Expand Up @@ -65,7 +65,7 @@ There are a number of configuration options, which are set either in `docker-com
| Parameter | config.yml | Docker environment variable | Default | Mandatory | Description |
|-------------------------|----------------------------|---------------------------------|-------------------------------------------------------------------------------|-----------|------------------------------------------------------------------------|
| Catalog URL | cisa.catalog_url | `CISA_CATALOG_URL` | https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json | No | URL of the CISA KEV catalog JSON feed. |
| Create Infrastructures | cisa.create_infrastructures| `CISA_CREATE_INFRASTRUCTURES` | true | No | Create Infrastructure entities for affected products. |
| Create Infrastructures | cisa.create_infrastructures| `CISA_CREATE_INFRASTRUCTURES` | false | No | Also create Infrastructure entities for affected products. Disabled by default — KEV entries are software products and do not map to any valid STIX 2.1 `infrastructure-type-ov` value, so enabling this produces Infrastructure objects with an empty `infrastructure_types`. Left opt-in for legacy workflows. |
| KEV Flag Only | cisa.kev_flag_only | `CISA_KEV_FLAG_ONLY` | false | No | When enabled, the connector only sets the `x_opencti_cisa_kev` flag on Vulnerability objects without modifying any other attribute (description, dates, markings) and without creating additional entities or relationships. See [KEV Flag Only Mode](#kev-flag-only-mode). |
| TLP | cisa.tlp | `CISA_TLP` | TLP:CLEAR | No | TLP marking for imported data (`TLP:CLEAR`, `TLP:GREEN`, `TLP:AMBER`, `TLP:AMBER+STRICT`, `TLP:RED`). |
| Interval (deprecated) | cisa.interval | `CISA_INTERVAL` | 7 | No | **[DEPRECATED]** Interval in days between runs. Use `CONNECTOR_DURATION_PERIOD` instead. |
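Review bot: flipping the Default cell of the `Create Infrastructures` row from `true` to `false` changes behaviour for every existing deployment that never set `CISA_CREATE_INFRASTRUCTURES`, and nothing in this README hunk tells those users about it; add an upgrade note stating that the previous behaviour now requires `CISA_CREATE_INFRASTRUCTURES=true` explicitly. The new cell also reads "do not map to any valid STIX 2.1 `infrastructure-type-ov` value", while the docs table and the Pydantic `Field` description elsewhere in this PR say "do not map cleanly"; pick one wording so the four copies do not drift further.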
Expand Down Expand Up @@ -94,7 +94,7 @@ Configure the connector in `docker-compose.yml`:
- CONNECTOR_LOG_LEVEL=info
- CONNECTOR_DURATION_PERIOD=P1D
- CISA_CATALOG_URL=https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- CISA_CREATE_INFRASTRUCTURES=true
- CISA_CREATE_INFRASTRUCTURES=false
- CISA_KEV_FLAG_ONLY=false
- CISA_TLP=TLP:CLEAR
restart: always
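Review bot: with the default now `false`, the line `- CISA_CREATE_INFRASTRUCTURES=false` in the compose example is a no-op; keeping it as documentation of the knob is fine, but a trailing comment such as `# set to true to restore legacy Infrastructure entities` would tell readers of the example what the opt-in actually does.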
Expand Up @@ -14,7 +14,7 @@ Below is an exhaustive enumeration of all configurable parameters available, eac
| CONNECTOR_LOG_LEVEL | `string` | | `debug` `info` `warn` `warning` `error` | | `"error"` | Determines the verbosity of the logs. |
| CONNECTOR_DURATION_PERIOD | `string` | | Format: [`duration`](https://json-schema.org/understanding-json-schema/reference/string#built-in-formats) | | `"P2D"` | Duration between two scheduled runs of the connector (ISO 8601 format). |
| CISA_CATALOG_URL | `string` | | string | | `"https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"` | The URL that hosts the KEV Catalog https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json. |
| CISA_CREATE_INFRASTRUCTURES | `boolean` | | boolean | | `true` | Allows you to create or not create an infrastructure in OpenCTI. |
| CISA_CREATE_INFRASTRUCTURES | `boolean` | | boolean | | `false` | Also emit a STIX Infrastructure SDO for each affected product, alongside the Software SCO. Disabled by default because CISA KEV entries (e.g. PHP, Joomla, Laravel) are software products and do not map cleanly to any value in the STIX 2.1 infrastructure-type-ov vocabulary; enabling this produces Infrastructure objects with an empty infrastructure_types field. Left opt-in for workflows that depend on the legacy behaviour. |
| CISA_KEV_FLAG_ONLY | `boolean` | | boolean | | `false` | When enabled, the connector only sets the x_opencti_cisa_kev flag on Vulnerability objects without creating additional entities (vendors, software, infrastructures) or relationships. |
| CISA_TLP | `string` | | `TLP:WHITE` `TLP:CLEAR` `TLP:GREEN` `TLP:AMBER` `TLP:AMBER+STRICT` `TLP:RED` | | `"TLP:CLEAR"` | Traffic Light Protocol (TLP) level to apply on objects imported into OpenCTI. Possible values: TLP:CLEAR, TLP:GREEN, TLP:AMBER, TLP:AMBER+STRICT, TLP:RED. |
| CISA_INTERVAL | `integer` | | integer | ⛔️ | `7` | [DEPRECATED] Interval in days between two scheduled runs of the connector. |
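Review bot: the `CISA_CREATE_INFRASTRUCTURES` description now runs to four sentences in a reference table whose other rows (`CISA_KEV_FLAG_ONLY`, `CISA_TLP`) are one or two sentences; keep the cell to the one-line meaning plus "disabled by default, see ..." and move the STIX `infrastructure-type-ov` rationale to a prose section, the way the README already links a `KEV Flag Only Mode` section. The text also states that enabling the option "produces Infrastructure objects with an empty infrastructure_types field", i.e. it documents emitting objects the connector knows are incomplete; if that path is kept only for legacy workflows, say whether it is deprecated so users do not build new pipelines on it.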
Expand Up @@ -58,8 +58,8 @@
"type": "string"
},
"CISA_CREATE_INFRASTRUCTURES": {
"default": true,
"description": "Allows you to create or not create an infrastructure in OpenCTI.",
"default": false,
"description": "Also emit a STIX Infrastructure SDO for each affected product, alongside the Software SCO. Disabled by default because CISA KEV entries (e.g. PHP, Joomla, Laravel) are software products and do not map cleanly to any value in the STIX 2.1 infrastructure-type-ov vocabulary; enabling this produces Infrastructure objects with an empty infrastructure_types field. Left opt-in for workflows that depend on the legacy behaviour.",
"type": "boolean"
},
"CISA_KEV_FLAG_ONLY": {
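Review bot: the new `description` string is a verbatim copy of the text added to the docs table and to the `_ConfigLoaderCISAKEV` `Field` in this same PR, and it already differs from the README wording; since the schema, the docs table and the `Field` description all carry the same sentence, generating the others from one source (or at least keeping the schema description to the first sentence) would stop the copies diverging. The `default: false` change itself is consistent with the `Field(default=False)` in the config loader.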
Expand Up @@ -28,8 +28,16 @@ class _ConfigLoaderCISAKEV(ConfigBaseSettings):
description="The URL that hosts the KEV Catalog https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json.",
)
create_infrastructures: bool = Field(
default=True,
description="Allows you to create or not create an infrastructure in OpenCTI.",
default=False,
description=(
"Also emit a STIX Infrastructure SDO for each affected product, "
"alongside the Software SCO. Disabled by default because CISA KEV "
"entries (e.g. PHP, Joomla, Laravel) are software products and do "
"not map cleanly to any value in the STIX 2.1 infrastructure-type-ov "
"vocabulary; enabling this produces Infrastructure objects with an "
"empty infrastructure_types field. Left opt-in for workflows that "
"depend on the legacy behaviour."
),
)
kev_flag_only: bool = Field(
default=False,
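Review bot: `default=True` to `default=False` on `create_infrastructures` is the behavioural change of this PR, but the hunk does not show the code path that consumes the flag, and nothing on this page adds a test asserting that with the new default no Infrastructure SDO is produced (the new conftest adds fixtures only); a test that runs the `kev_entry_software_product` fixture through the connector with `create_infrastructures=False` and again with `True` would pin both the new default and the legacy opt-in. The eight-line `description` also repeats the docs and schema text verbatim; a shorter `Field` description with the rationale kept in the docs would be easier to keep in sync.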
Empty file.
@@ -0,0 +1,58 @@
"""Test fixtures for the CISA KEV connector.

Adds `src/` to sys.path so tests can `import main` and
`from models.configs.cisakev_configs import _ConfigLoaderCISAKEV`
without packaging the connector. Mirrors how the connector itself
is invoked at runtime (`python3 main.py` from `src/`).
"""

import sys
from pathlib import Path

import pytest

SRC = Path(__file__).resolve().parent.parent / "src"
sys.path.insert(0, str(SRC))


@pytest.fixture
def sample_kev_entry():
"""A representative single-product CISA KEV entry.

Field shape mirrors the upstream catalog:
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
"""
return {
"cveID": "CVE-2024-12345",
"vendorProject": "Acme Corp",
"product": "Acme Widget Server",
"vulnerabilityName": "Acme Widget Server RCE",
"dateAdded": "2024-01-15",
"shortDescription": "Acme Widget Server contains a remote code execution vulnerability.",
"requiredAction": "Apply mitigations per vendor instructions.",
"dueDate": "2024-02-05",
"knownRansomwareCampaignUse": "Unknown",
"notes": "",
"cwes": ["CWE-78"],
}


@pytest.fixture
def kev_entry_software_product():
"""A KEV entry that is unambiguously a software product (not infrastructure).

Real example from the CISA KEV catalog.
"""
return {
"cveID": "CVE-2017-9805",
"vendorProject": "Apache",
"product": "Struts",
"vulnerabilityName": "Apache Struts Deserialization Vulnerability",
"dateAdded": "2021-11-03",
"shortDescription": "Apache Struts contains an unsafe deserialization vulnerability.",
"requiredAction": "Apply updates per vendor instructions.",
"dueDate": "2022-05-03",
"knownRansomwareCampaignUse": "Known",
"notes": "",
"cwes": ["CWE-502"],
}
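Review bot: `sys.path.insert(0, str(SRC))` at conftest import time mutates the interpreter path for the whole session; pytest's `pythonpath` ini option (pytest 7 and later, in `pytest.ini` or `pyproject.toml`) achieves the same `import main` without a module-level side effect, and the docstring's "mirrors how the connector itself is invoked" rationale still holds. The `sample_kev_entry` docstring calls it a "single-product" entry, which implies the catalog also has multi-product entries, yet no fixture here covers that shape, so parsing of such entries cannot be tested from these fixtures. For `kev_entry_software_product`, the docstring says "Real example from the CISA KEV catalog"; a comment with the catalog snapshot date the `dateAdded`/`dueDate` values were copied from would let a reviewer verify them against upstream.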