
Commit 0ba47db

authored
Merge pull request #518 from MISP/codex/propose-misp-module-updates-for-malicious-packages
Add malicious-package-report MISP object template for OSV (OpenSSF malicious-packages)
2 parents 97b057d + b6008d2 commit 0ba47db

1 file changed

Lines changed: 103 additions & 0 deletions


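--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,103 @@
+{
+"attributes": {
+"affected-range": {
+"description": "Affected version range expression from affected[].ranges.",
+"disable_correlation": true,
+"misp-attribute": "text",
+"multiple": true,
+"ui-priority": 7
+},
+"affected-version": {
+"description": "Known malicious or impacted package version from affected[].versions.",
+"misp-attribute": "text",
+"multiple": true,
+"ui-priority": 8
+},
+"analysis": {
+"description": "Behavioral details explaining why the package is malicious (payload, trigger, campaign, impact).",
+"disable_correlation": true,
+"misp-attribute": "text",
+"ui-priority": 7
+},
+"ecosystem": {
+"description": "Package ecosystem from OSV package.ecosystem (e.g. npm, PyPI, Maven, Go).",
+"disable_correlation": true,
+"misp-attribute": "text",
+"ui-priority": 10
+},
+"ioc-domain": {
+"description": "Domain IoC extracted from database_specific.iocs.domains.",
+"misp-attribute": "domain",
+"multiple": true,
+"ui-priority": 9
+},
+"ioc-ip": {
+"description": "IP IoC extracted from database_specific.iocs.ips.",
+"misp-attribute": "ip-dst",
+"multiple": true,
+"ui-priority": 9
+},
+"ioc-url": {
+"description": "URL IoC extracted from database_specific.iocs.urls.",
+"misp-attribute": "url",
+"multiple": true,
+"ui-priority": 9
+},
+"origin-sha256": {
+"description": "SHA-256 digest representing original source report content.",
+"misp-attribute": "sha256",
+"multiple": true,
+"ui-priority": 3
+},
+"origin-source": {
+"description": "Data source identifier from database_specific.malicious-packages-origins[].source.",
+"disable_correlation": true,
+"misp-attribute": "text",
+"multiple": true,
+"ui-priority": 4
+},
+"package-name": {
+"description": "Name of the affected package from OSV package.name.",
+"misp-attribute": "text",
+"ui-priority": 10
+},
+"reference": {
+"description": "Reference URL to advisories, source reports, or related analysis.",
+"disable_correlation": true,
+"misp-attribute": "link",
+"multiple": true,
+"ui-priority": 6
+},
+"report-id": {
+"description": "OSV report identifier (e.g. MAL-2025-XXXX).",
+"misp-attribute": "text",
+"ui-priority": 10
+},
+"report-modified": {
+"description": "OSV report modified timestamp.",
+"disable_correlation": true,
+"misp-attribute": "datetime",
+"ui-priority": 5
+},
+"state": {
+"description": "Lifecycle state of the report in the feed.",
+"disable_correlation": true,
+"misp-attribute": "text",
+"sane_default": [
+"active",
+"withdrawn",
+"unknown"
+],
+"ui-priority": 6
+}
+},
+"description": "Object describing a malicious open source package report from an OSV-style feed such as OpenSSF malicious-packages.",
+"meta-category": "misc",
+"name": "malicious-package-report",
+"requiredOneOf": [
+"package-name",
+"report-id"
+],
+"uuid": "2f8a8711-6ef8-4a9d-89de-f547670573cb",
+"version": 1
+}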
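Review bot: `affected-version` is left correlatable while its sibling `affected-range` sets `disable_correlation`, so generic version strings (a constructed example: `1.0.0`) will link unrelated package reports to each other. Adding `"disable_correlation": true,` to the `affected-version` entry would keep correlations meaningful. Separately, `origin-sha256` uses the `sha256` type for a digest of report content rather than of a malicious artifact, and the `ioc-domain`, `ioc-ip` and `ioc-url` entries carry feed-supplied network indicators. None of these entries states an IDS flag, so whether they are exported for detection presumably depends on the attribute-type defaults. If that is not intended, an explicit `"to_ids": false` on `origin-sha256` and a description noting that the `ioc-*` values are unvetted feed data would reduce false-positive matches downstream.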
