
[CISA KEV] Default create_infrastructures to false#6283

Open
MrStarkEG wants to merge 1 commit into OpenCTI-Platform:master from MrStarkEG:fix/cisa-kev-infrastructure-default-false

Conversation

MrStarkEG (Contributor) commented Apr 22, 2026

Closes #6284

Summary

The CISA Known Exploited Vulnerabilities connector has a cisa.create_infrastructures flag that, when enabled (the old default), emitted a STIX Infrastructure SDO alongside the Software SCO for every KEV entry. This PR flips the default to false and keeps the legacy behaviour as opt-in.

Why the default was wrong

CISA KEV entries are software products (PHP, Joomla, Laravel, GNU C Library, Apache Struts, October CMS, Spring Framework, Skype for Business, …). STIX 2.1 infrastructure-type-ov enumerates: amplification, anonymization, botnet, command-and-control, control-system, exfiltration, firewall, hosting-malware, hosting-target-lists, phishing, reconnaissance, routers-switches, staging, unknown, workstation. None of these values describe a software product like PHP.

With the old default, the connector therefore emitted Infrastructure SDOs with an empty infrastructure_types field — STIX-non-compliant, and duplicated by the Software SCO that the same bundle already contains.

Field evidence

Observed in a production OpenCTI deployment that had been running this connector with the default enabled:

  • 594 Infrastructure SDOs created by this connector
  • 98.8% (587 / 594) have infrastructure_types empty/unset
  • A substantial fraction are unambiguously software (names listed above)
  • The same products already exist correctly as Software SCOs — the Infrastructure SDOs are pure duplicates with wrong STIX semantics

What this PR changes

  • src/models/configs/cisakev_configs.py — default flipped True → False; description rewritten to explain the STIX-compliance reasoning
  • README.md — default column + sample docker-compose snippet updated; expanded description in the parameters table
  • __metadata__/CONNECTOR_CONFIG_DOC.md — default column updated
  • __metadata__/connector_config_schema.json — default + description updated

No code logic changed. Behaviour when the flag is explicitly set to true is identical to before.

Testing

Adds the first test suite for this connector (previously zero): 32 tests.

  • tests/test_config.py (8 tests) — config defaults, env-var override via the real ConfigLoader, other defaults unchanged
  • tests/test_bundle.py (24 tests) — bundle composition in every flag combination, kev_flag_only interaction, real product-name regression cases (PHP, Joomla, Laravel, Apache Struts, October CMS, GNU C Library, Skype for Business), and end-to-end stix2.Bundle.serialize() round-trip
  • Mutation check performed locally: flipping the default back to True makes the relevant tests fail, proving the suite actually pins the behaviour.

E2E verification against a real OpenCTI

Deployed the fixed connector against a local OpenCTI stack (platform + worker + redis + elasticsearch + minio + rabbitmq), fed it the real CISA KEV catalog (1,577 CVEs):

Metric                                            Default (create_infrastructures=false)   Opt-in (create_infrastructures=true)
Vulnerabilities                                   1,577 ✓                                  1,577 (deduped by CVE)
Software SCOs                                     660                                      660 (deduped by name)
Vendor Identities                                 258                                      258 (deduped by name)
Infrastructure SDOs                               0                                        ~660 (one per unique product)
Work record status                                complete                                 complete
Work record errors                                []                                       []
ERROR log lines (connector / worker / platform)   0 / 0 / 0                                0 / 0 / 0

Compliance with connector standards (docs/05-code-quality-standards.md)

  • black --check clean (12 files)
  • isort --profile black --check clean
  • Custom STIX pylint plugin: 10.00 / 10 (no_generated_id_stix, unused-import, no-value-for-parameter)
  • Deterministic STIX IDs everywhere (unchanged from existing code)
  • Unit tests present and passing (32 / 32)
  • Type hints + Google-style docstrings on new code
  • No hardcoded secrets
  • Tested with real OpenCTI instance
  • Docker deployment verified

Backward compatibility

Users who depend on the legacy behaviour keep working unchanged — they just need to set CISA_CREATE_INFRASTRUCTURES=true explicitly in their config. The kev_flag_only mode is untouched.

Discussion

If maintainers would rather remove the Infrastructure path entirely (since it emits STIX-non-compliant objects even when opted in), I'm happy to follow up with a second PR doing exactly that. Flipping the default is the minimally-invasive change and seemed safer as a first step.
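Added example, not code from the PR or from the connector itself: a small audit over a STIX 2.1 bundle that reproduces the two checks the description above rests on (membership in the infrastructure-type-ov vocabulary it enumerates, and Infrastructure SDOs whose name duplicates a Software SCO in the same bundle), plus a pruning pass an operator could run over an export from a deployment that ran with the old default. It assumes a plain JSON bundle dict with the standard STIX fields, matches objects by normalised name only, and uses nothing beyond the Python standard library; the sample bundle, its IDs and its relationships are constructed for the example.

```python
"""Audit a STIX 2.1 bundle for Infrastructure SDOs that duplicate Software SCOs.

Added example (not the connector's code). Reports, for every Infrastructure SDO:
  * untyped        - infrastructure_types missing or empty
  * out_of_vocab   - values outside infrastructure-type-ov
  * duplicates     - name also present on a Software SCO in the bundle
and offers a prune step that removes the untyped duplicates together with any
relationship that points at them. Sample data at the bottom is constructed.
"""
import json
from typing import Any

# infrastructure-type-ov values exactly as enumerated in the PR description.
INFRASTRUCTURE_TYPE_OV = frozenset({
    "amplification", "anonymization", "botnet", "command-and-control",
    "control-system", "exfiltration", "firewall", "hosting-malware",
    "hosting-target-lists", "phishing", "reconnaissance", "routers-switches",
    "staging", "unknown", "workstation",
})


def _norm(name: Any) -> str:
    """Case- and whitespace-insensitive key for matching names across objects."""
    return (name or "").strip().lower()


def audit_bundle(bundle: dict[str, Any]) -> dict[str, Any]:
    """Return counts and IDs of suspicious Infrastructure SDOs in a bundle."""
    objects = bundle.get("objects", [])
    software_names = {_norm(o.get("name")) for o in objects if o.get("type") == "software"}
    software_names.discard("")
    infra = [o for o in objects if o.get("type") == "infrastructure"]

    untyped: list[str] = []
    out_of_vocab: list[tuple[str, list[str]]] = []
    duplicates: list[str] = []
    for o in infra:
        types = o.get("infrastructure_types") or []      # None, missing and [] all count as untyped
        if not types:
            untyped.append(o["id"])
        else:
            bad = sorted(t for t in types if t not in INFRASTRUCTURE_TYPE_OV)
            if bad:
                out_of_vocab.append((o["id"], bad))
        if _norm(o.get("name")) in software_names:
            duplicates.append(o["id"])

    total = len(infra)
    return {
        "infrastructure_total": total,
        "untyped": untyped,
        "untyped_pct": round(100 * len(untyped) / total, 1) if total else 0.0,
        "out_of_vocab": out_of_vocab,
        "duplicates_of_software": duplicates,
    }


def prune_duplicate_infrastructure(bundle: dict[str, Any]) -> dict[str, Any]:
    """Copy of the bundle without untyped Infrastructure SDOs that duplicate a
    Software SCO, and without relationships referencing them. Typed objects
    (a real C2 server, say) are kept even if their type is out of vocabulary."""
    report = audit_bundle(bundle)
    drop = set(report["untyped"]) & set(report["duplicates_of_software"])
    kept = [
        o for o in bundle.get("objects", [])
        if o.get("id") not in drop
        and o.get("source_ref") not in drop
        and o.get("target_ref") not in drop
    ]
    return {**bundle, "objects": kept}


# Constructed sample: what the legacy default would emit for two KEV products
# (Software SCO plus a same-named, untyped Infrastructure SDO), one genuine
# C2 object typed from the vocabulary, and one object with a non-vocab type.
# All IDs are made up for the example.
VULN_ID = "vulnerability--1c0d8b3e-2f4a-4b6c-8d9e-0f1a2b3c4d5e"
PHP_INFRA_ID = "infrastructure--9c3d4e5f-6a7b-4c8d-8e9f-1a2b3c4d5e6f"
JOOMLA_INFRA_ID = "infrastructure--ad4e5f6a-7b8c-4d9e-9f0a-2b3c4d5e6f7a"
C2_INFRA_ID = "infrastructure--be5f6a7b-8c9d-4eaf-a0b1-3c4d5e6f7a8b"
STRUTS_INFRA_ID = "infrastructure--cf6a7b8c-9dae-4fb0-b1c2-4d5e6f7a8b9c"
SAMPLE_BUNDLE = {
    "type": "bundle", "id": "bundle--5f3c5e4b-1c2d-4a6e-9b7f-0d1e2f3a4b5c",
    "objects": [
        {"type": "vulnerability", "id": VULN_ID, "name": "CVE-2024-0000"},
        {"type": "software", "id": "software--7a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d", "name": "PHP"},
        {"type": "software", "id": "software--8b2c3d4e-5f6a-4b7c-9d8e-0f1a2b3c4d5e", "name": "Joomla"},
        {"type": "infrastructure", "id": PHP_INFRA_ID, "name": "PHP"},
        {"type": "infrastructure", "id": JOOMLA_INFRA_ID, "name": "Joomla", "infrastructure_types": []},
        {"type": "infrastructure", "id": C2_INFRA_ID, "name": "c2.example.invalid",
         "infrastructure_types": ["command-and-control"]},
        {"type": "infrastructure", "id": STRUTS_INFRA_ID, "name": "Apache Struts",
         "infrastructure_types": ["web-application"]},
        {"type": "relationship", "id": "relationship--d07b8c9d-aebf-4c01-82d3-5e6f7a8b9c0d",
         "relationship_type": "has", "source_ref": PHP_INFRA_ID, "target_ref": VULN_ID},
        {"type": "relationship", "id": "relationship--e18c9dae-bfc0-4d12-93e4-6f7a8b9c0d1e",
         "relationship_type": "has", "source_ref": C2_INFRA_ID, "target_ref": VULN_ID},
    ],
}

if __name__ == "__main__":
    print(json.dumps(audit_bundle(SAMPLE_BUNDLE), indent=2))
    cleaned = prune_duplicate_infrastructure(SAMPLE_BUNDLE)
    print(len(SAMPLE_BUNDLE["objects"]), "->", len(cleaned["objects"]), "objects after pruning")
```

Pointing audit_bundle at an exported bundle gives the same "N untyped out of M" figure the Field evidence section quotes; the prune step only drops objects that are both untyped and name-duplicates of a Software SCO, so correctly typed Infrastructure objects survive even when they sit in the same bundle.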

codecov bot commented Apr 22, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 0.09%. Comparing base (fa3b2fa) to head (202e298).
⚠️ Report is 24 commits behind head on master.

❗ There is a different number of reports uploaded between BASE (fa3b2fa) and HEAD (202e298).

HEAD has 93 uploads less than BASE
Flag         BASE (fa3b2fa)   HEAD (202e298)
connectors   95               2
Additional details and impacted files
@@             Coverage Diff             @@
##           master    #6283       +/-   ##
===========================================
- Coverage   40.50%    0.09%   -40.42%     
===========================================
  Files        2141     1661      -480     
  Lines      128230   100015    -28215     
===========================================
- Hits        51943       94    -51849     
- Misses      76287    99921    +23634     
Flag         Coverage Δ
baseline     0.00% <ø> (ø)
connectors   96.90% <ø> (+22.83%) ⬆️

Flags with carried forward coverage won't be shown.


MrStarkEG changed the title from "fix(cisa-kev): default create_infrastructures to false" to "[CISA KEV] Default create_infrastructures to false" on Apr 22, 2026

The CISA KEV connector creates Vulnerability and Software entities for
each catalog entry. When cisa.create_infrastructures was true (the old
default) it ALSO emitted an Infrastructure SDO with the same name as
the Software SCO.

KEV catalog entries (PHP, Joomla, Laravel, GNU C Library, Apache
Struts, October CMS, etc.) are software products. None of them map to
any value in the STIX 2.1 infrastructure-type-ov vocabulary
(amplification, botnet, command-and-control, firewall,
routers-switches, ...), so the connector silently emitted
Infrastructure objects with an empty infrastructure_types field —
non-compliant STIX that's also duplicated by the Software SCO already
in the bundle.

Flipping the default to false stops fresh deployments from generating
that noise while preserving the legacy opt-in path for existing users
who rely on the behaviour. No code logic changed — just the default.

Also adds the first test suite for this connector (previously zero):
32 tests covering config defaults, env-var overrides, bundle
composition in every flag combination, regression cases for the
real product names that prompted this change, and end-to-end
stix2.Bundle serialisation.

Docs (README, __metadata__/CONNECTOR_CONFIG_DOC.md, connector_config_schema.json)
updated in lock-step with the default.

MrStarkEG force-pushed the fix/cisa-kev-infrastructure-default-false branch from 85b4c46 to 202e298 on April 22, 2026 at 16:42
MrStarkEG closed this Apr 22, 2026
MrStarkEG reopened this Apr 22, 2026
romain-filigran added the "community" label (use to identify PR from community) May 4, 2026
Development

Successfully merging this pull request may close these issues.

[CISA KEV] Connector emits STIX-non-compliant Infrastructure SDOs by default