fix(cisa-kev): default create_infrastructures to false

The CISA KEV connector creates Vulnerability and Software entities for
each catalog entry. When cisa.create_infrastructures was true (the old
default) it ALSO emitted an Infrastructure SDO with the same name as
the Software SCO.

KEV catalog entries (PHP, Joomla, Laravel, GNU C Library, Apache
Struts, October CMS, etc.) are software products. None of them map to
any value in the STIX 2.1 infrastructure-type-ov vocabulary
(amplification, botnet, command-and-control, firewall,
routers-switches, ...), so the connector silently emitted
Infrastructure objects with an empty infrastructure_types field —
non-compliant STIX that's also duplicated by the Software SCO already
in the bundle.

Flipping the default to false stops fresh deployments from generating
that noise while preserving the legacy opt-in path for existing users
who rely on the behaviour. No code logic changed — just the default.

Also adds the first test suite for this connector (previously zero):
32 tests covering config defaults, env-var overrides, bundle
composition in every flag combination, regression cases for the
real product names that prompted this change, and end-to-end
stix2.Bundle serialisation.

Docs (README, __metadata__/CONNECTOR_CONFIG_DOC.md, connector_config_schema.json)
updated in lock-step with the default.

Author: MrStarkEG

external-import/cisa-known-exploited-vulnerabilities/README.md

@@ -65,7 +65,7 @@ There are a number of configuration options, which are set either in `docker-com
 | Parameter               | config.yml                 | Docker environment variable     | Default                                                                       | Mandatory | Description                                                            |
 |-------------------------|----------------------------|---------------------------------|-------------------------------------------------------------------------------|-----------|------------------------------------------------------------------------|
 | Catalog URL             | cisa.catalog_url           | `CISA_CATALOG_URL`              | https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json | No   | URL of the CISA KEV catalog JSON feed.                                 |
-| Create Infrastructures  | cisa.create_infrastructures| `CISA_CREATE_INFRASTRUCTURES`   | true                                                                          | No        | Create Infrastructure entities for affected products.                  |
+| Create Infrastructures  | cisa.create_infrastructures| `CISA_CREATE_INFRASTRUCTURES`   | false                                                                         | No        | Also create Infrastructure entities for affected products. Disabled by default — KEV entries are software products and do not map to any valid STIX 2.1 `infrastructure-type-ov` value, so enabling this produces Infrastructure objects with an empty `infrastructure_types`. Left opt-in for legacy workflows. |
 | KEV Flag Only           | cisa.kev_flag_only         | `CISA_KEV_FLAG_ONLY`            | false                                                                         | No        | When enabled, the connector only sets the `x_opencti_cisa_kev` flag on Vulnerability objects without modifying any other attribute (description, dates, markings) and without creating additional entities or relationships. See [KEV Flag Only Mode](#kev-flag-only-mode). |
 | TLP                     | cisa.tlp                   | `CISA_TLP`                      | TLP:CLEAR                                                                     | No        | TLP marking for imported data (`TLP:CLEAR`, `TLP:GREEN`, `TLP:AMBER`, `TLP:AMBER+STRICT`, `TLP:RED`). |
 | Interval (deprecated)   | cisa.interval              | `CISA_INTERVAL`                 | 7                                                                             | No        | **[DEPRECATED]** Interval in days between runs. Use `CONNECTOR_DURATION_PERIOD` instead. |
@@ -94,7 +94,7 @@ Configure the connector in `docker-compose.yml`:
       - CONNECTOR_LOG_LEVEL=info
       - CONNECTOR_DURATION_PERIOD=P1D
       - CISA_CATALOG_URL=https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
-      - CISA_CREATE_INFRASTRUCTURES=true
+      - CISA_CREATE_INFRASTRUCTURES=false
       - CISA_KEV_FLAG_ONLY=false
       - CISA_TLP=TLP:CLEAR
     restart: always

external-import/cisa-known-exploited-vulnerabilities/__metadata__/CONNECTOR_CONFIG_DOC.md

@@ -14,7 +14,7 @@ Below is an exhaustive enumeration of all configurable parameters available, eac
 | CONNECTOR_LOG_LEVEL | `string` |  | `debug` `info` `warn` `warning` `error` |  | `"error"` | Determines the verbosity of the logs. |
 | CONNECTOR_DURATION_PERIOD | `string` |  | Format: [`duration`](https://json-schema.org/understanding-json-schema/reference/string#built-in-formats) |  | `"P2D"` | Duration between two scheduled runs of the connector (ISO 8601 format). |
 | CISA_CATALOG_URL | `string` |  | string |  | `"https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"` | The URL that hosts the KEV Catalog https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json. |
-| CISA_CREATE_INFRASTRUCTURES | `boolean` |  | boolean |  | `true` | Allows you to create or not create an infrastructure in OpenCTI. |
+| CISA_CREATE_INFRASTRUCTURES | `boolean` |  | boolean |  | `false` | Also emit a STIX Infrastructure SDO for each affected product, alongside the Software SCO. Disabled by default because CISA KEV entries (e.g. PHP, Joomla, Laravel) are software products and do not map cleanly to any value in the STIX 2.1 infrastructure-type-ov vocabulary; enabling this produces Infrastructure objects with an empty infrastructure_types field. Left opt-in for workflows that depend on the legacy behaviour. |
 | CISA_KEV_FLAG_ONLY | `boolean` |  | boolean |  | `false` | When enabled, the connector only sets the x_opencti_cisa_kev flag on Vulnerability objects without creating additional entities (vendors, software, infrastructures) or relationships. |
 | CISA_TLP | `string` |  | `TLP:WHITE` `TLP:CLEAR` `TLP:GREEN` `TLP:AMBER` `TLP:AMBER+STRICT` `TLP:RED` |  | `"TLP:CLEAR"` | Traffic Light Protocol (TLP) level to apply on objects imported into OpenCTI. Possible values: TLP:CLEAR, TLP:GREEN, TLP:AMBER, TLP:AMBER+STRICT, TLP:RED. |
 | CISA_INTERVAL | `integer` |  | integer | ⛔️ | `7` | [DEPRECATED] Interval in days between two scheduled runs of the connector. |

