Misp restsearch error handling #3338
Pull request overview
This pull request aims to fix MISP analyzer error handling for HTTP method mismatches, but contains extensive additional changes including a new MachoInfo analyzer, system update checker, YETI API updates, URLScan domain support, InQuest improvements, frontend modifications, and test infrastructure enhancements.
Changes:
- Fixed MISP analyzer to properly raise exceptions for GET/POST mismatch errors instead of silently failing
- Added MachoInfo analyzer for parsing Mach-O binaries (macOS/iOS executables)
- Implemented system update checker with weekly scheduled checks and admin notifications
- Updated YETI analyzer/connector to use v2 API endpoints with breaking changes
- Enhanced URLScan to support domain observables by prepending https://
- Improved InQuest generic observable type detection with comprehensive regex patterns
- Added TLPTag frontend component improvements and test coverage
- Enhanced test infrastructure with better mocking and async task handling
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| api_app/analyzers_manager/observable_analyzers/misp.py | Added specific error handling for GET/POST mismatch with helpful debug info |
| tests/api_app/analyzers_manager/unit_tests/observable_analyzers/test_misp.py | Added test for restsearch GET/POST error |
| api_app/analyzers_manager/file_analyzers/macho_info.py | New analyzer for Mach-O binary analysis |
| api_app/core/update_checker.py | New module for checking IntelOwl version updates |
| api_app/core/tasks.py | New Celery task for scheduled update checks |
| api_app/models.py | Added UpdateCheckStatus model for tracking version state |
| api_app/serializers/system.py | New serializer for system update status API |
| api_app/views.py | Added endpoint for system update check |
| api_app/urls.py | Registered system update check endpoint |
| frontend/src/components/common/SystemUpdatePanel.jsx | New component for displaying update notifications |
| frontend/src/components/common/TLPTag.jsx | Enhanced with unique IDs and proper text colors |
| api_app/analyzers_manager/observable_analyzers/yeti.py | Updated to YETI v2 API with breaking changes |
| api_app/connectors_manager/connectors/yeti.py | Added timeout to YETI connector |
| api_app/analyzers_manager/observable_analyzers/urlscan.py | Added domain support by prepending https:// |
| api_app/analyzers_manager/observable_analyzers/inquest.py | Improved generic type detection with comprehensive regex |
| api_app/analyzers_manager/file_analyzers/blint_scan.py | Added patch to avoid RecursionError on Mach-O files |
| api_app/visualizers_manager/visualizers/crawl_results.py | New visualizer for URLScan crawl results |
| requirements/project-requirements.txt | Added machofile==2026.2.4 dependency |
| docker/scripts/watchman_install.sh | Updated Watchman to v2026.02.02.00 |
| docker/Dockerfile | Changed WATCHMAN from ARG to ENV |
| intel_owl/settings/_util.py | Added fallback for environments without www-data user |
| tests/* | Multiple test files enhanced with better mocking and coverage |
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
Hi @mlodic @fgibertoni
mlodic left a comment
good catch, thanks for adding this and restructuring the code


Description
This PR fixes incorrect success reporting in the MISP analyzer when the underlying misp_instance.search() (restSearch) request fails due to HTTP method mismatches (GET vs POST) or related API errors.
As discussed in #2480, PyMISP may raise HTTPError or return a MISPErrorResponse when the restSearch endpoint fails internally (e.g. server expecting POST but receiving GET).
Currently in IntelOwl:
This leads to misleading UI output where a failed MISP query appears as "No results found" instead of indicating that the query itself failed.
Fixes #2480
This PR improves error handling around the misp_instance.search() call in: by:
This preserves existing logic while improving analyzer correctness and debugging visibility without introducing breaking changes.
Unit tests have been updated accordingly to validate improved failure reporting behaviour.
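The failure mode described in this PR, as an added example that is not IntelOwl's or PyMISP's code: a search that fails must surface as an error, not as "No results found". `MispQueryError`, `run_search`, `interpret_search_result` and the `search_*` stand-ins are hypothetical names, and the `{"errors": ...}` / `{"response": ...}` payload shapes are assumptions about what the client returns.

```python
class MispQueryError(Exception):
    """The search request itself failed (hypothetical name, not IntelOwl's)."""


def interpret_search_result(raw):
    """Return the list of matches, or raise if `raw` is an error payload."""
    if isinstance(raw, list):
        return raw
    if isinstance(raw, dict):
        errors = raw.get("errors")  # assumed shape: (status_code, body)
        if errors:
            detail = repr(errors)
            # Assumed heuristic: a 405 or a "method" message hints at GET vs POST.
            if "405" in detail or "method" in detail.lower():
                detail += " (possible GET/POST mismatch on restSearch)"
            raise MispQueryError(f"MISP search failed: {detail}")
        return raw.get("response", [])  # assumed wrapper key for a dict reply
    raise MispQueryError(f"unexpected response type {type(raw).__name__}")


def run_search(search, **params):
    """Call `search` and report matches; a failure never becomes 'not found'."""
    try:
        raw = search(**params)
    except OSError as exc:  # requests' HTTPError/ConnectionError derive from OSError
        raise MispQueryError(f"MISP search request failed: {exc}") from exc
    matches = interpret_search_result(raw)
    return {"found": bool(matches), "matches": matches}


# Constructed stand-ins for misp_instance.search(); no network access.
def search_no_match(**_):
    return []

def search_match(**_):
    return [{"Event": {"id": "1", "info": "constructed sample event"}}]

def search_method_error(**_):
    return {"errors": (405, {"message": "Method Not Allowed"})}

def search_transport_error(**_):
    raise ConnectionError("constructed transport failure")


def outcome(search):
    """Summarise one call as 'found', 'not found' or 'failed: ...'."""
    try:
        return "found" if run_search(search, value="example.com")["found"] else "not found"
    except MispQueryError as exc:
        return f"failed: {exc}"
```
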