-
Notifications
You must be signed in to change notification settings - Fork 0
Proposal: Add New Archive File Object
Status: Unreleased
Comment Period Closes:
Affects Backwards Compatibility: No
Relevant Issue: https://github.com/CybOXProject/schemas/issues/12
There are a number of common archive file formats (e.g. ZIP and RAR) that share similar structures. CybOX 2.0.1 does not provide a standard characterization of these files and their common set of properties.
We propose the creation of a new CybOX object capable of characterizing the common set of metadata associated with archive files.
The ArchiveFileObjectType is an extension of the FileObj:FileObjectType and will introduce a number of related fields. The structure of an archive file object is a set of metadata describing the archive, followed by 1 to n File Objects which are contained within the archive.
| Field | Type | Description |
|---|---|---|
| Archive_Type | enum | Method used to create the archive |
| Archive_Version | string | Version of archive type used to create archive file |
| File_Count | int | Number of files contained within the archive |
| Archive_Encryption_Algorithm | string | Encryption algorithm used to encrypt archive file |
| Archive_Comment | string | Comment strings associated with archive file |
| Archived_File | FileObj | 1 to n File Objects within the archive |
The ArchiveFileFormatType is a union of the base xs:string type and the ArchiveFileFormatEnum. The ArchiveFileFormatEnum is intended to non-exhaustively enumerate possible types of image file format names and thus contains the following values:
| Value | Description |
|---|---|
| ZIP | .zip and .zipx archive format |
| RAR | .rar archive format |
| TAR | .tar archive format |
| 7-Zip | .7z archive format |
| ISO | .iso archive format |
| CAB | .cab archive format |
For the full proposed schema, please see https://github.com/mobhutu/schemas/blob/issue_12/objects/Archive_File_Object.xsd
There is no expected compatibility impact.
- There is a definite distinction between compressing files, archiving files and compressing archived files. For example, GZIP is used to compress files, TAR is used to archive files and ZIP is used to compress and archive files. In this proposal, we're combining the two concepts into a single object which will simplify things by keeping the number of objects down, but could also raise issues as it may not cleanly support archives or compressed files. Will people be able to effectively make use of this as a single CybOX object, or would it make more sense to have ArchiveFile and CompressedFile objects and allow them to be combined as needed?
- Under this single object proposal there are a number of fields that aren't represented (e.g. CRC, compressed/uncompressed size, various flags) because they either aren't used consistently across object types, or are low level attributes that aren't efficient to represent with this approach. Are there specific fields left out that people would like to see represented?
- For the fields that are represented, are the data types appropriate?
- Are there any values that should be added to the
ArchiveFileFormatEnum?