external-import/cisa-known-exploited-vulnerabilities/__metadata__/connector_config_schema.json

@@ -58,8 +58,8 @@
       "type": "string"
     },
     "CISA_CREATE_INFRASTRUCTURES": {
-      "default": true,
-      "description": "Allows you to create or not create an infrastructure in OpenCTI.",
+      "default": false,
+      "description": "Also emit a STIX Infrastructure SDO for each affected product, alongside the Software SCO. Disabled by default because CISA KEV entries (e.g. PHP, Joomla, Laravel) are software products and do not map cleanly to any value in the STIX 2.1 infrastructure-type-ov vocabulary; enabling this produces Infrastructure objects with an empty infrastructure_types field. Left opt-in for workflows that depend on the legacy behaviour.",
       "type": "boolean"
     },
     "CISA_KEV_FLAG_ONLY": {

external-import/cisa-known-exploited-vulnerabilities/src/models/configs/cisakev_configs.py

@@ -28,8 +28,16 @@ class _ConfigLoaderCISAKEV(ConfigBaseSettings):
         description="The URL that hosts the KEV Catalog https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json.",
     )
     create_infrastructures: bool = Field(
-        default=True,
-        description="Allows you to create or not create an infrastructure in OpenCTI.",
+        default=False,
+        description=(
+            "Also emit a STIX Infrastructure SDO for each affected product, "
+            "alongside the Software SCO. Disabled by default because CISA KEV "
+            "entries (e.g. PHP, Joomla, Laravel) are software products and do "
+            "not map cleanly to any value in the STIX 2.1 infrastructure-type-ov "
+            "vocabulary; enabling this produces Infrastructure objects with an "
+            "empty infrastructure_types field. Left opt-in for workflows that "
+            "depend on the legacy behaviour."
+        ),
     )
     kev_flag_only: bool = Field(
         default=False,

external-import/cisa-known-exploited-vulnerabilities/tests/__init__.py

@@ -0,0 +1,58 @@
+"""Test fixtures for the CISA KEV connector.
+
+Adds `src/` to sys.path so tests can `import main` and
+`from models.configs.cisakev_configs import _ConfigLoaderCISAKEV`
+without packaging the connector. Mirrors how the connector itself
+is invoked at runtime (`python3 main.py` from `src/`).
+"""
+
+import sys
+from pathlib import Path
+
+import pytest
+
+SRC = Path(__file__).resolve().parent.parent / "src"
+sys.path.insert(0, str(SRC))
+
+
+@pytest.fixture
+def sample_kev_entry():
+    """A representative single-product CISA KEV entry.
+
+    Field shape mirrors the upstream catalog:
+    https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
+    """
+    return {
+        "cveID": "CVE-2024-12345",
+        "vendorProject": "Acme Corp",
+        "product": "Acme Widget Server",
+        "vulnerabilityName": "Acme Widget Server RCE",
+        "dateAdded": "2024-01-15",
+        "shortDescription": "Acme Widget Server contains a remote code execution vulnerability.",
+        "requiredAction": "Apply mitigations per vendor instructions.",
+        "dueDate": "2024-02-05",
+        "knownRansomwareCampaignUse": "Unknown",
+        "notes": "",
+        "cwes": ["CWE-78"],
+    }
+
+
+@pytest.fixture
+def kev_entry_software_product():
+    """A KEV entry that is unambiguously a software product (not infrastructure).
+
+    Real example from the CISA KEV catalog.
+    """
+    return {
+        "cveID": "CVE-2017-9805",
+        "vendorProject": "Apache",
+        "product": "Struts",
+        "vulnerabilityName": "Apache Struts Deserialization Vulnerability",
+        "dateAdded": "2021-11-03",
+        "shortDescription": "Apache Struts contains an unsafe deserialization vulnerability.",
+        "requiredAction": "Apply updates per vendor instructions.",
+        "dueDate": "2022-05-03",
+        "knownRansomwareCampaignUse": "Known",
+        "notes": "",
+        "cwes": ["CWE-502"],
+    }