diff --git a/integration.js b/integration.js
index 5d0b3bd..d914088 100644
--- a/integration.js
+++ b/integration.js
@@ -181,13 +181,32 @@ function doIndicatorLookups(entityType, entityValues, options, cb) {
 }
 if (Array.isArray(result.body)) {
 result.body.forEach((indicatorResult) => {
- const entityValue = get(indicatorResult, 'value.name', '').toLowerCase();
- const entity = entityLookup.get(entityValue);
+ let entityValue = get(indicatorResult, 'value.name', '').toLowerCase();
+ let entity = entityLookup.get(entityValue);
 if (!entity) {
+ //The primary hash entity value returned from Analyst1 might not match with the hash value the user is
+ // specifically looking for. The entity may have associated values that matches with the value
+ // being searched. As an example, the user may be searching for a SHA256 hash value, but the Analyst1
+ // primary value for that SHA256 is a MD5. This logic will ensure those results are still returned.
+ if (Array.isArray(indicatorResult.hashes)) {
+ const matchingHash = indicatorResult.hashes.find((hash) => {
+ return entityLookup.has(hash.value.toLowerCase());
+ });
+
+ if (matchingHash) {
+ const matchingHashLower = matchingHash.value.toLowerCase();
+
+ entityValue = matchingHashLower;
+ entity = entityLookup.get(matchingHashLower);
+ }
+ }
+
 // somehow the returned entity value does not match anything in our entity lookup so
 // we just skip it
- Logger.error({ indicatorResult }, 'Indicator Result is missing `value.name`');
- return;
+ if (!entity) {
+ Logger.error({ indicatorResult }, 'Indicator Result is missing `value.name`');
+ return;
+ }
 }
 entityLookup.delete(entityValue);
 const details = _getDetails(entity, indicatorResult, options);
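Review bot: In the added `hashes.find` callback, `hash.value.toLowerCase()` throws a TypeError when an element of `indicatorResult.hashes` is null or carries no string `value`, whereas the primary lookup two lines above reads the same response defensively through `get(indicatorResult, 'value.name', '')`. The body comes from a remote API, so a single malformed element would raise inside the `forEach` callback rather than being skipped; guard the access with `const value = get(hash, 'value');` followed by `return typeof value === 'string' && entityLookup.has(value.toLowerCase());`. The retained `Logger.error` text still says the result is missing value.name, which is no longer accurate here because the branch is now reached when neither the primary name nor any associated hash matches a searched entity; a message such as `'Indicator result did not match any searched entity'` would describe it. The body of doIndicatorLookups starts and ends outside the hunk.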
@@ -462,7 +481,10 @@ function addEvidence(indicator, evidence, tlp, options, cb) {
 evidenceFileClassification: '',
 sourceId: options.evidenceSourceId,
 evidenceFile: {
- value: Buffer.from(`Evidence for ${indicator}\nSubmitted from Polarity Analyst1 Integration\n\n${evidence}`, 'utf-8'),
+ value: Buffer.from(
+ `Evidence for ${indicator}\nSubmitted from Polarity Analyst1 Integration\n\n${evidence}`,
+ 'utf-8'
+ ),
 options: {
 filename: `polarity-${+new Date()}.txt`,
 contentType: 'text/plain'
@@ -578,11 +600,11 @@ function validateOptions(options, cb) {
 });
 }
 
- if(options.enableEvidenceSubmission.value === true &&
- +options.evidenceSourceId.value <= -1){
+ if (options.enableEvidenceSubmission.value === true && +options.evidenceSourceId.value <= -1) {
 errors.push({
 key: 'evidenceSourceId',
- message: 'Evidence source id must be set to a number greater than or equal to zero. Delete the option value to specify an unknown source.'
+ message:
+ 'Evidence source id must be set to a number greater than or equal to zero. Delete the option value to specify an unknown source.'
 });
 }
 
diff --git a/package-lock.json b/package-lock.json
index 2af3ef6..697ca6a 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,6 +1,6 @@
 {
 "name": "analyst1",
- "version": "3.5.4",
+ "version": "3.5.5",
 "lockfileVersion": 1,
 "requires": true,
 "dependencies": {
@@ -58,9 +58,9 @@
 "integrity": "sha512-NfJ4UzBCcQGLDlQq7nHxH+tv3kyZ0hHQqF5BO6J7tNJeP5do1llPr8dZ8zHonfhAu0PHAdMkSo+8o0wxg9lZWw=="
 },
 "async": {
- "version": "3.2.4",
- "resolved": "https://registry.npmjs.org/async/-/async-3.2.4.tgz",
- "integrity": "sha512-iAB+JbDEGXhyIUavoDl9WP/Jj106Kz9DEn1DPgYw5ruDn0e3Wgi3sKFm55sASdGBNOQB8F59d9qQ7deqrHA8wQ=="
+ "version": "3.2.5",
+ "resolved": "https://registry.npmjs.org/async/-/async-3.2.5.tgz",
+ "integrity": "sha512-baNZyqaaLhyLVKm/DlvdW051MSgO6b8eVfIezl9E5PqWxFgzLm/wQntEW4zOytVburDEr0JlALEpdOFwvErLsg=="
 },
 "asynckit": {
 "version": "0.4.0",
diff --git a/package.json b/package.json
index 84e2848..07f7965 100644
--- a/package.json
+++ b/package.json
@@ -1,10 +1,10 @@
 {
 "name": "analyst1",
- "version": "3.5.4",
+ "version": "3.5.5",
 "main": "./integration.js",
 "private": true,
 "dependencies": {
- "async": "^3.2.4",
+ "async": "^3.2.5",
 "lodash.groupby": "^4.6.0",
 "lodash.get": "^4.4.2",
 "postman-request": "^2.88.1-postman.33"