quotes and hyphens from the algorithm portion before matching, so all of the following are accepted for SHA-256, SHA-1 and MD5: file:hashes.'SHA-256' (STIX2 spec) file:hashes.SHA-256 file:hashes.SHA256 file:hashes.sha256 (previously the only accepted form) The same normalization is applied to app:cert.* keys. Update generate_stix.py to use the spec-compliant quoted forms, and add test_parse_stix2_hash_key_variants to cover all spelling variants.
2026-04-08 21:12:25 +02:00 · 2026-04-07 20:40:01 +02:00 · 2026-04-07 20:38:37 +02:00 · 2026-04-07 14:07:19 +02:00
3 changed files with 15 additions and 29 deletions
--- a/.github/workflows/add-issue-to-project.yml
+++ b/.github/workflows/add-issue-to-project.yml
@@ -11,7 +11,7 @@ jobs:
    name: Add issue to project
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/add-to-project@v0.5.0
+      - uses: actions/add-to-project@v1
        with:
          # You can target a project in a different organization
          # to the issue
--- a/src/mvt/ios/modules/mixed/sms.py
+++ b/src/mvt/ios/modules/mixed/sms.py
@@ -123,11 +123,6 @@ class SMS(IOSExtraction):
                """
                )
                items = list(cur)
-            elif "no such table" in str(exc):
-                self.log.info(
-                    "No SMS tables found in the database, skipping: %s", exc
-                )
-                return
            else:
                raise exc
        names = [description[0] for description in cur.description]
--- a/src/mvt/ios/modules/mixed/sms_attachments.py
+++ b/src/mvt/ios/modules/mixed/sms_attachments.py
@@ -4,7 +4,6 @@
 #   https://license.mvt.re/1.1/

 import logging
-import sqlite3
 from base64 import b64encode
 from typing import Optional, Union

@@ -80,29 +79,21 @@ class SMSAttachments(IOSExtraction):

        conn = self._open_sqlite_db(self.file_path)
        cur = conn.cursor()
-        try:
-            cur.execute(
-                """
-                SELECT
-                    attachment.ROWID as "attachment_id",
-                    attachment.*,
-                    message.service as "service",
-                    handle.id as "phone_number"
-                FROM attachment
-                LEFT JOIN message_attachment_join ON
-                    message_attachment_join.attachment_id = attachment.ROWID
-                LEFT JOIN message ON
-                    message.ROWID = message_attachment_join.message_id
-                LEFT JOIN handle ON handle.ROWID = message.handle_id;
+        cur.execute(
            """
-            )
-        except sqlite3.OperationalError as exc:
-            self.log.info(
-                "No SMS attachment tables found in the database, skipping: %s", exc
-            )
-            cur.close()
-            conn.close()
-            return
+            SELECT
+                attachment.ROWID as "attachment_id",
+                attachment.*,
+                message.service as "service",
+                handle.id as "phone_number"
+            FROM attachment
+            LEFT JOIN message_attachment_join ON
+                message_attachment_join.attachment_id = attachment.ROWID
+            LEFT JOIN message ON
+                message.ROWID = message_attachment_join.message_id
+            LEFT JOIN handle ON handle.ROWID = message.handle_id;
+        """
+        )
        names = [description[0] for description in cur.description]

        for item in cur: